diff --git a/prebuilts/api/31.0/private/atrace.te b/prebuilts/api/31.0/private/atrace.te
index d4aed40a4..d9e351c49 100644
--- a/prebuilts/api/31.0/private/atrace.te
+++ b/prebuilts/api/31.0/private/atrace.te
@@ -27,15 +27,16 @@ set_prop(atrace, debug_prop)
 allow atrace {
 service_manager_type
 -apex_service
- -incident_service
- -iorapd_service
- -netd_service
 -dnsresolver_service
- -stats_service
 -dumpstate_service
+ -incident_service
 -installd_service
- -vold_service
+ -iorapd_service
 -lpdump_service
+ -netd_service
+ -stats_service
+ -tracingproxy_service
+ -vold_service
 -default_android_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
diff --git a/prebuilts/api/31.0/private/incidentd.te b/prebuilts/api/31.0/private/incidentd.te
index ef191a200..e20e6ca8e 100644
--- a/prebuilts/api/31.0/private/incidentd.te
+++ b/prebuilts/api/31.0/private/incidentd.te
@@ -161,6 +161,7 @@ allow incidentd {
 system_server_service
 app_api_service
 system_api_service
+ -tracingproxy_service
 }:service_manager find;
 # Only incidentd can publish the binder service
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 10b8177ec..239686e67 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -90,6 +90,7 @@ allow system_app {
 -netd_service
 -system_suspend_control_internal_service
 -system_suspend_control_service
+ -tracingproxy_service
 -virtual_touchpad_service
 -vold_service
 -vr_hwc_service
diff --git a/prebuilts/api/31.0/private/traced.te b/prebuilts/api/31.0/private/traced.te
index 6e3ad460c..fc9a2455a 100644
--- a/prebuilts/api/31.0/private/traced.te
+++ b/prebuilts/api/31.0/private/traced.te
@@ -116,3 +116,6 @@ neverallow traced {
 # Only init is allowed to enter the traced domain via exec()
 neverallow { domain -init } traced:process transition;
 neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/private/atrace.te b/private/atrace.te
index d4aed40a4..d9e351c49 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -27,15 +27,16 @@ set_prop(atrace, debug_prop)
 allow atrace {
 service_manager_type
 -apex_service
- -incident_service
- -iorapd_service
- -netd_service
 -dnsresolver_service
- -stats_service
 -dumpstate_service
+ -incident_service
 -installd_service
- -vold_service
+ -iorapd_service
 -lpdump_service
+ -netd_service
+ -stats_service
+ -tracingproxy_service
+ -vold_service
 -default_android_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
diff --git a/private/incidentd.te b/private/incidentd.te
index ef191a200..e20e6ca8e 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -161,6 +161,7 @@ allow incidentd {
 system_server_service
 app_api_service
 system_api_service
+ -tracingproxy_service
 }:service_manager find;
 # Only incidentd can publish the binder service
diff --git a/private/system_app.te b/private/system_app.te
index 10b8177ec..239686e67 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -90,6 +90,7 @@ allow system_app {
 -netd_service
 -system_suspend_control_internal_service
 -system_suspend_control_service
+ -tracingproxy_service
 -virtual_touchpad_service
 -vold_service
 -vr_hwc_service
diff --git a/private/traced.te b/private/traced.te
index 6e3ad460c..fc9a2455a 100644
--- a/private/traced.te
+++ b/private/traced.te
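Review bot: The only functional line in the `private/atrace.te` hunk, `-tracingproxy_service`, is buried in an alphabetical re-sort of the exclusion list, and nothing in the file says why atrace must not look this service up. A comment above the set, for example `# tracingproxy_service is excluded because a neverallow in traced.te restricts who may find it`, would tell a reader that the exclusion is required by that assertion rather than being a tuning choice. The same comment fits the `-tracingproxy_service` lines added in `private/incidentd.te` and `private/system_app.te`, and the mirrored hunks under `prebuilts/api/31.0/private/`. Keeping the re-sort in a separate commit would also make the policy change easier to audit.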
@@ -116,3 +116,6 @@ neverallow traced {
 # Only init is allowed to enter the traced domain via exec()
 neverallow { domain -init } traced:process transition;
 neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
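Review bot: The new neverallow in `private/traced.te` exempts five domains, including `shell`, but its comment only says access is limited and gives no reason why each exempted domain needs `find` on `tracingproxy_service`. Extending the comment with one clause per domain would let a later reviewer tell a deliberate exemption from a leftover; the identical hunk under `prebuilts/api/31.0/private/traced.te` needs the same text. The rule is a build-time assertion and grants nothing, so the allow rules that actually give these domains `find` sit outside this diff and should be checked against the list. It also constrains only `find`: which domain registers the service is not visible here, and if it is a single domain a companion rule such as `neverallow { domain -<publisher_domain> } tracingproxy_service:service_manager add;` (placeholder domain) would pin that as well.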