diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index c5735569f..14d9f17ea 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@@ -1,45 +1,53 @@ -# vim:syntax=apparmor +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only - include - include - include + abi , + + ##include + ##include # TODO: adjust when support finer-grained netlink rules - network netlink raw, + #network netlink raw, - /etc/udev/udev.conf r, - /etc/wildmidi/wildmidi.cfg r, + #/etc/udev/udev.conf r, + #/etc/wildmidi/wildmidi.cfg r, /dev/ r, /dev/bus/usb/ r, /dev/dri/ r, # /dev/shm is a symlink to /run/shm on ubuntu - owner /{dev,run}/shm/shmfd-* rw, + #owner /{dev,run}/shm/shmfd-* rw, - /run/udev/data/c* r, - /run/udev/data/+pci:* r, - /run/udev/data/+usb* r, + # + @{run}/udev/data/c81:* r, # For video4linux + @{run}/udev/data/c226:* r, # For /dev/dri/card[0-9]* + @{run}/udev/data/+drm:* r, # For screen outputs + #@{run}/udev/data/+pci:* r, + @{run}/udev/data/+usb:* r, - /sys/bus/ r, - /sys/bus/usb/devices/ r, - /sys/class/ r, - /sys/class/drm/ r, - /sys/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r, - /sys/devices/system/node/ r, - /sys/devices/system/node/*/meminfo r, + @{sys}/bus/ r, + @{sys}/bus/usb/devices/ r, + @{sys}/class/ r, + @{sys}/class/drm/ r, + @{sys}/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, - owner /tmp/orcexec.* mrw, - owner /{,var/}run/user/[0-9]*/orcexec.* mrw, - # needed if /tmp is mounted noexec: - owner @{HOME}/orcexec.* mr, + # The orcexec.* file is JIT compiled code for various GStreamer elements. + # If one is blocked the next is used instead. + # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec + # flag. 
+ owner @{run}/user/[0-9]*/orcexec.* mrw, + #owner /tmp/orcexec.* mrw, + #owner @{HOME}/orcexec.* mrw, - /usr/lib/frei0r-[0-9]/*.so m, - # /usr/lib/@{multiarch}/dri/** mr, - /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix, - /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr, - /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m, + /{usr/,}lib/frei0r-[0-9]/*.so mr, + /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix, + /{usr/,}lib/@{multiarch}/libproxy/*/modules/*.so mr, + /{usr/,}lib/@{multiarch}/libproxy/*/pxgsettings ixr, + /{usr/,}lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr, - owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/ rw, - owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin rw, - owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw, + owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw, + owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, diff --git a/apparmor.d/abstractions/trash b/apparmor.d/abstractions/trash index 4ab3dbb18..9c7be1326 100644 --- a/apparmor.d/abstractions/trash +++ b/apparmor.d/abstractions/trash @@ -20,7 +20,10 @@ owner @{user_share_dirs}/Trash/files/{,**} rw, owner @{user_share_dirs}/Trash/info/ rw, owner @{user_share_dirs}/Trash/info/*.trashinfo{,.*} rw, - owner @{user_share_dirs}/Trash/expunged/{,**} rw, + owner @{user_share_dirs}/Trash/expunged/ rw, + owner @{user_share_dirs}/Trash/expunged/[0-9]* rw, + owner @{user_share_dirs}/Trash/expunged/[0-9]*/ rw, + owner @{user_share_dirs}/Trash/expunged/[0-9]*/** rw, # Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir owner /{media,mnt}/*/.Trash/ rw, 
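Review bot: `# TODO: adjust when support finer-grained netlink rules` now sits above `#network netlink raw,`, so it annotates a rule this abstraction no longer grants, while gvfsd-mtp and jmtpfs in the same commit grant `network netlink raw` in their own profiles. Either drop the TODO or reword it to match what the file now does, e.g. `# netlink is granted per profile where needed; revisit once finer-grained netlink rules are supported`. Separately, `owner @{run}/user/[0-9]*/orcexec.* mrw,` is the one rule in this abstraction that lets the same file be written and mapped executable; the comment above it says what the file is, but a sentence stating that this is a deliberate W^X exception for the orcexec JIT, and that if the commented `/tmp` and `@{HOME}` locations are probed first the resulting denials are expected, would save the next auditor a detour.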
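Review bot: The four `expunged/` rules added here, and the parallel sets in the two `.Trash/[0-9]*/expunged/` and `.Trash-[0-9]*/expunged/` hunks that follow, spell out one alternative per line, while the file collapses such sets with braces two lines above (`info/*.trashinfo{,.*}`); `owner @{user_share_dirs}/Trash/expunged/{,[0-9]*,[0-9]*/,[0-9]*/**} rw,` says the same in one rule per location. This is stylistic only; the new rules are a tightening over the removed `expunged/{,**}` and read correctly as written.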
@@ -30,7 +33,10 @@ owner /{media,mnt}/*/.Trash/[0-9]*/files/{,**} rw, owner /{media,mnt}/*/.Trash/[0-9]*/info/ rw, owner /{media,mnt}/*/.Trash/[0-9]*/info/*.trashinfo{,.*} rw, - owner /{media,mnt}/*/.Trash/[0-9]*/expunged/{,**} rw, + owner /{media,mnt}/*/.Trash/[0-9]*/expunged/ rw, + owner /{media,mnt}/*/.Trash/[0-9]*/expunged/[0-9]* rw, + owner /{media,mnt}/*/.Trash/[0-9]*/expunged/[0-9]*/ rw, + owner /{media,mnt}/*/.Trash/[0-9]*/expunged/[0-9]*/** rw, # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir owner /{media,mnt}/*/.Trash-[0-9]*/ rw, @@ -39,4 +45,7 @@ owner /{media,mnt}/*/.Trash-[0-9]*/files/{,**} rw, owner /{media,mnt}/*/.Trash-[0-9]*/info/ rw, owner /{media,mnt}/*/.Trash-[0-9]*/info/*.trashinfo{,.*} rw, - owner /{media,mnt}/*/.Trash-[0-9]*/expunged/{,**} rw, + owner /{media,mnt}/*/.Trash-[0-9]*/expunged/ rw, + owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]* rw, + owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]*/ rw, + owner /{media,mnt}/*/.Trash-[0-9]*/expunged/[0-9]*/** rw, diff --git a/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng b/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng index f9f8b8d8e..041ecdafc 100644 --- a/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng +++ b/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng @@ -32,6 +32,10 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) { /usr/lib/apt-cacher-ng/acngtool ixr, + # Allow serving local documentation + /etc/mime.types r, + /usr/share/doc/apt-cacher-ng/html/** r, + # used by libevent @{PROC}/sys/kernel/random/uuid r, diff --git a/apparmor.d/groups/desktop/obexautofs b/apparmor.d/groups/desktop/obexautofs index f35623798..aec33a901 100644 --- a/apparmor.d/groups/desktop/obexautofs +++ b/apparmor.d/groups/desktop/obexautofs 
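Review bot: `/usr/share/doc/apt-cacher-ng/html/** r,` grants the files under `html/` but not the directory itself, so a directory open or stat on `html/` would still be denied; the pulseaudio hunk in this same commit switches `/usr/share/pulseaudio/** r,` to `{,**}` for exactly that reason. Unless the server never lists that directory, write it as `/usr/share/doc/apt-cacher-ng/html/{,**} r,`. The enclosing `profile apt-cacher-ng` block starts and ends outside the hunk.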
@@ -17,10 +17,13 @@ profile obexautofs @{exec_path} { @{exec_path} mr, - /usr/bin/fusermount{,3} rPx, + /{usr/,}bin/fusermount{,3} rCx -> fusermount, - owner @{HOME}/bluetooth/ r, - mount fstype=fuse.obexautofs -> @{HOME}/bluetooth/, + owner @{HOME}/*/ r, + owner @{HOME}/*/*/ r, + + mount fstype=fuse.obexautofs -> @{HOME}/*/, + mount fstype=fuse.obexautofs -> @{HOME}/*/*/, @{sys}/bus/ r, @{sys}/class/ r, @@ -31,10 +34,31 @@ profile obexautofs @{exec_path} { @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{uevent,busnum,devnum,speed,descriptors} r, @{run}/udev/data/+usb:* r, - @{run}/udev/data/c189:* r, + @{run}/udev/data/c189:* r, # for /dev/bus/usb/** /dev/bus/usb/ r, /dev/fuse rw, + + profile fusermount { + include + include + + # To mount anything: + capability sys_admin, + + /{usr/,}bin/fusermount{,3} mr, + + /etc/fuse.conf r, + + /dev/fuse rw, + + mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/, + mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/*/, + + @{PROC}/@{pid}/mounts r, + + } + include if exists } diff --git a/apparmor.d/groups/desktop/obexfs b/apparmor.d/groups/desktop/obexfs index c45cfdfc9..043c36eba 100644 --- a/apparmor.d/groups/desktop/obexfs +++ b/apparmor.d/groups/desktop/obexfs @@ -16,12 +16,38 @@ profile obexfs @{exec_path} { @{exec_path} mr, - /{usr/,}bin/fusermount{,3} rPx, + /{usr/,}bin/fusermount{,3} rCx -> fusermount, - owner @{HOME}/bluetooth/ r, - mount fstype=fuse.obexfs -> @{HOME}/bluetooth/, + owner @{HOME}/*/ r, + owner @{HOME}/*/*/ r, + + mount fstype=fuse.obexfs -> @{HOME}/*/, + mount fstype=fuse.obexfs -> @{HOME}/*/*/, /dev/fuse rw, + + profile fusermount { + include + include + + # To mount anything: + capability sys_admin, + + network bluetooth stream, + + /{usr/,}bin/fusermount{,3} mr, + + /etc/fuse.conf r, + + /dev/fuse rw, + + mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/, + mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/*/, + + @{PROC}/@{pid}/mounts r, + + } + include if exists } 
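Review bot: Replacing `mount fstype=fuse.obexautofs -> @{HOME}/bluetooth/` with `-> @{HOME}/*/` and `-> @{HOME}/*/*/` (and the same in obexfs) lets a FUSE filesystem be placed over any first- or second-level directory the user owns rather than the single directory the profile used to name; if the old mount point was merely too narrow, list the directories actually used, or at least record in a comment why the wildcard is needed. The new `profile fusermount` children in obexautofs and obexfs carry `mount` rules but no `umount` rule, whereas the gvfsd-fuse and appimage-beyond-all-reason children in this commit grant `umount` next to `mount`; if `fusermount -u` is how these filesystems are detached, its umount2() call will presumably be denied, and `umount @{HOME}/*/,` plus `umount @{HOME}/*/*/,` in the child would fix it. The same omission appears in the sshfs, archivemount, fuseiso and jmtpfs children.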
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 64d5ad273..1b5726139 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -16,8 +16,8 @@ profile gvfsd @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, # Don't strip env here. - /{usr/,}lib/gvfs/gvfsd-* rPx, - /usr/{lib,libexec}/gvfsd-* rPx, + /{usr/,}lib/gvfs/gvfsd-* rpx, + /usr/{lib,libexec}/gvfsd-* rpx, /usr/share/gvfs/{,**} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 11b577410..b9d4ef0c6 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -15,9 +15,15 @@ profile gvfsd-archive @{exec_path} { @{exec_path} mr, - owner /**.tar r, - owner /**.tar.gz r, - owner /**.zip r, + owner @{HOME}/**.{tar,tar.gz,zip} r, + owner /media/**.{TAR,TAR.GZ,ZIP} r, + owner @{HOME}/**.{tar,tar.gz,zip} r, + owner /media/**.{TAR,TAR.GZ,ZIP} r, + + owner @{HOME}/**.{iso,img,bin,mdf,nrg} r, + owner /media/*/**.{iso,img,bin,mdf,nrg} r, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} r, include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index b4883535d..5adfe8a38 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -13,13 +13,34 @@ profile gvfsd-fuse @{exec_path} { @{exec_path} mr, - /{usr/,}bin/fusermount{,3} rPx, + /{usr/,}bin/fusermount{,3} rCx -> fusermount, mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/, - @{PROC}/sys/fs/pipe-max-size r, - /dev/fuse rw, + + profile fusermount { + include + include + + # To mount anything: + capability sys_admin, + + capability dac_read_search, + + /{usr/,}bin/fusermount{,3} mr, + + mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/, + umount @{run}/user/[0-9]*/**/, + + /etc/fuse.conf r, + + /dev/fuse rw, + + @{PROC}/@{pid}/mounts r, + + } + include if exists } 
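Review bot: `# Don't strip env here.` records the decision to use `rpx` instead of `rPx` but not the reason, and the lowercase transition is the part of this hunk a reviewer will question, since it forwards the caller's environment unscrubbed to every `gvfsd-*` backend. Name what breaks when the environment is scrubbed, e.g. `# rpx, not rPx: the gvfsd-* backends need the session environment (name the variables here) and none of them is setuid`. The `profile gvfsd` block starts and ends outside the hunk.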
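Review bot: `owner @{HOME}/**.{tar,tar.gz,zip} r,` and `owner /media/**.{TAR,TAR.GZ,ZIP} r,` are each added twice, and the pattern of the image block below suggests the second pair was meant to be the missing case combinations: `owner @{HOME}/**.{TAR,TAR.GZ,ZIP} r,` and `owner /media/**.{tar,tar.gz,zip} r,`. As written, lower-case archives under `/media` and upper-case ones under `@{HOME}` are not readable at all. The archive rules also anchor at `/media/**` while the image rules use `/media/*/**`; pick one form so the two blocks stay in step.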
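Review bot: `umount @{run}/user/[0-9]*/**/` in the new `profile fusermount` child is far wider than the `mount ... -> @{run}/user/[0-9]*/gvfs/` it pairs with: it lets the child detach any mount under any user's runtime directory. Narrow it to `umount @{run}/user/[0-9]*/gvfs/,` unless gvfs is known to mount elsewhere in that tree. The hunk also removes `/dev/fuse rw,` (and `@{PROC}/sys/fs/pipe-max-size r,`) from the parent profile, leaving `/dev/fuse rw,` only in the child; every other parent in this commit that spawns a fusermount child keeps its own `/dev/fuse rw,`, and if gvfsd-fuse reads or writes the device descriptor fusermount hands back, AppArmor revalidates descriptors opened under another label, so those operations will likely be denied. `capability dac_read_search,` in the child has also lost the explanatory comment the standalone fusermount profile used to carry for it.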
diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 7840dffdd..c886bf6d9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -12,6 +12,7 @@ profile gvfsd-mtp @{exec_path} { include include include + include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 328dc6716..0c6f83828 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -17,5 +17,11 @@ profile gvfsd-network @{exec_path} { owner @{run}/user/[0-9]*/gvfsd/ rw, owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + include + owner @{run}/user/[0-9]*/dconf/ rw, + owner @{run}/user/[0-9]*/dconf/user rw, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 56565252f..a7b54d7ab 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -10,6 +10,7 @@ include @{exec_path} += /usr/{lib,libexec}/gvfsd-smb-browse profile gvfsd-smb-browse @{exec_path} { include + include network netlink raw, network inet stream, @@ -27,5 +28,7 @@ profile gvfsd-smb-browse @{exec_path} { /etc/samba/smb.conf r, + owner @{run}samba/ rw, + include if exists } diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 3b815c0ca..4ded53715 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs 
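Review bot: The context line `owner @{run}/user/[0-9]*/gvfsd/socket-[a-zA-z0-9]* rw,` (unchanged by this commit) closes the upper-case range with a lower-case `z`, so `A-z` also covers the punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_`, backtick); presumably `[a-zA-Z0-9]*` was intended and is worth fixing while the file is being touched. The added `owner @{run}/user/[0-9]*/dconf/ rw,` and `dconf/user rw,` pair is fine, and since the identical pair appears in czkawka-gui it is a candidate for a shared abstraction so later fixes land once.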
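Review bot: `owner @{run}samba/ rw,` has no `/` between the tunable and `samba/`, unlike every other `@{run}/...` rule in this commit; whether it expands to the intended directory depends on the tunable carrying a trailing slash, so write it as `owner @{run}/samba/ rw,` to match the rest. `owner` on that directory also deserves a second look: if the Samba daemons create it as root, the `owner` qualifier never matches for a user-session gvfsd-smb-browse and the rule is dead, which would explain a denial that persists after the path fix.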
@@ -13,14 +13,35 @@ profile sshfs @{exec_path} flags=(complain) { @{exec_path} mr, /{usr/,}bin/ssh rPx, - /{usr/,}bin/fusermount{,3} rPx, + /{usr/,}bin/fusermount{,3} rCx -> fusermount, /dev/fuse rw, mount fstype=fuse.sshfs -> @{HOME}/*/, mount fstype=fuse.sshfs -> @{HOME}/*/*/, - mount fstype=fuse.sshfs -> /media/*/, - mount fstype=fuse.sshfs -> /media/*/*/, + + @{PROC}/sys/fs/pipe-max-size r, + + + profile fusermount { + include + include + + # To mount anything: + capability sys_admin, + + /{usr/,}bin/fusermount{,3} mr, + + mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, + mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, + + /etc/fuse.conf r, + + /dev/fuse rw, + + @{PROC}/@{pid}/mounts r, + + } include if exists } diff --git a/apparmor.d/profiles-a-l/appimage-beyond-all-reason b/apparmor.d/profiles-a-l/appimage-beyond-all-reason index a7ef47b45..6fb935e30 100644 --- a/apparmor.d/profiles-a-l/appimage-beyond-all-reason +++ b/apparmor.d/profiles-a-l/appimage-beyond-all-reason @@ -47,7 +47,7 @@ profile appimage-beyond-all-reason @{exec_path} { /{usr/,}bin/x86_64-linux-gnu-addr2line rix, - /{usr/,}bin/fusermount{,3} rPx, + /{usr/,}bin/fusermount{,3} rCx -> fusermount, mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/, @@ -105,5 +105,31 @@ profile appimage-beyond-all-reason @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + + profile fusermount { + include + include + + # To mount anything: + capability sys_admin, + + capability dac_read_search, + + /{usr/,}bin/fusermount{,3} mr, + + mount fstype={fuse,fuse.*.AppImage} -> /tmp/.mount_*/, + umount /tmp/.mount_*/, + + /dev/fuse rw, + + /etc/fuse.conf r, + + owner @{HOME}/**.AppImage r, + owner /media/*/**.AppImage r, + + @{PROC}/@{pid}/mounts r, + + } + include if exists } diff --git a/apparmor.d/profiles-a-l/archivemount b/apparmor.d/profiles-a-l/archivemount new file mode 100644 index 000000000..072c36b30 --- /dev/null +++ b/apparmor.d/profiles-a-l/archivemount 
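Review bot: The new `profile fusermount` child mounts and unmounts on `/tmp/.mount_*/` while the parent profile, in the first hunk of this file, only allows `mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/`; the child is the one holding `capability sys_admin`, so it is the child that should carry the narrower target. Use `mount fstype={fuse,fuse.*.AppImage} -> /tmp/.mount_Beyond*/,` and `umount /tmp/.mount_Beyond*/,` unless other AppImages are meant to be mounted through this profile. `capability dac_read_search,` and the `owner @{HOME}/**.AppImage r,` / `owner /media/*/**.AppImage r,` reads are unexplained in the child; if the reads are for an inherited descriptor, mark them with the repository's `# file_inherit` comment as the psi and czkawka-gui profiles do.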
@@ -0,0 +1,57 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/archivemount
+profile archivemount @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/fusermount{,3} rCx -> fusermount,
+
+ /**.{tar,tar.gz,zip} r,
+ /**.{TAR,TAR.GZ,ZIP} r,
+ owner /**.{tar,tar.gz,zip} w,
+ owner /**.{TAR,TAR.GZ,ZIP} w,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/*/ r,
+ owner @{HOME}/*/*/ r,
+
+ mount fstype=fuse.archivemount -> @{HOME}/*/,
+ mount fstype=fuse.archivemount -> @{HOME}/*/*/,
+
+ /dev/fuse rw,
+
+
+ profile fusermount {
+ include
+ include
+
+ # To mount anything:
+ capability sys_admin,
+
+ /{usr/,}bin/fusermount{,3} mr,
+
+ mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/,
+ mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/,
+
+ /dev/fuse rw,
+
+ /etc/fuse.conf r,
+
+ owner @{HOME}/ r,
+ /**.{tar,tar.gz,zip} r,
+ /**.{TAR,TAR.GZ,ZIP} r,
+
+ @{PROC}/@{pid}/mounts r,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-l/aspell b/apparmor.d/profiles-a-l/aspell
new file mode 100644
index 000000000..77f085d28
--- /dev/null
+++ b/apparmor.d/profiles-a-l/aspell
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/aspell
+profile aspell @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/aspell/{,*} r,
+
+ /usr/lib/aspell/{,*} r,
+
+ /var/lib/aspell/{,*} r,
+ /var/lib/aspell/*.rws rw,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-l/aspell-autobuildhash b/apparmor.d/profiles-a-l/aspell-autobuildhash
new file mode 100644
index 000000000..c95ae2b7b
--- /dev/null
+++ b/apparmor.d/profiles-a-l/aspell-autobuildhash
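Review bot: The `profile fusermount` child repeats `/**.{tar,tar.gz,zip} r,` and `/**.{TAR,TAR.GZ,ZIP} r,` from the parent, but fusermount itself has no reason to open the archive; if these are for a descriptor inherited from archivemount, mark them `# file_inherit` as the psi and czkawka-gui profiles in this commit do, otherwise drop them. In the parent, the archive read rules have no `owner` qualifier, so any archive anywhere on the filesystem is readable while writes are limited to owned files; a comment saying that system-wide read is intended would make the asymmetry look deliberate rather than accidental. Like the other fusermount children added here, this one has `mount` rules but no `umount`.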
@@ -0,0 +1,74 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}sbin/aspell-autobuildhash
+profile aspell-autobuildhash @{exec_path} flags=(complain) {
+ include
+ include
+ include
+
+ @{exec_path} r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/precat rix,
+ /{usr/,}bin/zcat rix,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/prezip-bin rix,
+
+ /{usr/,}bin/dpkg-trigger rPx,
+ /{usr/,}bin/aspell rPx,
+
+ # Think what to do about this (#FIXME#)
+ /usr/share/debconf/frontend rPx,
+ #/usr/share/debconf/frontend rCx -> frontend,
+
+ /usr/share/aspell/{,*} r,
+
+ /usr/lib/aspell/{,*} r,
+ /usr/lib/aspell/*.rws rw,
+
+ /var/lib/aspell/ r,
+ /var/lib/aspell/* rw,
+
+
+ profile frontend {
+ include
+ include
+ include
+ include
+
+ /usr/share/debconf/frontend r,
+ /{usr/,}bin/perl r,
+
+ /{usr/,}sbin/aspell-autobuildhash rPx,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}bin/locale rix,
+
+ /etc/debconf.conf r,
+ owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
+
+ # The following is needed when debconf uses GUI frontends.
+ include
+ include
+ include
+ include
+ capability dac_read_search,
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/hostname rix,
+ owner @{PROC}/@{pid}/mounts r,
+ @{HOME}/.Xauthority r,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-l/borg b/apparmor.d/profiles-a-l/borg
index e5badbaf2..c2f75a565 100644
--- a/apparmor.d/profiles-a-l/borg
+++ b/apparmor.d/profiles-a-l/borg
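Review bot: The `profile frontend { ... }` child is unreachable: the only transition into it, `#/usr/share/debconf/frontend rCx -> frontend,`, is commented out, and `/usr/share/debconf/frontend rPx,` sends execution to the standalone `frontend` profile instead (which this commit also extends with `/{usr/,}sbin/aspell-autobuildhash rPx,`). Thirty-odd lines of policy that no task ever runs under will drift from the standalone profile, so either uncomment the `rCx` line and remove the `rPx` one, or drop the child and make the `# Think what to do about this (#FIXME#)` comment point at the standalone profile. If the child stays, `@{HOME}/.Xauthority r,` inside it should take the `owner` qualifier like every other home-directory rule in the file.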
@@ -33,11 +33,12 @@ profile borg @{exec_path} { /{usr/,}bin/{,@{multiarch}-}ld.bfd rix, /{usr/,}bin/ccache rCx -> ccache, - - /usr/bin/fusermount{,3} rPx, + /usr/bin/fusermount{,3} rCx -> fusermount, mount fstype=fuse -> /media/*/, + mount fstype=fuse -> /media/*/*/, umount /media/*/, + umount /media/*/*/, /dev/fuse rw, @@ -91,5 +92,19 @@ profile borg @{exec_path} { } + profile fusermount { + include + include + + # To mount anything: + capability sys_admin, + + /{usr/,}bin/fusermount{,3} mr, + + umount /media/*/, + umount /media/*/*/, + + } + include if exists } diff --git a/apparmor.d/profiles-a-l/cawbird b/apparmor.d/profiles-a-l/cawbird index cc2eb415b..b97edb54d 100644 --- a/apparmor.d/profiles-a-l/cawbird +++ b/apparmor.d/profiles-a-l/cawbird @@ -17,6 +17,7 @@ profile cawbird @{exec_path} { include include include + include include @{exec_path} mr, @@ -26,17 +27,12 @@ profile cawbird @{exec_path} { /{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/exo-open rCx -> open, - /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPx, - owner @{user_config_dirs}/cawbird/ rw, owner @{user_config_dirs}/cawbird/** rwk, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/cawbird-* rw, - owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, - owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, @@ -49,18 +45,6 @@ profile cawbird @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node0/meminfo r, - - # The orcexec.* file is JIT compiled code for various GStreamer elements. - # If one is blocked the next is used instead. - owner @{run}/user/[0-9]*/orcexec.* mrw, - #owner @{HOME}/orcexec.* mrw, - #owner /tmp/orcexec.* mrw, - - /dev/ r, - /dev/dri/ r, - owner @{PROC}/@{pid}/fd/ r, 
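Review bot: The borg `profile fusermount` child differs from every other fusermount child in this commit: the parent transitions via `/usr/bin/fusermount{,3} rCx -> fusermount,` while the child grants `/{usr/,}bin/fusermount{,3} mr,`, and the child has `umount /media/*/` rules under a `# To mount anything:` comment but no `mount` rule, no `/dev/fuse rw,`, no `/etc/fuse.conf r,` and no `@{PROC}/@{pid}/mounts r,`. If borg mounts through libfuse like the others, fusermount will need the mount side as well; if borg really only uses it to unmount, a comment saying so would stop the next reader from "fixing" it. At minimum align the exec path with the child and the rest of the repository, `/{usr/,}bin/fusermount{,3} rCx -> fusermount,`.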
diff --git a/apparmor.d/profiles-a-l/czkawka-cli b/apparmor.d/profiles-a-l/czkawka-cli
new file mode 100644
index 000000000..0fa8b1f77
--- /dev/null
+++ b/apparmor.d/profiles-a-l/czkawka-cli
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/czkawka_cli
+profile czkawka-cli @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ # Dirs to scan for duplicates
+ #owner @{HOME}/** rw,
+ owner /media/** rw,
+
+ owner @{user_config_dirs}/czkawka/ rw,
+ owner @{user_config_dirs}/czkawka/** rw,
+
+ owner @{user_cache_dirs}/ rw,
+ owner @{user_cache_dirs}/czkawka/ rw,
+ owner @{user_cache_dirs}/czkawka/** rw,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ @{sys}/fs/cgroup/{,**} r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-l/czkawka-gui b/apparmor.d/profiles-a-l/czkawka-gui
new file mode 100644
index 000000000..327f0a672
--- /dev/null
+++ b/apparmor.d/profiles-a-l/czkawka-gui
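Review bot: `# Dirs to scan for duplicates` is followed by `#owner @{HOME}/** rw,` commented out and `owner /media/** rw,` active, so a user who points the tool at their home directory gets denials with nothing in the profile saying this is by design, and nothing says why write access is granted on the scanned tree at all. State both in the comment, e.g. `# Dirs to scan for duplicates; write access is needed because <say what is written or deleted>. @{HOME} is deliberately left out — uncomment to allow scanning it`. The same pair of rules and comment is repeated in czkawka-gui, so whatever wording is chosen should land in both.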
@@ -0,0 +1,73 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/czkawka_gui
+profile czkawka-gui @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/xdg-open rCx -> open,
+
+ # Dirs to scan for duplicates
+ #owner @{HOME}/** rw,
+ owner /media/** rw,
+
+ owner @{user_config_dirs}/czkawka/ rw,
+ owner @{user_config_dirs}/czkawka/** rw,
+
+ owner @{user_cache_dirs}/ rw,
+ owner @{user_cache_dirs}/czkawka/ rw,
+ owner @{user_cache_dirs}/czkawka/** rw,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ @{sys}/fs/cgroup/{,**} r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include
+ owner @{run}/user/[0-9]*/dconf/ rw,
+ owner @{run}/user/[0-9]*/dconf/user rw,
+
+
+ profile open {
+ include
+ include
+
+ /{usr/,}bin/xdg-open mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/basename rix,
+
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
+ # Allowed apps to open
+ #/{usr/,}lib/firefox/firefox rPx,
+ /{usr/,}bin/smplayer rPx,
+ /{usr/,}bin/geany rPx,
+ /{usr/,}bin/viewnior rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-l/exo-open b/apparmor.d/profiles-a-l/exo-open
index f1436b960..19192c2c4 100644
--- a/apparmor.d/profiles-a-l/exo-open
+++ b/apparmor.d/profiles-a-l/exo-open
@@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/exo-open profile exo-open @{exec_path} { include + include include include include
diff --git a/apparmor.d/profiles-a-l/font-manager b/apparmor.d/profiles-a-l/font-manager
index 61192e96b..d9a358bfb 100644
--- a/apparmor.d/profiles-a-l/font-manager
+++ b/apparmor.d/profiles-a-l/font-manager
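Review bot: In the `open` child, `/{usr/,}bin/viewnior rPUx,` falls back to running viewnior unconfined when no viewnior profile is loaded, whereas the neighbouring `smplayer` and `geany` entries use `rPx` and fail closed; if viewnior has a profile in this repository use `rPx` for it too, and if it does not, a comment explaining the deliberate fallback would keep the difference from looking accidental. The `profile open { ... }` block is repeated nearly verbatim in the psi profile added by this commit, differing only in the allowed-apps list, so it is a candidate for a shared abstraction with the app list left to each profile.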
@@ -14,6 +14,7 @@ profile font-manager @{exec_path} { include include include + include include network inet dgram, @@ -27,15 +28,10 @@ profile font-manager @{exec_path} { /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitWebProcess rix, /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix, - /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/font-manager/ rw, owner @{user_cache_dirs}/font-manager/* rwk, - owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, - owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, - owner @{user_config_dirs}/font-manager/ rw, owner @{user_config_dirs}/font-manager/* rw, @@ -61,12 +57,8 @@ profile font-manager @{exec_path} { @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, - @{sys}/devices/system/node/ r, @{sys}/fs/cgroup/{,**} r, - /dev/ r, - /dev/dri/ r, - include owner @{run}/user/[0-9]*/dconf/ rw, owner @{run}/user/[0-9]*/dconf/user rw, diff --git a/apparmor.d/profiles-a-l/frontend b/apparmor.d/profiles-a-l/frontend index 0008bcfa9..1e565cc54 100644 --- a/apparmor.d/profiles-a-l/frontend +++ b/apparmor.d/profiles-a-l/frontend @@ -29,6 +29,7 @@ profile frontend @{exec_path} flags=(complain) { /{usr/,}bin/linux-check-removal rPx, /{usr/,}bin/ucf rPx, /{usr/,}sbin/pam-auth-update rPx, + /{usr/,}sbin/aspell-autobuildhash rPx, /usr/share/debian-security-support/check-support-status.hook rPx, # Run the package maintainer's scripts diff --git a/apparmor.d/profiles-a-l/fuseiso b/apparmor.d/profiles-a-l/fuseiso index 128528953..a56608a22 100644 --- a/apparmor.d/profiles-a-l/fuseiso +++ b/apparmor.d/profiles-a-l/fuseiso 
@@ -13,15 +13,17 @@ profile fuseiso @{exec_path} { @{exec_path} mr, - /{usr/,}bin/fusermount{,3} rPx, + /{usr/,}bin/fusermount{,3} rCx -> fusermount, # Where to mount ISO files owner @{HOME}/*/ rw, owner @{HOME}/*/*/ rw, + owner @{HOME}/.cache/**/ r, # Be able to mount ISO images mount fstype=fuse.fuseiso -> @{HOME}/*/, mount fstype=fuse.fuseiso -> @{HOME}/*/*/, + mount fstype=fuse.fuseiso -> @{HOME}/.cache/**/, # Image files to be mounted owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, @@ -34,5 +36,35 @@ profile fuseiso @{exec_path} { /dev/fuse rw, + + profile fusermount { + include + include + + # To mount anything: + capability sys_admin, + + capability dac_read_search, + + /{usr/,}bin/fusermount{,3} mr, + + mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/, + mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/, + mount fstype={fuse,fuse.fuseiso} -> @{HOME}/.cache/**/, + + /dev/fuse rw, + + /etc/fuse.conf r, + + @{PROC}/@{pid}/mounts r, + + # Image files to be mounted + owner @{HOME}/**.{iso,img,bin,mdf,nrg} r, + owner /media/*/**.{iso,img,bin,mdf,nrg} r, + owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r, + owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} r, + + } + include if exists } diff --git a/apparmor.d/profiles-a-l/fusermount b/apparmor.d/profiles-a-l/fusermount index 886a97f83..186f399fc 100644 --- a/apparmor.d/profiles-a-l/fusermount +++ b/apparmor.d/profiles-a-l/fusermount @@ -15,12 +15,7 @@ profile fusermount @{exec_path} { # fusermount: mount failed: Operation not permitted capability sys_admin, - # This is needed when mounting MTP devices via some file manager: - # fusermount: mount failed: Permission denied - capability dac_read_search, - - # For obexfs - network bluetooth stream, + #capability dac_read_search, @{exec_path} mr, 
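Review bot: `mount fstype=fuse.fuseiso -> @{HOME}/.cache/**/` in the parent, and `mount fstype={fuse,fuse.fuseiso} -> @{HOME}/.cache/**/` in the child, allow mounting over any directory at any depth under the cache tree, which lets a mounted image shadow another application's cache; if a single consumer needs this, name its directory instead of `**`. The child also repeats the `# Image files to be mounted` reads from the parent, but fusermount does not open the image; if these cover inherited descriptors, tag them `# file_inherit` as the psi profile does, otherwise drop them. Like the other new fusermount children, this one has no `umount` rule.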
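Review bot: Replacing the `capability dac_read_search,` block with a bare `#capability dac_read_search,` also removes the comment that said when it was needed (mounting MTP devices via a file manager), so the disabled rule no longer tells a maintainer under which circumstances to restore it. Keep the why with the rule, e.g. `# Only needed when mounting MTP devices via a file manager; disabled here because the gvfsd-fuse and fuseiso fusermount children grant it themselves`. The enclosing `profile fusermount` block starts and ends outside the hunk.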
@@ -35,32 +30,13 @@ profile fusermount @{exec_path} { mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/, mount fstype={fuse,fuse.*} -> /media/*/, mount fstype={fuse,fuse.*} -> /media/*/*/, - # For MTP - mount -> /, - # For AppImage - mount fstype={fuse,fuse.*} -> /tmp/.mount_*/, - - # For GVFS - mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/, - - # Be able to unmount the ISO images umount @{HOME}/*/, umount @{HOME}/*/*/, umount @{HOME}/.cache/**/, umount /media/*/, + umount /media/*/*/, umount /tmp/.mount_*/, - umount @{run}/user/[0-9]*/**/, - - # Image files to be mounted - owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, - owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, - owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - - # AppImage files - owner @{HOME}/**.AppImage r, - owner /media/*/**.AppImage r, /etc/fuse.conf r, diff --git a/apparmor.d/profiles-a-l/gajim b/apparmor.d/profiles-a-l/gajim index 545eaa4c3..12cd210f3 100644 --- a/apparmor.d/profiles-a-l/gajim +++ b/apparmor.d/profiles-a-l/gajim @@ -9,11 +9,12 @@ include @{exec_path} = /{usr/,}bin/gajim profile gajim @{exec_path} { include + include include include include include - include + include include include include @@ -21,7 +22,8 @@ profile gajim @{exec_path} { include include include - include + include + include include network inet dgram, 
@@ -38,22 +40,26 @@ profile gajim @{exec_path} { /{usr/,}{s,}bin/ldconfig rix, # To play sounds - /{usr/,}bin/aplay rCx -> audio, - /{usr/,}bin/pacat rCx -> audio, + /{usr/,}bin/aplay rix, + /{usr/,}bin/pacat rix, # Needed for GPG/PGP support /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/gpgconf rCx -> gpg, + /{usr/,}bin/gpgsm rCx -> gpg, # External apps - /{usr/,}bin/xdg-settings rPUx, - /{usr/,}lib/firefox/firefox rPUx, + /{usr/,}bin/xdg-settings rPx, + /{usr/,}lib/firefox/firefox rPx, + /{usr/,}bin/spacefm rPx, # Gajim plugins /usr/share/gajim/plugins/{,**} r, # Gajim home files owner @{HOME}/ r, - owner @{user_config_dirs}/gajim/{,**} rw, + owner @{user_config_dirs}/gajim/ rw, + owner @{user_config_dirs}/gajim/** rwk, owner @{user_share_dirs}/gajim/ rw, owner @{user_share_dirs}/gajim/** rwk, 
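Review bot: Changing `/{usr/,}bin/aplay rCx -> audio,` and `/{usr/,}bin/pacat rCx -> audio,` to `rix` runs the two players with gajim's full profile (network access, the config and share trees, the `gpg` child transition) instead of the small `audio` child that the next hunk deletes; that is a loosening for helpers that only need to read a sound file and reach the audio server. If the child was dropped because of missing permissions, the denied paths belong in the child rather than in an `ix` promotion. The move from `rPUx` to `rPx` for `xdg-settings` and `firefox` goes the other way and is an improvement, though it means those now fail closed when no profile is loaded, which is worth a comment next to them.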
@@ -62,45 +68,62 @@ profile gajim @{exec_path} { owner @{user_cache_dirs}/gajim/ rw, owner @{user_cache_dirs}/gajim/** rwk, + owner @{HOME}/.cache/farstream/ rw, + owner @{HOME}/.cache/farstream/codecs.audio.x86_64.cache{,.tmp*} rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + /etc/fstab r, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, + + # For video streaming + @{sys}/class/video4linux/ r, + /dev/video[0-9]* rw, + # TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/) + /var/tmp/ r, + /tmp/ r, owner /tmp/* rw, - # owner /var/tmp/* rw, - # owner @{HOME}/* rw, + + include + owner @{run}/user/[0-9]*/dconf/ rw, + owner @{run}/user/[0-9]*/dconf/user rw, # Silencer deny /usr/share/gajim/** w, - profile audio { - include - include - - /{usr/,}bin/aplay mr, - /{usr/,}bin/pacat mr, - - owner @{HOME}/.Xauthority r, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - } - profile gpg { include - /{usr/,}bin/gpg mr, + /{usr/,}bin/gpg mr, + /{usr/,}bin/gpgconf mr, + /{usr/,}bin/gpgsm mr, + + /{usr/,}bin/gpg-agent rix, + /{usr/,}lib/gnupg/scdaemon rix, + + # without owner + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, + + owner @{run}/user/[0-9]*/gnupg/d.*/ rw, + owner @{run}/user/[0-9]*/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + owner @{HOME}/.local/share/gajim/openpgp/ rw, + owner @{HOME}/.local/share/gajim/openpgp/** rwkl -> @{HOME}/.local/share/gajim/openpgp/**, + } include if exists diff --git a/apparmor.d/profiles-a-l/jmtpfs b/apparmor.d/profiles-a-l/jmtpfs new file mode 100644 index 000000000..e7a17e884 --- /dev/null +++ b/apparmor.d/profiles-a-l/jmtpfs 
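Review bot: `@{PROC}/@{pid}/task/@{tid}/comm rw,` in the `gpg` child has no `owner` qualifier, and `@{pid}` matches any pid, so the rule is wider than a same-user gpg-agent needs (as far as I know the kernel only lets a task rename its own threads anyway, so the extra scope is probably harmless); the `# without owner` comment records what was done but not why `owner` failed, so state the reason or restore `owner` if only `fd/ r` needed the change. `owner @{HOME}/.local/share/gajim/openpgp/` spells out the path the parent profile writes as `@{user_share_dirs}/gajim/`, and `owner @{HOME}/.cache/farstream/` likewise bypasses `@{user_cache_dirs}`; use the tunables so these rules follow the same redirections as the rest of the profile, `owner @{user_share_dirs}/gajim/openpgp/ rw,` and `owner @{user_cache_dirs}/farstream/ rw,` (and the matching `**` lines).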
@@ -0,0 +1,53 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/jmtpfs
+profile jmtpfs @{exec_path} {
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/fusermount{,3} rCx -> fusermount,
+
+ # Mount points
+ owner @{HOME}/*/ r,
+ owner @{HOME}/*/*/ r,
+
+ mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
+ mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,
+
+ /etc/magic r,
+
+ /dev/fuse rw,
+
+
+ profile fusermount {
+ include
+ include
+
+ # To mount anything:
+ capability sys_admin,
+
+ /{usr/,}bin/fusermount{,3} mr,
+
+ mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
+ mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,
+
+ /etc/fuse.conf r,
+
+ /dev/fuse rw,
+
+ @{PROC}/@{pid}/mounts r,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-z/psi b/apparmor.d/profiles-m-z/psi
new file mode 100644
index 000000000..ec3fb71e0
--- /dev/null
+++ b/apparmor.d/profiles-m-z/psi
@@ -0,0 +1,161 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/psi
+profile psi @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ signal (send) set=(term, kill) peer=child-lsb_release,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink dgram,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/xdg-open rCx -> open,
+
+ # Needed for GPG/PGP support
+ /{usr/,}bin/gpg rCx -> gpg,
+
+ # Needed for playing sound events
+ /{usr/,}bin/aplay rCx -> aplay,
+
+ # PSI files
+ /usr/share/psi/{,**} r,
+
+ # PSI config files
+ owner @{HOME}/ r,
+ owner @{user_config_dirs}/psi/ rw,
+ owner @{user_config_dirs}/psi/** rwkl -> @{user_config_dirs}/psi/#[0-9]*[0-9],
+
+ owner @{user_share_dirs}/psi/ rw,
+ owner @{user_share_dirs}/psi/** rwk,
+
+ # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
+ owner @{user_config_dirs}/qt5ct/{,**} r,
+ /usr/share/qt5ct/** r,
+
+ # Cache files
+ owner @{user_cache_dirs}/ rw,
+ owner @{user_cache_dirs}/psi/{,**} rw,
+ owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ # Autostart
+ owner @{user_config_dirs}/autostart/psi.desktop rw,
+
+ /etc/debian_version r,
+
+ /dev/shm/#[0-9]*[0-9] rw,
+
+ deny owner @{PROC}/@{pid}/cmdline r,
+ deny @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /etc/fstab r,
+
+ owner /var/tmp/etilqs_[0-9a-f]* rw,
+
+ owner /tmp/#[0-9]*[0-9] rw,
+ owner /tmp/Psi.* rwl -> /tmp/#[0-9]*[0-9],
+
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
+
+ /usr/share/hwdata/pnp.ids r,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+
+ profile aplay {
+ include
+ include
+
+ /{usr/,}bin/aplay mr,
+ #/{usr/,}bin/pulseaudio rPUx,
+
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ /usr/share/psi/sound/** r,
+
+ owner @{HOME}/.Xauthority r,
+
+ # file_inherit
+ /dev/dri/card[0-9]* rw,
+
+ }
+
+ profile gpg {
+ include
+
+ /{usr/,}bin/gpg mr,
+
+ owner @{HOME}/.gnupg/ rw,
+ owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
+
+ # file_inherit
+ /dev/dri/card[0-9]* rw,
+
+ }
+
+ profile open {
+ include
+ include
+
+ /{usr/,}bin/xdg-open mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/basename rix,
+
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
+ # Allowed apps to open
+ /{usr/,}lib/firefox/firefox rPUx,
+
+ # file_inherit
+ owner @{HOME}/.xsession-errors w,
+
+ }
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-z/pulseaudio b/apparmor.d/profiles-m-z/pulseaudio
index 2aad22244..222ffac9a 100644
--- a/apparmor.d/profiles-m-z/pulseaudio
+++ b/apparmor.d/profiles-m-z/pulseaudio
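Review bot: The `gpg` child hard-codes `owner @{HOME}/.gnupg/ rw,` and `owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,` while the gajim `gpg` child in this same commit uses `@{HOME}/@{XDG_GPG_DIR}`; use the tunable here too so a relocated keyring is handled in one place. `/dev/shm/#[0-9]*[0-9] rw,` lacks the `owner` qualifier that the `/tmp/#[0-9]*[0-9]` and `/var/tmp/etilqs_*` rules next to it carry; unless psi must write shm segments it does not own, add it (`@{run}/systemd/inhibit/[0-9]*.ref rw,` is the one case where `owner` may legitimately not match, since those files are created by logind, and a comment saying so would help). `/{usr/,}lib/firefox/firefox rPUx,` is granted both directly in the main profile and inside the `open` child, so the `xdg-open` indirection is optional for firefox; if the direct exec is needed, note which code path uses it, otherwise drop it from the main profile.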
@@ -31,7 +31,7 @@ profile pulseaudio @{exec_path} { /{usr/,}lib/pulse/gsettings-helper mrix, # PulseAudio files - /usr/share/pulseaudio/** r, + /usr/share/pulseaudio/{,**} r, /{usr/,}lib/pulse-*/modules/*.so mr, # PulseAudio home config files diff --git a/apparmor.d/profiles-m-z/quiterss b/apparmor.d/profiles-m-z/quiterss index bfe928b12..731287e92 100644 --- a/apparmor.d/profiles-m-z/quiterss +++ b/apparmor.d/profiles-m-z/quiterss @@ -23,8 +23,8 @@ profile quiterss @{exec_path} { include include include + include include - # This one is needed when you want to receive sound notifications include @@ -39,8 +39,6 @@ profile quiterss @{exec_path} { /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx, - # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, @@ -53,9 +51,6 @@ profile quiterss @{exec_path} { owner @{user_cache_dirs}/QuiteRss/ rw, owner @{user_cache_dirs}/QuiteRss/** rwl -> @{user_cache_dirs}/QuiteRss/**, - owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, - owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, - owner @{PROC}/@{pid}/fd/ r, deny @{PROC}/sys/kernel/random/boot_id r, deny owner @{PROC}/@{pid}/cmdline r, @@ -69,14 +64,7 @@ profile quiterss @{exec_path} { /usr/share/hwdata/pnp.ids r, - # The orcexec.* file is JIT compiled code for various GStreamer elements. - # If one is blocked the next is used instead. - owner @{run}/user/[0-9]*/orcexec.* mrw, - #owner @{HOME}/orcexec.* mrw, - #owner /tmp/orcexec.* mrw, - - deny /dev/ r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#[0-9]*[0-9] rw, owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]* rw, owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]*-lockfile rwk, diff --git a/apparmor.d/profiles-m-z/smtube b/apparmor.d/profiles-m-z/smtube index 7c251a98b..be2afb4d4 100644 --- a/apparmor.d/profiles-m-z/smtube 
+++ b/apparmor.d/profiles-m-z/smtube @@ -20,6 +20,7 @@ profile smtube @{exec_path} { include include include + include include network inet dgram, @@ -31,8 +32,6 @@ profile smtube @{exec_path} { @{exec_path} mr, - /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx, - # SMTube config files owner @{user_config_dirs}/smtube/ rw, owner @{user_config_dirs}/smtube/* rwkl -> @{user_config_dirs}/smtube/#[0-9]*[0-9], @@ -54,16 +53,12 @@ profile smtube @{exec_path} { owner @{user_cache_dirs}/smtube/ rw, owner @{user_cache_dirs}/smtube/* rwk, - owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, - owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, - /var/lib/dbus/machine-id r, /etc/machine-id r, /usr/share/hwdata/pnp.ids r, - deny /dev/ r, - /dev/shm/#[0-9]*[0-9] rw, + /dev/shm/#[0-9]*[0-9] rw, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-z/strawberry b/apparmor.d/profiles-m-z/strawberry index 2666cda08..f0e289660 100644 --- a/apparmor.d/profiles-m-z/strawberry +++ b/apparmor.d/profiles-m-z/strawberry @@ -26,6 +26,7 @@ profile strawberry @{exec_path} { include include include + include include signal (send) set=(term, kill) peer=strawberry-tagreader, @@ -42,7 +43,6 @@ profile strawberry @{exec_path} { @{exec_path} mr, /{usr/,}bin/strawberry-tagreader rPx, - /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx, /{usr/,}bin/xdg-open rCx -> open, @@ -68,9 +68,6 @@ profile strawberry @{exec_path} { owner @{user_cache_dirs}/strawberry/ rw, owner @{user_cache_dirs}/strawberry/** rwl -> @{user_cache_dirs}/strawberry/networkcache/prepared/#[0-9]*[0-9], - owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, - owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, - owner @{user_cache_dirs}/xine-lib/ rw, owner @{user_cache_dirs}/xine-lib/plugins.cache{,.new} rw, 
@@ -87,18 +84,8 @@ profile strawberry @{exec_path} { /etc/fstab r, - deny /dev/ r, - /dev/shm/#[0-9]*[0-9] rw, - /dev/sr[0-9]* r, - - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, - - # The orcexec.* file is JIT compiled code for various GStreamer elements. - # If one is blocked the next is used instead. - owner @{run}/user/[0-9]*/orcexec.* mrw, - #owner @{HOME}/orcexec.* mrw, - #owner /tmp/orcexec.* mrw, + /dev/shm/#[0-9]*[0-9] rw, + /dev/sr[0-9]* r, owner /tmp/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner /tmp/.*/ rw, diff --git a/apparmor.d/profiles-m-z/umount b/apparmor.d/profiles-m-z/umount index 0e445268c..f9f3e5761 100644 --- a/apparmor.d/profiles-m-z/umount +++ b/apparmor.d/profiles-m-z/umount @@ -30,7 +30,8 @@ profile umount @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}{s,}bin/umount.* rPx, + /{usr/,}sbin/umount.* rPx, + /{usr/,}sbin/mount.* rPx, # Mount points @{HOME}/ r, diff --git a/apparmor.d/profiles-m-z/virt-manager b/apparmor.d/profiles-m-z/virt-manager index cc742276f..ff2980a14 100644 --- a/apparmor.d/profiles-m-z/virt-manager +++ b/apparmor.d/profiles-m-z/virt-manager @@ -26,6 +26,7 @@ profile virt-manager @{exec_path} { include include include + include include network inet stream, @@ -42,8 +43,6 @@ profile virt-manager @{exec_path} { /{usr/,}{s,}bin/libvirtd rPx, - /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx, - /usr/share/virt-manager/{,**} r, owner @{HOME}/ r, @@ -51,9 +50,6 @@ profile virt-manager @{exec_path} { owner @{user_cache_dirs}/virt-manager/ rw, owner @{user_cache_dirs}/virt-manager/** rw, - owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, - owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, - # For disk images /media/ r, /media/*/ r, 
@@ -88,22 +84,13 @@ profile virt-manager @{exec_path} { /etc/fstab r, - @{run}/mount/utab r, + @{run}/mount/utab r, owner @{run}/user/[0-9]*/libvirt/libvirtd.lock rwk, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]*/meminfo r, - /var/lib/dbus/machine-id r, /etc/machine-id r, - # The orcexec.* file is JIT compiled code for various GStreamer elements. - # If one is blocked the next is used instead. - owner @{run}/user/[0-9]*/orcexec.* mrw, - #owner @{HOME}/orcexec.* mrw, - #owner /tmp/orcexec.* mrw, - # Silecne the noise deny /usr/share/virt-manager/{,**} w, diff --git a/apparmor.d/profiles-m-z/xdg-open b/apparmor.d/profiles-m-z/xdg-open index e815d1499..7a4324f9a 100644 --- a/apparmor.d/profiles-m-z/xdg-open +++ b/apparmor.d/profiles-m-z/xdg-open @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/xdg-open profile xdg-open @{exec_path} { include + include include @{exec_path} r,