diff --git a/public/app.te b/public/app.te
index 3c29946c8..1fd818645 100644
--- a/public/app.te
+++ b/public/app.te
@@ -169,15 +169,7 @@ userdebug_or_eng(`
     allow appdomain heapdump_data_file:file append;
 ')
 
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
 r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
-# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
-# Exclude isolated app which may not use network sockets.
-r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
@@ -550,3 +542,8 @@ neverallow appdomain proc_uid_concurrent_policy_time:file *;
 
 # Apps cannot access proc_uid_cpupower
 neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps cannot access proc/net/xt_qtaguid/ files anymore since P.
+neverallow { appdomain -shell } qtaguid_proc:file rw_file_perms;
+neverallow { appdomain -shell } proc_qtaguid_stat:{ file lnk_file } r_file_perms;
+neverallow { appdomain -shell } qtaguid_device:chr_file r_file_perms;
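Review bot: The new assertion on proc_qtaguid_stat is narrower than the grant it replaces: the removed `r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)` in the first hunk also granted directory read/search on that label, but the neverallow only lists `{ file lnk_file }`, so a future `allow appdomain proc_qtaguid_stat:dir r_dir_perms;` would pass compilation and let apps enumerate the stats directory again. Adding `neverallow { appdomain -shell } proc_qtaguid_stat:dir r_dir_perms;` alongside the existing line closes that gap. The `-shell` carve-out is undocumented; since it is the only app domain left with access to per-UID traffic accounting, a one-line comment such as `# shell is exempt so debugging tools on userdebug builds can still read the counters — confirm which tool needs it` would stop a later reviewer from widening or silently dropping it. These neverallow rules are compile-time (and CTS) assertions that no allow rule grants the perms; the actual runtime denial comes from the allow rules deleted in the first hunk, so both hunks have to land together for the comment "cannot access ... since P" to be true.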