diff --git a/private/atrace.te b/private/atrace.te
index fc2751764dc51f27fefb9c17a3880e9f42a71c71..3d7902fe982ad866862344bb71603242ddf27553 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -14,6 +14,7 @@ userdebug_or_eng(`
# Allow atrace to access tracefs.
allow atrace debugfs_tracing:dir r_dir_perms;
allow atrace debugfs_tracing:file rw_file_perms;
+ allow atrace debugfs_tracing_debug:dir r_dir_perms;
allow atrace debugfs_tracing_debug:file rw_file_perms;
allow atrace debugfs_trace_marker:file getattr;
diff --git a/private/domain.te b/private/domain.te
index dff7957f01b810c04e302893cdf67608698d74e7..aa35ff9bb02a010808bd418e6282be066a34f4d9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -17,6 +17,13 @@ neverallow {
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+neverallow {
+ domain
+ -init
+ -vendor_init
+ userdebug_or_eng(`-domain')
+} debugfs_tracing_debug:file no_rw_file_perms;
+
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 0eafca6e7789906b025c66e0dddc0576ed37f498..8b72457e3f93e5fb26eca09acef44a4bbc07e815 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -14,6 +14,7 @@ allow dumpstate dumpstate_tmpfs:file execute;
# systrace support - allow atrace to run
allow dumpstate debugfs_tracing:dir r_dir_perms;
allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_tracing_debug:dir r_dir_perms;
allow dumpstate debugfs_trace_marker:file getattr;
allow dumpstate atrace_exec:file rx_file_perms;
allow dumpstate storaged_exec:file rx_file_perms;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8f0d489ab7291d8db144f5ba06a3e2703be7d3c1..986e415c47d96f07f80a1299206c157634acc969 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -123,7 +123,12 @@ genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
-genfscon debugfs /tracing u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
@@ -148,7 +153,6 @@ genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:
genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/sync/enable u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
@@ -166,12 +170,62 @@ genfscon tracefs /events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_
genfscon tracefs /events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
+
+genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/enable u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/enable u:object_r:debugfs_tracing:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
genfscon debugfs / u:object_r:debugfs:s0
-genfscon tracefs / u:object_r:debugfs_tracing:s0
genfscon fuse / u:object_r:fuse:s0
genfscon configfs / u:object_r:configfs:s0
genfscon sdcardfs / u:object_r:sdcardfs:s0
diff --git a/private/shell.te b/private/shell.te
index 7a7ebf462cfa185f07f69f60ee16d8a04d589872..9b7235b8a0721daa9393d4067a81438fc8214624 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -4,18 +4,19 @@ typeattribute shell coredomain;
allow shell uhid_device:chr_file rw_file_perms;
# systrace support - allow atrace to run
+allow shell debugfs_tracing_debug:dir r_dir_perms;
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
-# read config.gz for CTS purposes
-allow shell config_gz:file r_file_perms;
-
userdebug_or_eng(`
allow shell debugfs_tracing_debug:file rw_file_perms;
')
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
diff --git a/private/traceur_app.te b/private/traceur_app.te
index e2d55f89e7a6801e367c7e0294d7b8cfedff903c..c9e6be1b7cb00f1b4319a6e6a64ed13da1b5c01e 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -2,6 +2,7 @@ typeattribute traceur_app coredomain;
app_domain(traceur_app);
allow traceur_app debugfs_tracing:file rw_file_perms;
+allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
userdebug_or_eng(`
allow traceur_app debugfs_tracing_debug:file rw_file_perms;
@@ -10,3 +11,5 @@ userdebug_or_eng(`
allow traceur_app trace_data_file:file create_file_perms;
allow traceur_app trace_data_file:dir { add_name getattr search write };
allow traceur_app atrace_exec:file rx_file_perms;
+
+dontaudit traceur_app debugfs_tracing_debug:file audit_access;
diff --git a/public/domain.te b/public/domain.te
index 24514bf0f619b62d790e2c8348a25be264f1ab62..b175ed436c7cc873d85ba80170b5be6af42614c8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -241,6 +241,7 @@ allow domain cgroup:file w_file_perms;
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
# Filesystem access.
diff --git a/public/file.te b/public/file.te
index f45de90cb94be5594297cd55e9ef92c1f4455d7a..d1feb3acedcc227f402fb8a60822db351fb4f824 100644
--- a/public/file.te
+++ b/public/file.te
@@ -379,7 +379,7 @@ allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_bpf tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
diff --git a/public/init.te b/public/init.te
index c3e36eaf2230babc8d5f44c58fa60b93974c5fdd..afdc10ed195225431ae029b636ba7a1cdfb5388f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -199,7 +199,7 @@ allow init {
allow init cache_file:lnk_file r_file_perms;
allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;