diff --git a/scripts/inc.compatibility.sh b/scripts/inc.compatibility.sh
index 7ddf015..19635a4 100755
--- a/scripts/inc.compatibility.sh
+++ b/scripts/inc.compatibility.sh
@@ -205,6 +205,53 @@ minapihack(){
esac
}
+runtimepermissionshack(){
+ tee -a "$build/META-INF/com/google/android/update-binary" > /dev/null <<'EOFILE'
+install -d "$(dirname "$run_perms")"
+
+if [ ! -e "$run_perms" ]; then
+ fingerprint="$(file_getprop "$BPROP" "ro.build.fingerprint")"
+ echo "
+
+" > "$run_perms"
+fi
+
+#We (only) set permissions of apps that are part of core or that are direct replacements of AOSP/Stock apps with a high level of system integration
+fixpkgperms "com.android.vending" "CONTACTS_PERMISSIONS" "LOCATION_PERMISSIONS" "PHONE_PERMISSIONS" "SMS_PERMISSIONS"
+fixpkgperms "com.google.android.apps.gcs" "CONTACTS_PERMISSIONS" "LOCATION_PERMISSIONS"
+fixpkgperms "com.google.android.apps.messaging" "CAMERA_PERMISSIONS" "CONTACTS_PERMISSIONS" "LOCATION_PERMISSIONS" "MICROPHONE_PERMISSIONS" "PHONE_PERMISSIONS" "SMS_PERMISSIONS" "STORAGE_PERMISSIONS"
+fixpkgperms "com.google.android.backuptransport" "CONTACTS_PERMISSIONS"
+fixpkgperms "com.google.android.contacts" "CONTACTS_PERMISSIONS" "PHONE_PERMISSIONS" "STORAGE_PERMISSIONS"
+fixpkgperms "com.google.android.dialer" "CONTACTS_PERMISSIONS" "PHONE_PERMISSIONS" "ADDITIONAL_PERMISSIONS" #uses non-AOSP permissions
+fixpkgperms "com.google.android.GoogleCamera" "CAMERA_PERMISSIONS" "LOCATION_PERMISSIONS" "MICROPHONE_PERMISSIONS" "STORAGE_PERMISSIONS" #mind the capitals in the packagename
+fixpkgperms "com.google.android.gm.exchange" "CALENDAR_PERMISSIONS" "CONTACTS_PERMISSIONS"
+fixpkgperms "com.google.android.gms" "CALENDAR_PERMISSIONS" "CAMERA_PERMISSIONS" "CONTACTS_PERMISSIONS" "LOCATION_PERMISSIONS" "MICROPHONE_PERMISSIONS" "PHONE_PERMISSIONS" "SENSORS_PERMISSIONS" "SMS_PERMISSIONS" "STORAGE_PERMISSIONS"
+fixpkgperms "com.google.android.googlequicksearchbox" "CALENDAR_PERMISSIONS" "CAMERA_PERMISSIONS" "CONTACTS_PERMISSION" "LOCATION_PERMISSIONS" "MICROPHONE_PERMISSIONS" "PHONE_PERMISSIONS" "SMS_PERMISSIONS" "STORAGE_PERMISSIONS"
+fixpkgperms "com.google.android.gsf" "CONTACTS_PERMISSIONS" "PHONE_PERMISSIONS"
+fixpkgperms "com.google.android.gsf.login" "CONTACTS_PERMISSIONS" "PHONE_PERMISSIONS"
+fixpkgperms "com.google.android.packageinstaller" "STORAGE_PERMISSIONS"
+fixpkgperms "com.google.android.setupwizard" "CONTACTS_PERMISSIONS" "PHONE_PERMISSIONS"
+fixpkgperms "com.google.android.syncadapters.contacts" "CONTACTS_PERMISSIONS"
+fixpkgperms "com.google.android.talk" "CAMERA_PERMISSIONS" "CONTACTS_PERMISSIONS" "LOCATION_PERMISSIONS" "MICROPHONE_PERMISSIONS" "PHONE_PERMISSIONS" "SMS_PERMISSIONS" "STORAGE_PERMISSIONS"
+#faceunlock
+#calsync
+#googlefeedback
+#googleonetimeinitializer
+#googlepartnersetup
+#googletts
+#googletag
+#clockgoogle
+#calculatorgoogle
+#androidforwork
+#dmagent
+#projectfi
+
+fixuserperms "com.google.android.calendar.uid.shared" "CALENDAR_PERMISSIONS" "READ_CONTACTS" #note that READ_CONTACTS is not a permission group
+fixuserperms "com.google.uid.shared" "CALENDAR_PERMISSIONS" "CONTACTS_PERMISSIONS" "LOCATION_PERMISSIONS" "MICROPHONE_PERMISSIONS" "PHONE_PERMISSIONS" "SENSORS_PERMISSIONS" "SMS_PERMISSIONS" "STORAGE_PERMISSIONS"
+
+EOFILE
+}
+
systemlibhack(){
case "$package" in
com.google.android.webview) if [ "$API" -lt "23" ]; then #webview libs are only on /system/lib/ on pre-Marshmallow
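Review bot: The `fixpkgperms "com.google.android.googlequicksearchbox"` line passes `"CONTACTS_PERMISSION"` without the trailing S, which is not one of the group names handled by `getruntimeperms` in scripts/inc.updatebinary.sh. That function's `*)` arm returns any unknown token as a literal permission, so the typo goes unreported: the search app would get an entry for a permission name that does not exist and none of the contacts permissions. Change the argument to `"CONTACTS_PERMISSIONS"`. Because this list pre-grants dangerous permissions without a user prompt, `getruntimeperms` should also reject unknown names ending in `_PERMISSIONS` rather than pass them through, so a misspelt group fails loudly.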
diff --git a/scripts/inc.updatebinary.sh b/scripts/inc.updatebinary.sh
index ee3671b..3b3feb0 100755
--- a/scripts/inc.updatebinary.sh
+++ b/scripts/inc.updatebinary.sh
@@ -39,6 +39,7 @@ calc_log=/tmp/calc.log;
conflicts_log=/tmp/conflicts.log;
rec_cache_log=/cache/recovery/log;
rec_tmp_log=/tmp/recovery.log;
+run_perms="/data/system/users/0/runtime-permissions.xml"
user_remove_notfound_log=/tmp/user_remove_notfound.log;
user_remove_multiplefound_log=/tmp/user_remove_multiplefound.log;
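Review bot: The new `run_perms` path is hard-coded to `/data/system/users/0/`, so only the primary user's grant file is ever edited, and the line does not say that. A short comment would record the limitation, for example `# runtime permission grants are written for user 0 only; secondary users and profiles are not touched`. The assignment also drops the trailing `;` that every neighbouring assignment in this block carries.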
@@ -324,6 +325,59 @@ which_dpi() {
fi;
}
# _____________________________________________________________________________________________________________________
+# Define Runtime Permissions Functions
+fixpkgperms() {
+ currentperms="$(awk "//,/<\/pkg>/" "$run_perms")"
+ if [ -z "$currentperms" ]; then #if the packagename is not yet in the permissions
+ sed -i "/\n\ \ <\/pkg>" "$run_perms"
+ fi
+ for permissionsets in "$@"; do
+ if [ "$permissionsets" = "$1" ]; then #skip first entry since that is the packagename (posix-style)
+ continue
+ fi
+ getruntimeperms "$permissionsets"
+ for permission in $permissions; do
+ if ! echo "$currentperms" | grep -q "- /a\ \ \ \
" "$run_perms"
+ fi
+ done
+ done
+}
+
+fixuserperms() {
+ currentperms="$(awk "//,/<\/shared-user>/" "$run_perms")"
+ if [ -z "$currentperms" ]; then #if the packagename is not yet in the permissions
+ sed -i "/\n\ \ <\/shared-user>" "$run_perms"
+ fi
+ for permissionsets in "$@"; do
+ if [ "$permissionsets" = "$1" ]; then #skip first entry since that is the packagename (posix-style)
+ continue
+ fi
+ getruntimeperms "$permissionsets"
+ for permission in $permissions; do
+ if ! echo "$currentperms" | grep -q "- /a\ \ \ \
" "$run_perms"
+ fi
+ done
+ done
+}
+
+getruntimeperms(){
+ case "$1" in
+ PHONE_PERMISSIONS) permissions="READ_PHONE_STATE CALL_PHONE READ_CALL_LOG WRITE_CALL_LOG ADD_VOICEMAIL USE_SIP PROCESS_OUTGOING_CALLS";;
+ CONTACTS_PERMISSIONS) permissions="READ_CONTACTS WRITE_CONTACTS GET_ACCOUNTS";;
+ LOCATION_PERMISSIONS) permissions="ACCESS_FINE_LOCATION ACCESS_COARSE_LOCATION";;
+ CALENDAR_PERMISSIONS) permissions="READ_CALENDAR WRITE_CALENDAR";;
+ SMS_PERMISSIONS) permissions="SEND_SMS RECEIVE_SMS READ_SMS RECEIVE_WAP_PUSH RECEIVE_MMS READ_CELL_BROADCASTS";;
+ MICROPHONE_PERMISSIONS) permissions="RECORD_AUDIO";;
+ CAMERA_PERMISSIONS) permissions="CAMERA";;
+ SENSORS_PERMISSIONS) permissions="BODY_SENSORS";;
+ STORAGE_PERMISSIONS) permissions="READ_EXTERNAL_STORAGE WRITE_EXTERNAL_STORAGE";;
+ ADDITIONAL_PERMISSIONS) permissions="ACCESS_NETWORK_STATE ACCESS_WIFI_STATE CONTROL_INCALL_EXPERIENCE GET_ACCOUNTS READ_PROFILE READ_SYNC_SETTINGS RECEIVE_BOOT_COMPLETED USE_CREDENTIALS";; #not in AOSP, used in Dialer
+ *) permissions="$1";; #just give the literal permission back
+ esac
+}
+# _____________________________________________________________________________________________________________________
# Gather Pre-Install Info
# Get GApps Version and GApps Type from g.prop extracted at top of script
gapps_version=$(file_getprop /tmp/g.prop ro.addon.open_version);
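Review bot: `fixpkgperms` reads `currentperms` once before its loops and then tests every candidate permission against that snapshot, so an entry added earlier in the same call is never seen. The `com.google.android.dialer` call passes both `CONTACTS_PERMISSIONS` and `ADDITIONAL_PERMISSIONS`, and each expands to a list containing `GET_ACCOUNTS`, so that permission would presumably be appended twice. Refresh `currentperms` after each insertion, or test against the current contents of `"$run_perms"`. `fixuserperms` is a near copy with the same snapshot logic, and the two could share one helper that takes the closing tag as a parameter. All three functions also pass results through the globals `currentperms`, `permissions` and `permission`, which deserves a header comment.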
@@ -1419,6 +1473,18 @@ set_progress 0.83;
ui_print " ";
ui_print "- Fixing permissions & contexts";
ui_print " ";
+
+EOFILE
+if [ "$API" -ge "23" ]; then
+ runtimepermissionshack #marshmallow needs runtime permissions set
+fi
+tee -a "$build/META-INF/com/google/android/update-binary" > /dev/null <<'EOFILE'
+set_perm 1000 1000 771 "/data/"
+set_perm 1000 1000 775 "/data/system"
+set_perm 1000 1000 775 "/data/system/users"
+set_perm 1000 1000 700 "$(dirname "$run_perms")"
+set_perm 1000 1000 600 "$run_perms"
+
set_perm_recursive 0 0 755 644 "/system/app" "/system/framework" "/system/lib" "/system/lib64" "/system/priv-app" "/system/usr/srec" "/system/vendor/pittpatt" "/system/etc/permissions" "/system/etc/preferred-apps";
set_progress 0.85;
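Review bot: The five added `set_perm` lines sit in the heredoc that is always appended, while `runtimepermissionshack` is only emitted when `[ "$API" -ge "23" ]`. On older builds the installer would therefore run `set_perm` on a `$run_perms` file, and possibly a directory, that nothing in this patch creates. Move the lines into the `runtimepermissionshack` heredoc, or guard them on the device with `if [ -e "$run_perms" ]; then … fi`. The step is announced as "Fixing permissions & contexts", yet the visible lines set only owner and mode for the new file. If it is created from recovery, its SELinux label should be restored as well, or the reason that is unnecessary documented. The surrounding heredoc starts outside this hunk.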