diff --git a/private/domain.te b/private/domain.te
index aa4305862e602b18af45781f3267931d6517c275..fb6ba4f78fadf6787de52fd745038420a3ba3a3f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -9,6 +9,7 @@ neverallow {
   domain
   -vold
   -dumpstate
+  userdebug_or_eng(`-incidentd')
   -storaged
   -system_server
   userdebug_or_eng(`-perfprofd')
diff --git a/private/incidentd.te b/private/incidentd.te
index 22ff985c351bc026aebf7e5d2427c96464421e87..6b248f181723dbb4ae092d3f82825a582f7b4250 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -46,32 +46,47 @@ userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
 allow incidentd incident_data_file:dir rw_dir_perms;
 allow incidentd incident_data_file:file create_file_perms;
 
-# Get process attributes
-# TODO allow incidentd domain:process getattr;
+# Enable incidentd to get stack traces.
+binder_use(incidentd)
+hwbinder_use(incidentd)
+allow incidentd hwservicemanager:hwservice_manager { list };
+get_prop(incidentd, hwservicemanager_prop)
+allow incidentd hidl_manager_hwservice:hwservice_manager { find };
 
 # Read files in /proc
 allow incidentd {
+  proc_cmdline
+  proc_pipe_conf
   proc_stat
 }:file r_file_perms;
 
 # Signal java processes to dump their stack and get the results
-# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
-# TODO allow incidentd anr_data_file:dir create_dir_perms;
-# TODO allow incidentd anr_data_file:file create_file_perms;
+allow incidentd { appdomain ephemeral_app system_server }:process signal;
 
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in incidentd/utils.c
 allow incidentd {
+  # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
   audioserver
   cameraserver
   drmserver
   inputflinger
-  mediacodec
   mediadrmserver
   mediaextractor
+  mediametrics
   mediaserver
   sdcardd
+  statsd
   surfaceflinger
+
+  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
+  hal_audio_server
+  hal_bluetooth_server
+  hal_camera_server
+  hal_graphics_composer_server
+  hal_sensors_server
+  hal_vr_server
+  mediacodec # TODO(b/36375899): hal_omx_server
 }:process signal;
 
 # Allow incidentd to make binder calls to any binder service
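Review bot: The unchanged comment at L44 ("This list comes from native_processes_to_dump in incidentd/utils.c") now contradicts the new comment inside the rule body at L46, which points at dumputils/dump_utils.cpp; the stale line should be dropped or folded into the new one so the list has a single stated source. The same source is spelled `dumputils/dump_utils.c` in the dumpstate.te hunks (L166, L175) and `dumputils/dump_utils.cpp` here, so one of the two is wrong and both files should agree. Separately, the header "Enable incidentd to get stack traces." at L23 sits above hwbinder_use and hwservice_manager `list`/`find` grants, which appear to serve HAL dumping rather than stack traces; a more accurate comment would be `# Enable incidentd to dump HAL interfaces over hwbinder (hal_interfaces_to_dump).` If ephemeral_app is already part of appdomain, listing it separately in the signal rule at L41 is redundant (the dumpstate counterpart at L161 lists only appdomain and system_server) — worth confirming.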
@@ -79,7 +94,18 @@ binder_call(incidentd, system_server)
 binder_call(incidentd, appdomain)
 
 # Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:global_capability_class_set sys_ptrace;
+userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
+# incidentd has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow incidentd *:process ptrace;
+
+allow incidentd self:global_capability_class_set {
+    # Send signals to processes
+    kill
+};
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
 
 # Run a shell.
 allow incidentd shell_exec:file rx_file_perms;
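Review bot: The comment at L77-78 states that incidentd has capability sys_ptrace, but the grant at L76 is wrapped in userdebug_or_eng, so on user builds the capability is not present at all; the comment should say so, e.g. `# On userdebug/eng builds incidentd has capability sys_ptrace, but should only use that`. The unconditional `neverallow incidentd *:process ptrace;` at L79 is the right shape since it holds on every build variant. The `kill` capability at L83 only lifts the DAC UID check on signals; the set of targets stays bounded by the `:process signal` rules earlier in the file, and a one-line comment noting that would make the scope of the grant clearer to later readers.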
diff --git a/private/system_server.te b/private/system_server.te
index ee5786700af42827f624028bb1d16b002787b813..e9cf30301f2ecafe489c82e4e73c764460ef77e9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -366,10 +366,11 @@ allow system_server anr_data_file:file create_file_perms;
 #
 # Allow system_server to connect and write to the tombstoned java trace socket in
 # order to dump its traces. Also allow the system server to write its traces to
-# dumpstate during bugreport capture.
+# dumpstate during bugreport capture and incidentd during incident collection.
 unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
 allow system_server tombstoned:fd use;
 allow system_server dumpstate:fifo_file append;
+allow system_server incidentd:fifo_file append;
 
 # Read /data/misc/incidents - only read. The fd will be sent over binder,
 # with no DAC access to it, for dropbox to read.
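Review bot: Only `incidentd:fifo_file append` is added for system_server at L104, whereas the parallel app.te change grants both `incidentd:fd use` and `incidentd:fifo_file { write getattr }` (L116, L125-126). If system_server receives the fifo as a binder-passed fd the way apps do, it would also need `allow system_server incidentd:fd use;` — unless that is already granted elsewhere in system_server.te, which this hunk does not show. The updated comment at L100 correctly documents the new consumer.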
diff --git a/public/app.te b/public/app.te
index 27de8bb32e9925603f02a8234501aa11acf6522f..0a9e12825a42edaa6c56abfb2f5d2b8593388d0b 100644
--- a/public/app.te
+++ b/public/app.te
@@ -150,6 +150,7 @@ allow appdomain anr_data_file:file { open append };
 unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
 allow appdomain tombstoned:fd use;
 allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
 
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
@@ -157,6 +158,10 @@ allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdow
 allow appdomain dumpstate:fifo_file { write getattr };
 allow appdomain shell_data_file:file { write getattr };
 
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
 # Write profiles /data/misc/profiles
 allow appdomain user_profile_data_file:dir { search write add_name };
 allow appdomain user_profile_data_file:file create_file_perms;
diff --git a/public/domain.te b/public/domain.te
index b914a102b4ec5bd179f4d9fe1cd94f728033c7f3..ea8cb59b517e10f6392a43b07a30c9e31c9a87d0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1034,6 +1034,7 @@ neverallow {
   -tombstoned
   -crash_dump
   -dumpstate
+  -incidentd
   -system_server
 
   # Processes that can't exec crash_dump
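Review bot: The `-incidentd` exemption added at L139 widens which domains may connect to tombstoned_crash_socket, but the incidentd.te hunk only adds `unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)` (L87), i.e. the intercept socket, not the crash socket. Unless an allow rule elsewhere grants incidentd access to the crash socket, this exemption is not needed and neverallow carve-outs are better kept to what is actually used. The enclosing neverallow begins before this hunk and closes in the next one (L145), so its full subject list is not visible here.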
@@ -1041,10 +1042,10 @@ neverallow {
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
-# Never allow anyone except dumpstate or the system server to connect or write to
+# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
 # the tombstoned intercept socket.
-neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
-neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
 
 # Android does not support System V IPCs.
 #
diff --git a/public/dumpstate.te b/public/dumpstate.te
index cd983d797c5e06e26151e540e01a2a458d17541f..0fad5e10f39c1efef68ac8fc404649ecd827b586 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -57,7 +57,7 @@ allow dumpstate { appdomain system_server }:process signal;
 
 # Signal native processes to dump their stack.
 allow dumpstate {
-  # This list comes from native_processes_to_dump in dumpstate/utils.c
+  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
   audioserver
   cameraserver
   drmserver
@@ -69,7 +69,7 @@ allow dumpstate {
   sdcardd
   surfaceflinger
 
-  # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
+  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
diff --git a/public/te_macros b/public/te_macros
index 2cb19757ebe557b768d36797fefbbea7d8fcb9c0..4d5f84bbc25d55498b150d931eea147fe5fa6f47 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -505,8 +505,10 @@ userdebug_or_eng(`
 ')
 allow $1 anr_data_file:file append;
 allow $1 dumpstate:fd use;
+allow $1 incidentd:fd use;
 # TODO: Figure out why write is needed.
 allow $1 dumpstate:fifo_file { append write };
+allow $1 incidentd:fifo_file { append write };
 allow $1 system_server:fifo_file { append write };
 allow $1 tombstoned:unix_stream_socket connectto;
 allow $1 tombstoned:fd use;
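Review bot: The new rule at L190 copies `{ append write }` from the dumpstate line, but the `# TODO: Figure out why write is needed.` comment at L188 now reads as applying to the dumpstate rule only. Either move the TODO so it sits above both rules, or grant only `append` to incidentd until the need for `write` is understood, since the new consumer has no history requiring the broader permission. The macro this hunk belongs to starts before the hunk, so its name is not visible here.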