diff --git a/private/domain.te b/private/domain.te
index aa4305862e602b18af45781f3267931d6517c275..fb6ba4f78fadf6787de52fd745038420a3ba3a3f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -9,6 +9,7 @@ neverallow {
 domain
 -vold
 -dumpstate
+ userdebug_or_eng(`-incidentd')
 -storaged
 -system_server
 userdebug_or_eng(`-perfprofd')
diff --git a/private/incidentd.te b/private/incidentd.te
index 22ff985c351bc026aebf7e5d2427c96464421e87..6b248f181723dbb4ae092d3f82825a582f7b4250 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
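Review bot: The new exclusion `userdebug_or_eng(`-incidentd')` carves incidentd out of a neverallow whose target is not visible here (the block opens in the hunk header and closes below the hunk), so a reader of this list cannot tell what is being relaxed; a one-line comment above it would record the justification, e.g. `# incidentd reads /proc/PID/maps for stack traces; sys_ptrace is granted in incidentd.te on userdebug/eng only and ptrace attach stays neverallowed there.` Keeping the carve-out inside userdebug_or_eng is the right shape, since it matches the conditional grant rather than widening the exclusion to user builds. The enclosing neverallow block starts and ends outside this hunk.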
@@ -46,32 +46,47 @@ userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
 allow incidentd incident_data_file:dir rw_dir_perms;
 allow incidentd incident_data_file:file create_file_perms;
-# Get process attributes
-# TODO allow incidentd domain:process getattr;
+# Enable incidentd to get stack traces.
+binder_use(incidentd)
+hwbinder_use(incidentd)
+allow incidentd hwservicemanager:hwservice_manager { list };
+get_prop(incidentd, hwservicemanager_prop)
+allow incidentd hidl_manager_hwservice:hwservice_manager { find };
 # Read files in /proc
 allow incidentd {
+ proc_cmdline
+ proc_pipe_conf
 proc_stat
 }:file r_file_perms;
 # Signal java processes to dump their stack and get the results
-# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
-# TODO allow incidentd anr_data_file:dir create_dir_perms;
-# TODO allow incidentd anr_data_file:file create_file_perms;
+allow incidentd { appdomain ephemeral_app system_server }:process signal;
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in incidentd/utils.c
 allow incidentd {
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
 audioserver
 cameraserver
 drmserver
 inputflinger
- mediacodec
 mediadrmserver
 mediaextractor
+ mediametrics
 mediaserver
 sdcardd
+ statsd
 surfaceflinger
+
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_graphics_composer_server
+ hal_sensors_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
 }:process signal;
 # Allow incidentd to make binder calls to any binder service
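Review bot: The context comment `# This list comes from native_processes_to_dump in incidentd/utils.c` directly above `allow incidentd {` now contradicts the new inner comment that points at dumputils/dump_utils.cpp; the stale outer line should be removed in this change so the list has a single source of truth. In `allow incidentd { appdomain ephemeral_app system_server }:process signal;`, `ephemeral_app` is listed next to `appdomain`; if ephemeral_app carries the appdomain attribute, as the parallel rule `allow dumpstate { appdomain system_server }:process signal;` in dumpstate.te suggests, it is redundant and the two files should read the same. The `hwservice_manager { list }` and `hidl_manager_hwservice:hwservice_manager { find }` grants let incidentd enumerate and look up every HIDL service, not only the HALs in the signal list; a comment tying them to hal_interfaces_to_dump (`# needed to locate the HAL processes listed below`) would document why that breadth is required.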
@@ -79,7 +94,18 @@ binder_call(incidentd, system_server)
 binder_call(incidentd, appdomain)
 # Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:global_capability_class_set sys_ptrace;
+userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
+# incidentd has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow incidentd *:process ptrace;
+
+allow incidentd self:global_capability_class_set {
+ # Send signals to processes
+ kill
+};
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
 # Run a shell.
 allow incidentd shell_exec:file rx_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 365c00ab952ec39f6d54f8a70cdf6860e07618a8..9830bd6a93ea1f62545f4bfe558d59a3d4e9a432 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -372,10 +372,11 @@ allow system_server anr_data_file:file create_file_perms;
 #
 # Allow system_server to connect and write to the tombstoned java trace socket in
 # order to dump its traces. Also allow the system server to write its traces to
-# dumpstate during bugreport capture.
+# dumpstate during bugreport capture and incidentd during incident collection.
 unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
 allow system_server tombstoned:fd use;
 allow system_server dumpstate:fifo_file append;
+allow system_server incidentd:fifo_file append;
 # Read /data/misc/incidents - only read. The fd will be sent over binder,
 # with no DAC access to it, for dropbox to read.
diff --git a/public/app.te b/public/app.te
index 25139acffcfb88e3ec0a3cf6d25686a11befebc4..307f12caf212cc6d6c4d854e919fbb2e4ebf160a 100644
--- a/public/app.te
+++ b/public/app.te
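Review bot: The comment `# incidentd has capability sys_ptrace` overstates the grant right above it, which is wrapped in userdebug_or_eng; on user builds incidentd has no sys_ptrace and the /proc/PID/maps reads named by the preceding comment will be denied, so the comment should say `# On userdebug/eng incidentd holds sys_ptrace solely to read sensitive /proc/PID files (e.g. maps); ptrace attach is never permitted on any build.` Keeping `neverallow incidentd *:process ptrace;` unconditional, outside the userdebug_or_eng block, is correct and should stay that way. The new `kill` capability lets incidentd signal processes of other UIDs; a note that the reachable set is bounded by the `:process signal` rules earlier in this file would make the scope explicit (those rules are outside this hunk).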
@@ -150,6 +150,7 @@ allow appdomain anr_data_file:file { open append };
 unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
 allow appdomain tombstoned:fd use;
 allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
@@ -157,6 +158,10 @@ allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdow
 allow appdomain dumpstate:fifo_file { write getattr };
 allow appdomain shell_data_file:file { write getattr };
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
 # Write profiles /data/misc/profiles
 allow appdomain user_profile_data_file:dir { search write add_name };
 allow appdomain user_profile_data_file:file create_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 8ff0cbab6a5ad727383bf99a1501169ebf1a20a2..89e58ed1edff1c042822f8e043d9e1c189113d02 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1036,6 +1036,7 @@ neverallow {
 -tombstoned
 -crash_dump
 -dumpstate
+ -incidentd
 -system_server
 # Processes that can't exec crash_dump
@@ -1043,10 +1044,10 @@ neverallow {
 -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
-# Never allow anyone except dumpstate or the system server to connect or write to
+# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
 # the tombstoned intercept socket.
-neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
-neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
 # Android does not support System V IPCs.
 #
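Review bot: Across the two hunks in this file appdomain receives `incidentd:fifo_file` permissions in two places, `append` in the first hunk and `{ write getattr }` here, copying the dumpstate split rather than stating the intended contract once; a single `allow appdomain incidentd:fifo_file { append write getattr };` under the `# Allow apps to send dump information to incidentd` comment would be clearer to audit. The accompanying `allow appdomain incidentd:fd use;` indicates apps reach these fifos only through descriptors incidentd passes them; saying so in the comment (`# via fds passed from incidentd; no incidentd-labeled fifo should be reachable by path`) records why granting this to every app is acceptable, assuming that path-reachability claim holds.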
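Review bot: `-incidentd` is added to the exclusion list of the neverallow that, per the closing line visible in the next hunk, covers `tombstoned_crash_socket:unix_stream_socket connectto`, yet nothing in this change grants incidentd that access; its new tombstoned access is `unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)`, which the intercept-socket neverallows in the following hunk already carve out. Neverallow exclusions should track actual grants, so unless incidentd.te allows the crash socket somewhere outside the hunks shown, drop the `-incidentd` line here and keep the crash-socket hardening intact. The enclosing neverallow block opens in the hunk header and closes in the next hunk.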
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 003e1f70a39a1841a8469528c20d82fd391da9a0..8906f5dcf4c8431ec3aacc0a8fc502519fb29a85 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -57,7 +57,7 @@ allow dumpstate { appdomain system_server }:process signal;
 # Signal native processes to dump their stack.
 allow dumpstate {
- # This list comes from native_processes_to_dump in dumpstate/utils.c
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.c
 audioserver
 cameraserver
 drmserver
@@ -69,7 +69,7 @@ allow dumpstate {
 sdcardd
 surfaceflinger
- # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
 hal_audio_server
 hal_bluetooth_server
 hal_camera_server
diff --git a/public/te_macros b/public/te_macros
index 9ae642997416efc42239e95974d1f1e4c6672c24..9cfe47c848ac3e72a98e7dadce698f3e126cdf61 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -499,8 +499,10 @@ userdebug_or_eng(`
 ')
 allow $1 anr_data_file:file append;
 allow $1 dumpstate:fd use;
+allow $1 incidentd:fd use;
 # TODO: Figure out why write is needed.
 allow $1 dumpstate:fifo_file { append write };
+allow $1 incidentd:fifo_file { append write };
 allow $1 system_server:fifo_file { append write };
 allow $1 tombstoned:unix_stream_socket connectto;
 allow $1 tombstoned:fd use;
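Review bot: The corrected comment names `dumputils/dump_utils.c`, while the same process list added to incidentd.te in this change is attributed to `dumputils/dump_utils.cpp`; one of the two is wrong, which defeats the point of the pointer, so both should name the same file (`.cpp` looks like the intended one from the incidentd.te wording, but confirm against the source tree). The hal_interfaces_to_dump comment in the next hunk has the same mismatch.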
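Review bot: `allow $1 incidentd:fifo_file { append write };` carries over the `write` permission that the existing `# TODO: Figure out why write is needed.` already flags as unexplained for dumpstate, so the open question now silently covers a second domain. If the incidentd path only needs to append a trace to a passed fifo, `allow $1 incidentd:fifo_file append;` (matching `allow system_server incidentd:fifo_file append;` in this change) is the least-privilege choice; otherwise extend the TODO to `# TODO: Figure out why write is needed for dumpstate and incidentd.` The enclosing macro definition begins outside this hunk.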