diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 60e8503c9bf08d64c3a0f487b88a367dc38277d1..7e14dd42dd265c619ac9c44b30e31a97eb55b3a6 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -19,7 +19,8 @@ neverallow all_untrusted_apps domain:netlink_socket *;
 
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow all_untrusted_apps debugfs_type:file read;
+neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:file read;
 
 # Do not allow untrusted apps to register services.
 # Only trusted components of Android should be registering
diff --git a/private/file.te b/private/file.te
index 8d18a9084484936839385994ab324ca747a34d8c..fd1c2eec5d6953354945de48b158f2d795f43cd3 100644
--- a/private/file.te
+++ b/private/file.te
@@ -9,3 +9,7 @@ type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
 
 # /data/misc/perfetto-traces for perfetto traces
 type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+
+# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
+type debugfs_kcov, fs_type, debugfs_type;
+
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a965bb88232f6f3a3b0eb9a813567a8d5b07238f..dc43958bbe45b41d4e1cd8e3e64a192e3af33631 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -255,6 +255,9 @@ genfscon debugfs /tracing/events/lowmemorykiller/
 genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
+
+
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon exfat / u:object_r:exfat:s0
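Review bot: The second added neverallow in app_neverallows.te is correct only because of an unexplained m4 trick: on userdebug/eng builds the userdebug_or_eng(`-domain') fragment expands to `-domain`, making the source set `{all_untrusted_apps -domain}` empty and the rule vacuous, while on user builds it expands to nothing and the full debugfs read ban stays in force. Nothing in the hunk says so, and the first line's `-debugfs_kcov` carve-out is not build-gated, so a maintainer who edits or drops the second line alone silently opens kcov to untrusted apps on user builds. Suggest a comment above the pair: `# debugfs_kcov is exempted from this ban only on userdebug/eng (kernel fuzzing); the second rule, whose source set collapses to nothing on those builds, keeps the full ban on user builds.` The ban is still `read` only, as before, so the rw/ioctl grant made elsewhere in this change is not constrained by it; hedged, since the rest of the file is outside the hunk.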
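Review bot: The new comment in file.te says "in userdebug builds", but the `debugfs_kcov` type and its genfscon label exist on every build; only the access grant in untrusted_app_all.te is gated. Suggest `# /sys/kernel/debug/kcov, labelled on all builds; access for coverage guided kernel fuzzing is granted only on userdebug/eng.` so a reader does not conclude the node is unlabelled on user builds.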
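Review bot: The genfs_contexts hunk adds two blank lines after the new `/kcov` entry, leaving three consecutive blank lines before `genfscon inotifyfs` where the rest of the file separates groups with one. Suggest adding only `genfscon debugfs /kcov u:object_r:debugfs_kcov:s0` and keeping the single existing separator.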
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 527216def248891dd2bab6ac76a21dfe2255f324..72e03e12fbc3c8ac5a7b2e80d99ff16d15067ed4 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -140,3 +140,10 @@ create_pty(untrusted_app_all)
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
 # denial to prevent third party apps from spamming the logs.
 dontaudit untrusted_app_all system_data_file:dir write;
+
+# Allow access to kcov via its ioctl interface for coverage
+# guided kernel fuzzing.
+userdebug_or_eng(`
+  allow untrusted_app_all debugfs_kcov:file rw_file_perms;
+  allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
+')
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 97869f9f9f82d54f16f59bc7f0c98fe0bed5dc64..ab2f7c5543fd5a029a2a9fe10e832409b97d6f23 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1169,6 +1169,9 @@ define(`JSIOCGVERSION', `0x80046a01')
 define(`JSIOCSAXMAP', `0x40406a31')
 define(`JSIOCSBTNMAP', `0x44006a33')
 define(`JSIOCSCORR', `0x40246a21')
+define(`KCOV_DISABLE', `0x00006365')
+define(`KCOV_ENABLE', `0x00006364')
+define(`KCOV_INIT_TRACE', `0x80086301')
 define(`KDADDIO', `0x00004b34')
 define(`KDDELIO', `0x00004b35')
 define(`KDDISABIO', `0x00004b37')
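Review bot: The comment on the new userdebug_or_eng block in untrusted_app_all.te does not say that this is a deliberate exception to the debugfs read ban in app_neverallows.te (relaxed for debugfs_kcov on userdebug/eng only in the same change), nor that the allowxperm line is what bounds the exposure to the three kcov commands; read on its own, the hunk shows an untrusted domain receiving `rw_file_perms` on a debugfs node. Suggest widening the comment to: `# userdebug/eng only: let untrusted apps drive kcov for coverage guided kernel fuzzing. This is the single carve-out from the debugfs neverallow in app_neverallows.te; ioctls are limited to the three kcov commands below.` Separately, `rw_file_perms` is broader than the open/read/write/map/ioctl that an mmap-plus-ioctl interface would presumably need, but I have not checked whether getattr, lock or append are exercised by kcov users, so narrowing it is a follow-up rather than a blocker.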
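Review bot: `KCOV_INIT_TRACE` is added as `0x80086301`, whose size field (`0x0008`) encodes an 8-byte argument; if this was derived from the kernel's `_IOR('c', 1, unsigned long)`, a 32-bit process evaluates the same macro with a 4-byte unsigned long and issues a different request number, which the allowxperm list in untrusted_app_all.te would then deny. That may be the intended scope (64-bit fuzzers only), but it is not stated anywhere in the change, and a denial on a 32-bit build would look like a policy bug. Suggest a comment next to the define, `# 64-bit encoding of _IOR('c', 1, unsigned long); 32-bit callers produce a different number and are not covered.`, or, if 32-bit fuzzing is wanted, adding the 32-bit encoding to this table and to the xperm list. `KCOV_ENABLE` and `KCOV_DISABLE` carry no size field and are unaffected.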