diff --git a/public/app.te b/public/app.te
index 411ce593f..169e61995 100644
--- a/public/app.te
+++ b/public/app.te
@@ -405,6 +405,14 @@ neverallow appdomain zygote_socket:sock_file write;
 # ptrace access to non-app domains.
 neverallow appdomain { domain -appdomain }:process ptrace;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces.
+
+neverallow { domain -appdomain -crash_dump } appdomain:process ptrace;
+
 # Read or write access to /proc/pid entries for any non-app domain.
 # A different form of hidepid=2 like protections
 neverallow appdomain { domain -appdomain }:file no_w_file_perms;
diff --git a/public/te_macros b/public/te_macros
index cdfdc89ee..a9814ff88 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -178,6 +178,12 @@ tmpfs_domain($1)
 allow $1 $1_tmpfs:file execute;
 neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
 neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces.
+neverallow { domain -$1 -crash_dump } $1:process ptrace;
 ')
 #####################################
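Review bot: The two new neverallow rules use different exclusion sets — `-appdomain` in the app.te hunk and `-$1` in the te_macros hunk — yet carry a word-for-word identical comment, so the comment never explains why the per-domain macro rule is needed on top of the attribute-wide one. If every domain expanded from this macro is a member of appdomain (the adjacent `neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;` context line suggests so), the macro rule is the stricter of the two: it also forbids one app domain from ptracing a different app domain, which the app.te rule does not forbid. A one-line note in the macro would make that intent explicit, e.g. `# Stricter than the appdomain-wide rule in app.te: other app domains may not ptrace $1 either.`, and the app.te comment could point to the macro for the per-domain form so a later reader does not treat one as a stale duplicate of the other. The enclosing macro body in te_macros starts outside the hunk.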