diff --git a/app.te b/app.te
index 8109ddb71e6029e9d2271bc0a2c6120b512beb5a..9adb86a809ae6f5b533c73b8ca7ce33e0c6d3ab7 100644
--- a/app.te
+++ b/app.te
@@ -33,9 +33,10 @@ allow appdomain adbd:process sigchld;
 # child shell or gdbserver pty access for runas.
 allow appdomain devpts:chr_file { getattr read write ioctl };
 
-# Communicate with system_server.
+# Use pipes and sockets provided by system_server via binder or local socket.
 allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt };
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
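Review bot: The new tcp_socket rule and the widened unix_stream_socket rule grant no `create`, `bind` or `connect`, so they can only apply to descriptors that system_server has already handed to the app, and the comment should say so because that is the entire argument for letting an untrusted app domain touch system_server-owned sockets: `# Use pipes and sockets handed to apps by system_server (via binder or local socket). No create/connect: applies only to received fds.` The added `shutdown` also lets an app close system_server's end of a shared socket; if that is accepted it is worth stating in the same comment, since the consuming code is not in this diff.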
diff --git a/domain.te b/domain.te
index 013126baa08a652a1a1c6b84cf92534e50e50387..34af567d9c65d9b2cfe47279027bfd577405d521 100644
--- a/domain.te
+++ b/domain.te
@@ -35,6 +35,8 @@ userdebug_or_eng(`
   allow domain su:fd use;
   allow domain su:unix_stream_socket { getattr getopt read write shutdown };
 
+  binder_call(domain, su)
+
   # Running something like "pm dump com.android.bluetooth" requires
   # fifo writes
   allow domain su:fifo_file { write getattr };
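Review bot: `binder_call(domain, su)` is added without a comment while every neighbouring rule in this block explains its use case; add one naming what su must be reachable over binder for, e.g. `# Allow any domain to call binder services hosted by su (debug builds only).`, assuming binder_call keeps its usual (client, server) argument order. The rule sits inside the userdebug_or_eng block opened at the hunk header, so it never lands in user builds, which the comment should also make explicit since the macro name alone does not show it.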
diff --git a/file.te b/file.te
index baa77d0b74fcb36b38eb6a518f264fec5db93572..f1bcafdbd2ee26354fe30809e9671549b1279615 100644
--- a/file.te
+++ b/file.te
@@ -11,6 +11,7 @@ type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_net, fs_type;
+type proc_sysrq, fs_type;
 type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
@@ -116,6 +117,7 @@ type logdr_socket, file_type;
 type logdw_socket, file_type;
 type mdns_socket, file_type;
 type mdnsd_socket, file_type;
+type mtpd_socket, file_type;
 type netd_socket, file_type;
 type property_socket, file_type;
 type racoon_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 6b7e45c0d9f43f17eedf79f6815f87edb107d461..8bc312f2e0cab6c91723f251be26416f00083d05 100644
--- a/file_contexts
+++ b/file_contexts
@@ -85,6 +85,7 @@
 /dev/socket/logdw	u:object_r:logdw_socket:s0
 /dev/socket/mdns	u:object_r:mdns_socket:s0
 /dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
+/dev/socket/mtpd	u:object_r:mtpd_socket:s0
 /dev/socket/netd	u:object_r:netd_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/racoon	u:object_r:racoon_socket:s0
diff --git a/genfs_contexts b/genfs_contexts
index 634f4bd6ca44db0004976013c8a67d6dc4b69dea..f247cec0ca101f2021935d52153cfc01e8eb8d17 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -4,6 +4,7 @@ genfscon rootfs / u:object_r:rootfs:s0
 genfscon proc / u:object_r:proc:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
diff --git a/system_server.te b/system_server.te
index cf4b158436a0b200b2aa695e47a144123ccad1e3..1f6bbee3822380915148cec3d45d44e790656ce6 100644
--- a/system_server.te
+++ b/system_server.te
@@ -16,11 +16,20 @@ allow system_server system_server_tmpfs:file execute;
 # For art.
 allow system_server dalvikcache_data_file:file execute;
 
+# ptrace to processes in the same domain for debugging crashes.
+allow system_server self:process ptrace;
+
 # Child of the zygote.
 allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
 allow system_server zygote_tmpfs:file read;
 
+# May kill zygote on crashes.
+allow system_server zygote:process sigkill;
+
+# Read /system/bin/app_process.
+allow system_server zygote_exec:file r_file_perms;
+
 # Needed to close the zygote socket, which involves getopt / getattr
 allow system_server zygote:unix_stream_socket { getopt getattr };
 
@@ -55,6 +64,9 @@ allow system_server kernel:system module_request;
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 
+# Use generic netlink sockets.
+allow system_server self:netlink_socket create_socket_perms;
+
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };
 
@@ -70,6 +82,9 @@ allow system_server appdomain:{ file lnk_file } rw_file_perms;
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
 
+# Write to /proc/sysrq-trigger.
+allow system_server proc_sysrq:file rw_file_perms;
+
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 
@@ -86,6 +101,7 @@ allow system_server init:process sigchld;
 unix_socket_connect(system_server, property, init)
 unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)
+unix_socket_connect(system_server, mtpd, mtp)
 unix_socket_connect(system_server, netd, netd)
 unix_socket_connect(system_server, vold, vold)
 unix_socket_connect(system_server, zygote, zygote)
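Review bot: `unix_socket_connect(system_server, mtpd, mtp)` replaces the explicit `mtp:unix_stream_socket connectto` rule removed later in this commit, but the "connect to vpn tunnel" comment that explained it is dropped with it, leaving the mtpd line as the only entry in this macro list whose purpose is not obvious from the name. Carry the comment over: `# connect to vpn tunnel (mtpd socket)` above the new line.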
@@ -109,6 +125,10 @@ r_dir_file(system_server, mediaserver)
 allow system_server appdomain:process getattr;
 allow system_server mediaserver:process getattr;
 
+# Use sockets received over binder from various services.
+allow system_server mediaserver:tcp_socket rw_socket_perms;
+allow system_server mediaserver:udp_socket rw_socket_perms;
+
 # Check SELinux permissions.
 selinux_check_access(system_server)
 
@@ -126,6 +146,7 @@ allow system_server graphics_device:chr_file rw_file_perms;
 allow system_server iio_device:chr_file rw_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
+allow system_server radio_device:chr_file r_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
 allow system_server urandom_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
@@ -151,7 +172,7 @@ allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom r
 # Relabel wallpaper.
 allow system_server system_data_file:file relabelfrom;
 allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file rw_file_perms;
+allow system_server wallpaper_file:file { rw_file_perms unlink };
 
 # Relabel /data/anr.
 allow system_server system_data_file:dir relabelfrom;
@@ -199,15 +220,13 @@ allow system_server domain:file r_file_perms;
 allow system_server gps_device:chr_file rw_file_perms;
 allow system_server gps_control:file rw_file_perms;
 
-# Allow system_server to use app-created sockets.
-allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };
+# Allow system_server to use app-created sockets and pipes.
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:fifo_file { getattr read write };
 
 # Allow abstract socket connection
 allow system_server rild:unix_stream_socket connectto;
 
-# connect to vpn tunnel
-allow system_server mtp:unix_stream_socket { connectto };
-
 # BackupManagerService lets PMS create a data backup file
 allow system_server cache_backup_file:file create_file_perms;
 # Relabel /data/backup
@@ -217,6 +236,9 @@ allow system_server cache_backup_file:file { relabelto relabelfrom };
 # LocalTransport creates and relabels /cache/backup
 allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
 
+# Access SDcard files passed via binder or sockets.
+allow system_server sdcard_type:file { read write getattr };
+
 # Allow system to talk to usb device
 allow system_server usb_device:chr_file rw_file_perms;
 allow system_server usb_device:dir r_dir_perms;
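Review bot: The sdcard_type rule deliberately omits `open`, which is what keeps it limited to descriptors received from other processes rather than letting system_server open sdcard files itself; the comment should say so, because a reader seeing read/write without open is likely to "fix" it: `# Access SDcard files passed via binder or sockets (fd already open; no open perm on purpose).`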