diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index 9508cfcf2..f7d001c70 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/bootctl
-profile bootctl @{exec_path} flags=(attach_disconnected) {
+profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/disks-read>
@@ -17,27 +17,22 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
   capability net_admin,
   capability sys_resource,
 
-  signal (send) peer=child-pager,
+  signal send peer=child-pager,
 
-  ptrace (read) peer=unconfined,
+  ptrace read peer=unconfined,
 
   @{exec_path} mr,
 
   @{pager_path} rPx -> child-pager,
 
   @{efi}/ r,
-  @{efi}/EFI/{,**} r,
-  @{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
-  @{efi}/EFI/BOOT/BOOTX64.EFI w,
-  @{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
-  @{efi}/EFI/systemd/systemd-boot*.efi w,
-  @{efi}/loader/.#bootctlrandom-seed@{hex} rw,
-  @{efi}/loader/.#entries.srel* w,
-  @{efi}/loader/{,**} r,
-  @{efi}/loader/entries.srel w,
-  @{efi}/loader/random-seed w,
+  @{efi}/@{hex32}/ rw,
+  @{efi}/EFI/{,**} rwl,
+  @{efi}/loader/ rw,
+  @{efi}/loader/** rwl -> @{efi}/loader/#@{int},
 
-  /etc/kernel/entry-token r,
+  /etc/kernel/.#entry-token@{hex16} rw,
+  /etc/kernel/entry-token rw,
   /etc/machine-id r,
   /etc/machine-info r,
 
@@ -63,7 +58,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
   @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
-  @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,
   @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
   @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
   @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl
index 3a78c531e..3c962e309 100644
--- a/apparmor.d/groups/systemd/homectl
+++ b/apparmor.d/groups/systemd/homectl
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/homectl
-profile homectl @{exec_path} {
+profile homectl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/common/systemd>
diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify
index 346e7d94e..ba6141d86 100644
--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@@ -12,16 +12,16 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
-  ptrace (read) peer=@{p_systemd},
+  ptrace read peer=@{p_systemd},
 
   @{exec_path} mr,
 
   @{sh_path}                     rix,
-  @{sbin}/blkid                  rPx,
   @{bin}/grep                    rix,
   @{bin}/systemd-detect-virt     rPx,
   @{bin}/tr                      rix,
   @{bin}/uname                   rix,
+  @{sbin}/blkid                  rPx,
 
   /etc/cloud/{,**} r,
 
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 39192e7e1..b1869b16b 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -30,7 +30,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   mqueue getattr type=posix /,
   mqueue r type=posix /,
 
-  unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system,
+  unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system,
 
   #aa:dbus own bus=system name=org.freedesktop.login1
 
diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online
index 0d5e40730..c36b5af39 100644
--- a/apparmor.d/groups/systemd/systemd-networkd-wait-online
+++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online
@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-networkd-wait-online
-profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
+profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
 
diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced
index d1beae428..97dcb3b05 100644
--- a/apparmor.d/groups/systemd/systemd-nsresourced
+++ b/apparmor.d/groups/systemd/systemd-nsresourced
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-nsresourced
-profile systemd-nsresourced @{exec_path} {
+profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
 
@@ -19,7 +19,7 @@ profile systemd-nsresourced @{exec_path} {
 
   @{exec_path} mr,
 
-  @{lib}/systemd/systemd-nsresourcework Px -> systemd-nsresourced//&systemd-nsresourcework,
+  @{lib}/systemd/systemd-nsresourcework ix, # no new privs
 
   @{run}/systemd/nsresource/ rw,
   @{run}/systemd/nsresource/** rw,
@@ -32,6 +32,9 @@ profile systemd-nsresourced @{exec_path} {
   @{sys}/kernel/btf/vmlinux r,
   @{sys}/kernel/security/lsm r,
 
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
+
   include if exists <local/systemd-nsresourced>
 }