diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7291de6a2..4c4c5d095 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -42,6 +42,7 @@ tests: stage: test image: golang script: + - echo '#!/usr/bin/env bash\nexit 0' > /usr/bin/journalctl - go test ./cmd/aa-log -v -cover diff --git a/.golangci.yaml b/.golangci.yaml new file mode 100644 index 000000000..7718ccda2 --- /dev/null +++ b/.golangci.yaml @@ -0,0 +1,5 @@ +--- + +linters-settings: + staticcheck: + checks: ["all", "-SA1019" ] diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c65cda9f3..e00b0fb8a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,8 +1,8 @@ # Contributing -You want to contribute to `apparmor.d`, **thank a lot for this.** You will find -in this page all the useful information needed to contribute. - +You want to contribute to `apparmor.d`, **thank a lot for this.** Feedbacks, +contributors, pull requests are all very welcome. You will find in this page all +the useful information needed to contribute. ## How to contribute? @@ -31,7 +31,7 @@ you'll see a Compare & pull request button, fill and submit the pull request. ## Projects rules - + A few rules: 1. As these are mandatory access control policies only what it explicitly required should be authorized. Meaning, you should not allow everything (or a large area) 
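Review bot: The journalctl stub written by the new `script:` line is never marked executable, and if the job shell is bash (the golang image ships it) `echo` keeps the `\n` of the single-quoted string literal, so the file holds the single line `#!/usr/bin/env bash\nexit 0` instead of a shebang followed by `exit 0`; either way an exec of the stub fails. Presumably `go test ./cmd/aa-log` on the next line shells out to journalctl and the stub exists so the test does not depend on a host journal; `printf '#!/bin/sh\nexit 0\n' > /usr/bin/journalctl && chmod +x /usr/bin/journalctl` gives a working stub under both bash and dash. A short comment above the line saying what the stub is for would also help, since overwriting a binary under /usr/bin inside a CI job otherwise reads as an accident.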
@@ -75,7 +75,26 @@ profile foo @{exec_path} { ## Profile Guidelines -> This profile guideline is still evloving, feel free to propose improvment +**A common structure** + +AppArmor profiles can be written without any specific guidelines. However, when +you work with over 1200 profiles, you need a common structure among all the profiles. + +The logic behind it is that if a rule is present in a profile, it should only be +in one place, making profile review easier. + +For example, if a program needs to run executables binary. The rules allowing it +can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It +is therefore easy to ensure some profile features such as: +* A profile has access to a given resource +* A profile enforces a strict [write xor execute] (W^X) policy. + +It also improves compatibilities and makes personalization easier thanks to the use of more variables + +**Guidelines** + +> **Note**: This profile guideline is still evolving, feel free to propose improvment +> as long as it does not vary too much from the existing rules. In order to ensure a common structure across the profiles, all new profile should try to follow the guideline presented here. 
@@ -87,18 +106,20 @@ The rules in the profile should be sorted as follow: - mount - remount - umount +- pivot_root - ptrace - signal - unix - dbus (send, receive) send receice -- @{exec_path} mr, +- @{exec_path} mr, the entry point of the profile - The binaries and library required: `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`... + It is the only place where you can have `mr`, `rix`, `rPx`, `rUx`, `rPUX` rules. - The shared resources: `/usr/share`... - The system configuration: `/etc`... - The system data: `/var`... - The user data: `owner @{HOME}/`... - The user configuration, cache and in general all dotfiles -- Temporary data: `/tmp/`, `@{run}/`... +- Temporary and runtime data: `/tmp/`, `@{run}/`, `/dev/shm/`... - Sys files: `@{sys}/`... - Proc files: `@{PROC}/`... - Dev files: `/dev/`... @@ -120,10 +141,10 @@ The rules in the profile should be sorted as follow: The included tool `aa-log` can be useful to explore the apparmor log -## Abstraction +## Abstractions This project and the apparmor profile official project provide a large selection -of abstraction to be included in profiles. They should be used. +of abstractions to be included in profiles. They should be used. For instance, instead of writting: ```sh 
@@ -142,44 +163,61 @@ include * `@{PROC}=/proc/` * `@{run}=/run/ /var/run/` * `@{sys}=/sys/` -* The Home directory: `@{HOME}` +* The home root: `@{HOMEDIRS}=/home/` +* The home directories: `@{HOME}=@{HOMEDIRS}/*/ /root/` * Process id(s): `@{pid}`, `@{pids}` * User id: `@{uid}` * Thread id: `@{tid}` * Classic XDG user directories: - - Desktop: `@{XDG_DESKTOP_DIR}="Desktop"` - - Download: `@{XDG_DOWNLOAD_DIR}="Downloads"` - - Templates: `@{XDG_TEMPLATES_DIR}="Templates"` - - Public: `@{XDG_PUBLICSHARE_DIR}="Public"` - - Documents: `@{XDG_DOCUMENTS_DIR}="Documents"` - - Music: `@{XDG_MUSIC_DIR}="Music"` - - Pictures: `@{XDG_PICTURES_DIR}="Pictures"` - - Videos: `@{XDG_VIDEOS_DIR}="Videos"` + - Desktop: `@{XDG_DESKTOP_DIR}="Desktop"` + - Download: `@{XDG_DOWNLOAD_DIR}="Downloads"` + - Templates: `@{XDG_TEMPLATES_DIR}="Templates"` + - Public: `@{XDG_PUBLICSHARE_DIR}="Public"` + - Documents: `@{XDG_DOCUMENTS_DIR}="Documents"` + - Music: `@{XDG_MUSIC_DIR}="Music"` + - Pictures: `@{XDG_PICTURES_DIR}="Pictures"` + - Videos: `@{XDG_VIDEOS_DIR}="Videos"` **Additional variables available with this project:** -* Common mountpoints: `@{MOUNTS}=/media/ @{run}/media /mnt` +* Mountpoints root: `@{MOUNTDIRS}=/media/ @{run}/media/ /mnt/` +* Common mountpoints: `@{MOUNTS}=@{MOUNTDIRS}/*/` * Universally unique identifier: `@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*` +* Hexadecimal: `@{hex}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]` * Extended XDG user directories: - - Projects: `@{XDG_PROJECTS_DIR}="Projects"` - - Books: `@{XDG_BOOKS_DIR}="Books"` - - Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"` - - Sync: `@{XDG_SYNC_DIR}="Sync"` - - Vm: `@{XDG_VM_DIR}=".vm"` - - SSH: `@{XDG_SSH_DIR}=".ssh"` - - GPG: `@{XDG_GPG_DIR}=".gnupg"` - - Cache:` @{XDG_CACHE_HOME}=".cache"` - - Config: `@{XDG_CONFIG_HOME}=".config"` - - Data: `@{XDG_DATA_HOME}=".local/share"` - - Bin: `@{XDG_BIN_HOME}=".local/bin"` - - Lib: 
`@{XDG_LIB_HOME}=".local/lib"` + - Books: `@{XDG_BOOKS_DIR}="Books"` + - Projects: `@{XDG_PROJECTS_DIR}="Projects"` + - Screenshots: `@{XDG_SCREENSHOTS_DIR}="@{XDG_PICTURES_DIR}/Screenshots"` + - Sync: `@{XDG_SYNC_DIR}="Sync"` + - Torrents: `@{XDG_TORRENTS_DIR}="Torrents"` + - Vm: `@{XDG_VM_DIR}=".vm"` + - Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"` +* Extended XDG dotfiles: + - SSH: `@{XDG_SSH_DIR}=".ssh"` + - GPG: `@{XDG_GPG_DIR}=".gnupg"` + - Cache:` @{XDG_CACHE_HOME}=".cache"` + - Config: `@{XDG_CONFIG_HOME}=".config"` + - Data: `@{XDG_DATA_HOME}=".local/share"` + - Bin: `@{XDG_BIN_HOME}=".local/bin"` + - Lib: `@{XDG_LIB_HOME}=".local/lib"` * Full path of the user configuration directories - - Cache: `@{user_cache_dirs}=@{HOME}/@{XDG_CACHE_HOME}` - - Config: `@{user_config_dirs}=@{HOME}/@{XDG_CONFIG_HOME}` - - Bin: `@{user_bin_dirs}=@{HOME}/@{XDG_BIN_HOME}` - - Lib: `@{user_lib_dirs}=@{HOME}/@{XDG_LIB_HOME}` -* Other full path user directories - - Sync: `@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` + - Cache: `@{user_cache_dirs}=@{HOME}/@{XDG_CACHE_HOME}` + - Config: `@{user_config_dirs}=@{HOME}/@{XDG_CONFIG_HOME}` + - Bin: `@{user_bin_dirs}=@{HOME}/@{XDG_BIN_HOME}` + - Lib: `@{user_lib_dirs}=@{HOME}/@{XDG_LIB_HOME}` +* Full path user directories + - Books: `@{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` + - Documents: `@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` + - Download: `@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` + - Music: `@{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` + - Pictures: `@{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}` + - Projects: `@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` + - Public: `@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}` + - Sync: 
`@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` + - Templates: `@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` + - Torrents: `@{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` + - Videos: `@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` + - Vm: `@{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` ## Additional documentation @@ -187,3 +225,4 @@ include * https://presentations.nordisch.org/apparmor/#/ [git]: https://help.github.com/articles/set-up-git/ +[write xor execute]: https://en.wikipedia.org/wiki/W%5EX diff --git a/README.md b/README.md index 51f6a2768..ab38c6555 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,8 @@ **Full set of AppArmor profiles** -> Warning: This project is still in early development. - +> **Warning**: This project is still in early development. Help is very welcome +> see [`CONTRIBUTING.md`](CONTRIBUTING.md) ## Description diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index fd5c7b734..f6adf946d 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -8,6 +8,8 @@ # The /sys/ entries probably should be tightened /dev/ r, + /dev/block/ r, + /dev/disk/{,*/} r, # Regular disk/partition devices /dev/{s,v}d[a-z]* rwk, diff --git a/apparmor.d/abstractions/lightdm b/apparmor.d/abstractions/lightdm index e9fe5ec3d..984aea2f4 100644 --- a/apparmor.d/abstractions/lightdm +++ b/apparmor.d/abstractions/lightdm 
@@ -46,15 +46,15 @@ /opt/ r, /opt/** rmixk, @{PROC}/ r, - @{PROC}/* rm, + @{PROC}/* mr, @{PROC}/[0-9]*/net/ r, @{PROC}/[0-9]*/net/dev r, - @{PROC}/asound rm, - @{PROC}/asound/** rm, - @{PROC}/ati rm, - @{PROC}/ati/** rm, + @{PROC}/asound mr, + @{PROC}/asound/** mr, + @{PROC}/ati mr, + @{PROC}/ati/** mr, @{PROC}/sys/vm/overcommit_memory r, - owner @{PROC}/** rm, + owner @{PROC}/** mr, # needed for gnome-keyring-daemon @{PROC}/*/status r, # needed for bamfdaemon and utilities such as ps and killall @@ -62,7 +62,7 @@ /sbin/ r, /sbin/** rmixk, /sys/ r, - /sys/** rm, + /sys/** mr, # needed for confined trusted helpers, such as dbus-daemon /sys/kernel/security/apparmor/.access rw, /tmp/ rw, diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin index 6ba6c30ae..e57eca1ad 100644 --- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin +++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin @@ -218,9 +218,9 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp profile gpg { #include - /usr/bin/gpgconf rm, - /usr/bin/gpg rm, - /usr/bin/gpgsm rm, + /usr/bin/gpgconf mr, + /usr/bin/gpg mr, + /usr/bin/gpgsm mr, owner @{HOME}/@{XDG_GPG_DIR}/* r, owner @{HOME}/@{XDG_GPG_DIR}/random_seed rk, @@ -232,7 +232,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp owner @{user_config_dirs}/kdeglobals r, /usr/lib/libreoffice/program/lo_kde5filepicker rPUx, /usr/share/qt5/translations/* r, - /usr/lib/*/qt5/plugins/** rm, + /usr/lib/*/qt5/plugins/** mr, /usr/share/plasma/look-and-feel/**/contents/defaults r, # TODO: remove when rules are available in abstractions/kde diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index ab395231b..b09d5c8aa 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc 
@@ -287,4 +287,4 @@ profile vlc @{exec_path} { } include if exists -} +} \ No newline at end of file diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index b7ee1e980..867c76795 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -28,6 +28,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, capability sys_nice, + capability sys_ptrace, signal (send) peer=apt-methods-*, @@ -46,7 +47,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { member=Inhibit peer=(name=org.freedesktop.login[0-9]), - dbus send bus=system path=/org/freedesktop/DBus + dbus send bus=system path=/org/freedesktop/DBus{,/Bus} interface=org.freedesktop.DBus{,.Introspectable} member={RequestName,GetConnectionUnixProcessID,Introspect} peer=(name=org.freedesktop.DBus), @@ -101,6 +102,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx, /{usr/,}lib/update-notifier/update-motd-updates-available rPx, /usr/share/command-not-found/cnf-update-db rPx, + /usr/share/language-tools/language-options rPx, # For editing the sources.list file /{usr/,}bin/sensible-editor rCx -> editor, @@ -110,6 +112,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/sensible-pager rCx -> pager, /usr/share/xml/iso-codes/{,**} r, + /usr/share/language-selector/data/pkg_depends r, /etc/apt/sources.list rwk, /etc/machine-id r, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index aa8b7ad16..74786b57b 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -82,6 +82,8 @@ profile apt-methods-gpgv @{exec_path} { # Local keyring storage /etc/apt/keyrings/ r, /etc/apt/keyrings/*.{gpg,asc} r, + /usr/share/keyrings/ r, + /usr/share/keyrings/*.{gpg,asc} r, # Extrepo keyring storage /var/lib/extrepo/keys/*.{gpg,asc} r, 
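Review bot: `capability sys_ptrace,` is added to the apt profile with no comment and no `ptrace` rule scoping which peers apt may inspect, so the grant is profile-wide. If the trigger was apt reading another user's `@{PROC}/@{pids}/` entries, a `ptrace (read) peer=<that profile>` rule (placeholder, name the peer from the log) or at least a `# Needed to ...` line above the capability keeps the reason reviewable. The later `/usr/share/language-tools/language-options rPx,` also requires a profile for that script to exist; if none does, the exec is denied, and that profile is not on this page. The apt profile body starts and ends outside these hunks.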
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 77aa271b4..0593605a0 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -76,6 +76,7 @@ profile dpkg @{exec_path} { owner /tmp/apt-dpkg-install-*/ r, /var/log/dpkg.log w, + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, @{run}/systemd/userdb/ r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 73f581833..9ea5fe83e 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -49,7 +49,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member={CheckPermissions,StateChanged}, + member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved}, @{exec_path} mr, @@ -80,6 +80,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, + /etc/debian_version r, + /etc/dpkg/origins/{debian,ubuntu,} r, + /etc/issue{.net,} r, + /etc/legal r, + /etc/lsb-release r, + /etc/profile.d/* r, + /etc/update-motd.d/* r, /etc/update-manager/{,**} r, /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r, diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd new file mode 100644 index 000000000..ddb4a1f5a --- /dev/null +++ b/apparmor.d/groups/avahi/avahi-autoipd 
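Review bot: The new `/etc/update-motd.d/* r,` in the unattended-upgrade hunk already covers `/etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,` left two lines below, so one of the two should go; keeping the narrow rule only makes sense if the glob is dropped. Likewise `/etc/profile.d/* r,` reads every shell profile snippet; if the log named a single file, listing it keeps the rule to what is explicitly required, as the project's own contributing rules ask. The profile body starts and ends outside the hunk.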
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/avahi-autoipd
+profile avahi-autoipd @{exec_path} flags=(complain) {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ signal receive set=(kill,term),
+
+ @{exec_path} mr,
+ /etc/avahi/avahi-autoipd.action rix,
+
+ include if exists
+}
+
diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse
new file mode 100644
index 000000000..837961c3b
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-browse
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/avahi-browse /{usr/,}bin/avahi-browse-domains
+profile avahi-browse @{exec_path} flags=(complain) {
+ include
+ include
+ include
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus.Peer
+ member=Ping,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member={GetAPIVersion,GetState,ServiceTypeBrowserNew,ServiceBrowserNew},
+
+ dbus receive bus=system path=/Client[0-9]/ServiceTypeBrowser[0-9]
+ interface=org.freedesktop.Avahi.ServiceTypeBrowser
+ member={ItemNew,CacheExhausted,AllForNow},
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/@{multiarch}/avahi/service-types.db rwk,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/avahi/avahi-daemon b/apparmor.d/groups/avahi/avahi-daemon
new file mode 100644
index 000000000..5a972463e
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-daemon
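Review bot: `path=/Client[0-9]/ServiceTypeBrowser[0-9]` in the `dbus receive` rule of avahi-browse matches a single digit per id, so as soon as a session reaches its eleventh client or browser object (`/Client10/...`) the replies fall outside the rule; as far as I know avahi numbers these objects incrementally, and `path=/Client[0-9]*/ServiceTypeBrowser[0-9]*` covers any count. The same single-digit form is used in both `/Client[0-9]/AddressResolver[0-9]` rules of the new avahi-resolve profile. `rwk` on `service-types.db` under `/{usr/,}lib/` grants write access to a packaged database from an unprivileged browsing tool; if what the log showed was only gdbm's read lock, `rk` should be tried first.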
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/avahi-daemon
+profile avahi-daemon @{exec_path} flags=(complain) {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+
+ @{exec_path} mr,
+
+ /etc/avahi/** r,
+
+ include if exists
+}
+
diff --git a/apparmor.d/groups/avahi/avahi-publish b/apparmor.d/groups/avahi/avahi-publish
new file mode 100644
index 000000000..5895d6a8f
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-publish
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/avahi-publish /{usr/,}bin/avahi-publish-address /{usr/,}bin/avahi-publish-service
+profile avahi-publish @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve
new file mode 100644
index 000000000..fe279ac7e
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-resolve
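Review bot: `@{exec_path} = /{usr/,}bin/avahi-daemon` does not cover `/usr/sbin/avahi-daemon`, which is where Debian and Ubuntu install the daemon, so on those systems the new profile never attaches and avahi-daemon keeps running unconfined. The avahi-autoipd profile in this same series uses `/{usr/,}{s,}bin/` for exactly that layout; `@{exec_path} = /{usr/,}{s,}bin/avahi-daemon` would match both. The rest of the profile is thin (two `network inet*` rules and `/etc/avahi/** r,`), but with `flags=(complain)` whatever else the daemon needs will show up in the log once it actually attaches, so the path is the one thing to fix before merging.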
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/avahi-resolve /{usr/,}bin/avahi-resolve-address /{usr/,}bin/avahi-resolve-host-name
+profile avahi-resolve @{exec_path} flags=(complain) {
+ include
+ include
+ include
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus.Peer
+ member=Ping,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member={GetAPIVersion,GetState,AddressResolverNew},
+
+ dbus send bus=system path=/Client[0-9]/AddressResolver[0-9]
+ interface=org.freedesktop.Avahi.AddressResolver
+ member={Free,HostNameResolverNew,},
+
+ dbus receive bus=system path=/Client[0-9]/AddressResolver[0-9]
+ interface=org.freedesktop.Avahi.AddressResolver
+ member={Failure,Found},
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name
new file mode 100644
index 000000000..ead18ed2e
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-set-host-name
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/avahi-set-host-name
+profile avahi-set-host-name @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index f1cfd87dd..b6bf4ff65 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
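Review bot: `member={Free,HostNameResolverNew,}` in avahi-resolve carries a trailing comma inside the braces, which adds an empty alternative to the set; it is harmless since no member is named by the empty string, but it reads as an unfinished edit, so either drop the comma or add the member that was meant to follow. As far as I know from the avahi D-Bus API, `HostNameResolverNew` is a method of `org.freedesktop.Avahi.Server` on `path=/`, not of an `AddressResolver` object, so if avahi-resolve-host-name calls it the member belongs in the `Avahi.Server` rule two rules above rather than in this one.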
@@ -32,6 +32,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=browserpass, ptrace (read) peer=chrome-gnome-shell, + ptrace (read) peer=gnome-browser-connector-host, ptrace (read) peer=keepassxc-proxy, ptrace (read) peer=lsb_release, ptrace (read) peer=xdg-settings, @@ -49,6 +50,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, /{usr/,}bin/chrome-gnome-shell rPx, + /{usr/,}bin/gnome-browser-connector-host rPx, /{usr/,}lib/chromium/chrome-sandbox rPx, /{usr/,}lib/chromium/chrome_crashpad_handler rPx, diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index b467e8f28..1bfe02a61 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,8 +10,9 @@ include @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*} profile fc-cache @{exec_path} { include - include + include include + include @{exec_path} mr, @@ -19,6 +21,8 @@ profile fc-cache @{exec_path} { /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl, /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl, + /var/tmp/mkinitramfs_*/{**,} rwl, + # Silencer deny network inet6 stream, deny network inet stream, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 09d3cb55b..46c7cd733 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -33,7 +33,6 @@ profile pipewire @{exec_path} { /usr/share/pipewire/pipewire.conf r, - /etc/machine-id r, /etc/pipewire/client.conf r, /etc/pipewire/pipewire-pulse.conf.d/{,*} r, /etc/pipewire/pipewire.conf r, 
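Review bot: `/var/tmp/mkinitramfs_*/{**,} rwl,` in the fc-cache hunk lets the tool write and create links under a glob inside a world-writable sticky directory, with no `owner` prefix and no comment saying why a font-cache tool touches /var/tmp. mkinitramfs creates that work directory itself, so presumably fc-cache runs as the same user there; if so, `owner /var/tmp/mkinitramfs_*/{**,} rwl,` keeps the rule from matching a same-named directory planted by another user, and a `# For mkinitramfs hooks` line above it records the reason. The fc-cache profile body continues outside the hunk.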
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index eca96bdf1..4e49fe8a7 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -11,6 +11,7 @@ include profile pipewire-media-session @{exec_path} { include include + include include include include @@ -44,11 +45,11 @@ profile pipewire-media-session @{exec_path} { owner @{HOME}/.local/state/ rw, owner @{HOME}/.local/state/pipewire/{,**} rw, + owner @{user_config_dirs}/pipewire/ rw, owner @{user_config_dirs}/pipewire/** rw, owner @{user_config_dirs}/pulse/ rw, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/pipewire-[0-9]* rw, @{run}/udev/data/+sound:card[0-9]* r, # For sound diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index 16547bd46..32d5b102a 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -29,13 +29,15 @@ profile polkit-agent-helper @{exec_path} { signal (receive) set=(term, kill) peer=gnome-shell, signal (receive) set=(term, kill) peer=pkexec, - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties - member=GetAll, + member=GetAll + peer=(name=:*), - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority - member=AuthenticationAgentResponse2, + member=AuthenticationAgentResponse2 + peer=(name=:*), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 5847fcffd..b88b613ca 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
@@ -23,13 +23,14 @@ profile polkitd @{exec_path} { ptrace (read), dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/* - interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, + interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members - dbus send bus=system path=/org/freedesktop/DBus + dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName}, + member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName} + peer=(name=org.freedesktop.DBus), - dbus bind bus=system + dbus (bind) bus=system name=org.freedesktop.PolicyKit[0-9], @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 2a8d08deb..2518c5794 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -127,6 +127,13 @@ profile pulseaudio @{exec_path} { member=Get peer=(name=/org/freedesktop/hostname[0-9]), + dbus (send) + bus=system + path=/org.freedesktop.hostname[0-9] + interface=org.freedesktop.DBus.Prope + member=Get + peer=(name=/org/freedesktop/hostname[0-9]), + @{exec_path} mrix, /{usr/,}@{libexec}/pulse/gsettings-helper mrix, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index ca2b2c3ad..3a0453645 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-document-portal profile xdg-document-portal @{exec_path} { include + include ptrace (read) peer=xdg-desktop-portal, @@ -23,7 +24,6 @@ profile xdg-document-portal @{exec_path} { owner @{user_share_dirs}/flatpak/db/documents r, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/doc/ rw, owner @{PROC}/@{pid}/fd/ r, 
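Review bot: The new `dbus (send)` rule in the pulseaudio hunk can never match: `path=/org.freedesktop.hostname[0-9]` uses dots where an object path has slashes, `interface=org.freedesktop.DBus.Prope` is truncated, and `peer=(name=/org/freedesktop/hostname[0-9])` is an object path where a bus name is expected (copied from the context line above, which has the same problem). If the intent is the hostnamed property read, the lines should be `path=/org/freedesktop/hostname[0-9]`, `interface=org.freedesktop.DBus.Properties` and `peer=(name=org.freedesktop.hostname[0-9])`; if the preceding rule already covers that call, this one is a garbled duplicate and should be dropped. The pulseaudio profile starts and ends outside the hunk.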
@@ -36,7 +36,7 @@ profile xdg-document-portal @{exec_path} { profile flatpak { include - /{usr/,}bin/flatpak rm, + /{usr/,}bin/flatpak mr, / r, /etc/flatpak/remotes.d/{,*} r, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index 1805b7631..dbcca15d8 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} { include include include + include include include include @@ -53,7 +54,6 @@ profile gdm-wayland-session @{exec_path} { /etc/default/im-config r, /etc/gdm{3,}/custom.conf r, - /etc/machine-id r, /etc/shells r, /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, @@ -61,8 +61,7 @@ profile gdm-wayland-session @{exec_path} { /usr/share/gdm/gdm.schemas r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/bus rw, - @{run}/gdm/custom.conf r, + @{run}/gdm/custom.conf r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index fe4e1f9d0..fc30ca94d 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -46,16 +46,17 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/user/@{uid}/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{sys}/devices/system/cpu/possible r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, /dev/tty rw, 
diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index 8735c2fe3..648e83f58 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -24,6 +24,8 @@ profile gnome-characters-backgroudservice @{exec_path} { /etc/gtk-3.0/settings.ini r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 07a34d14a..3db55197d 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -34,6 +34,9 @@ profile gnome-extension-ding @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus bind bus=session + name=com.rastersoft.ding, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index d4f5d0bc5..944782d40 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -9,6 +9,14 @@ include @{exec_path} = /{usr/,}bin/gnome-extensions-app profile gnome-extensions-app @{exec_path} { include + # include + include + include + include + include + include + include + include @{exec_path} mr, @@ -16,6 +24,15 @@ profile gnome-extensions-app @{exec_path} { /{usr/,}bin/gjs-console rix, /usr/share/terminfo/x/xterm-256color r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/gnome-shell/org.gnome.Extensions* r, + /usr/share/X11/xkb/{,**} r, + + @{sys}/devices/system/cpu/possible r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/task/@{tid}/stat r, /dev/tty rw, 
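Review bot: The new `# include` line in gnome-extensions-app is a commented-out include with no explanation, so the next reader cannot tell whether the abstraction was tried and found too broad or is still meant to be enabled; either remove the line or add a why-comment next to it (the abstraction name is not visible on this page). The proc rules in the second hunk mix `owner @{PROC}/@{pid}/mounts r,` with `owner @{PROC}/@{pids}/stat r,` and `owner @{PROC}/@{pids}/task/@{tid}/stat r,`; `@{pids}` widens from the process's own entry to any pid it owns, and it is not obvious why `stat` needs that while `mounts` does not, so a comment or a consistent `@{pid}` would help. The profile continues outside both hunks.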
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 9054d9f4f..20ca500e2 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,6 +10,7 @@ include profile gnome-terminal-server @{exec_path} { include include + include include include include @@ -34,8 +35,6 @@ profile gnome-terminal-server @{exec_path} { /etc/shells r, - owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index c612512d1..93c4e7280 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -10,6 +10,7 @@ include profile nautilus @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -21,6 +22,20 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/*} + interface={org.freedesktop.DBus.{Properties,Introspectable},org.gtk.Actions}, + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={IsSupported,List} + peer=(name=:*), + + dbus bind bus=session + name=org.gnome.Nautilus, + + dbus bind bus=session + name=org.freedesktop.FileManager1, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index f3fa89e54..99799a9c4 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/tracker-extract-3 profile tracker-extract @{exec_path} { include + include include include include 
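Review bot: The new `dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/*} interface={org.freedesktop.DBus.{Properties,Introspectable},org.gtk.Actions},` rule in the nautilus hunk has neither `member=` nor `peer=`, so it admits every member of those interfaces from and to any connection on the bus; the polkitd hunk in this same commit marks an equivalent all-member rule with `# all members`, and the same trailing comment here would make the width look deliberate rather than accidental. The nautilus profile continues outside the hunk.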
@@ -51,8 +52,7 @@ profile tracker-extract @{exec_path} { owner /tmp/tracker-extract-3-files.*/{,*} rw, - owner @{run}/user/@{uid}/bus rw, - @{run}/blkid/blkid.tab r, + @{run}/blkid/blkid.tab r, @{run}/udev/data/c235:* r, @{run}/udev/data/c236:* r, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index e7b4d13f9..5195c203e 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2017-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,22 +11,25 @@ include profile gpg @{exec_path} { include include - include include + include + include + + capability dac_read_search, network netlink raw, @{exec_path} mrix, - /{usr/,}bin/gpgconf rPx, - /{usr/,}bin/gpg-connect-agent rPx, - /{usr/,}bin/gpg-agent rPx, /{usr/,}bin/dirmngr rPx, + /{usr/,}bin/gpg-agent rPx, + /{usr/,}bin/gpg-connect-agent rPx, + /{usr/,}bin/gpgconf rPx, /{usr/,}bin/gpgsm rPx, /{usr/,}lib/gnupg/scdaemon rPx, - # GPG config files - owner @{HOME}/ r, + /etc/inputrc r, + owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, 
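Review bot: `capability dac_read_search,` is added to gpg here, and to gpgconf and gpgsm further down, with no comment saying which operation needed it; for a gpg run as root this capability bypasses read and search permission bits on every path the file rules allow, so a one-line reason (`# For ...`, naming the caller or directory from the log) above each occurrence is worth having, and it should be checked whether a narrower `owner` or path rule would have satisfied the same log entry. The second gpg hunk drops the `owner @{HOME}/** r,` and `owner @{MOUNTS}/** r,` verify rules along with the flatpak, Tor Browser, spamassassin and lintian blocks; if those moved into the two new includes (whose names are not visible here) that is fine, otherwise signature checks on files outside the keyring directories will start to be denied. The profile continues into the next hunk.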
@@ -39,54 +42,9 @@ profile gpg @{exec_path} { owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, - # For flatpak - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - - # For ToR Browser - owner @{user_share_dirs}/torbrowser/gnupg_homedir/ r, - owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**, - - # For spamassassin - owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**, - - # For lintian - owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r, - owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r, - owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/trustdb.gpg rw, - owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/pubring.kbx rw, - owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*.gpg rw, - owner /tmp/*.gpg~ w, - owner /tmp/*.gpg.tmp rw, - owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, - owner @{run}/user/@{uid}/gnupg/d.*/ rw, - - # APT upstream/user keyrings - /usr/share/keyrings/*.{gpg,asc} r, - /etc/apt/keyrings/*.{gpg,asc} r, - - # APT repositories - /var/lib/apt/lists/*_InRelease r, - - # Verify files - owner @{HOME}/** r, - owner @{MOUNTS}/** r, - - owner @{PROC}/@{pid}/task/@{tid}/stat rw, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/fd/ r, - - /etc/inputrc r, - - # file_inherit - /tmp/#[0-9]*[0-9] rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat rw, include if exists } 
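Review bot: This hunk deletes the keyring and verification rules (flatpak, Tor Browser, spamassassin, lintian, APT keyrings, `owner @{HOME}/** r,`, `owner @{MOUNTS}/** r,`, `/tmp/#[0-9]*[0-9] rw,`) from gpg without a visible replacement; the two `include` lines added in the previous hunk presumably carry them, but their targets are not legible here, so the commit message or a comment next to those includes should say where the rules went. If they moved into a shared abstraction, `owner @{HOME}/** r,` and `owner @{MOUNTS}/** r,` now apply to every profile that includes it, which widens those profiles and deserves a note. If they were simply dropped, `gpg --verify` on files outside the keyring directory will be denied.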
diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf index e5ba0a3ba..ab5f2ef8f 100644 --- a/apparmor.d/groups/gpg/gpgconf +++ b/apparmor.d/groups/gpg/gpgconf @@ -12,6 +12,8 @@ profile gpgconf @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, /{usr/,}bin/gpg-connect-agent rPx, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index 9792071b4..9f231c4f2 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm @@ -11,6 +11,8 @@ profile gpgsm @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, deny /usr/bin/.gnupg/ w, diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup new file mode 100644 index 000000000..2abd381b8 --- /dev/null +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-bios-setup +profile grub-bios-setup @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv new file mode 100644 index 000000000..042887e3d --- /dev/null +++ b/apparmor.d/groups/grub/grub-editenv @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-editenv +profile grub-editenv @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + /boot/grub/grubenv rw, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-file b/apparmor.d/groups/grub/grub-file new file mode 100644 index 000000000..ccf58d6c4 --- /dev/null +++ b/apparmor.d/groups/grub/grub-file 
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-file +profile grub-file @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-fstest b/apparmor.d/groups/grub/grub-fstest new file mode 100644 index 000000000..caf64ee2c --- /dev/null +++ b/apparmor.d/groups/grub/grub-fstest @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-fstest +profile grub-fstest @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-glue-efi b/apparmor.d/groups/grub/grub-glue-efi new file mode 100644 index 000000000..aeb59a8df --- /dev/null +++ b/apparmor.d/groups/grub/grub-glue-efi @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-glue-efi +profile grub-glue-efi @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install new file mode 100644 index 000000000..cca0605c2 --- /dev/null +++ b/apparmor.d/groups/grub/grub-install @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-install +profile grub-install @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + 
diff --git a/apparmor.d/groups/grub/grub-kbdcomp b/apparmor.d/groups/grub/grub-kbdcomp new file mode 100644 index 000000000..fce678809 --- /dev/null +++ b/apparmor.d/groups/grub/grub-kbdcomp @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-kbdcomp +profile grub-kbdcomp @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless new file mode 100644 index 000000000..49f08fd1e --- /dev/null +++ b/apparmor.d/groups/grub/grub-macbless @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-macbless +profile grub-macbless @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-menulst2cfg b/apparmor.d/groups/grub/grub-menulst2cfg new file mode 100644 index 000000000..b2f5ca590 --- /dev/null +++ b/apparmor.d/groups/grub/grub-menulst2cfg @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-menulst2cfg +profile grub-menulst2cfg @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig new file mode 100644 index 000000000..3341b30c6 --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkconfig 
@@ -0,0 +1,78 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/grub-mkconfig
+profile grub-mkconfig @{exec_path} flags=(complain) {
+ include
+ include
+
+ capability dac_read_search,
+
+ @{exec_path} mr,
+ /etc/grub.d/{**,} rix,
+ /{usr/,}bin/{m,g,}awk rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/chmod rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/findmnt rPx,
+ /{usr/,}bin/gettext rix,
+ /{usr/,}bin/{e,f,}grep rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/grub-mkrelpath rPx,
+ /{usr/,}bin/grub-script-check rPx,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/id rPx,
+ /{usr/,}bin/ls rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/mount rPx,
+ /{usr/,}bin/mountpoint rix,
+ /{usr/,}bin/paste rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/rmdir rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/stat rix,
+ /{usr/,}bin/tail rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/umount rPx,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/which{.debianutils,} rix,
+ /{usr/,}{s,}bin/dmsetup rPUx,
+ /{usr/,}{s,}bin/grub-probe rPx,
+ /{usr/,}{local/,}{s,}bin/zfs rPx,
+ /{usr/,}{local/,}{s,}bin/zpool rPx,
+
+ /boot/{**,} r,
+ /boot/grub/{**,} rw,
+
+ /etc/default/grub r,
+ /etc/default/grub.d/{*,} r,
+
+ /usr/share/grub/{**,} r,
+
+ /.zfs/snapshot/*/etc/{machine-id,} r,
+ /.zfs/snapshot/*/{usr/,}lib/os-release r,
+
+ / r,
+
+ owner /tmp/** rw,
+
+ @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/@{pids}/mounts r,
+
+ @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap
new file mode 100644
index 000000000..306173901
--- /dev/null
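Review bot: `/{usr/,}{s,}bin/dmsetup rPUx,` falls back to running dmsetup unconfined whenever no dmsetup profile is loaded, which is inconsistent with the `rPx` used for every other external tool in this profile; if a dmsetup profile exists in the set, `rPx` is the consistent choice, otherwise a comment explaining the fallback is due. `owner /tmp/** rw,` covers every owner-matching file under /tmp; if the temporary files created via `mktemp` use a fixed prefix, a narrower pattern would be preferable — confirm against the audit log before tightening. Note also that `/etc/grub.d/{**,} rix,` runs every file under /etc/grub.d inside this profile, which is expected for grub-mkconfig but deserves a comment so it is not mistaken for an oversight.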
+++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-mkdevicemap +profile grub-mkdevicemap @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mkfont b/apparmor.d/groups/grub/grub-mkfont new file mode 100644 index 000000000..a0ace1a2a --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkfont @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mkfont +profile grub-mkfont @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mkimage b/apparmor.d/groups/grub/grub-mkimage new file mode 100644 index 000000000..2b6212a0a --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkimage @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mkimage +profile grub-mkimage @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mklayout b/apparmor.d/groups/grub/grub-mklayout new file mode 100644 index 000000000..b9a514b72 --- /dev/null +++ b/apparmor.d/groups/grub/grub-mklayout @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mklayout +profile grub-mklayout @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + 
diff --git a/apparmor.d/groups/grub/grub-mknetdir b/apparmor.d/groups/grub/grub-mknetdir new file mode 100644 index 000000000..4f37e31a0 --- /dev/null +++ b/apparmor.d/groups/grub/grub-mknetdir @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mknetdir +profile grub-mknetdir @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 new file mode 100644 index 000000000..ef9e5c6da --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mkpasswd-pbkdf2 +profile grub-mkpasswd-pbkdf2 @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath new file mode 100644 index 000000000..76e7c0a3f --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-mkrelpath +profile grub-mkrelpath @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + /{usr/,}{local/,}{s,}bin/zpool rPx, + + @{PROC}/@{pids}/mountinfo r, + + include if exists +} diff --git a/apparmor.d/groups/grub/grub-mkrescue b/apparmor.d/groups/grub/grub-mkrescue new file mode 100644 index 000000000..9948ac15f --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkrescue 
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mkrescue +profile grub-mkrescue @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mkstandalone b/apparmor.d/groups/grub/grub-mkstandalone new file mode 100644 index 000000000..90e3a4c46 --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkstandalone @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mkstandalone +profile grub-mkstandalone @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mount b/apparmor.d/groups/grub/grub-mount new file mode 100644 index 000000000..b855d7e45 --- /dev/null +++ b/apparmor.d/groups/grub/grub-mount @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mount +profile grub-mount @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-ntldr-img b/apparmor.d/groups/grub/grub-ntldr-img new file mode 100644 index 000000000..6b8c10722 --- /dev/null +++ b/apparmor.d/groups/grub/grub-ntldr-img @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-ntldr-img +profile grub-ntldr-img @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + include if exists +} + 
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
new file mode 100644
index 000000000..416d25e1c
--- /dev/null
+++ b/apparmor.d/groups/grub/grub-probe
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/grub-probe
+profile grub-probe @{exec_path} flags=(complain) {
+ include
+ include
+ include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/udevadm rPx,
+ /{usr/,}{local/,}{s,}bin/zpool rPx,
+
+ @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/devices r,
+
+ /dev/mapper/control rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot
new file mode 100644
index 000000000..f16643fff
--- /dev/null
+++ b/apparmor.d/groups/grub/grub-reboot
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/grub-reboot
+profile grub-reboot @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
diff --git a/apparmor.d/groups/grub/grub-render-label b/apparmor.d/groups/grub/grub-render-label
new file mode 100644
index 000000000..8749c265c
--- /dev/null
+++ b/apparmor.d/groups/grub/grub-render-label
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/grub-render-label
+profile grub-render-label @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check
new file mode 100644
index 000000000..643797e1a
--- /dev/null
+++ b/apparmor.d/groups/grub/grub-script-check
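Review bot: `capability sys_admin,` is the broadest capability in the set and is added to grub-probe without a comment; together with `/dev/mapper/control rw,` the device-mapper ioctls look like the reason, but that should be written down, e.g. `# Needed for device-mapper ioctls on /dev/mapper/control (TODO: confirm from audit log)`. The profile has no read rule for the block devices or for /boot that grub-probe inspects; since it is in complain mode these show up as audit entries rather than denials, which is worth a comment so the profile is not switched to enforce before they are added.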
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/grub-script-check
+profile grub-script-check @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /boot/grub/grub.cfg{.new,} rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default
new file mode 100644
index 000000000..fe8201d6c
--- /dev/null
+++ b/apparmor.d/groups/grub/grub-set-default
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/grub-set-default
+profile grub-set-default @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
diff --git a/apparmor.d/groups/grub/grub-syslinux2cfg b/apparmor.d/groups/grub/grub-syslinux2cfg
new file mode 100644
index 000000000..487e61680
--- /dev/null
+++ b/apparmor.d/groups/grub/grub-syslinux2cfg
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/grub-syslinux2cfg
+profile grub-syslinux2cfg @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub
new file mode 100644
index 000000000..a59d80b9c
--- /dev/null
+++ b/apparmor.d/groups/grub/update-grub
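Review bot: `/boot/grub/grub.cfg{.new,} rw,` grants grub-script-check write access to the generated configuration, yet the tool only parses the file for syntax errors and is invoked by grub-mkconfig on the `.new` file before it is moved into place; unless the audit log recorded a write, `r` is sufficient and keeps the checker from being able to alter what it validates. Suggest `/boot/grub/grub.cfg{.new,} r,`, or a comment stating why write is needed if it is.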
@@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/update-grub{2,} +profile update-grub @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}{s,}bin/grub-mkconfig rPx, + + include if exists +} diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 701adf2b9..18f55c822 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd profile gvfsd @{exec_path} { include + include @{exec_path} mr, @@ -20,7 +21,6 @@ profile gvfsd @{exec_path} { /usr/share/gvfs/{,**} r, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/gvfs/ rw, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 0919ba889..6e56b5372 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -31,6 +31,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, + dbus receive bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority member=Changed, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index d63512be5..cce44eee5 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -32,7 +32,7 @@ profile mullvad-gui @{exec_path} { @{exec_path} mrix, - "/opt/Mullvad VPN/*.so*" rm, + "/opt/Mullvad VPN/*.so*" mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/gsettings rix, 
@@ -53,6 +53,7 @@ profile mullvad-gui @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/devices/virtual/tty/tty[0-9]*/active r, @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r, + @{sys}/devices/system/cpu/possible r, @{PROC}/ r, @{PROC}/sys/fs/inotify/max_user_watches r, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 11dfdf161..15f077331 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -8,7 +8,7 @@ include @{exec_path} = /{usr/,}lib/nm-dispatcher @{exec_path} += /{usr/,}lib/NetworkManager/nm-dispatcher -profile nm-dispatcher @{exec_path} { +profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 050fdd2ce..acb81dbc0 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -27,7 +27,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/cp rix, /{usr/,}bin/dd rix, /{usr/,}bin/find rix, - /{usr/,}bin/findmnt rix, + /{usr/,}bin/findmnt rPx, /{usr/,}bin/fsck rix, /{usr/,}bin/gawk rix, /{usr/,}bin/grep rix, @@ -77,10 +77,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Can copy any program to the initframs /{usr/,}bin/ r, - /{usr/,}bin/[a-z0-9]* rm, - /{usr/,}lib/plymouth/plymouthd-* rm, - /{usr/,}lib/systemd/systemd-* rm, - /{usr/,}lib/udev/[a-z0-9]* rm, + /{usr/,}bin/[a-z0-9]* mr, + /{usr/,}lib/plymouth/plymouthd-* mr, + /{usr/,}lib/systemd/systemd-* mr, + /{usr/,}lib/udev/[a-z0-9]* mr, # Manage /boot / r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index ff37f0cae..01615f949 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd 
@@ -83,6 +83,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{run}/sshd{,.init}.pid wl, + @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/resolvconf/resolv.conf r, diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index 338f4f983..99f2dee8c 100644 --- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl @@ -27,7 +27,7 @@ profile child-systemctl flags=(attach_disconnected) { network inet stream, network inet6 stream, - dbus send bus=system path=/org/freedesktop/systemd[0-9] + dbus send bus=system path=/org/freedesktop/systemd[0-9]/Unit interface=org.freedesktop.systemd[0-9].Manager member=GetUnitFileState, @@ -35,6 +35,8 @@ profile child-systemctl flags=(attach_disconnected) { /etc/systemd/user/{,**} rwl, + @{run}/systemd/private rw, + owner @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/osrelease r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 698fd2f3c..40fcb4c8f 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/networkctl -profile networkctl @{exec_path} flags=(complain) { +profile networkctl @{exec_path} flags=(attach_disconnected,complain) { include include @@ -39,9 +39,6 @@ profile networkctl @{exec_path} flags=(complain) { /var/lib/dbus/machine-id r, /etc/machine-id r, - @{run}/systemd/netif/links/[0-9]* r, - @{run}/systemd/netif/state r, - # To be able to read logs @{run}/log/ r, /{run,var}/log/journal/ r, 
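Review bot: In the first child-systemctl hunk the `dbus send` rule narrows the path from `/org/freedesktop/systemd[0-9]` to `/org/freedesktop/systemd[0-9]/Unit` while keeping `interface=org.freedesktop.systemd[0-9].Manager member=GetUnitFileState`; the Manager interface is normally served on the `/org/freedesktop/systemd1` object itself, so the old path no longer matches and, unless an audit entry showed this exact path, `systemctl is-enabled` will be denied. If both paths have been observed, `path=/org/freedesktop/systemd[0-9]{,/Unit}` covers them. `@{run}/systemd/private rw,` in the second hunk gives direct access to systemd's private bus socket, which dbus rules do not mediate; a short comment noting it is the path systemctl takes when run as root would help the next reviewer.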
@@ -50,12 +47,16 @@ profile networkctl @{exec_path} flags=(complain) { /{run,var}/log/journal/[0-9a-f]*/system.journal* r, /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r, + @{run}/systemd/netif/links/[0-9]* r, + @{run}/systemd/netif/state r, + @{run}/systemd/notify w, + @{sys}/devices/**/net/**/uevent r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/stat r, @{PROC}/filesystems r, @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 271a3eb3c..2a4179786 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -10,17 +10,32 @@ include @{exec_path} = /{usr/,}bin/systemd-analyze profile systemd-analyze @{exec_path} { include + include + include include capability sys_resource, capability net_admin, - signal (send) peer=child-pager, - network inet dgram, network netlink raw, + signal (send) peer=child-pager, + + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=ListUnits, + + dbus send bus=system path=/org/freedesktop/systemd1/unit/* + interface=org.freedesktop.DBus.Properties + member=GetAll, + @{exec_path} mr, + /{usr/,}lib/systemd/system-environment-generators/* rix, /{usr/,}bin/pager rPx -> child-pager, @@ -37,7 +52,10 @@ profile systemd-analyze @{exec_path} { owner /tmp/systemd-temporary-*/ rw, + @{run}/systemd/generator/ r, + @{run}/systemd/private rw, @{run}/systemd/system/ r, + @{run}/systemd/transient/ r, @{run}/systemd/userdb/io.systemd.DynamicUser w, @{run}/udev/data/* r, @{run}/udev/tags/systemd/ r, 
@@ -52,13 +70,12 @@ profile systemd-analyze @{exec_path} { @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/comm r, @{PROC}/swaps r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/mountinfo r, /dev/tty rw, - /dev/pts/1 rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 8cc0dc4f6..4a3f945fc 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -17,11 +17,17 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={RequestName,ReleaseName}, + member={RequestName,ReleaseName,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=CheckAuthorization + peer=(name=org.freedesktop.PolicyKit1), dbus receive bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.DBus.Properties - member={Get,GetAll}, + member={Get,GetAll,SetHostname}, dbus bind bus=system name=org.freedesktop.hostname[0-9], diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 51f4ff123..6c3a80cf7 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/systemd-hwdb profile systemd-hwdb @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 38d22fea5..4b9646942 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd 
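Review bot: In the systemd-hostnamed hunk, `SetHostname` is appended to the `dbus receive` rule whose interface is `org.freedesktop.DBus.Properties`, but SetHostname is a method of `org.freedesktop.hostname1`, which is also the interface the systemd-networkd hunk later in this commit sends it on; a receive rule keyed to the Properties interface will not match that call. It needs its own rule, `dbus receive bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.hostname[0-9] member=SetHostname,`, and the Properties rule can return to `member={Get,GetAll},`. The new PolicyKit `CheckAuthorization` send rule with `peer=(name=org.freedesktop.PolicyKit1)` is a sensible pin; a `peer=(label=...)` constraint would be tighter still if a polkit profile exists in the set.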
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
@@ -7,40 +8,68 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-networkd -profile systemd-networkd @{exec_path} flags=(complain) { +profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { include + include include capability net_admin, capability net_raw, capability net_bind_service, + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network netlink raw, + network packet dgram, + network packet raw, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.hostname1 + member=SetHostname + peer=(name=org.freedesktop.hostname1), + + dbus receive bus=system path=/org/freedesktop/network[0-9] + interface=org.freedesktop.DBus.Properties + member=Get, + + dbus bind bus=system + name=org.freedesktop.network1, + @{exec_path} mr, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /etc/systemd/networkd.conf r, /etc/systemd/network/ r, /etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r, + /etc/networkd-dispatcher/carrier.d/{,*} r, + + @{run}/systemd/network/ r, + @{run}/systemd/network/*.network r, + owner @{run}/systemd/netif/.#state rw, + owner @{run}/systemd/netif/.#state* rw, + owner @{run}/systemd/netif/leases/.#* rw, + owner @{run}/systemd/netif/leases/[0-9]* rw, owner @{run}/systemd/netif/links/.#* rw, owner @{run}/systemd/netif/links/[0-9]* rw, - owner @{run}/systemd/netif/leases/[0-9]* rw, - owner @{run}/systemd/netif/leases/.#* rw, - owner @{run}/systemd/netif/.#state* rw, - owner @{run}/systemd/netif/.#state rw, owner @{run}/systemd/netif/state rw, - # To be able to configure network interfaces - @{PROC}/sys/net/ipv{4,6}/** rw, - - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, - - @{sys}/devices/**/net/** r, - @{run}/udev/data/n[0-9]* r, - 
/var/lib/dbus/machine-id r, - /etc/machine-id r, + @{sys}/devices/**/net/** r, + @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + + @{PROC}/sys/net/ipv{4,6}/** rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 4f1f4c6c2..7dc88b71c 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -11,6 +11,10 @@ profile systemd-networkd-wait-online @{exec_path} flags=(complain) { include include + capability net_admin, + + network netlink raw, + @{exec_path} mr, @{run}/systemd/netif/links/[0-9]* r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 4cb03377b..97c3a1f4c 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -17,9 +17,15 @@ profile apport-gtk @{exec_path} { include include include + include capability sys_ptrace, + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /{usr/,}{s,}bin/killall5 rix, @@ -50,21 +56,22 @@ profile apport-gtk @{exec_path} { /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, - /etc/apport/blacklist.d/apport r, - /etc/apport/blacklist.d/README.blacklist r, - /etc/apport/crashdb.conf r, + /etc/apport/{,**} r, /etc/bash_completion.d/apport_completion r, /etc/cron.daily/apport r, /etc/default/apport r, /etc/init.d/apport r, /etc/logrotate.d/apport r, /etc/xdg/autostart/*.desktop r, + /etc/gtk-3.0/settings.ini r, - /var/crash/{,*.@{uid}.crash} r, + /var/crash/{,*.@{uid}.crash} rw, /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.md5sums r, /var/log/installer/media-info r, + @{run}/snapd.socket rw, owner @{run}/user/@{uid}/wayland-[0-9] rw, /tmp/[a-z0-9]* rw, 
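Review bot: `capability net_admin,` is added to systemd-networkd-wait-online, a tool that only waits for links to come up; querying link state over rtnetlink needs the accompanying `network netlink raw,` but not net_admin, so unless the audit log recorded a net_admin denial the capability is likely surplus and should be dropped. If it stays, a comment such as `# Needed for ... (TODO: confirm from audit log)` above it keeps the review trail for a capability that otherwise allows arbitrary network configuration changes.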
@@ -83,8 +90,9 @@ profile apport-gtk @{exec_path} { profile gdb { include - include + include include + include /{usr/,}bin/gdb mr, @@ -92,6 +100,9 @@ profile apport-gtk @{exec_path} { /{usr/,}{s,}bin/* r, /usr/share/gdb/{,**} r, + /usr/share/themes/{,**} r, + /usr/share/gnome-shell/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/gdb/{,**} r, diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required index 0ef30e5f2..1fc19b408 100644 --- a/apparmor.d/groups/ubuntu/notify-reboot-required +++ b/apparmor.d/groups/ubuntu/notify-reboot-required @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/update-notifier/notify-reboot-required profile notify-reboot-required @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index f5e7e6d94..26838b924 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -14,7 +14,9 @@ profile software-properties-gtk @{exec_path} { include include include + include include + include dbus send bus=system path=/{,com/canonical/UbuntuAdvantage/Manager} interface=org.freedesktop.DBus.Introspectable @@ -51,10 +53,13 @@ profile software-properties-gtk @{exec_path} { /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, + /etc/apport/blacklist.d/{,*} r, + /etc/default/apport r, /etc/gtk-3.0/settings.ini r, /etc/machine-id r, /etc/update-manager/release-upgrades r, + /var/crash/*software-properties-gtk.@{uid}.crash rw, /var/lib/snapd/desktop/icons/ r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @@ -67,6 +72,10 @@ profile software-properties-gtk @{exec_path} { @{sys}/devices/**/modalias r, @{PROC}/@{pids}/mountinfo r, + @{PROC}/asound/cards r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, 
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index dbf9eba3c..63dec833f 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -38,6 +38,8 @@ profile update-notifier @{exec_path} { /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, + /{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, + /usr/share/applications/{,**} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 684676717..2789ee07b 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /opt/cni/bin/calico +@{exec_path} = /{usr/,}lib/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel new file mode 100644 index 000000000..1c21c261a --- /dev/null +++ b/apparmor.d/groups/virt/cni-flannel @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/flannel /opt/cni/bin/flannel +profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){ + include + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local new file mode 100644 index 000000000..9ca86fb5f --- /dev/null +++ b/apparmor.d/groups/virt/cni-host-local 
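Review bot: `/{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw,` lets update-notifier write bytecode caches under the system-wide `dist-packages`, which is where every other Python consumer of `apt` and `gi` (including root-run tooling) loads code from, so a profile granting write there is an unwanted code-injection path whenever the process has enough DAC privilege to succeed. These writes are normally Python's attempt to refresh a stale `.pyc` and are harmless to refuse, so the usual answer is to silence them rather than permit them, e.g. `deny /{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} w,` while keeping read access. If the write really is required, a comment explaining why should accompany the rule.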
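Review bot: `profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){` lacks the space before `{` that every other profile header in this diff uses (`flags=(...) {`), and the file ends without a trailing newline; the new `cni-host-local` profile in the next hunk has the same header spacing and the same missing newline. Apart from the name and `@{exec_path}`, the two files are identical (`@{exec_path} mr,` plus one `hpage_pmd_size` read), so a one-line comment on what each plugin actually needs would help whoever later moves them out of `complain`.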
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/host-local /opt/cni/bin/host-local +profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){ + include + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft index e6a24a412..465b6d119 100644 --- a/apparmor.d/groups/virt/cni-xtables-nft +++ b/apparmor.d/groups/virt/cni-xtables-nft @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi profile cni-xtables-nft { include + include include capability net_admin, @@ -30,6 +31,4 @@ profile cni-xtables-nft { /etc/nftables.conf rw, @{PROC}/@{pids}/net/ip_tables_names r, - - /dev/pts/[0-9]* rw, } diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index c700d8efd..bfdcd25e0 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -20,7 +20,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability fsetid, capability fowner, + capability mknod, capability net_admin, + capability setfcap, capability sys_admin, network inet dgram, @@ -36,6 +38,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + umount /tmp/ctd-volume[0-9]*/, umount @{run}/netns/cni-@{uuid}, signal (receive) set=term peer={dockerd,k3s}, 
@@ -84,7 +87,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { owner /var/tmp/** rwkl, owner /tmp/** rwkl, /tmp/cri-containerd.apparmor.d[0-9]* rwl, - /tmp/ctd-volume[0-9]*/ rw, + /tmp/ctd-volume[0-9]*/{data,} rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd new file mode 100644 index 000000000..3c9284d46 --- /dev/null +++ b/apparmor.d/groups/virt/dockerd 
@@ -0,0 +1,100 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/dockerd +profile dockerd @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability mknod, + capability net_admin, + capability sys_admin, + capability sys_chroot, + capability kill, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + mount options=(rw, bind) -> /run/docker/netns/*, + mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/, + mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/, + mount options=(rw, rprivate) -> /.pivot_root[0-9]*/, + mount options=(rw, rslave) -> /, + umount /.pivot_root[0-9]*/, + umount /run/docker/netns/*, + umount /var/lib/docker/overlay*/**/, + + pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root[0-9]*/ /var/lib/docker/overlay2/**/, + pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root[0-9]*/ /var/lib/docker/tmp/**/, + + ptrace (read) peer=unconfined, + + signal (send) set=kill peer=docker-*, + signal (send) set=term peer=containerd, + + @{exec_path} mrix, + + /{usr/,}{s,}bin/apparmor_parser rPx, + /{usr/,}{s,}bin/runc rUx, + /{usr/,}{s,}bin/xtables-nft-multi rix, + /{usr/,}bin/containerd rPx, + /{usr/,}bin/docker-init rix, + /{usr/,}bin/kmod rPx, + /{usr/,}bin/ps rPx, + /{usr/,}bin/unpigz rix, + + # Docker needs full access of its containers. + # TODO: should be in a sub profile started with pivot_root, not supported yet. 
+ /{,**} rw, + deny /boot/{,**} rw, + deny /dev/{,**} rw, + deny /media/{,**} rw, + deny /mnt/{,**} rw, + + owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw, + owner /var/lib/docker/{,**} rwk, + owner /var/lib/docker/tmp/qemu-check[0-9]*/check rix, + + @{sys}/fs/cgroup/cgroup.controllers r, + @{sys}/fs/cgroup/cpuset.cpus.effective r, + @{sys}/fs/cgroup/cpuset.mems.effective r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/security/apparmor/profiles r, + @{sys}/module/apparmor/parameters/enabled r, + + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/keys/root_maxkeys r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/threads-max r, + @{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r, + @{PROC}/sys/net/core/somaxconn r, + @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} rw, + @{PROC}/sys/net/ipv{4,6}/conf/docker[0-9]*/accept_ra rw, + @{PROC}/sys/net/ipv{4,6}/ip_forward rw, + @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + owner @{PROC}/@{pids}/attr/current r, + owner @{PROC}/@{pids}/cgroup r, + owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/net/ip_tables_names r, + owner @{PROC}/@{pids}/uid_map r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 3f041cc45..1a5e667e3 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -26,7 +26,7 @@ profile k3s @{exec_path} { capability sys_resource, ptrace peer=@{profile_name}, - ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined}, + ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined}, # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix. 
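Review bot: `owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw,` expands to `/lib/docker/...` or `/usr/lib/docker/...`, whereas every other data-root path in this file (the `mount`, `umount` and `pivot_root` rules and `owner /var/lib/docker/{,**} rwk,`) lives under `/var/lib/docker/`; this looks like a typo for `owner /var/lib/docker/overlay2/*/work/{,**} rw,`, and it is currently masked by `/{,**} rw,` so it would only surface once that blanket rule goes away. Because `/{,**} rw,` plus `/{usr/,}{s,}bin/runc rUx` means the file rules confine very little, the TODO should state what is still enforced, e.g. `# TODO: /{,**} rw makes file mediation mostly moot; only capabilities, mount/pivot_root and exec transitions are enforced until a pivot_root sub-profile is possible.` `ptrace (read) peer=unconfined,` is also unexplained and deserves a one-line reason.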
@@ -109,16 +109,11 @@ profile k3s @{exec_path} { owner @{PROC}/@{pids}/oom_score_adj rw, owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/uid_map r, - + @{PROC}/diskstats r, @{PROC}/loadavg r, @{PROC}/modules r, @{PROC}/sys/fs/pipe-max-size r, - @{PROC}/sys/net/core/somaxconn r, - @{PROC}/sys/net/ipv{4,6}/conf/all/* rw, - @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, - @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, - @{PROC}/sys/net/netfilter/* rw, @{PROC}/sys/kernel/keys/* r, @{PROC}/sys/kernel/panic rw, @{PROC}/sys/kernel/panic_on_oom rw, @@ -126,11 +121,16 @@ profile k3s @{exec_path} { @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/threads-max r, + @{PROC}/sys/net/core/somaxconn r, + @{PROC}/sys/net/ipv{4,6}/conf/all/* rw, + @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, + @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, + @{PROC}/sys/net/netfilter/* rw, @{PROC}/sys/vm/overcommit_memory rw, @{PROC}/sys/vm/panic_on_oom r, @{sys}/class/net/ r, - + @{sys}/devices/pci[0-9]*/**/net/*/{address,mtu,speed} r, @{sys}/devices/system/edac/mc/ r, @{sys}/devices/system/cpu/ r, @@ -138,14 +138,15 @@ profile k3s @{exec_path} { @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, @{sys}/devices/system/cpu/present{,/} r, - - @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r, - @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/ r, @{sys}/devices/system/node/node[0-9]*/{cpumap,distance,meminfo} r, @{sys}/devices/system/node/node[0-9]*/hugepages/{,**} r, + + @{sys}/devices/virtual/block/*/** r, @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r, + @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, @{sys}/fs/cgroup/{,*,*/} r, @{sys}/fs/cgroup/cgroup.subtree_control rw, 
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 8134925c9..4a3f57beb 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -103,7 +103,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /{usr/,}{s,}bin/dmidecode rPx, /{usr/,}{s,}bin/dnsmasq rPx, /{usr/,}{s,}bin/virtiofsd rux, # TODO: WIP - /{usr/,}{s,}bin/virtlogd rPX, + /{usr/,}{s,}bin/virtlogd rPx, /{usr/,}bin/lvm rUx, /{usr/,}bin/mdevctl rPx, /{usr/,}bin/swtpm rPx, @@ -155,6 +155,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+dmi:id r, @{run}/udev/data/+drm:* r, + @{run}/udev/data/+hid:* r, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci* r, diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index ef93fd235..103c4ed96 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -13,9 +13,30 @@ profile aa-log @{exec_path} { @{exec_path} mr, + /{usr/,}bin/journalctl rCx -> journalctl, + /var/log/audit/* r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + profile journalctl { + include + include + + /{usr/,}bin/journalctl mr, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/[0-9a-f]*/ r, + /{run,var}/log/journal/[0-9a-f]*/user-@{uid}*.journal* r, + /{run,var}/log/journal/[0-9a-f]*/user-@{uid}.journal r, + + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/cap_last_cap r, + + } + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 27e1945a7..76f648ede 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote 
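Review bot: The new `journalctl` child profile only allows `/{run,var}/log/journal/[0-9a-f]*/user-@{uid}*.journal*` and `user-@{uid}.journal`; if aa-log is meant to read AppArmor audit events from the system journal, `system*.journal*` files are not covered and journalctl would be denied on them (inferred, confirm against what aa-log passes to journalctl). Stylistically, the child profile has a stray blank line before its closing `}`, and the file still ends without a trailing newline. A short comment on the `rCx -> journalctl` line saying why journalctl is confined as a child rather than `rPx` would also help.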
@@ -18,7 +18,7 @@ profile anyremote @{exec_path} { network inet stream, network inet6 stream, - @{exec_path} rm, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index e46ecbe3b..5a0123ffd 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -16,12 +16,32 @@ profile boltd @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName, + + dbus receive bus=system path=/org/freedesktop/bolt + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus receive bus=system path=/org/freedesktop/bolt + interface=org.freedesktop.bolt1.Manager + member=ListDevices, + + dbus bind bus=system + name=org.freedesktop.bolt, + @{exec_path} mr, /var/lib/boltd/{,**} rw, owner @{run}/boltd/{,**} rw, + @{run}/systemd/notify rw, @{run}/systemd/journal/socket w, @{run}/udev/data/+thunderbolt:* r, @@ -37,7 +57,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r, @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r, @{sys}/devices/platform/**/uevent r, + @{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index bd4ddff7a..c4ad09191 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , 
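Review bot: `dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RequestName,` has no `peer=` qualifier, while the same rule added to systemd-networkd earlier in this diff is written with `peer=(name=org.freedesktop.DBus)`; the two should agree, and pinning the peer is the tighter form. Likewise the two `dbus receive` rules on `/org/freedesktop/bolt` accept `GetAll` and `ListDevices` from any sender, which may be intended (any client may enumerate Thunderbolt devices) but should be stated in a comment. `@{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,` also merits a why-comment, since from the path it appears to toggle controller power through WMI.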
@@ -11,6 +12,7 @@ include profile dkms @{exec_path} flags=(attach_disconnected) { include include + include include capability dac_read_search, @@ -37,7 +39,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/rmdir rix, /{usr/,}bin/find rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{,g,m}awk rix, /{usr/,}bin/cp rix, /{usr/,}bin/date rix, /{usr/,}bin/ln rix, @@ -62,6 +64,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix, /{usr/,}lib/modules/*/build/tools/objtool/objtool rix, + /var/lib/dkms/**/dkms.postbuild rix, + / r, /{usr/,}lib/modules/*/updates/ rw, /{usr/,}lib/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw, @@ -103,6 +107,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { profile kmod { include include + include /{usr/,}bin/kmod mr, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index 8dd6e33b6..677acfbb8 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,15 +14,13 @@ profile dkms-autoinstaller @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - - /{usr/,}bin/readlink rix, - /{usr/,}bin/tput rix, + /{usr/,}{s,}bin/dkms rPx, /{usr/,}bin/echo rix, - - /{usr/,}{s,}bin/dkms rPx, - + /{usr/,}bin/plymouth rix, + /{usr/,}bin/readlink rix, /{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/tput rix, # For shell pwd / r, diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt new file mode 100644 index 000000000..36c2cea56 --- /dev/null +++ b/apparmor.d/profiles-a-f/findmnt 
@@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/findmnt +profile findmnt @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + /etc/fstab r, + /etc/mtab r, + + @{PROC}/@{pids}/mountinfo r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 57144bb02..5d5c558e5 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -16,6 +16,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include include + capability sys_nice, + signal (send), network inet stream, @@ -24,6 +26,26 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { network inet6 dgram, network netlink raw, + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/ + interface=org.freedesktop.fwupd + member={GetDevices,GetPlugins,GetRemotes,SetFeatureFlags,SetHints,UpdateMetadata}, + + dbus send bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.systemd[0-9].Manager + member={GetDefaultTarget,GetUnit}, + + dbus receive bus=system path=/ + interface=org.freedesktop.fwupd + member=Changed, + @{exec_path} mr, /{usr/,}bin/dbus-launch rCx -> dbus, @@ -37,6 +59,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, owner @{user_cache_dirs}/ rw, + @{user_cache_dirs}/dconf/user rw, owner @{user_cache_dirs}/fwupd/ rw, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, 
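Review bot: `@{user_cache_dirs}/dconf/user rw,` is the only rule in this group without the `owner` qualifier; the lines around it (`owner @{user_cache_dirs}/ rw,`, `owner @{user_cache_dirs}/fwupd/ rw,`) all carry it, and a dconf database belonging to another user is not something fwupdmgr should be able to write. Suggest `owner @{user_cache_dirs}/dconf/user rw,`. The `fwupdmgr` profile continues outside the hunk.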
diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 3af156984..c812c59c2 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -19,5 +19,7 @@ profile glib-compile-schemas @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled.[A-Z0-9]* rw, /usr/share/glib-2.0/schemas/gschemas.compiled rw, + /usr/share/gnome-shell/extensions/*/schemas/org.gnome.shell.extensions.*.gschema.xml r, + include if exists } diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index a541546cb..997a523eb 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/install-info profile install-info @{exec_path} { include + include capability dac_read_search, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 3c878be31..1737430b5 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -6,18 +6,17 @@ abi , include -@{exec_path} = /usr/share/language-tools/language-validate +@{exec_path} = /usr/share/language-tools/language-{options,validate} profile language-validate @{exec_path} { include capability setgid, - @{exec_path} mr, + @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/locale rix, - /usr/share/language-tools/language-options rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/locale rix, /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index e32ab8c76..392735390 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man 
@@ -58,14 +58,14 @@ profile man_groff { signal peer=man, - /{usr/,}bin/eqn rm, - /{usr/,}bin/grap rm, - /{usr/,}bin/pic rm, - /{usr/,}bin/preconv rm, - /{usr/,}bin/refer rm, - /{usr/,}bin/tbl rm, - /{usr/,}bin/troff rm, - /{usr/,}bin/vgrind rm, + /{usr/,}bin/eqn mr, + /{usr/,}bin/grap mr, + /{usr/,}bin/pic mr, + /{usr/,}bin/preconv mr, + /{usr/,}bin/refer mr, + /{usr/,}bin/tbl mr, + /{usr/,}bin/troff mr, + /{usr/,}bin/vgrind mr, /{usr/,}lib/groff/site-tmac/** r, /usr/share/groff/** r, @@ -83,14 +83,14 @@ profile man_filter { signal peer=man, - /{usr/,}bin/bzip2 rm, - /{usr/,}bin/gzip rm, - /{usr/,}bin/col rm, - /{usr/,}bin/compress rm, - /{usr/,}bin/iconv rm, - /{usr/,}bin/lzip.lzip rm, - /{usr/,}bin/tr rm, - /{usr/,}bin/xz rm, + /{usr/,}bin/bzip2 mr, + /{usr/,}bin/gzip mr, + /{usr/,}bin/col mr, + /{usr/,}bin/compress mr, + /{usr/,}bin/iconv mr, + /{usr/,}bin/lzip.lzip mr, + /{usr/,}bin/tr mr, + /{usr/,}bin/xz mr, # Manual pages can be more or less anywhere, especially with "man -l", and # there's no harm in allowing wide read access here since the worst it can diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 35c7caba8..c2e4c5b7d 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2022 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -53,10 +54,11 @@ profile mkinitramfs @{exec_path} { /{usr/,}bin/xz rix, /{usr/,}bin/zstd rix, - /{usr/,}bin/ldd rCx -> ldd, - /{usr/,}sbin/ldconfig rCx -> ldconfig, - /{usr/,}bin/find rCx -> find, - /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/ldd rCx -> ldd, + /{usr/,}lib{32,64}/ld-linux.so.2 rCx -> ldd, + /{usr/,}sbin/ldconfig rCx -> ldconfig, + /{usr/,}bin/find rCx -> find, + /{usr/,}bin/kmod rCx -> kmod, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/linux-version rPx, 
@@ -103,7 +105,7 @@ profile mkinitramfs @{exec_path} { /{usr/,}lib/initramfs-tools/bin/* mr, /{usr/,}lib/@{multiarch}/ld-*.so* rix, - /{usr/,}lib{,x}32/ld-*.so rix, + /{usr/,}lib{,x}32/ld-*.so{,.2} rix, } diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index eaf3104d5..b13322333 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -11,6 +11,7 @@ profile mount-zfs @{exec_path} flags=(complain) { include include + capability dac_read_search, capability sys_admin, # To mount anything. @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pinentry b/apparmor.d/profiles-m-r/pinentry index 7b817df47..4c904ce09 100644 --- a/apparmor.d/profiles-m-r/pinentry +++ b/apparmor.d/profiles-m-r/pinentry @@ -14,6 +14,7 @@ profile pinentry @{exec_path} { @{exec_path} mr, /{usr/,}bin/pinentry-* rPx, + /{usr/,}bin/{,ba,da}sh rix, /etc/pinentry/preexec r, diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses index 6cd6a660d..ba6390b17 100644 --- a/apparmor.d/profiles-m-r/pinentry-curses +++ b/apparmor.d/profiles-m-r/pinentry-curses @@ -13,7 +13,7 @@ profile pinentry-curses @{exec_path} { @{exec_path} mr, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, /usr/share/terminfo/x/xterm-256color r, diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 18ac7aa79..9136dc223 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec 
@@ -29,19 +29,32 @@ profile pkexec @{exec_path} flags=(complain) { network netlink raw, - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.DBus.Properties - member=GetAll, + member=GetAll + peer=(name=:*), - dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority - member={EnumerateActions,CheckAuthorization}, + member={EnumerateActions,CheckAuthorization,RegisterAuthenticationAgent,UnregisterAuthenticationAgent} + peer=(name=:*), + + dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]*/Authority + interface=org.freedesktop.PolicyKit[0-9]*.Authority + member=Changed + peer=(name=:*), + + dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]*/AuthenticationAgent + interface=org.freedesktop.PolicyKit[0-9]*.AuthenticationAgent + member=BeginAuthentication + peer=(name=:*), @{exec_path} mr, # Apps to be run via pkexec /{usr/,}{s,}bin/* rPUx, /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#) + /{usr/,}lib/polkit-agent-helper-[0-9] rPx, /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /{usr/,}lib/update-notifier/package-system-locked rPx, /usr/share/apport/apport-gtk rPx, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 10fc5bd92..d586dbaca 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
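Review bot: The two new `dbus (receive)` rules accept `Changed` and `BeginAuthentication` from any connection, because `peer=(name=:*)` matches every unique bus name; the only legitimate caller of an authentication agent is polkitd, so if the project already confines it the peer could be narrowed with a label constraint, e.g. `peer=(name=:*, label=polkitd)` (assuming that is the profile name, confirm). Whether `name=:*` on the two `(send)` rules still matches a message addressed to the well-known name `org.freedesktop.PolicyKit1` is worth verifying in enforce mode, since the profile is `flags=(complain)` and a mismatch would only show up as a log entry. The `pkexec` profile continues outside the hunk.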
@@ -20,35 +21,31 @@ profile rsyslogd @{exec_path} { capability net_admin, # For remote logs capability setgid, # For downgrading privileges capability setuid, + capability sys_nice, capability syslog, - + @{exec_path} mr, /{usr/,}lib/@{multiarch}/rsyslog/*.so mr, - # rsyslog configuration /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, - /var/spool/rsyslog/ r, - /var/spool/rsyslog/** rw, - owner @{run}/rsyslogd.pid{,.tmp} rwk, - owner @{run}/systemd/journal/syslog w, - @{run}/systemd/notify rw, - - # log files and devices - /var/log/** rw, - @{PROC}/kmsg r, - - # a cert for gtls module /etc/CA/*.crt r, /etc/CA/*.key r, + /var/log/** rw, + /var/spool/rsyslog/ r, + /var/spool/rsyslog/** rw, + + @{run}/systemd/notify rw, + owner @{run}/rsyslogd.pid{,.tmp} rwk, + owner @{run}/systemd/journal/syslog w, + @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, - @{run}/systemd/notify w, - include if exists } diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 82302316e..71e444334 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/rtkit-daemon -profile rtkit-daemon @{exec_path} { +profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index be940b18b..de6c971e7 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2022 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , 
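Review bot: The reorder drops the three section comments (`# rsyslog configuration`, `# log files and devices`, `# a cert for gtls module`) without replacing them, and the last one matters: `/etc/CA/*.key r,` lets the syslog daemon read private keys, which is only justified by the TLS output module. Keep at least `# Certificate and key for the gtls module` on the `/etc/CA/*.{crt,key}` lines. The newly added `capability sys_nice,` is also unexplained, whereas the neighbouring capabilities each carry a `# For ...` comment; it should get one in the same style.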
@@ -118,11 +119,13 @@ profile run-parts @{exec_path} { include /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{e,}grep rix, /{usr/,}bin/cat rix, /{usr/,}bin/cut rix, /{usr/,}bin/find rix, - /{usr/,}bin/grep rix, + /{usr/,}bin/head rix, /{usr/,}bin/id rix, + /{usr/,}bin/sort rix, /{usr/,}bin/tr rix, /{usr/,}bin/uname rix, @@ -132,16 +135,23 @@ profile run-parts @{exec_path} { /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, / r, + /etc/default/motd-news r, /etc/lsb-release r, /etc/update-motd.d/[0-9]*-[a-z]* r, + /var/cache/motd-news r, /var/lib/update-notifier/updates-available r, + @{run}/motd.d/{,*} r, + + @{PROC}/@{pids}/mounts r, + } profile kernel { include include + include capability sys_module, @@ -151,7 +161,7 @@ profile run-parts @{exec_path} { /{usr/,}bin/chmod rix, /{usr/,}bin/cut rix, /{usr/,}bin/dirname rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{,m,g}awk rix, /{usr/,}bin/kmod rix, /{usr/,}bin/mv rix, /{usr/,}bin/rm rix, diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid new file mode 100644 index 000000000..949c9ebe7 --- /dev/null +++ b/apparmor.d/profiles-s-z/sanoid @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{local/,}{s,}bin/sanoid +profile sanoid @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/perl rix, + /{usr/,}bin/ps rPx, + /{usr/,}{local/,}{s,}bin/zfs rPx, + + /etc/sanoid/{*,} r, + + /var/cache/sanoid/snapshots.txt rw, + + /usr/share/sanoid/{**,} r, + + @{run}/sanoid/ rw, + @{run}/sanoid/sanoid_cacheupdate.lock rwk, + @{run}/sanoid/sanoid_pruning.lock rwk, + + owner /tmp/** rw, + + include if exists +} diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 38567f5c1..5aaf88e65 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap 
@@ -16,9 +16,9 @@ profile snap @{exec_path} { @{exec_path} mrix, /snap/{,**} rw, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-confine rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snapd r, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd r, /etc/fstab r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index ef2ce90e4..f16c2042b 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -18,8 +18,11 @@ profile snapd @{exec_path} { include capability audit_write, + capability chown, capability dac_override, capability dac_read_search, + capability fowner, + capability fsetid, capability net_admin, capability setgid, capability setuid, @@ -56,6 +59,7 @@ profile snapd @{exec_path} { /{usr/,}bin/cp rix, /{usr/,}bin/gzip rix, /{usr/,}bin/mount rix, + /{usr/,}bin/snap rPx, /{usr/,}bin/sync rix, /{usr/,}bin/systemctl rix, /{usr/,}bin/systemd-detect-virt rPx, 
@@ -65,15 +69,15 @@ profile snapd @{exec_path} { /{usr/,}bin/unsquashfs rix, /{usr/,}bin/update-desktop-database rPx, - /snap/snapd/[0-9]*/lib/@{multiarch}/** mr, - /snap/snapd/[0-9]*/lib/@{multiarch}/ld-*.so rix, - /snap/snapd/[0-9]*/usr/bin/snap rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-discard-ns rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-update-ns rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snapd rix, - /snap/snapd/[0-9]*/usr/bin/fc-cache-* rPx -> fc-cache, - /snap/snapd/[0-9]*/usr/bin/xdelta3 rix, # TODO: rPx ? + /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* mr, + /{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, + /{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ? + /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/** mr, + /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/ld-*.so rix, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd rix, /usr/share/bash-completion/completions/{,**} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} r, @@ -104,6 +108,7 @@ profile snapd @{exec_path} { /tmp/syscheck-squashfs-[0-9]* rw, /tmp/read-file[0-9]*/{,**} rw, + /home/ r, @{HOME}/ r, @{HOME}/snap/{,**} rw, @@ -114,8 +119,8 @@ profile snapd @{exec_path} { owner @{run}/user/{,@{uid}/} r, owner @{run}/user/snap.*/{,**} rw, - @{run}/snapd-snap.socket rw, - @{run}/snapd.socket rw, + @{run}/snapd*.socket rw, + @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, @{run}/systemd/notify rw, @{run}/systemd/private rw, @@ -128,7 +133,6 @@ profile snapd @{exec_path} { @{sys}/kernel/security/apparmor/features/ r, @{sys}/kernel/security/apparmor/profiles r, - owner @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/stat r, @{PROC}/cgroups r, 
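Review bot: `/{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* mr,` replaces `rPx -> fc-cache`, so fc-cache no longer runs under its own profile; `mr` carries no execute permission, which suggests it is now started through `/{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/ld-*.so rix` from the same hunk (inferred) and therefore inherits snapd's full rule set, including the `chown`/`fowner`/`fsetid` capabilities added earlier in this file. If that is deliberate, a comment such as `# fc-cache is started through ld.so and so runs under this profile` would record it; otherwise keep the `rPx -> fc-cache` transition and teach the fc-cache profile the loader-based path instead.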
@@ -136,6 +140,7 @@ profile snapd @{exec_path} {
 @{PROC}/sys/kernel/random/boot_id r,
 @{PROC}/sys/kernel/seccomp/actions_avail r,
 @{PROC}/version r,
+ owner @{PROC}/@{pids}/mountinfo r,
 /dev/loop-control rw,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index dd688cfbb..524c33381 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -32,17 +32,21 @@ profile steam @{exec_path} {
 network inet6 stream,
 network netlink raw,
- ptrace (read) peer=steam-*,
+ ptrace (read),
 signal (send) peer=steam-game,
 signal (read),
+ unix (receive) type=stream,
+
 @{exec_path} mrix,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/*sum rix,
 /{usr/,}bin/basename rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/cmp rix,
+ /{usr/,}bin/cp rix,
 /{usr/,}bin/cut rix,
 /{usr/,}bin/dirname rix,
 /{usr/,}bin/gawk rix,
@@ -53,18 +57,23 @@ profile steam @{exec_path} {
 /{usr/,}bin/ldd rix,
 /{usr/,}bin/ln rix,
 /{usr/,}bin/lspci rPx,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/mv rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/realpath rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/steam-runtime-urlopen rix,
 /{usr/,}bin/tail rix,
+ /{usr/,}bin/tar rix,
+ /{usr/,}bin/touch rix,
 /{usr/,}bin/tr rix,
 /{usr/,}bin/uname rix,
 /{usr/,}bin/which rix,
 /{usr/,}bin/xdg-icon-resource rPx,
-
- /{usr/,}lib{32,64}/ld-linux.so* rix,
+ /{usr/,}bin/xz rix,
+ /{usr/,}bin/zenity rix,
+ /{usr/,}lib{32,64}/ld-linux.so* rix,
 @{user_share_dirs}/Steam/config/widevine/linux-x64/libwidevinecdm.so mr,
 @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier/*entry-point rpx,
@@ -116,6 +125,7 @@ profile steam @{exec_path} {
 owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw,
 owner @{user_share_dirs}/Steam/ rw,
 owner @{user_share_dirs}/Steam/** rwkl -> @{user_share_dirs}/Steam/**,
+ owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
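Review bot: `ptrace (read) peer=steam-*,` becomes `ptrace (read),`, so steam may now read the state of any process (still subject to yama's ptrace_scope) rather than only its steam-* children; read-mode ptrace is also what gates reading other processes' /proc entries. If the motivating denial named a specific peer (for example an unconfined helper), listing it keeps the scope narrow: `ptrace (read) peer={steam-*,unconfined},`; otherwise a comment explaining why an unrestricted peer is needed would help. The profile body continues outside this hunk.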
@@ -125,6 +135,7 @@ profile steam @{exec_path} {
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
 owner /dev/shm/ValveIPCSHM_@{uid} rw,
+ owner /tmp/dumps/ rw,
 owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw,
 owner /tmp/sh-thd.* rw,
 owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
@@ -162,6 +173,7 @@ profile steam @{exec_path} {
 @{sys}/power/suspend_stats/success rk,
 @{PROC}/ r,
+ @{PROC}/@{pids}/comm rk,
 @{PROC}/@{pids}/net/route r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
@@ -170,7 +182,6 @@ profile steam @{exec_path} {
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 @{PROC}/sys/user/max_user_namespaces r,
 @{PROC}/version r,
- owner @{PROC}/@{pid}/comm rk,
 owner @{PROC}/@{pid}/autogroup rw,
 owner @{PROC}/@{pid}/cmdline rk,
 owner @{PROC}/@{pid}/fd/ r,
@@ -184,5 +195,7 @@ profile steam @{exec_path} {
 /dev/input/ r,
 /dev/tty rw,
+ audit deny /**.steam_exec_test.sh rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index 807b79594..65b78b491 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -36,6 +36,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 include
 include
+ capability dac_override,
+ capability dac_read_search,
 capability setpcap,
 capability sys_admin,
 capability sys_ptrace,
@@ -89,6 +91,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 @{steamruntime}/pressure-vessel/lib{,exec}/** mrix,
 @{steamruntime}/run rix,
+ @{user_share_dirs}/Steam/bin/ r,
+ @{user_share_dirs}/Steam/bin/* mr,
 @{user_share_dirs}/Steam/legacycompat/ r,
 @{user_share_dirs}/Steam/legacycompat/** mr,
 @{user_share_dirs}/Steam/linux{32,64}/ r,
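Review bot: `@{PROC}/@{pids}/comm rk,` replaces `owner @{PROC}/@{pid}/comm rk,` (removed in the next hunk), widening the grant from steam's own command name to that of every process on the system; together with the unrestricted `ptrace (read)` earlier in this file it makes the profile noticeably more permissive. If steam only needs to inspect its helpers running as the same user, `owner @{PROC}/@{pids}/comm rk,` keeps the `owner` guard while still matching other pids.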
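Review bot: `capability dac_override` and `capability dac_read_search` are granted to steam-game, the profile under which third-party game binaries run; alongside the existing `sys_admin` and `sys_ptrace` this lets a game ignore file permission bits on anything the profile's path rules reach. A comment naming the game or runtime component that triggers the denial, and a check whether a missing path rule rather than the capability is the real gap, would be worth adding before merging. The profile continues outside this hunk.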
@@ -137,6 +141,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/Steam/ r,
 owner @{user_share_dirs}/Steam/* r,
 owner @{user_share_dirs}/Steam/*log* rw,
+ owner @{user_share_dirs}/Steam/shader_cache_temp*/fozpipelinesv*/{,**} rw,
 owner @{user_share_dirs}/Steam/steamapps/ r,
 owner @{user_share_dirs}/Steam/steamapps/common/ r,
 owner @{user_share_dirs}/Steam/steamapps/common/*/ r,
@@ -159,6 +164,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 owner /dev/shm/mono.* rw,
 owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw,
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
+ owner /dev/shm/ValveIPCSHM_@{uid} rw,
 owner /dev/shm/wine-*-fsync rw,
 owner /tmp/.wine-@{uid}/server-*/* rwk,
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index 35598b9db..c59845280 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@@ -9,8 +9,9 @@ include
 @{exec_path} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/gameoverlayui
 profile steam-gameoverlayui @{exec_path} {
 include
- include
+ include
 include
+ include
 network inet stream,
 network inet6 stream,
@@ -34,15 +35,19 @@ profile steam-gameoverlayui @{exec_path} {
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_share_dirs}/Steam/{,**} r,
 owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw,
- owner @{user_share_dirs}/Steam/public/url_list.txt rk,
+ owner @{user_share_dirs}/Steam/public/* rk,
+ owner @{user_share_dirs}/Steam/resource/{,**} rk,
+ owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk,
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
 owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw,
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk,
+ owner /dev/shm/ValveIPCSHM_@{uid} rw,
 owner /tmp/gameoverlayui.log* rw,
 owner /tmp/steam_chrome_overlay_uid@{uid}_spid@{pids} rw,
+ owner /tmp/miles_image_* mrw,
 @{sys}/ r,
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index ed41a2e3c..cc89bfd43 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -37,7 +37,7 @@ profile sudo @{exec_path} {
 signal (send) peer=unconfined,
 signal (send) set=(cont,hup) peer=su,
- signal (send) set=winch peer=apt,
+ signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot},
 dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager
diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid
new file mode 100644
index 000000000..4cc4f0d97
--- /dev/null
+++ b/apparmor.d/profiles-s-z/syncoid
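Review bot: `owner /tmp/miles_image_* mrw,` grants write and executable mapping (`m`) on the same predictable /tmp path, which breaks the write-xor-execute separation the other rules in this file keep; if the overlay only reads back an image it wrote, `owner /tmp/miles_image_* rw,` is enough, and if it really maps the file, a comment saying so documents the exception. The same hunk widens `Steam/public/url_list.txt` to `Steam/public/*` and adds `userdata/[0-9]*/{,**}`, which is fine if intended but deserves a word in the commit message.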
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{local/,}{s,}bin/syncoid
+profile syncoid @{exec_path} flags=(complain) {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/mbuffer rix,
+ /{usr/,}bin/perl rix,
+ /{usr/,}bin/ps rPx,
+ /{usr/,}bin/pv rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}{local/,}{s,}bin/zfs rPx,
+ /{usr/,}{local/,}{s,}bin/zpool rPx,
+
+ /etc/mbuffer.rc r,
+
+ owner /tmp/** rw,
+
+ @{PROC}/@{pids}/maps r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 552227bc9..c89a78e60 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
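Review bot: `@{PROC}/@{pids}/maps r,` lets syncoid read the memory layout of every process, not only its own; if the access comes from perl or mbuffer inspecting themselves, `owner @{PROC}/@{pid}/maps r,` is the narrower form. `owner /tmp/** rw,` is similarly wide for a backup tool that usually runs as root; scoping it to the temporary files syncoid actually creates would keep the profile honest once it leaves `complain` mode. Both lines are new in this new file.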
@@ -27,6 +27,28 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ # Allow mounting of removable devices
+ mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/,
+
+ # Allow mounting of loop devices (ISO files)
+ mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
+
+ # Allow mounting of cdrom
+ mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/,
+ mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/,
+
+ # Allow mounting od sd cards
+ mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
+ mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
+
+ # Allow unmounting
+ umount @{MOUNTS}/,
+ umount @{MOUNTS}/*/,
+ umount /media/cdrom[0-9]/,
+
 dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.{DBus*,UDisks2*},
@@ -50,7 +72,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.PolicyKit[0-9].Authority member=CheckAuthorization,
- dbus bind bus=system
+ dbus bind bus=system name=org.freedesktop.UDisks2,
 @{exec_path} mr,
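Review bot: The relocated comment `# Allow mounting od sd cards` carries its typo into the new position; since the block is being moved anyway, make it `# Allow mounting of sd cards`. Under `# Allow mounting of cdrom` the first rule targets `/dev/loop[0-9]*` with a `/media/cdrom[0-9]/` destination, which duplicates the loop rule above except for the target; a short note on why loop devices are mounted as cdrom would spare the next reader the same question.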
@@ -71,86 +93,46 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/systemctl rPx -> child-systemctl,
 /{usr/,}bin/systemd-escape rPx,
- # Allow mounting of removable devices
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/,
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/,
- # Allow mounting of loop devices (ISO files)
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
- # Allow mounting of cdrom
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/,
- mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/,
- # Allow mounting od sd cards
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
- mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
- # Allow unmounting
- umount @{MOUNTS}/,
- umount @{MOUNTS}/*/,
- umount /media/cdrom[0-9]/,
+ /etc/udisks2/{,**} r,
+ /etc/libblockdev/{,**} r,
+ /etc/fstab r,
+ /etc/crypttab r,
+
+ /var/lib/udisks2/ r,
+ /var/lib/udisks2/mounted-fs{,*} rw,
 # Be able to create/delete dirs for removable media
 @{MOUNTS}/ rw,
 @{MOUNTS}/*/ rw,
- /media/cdrom[0-9]/ rw,
- # Udisks2 config files
- /etc/udisks2/ r,
- /etc/udisks2/udisks2.conf r,
-
- /etc/libblockdev/conf.d/ r,
- /etc/libblockdev/conf.d/[0-9][0-9]-default.cfg r,
-
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/fd/ r,
- @{PROC}/cmdline r,
- @{PROC}/devices r,
- @{PROC}/swaps r,
-
- # To be able to initialize device-mapper disk devices
- /dev/mapper/ r,
- /dev/mapper/control rw,
-
- # The special /dev/loop-control file can be used to create and destroy loop devices or to find
- # the first available loop device.
- /dev/loop-control rw,
-
- # To check whether the x-udisks-auth option was used to specify that additional authorization is
- # required to mount/unlock a device
- /etc/fstab r,
- /etc/crypttab r,
-
- # To be able to operate on encryted devices
+ @{run}/ r,
+ @{run}/mount/utab{,.*} rw,
+ @{run}/mount/utab.lock rwk,
+ @{run}/udisks2/{,**} rw,
+ @{run}/systemd/seats/seat[0-9]* r,
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
 @{run}/cryptsetup/ r,
 @{run}/cryptsetup/L* rwk,
- @{sys}/fs/ r,
 @{sys}/bus/ r,
 @{sys}/class/ r,
-
- @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w,
- @{sys}/devices/virtual/block/dm-[0-9]*/ w,
- @{sys}/devices/virtual/block/dm-[0-9]*/** w,
- @{sys}/devices/virtual/block/loop[0-9]*/uevent rw,
-
- # For powering off USB devices
 @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
-
+ @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w,
 @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
+ @{sys}/devices/virtual/block/*/{,**} rw,
+ @{sys}/devices/virtual/block/loop[0-9]*/uevent rw,
+ @{sys}/fs/ r,
- @{run}/ r,
+ @{PROC}/cmdline r,
+ @{PROC}/devices r,
+ @{PROC}/swaps r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
- # Info on mounted devices
- @{run}/mount/utab{,.*} rw,
- @{run}/mount/utab.lock rwk,
- /var/lib/udisks2/ r,
- /var/lib/udisks2/mounted-fs{,*} rw,
-
- @{run}/udisks2/{,**} rw,
-
- @{run}/systemd/seats/seat[0-9]* r,
- @{run}/systemd/inhibit/[0-9]*.ref rw,
+ /dev/loop-control rw,
+ /dev/mapper/ r,
+ /dev/mapper/control rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/profiles-s-z/users
new file mode 100644
index 000000000..a62d14e75
--- /dev/null
+++ b/apparmor.d/profiles-s-z/users
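Review bot: `@{sys}/devices/virtual/block/*/{,**} rw,` replaces the two `dm-[0-9]*` write rules with read-write access to the sysfs tree of every virtual block device (loop, md, zram, ram and so on), a wider grant than the device-mapper case it came from; `@{sys}/devices/virtual/block/{dm-,loop}[0-9]*/{,**} rw,` would keep the old scope plus the loop devices this hunk already handles. The reshuffle also drops the why-comments that explained `/dev/loop-control`, the `x-udisks-auth` check behind `/etc/fstab` and `/etc/crypttab`, and the USB power-off `remove` attribute; restoring them as one-liners above the moved rules preserves that context.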
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/users
+profile users @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /var/log/wtmp rk,
+
+ @{run}/utmp rk,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis
new file mode 100644
index 000000000..86a2075a0
--- /dev/null
+++ b/apparmor.d/profiles-s-z/whereis
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/whereis
+profile whereis @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}{local/,}{s,}bin/ r,
+ /{usr/,}lib/go-*/bin/ r,
+ /{usr/,}{local/,}games/ r,
+
+ /etc/ r,
+
+ /{usr/,}lib{,32,64}/ r,
+ /usr/local/{,etc/,lib/} r,
+ /usr/include/ r,
+ /usr/share/ r,
+ /usr/share/info/{**,} r,
+ /usr/share/man/{**,} r,
+ /usr/src/{**,} r,
+
+ @{libexec}/ r,
+
+ /opt/ r,
+ /opt/cni/bin/ r,
+ /opt/containerd/bin/ r,
+
+ /snap/bin/ r,
+
+ owner @{HOME}/{.local/,}/{.,}bin/ r,
+ owner @{HOME}/.krew/bin/ r,
+ owner @{HOME}/go/bin/ r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which
new file mode 100644
index 000000000..32635f414
--- /dev/null
+++ b/apparmor.d/profiles-s-z/which
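Review bot: `owner @{HOME}/{.local/,}/{.,}bin/ r,` expands to paths with a doubled slash (`@{HOME}/.local//bin/`, `@{HOME}//bin/`) because the alternation already ends in `/` and another `/` follows it; paths the kernel hands to AppArmor never contain `//`, so the rule most likely matches nothing. `owner @{HOME}/{.local/,}{.,}bin/ r,` is presumably what was meant; the same line appears in the new `which` profile in the next hunk. Both profiles are in `complain` mode, so the miss shows up only as a logged ALLOWED event.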
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/which{.debianutils,}
+profile which @{exec_path} flags=(complain) {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}{local/,}{s,}bin/ r,
+ /{usr/,}lib/go-*/bin/ r,
+ /{usr/,}{local/,}games/ r,
+
+ /opt/cni/bin/ r,
+ /opt/containerd/bin/ r,
+
+ /snap/bin/ r,
+
+ owner @{HOME}/{.local/,}/{.,}bin/ r,
+ owner @{HOME}/.krew/bin/ r,
+ owner @{HOME}/go/bin/ r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/whoami b/apparmor.d/profiles-s-z/whoami
new file mode 100644
index 000000000..6dca3d67b
--- /dev/null
+++ b/apparmor.d/profiles-s-z/whoami
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/whoami
+profile whoami @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index 93e75bf29..32472fb93 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{s,}bin/wpa_supplicant
-profile wpa-supplicant @{exec_path} {
+profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed
index a37053b93..8994f68d6 100644
--- a/apparmor.d/profiles-s-z/zed
+++ b/apparmor.d/profiles-s-z/zed
@@ -22,9 +22,11 @@ profile zed @{exec_path} {
 /{usr/,}bin/expr rix,
 /{usr/,}bin/flock rix,
 /{usr/,}bin/grep rix,
+ /{usr/,}bin/hostname rix,
 /{usr/,}bin/ls rix,
 /{usr/,}bin/logger rix,
 /{usr/,}bin/mawk rix,
+ /{usr/,}bin/mktemp rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/realpath rix,
 /{usr/,}bin/sort rix,
@@ -39,6 +41,8 @@ profile zed @{exec_path} {
 @{run}/zed.state rwkl,
 @{run}/zfs-list.cache@* rw,
+ owner /tmp/tmp.* rw,
+
 @{sys}/bus/pci/slots/ r,
 @{sys}/bus/pci/slots/[0-9]*/address r,
diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs
index 500cfec1d..cb36774d0 100644
--- a/apparmor.d/profiles-s-z/zfs
+++ b/apparmor.d/profiles-s-z/zfs
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}{local/,}{s,}bin/zfs
 profile zfs @{exec_path} {
 include
+ include
 capability sys_admin,
 capability dac_read_search,
@@ -20,6 +21,10 @@ profile zfs @{exec_path} {
 /etc/zfs/zfs-list.cache/{,*} rwk,
+ # Sanoid generates temorary files with random names including underscores, directly under /tmp.
+ # https://github.com/jimsalterjrs/sanoid/issues/758
+ /tmp/* rw,
+
 @{run}/zfs-list.cache@* rw,
 @{PROC}/@{pids}/mounts r,
diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool
index 77dae7f07..f1ae419f4 100644
--- a/apparmor.d/profiles-s-z/zpool
+++ b/apparmor.d/profiles-s-z/zpool
@@ -13,7 +13,7 @@ profile zpool @{exec_path} {
 capability sys_admin,
- @{exec_path} rm,
+ @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,
@@ -25,9 +25,12 @@ profile zpool @{exec_path} {
 @{run}/blkid/blkid.tab.old rwl,
 @{run}/blkid/blkid.tab-* rwl,
+ /tmp/tmp.* rw,
+
 @{sys}/bus/pci/slots/ r,
 @{sys}/bus/pci/slots/[0-9]*/address r,
+ @{PROC}/@{pids}/mountinfo r,
 @{PROC}/@{pids}/mounts r,
 @{PROC}/sys/kernel/spl/hostid r,
diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
index 76b98a496..d4d227408 100644
--- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot
+++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
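Review bot: `/tmp/* rw,` in zfs lacks the `owner` qualifier, so a profile that already holds `sys_admin` and `dac_read_search` may read and write any file directly under /tmp regardless of who created it, the classic shared-/tmp exposure; `owner /tmp/* rw,` keeps the sanoid case (files made by the same user) while closing that. The comment above it also has a typo: `temorary` should be `temporary`. The zpool hunk below adds `/tmp/tmp.* rw,` with the same omission, whereas zed in the first hunk of this line correctly uses `owner /tmp/tmp.* rw,`.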
@@ -9,14 +9,15 @@ include
 @{exec_path} = @{libexec}/zsys-system-autosnapshot
 profile zsys-system-autosnapshot @{exec_path} flags=(complain) {
 include
+ include
- @{exec_path} rm,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/zsysctl rPx,
- /{usr/,}bin/zsysd rPx,
+ @{exec_path} mr,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}{s,}bin/zsysctl rPx,
+ /{usr/,}{s,}bin/zsysd rPx,
 /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
@@ -24,7 +25,5 @@ profile zsys-system-autosnapshot @{exec_path} flags=(complain) {
 @{run}/zsys-snapshot.unattended-upgrades rw,
 @{run}/unattended-upgrades.pid r,
- /dev/pts/[0-9]* rw,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd
index 8862b59cd..d8a6c4514 100644
--- a/apparmor.d/profiles-s-z/zsysd
+++ b/apparmor.d/profiles-s-z/zsysd
@@ -22,7 +22,8 @@ profile zsysd @{exec_path} flags=(complain) {
 @{exec_path} rmix,
 /{usr/,}{local/,}{s,}bin/zfs rPx,
 /{usr/,}{local/,}{s,}bin/zpool rPx,
- /{usr/,}{s,}bin/update-grub rPUx,
+ # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1
+ /{usr/,}{s,}bin/update-grub rPx,
 /etc/hostid r,
 /etc/zsys.conf r,
@@ -34,10 +35,10 @@ profile zsysd @{exec_path} flags=(complain) {
 @{run}/zsys-snapshot.unattended-upgrades rw,
 @{run}/zsysd.sock rw,
- owner @{PROC}/@{pids}/stat r,
- @{PROC}/@{pids}/mounts r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/spl/hostid r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/mounts r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/spl/hostid r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go
index aa47d9c00..05d0e8654 100644
--- a/cmd/aa-log/main.go
+++ b/cmd/aa-log/main.go
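Review bot: The new comment above `/{usr/,}{s,}bin/update-grub rPx,` is a pasted aa-log line rather than an explanation of the change; replace it with the intent, e.g. `# update-grub has its own profile, transition to it instead of running it unconfined (was rPUx)`. If the logged `info="no new privs"` denial is what prompted this, note that it is zsysd's no_new_privs flag that blocks the domain transition, and `Px` transitions just as `PUx` did when a target profile exists, so the denial should be re-checked after the change. The following hunk drops `owner` from `@{PROC}/@{pids}/stat r,`; a word on why zsysd needs other users' process stats would help.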
@@ -1,16 +1,20 @@
 // aa-log - Review AppArmor generated messages
-// Copyright (C) 2021 Alexandre Pujol
+// Copyright (C) 2021-2022 Alexandre Pujol
 // SPDX-License-Identifier: GPL-2.0-only
 package main
 import (
 "bufio"
+ "bytes"
 "encoding/hex"
+ "encoding/json"
 "flag"
 "fmt"
 "io"
+ "io/ioutil"
 "os"
+ "os/exec"
 "path/filepath"
 "regexp"
 "strings"
@@ -18,6 +22,7 @@ import (
 // Command line options
 var (
+ dbus bool
 help bool
 path string
 )
@@ -45,6 +50,11 @@ type AppArmorLog map[string]string
 // AppArmorLogs describes all apparmor log entries
 type AppArmorLogs []AppArmorLog
+// SystemdLog is a simplified systemd json log representation.
+type SystemdLog struct {
+ Message string `json:"MESSAGE"`
+}
+
 var (
 quoted bool
 isHexa = regexp.MustCompile("^[0-9A-Fa-f]+$")
@@ -84,6 +94,40 @@ func removeDuplicateLog(logs []string) []string {
 return list
 }
+// getJournalctlDbusSessionLogs return a reader with the logs entries
+func getJournalctlDbusSessionLogs(file io.Reader, useFile bool) (io.Reader, error) {
+ var logs []SystemdLog
+ var stdout bytes.Buffer
+ var value string
+
+ if useFile {
+ content, err := ioutil.ReadAll(file)
+ if err != nil {
+ return nil, err
+ }
+ value = string(content)
+ } else {
+ cmd := exec.Command("journalctl", "--user", "-b", "-u", "dbus.service", "-o", "json")
+ cmd.Stdout = &stdout
+ if err := cmd.Run(); err != nil {
+ return nil, err
+ }
+ value = stdout.String()
+ }
+
+ value = strings.Replace(value, "\n", ",\n", -1)
+ value = strings.TrimSuffix(value, ",\n")
+ value = `[` + value + `]`
+ if err := json.Unmarshal([]byte(value), &logs); err != nil {
+ return nil, err
+ }
+ res := ""
+ for _, log := range logs {
+ res += log.Message + "\n"
+ }
+ return strings.NewReader(res), nil
+}
+
 // NewApparmorLogs return a new ApparmorLogs list of map from a log file
 func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
 log := ""
@@ -198,7 +242,7 @@ func (aaLogs AppArmorLogs) String() string {
 return res
 }
-func aaLog(path string, profile string) error {
+func aaLog(path string, profile string, dbus bool) error {
 file, err := os.Open(filepath.Clean(path))
 if err != nil {
 return err
@@ -210,21 +254,31 @@ func aaLog(path string, profile string) error {
 }
 }()
- aaLogs := NewApparmorLogs(file, profile)
- fmt.Print(aaLogs.String())
- return err
+ if dbus {
+ file, err := getJournalctlDbusSessionLogs(file, path != LogFile)
+ if err != nil {
+ return err
+ }
+ aaLogs := NewApparmorLogs(file, profile)
+ fmt.Print(aaLogs.String())
+ } else {
+ aaLogs := NewApparmorLogs(file, profile)
+ fmt.Print(aaLogs.String())
+ }
+ return nil
 }
 func init() {
 flag.BoolVar(&help, "h", false, "Show this help message and exit.")
 flag.StringVar(&path, "f", LogFile, "Set a log`file` or a suffix to the default log file.")
+ flag.BoolVar(&dbus, "d", false, "Show dbus session event.")
 }
 func main() {
 flag.Parse()
 if help {
- fmt.Printf(`aa-log [-h] [-f file] [profile]
+ fmt.Printf(`aa-log [-h] [-d] [-f file] [profile]
 Review AppArmor generated messages in a colorful way. It can be given an optional profile name to filter the output with.
@@ -244,7 +298,7 @@ func main() {
 logfile = path
 }
- err := aaLog(logfile, profile)
+ err := aaLog(logfile, profile, dbus)
 if err != nil {
 fmt.Println(err)
 os.Exit(1)
diff --git a/cmd/aa-log/main_test.go b/cmd/aa-log/main_test.go
index 2ddca15d2..c33c5f5a9 100644
--- a/cmd/aa-log/main_test.go
+++ b/cmd/aa-log/main_test.go
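Review bot: The two branches in aaLog duplicate the `NewApparmorLogs`/`fmt.Print` pair, and the dbus branch's `file, err :=` shadows the outer `file` (the one the deferred close releases) and `err`, so two different variables share each name inside the function. Choosing the reader once and parsing once removes the duplication and the shadowing. Note also that with `-d` and the default log path the audit log is still opened, and must exist, although its content is never read; if that is intended, the `path != LogFile` heuristic deserves a comment (the rest of aaLog and main() lie outside this hunk).
```go
	// … unchanged: os.Open and the deferred close …
	var reader io.Reader = file
	if dbus {
		// A non-default path is treated as a saved journal dump; otherwise
		// the entries are fetched from journalctl itself.
		reader, err = getJournalctlDbusSessionLogs(file, path != LogFile)
		if err != nil {
			return err
		}
	}
	aaLogs := NewApparmorLogs(reader, profile)
	fmt.Print(aaLogs.String())
	return nil
```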
@@ -93,6 +93,40 @@ func TestAppArmorEvents(t *testing.T) {
 },
 },
 },
+ {
+ name: "dbus system",
+ event: `type=USER_AVC msg=audit(1111111111.111:1111): pid=1780 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" mask="send" name="org.freedesktop.PolicyKit1" pid=1794 label="snapd" peer_pid=1790 peer_label="polkitd" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"`,
+ want: AppArmorLogs{
+ {
+ "apparmor": "ALLOWED",
+ "profile": "",
+ "label": "snapd",
+ "operation": "dbus_method_call",
+ "name": "org.freedesktop.PolicyKit1",
+ "mask": "send",
+ "bus": "system",
+ "path": "/org/freedesktop/PolicyKit1/Authority",
+ "interface": "org.freedesktop.PolicyKit1.Authority",
+ "member": "CheckAuthorization",
+ "peer_label": "polkitd",
+ },
+ },
+ },
+ {
+ name: "dbus session",
+ event: `apparmor="ALLOWED" operation="dbus_bind" bus="session" name="org.freedesktop.portal.Documents" mask="bind" pid=2174 label="xdg-document-portal"`,
+ want: AppArmorLogs{
+ {
+ "apparmor": "ALLOWED",
+ "profile": "",
+ "label": "xdg-document-portal",
+ "operation": "dbus_bind",
+ "name": "org.freedesktop.portal.Documents",
+ "mask": "bind",
+ "bus": "session",
+ },
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
@@ -153,6 +187,25 @@ func TestNewApparmorLogs(t *testing.T) {
 path: "../../tests/audit.log",
 want: refMan,
 },
+ {
+ name: "power-profiles-daemon",
+ path: "../../tests/audit.log",
+ want: AppArmorLogs{
+ {
+ "apparmor": "ALLOWED",
+ "profile": "",
+ "label": "power-profiles-daemon",
+ "operation": "dbus_method_call",
+ "name": "org.freedesktop.DBus",
+ "mask": "send",
+ "bus": "system",
+ "path": "/org/freedesktop/DBus",
+ "interface": "org.freedesktop.DBus",
+ "member": "AddMatch",
+ "peer_label": "dbus-daemon",
+ },
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
@@ -164,6 +217,51 @@ func TestNewApparmorLogs(t *testing.T) {
 }
 }
+func Test_getJournalctlDbusSessionLogs(t *testing.T) {
+ tests := []struct {
+ name string
+ path string
+ useFile bool
+ want AppArmorLogs
+ }{
+ {
+ name: "gsd-xsettings",
+ useFile: true,
+ path: "../../tests/systemd.log",
+ want: AppArmorLogs{
+ {
+ "apparmor": "ALLOWED",
+ "profile": "",
+ "label": "gsd-xsettings",
+ "operation": "dbus_method_call",
+ "name": ":1.88",
+ "mask": "receive",
+ "bus": "session",
+ "path": "/org/gtk/Settings",
+ "interface": "org.freedesktop.DBus.Properties",
+ "member": "GetAll",
+ "peer_label": "gnome-extension-ding",
+ },
+ },
+ },
+ // {
+ // name: "journalctl",
+ // useFile: false,
+ // path: "",
+ // want: AppArmorLogs{},
+ // },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ file, _ := os.Open(tt.path)
+ reader, _ := getJournalctlDbusSessionLogs(file, tt.useFile)
+ if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
+
 func TestAppArmorLogs_String(t *testing.T) {
 tests := []struct {
 name string
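Review bot: Test_getJournalctlDbusSessionLogs discards the errors from `os.Open(tt.path)` and `getJournalctlDbusSessionLogs(...)` (`file, _ :=`, `reader, _ :=`), so a missing fixture or a JSON parse failure surfaces only as a confusing `NewApparmorLogs() = [] , want …` mismatch or a nil-reader panic, and the opened file is never closed. Fail fast on both errors and close the file. The commented-out `journalctl` case is dead code; either drop it or make it a `t.Skip` when `journalctl` is not on PATH.
```go
		t.Run(tt.name, func(t *testing.T) {
			file, err := os.Open(tt.path)
			if err != nil {
				t.Fatalf("os.Open(%q) error = %v", tt.path, err)
			}
			defer file.Close()
			reader, err := getJournalctlDbusSessionLogs(file, tt.useFile)
			if err != nil {
				t.Fatalf("getJournalctlDbusSessionLogs() error = %v", err)
			}
			// … unchanged: NewApparmorLogs comparison …
		})
```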
@@ -180,6 +278,25 @@ func TestAppArmorLogs_String(t *testing.T) {
 aaLogs: refMan,
 want: "\033[1;32mALLOWED\033[0m \033[34mman\033[0m \033[33mexec\033[0m \033[35m/usr/bin/preconv\033[0m info=\"no new privs\" comm=man requested_mask=\033[1;31mx\033[0m denied_mask=\033[1;31mx\033[0m error=-1\n",
 },
+ {
+ name: "power-profiles-daemon",
+ aaLogs: AppArmorLogs{
+ {
+ "apparmor": "ALLOWED",
+ "profile": "",
+ "label": "power-profiles-daemon",
+ "operation": "dbus_method_call",
+ "name": "org.freedesktop.DBus",
+ "mask": "send",
+ "bus": "system",
+ "path": "/org/freedesktop/DBus",
+ "interface": "org.freedesktop.DBus",
+ "member": "AddMatch",
+ "peer_label": "dbus-daemon",
+ },
+ },
+ want: "\033[1;32mALLOWED\033[0m \033[34mpower-profiles-daemon\033[0m \033[33mdbus_method_call\033[0m \033[35morg.freedesktop.DBus\033[0m \033[1;31msend\033[0m \033[36mbus=system\033[0m path=\033[37m/org/freedesktop/DBus\033[0m interface=\033[37morg.freedesktop.DBus\033[0m member=\033[32mAddMatch\033[0m peer_label=dbus-daemon\n",
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
@@ -195,24 +312,34 @@ func Test_app(t *testing.T) {
 name string
 path string
 profile string
+ dbus bool
 wantErr bool
 }{
 {
- name: "OK",
+ name: "Test audit.log",
 path: "../../tests/audit.log",
 profile: "",
+ dbus: false,
+ wantErr: false,
+ },
+ {
+ name: "Test Dbus Session",
+ path: "../../tests/systemd.log",
+ profile: "",
+ dbus: true,
 wantErr: false,
 },
 {
 name: "No logfile",
 path: "../../tests/log",
 profile: "",
+ dbus: false,
 wantErr: true,
 },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- if err := aaLog(tt.path, tt.profile); (err != nil) != tt.wantErr {
+ if err := aaLog(tt.path, tt.profile, tt.dbus); (err != nil) != tt.wantErr {
 t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr)
 }
 })
diff --git a/tests/audit.log b/tests/audit.log
index 4f05b1cb8..1d236b7e6 100644
--- a/tests/audit.log
+++ b/tests/audit.log
@@ -26,3 +26,9 @@ type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="open" pro
 type=AVC msg=audit(1111111111.111:1111): apparmor="DENIED" operation="open" profile="chrome-gnome-shell" name="/home/user/.netrc" pid=9119 comm="chrome-gnome-sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="user" OUID="user"
 type=BPF msg=audit(1111111111.111:1111): prog-id=26 op=LOAD
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="man" name="/usr/bin/preconv" pid=60755 comm="man" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="man_groff"FSUID="user" OUID="root"
+type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" name=":1.3" mask="receive" label="dbus-daemon" peer_pid=1667 peer_label="power-profiles-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
+type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=666F6F20626172 name="/home/foo/.bash_history" pid=17011 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000
+type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" mask="send" name="org.freedesktop.DBus" pid=1667 label="power-profiles-daemon" peer_label="dbus-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
+type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 ses=4294967295 subj=? 
msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" name=":1.4" mask="receive" label="dbus-daemon" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
+type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="bind" profile="gnome-shell" pid=2027 comm="gnome-shell" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/.X11-unix/X1"
+type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="file_perm" profile="gnome-session-binary" pid=1995 comm="gnome-session-b" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr="@/tmp/.ICE-unix/1995" peer_addr=none peer="gnome-shell"
diff --git a/tests/systemd.log b/tests/systemd.log
new file mode 100644
index 000000000..7d2efccf7
--- /dev/null
+++ b/tests/systemd.log
@@ -0,0 +1,12 @@
+{"_EXE":"/usr/bin/dbus-daemon","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_IDENTIFIER":"dbus-daemon","__REALTIME_TIMESTAMP":"1660508874368560","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","SYSLOG_FACILITY":"1","_SOURCE_REALTIME_TIMESTAMP":"1660508874363660","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_TIMESTAMP":"Aug 14 21:27:54 ","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/systemd1/unit/dev_2dloop10_2edevice\" interface=\"org.freedesktop.DBus.Introspectable\" member=\"Introspect\" mask=\"send\" name=\":1.1\" pid=2336 label=\"gnome-shell\" peer_pid=1969 peer_label=\"unconfined\"","_TRANSPORT":"syslog","SYSLOG_PID":"2134","_SYSTEMD_UNIT":"user@1000.service","_COMM":"dbus-daemon","__MONOTONIC_TIMESTAMP":"4450642","_SYSTEMD_OWNER_UID":"1000","_SYSTEMD_USER_UNIT":"dbus.service","_UID":"1000","_PID":"2134","PRIORITY":"5","_GID":"1000","_HOSTNAME":"ubuntu","_SYSTEMD_SLICE":"user-1000.slice","_AUDIT_LOGINUID":"1000","SYSLOG_RAW":"<13>Aug 14 21:27:54 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/systemd1/unit/dev_2dloop10_2edevice\" interface=\"org.freedesktop.DBus.Introspectable\" member=\"Introspect\" mask=\"send\" name=\":1.1\" pid=2336 label=\"gnome-shell\" peer_pid=1969 peer_label=\"unconfined\"\n","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_AUDIT_SESSION":"2","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=5fb1;b=b08dfa6083e7567a1921a715000001fb;m=43e952;t=5e639599a6630;x=83188ca2cb9a0a03","_SYSTEMD_USER_SLICE":"app.slice","_CAP_EFFECTIVE":"0"}
+{"_PID":"2134","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/systemd1/unit/gnome_2dsession_2dwayland_40ubuntu_2etarget\" interface=\"org.freedesktop.DBus.Introspectable\" member=\"Introspect\" mask=\"send\" name=\":1.1\" pid=2336 label=\"gnome-shell\" peer_pid=1969 peer_label=\"unconfined\"","SYSLOG_IDENTIFIER":"dbus-daemon","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=5fb2;b=b08dfa6083e7567a1921a715000001fb;m=43e98d;t=5e639599a666b;x=c9cd50322836b032","SYSLOG_PID":"2134","_SYSTEMD_USER_SLICE":"app.slice","_SYSTEMD_UNIT":"user@1000.service","_AUDIT_LOGINUID":"1000","__MONOTONIC_TIMESTAMP":"4450701","__REALTIME_TIMESTAMP":"1660508874368619","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_TIMESTAMP":"Aug 14 21:27:54 ","SYSLOG_RAW":"<13>Aug 14 21:27:54 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/systemd1/unit/gnome_2dsession_2dwayland_40ubuntu_2etarget\" interface=\"org.freedesktop.DBus.Introspectable\" member=\"Introspect\" mask=\"send\" name=\":1.1\" pid=2336 label=\"gnome-shell\" peer_pid=1969 peer_label=\"unconfined\"\n","PRIORITY":"5","SYSLOG_FACILITY":"1","_TRANSPORT":"syslog","_CAP_EFFECTIVE":"0","_GID":"1000","_SOURCE_REALTIME_TIMESTAMP":"1660508874363712","_EXE":"/usr/bin/dbus-daemon","_UID":"1000","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_SYSTEMD_SLICE":"user-1000.slice","_HOSTNAME":"ubuntu","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_AUDIT_SESSION":"2","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_SYSTEMD_OWNER_UID":"1000","_SYSTEMD_USER_UNIT":"dbus.service","_COMM":"dbus-daemon"}
+{"_SYSTEMD_USER_SLICE":"app.slice","_CAP_EFFECTIVE":"0","__MONOTONIC_TIMESTAMP":"15127876","SYSLOG_IDENTIFIER":"dbus-daemon","_SYSTEMD_OWNER_UID":"1000","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","SYSLOG_RAW":"<13>Aug 14 21:28:05 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"RemoveMatch\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2786 label=\"nautilus\" peer_label=\"dbus-daemon\"\n","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=65a6;b=b08dfa6083e7567a1921a715000001fb;m=e6d544;t=5e6395a3d5222;x=bb43e5245930ae54","_PID":"2134","__REALTIME_TIMESTAMP":"1660508885045794","_HOSTNAME":"ubuntu","SYSLOG_PID":"2134","SYSLOG_FACILITY":"1","_SYSTEMD_USER_UNIT":"dbus.service","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_TRANSPORT":"syslog","SYSLOG_TIMESTAMP":"Aug 14 21:28:05 ","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_COMM":"dbus-daemon","_AUDIT_LOGINUID":"1000","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_SYSTEMD_SLICE":"user-1000.slice","_SOURCE_REALTIME_TIMESTAMP":"1660508885045724","_UID":"1000","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_GID":"1000","_SYSTEMD_UNIT":"user@1000.service","_EXE":"/usr/bin/dbus-daemon","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"RemoveMatch\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2786 label=\"nautilus\" peer_label=\"dbus-daemon\"","PRIORITY":"5","_AUDIT_SESSION":"2"}
+{"_SOURCE_REALTIME_TIMESTAMP":"1660508875210386","_TRANSPORT":"syslog","_SYSTEMD_USER_UNIT":"dbus.service","SYSLOG_PID":"2134","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","SYSLOG_IDENTIFIER":"dbus-daemon","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=6467;b=b08dfa6083e7567a1921a715000001fb;m=50c1d8;t=5e63959a73eb6;x=3e2f0ec03be78562","PRIORITY":"5","__REALTIME_TIMESTAMP":"1660508875210422","_EXE":"/usr/bin/dbus-daemon","_SYSTEMD_OWNER_UID":"1000","_SYSTEMD_USER_SLICE":"app.slice","SYSLOG_RAW":"<13>Aug 14 21:27:55 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gnome/Nautilus\" interface=\"org.gtk.Actions\" member=\"DescribeAll\" name=\":1.98\" mask=\"receive\" pid=2786 label=\"nautilus\" peer_pid=3211 peer_label=\"nautilus\"\n","_GID":"1000","_HOSTNAME":"ubuntu","_AUDIT_SESSION":"2","_CAP_EFFECTIVE":"0","_SYSTEMD_SLICE":"user-1000.slice","__MONOTONIC_TIMESTAMP":"5292504","SYSLOG_TIMESTAMP":"Aug 14 21:27:55 ","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gnome/Nautilus\" interface=\"org.gtk.Actions\" member=\"DescribeAll\" name=\":1.98\" mask=\"receive\" pid=2786 label=\"nautilus\" peer_pid=3211 peer_label=\"nautilus\"","_UID":"1000","SYSLOG_FACILITY":"1","_SYSTEMD_UNIT":"user@1000.service","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_PID":"2134","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_COMM":"dbus-daemon","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_AUDIT_LOGINUID":"1000"}
+{"_CAP_EFFECTIVE":"0","_AUDIT_SESSION":"2","__REALTIME_TIMESTAMP":"1660508875210574","_SYSTEMD_USER_SLICE":"app.slice","_AUDIT_LOGINUID":"1000","SYSLOG_RAW":"<13>Aug 14 21:27:55 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gtk/Settings\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.84\" pid=3024 label=\"gnome-extension-ding\" peer_pid=2999 peer_label=\"gsd-xsettings\"\n","_GID":"1000","PRIORITY":"5","_SOURCE_REALTIME_TIMESTAMP":"1660508875210536","SYSLOG_IDENTIFIER":"dbus-daemon","SYSLOG_PID":"2134","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_TIMESTAMP":"Aug 14 21:27:55 ","_COMM":"dbus-daemon","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_SYSTEMD_UNIT":"user@1000.service","_TRANSPORT":"syslog","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_FACILITY":"1","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gtk/Settings\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.84\" pid=3024 label=\"gnome-extension-ding\" peer_pid=2999 peer_label=\"gsd-xsettings\"","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=6468;b=b08dfa6083e7567a1921a715000001fb;m=50c270;t=5e63959a73f4e;x=893876022610c36e","_SYSTEMD_OWNER_UID":"1000","__MONOTONIC_TIMESTAMP":"5292656","_SYSTEMD_USER_UNIT":"dbus.service","_PID":"2134","_EXE":"/usr/bin/dbus-daemon","_HOSTNAME":"ubuntu","_UID":"1000","_SYSTEMD_SLICE":"user-1000.slice","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service"}
+{"_COMM":"dbus-daemon","SYSLOG_PID":"2134","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","__REALTIME_TIMESTAMP":"1660508875210632","SYSLOG_FACILITY":"1","_EXE":"/usr/bin/dbus-daemon","SYSLOG_IDENTIFIER":"dbus-daemon","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gtk/Settings\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" name=\":1.88\" mask=\"receive\" pid=2999 label=\"gsd-xsettings\" peer_pid=3024 peer_label=\"gnome-extension-ding\"","_UID":"1000","__MONOTONIC_TIMESTAMP":"5292714","_TRANSPORT":"syslog","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_TIMESTAMP":"Aug 14 21:27:55 ","_PID":"2134","PRIORITY":"5","SYSLOG_RAW":"<13>Aug 14 21:27:55 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gtk/Settings\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" name=\":1.88\" mask=\"receive\" pid=2999 label=\"gsd-xsettings\" peer_pid=3024 peer_label=\"gnome-extension-ding\"\n","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_SYSTEMD_OWNER_UID":"1000","_GID":"1000","_SYSTEMD_UNIT":"user@1000.service","_SYSTEMD_USER_UNIT":"dbus.service","_AUDIT_LOGINUID":"1000","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=6469;b=b08dfa6083e7567a1921a715000001fb;m=50c2aa;t=5e63959a73f88;x=5c93993eebd934c","_SYSTEMD_SLICE":"user-1000.slice","_SYSTEMD_USER_SLICE":"app.slice","_AUDIT_SESSION":"2","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_HOSTNAME":"ubuntu","_CAP_EFFECTIVE":"0","_SOURCE_REALTIME_TIMESTAMP":"1660508875210544"}
+{"_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_UID":"1000","_AUDIT_SESSION":"2","_SOURCE_REALTIME_TIMESTAMP":"1660508873116974","SYSLOG_IDENTIFIER":"dbus-daemon","_COMM":"dbus-daemon","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"UpdateActivationEnvironment\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2175 label=\"gnome-session-binary\" peer_label=\"dbus-daemon\"\n","_SYSTEMD_USER_UNIT":"dbus.service","_HOSTNAME":"ubuntu","_CAP_EFFECTIVE":"0","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_AUDIT_LOGINUID":"1000","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_TRANSPORT":"syslog","__REALTIME_TIMESTAMP":"1660508873116986","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","__MONOTONIC_TIMESTAMP":"3199068","_PID":"2134","_SYSTEMD_OWNER_UID":"1000","_SYSTEMD_USER_SLICE":"app.slice","SYSLOG_PID":"2134","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=559d;b=b08dfa6083e7567a1921a715000001fb;m=30d05c;t=5e63959874d3a;x=b24fce16294858e3","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_EXE":"/usr/bin/dbus-daemon","_SYSTEMD_UNIT":"user@1000.service","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 ","_SYSTEMD_SLICE":"user-1000.slice","SYSLOG_FACILITY":"1","_GID":"1000","PRIORITY":"5","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"UpdateActivationEnvironment\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2175 label=\"gnome-session-binary\" peer_label=\"dbus-daemon\""}
+{"_AUDIT_SESSION":"2","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/systemd1\" interface=\"org.freedesktop.systemd1.Manager\" member=\"SetEnvironment\" mask=\"send\" name=\"org.freedesktop.systemd1\" pid=2289 label=\"gnome-session-binary\" peer_pid=1969 peer_label=\"unconfined\"","_PID":"2134","_GID":"1000","_TRANSPORT":"syslog","_CAP_EFFECTIVE":"0","_SYSTEMD_SLICE":"user-1000.slice","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 ","SYSLOG_FACILITY":"1","_SYSTEMD_UNIT":"user@1000.service","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_SYSTEMD_USER_UNIT":"dbus.service","_AUDIT_LOGINUID":"1000","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","__REALTIME_TIMESTAMP":"1660508873179343","SYSLOG_PID":"2134","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=55dd;b=b08dfa6083e7567a1921a715000001fb;m=31c3f1;t=5e639598840cf;x=669640969915bdb7","_SOURCE_REALTIME_TIMESTAMP":"1660508873179332","_EXE":"/usr/bin/dbus-daemon","_SYSTEMD_OWNER_UID":"1000","PRIORITY":"5","_HOSTNAME":"ubuntu","_SYSTEMD_USER_SLICE":"app.slice","_COMM":"dbus-daemon","_UID":"1000","__MONOTONIC_TIMESTAMP":"3261425","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/systemd1\" interface=\"org.freedesktop.systemd1.Manager\" member=\"SetEnvironment\" mask=\"send\" name=\"org.freedesktop.systemd1\" pid=2289 label=\"gnome-session-binary\" peer_pid=1969 peer_label=\"unconfined\"\n","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_IDENTIFIER":"dbus-daemon"}
+{"_SYSTEMD_SLICE":"user-1000.slice","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/a11y/bus\" interface=\"org.a11y.Bus\" member=\"GetAddress\" mask=\"send\" name=\"org.a11y.Bus\" pid=2807 label=\"at-spi2-registryd\" peer_pid=2321 peer_label=\"at-spi-bus-launcher\"\n","_SYSTEMD_OWNER_UID":"1000","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_GID":"1000","_SYSTEMD_USER_UNIT":"dbus.service","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=58c7;b=b08dfa6083e7567a1921a715000001fb;m=3d1a91;t=5e6395993976f;x=7672612d85202a41","SYSLOG_FACILITY":"1","_COMM":"dbus-daemon","__MONOTONIC_TIMESTAMP":"4004497","_CAP_EFFECTIVE":"0","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_TRANSPORT":"syslog","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_HOSTNAME":"ubuntu","_AUDIT_LOGINUID":"1000","_UID":"1000","_SYSTEMD_UNIT":"user@1000.service","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/a11y/bus\" interface=\"org.a11y.Bus\" member=\"GetAddress\" mask=\"send\" name=\"org.a11y.Bus\" pid=2807 label=\"at-spi2-registryd\" peer_pid=2321 peer_label=\"at-spi-bus-launcher\"","_SOURCE_REALTIME_TIMESTAMP":"1660508873922402","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","__REALTIME_TIMESTAMP":"1660508873922415","PRIORITY":"5","SYSLOG_PID":"2134","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_AUDIT_SESSION":"2","_SYSTEMD_USER_SLICE":"app.slice","_EXE":"/usr/bin/dbus-daemon","_PID":"2134","SYSLOG_IDENTIFIER":"dbus-daemon","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 "}
+{"_SYSTEMD_UNIT":"user@1000.service","_SYSTEMD_USER_UNIT":"dbus.service","_EXE":"/usr/bin/dbus-daemon","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","SYSLOG_FACILITY":"1","SYSLOG_IDENTIFIER":"dbus-daemon","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_SYSTEMD_SLICE":"user-1000.slice","_PID":"2134","_GID":"1000","_TRANSPORT":"syslog","_AUDIT_SESSION":"2","_COMM":"dbus-daemon","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gnome/SessionManager\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.29\" pid=2807 label=\"at-spi2-registryd\" peer_pid=2289 peer_label=\"gnome-session-binary\"\n","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 ","__REALTIME_TIMESTAMP":"1660508873925953","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=58dc;b=b08dfa6083e7567a1921a715000001fb;m=3d2863;t=5e6395993a541;x=40d5952488f76012","_HOSTNAME":"ubuntu","PRIORITY":"5","_SYSTEMD_OWNER_UID":"1000","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gnome/SessionManager\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.29\" pid=2807 label=\"at-spi2-registryd\" peer_pid=2289 peer_label=\"gnome-session-binary\"","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_SOURCE_REALTIME_TIMESTAMP":"1660508873925692","_CAP_EFFECTIVE":"0","_SYSTEMD_USER_SLICE":"app.slice","__MONOTONIC_TIMESTAMP":"4008035","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","SYSLOG_PID":"2134","_AUDIT_LOGINUID":"1000","_UID":"1000"}
+{"_PID":"2134","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"RequestName\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2808 label=\"gjs-console\" peer_label=\"dbus-daemon\"","_EXE":"/usr/bin/dbus-daemon","_CAP_EFFECTIVE":"0","_TRANSPORT":"syslog","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","__MONOTONIC_TIMESTAMP":"4075041","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 ","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_SYSTEMD_USER_SLICE":"app.slice","SYSLOG_FACILITY":"1","SYSLOG_PID":"2134","_SYSTEMD_UNIT":"user@1000.service","_SYSTEMD_SLICE":"user-1000.slice","_AUDIT_LOGINUID":"1000","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_AUDIT_SESSION":"2","_SYSTEMD_USER_UNIT":"dbus.service","SYSLOG_IDENTIFIER":"dbus-daemon","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=59fa;b=b08dfa6083e7567a1921a715000001fb;m=3e2e21;t=5e6395994aaff;x=7943c0d544e18263","PRIORITY":"5","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"RequestName\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2808 label=\"gjs-console\" peer_label=\"dbus-daemon\"\n","_SOURCE_REALTIME_TIMESTAMP":"1660508873992950","_GID":"1000","_HOSTNAME":"ubuntu","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","__REALTIME_TIMESTAMP":"1660508873992959","_UID":"1000","_SYSTEMD_OWNER_UID":"1000","_COMM":"dbus-daemon","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0"}
+{"_SYSTEMD_USER_SLICE":"app.slice","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/Notifications\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.37\" pid=2808 label=\"gjs-console\" peer_pid=2336 peer_label=\"gnome-shell\"\n","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_SYSTEMD_UNIT":"user@1000.service","_PID":"2134","_TRANSPORT":"syslog","_SYSTEMD_SLICE":"user-1000.slice","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=5a22;b=b08dfa6083e7567a1921a715000001fb;m=3e3cf0;t=5e6395994b9ce;x=530c8e8f82a22c96","_CAP_EFFECTIVE":"0","SYSLOG_FACILITY":"1","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_SOURCE_REALTIME_TIMESTAMP":"1660508873996745","_AUDIT_LOGINUID":"1000","SYSLOG_PID":"2134","_UID":"1000","__MONOTONIC_TIMESTAMP":"4078832","__REALTIME_TIMESTAMP":"1660508873996750","_GID":"1000","_SYSTEMD_USER_UNIT":"dbus.service","SYSLOG_IDENTIFIER":"dbus-daemon","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","PRIORITY":"5","_HOSTNAME":"ubuntu","_SYSTEMD_OWNER_UID":"1000","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_COMM":"dbus-daemon","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 ","_EXE":"/usr/bin/dbus-daemon","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/Notifications\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.37\" pid=2808 label=\"gjs-console\" peer_pid=2336 peer_label=\"gnome-shell\"","_AUDIT_SESSION":"2"}
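Review bot: The twelve records in tests/systemd.log are not in journal order — the third entry has `__REALTIME_TIMESTAMP` 1660508885045794 (21:28:05) while the entries after it are from 21:27:55 and 21:27:53 — which is not what `journalctl -o json` emits, so the file was either reassembled by hand or is meant to exercise out-of-order input; whichever it is, the test that loads it should say so, e.g. `// systemd.log: journalctl -o json records, deliberately not in time order`. Every record also carries the AppArmor message twice (`MESSAGE` and `SYSLOG_RAW`) plus some thirty journal fields; if the parser only reads `MESSAGE` (not visible here), a fixture trimmed to the fields actually consumed would make the expected behaviour reviewable at a glance. Note as well that the AppArmor label shows up in `_SELINUX_CONTEXT` as `dbus-daemon (complain)`, which is worth a comment in the test if that field is ever used to identify the profile.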