diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 23ee9435d..d57939bb7 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -170,6 +170,9 @@ create_pty(untrusted_app_all)
 userdebug_or_eng(`
 allow untrusted_app_all debugfs_kcov:file rw_file_perms;
 allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
+ # The use of debugfs kcov is considered a breach of the kernel integrity
+ # according to the heuristic of lockdown.
+ allow untrusted_app_all self:lockdown integrity;
 ')
 
 # Allow signalling simpleperf domain, which is the domain that the simpleperf
diff --git a/public/domain.te b/public/domain.te
index e1d6739e2..f46ca675f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -275,6 +275,14 @@ allow domain debugfs_tracing:dir search;
 allow domain debugfs_tracing_debug:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;
 
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
 # Filesystem access.
 allow domain fs_type:filesystem getattr;
 allow domain fs_type:dir getattr;
@@ -1396,3 +1404,6 @@ neverallow {
 } ashmem_device:chr_file open;
 
 neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
+
+# Linux lockdown "integrity" level is enforced for user builds.
+neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
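Review bot: The comment above the added `allow untrusted_app_all self:lockdown integrity;` only mentions kcov, but the lockdown permission is checked against the process's own context (`self`), not against the debugfs_kcov file, so this rule also satisfies any other integrity-level lockdown check the domain can otherwise reach, not just the kcov ioctls granted two lines up. That is acceptable only because the rule sits inside the userdebug_or_eng block and never reaches user builds, and the comment should say so, e.g. `# Note: lockdown is checked per process (self), not per file, so this also covers any other integrity-level lockdown check this domain can reach; debug builds only.`. The diff does not show the `lockdown` class or its `integrity`/`confidentiality` permissions being declared in security_classes/access_vectors; presumably they already exist or land alongside this change, otherwise the policy will not compile.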
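Review bot: The last line of the new comment, `# The "integrity" level is however enforced.`, does not say where that enforcement comes from; nothing in this hunk enforces it, and a reader has to discover the neverallow at the end of the file. I would make the pointer explicit: `# The "integrity" level is enforced for user builds by the neverallow at the end of this file.`. It is also worth recording in the comment that a blanket `allow domain self:lockdown confidentiality;` means confidentiality-level lockdown denials will never appear in the audit log, so this rule deliberately trades that detection signal for avoiding spurious denials on tracefs/perf access. As far as I recall the kernel files several other reasons under that level (for example /proc/kcore reads and kprobes), so "detects access to tracefs or the perf subsystem" should probably read "among others".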
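Review bot: The set expression `{ domain userdebug_or_eng(`-domain') }` in the new neverallow is correct but opaque: on userdebug/eng builds it expands to `{ domain -domain }`, an empty set, so the rule is vacuous there and only constrains user builds. The one-line comment should spell that out, e.g. `# On userdebug/eng the source set expands to { domain -domain } (empty), so only user builds are constrained.`. Note that the rule only forbids `self` as the target; since the SELinux lockdown hook uses the calling task's context for both subject and target, an allow with any other target type would be ineffective rather than harmful, but if the intent is "no integrity rule at all on user builds", a `domain`-typed target in the neverallow would catch those too.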