diff --git a/jay-config/src/_private.rs b/jay-config/src/_private.rs
index 29359e2f..1a5a5b62 100644
--- a/jay-config/src/_private.rs
+++ b/jay-config/src/_private.rs
@@ -83,6 +83,7 @@ pub enum ClientCriterionIpc {
     },
     Sandboxed,
     Uid(i32),
+    Pid(i32),
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, Hash, Eq, PartialEq)]
diff --git a/jay-config/src/_private/client.rs b/jay-config/src/_private/client.rs
index 12c8e3b4..5deb5c9a 100644
--- a/jay-config/src/_private/client.rs
+++ b/jay-config/src/_private/client.rs
@@ -1543,6 +1543,7 @@ impl ConfigClient {
             ClientCriterion::SandboxInstanceIdRegex(t) => string!(t, SandboxInstanceId, true),
             ClientCriterion::Sandboxed => ClientCriterionIpc::Sandboxed,
             ClientCriterion::Uid(p) => ClientCriterionIpc::Uid(p),
+            ClientCriterion::Pid(p) => ClientCriterionIpc::Pid(p),
         };
         let res = self.send_with_response(&ClientMessage::CreateClientMatcher { criterion });
         get_response!(
diff --git a/jay-config/src/client.rs b/jay-config/src/client.rs
index 1b2d4206..d8c5a547 100644
--- a/jay-config/src/client.rs
+++ b/jay-config/src/client.rs
@@ -79,6 +79,8 @@ pub enum ClientCriterion<'a> {
     Sandboxed,
     /// Matches the user ID of the client.
     Uid(i32),
+    /// Matches the process ID of the client.
+    Pid(i32),
 }
 
 impl ClientCriterion<'_> {
diff --git a/src/config/handler.rs b/src/config/handler.rs
index b34500a6..c513894b 100644
--- a/src/config/handler.rs
+++ b/src/config/handler.rs
@@ -1886,6 +1886,7 @@ impl ConfigProxyHandler {
             }
             ClientCriterionIpc::Sandboxed => mgr.sandboxed(),
             ClientCriterionIpc::Uid(p) => mgr.uid(*p),
+            ClientCriterionIpc::Pid(p) => mgr.pid(*p),
         };
         let cached = Rc::new(CachedCriterion {
             crit: criterion.clone(),
diff --git a/src/criteria/clm.rs b/src/criteria/clm.rs
index a1d67a68..7027e703 100644
--- a/src/criteria/clm.rs
+++ b/src/criteria/clm.rs
@@ -7,6 +7,7 @@ use {
             CritDestroyListener, CritLiteralOrRegex, CritMatcherId, CritMatcherIds, CritMgrExt,
             CritUpstreamNode, FixedRootMatcher, RootMatcherMap,
             clm::clm_matchers::{
+                clmm_pid::ClmMatchPid,
                 clmm_sandboxed::ClmMatchSandboxed,
                 clmm_string::{
                     ClmMatchSandboxAppId, ClmMatchSandboxEngine, ClmMatchSandboxInstanceId,
@@ -54,6 +55,7 @@ pub struct RootMatchers {
     sandbox_engine: ClmRootMatcherMap<ClmMatchSandboxEngine>,
     sandbox_instance_id: ClmRootMatcherMap<ClmMatchSandboxInstanceId>,
     uid: ClmRootMatcherMap<ClmMatchUid>,
+    pid: ClmRootMatcherMap<ClmMatchPid>,
 }
 
 pub async fn handle_cl_changes(state: Rc<State>) {
@@ -154,6 +156,7 @@ impl ClMatcherManager {
             unconditional!(sandbox_app_id);
             unconditional!(sandbox_engine);
             unconditional!(uid);
+            unconditional!(pid);
             fixed!(sandboxed);
             self.constant[true].handle(data);
         }
@@ -178,6 +181,10 @@ impl ClMatcherManager {
     pub fn uid(&self, pid: i32) -> Rc<ClmUpstreamNode> {
         self.root(ClmMatchUid(pid as _))
     }
+
+    pub fn pid(&self, pid: i32) -> Rc<ClmUpstreamNode> {
+        self.root(ClmMatchPid(pid as _))
+    }
 }
 
 impl CritTarget for Rc<Client> {
diff --git a/src/criteria/clm/clm_matchers.rs b/src/criteria/clm/clm_matchers.rs
index b7886e61..422a44f4 100644
--- a/src/criteria/clm/clm_matchers.rs
+++ b/src/criteria/clm/clm_matchers.rs
@@ -17,6 +17,7 @@ macro_rules! fixed_root_criterion {
     };
 }
 
+pub mod clmm_pid;
 pub mod clmm_sandboxed;
 pub mod clmm_string;
 pub mod clmm_uid;
diff --git a/src/criteria/clm/clm_matchers/clmm_pid.rs b/src/criteria/clm/clm_matchers/clmm_pid.rs
new file mode 100644
index 00000000..fc7ae8dc
--- /dev/null
+++ b/src/criteria/clm/clm_matchers/clmm_pid.rs
@@ -0,0 +1,20 @@
+use {
+    crate::{
+        client::Client,
+        criteria::{RootMatcherMap, clm::RootMatchers, crit_graph::CritRootCriterion},
+    },
+    std::rc::Rc,
+    uapi::c,
+};
+
+pub struct ClmMatchPid(pub c::pid_t);
+
+impl CritRootCriterion<Rc<Client>> for ClmMatchPid {
+    fn matches(&self, data: &Rc<Client>) -> bool {
+        data.pid_info.pid == self.0
+    }
+
+    fn nodes(roots: &RootMatchers) -> Option<&RootMatcherMap<Rc<Client>, Self>> {
+        Some(&roots.pid)
+    }
+}
diff --git a/toml-config/src/config.rs b/toml-config/src/config.rs
index c5c53eff..381b24f4 100644
--- a/toml-config/src/config.rs
+++ b/toml-config/src/config.rs
@@ -233,6 +233,7 @@ pub struct ClientMatch {
     pub sandbox_instance_id_regex: Option<String>,
     pub sandboxed: Option<bool>,
     pub uid: Option<i32>,
+    pub pid: Option<i32>,
 }
 
 #[derive(Debug, Clone)]
diff --git a/toml-config/src/config/parsers/client_match.rs b/toml-config/src/config/parsers/client_match.rs
index 59c8a22f..a6076b46 100644
--- a/toml-config/src/config/parsers/client_match.rs
+++ b/toml-config/src/config/parsers/client_match.rs
@@ -49,7 +49,7 @@ impl Parser for ClientMatchParser<'_> {
                 sandbox_app_id,
                 sandbox_app_id_regex,
             ),
-            (sandbox_instance_id, sandbox_instance_id_regex, uid),
+            (sandbox_instance_id, sandbox_instance_id_regex, uid, pid),
         ) = ext.extract((
             (
                 opt(str("name")),
@@ -67,6 +67,7 @@ impl Parser for ClientMatchParser<'_> {
                 opt(str("sandbox-instance-id")),
                 opt(str("sandbox-instance-id-regex")),
                 opt(s32("uid")),
+                opt(s32("pid")),
             ),
         ))?;
         let mut not = None;
@@ -108,6 +109,7 @@ impl Parser for ClientMatchParser<'_> {
             sandbox_instance_id_regex: sandbox_instance_id_regex.despan_into(),
             sandboxed: sandboxed.despan(),
             uid: uid.despan(),
+            pid: pid.despan(),
         })
     }
 }
diff --git a/toml-config/src/rules.rs b/toml-config/src/rules.rs
index f077d928..e5ce8978 100644
--- a/toml-config/src/rules.rs
+++ b/toml-config/src/rules.rs
@@ -121,6 +121,7 @@ impl Rule for ClientRule {
         value_ref!(SandboxInstanceId, sandbox_instance_id);
         value_ref!(SandboxInstanceIdRegex, sandbox_instance_id_regex);
         value!(Uid, uid);
+        value!(Pid, pid);
         bool!(Sandboxed, sandboxed);
         Some(())
     }
diff --git a/toml-spec/spec/spec.generated.json b/toml-spec/spec/spec.generated.json
index b343ca76..af20bc5f 100644
--- a/toml-spec/spec/spec.generated.json
+++ b/toml-spec/spec/spec.generated.json
@@ -563,6 +563,10 @@
         "uid": {
           "type": "integer",
           "description": "Matches the user ID of the client."
+        },
+        "pid": {
+          "type": "integer",
+          "description": "Matches the process ID of the client."
         }
       },
       "required": []
diff --git a/toml-spec/spec/spec.generated.md b/toml-spec/spec/spec.generated.md
index f7011d77..19878aaf 100644
--- a/toml-spec/spec/spec.generated.md
+++ b/toml-spec/spec/spec.generated.md
@@ -879,6 +879,14 @@ The table has the following fields:
 
   The numbers should be integers.
 
+- `pid` (optional):
+
+  Matches the process ID of the client.
+
+  The value of this field should be a number.
+
+  The numbers should be integers.
+
 
 <a name="types-ClientMatchExactly"></a>
 ### `ClientMatchExactly`
diff --git a/toml-spec/spec/spec.yaml b/toml-spec/spec/spec.yaml
index 37cdb901..fc0ae7c7 100644
--- a/toml-spec/spec/spec.yaml
+++ b/toml-spec/spec/spec.yaml
@@ -3242,6 +3242,11 @@ ClientMatch:
       integer_only: true
       required: false
       description: Matches the user ID of the client.
+    pid:
+      kind: number
+      integer_only: true
+      required: false
+      description: Matches the process ID of the client.
 
 
 ClientMatchExactly: