diff --git a/private/app.te b/private/app.te
index 04be106f3cf2a5d084828be88254c6c090918d00..f21887e928760cfe17f188e08ede35dc4f1bc776 100644
--- a/private/app.te
+++ b/private/app.te
@@ -133,7 +133,7 @@ userdebug_or_eng(`
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # read /proc/net/xt_qtguid/stats
-r_dir_file(appdomain, proc_net)
+r_dir_file({ appdomain -ephemeral_app}, proc_net)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b94827b297b1bb252ec7e78e5c5a5e5d16cc10d..2b0515ad904d1b78edaf23632cc58d69ab0341b4 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -52,3 +52,7 @@ neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
 # Directly access external storage
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;