diff --git a/app.te b/app.te
index 1aee3ac5d1fb615bbf09314bcbd68b67ac8853c5..1b8492435079e1a422961744ccea71958b0ca074 100644
--- a/app.te
+++ b/app.te
@@ -40,10 +40,11 @@ allow appdomain adbd:process sigchld;
 # child shell or gdbserver pty access for runas.
 allow appdomain devpts:chr_file { getattr read write ioctl };
 
-# Communicate with system_server.
+# Use pipes and sockets provided by system_server via binder or local socket.
 allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt };
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 binder_call(appdomain, system_server)
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
diff --git a/domain.te b/domain.te
index abd11584bca4e1126c330e6dc4b6a14fa361dd20..47e4ef894fdc5107baeed4b7f68238caabc0b9cf 100644
--- a/domain.te
+++ b/domain.te
@@ -34,6 +34,8 @@ userdebug_or_eng(`
   allow domain su:fd use;
   allow domain su:unix_stream_socket { getattr getopt read write shutdown };
 
+  binder_call(domain, su)
+
   # Running something like "pm dump com.android.bluetooth" requires
   # fifo writes
   allow domain su:fifo_file { write getattr };
diff --git a/file.te b/file.te
index 19f93d4717aae6b45250e22d653c19d49282f4ae..6ff46b66c3b04ecbe8aaf2e5d44ad47c7c3eb853 100644
--- a/file.te
+++ b/file.te
@@ -11,6 +11,7 @@ type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_net, fs_type;
+type proc_sysrq, fs_type;
 type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
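Review bot: The new `allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };` rule is safe only because it omits `create`, `connect` and `bind`, which is what stops untrusted apps from originating system_server-labelled sockets, yet the block comment says only that the sockets are "provided by system_server" and nothing records why the set is this narrow. I would add `# No create/bind/connect: only fds already opened by system_server and handed over.` above the rule so the next setopt or connect denial is not answered by widening it. `setopt` is granted on the unix_stream_socket line but not on the tcp_socket line; if that asymmetry is deliberate, one word in the comment would keep it from being "fixed" later.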
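Review bot: `binder_call(domain, su)` lets every domain, untrusted_app included, make binder calls to su (plus whatever reference-transfer permissions the macro expands to); that is tolerable only because the enclosing `userdebug_or_eng(` block, which opens above this hunk, keeps it out of user builds, and nothing next to the rule records that dependency. A comment such as `# Debug builds only (enclosing userdebug_or_eng): any process may binder-call su.` would stop the line from being copied outside the macro in a later change.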
@@ -112,6 +113,7 @@ type keystore_socket, file_type;
 type lmkd_socket, file_type;
 type mdns_socket, file_type;
 type mdnsd_socket, file_type;
+type mtpd_socket, file_type;
 type netd_socket, file_type;
 type property_socket, file_type;
 type qemud_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 81caa35d6d38fa75e5917b596957077dfc4756a5..2f3bf9b46fa4d79a11c267be729ee168caa8af0a 100644
--- a/file_contexts
+++ b/file_contexts
@@ -83,6 +83,7 @@
 /dev/socket/lmkd u:object_r:lmkd_socket:s0
 /dev/socket/mdns u:object_r:mdns_socket:s0
 /dev/socket/mdnsd u:object_r:mdnsd_socket:s0
+/dev/socket/mtpd u:object_r:mtpd_socket:s0
 /dev/socket/netd u:object_r:netd_socket:s0
 /dev/socket/property_service u:object_r:property_socket:s0
 /dev/socket/qemud u:object_r:qemud_socket:s0
diff --git a/genfs_contexts b/genfs_contexts
index 634f4bd6ca44db0004976013c8a67d6dc4b69dea..f247cec0ca101f2021935d52153cfc01e8eb8d17 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -4,6 +4,7 @@ genfscon rootfs / u:object_r:rootfs:s0
 genfscon proc / u:object_r:proc:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
diff --git a/system_server.te b/system_server.te
index 6ec3af4a2b2b99f1edd6b028647c8caa93c64825..1ec3ac8ed4962e892fe98714cd25698f0f2aac16 100644
--- a/system_server.te
+++ b/system_server.te
@@ -16,11 +16,20 @@ allow system_server system_server_tmpfs:file execute;
 # For art.
 allow system_server dalvikcache_data_file:file execute;
 
+# ptrace to processes in the same domain for debugging crashes.
+allow system_server self:process ptrace;
+
 # Child of the zygote.
 allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
 allow system_server zygote_tmpfs:file read;
 
+# May kill zygote on crashes.
+allow system_server zygote:process sigkill;
+
+# Read /system/bin/app_process.
+allow system_server zygote_exec:file r_file_perms;
+
 # Needed to close the zygote socket, which involves getopt / getattr
 # This should be deleted after b/12061011 is fixed
 allow system_server zygote:unix_stream_socket { getopt getattr };
@@ -56,6 +65,9 @@ allow system_server kernel:system module_request;
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket *;
 
+# Use generic netlink sockets.
+allow system_server self:netlink_socket create_socket_perms;
+
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };
 
@@ -71,6 +83,9 @@ allow system_server appdomain:{ file lnk_file } rw_file_perms;
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
 
+# Write to /proc/sysrq-trigger.
+allow system_server proc_sysrq:file rw_file_perms;
+
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 
@@ -88,6 +103,7 @@ unix_socket_connect(system_server, property, init)
 unix_socket_connect(system_server, qemud, qemud)
 unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)
+unix_socket_connect(system_server, mtpd, mtp)
 unix_socket_connect(system_server, netd, netd)
 unix_socket_connect(system_server, vold, vold)
 unix_socket_connect(system_server, zygote, zygote)
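Review bot: `allow system_server self:process ptrace;` is granted unconditionally while its comment justifies it only with "debugging crashes"; ptrace of another system_server-domain process is full read/write of that process's memory, so if the need is debug-only the rule belongs inside `userdebug_or_eng(` the way domain.te wraps its su rules, and if it is needed on user builds the comment should name the production component that attaches. I cannot tell from the hunk which case applies, so the ask is either the wrap or a more specific comment, e.g. `# ptrace within system_server for <component>; required on user builds.` with the placeholder filled in.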
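Review bot: `allow system_server proc_sysrq:file rw_file_perms;` is wider than the comment "Write to /proc/sysrq-trigger" needs: that file is write-only in the kernel, and a write to it can reboot or crash the device, so the rule should be `allow system_server proc_sysrq:file w_file_perms;`. Because the new `proc_sysrq` type (file.te and genfs_contexts hunks above) is introduced without any restriction on who may write it, a neverallow that excludes everything but the intended writers would keep a later cut-and-paste from quietly handing another domain the same trigger.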
@@ -113,6 +129,10 @@ r_dir_file(system_server, mediaserver)
 allow system_server appdomain:process getattr;
 allow system_server mediaserver:process getattr;
 
+# Use sockets received over binder from various services.
+allow system_server mediaserver:tcp_socket rw_socket_perms;
+allow system_server mediaserver:udp_socket rw_socket_perms;
+
 # Check SELinux permissions.
 selinux_check_access(system_server)
 
@@ -130,6 +150,7 @@ allow system_server graphics_device:chr_file rw_file_perms;
 allow system_server iio_device:chr_file rw_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
+allow system_server radio_device:chr_file r_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
 allow system_server urandom_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
@@ -156,7 +177,7 @@ allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom r
 # Relabel wallpaper.
 allow system_server system_data_file:file relabelfrom;
 allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file rw_file_perms;
+allow system_server wallpaper_file:file { rw_file_perms unlink };
 
 # Relabel /data/anr.
 allow system_server system_data_file:dir relabelfrom;
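Review bot: `rw_socket_perms` on the new mediaserver tcp_socket and udp_socket rules is broader than the stated purpose of using sockets received over binder: as defined in global_macros.te that macro also carries `bind`, `connect`, `setattr`, `lock`, `append` and `ioctl`, none of which a received descriptor needs, and it is inconsistent with the explicit `{ read write getattr getopt shutdown }` set this same commit uses for the app.te tcp_socket rule. I would use an enumerated set here too: `allow system_server mediaserver:{ tcp_socket udp_socket } { read write getattr getopt setopt shutdown };`. The macro's expansion is not visible in this diff, so confirm it against global_macros.te before trimming.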
@@ -204,15 +225,13 @@ allow system_server domain:file r_file_perms;
 allow system_server gps_device:chr_file rw_file_perms;
 allow system_server gps_control:file rw_file_perms;
 
-# Allow system_server to use app-created sockets.
-allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };
+# Allow system_server to use app-created sockets and pipes.
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:fifo_file { getattr read write };
 
 # Allow abstract socket connection
 allow system_server rild:unix_stream_socket connectto;
 
-# connect to vpn tunnel
-allow system_server mtp:unix_stream_socket { connectto };
-
 # BackupManagerService lets PMS create a data backup file
 allow system_server cache_backup_file:file create_file_perms;
 # Relabel /data/backup
@@ -222,6 +241,9 @@ allow system_server cache_backup_file:file { relabelto relabelfrom };
 # LocalTransport creates and relabels /cache/backup
 allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
 
+# Access SDcard files passed via binder or sockets.
+allow system_server sdcard_type:file { read write getattr };
+
 # Allow system to talk to usb device
 allow system_server usb_device:chr_file rw_file_perms;
 allow system_server usb_device:dir r_dir_perms;
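Review bot: The new `allow system_server appdomain:fifo_file { getattr read write };` rule, and the `sdcard_type:file { read write getattr }` rule in the following hunk, both rely on the absence of `open` to limit system_server to descriptors an app has already opened and passed in, rather than opening app pipes or sdcard files by path; the comments ("app-created sockets and pipes", "passed via binder or sockets") hint at this but never state it. I would make it explicit on both rules, e.g. `# No open: only fds received from the app over binder/socket, never opened by path.`, because adding `open` later would silently move the trust boundary. The `setopt` retained on the app-created tcp/udp sockets lets system_server change options on a socket an untrusted app still shares; that predates this change, but since the set is being widened here it is the right place to record whether that is intended.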