diff --git a/private/traced.te b/private/traced.te
index 33c5ac090..f58aa0fe4 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,5 +1,7 @@
 # Perfetto user-space tracing daemon (unprivileged)
-type traced, domain, coredomain, mlstrustedsubject;
+
+# type traced is defined under /public (because iorapd rules
+# under public/ need to refer to it).
 type traced_exec, system_file_type, exec_type, file_type;
 
 # Allow init to exec the daemon.
@@ -19,10 +21,18 @@ allow traced self:global_capability_class_set { sys_nice };
 # directly into that (rather than returning the trace contents over the socket).
 allow traced perfetto:fd use;
 allow traced shell:fd use;
-allow traced traceur_app:fd use;
 allow traced perfetto_traces_data_file:file { read write };
+
+# Allow traceur to pass open file descriptors to traced, so traced can directly
+# write into the output file without doing roundtrips over IPC.
+allow traced traceur_app:fd use;
 allow traced trace_data_file:file { read write };
+# Allow iorapd to pass memfd descriptors to traced, so traced can directly
+# write into the shmem buffer file without doing roundtrips over IPC.
+allow traced iorapd:fd use;
+allow traced iorapd_tmpfs:file { read write };
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/iorapd.te b/public/iorapd.te
index c056943f8..f2df0b08d 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -31,6 +31,9 @@ binder_call(iorapd, healthd)
 # iorapd temporarily changes its priority when running benchmarks
 allow iorapd self:global_capability_class_set sys_nice;
+# Allow to access Perfetto traced's privileged consumer socket to start/stop
+# tracing sessions and read trace data.
+unix_socket_connect(iorapd, traced_consumer, traced)
 ###
 ### neverallow rules
diff --git a/public/traced.te b/public/traced.te
new file mode 100644
index 000000000..ec5b85039
--- /dev/null
+++ b/public/traced.te
@@ -0,0 +1,2 @@
+type traced, domain, coredomain, mlstrustedsubject;
+
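Review bot: The replacement comment says the type lives under `/public` while its next line says `under public/`; the two should agree and name the file, e.g. `# type traced is declared in public/traced.te (iorapd rules under public/ need to refer to it).` The removed line is the only place in this hunk that shows the attribute list (`domain, coredomain, mlstrustedsubject`), so a reader of private/traced.te now has to open the other file to learn that traced is mlstrustedsubject; one clause in the comment noting that the attributes moved unchanged would save that round trip.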
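Review bot: `allow traced iorapd_tmpfs:file { read write };` grants read/write on every file carrying the iorapd_tmpfs label, not only on the memfds the comment describes; what actually confines it to descriptors iorapd chooses to hand over is that the rule omits `open`, and that is not stated anywhere, so a later "fix" adding `open` would silently widen it. I would record it next to the rule: `# Deliberately no 'open': traced can only use memfds that iorapd passes it over the socket.` The same reasoning applies to the preceding `trace_data_file` / traceur pair, whose comment could say so in one clause. The `### Neverallow rules` section that should bound these grants continues outside this hunk, so I could not check the new rules against it.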
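Review bot: `unix_socket_connect(iorapd, traced_consumer, traced)` gives iorapd the endpoint the comment itself calls privileged, i.e. the ability to start/stop tracing sessions and read back trace data, but the comment neither says what iorapd needs sessions for nor reads as a sentence ("Allow to access"); I would rewrite it as `# Allow iorapd to connect to Perfetto traced's privileged consumer socket so it can start/stop its own tracing sessions and read the resulting trace data.` If the `### neverallow rules` block that follows (outside this hunk), or traced's own neverallow list, restricts which domains may write to `traced_consumer:sock_file`, iorapd has to be added to that allowlist in the same change or the policy will not build; I cannot see those rules from here.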
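Review bot: The new public/traced.te has no header comment, so a reader landing on `type traced, domain, coredomain, mlstrustedsubject;` gets no hint that the rules live in private/traced.te or why the declaration was pulled out; I would open the file with `# Perfetto user-space tracing daemon (unprivileged). Declared here rather than in private/ so that public/iorapd.te can reference it; all rules stay in private/traced.te.` The attribute set is carried over verbatim from the removed line, which is right for a pure move; if the public/ tree is the part of the policy exported to vendor, as I believe it is in this repository, that set is now part of that surface and deserves a sentence in the comment as well.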