diff --git a/apparmor.d/abi/3.0 b/apparmor.d/abi/3.0
new file mode 100644
index 000000000..4b60c425f
--- /dev/null
+++ b/apparmor.d/abi/3.0
@@ -0,0 +1,78 @@
+query {label {multi_transaction {yes
+}
+data {yes
+}
+perms {allow deny audit quiet
+}
+}
+}
+dbus {mask {acquire send receive
+}
+}
+signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
+}
+}
+ptrace {mask {read trace
+}
+}
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+namespaces {pivot_root {no
+}
+profile {yes
+}
+}
+mount {mask {mount umount pivot_root
+}
+}
+network {af_unix {yes
+}
+af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
+network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {version {1.2
+}
+attach_conditions {xattr {yes
+}
+}
+computed_longest_left {yes
+}
+post_nnp_subset {yes
+}
+fix_binfmt_elf_mmap {yes
+}
+stack {yes
+}
+change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+versions {v8 {yes
+}
+v7 {yes
+}
+v6 {yes
+}
+v5 {yes
+}
+}
+}
diff --git a/apparmor.d/abi/kernel-5.4-outoftree-network b/apparmor.d/abi/kernel-5.4-outoftree-network
new file mode 100644
index 000000000..6d5e95b6e
--- /dev/null
+++ b/apparmor.d/abi/kernel-5.4-outoftree-network
@@ -0,0 +1,76 @@
+query {label {multi_transaction {yes
+}
+data {yes
+}
+perms {allow deny audit quiet
+}
+}
+}
+dbus {mask {acquire send receive
+}
+}
+signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
+}
+}
+ptrace {mask {read trace
+}
+}
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+namespaces {pivot_root {no
+}
+profile {yes
+}
+}
+mount {mask {mount umount pivot_root
+}
+}
+network {af_unix {yes
+}
+af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {version {1.2
+}
+attach_conditions {xattr {yes
+}
+}
+computed_longest_left {yes
+}
+post_nnp_subset {yes
+}
+fix_binfmt_elf_mmap {yes
+}
+stack {yes
+}
+change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+versions {v8 {yes
+}
+v7 {yes
+}
+v6 {yes
+}
+v5 {yes
+}
+}
+}
diff --git a/apparmor.d/abi/kernel-5.4-vanilla b/apparmor.d/abi/kernel-5.4-vanilla
new file mode 100644
index 000000000..9fa0e8f54
--- /dev/null
+++ b/apparmor.d/abi/kernel-5.4-vanilla
@@ -0,0 +1,68 @@
+query {label {multi_transaction {yes
+}
+data {yes
+}
+perms {allow deny audit quiet
+}
+}
+}
+signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
+}
+}
+ptrace {mask {read trace
+}
+}
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+namespaces {pivot_root {no
+}
+profile {yes
+}
+}
+mount {mask {mount umount pivot_root
+}
+}
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {version {1.2
+}
+attach_conditions {xattr {yes
+}
+}
+computed_longest_left {yes
+}
+post_nnp_subset {yes
+}
+fix_binfmt_elf_mmap {yes
+}
+stack {yes
+}
+change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+versions {v8 {yes
+}
+v7 {yes
+}
+v6 {yes
+}
+v5 {yes
+}
+}
+}
diff --git a/apparmor.d/abstractions/X b/apparmor.d/abstractions/X
index 194e81d5e..1ae3fa2ce 100644
--- a/apparmor.d/abstractions/X
+++ b/apparmor.d/abstractions/X
@@ -11,13 +11,14 @@ # # ------------------------------------------------------------------ - #abi , + abi , - #include + include # .ICEauthority files required for X authentication, per user owner @{HOME}/.ICEauthority r, + owner @{run}/user/*/ICEauthority r, # .Xauthority files required for X connections, per user owner @{HOME}/.Xauthority r, @@ -30,7 +31,7 @@ owner @{run}/user/*/xauth_* r, # the unix socket to use to connect to the display - /tmp/.X11-unix/* rw, + /tmp/.X11-unix/* r, unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), @@ -58,7 +59,10 @@ /etc/X11/cursors/** r, # Xwayland - owner /run/user/*/.mutter-Xwaylandauth.* r, + owner @{run}/user/*/.mutter-Xwaylandauth.* r, # Available Xsessions /usr/share/xsessions/{,*.desktop} r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/apache2-common b/apparmor.d/abstractions/apache2-common index 850dd89c8..d3f922493 100644 --- a/apparmor.d/abstractions/apache2-common +++ b/apparmor.d/abstractions/apache2-common @@ -2,7 +2,9 @@ # This file contains basic permissions for Apache and every vHost - #include + abi , + + include # Allow unconfined processes to send us signals by default signal (receive) peer=unconfined, @@ -20,7 +22,7 @@ /usr/share/apache2/** r, # changehat itself - @{PROC}/@{pid}/attr/current rw, + @{PROC}/@{pid}/attr/{apparmor/,}current rw, # htaccess files - for what ever it is worth /**/.htaccess r, @@ -28,7 +30,10 @@ /dev/urandom r, # sasl-auth - /run/saslauthd/mux rw, + @{run}/saslauthd/mux rw, # OCSP stapling - /var/log/apache2/stapling-cache rw, + @{run}/lock/apache2/stapling-cache* rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index f22be0492..ba6618210 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root 
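Review bot: Dropping the file rule for `/tmp/.X11-unix/*` from `rw` to `r` in the second X hunk (`@@ -30,7 +31,7 @@`) is likely to break clients that reach the display through the filesystem socket rather than the abstract one. Filesystem-path unix sockets are mediated by file rules, where connect() needs `w` on the path, while the `unix` rule that follows only names abstract addresses (`@/tmp/.X11-unix/X[0-9]*`), so a client that falls back to `/tmp/.X11-unix/X0` (for instance when the server was started without an abstract listener) would now be denied. Unless forbidding that fallback is the intent, keep `/tmp/.X11-unix/* rw,` and record the reason next to it, e.g. `# w is needed to connect() to the filesystem socket; the unix rule only covers the abstract address`. The other hunks on this line (the remaining X hunks and apache2-common) only switch to `@{run}`/`@{PROC}` variables and the `include` spelling and raise nothing.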
@@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # Root app location / r, diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 7ef7b994f..123f5565b 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # User app location / r, diff --git a/apparmor.d/abstractions/apparmor_api/change_profile b/apparmor.d/abstractions/apparmor_api/change_profile index 30f6b7040..c2dfcba5d 100644 --- a/apparmor.d/abstractions/apparmor_api/change_profile +++ b/apparmor.d/abstractions/apparmor_api/change_profile @@ -6,6 +6,8 @@ # # ------------------------------------------------------------------ -#include +abi , -@{PROC}/@{tid}/attr/{current,exec} w, +include + +@{PROC}/@{tid}/attr/{apparmor/,}{current,exec} w, diff --git a/apparmor.d/abstractions/apparmor_api/examine b/apparmor.d/abstractions/apparmor_api/examine index 2f2ea15a4..655708bfa 100644 --- a/apparmor.d/abstractions/apparmor_api/examine +++ b/apparmor.d/abstractions/apparmor_api/examine @@ -9,4 +9,6 @@ # Make sure to include at least tunables/proc and tunables/kernelvars # when using this abstraction, if not tunables/global. -@{PROC}/@{pids}/attr/{current,prev,exec} r, +abi , + +@{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r, diff --git a/apparmor.d/abstractions/apparmor_api/find_mountpoint b/apparmor.d/abstractions/apparmor_api/find_mountpoint index b8ac54d12..d75970e55 100644 --- a/apparmor.d/abstractions/apparmor_api/find_mountpoint +++ b/apparmor.d/abstractions/apparmor_api/find_mountpoint @@ -6,6 +6,8 @@ # # ------------------------------------------------------------------ +abi , + #permissions needed for aa_find_mountpoint # Make sure to include at least tunables/proc and tunables/kernelvars 
diff --git a/apparmor.d/abstractions/apparmor_api/introspect b/apparmor.d/abstractions/apparmor_api/introspect index e110c8492..b88da0a47 100644 --- a/apparmor.d/abstractions/apparmor_api/introspect +++ b/apparmor.d/abstractions/apparmor_api/introspect @@ -6,7 +6,9 @@ # # ------------------------------------------------------------------ +abi , + # Make sure to include at least tunables/proc and tunables/kernelvars # when using this abstraction, if not tunables/global. -@{PROC}/@{tid}/attr/{current,prev,exec} r, +@{PROC}/@{tid}/attr/{apparmor/,}{current,prev,exec} r, diff --git a/apparmor.d/abstractions/apparmor_api/is_enabled b/apparmor.d/abstractions/apparmor_api/is_enabled index a637d3ced..56b1afd12 100644 --- a/apparmor.d/abstractions/apparmor_api/is_enabled +++ b/apparmor.d/abstractions/apparmor_api/is_enabled @@ -6,12 +6,14 @@ # # ------------------------------------------------------------------ +abi , + # permissions needed for aa_is_enabled # Make sure to include tunables/apparmorfs and tunables/global # when using this abstraction -#include +include @{sys}/module/apparmor/parameters/enabled r, # TODO: add alternate apparmorfs interface for enabled diff --git a/apparmor.d/abstractions/apt-common b/apparmor.d/abstractions/apt-common index 996abfe98..c7e0290fc 100644 --- a/apparmor.d/abstractions/apt-common +++ b/apparmor.d/abstractions/apt-common @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, diff --git a/apparmor.d/abstractions/aspell b/apparmor.d/abstractions/aspell index 954768924..eff252bd3 100644 --- a/apparmor.d/abstractions/aspell +++ b/apparmor.d/abstractions/aspell @@ -1,6 +1,8 @@ # vim:syntax=apparmor # aspell permissions + abi , + # per-user settings and dictionaries owner @{HOME}/.aspell.*.{pws,prepl} rwk, 
@@ -11,3 +13,6 @@ /usr/share/aspell/ r, /usr/share/aspell/* r, /var/lib/aspell/* r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/audio b/apparmor.d/abstractions/audio index f1ad356fd..f558e6073 100644 --- a/apparmor.d/abstractions/audio +++ b/apparmor.d/abstractions/audio @@ -10,6 +10,7 @@ # # ------------------------------------------------------------------ +abi , /dev/admmidi* rw, @@ -56,13 +57,15 @@ owner @{HOME}/.cache/event-sound-cache.* rwk, # pulse /etc/pulse/ r, /etc/pulse/** r, -/{run,dev}/shm/ r, -owner /{run,dev}/shm/pulse-shm* rwk, +/dev/shm/ r, +@{run}/shm/ r, +owner /dev/shm/pulse-shm* rwk, +owner @{run}/shm/pulse-shm* rwk, owner @{HOME}/.pulse-cookie rwk, owner @{HOME}/.pulse/ rw, owner @{HOME}/.pulse/* rwk, -owner /{,var/}run/user/*/pulse/ rw, -owner /{,var/}run/user/*/pulse/{native,pid} rwk, +owner @{run}/user/*/pulse/ rw, +owner @{run}/user/*/pulse/{native,pid} rwk, owner @{HOME}/.config/pulse/*.conf r, owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r, owner @{HOME}/.config/pulse/cookie rwk, @@ -86,3 +89,6 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r, # wildmidi /etc/wildmidi/wildmidi.cfg r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/authentication b/apparmor.d/abstractions/authentication index 75771ecdc..e8b9f7ac1 100644 --- a/apparmor.d/abstractions/authentication +++ b/apparmor.d/abstractions/authentication 
@@ -10,18 +10,19 @@ # # ------------------------------------------------------------------ + abi , # Some services need to perform authentication of users # Such authentication almost certainly needs access to the local users # databases containing passwords, PAM configuration files, PAM libraries - /{usr/,}etc/nologin r, - /{usr/,}etc/pam.d/* r, - /{usr/,}etc/securetty r, - /{usr/,}etc/security/* r, - /{usr/,}etc/shadow r, - /{usr/,}etc/gshadow r, - /{usr/,}etc/pwdb.conf r, + @{etc_ro}/nologin r, + @{etc_ro}/pam.d/* r, + @{etc_ro}/securetty r, + @{etc_ro}/security/* r, + @{etc_ro}/shadow r, + @{etc_ro}/gshadow r, + @{etc_ro}/pwdb.conf r, /{usr/,}lib{,32,64}/security/pam_filter/* mr, /{usr/,}lib{,32,64}/security/pam_*.so mr, @@ -31,22 +32,25 @@ /{usr/,}lib/@{multiarch}/security/ r, # kerberos - #include + include # SuSE's pwdutils are different: - /{usr/,}etc/default/passwd r, - /{usr/,}etc/login.defs r, + @{etc_ro}/default/passwd r, + @{etc_ro}/login.defs r, # nis - #include + include # winbind - #include + include # likewise - #include + include # smbpass - #include + include # p11-kit (PKCS#11 modules configuration) - #include + include + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/base b/apparmor.d/abstractions/base index dff091254..5307a72a9 100644 --- a/apparmor.d/abstractions/base +++ b/apparmor.d/abstractions/base @@ -10,6 +10,7 @@ # # ------------------------------------------------------------------ + abi , # (Note that the ldd profile has inlined this file; if you make 
@@ -26,10 +27,10 @@ # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). - /run/uuidd/request r, - /etc/locale/** r, - /etc/locale.alias r, - /etc/localtime r, + @{run}/uuidd/request r, + @{etc_ro}/locale/** r, + @{etc_ro}/locale.alias r, + @{etc_ro}/localtime r, /etc/writable/localtime r, /usr/share/locale-bundle/** r, /usr/share/locale-langpack/** r, @@ -39,13 +40,13 @@ /usr/share/zoneinfo/ r, /usr/share/zoneinfo/** r, /usr/share/X11/locale/** r, - /run/systemd/journal/dev-log w, + @{run}/systemd/journal/dev-log w, # systemd native journal API (see sd_journal_print(4)) - /run/systemd/journal/socket w, + @{run}/systemd/journal/socket w, # Nested containers and anything using systemd-cat need this. 'r' shouldn't # be required but applications fail without it. journald doesn't leak # anything when reading so this is ok. - /run/systemd/journal/stdout rw, + @{run}/systemd/journal/stdout rw, /usr/lib{,32,64}/locale/** mr, /usr/lib{,32,64}/gconv/*.so mr, @@ -54,14 +55,14 @@ /usr/lib/@{multiarch}/gconv/gconv-modules* mr, # used by glibc when binding to ephemeral ports - /etc/bindresvport.blacklist r, + @{etc_ro}/bindresvport.blacklist r, # ld.so.cache and ld are used to load shared libraries; they are best # available everywhere - /etc/ld.so.cache mr, - /etc/ld.so.conf r, - /etc/ld.so.conf.d/{,*.conf} r, - /etc/ld.so.preload r, + @{etc_ro}/ld.so.cache mr, + @{etc_ro}/ld.so.conf r, + @{etc_ro}/ld.so.conf.d/{,*.conf} r, + @{etc_ro}/ld.so.preload r, /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr, /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr, /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr, 
@@ -76,6 +77,11 @@ /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr, /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr, + # FIPS-140-2 versions of some crypto libraries need to access their + # associated integrity verification file, or they will abort. + /{usr/,}lib{,32,64}/.lib*.so*.hmac r, + /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r, + # /dev/null is pretty harmless and frequently used /dev/null rw, # as is /dev/zero @@ -180,3 +186,6 @@ #owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r, #owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/bash b/apparmor.d/abstractions/bash index e8dcd75cb..89c1cf1e4 100644 --- a/apparmor.d/abstractions/bash +++ b/apparmor.d/abstractions/bash @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + # user-specific bash files @{HOMEDIRS} r, @{HOME}/.bashrc r, @@ -42,3 +44,6 @@ /etc/DIR_COLORS r, /{usr/,}bin/ls mix, /usr/bin/dircolors mix, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/consoles b/apparmor.d/abstractions/consoles index a16dffe0e..aabf3dd51 100644 --- a/apparmor.d/abstractions/consoles +++ b/apparmor.d/abstractions/consoles @@ -9,6 +9,7 @@ # # ------------------------------------------------------------------ + abi , # there are three common ways to refer to consoles @@ -21,4 +22,6 @@ /dev/pts/[0-9]* rw, /dev/pts/ r, - /dev/ptmx rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/cups-client b/apparmor.d/abstractions/cups-client index f38ac0979..44f36e2b6 100644 --- a/apparmor.d/abstractions/cups-client +++ b/apparmor.d/abstractions/cups-client 
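Review bot: The second consoles hunk (`@@ -21,4 +22,6 @@`) silently removes `/dev/ptmx rw,`, which any profile that pulls in this abstraction to allocate a pseudo-terminal (openpty/forkpty and the like) has been relying on, and nothing in the visible change explains it. If the removal is a deliberate least-privilege tightening, it should be stated in the commit description and the affected profiles should receive the rule individually; otherwise restore `/dev/ptmx rw,`. The base, bash and first consoles hunks on this line only add the `abi` line, the FIPS `.hmac` reads and the `include if exists` tail and raise nothing.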
@@ -9,10 +9,15 @@ # # ------------------------------------------------------------------ + abi , + # discoverable system configuration for non-local cupsd /etc/cups/client.conf r, # client should be able to talk the local cupsd - /{,var/}run/cups/cups.sock rw, + @{run}/cups/cups.sock rw, # client should be able to read user-specified cups configuration owner @{HOME}/.cups/client.conf r, owner @{HOME}/.cups/lpoptions r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus b/apparmor.d/abstractions/dbus index c670fc2d9..b96ca09ac 100644 --- a/apparmor.d/abstractions/dbus +++ b/apparmor.d/abstractions/dbus @@ -9,8 +9,13 @@ # # ------------------------------------------------------------------ + abi , + # This abstraction grants full system bus access. Consider using the # dbus-strict abstraction for fine-grained bus mediation. - #include + include dbus bus=system, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus-accessibility b/apparmor.d/abstractions/dbus-accessibility index 40a330844..3c49a32ff 100644 --- a/apparmor.d/abstractions/dbus-accessibility +++ b/apparmor.d/abstractions/dbus-accessibility @@ -9,8 +9,13 @@ # # ------------------------------------------------------------------ + abi , + # This abstraction grants full accessibility bus access. Consider using the # dbus-accessibility-strict abstraction for fine-grained bus mediation. - #include + include dbus bus=accessibility, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus-accessibility-strict b/apparmor.d/abstractions/dbus-accessibility-strict index a853ce209..8fe06ea63 100644 --- a/apparmor.d/abstractions/dbus-accessibility-strict +++ b/apparmor.d/abstractions/dbus-accessibility-strict 
@@ -9,9 +9,14 @@ # # ------------------------------------------------------------------ + abi , + dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus-network-manager-strict b/apparmor.d/abstractions/dbus-network-manager-strict index 889a9a850..9930c80da 100644 --- a/apparmor.d/abstractions/dbus-network-manager-strict +++ b/apparmor.d/abstractions/dbus-network-manager-strict @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + dbus send bus=system path=/org/freedesktop/NetworkManager @@ -42,4 +44,4 @@ member=GetSettings peer=(name=org.freedesktop.NetworkManager), - #include if exists + include if exists diff --git a/apparmor.d/abstractions/dbus-session b/apparmor.d/abstractions/dbus-session index eb1ed91e4..9b8b979e7 100644 --- a/apparmor.d/abstractions/dbus-session +++ b/apparmor.d/abstractions/dbus-session @@ -9,9 +9,14 @@ # # ------------------------------------------------------------------ + abi , + # This abstraction grants full session bus access. Consider using the # dbus-session-strict abstraction for fine-grained bus mediation. - #include + include /usr/bin/dbus-launch ix, dbus bus=session, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus-session-strict b/apparmor.d/abstractions/dbus-session-strict index 1600554a6..a301d45f6 100644 --- a/apparmor.d/abstractions/dbus-session-strict +++ b/apparmor.d/abstractions/dbus-session-strict 
@@ -9,17 +9,18 @@ # # ------------------------------------------------------------------ + abi , + # unique per-machine identifier /etc/machine-id r, /var/lib/dbus/machine-id r, - owner /run/user/*/bus rw, unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"), # dbus with systemd and --enable-user-session - owner /run/user/[0-9]*/bus rw, + owner @{run}/user/[0-9]*/bus rw, dbus send bus=session @@ -27,3 +28,6 @@ interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus-strict b/apparmor.d/abstractions/dbus-strict index 01a426e46..915195d28 100644 --- a/apparmor.d/abstractions/dbus-strict +++ b/apparmor.d/abstractions/dbus-strict @@ -9,7 +9,9 @@ # # ------------------------------------------------------------------ - /{,var/}run/dbus/system_bus_socket rw, + abi , + + @{run}/dbus/system_bus_socket rw, dbus send bus=system @@ -17,3 +19,6 @@ interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dconf b/apparmor.d/abstractions/dconf index 7ef697832..fc3b3dbd4 100644 --- a/apparmor.d/abstractions/dconf +++ b/apparmor.d/abstractions/dconf @@ -1,8 +1,13 @@ # vim:syntax=apparmor + abi , + # permissions for querying dconf settings; granting write access should # be specified in a specific application's profile. /etc/dconf/** r, - owner /{,var/}run/user/*/dconf/user r, + owner @{run}/user/*/dconf/user r, owner @{HOME}/.config/dconf/user r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/deny-dconf b/apparmor.d/abstractions/deny-dconf index bc7683bcf..0567f3a97 100644 --- a/apparmor.d/abstractions/deny-dconf 
+++ b/apparmor.d/abstractions/deny-dconf @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , deny /etc/dconf/{,**} r, diff --git a/apparmor.d/abstractions/deny-root-dir-access b/apparmor.d/abstractions/deny-root-dir-access index 9e26510f7..19fb6d664 100644 --- a/apparmor.d/abstractions/deny-root-dir-access +++ b/apparmor.d/abstractions/deny-root-dir-access @@ -17,7 +17,7 @@ # are denied. Anyway, most of the apps refuse to start when they don't get the access to the # needed files in the user home dir. - #abi , + abi , # Use audit for now to see whether some apps are trying to get access to the /root/ dir. audit deny /root/{,**} rwkmlx, diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 288af63ce..bcda24e6e 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # The /sys/ entries probably should be tightened diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index 42bce3d77..d44b7f952 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # The /sys/ entries probably should be tightened diff --git a/apparmor.d/abstractions/dovecot-common b/apparmor.d/abstractions/dovecot-common index e1681d9a0..35d3cb11a 100644 --- a/apparmor.d/abstractions/dovecot-common +++ b/apparmor.d/abstractions/dovecot-common @@ -9,6 +9,8 @@ # ------------------------------------------------------------------ # used with dovecot/* + abi , + capability setgid, deny capability block_suspend, 
@@ -16,4 +18,7 @@ # dovecot's master can send us signals signal receive peer=dovecot, - /{var/,}run/dovecot/config rw, + owner @{run}/dovecot/config rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dri-common b/apparmor.d/abstractions/dri-common index b5e0a5c5b..cd9542b0b 100644 --- a/apparmor.d/abstractions/dri-common +++ b/apparmor.d/abstractions/dri-common @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This file contains common DRI-specific rules useful for GUI applications # (needed by libdrm and similar). @@ -12,3 +14,6 @@ /usr/share/drirc.d/{,*.conf} r, owner @{HOME}/.drirc r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dri-enumerate b/apparmor.d/abstractions/dri-enumerate index e101be5cb..b5717cd21 100644 --- a/apparmor.d/abstractions/dri-enumerate +++ b/apparmor.d/abstractions/dri-enumerate @@ -1,8 +1,13 @@ # vim:syntax=apparmor + abi , + # This file contains common DRI-specific rules useful for GUI applications that # needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from # libdrm). @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/enchant b/apparmor.d/abstractions/enchant index d0ff08529..e80373b2c 100644 --- a/apparmor.d/abstractions/enchant +++ b/apparmor.d/abstractions/enchant @@ -9,14 +9,18 @@ # # ------------------------------------------------------------------ + abi , + # abstraction for Enchant spellchecking frontend /usr/share/enchant/ r, /usr/share/enchant/enchant.ordering r, - /usr/share/enchant-[0-9]*/enchant.ordering r, + + /usr/share/enchant-2/ r, + /usr/share/enchant-2/enchant.ordering r, # aspell - #include + include /var/lib/dictionaries-common/aspell/ r, /var/lib/dictionaries-common/aspell/* r, 
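Review bot: The rewritten dovecot-common rule `owner @{run}/dovecot/config rw,` adds an `owner` condition that the old `/{var/,}run/dovecot/config rw,` did not have, and that condition is likely to deny the very access the abstraction exists to grant. The config socket is created by the dovecot master process, whereas the processes that include dovecot-common (the dovecot/* children) presumably run under unprivileged service or mail users, so the file owner will not match the caller's fsuid and the connect will be refused. Unless those children are known to run as the socket's owner, keep the rule as `@{run}/dovecot/config rw,`; the switch to the `@{run}` variable itself is fine. The dri-common, dri-enumerate and enchant hunks on this line raise nothing, although the enchant change narrows `enchant-[0-9]*` to `enchant-2` and will need revisiting when a new major version ships.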
@@ -55,3 +59,6 @@ # per-user dictionaries owner @{HOME}/.config/enchant/ rw, owner @{HOME}/.config/enchant/* rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/evince b/apparmor.d/abstractions/evince index e6a5757f7..8ff3fe068 100644 --- a/apparmor.d/abstractions/evince +++ b/apparmor.d/abstractions/evince @@ -3,9 +3,9 @@ # abstraction used by evince binaries # - #include - #include - #include + include + include + include @{PROC}/[0-9]*/fd/ r, @{PROC}/[0-9]*/mountinfo r, @@ -94,7 +94,7 @@ # access to the Cache directory, which the browser may tell evince to open # from directly. - #include + include audit deny @{HOME}/.gnupg/** mrwkl, audit deny @{HOME}/.ssh/** mrwkl, audit deny @{HOME}/.gnome2_private/** mrwkl, @@ -117,8 +117,8 @@ audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl, # When LP: #451422 is fixed, change the above to simply be: - ##include + include #owner @{HOME}/.mozilla/**/*Cache/* r, # Site-specific additions and overrides. See local/README for details. - #include + include diff --git a/apparmor.d/abstractions/exo-open b/apparmor.d/abstractions/exo-open index 6b14afa58..5717e4d79 100644 --- a/apparmor.d/abstractions/exo-open +++ b/apparmor.d/abstractions/exo-open @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via exo-open helper. # 
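Review bot: In the third evince hunk (`@@ -117,8 +117,8 @@`) the old `##include` line was a comment — the leading `#` commented out the `#include` directive, exactly as the line above it ("When LP: #451422 is fixed, change the above to simply be:") says — but the new `include` is an active directive, so the commit turns on an include that was deliberately parked pending that bug. The include target is not visible in this rendering, so I cannot judge how much it widens the profile, but a disabled grant becoming live is not something a mechanical `#include` to `include` rewrite should do. Keep it commented, e.g. `# include <target from the original line>`, and the same check is worth running over every other `##include` the sweep touched. The enchant hunk at the start of this line and the other evince and exo-open hunks raise nothing.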
@@ -18,27 +20,27 @@ # # # out-of-line child profile # profile foo//exo-open { -# #include +# include # # # needed for ubuntu-* abstractions -# #include +# include # # # Only allow to handle http[s]: and mailto: links -# #include -# #include +# include +# include # # # Add if accesibility access is considered as required # # (for message boxe in case exo-open fails) -# #include +# include # # # < add additional allowed applications here > # } - #include - #include # for alert messages - #include - #include - #include + include + include # for alert messages + include + include + include # Main executables @@ -71,4 +73,4 @@ owner @{HOME}/.local/share/xfce4/helpers/*.desktop r, # Include additions to the abstraction - #include if exists + include if exists diff --git a/apparmor.d/abstractions/fcitx b/apparmor.d/abstractions/fcitx index 3d26cc955..9321bfcd2 100644 --- a/apparmor.d/abstractions/fcitx +++ b/apparmor.d/abstractions/fcitx @@ -9,5 +9,10 @@ # # ------------------------------------------------------------------ - #include + abi , + + include dbus bus=fcitx, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/fcitx-strict b/apparmor.d/abstractions/fcitx-strict index d77373417..19d2191df 100644 --- a/apparmor.d/abstractions/fcitx-strict +++ b/apparmor.d/abstractions/fcitx-strict @@ -9,7 +9,9 @@ # # ------------------------------------------------------------------ - #include + abi , + + include dbus send bus=fcitx @@ -19,3 +21,6 @@ peer=(name=org.freedesktop.DBus), owner @{HOME}/.config/fcitx/dbus/* r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/file-browsing-strict b/apparmor.d/abstractions/file-browsing-strict index 838dc1d14..dff7f17c8 100644 --- a/apparmor.d/abstractions/file-browsing-strict +++ b/apparmor.d/abstractions/file-browsing-strict 
@@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , deny @{PROC}/@{pid}/mountinfo r, deny @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/abstractions/flatpak-snap b/apparmor.d/abstractions/flatpak-snap index 47fbbbd8c..f2259f4a8 100644 --- a/apparmor.d/abstractions/flatpak-snap +++ b/apparmor.d/abstractions/flatpak-snap @@ -11,7 +11,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # Flatpak /var/lib/flatpak/exports/share/{,**} r, diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index ce89f38db..6c5fefd53 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # The fontconfig cache can be generated via the following command: # $ fc-cache -f -v diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 81c118a5f..a57b7b610 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , owner @{HOME}/.cache/fontconfig/ rw, owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, diff --git a/apparmor.d/abstractions/fonts b/apparmor.d/abstractions/fonts index 5d7b173e5..402703d75 100644 --- a/apparmor.d/abstractions/fonts +++ b/apparmor.d/abstractions/fonts @@ -10,6 +10,8 @@ # # ------------------------------------------------------------------ + abi , + /usr/share/AbiSuite/fonts/** r, /usr/lib/xorg/modules/fonts/**.so* mr, @@ -59,3 +61,6 @@ # data files for LibThai /usr/share/libthai/thbrk.tri r, + + # Include additions to the abstraction + include if exists 
diff --git a/apparmor.d/abstractions/freedesktop.org b/apparmor.d/abstractions/freedesktop.org index 2ffaaf99c..7277cc1fe 100644 --- a/apparmor.d/abstractions/freedesktop.org +++ b/apparmor.d/abstractions/freedesktop.org @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # system configuration @{system_share_dirs}/applications/{**,} r, @{system_share_dirs}/icons/{**,} r, @@ -18,7 +20,8 @@ @{system_share_dirs}/mime/** r, # per-user configurations - owner @{HOME}/.icons/{**,} r, + owner @{HOME}/.icons/ r, + owner @{HOME}/.icons/default/index.theme r, owner @{HOME}/.recently-used.xbel* rw, owner @{HOME}/.local/share/recently-used.xbel* rw, owner @{HOME}/.config/user-dirs.dirs r, @@ -26,3 +29,6 @@ owner @{user_share_dirs}/applications/{**,} r, owner @{user_share_dirs}/icons/{**,} r, owner @{user_share_dirs}/mime/{**,} r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/fzf b/apparmor.d/abstractions/fzf index a45de60a9..b9f3ceb3b 100644 --- a/apparmor.d/abstractions/fzf +++ b/apparmor.d/abstractions/fzf @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , owner @{HOME}/.fzf/{,**} r, diff --git a/apparmor.d/abstractions/gio-open b/apparmor.d/abstractions/gio-open index ec6b18734..fda1fb9e3 100644 --- a/apparmor.d/abstractions/gio-open +++ b/apparmor.d/abstractions/gio-open @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via gio helper. # @@ -18,20 +20,20 @@ # # # out-of-line child profile # profile foo//gio-open { -# #include +# include # # # needed for ubuntu-* abstractions -# #include +# include # # # Only allow to handle http[s]: and mailto: links -# #include -# #include +# include +# include # # # < add additional allowed applications here > # } - #include - #include + include + include # Main executables 
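Review bot: The freedesktop.org hunk `@@ -18,7 +20,8 @@` narrows `owner @{HOME}/.icons/{**,} r,` to `owner @{HOME}/.icons/ r,` plus `owner @{HOME}/.icons/default/index.theme r,`, which removes read access to every user-installed icon theme below `~/.icons/`; that is a functional tightening unrelated to the abi/include migration the rest of the commit performs, and I cannot tell from the diff whether it is intended. If it is, it deserves a comment on the new lines such as `# only the default cursor theme is readable; other ~/.icons themes are intentionally not exposed` and ideally its own commit, since consumers that relied on the old rule will now see denials.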
@@ -54,4 +56,4 @@ owner @{PROC}/@{pid}/fd/ r, # Include additions to the abstraction - #include if exists + include if exists diff --git a/apparmor.d/abstractions/gnome b/apparmor.d/abstractions/gnome index 5bb2fc26d..94f3da630 100644 --- a/apparmor.d/abstractions/gnome +++ b/apparmor.d/abstractions/gnome @@ -9,13 +9,16 @@ # License published by the Free Software Foundation. # # ------------------------------------------------------------------ -#include -#include -#include -#include -#include -#include -#include + + abi , + + include + include + include + include + include + include + include # systemwide gtk defaults /etc/gnome/gtkrc* r, @@ -88,7 +91,7 @@ /usr/share/gvfs/remote-volume-monitors/ r, /usr/share/gvfs/remote-volume-monitors/* r, @{PROC}/@{pid}/mounts r, - /run/mount/utab r, + @{run}/mount/utab r, # printing /etc/papersize r, @@ -96,7 +99,7 @@ /usr/share/cups/charmaps/** r, # holds MIT-MAGIC-COOKIE for gnome - owner /{,var/}run/gdm/auth*/database r, + owner @{run}/gdm/auth*/database r, # mime-types /etc/gnome/defaults.list r, @@ -109,3 +112,6 @@ unix (send, receive, connect) type=stream peer=(addr="@/dbus-vfs-daemon/socket-*"), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/gnupg b/apparmor.d/abstractions/gnupg index d04c920df..050f04354 100644 --- a/apparmor.d/abstractions/gnupg +++ b/apparmor.d/abstractions/gnupg @@ -1,6 +1,8 @@ # vim:syntax=apparmor # gnupg sub-process running permissions + abi , + # user configurations owner @{HOME}/.gnupg/options r, owner @{HOME}/.gnupg/pubring.gpg r, @@ -9,3 +11,6 @@ owner @{HOME}/.gnupg/secring.gpg r, owner @{HOME}/.gnupg/so/*.x86_64 mr, owner @{HOME}/.gnupg/trustdb.gpg rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 00f1ac81d..c5735569f 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer 
@@ -1,8 +1,8 @@ # vim:syntax=apparmor - #include - #include - #include + include + include + include # TODO: adjust when support finer-grained netlink rules network netlink raw, diff --git a/apparmor.d/abstractions/gtk b/apparmor.d/abstractions/gtk index 537096677..8daed9cb5 100644 --- a/apparmor.d/abstractions/gtk +++ b/apparmor.d/abstractions/gtk @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , /usr/share/themes/{,**} r, diff --git a/apparmor.d/abstractions/gvfs-open b/apparmor.d/abstractions/gvfs-open index 397423daa..32653148a 100644 --- a/apparmor.d/abstractions/gvfs-open +++ b/apparmor.d/abstractions/gvfs-open @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via gvfs-open helper. # @@ -18,23 +20,23 @@ # # # out-of-line child profile # profile foo//gvfs-open { -# #include +# include # # # needed for ubuntu-* abstractions -# #include +# include # # # Only allow to handle http[s]: and mailto: links -# #include -# #include +# include +# include # # # < add additional allowed applications here > # } # ``` - #include + include # gvfs-open is deprecated, it launches gio open - #include + include # Main executables @@ -42,4 +44,4 @@ /{,usr/}bin/dash mr, # Include additions to the abstraction - #include if exists + include if exists diff --git a/apparmor.d/abstractions/hosts_access b/apparmor.d/abstractions/hosts_access index a4ffb022d..e5ea88c11 100644 --- a/apparmor.d/abstractions/hosts_access +++ b/apparmor.d/abstractions/hosts_access @@ -9,5 +9,9 @@ # # ------------------------------------------------------------------ + abi , + /etc/hosts.deny r, /etc/hosts.allow r, + + include if exists diff --git a/apparmor.d/abstractions/ibus b/apparmor.d/abstractions/ibus index a4431b99a..0d28b57bb 100644 --- a/apparmor.d/abstractions/ibus +++ b/apparmor.d/abstractions/ibus 
@@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # abstraction for ibus input methods owner @{HOME}/.config/ibus/ r, owner @{HOME}/.config/ibus/bus/ rw, @@ -27,3 +29,6 @@ unix (connect, receive, send) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*"), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/kde b/apparmor.d/abstractions/kde index cad5c7db0..a8eb44f8e 100644 --- a/apparmor.d/abstractions/kde +++ b/apparmor.d/abstractions/kde @@ -9,13 +9,15 @@ # # ------------------------------------------------------------------ -#include -#include -#include -#include -#include -#include -#include +abi , + +include +include +include +include +include +include +include /etc/qt3/kstylerc r, /etc/qt3/qt_plugins_3.3rc r, @@ -75,3 +77,6 @@ owner @{HOME}/.config/trashrc r, # Used by KFileWidget /usr/lib/@{multiarch}/qt4/lib*/lib*so* mr, /usr/lib/@{multiarch}/qt4/plugins/** mr, /usr/share/qt4/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/kde-globals-write b/apparmor.d/abstractions/kde-globals-write index 8425f3f9c..5db20a358 100644 --- a/apparmor.d/abstractions/kde-globals-write +++ b/apparmor.d/abstractions/kde-globals-write @@ -1,10 +1,15 @@ # vim:syntax=apparmor # Rules for changing KDE settings (for KFileDialog and other). - # User files + abi , + # User files + owner @{HOME}/.config/#[0-9]* rw, owner @{HOME}/.config/kdeglobals rw, - owner @{HOME}/.config/kdeglobals.?????? rwl -> /home/*/.config/#[0-9]*, + owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*, owner @{HOME}/.config/kdeglobals.lock rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/kde-icon-cache-write b/apparmor.d/abstractions/kde-icon-cache-write index d37fb3b8e..df3793e1a 100644 --- a/apparmor.d/abstractions/kde-icon-cache-write +++ b/apparmor.d/abstractions/kde-icon-cache-write 
@@ -1,7 +1,12 @@ # vim:syntax=apparmor # Rules for writing KDE icon cache + abi , + # User files owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/kde-language-write b/apparmor.d/abstractions/kde-language-write index ee4d03f3e..1314d21c6 100644 --- a/apparmor.d/abstractions/kde-language-write +++ b/apparmor.d/abstractions/kde-language-write @@ -1,4 +1,7 @@ # vim:syntax=apparmor + + abi , + # Rules for changing per-application language settings on KDE. Some KDE # applications have "Help -> Switch Application Language..." option, that needs # write access to language settings file. @@ -7,6 +10,9 @@ owner @{HOME}/.config/#[0-9]* rw, owner @{HOME}/.config/klanguageoverridesrc rw, - owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> /home/*/.config/#[0-9]*, + owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> @{HOME}/.config/#[0-9]*, owner @{HOME}/.config/klanguageoverridesrc.lock rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/kde-open5 b/apparmor.d/abstractions/kde-open5 index 4fb651ea9..5f4e0f753 100644 --- a/apparmor.d/abstractions/kde-open5 +++ b/apparmor.d/abstractions/kde-open5 @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via kde-open5 helper. # 
@@ -18,40 +20,40 @@ # # # out-of-line child profile # profile foo//kde-open5 { -# #include +# include # # # needed for ubuntu-* abstractions -# #include +# include # # # Only allow to handle http[s]: and mailto: links -# #include -# #include +# include +# include # # # Add if accesibility access is considered as required # # (for message boxe in case exo-open fails) -# #include +# include # # # Add if audio support for message box is # # considered as required. -# #include if exists +# include if exists # # # < add additional allowed applications here > # } # ``` - #include # for alert messages - #include - #include - #include - #include - #include - #include - #include - #include # for IceProcessMessages () from libICE.so (called by libQtCore.so) - #include - #include - #include - #include + include # for alert messages + include + include + include + include + include + include + include + include # for IceProcessMessages () from libICE.so (called by libQtCore.so) + include + include + include + include # Main executables @@ -96,9 +98,9 @@ # User files owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so - owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13 - owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure) + owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13 + owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure) owner @{HOME}/.cache/kio_http/ rw, # Include additions to the abstraction - #include if exists + include if exists diff --git a/apparmor.d/abstractions/kde4 b/apparmor.d/abstractions/kde4 index 6e5e0a546..104a338cd 100644 --- a/apparmor.d/abstractions/kde4 +++ b/apparmor.d/abstractions/kde4 
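Review bot: In the kde-open5 hunk `@@ -96,9 +98,9 @@` the rewritten line `owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*,` uses `[0-9]` (exactly one digit) for the uid directory in the link target while the source path uses `[0-9]*`, so the link rule only matches uids 0–9 and fails for every ordinary user. The old line carried the same single-digit pattern (plus a stray double slash), so this is inherited rather than introduced, but since the line is being rewritten anyway it should become `owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]*/#[0-9]*,`.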
@@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , /usr/share/kde4/** r, diff --git a/apparmor.d/abstractions/kde5-plasma5 b/apparmor.d/abstractions/kde5-plasma5 index e0f131036..d8954a2f4 100644 --- a/apparmor.d/abstractions/kde5-plasma5 +++ b/apparmor.d/abstractions/kde5-plasma5 @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ - #abi , + abi , - #include + include # KDE/Plasma5 themes #/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr, @@ -52,7 +52,7 @@ # Think what to do about this #FIXME# # It seems when a QT app is started in Plasma5/KDE5 environment it also wants the following. - ##include + include #signal (send) set=(term, kill) peer=unconfined, #deny @{sys}/bus/ r, #deny @{sys}/bus/usb/devices/ r, diff --git a/apparmor.d/abstractions/kerberosclient b/apparmor.d/abstractions/kerberosclient index 5b79e3d6b..386e8c118 100644 --- a/apparmor.d/abstractions/kerberosclient +++ b/apparmor.d/abstractions/kerberosclient @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # files required by kerberos client programs /usr/lib{,32,64}/krb5/plugins/libkrb5/ r, /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr, @@ -32,3 +34,6 @@ # credential caches /tmp/krb5cc* r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ldapclient b/apparmor.d/abstractions/ldapclient index 0c527282f..550963c43 100644 --- a/apparmor.d/abstractions/ldapclient +++ b/apparmor.d/abstractions/ldapclient @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + # files required by LDAP clients (e.g. nss_ldap/pam_ldap) /etc/ldap.conf r, /etc/ldap.secret r, 
@@ -19,6 +21,9 @@ /usr/lib{,32,64}/sasl2/* r, # local LDAP name service daemon - /{,var/}run/nslcd/socket rw, + @{run}/nslcd/socket rw, - #include + include + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/libpam-systemd b/apparmor.d/abstractions/libpam-systemd index 76ee86933..b99765f98 100644 --- a/apparmor.d/abstractions/libpam-systemd +++ b/apparmor.d/abstractions/libpam-systemd @@ -9,7 +9,9 @@ # # ------------------------------------------------------------------ -#include + abi , + +include # libpam-systemd notifies systemd-logind about session logins/logouts dbus send @@ -17,3 +19,6 @@ path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession}, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/libvirt-lxc b/apparmor.d/abstractions/libvirt-lxc index e556f2a7b..51516e68b 100644 --- a/apparmor.d/abstractions/libvirt-lxc +++ b/apparmor.d/abstractions/libvirt-lxc @@ -1,4 +1,4 @@ - #include + include umount, diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu index a03e9e2c9..98be0d4a2 100644 --- a/apparmor.d/abstractions/libvirt-qemu +++ b/apparmor.d/abstractions/libvirt-qemu @@ -1,6 +1,6 @@ - #include - #include - #include + include + include + include # required for reading disk images capability dac_override, diff --git a/apparmor.d/abstractions/lightdm b/apparmor.d/abstractions/lightdm index 1e64fd25e..a8ed92dd6 100644 --- a/apparmor.d/abstractions/lightdm +++ b/apparmor.d/abstractions/lightdm @@ -9,13 +9,13 @@ # Requires apparmor 2.9 - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include # bug in compiz https://launchpad.net/bugs/697678 /etc/compizconfig/config rw, 
diff --git a/apparmor.d/abstractions/lightdm_chromium-browser b/apparmor.d/abstractions/lightdm_chromium-browser index c8d6e6e6e..0547de064 100644 --- a/apparmor.d/abstractions/lightdm_chromium-browser +++ b/apparmor.d/abstractions/lightdm_chromium-browser @@ -31,7 +31,7 @@ profile chromium { # Allow all the same accesses as other applications in the guest session - #include + include # but also allow a few things because of chromium-browser's sandboxing that # are not appropriate to other guest session applications. diff --git a/apparmor.d/abstractions/likewise b/apparmor.d/abstractions/likewise index 7482842a6..3cf9c92c6 100644 --- a/apparmor.d/abstractions/likewise +++ b/apparmor.d/abstractions/likewise @@ -9,5 +9,10 @@ # # ------------------------------------------------------------------ + abi , + /tmp/.lwidentity/pipe rw, /var/lib/likewise-open/lwidentity_privileged/pipe rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/mdns b/apparmor.d/abstractions/mdns index 14c31b8c5..0e4a5dc01 100644 --- a/apparmor.d/abstractions/mdns +++ b/apparmor.d/abstractions/mdns @@ -8,7 +8,12 @@ # # ------------------------------------------------------------------ + abi , + # mdnsd /etc/mdns.allow r, /etc/nss_mdns.conf r, - /{,var/}run/mdnsd w, + @{run}/mdnsd w, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/mesa b/apparmor.d/abstractions/mesa index be699c774..01609ff92 100644 --- a/apparmor.d/abstractions/mesa +++ b/apparmor.d/abstractions/mesa @@ -1,6 +1,8 @@ # vim:syntax=apparmor # Rules for Mesa implementation of the OpenGL API + abi , + # System files /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() @@ -15,3 +17,6 @@ owner @{HOME}/.cache/mesa_shader_cache/??/ w, owner @{HOME}/.cache/mesa_shader_cache/??/* rwk, + + # Include additions to the abstraction + include if exists 
diff --git a/apparmor.d/abstractions/mesa-cache-write b/apparmor.d/abstractions/mesa-cache-write index 80f8850a2..ae016a0fd 100644 --- a/apparmor.d/abstractions/mesa-cache-write +++ b/apparmor.d/abstractions/mesa-cache-write @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # System files /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() diff --git a/apparmor.d/abstractions/mir b/apparmor.d/abstractions/mir index 16c57ec33..4ccc22ee9 100644 --- a/apparmor.d/abstractions/mir +++ b/apparmor.d/abstractions/mir @@ -9,9 +9,14 @@ # # ------------------------------------------------------------------ + abi , + # mir libraries sometimes do not have a lib prefix # see LP: #1422521 /usr/lib/@{multiarch}/mir/*.so* mr, /usr/lib/@{multiarch}/mir/**/*.so* mr, # unprivileged mir socket for clients + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/mozc b/apparmor.d/abstractions/mozc index f736bc26e..e7480c2e6 100644 --- a/apparmor.d/abstractions/mozc +++ b/apparmor.d/abstractions/mozc @@ -9,4 +9,9 @@ # # ------------------------------------------------------------------ + abi , + unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/mysql b/apparmor.d/abstractions/mysql index fed759bb0..4feccb44b 100644 --- a/apparmor.d/abstractions/mysql +++ b/apparmor.d/abstractions/mysql @@ -9,7 +9,12 @@ # # ------------------------------------------------------------------ + abi , + /var/lib/mysql{,d}/mysql{,d}.sock rw, - /{var/,}run/mysql{,d}/mysql{,d}.sock rw, + @{run}/mysql{,d}/mysql{,d}.sock rw, /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r, /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r, + + # Include additions to the abstraction + include if exists 
diff --git a/apparmor.d/abstractions/nameservice b/apparmor.d/abstractions/nameservice index a78a874d8..a4a6152bd 100644 --- a/apparmor.d/abstractions/nameservice +++ b/apparmor.d/abstractions/nameservice @@ -9,31 +9,28 @@ # # ------------------------------------------------------------------ + abi , + # Many programs wish to perform nameservice-like operations, such as # looking up users by name or id, groups by name or id, hosts by name # or IP, etc. These operations may be performed through files, dns, # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. - /etc/group r, - /etc/host.conf r, - /etc/hosts r, - /etc/nsswitch.conf r, - /etc/gai.conf r, - /etc/passwd r, - /etc/protocols r, + @{etc_ro}/group r, + @{etc_ro}/host.conf r, + @{etc_ro}/hosts r, + @{etc_ro}/nsswitch.conf r, + @{etc_ro}/gai.conf r, + @{etc_ro}/passwd r, + @{etc_ro}/protocols r, # libtirpc (used for NIS/YP login) needs this - /etc/netconfig r, + @{etc_ro}/netconfig r, # When using libnss-extrausers, the passwd and group files are merged from # an alternate path /var/lib/extrausers/group r, /var/lib/extrausers/passwd r, - # NSS records from systemd-userdbd.service - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r, - @{PROC}/sys/kernel/random/boot_id r, - # When using sssd, the passwd and group files are stored in an alternate path # and the nss plugin also needs to talk to a pipe /var/lib/sss/mc/group r, 
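Review bot: The nameservice hunk `@@ -9,31 +9,28 @@` replaces the literal `/etc/...` paths with `@{etc_ro}/...`, but `@{etc_ro}` is not defined anywhere in the visible diff, and the nameservice-strict hunk on this page keeps the literal `/etc/hosts r,`; unless a tunable that every consumer loads defines it, the parser will reject this very widely included abstraction. Either make sure the commit ships the tunable and add a comment at the first use stating the intended expansion (e.g. `# @{etc_ro} is defined in tunables — see <TUNABLE-FILE-PLACEHOLDER>`), or keep the literal paths here. The same variable is used throughout the following `@@ -41,56 +38,68 @@` hunk.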
@@ -41,56 +38,68 @@ /var/lib/sss/mc/passwd r, /var/lib/sss/pipes/nss rw, - /etc/resolv.conf r, + @{etc_ro}/resolv.conf r, # On systems where /etc/resolv.conf is managed programmatically, it is - # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf. - /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r, - /etc/resolvconf/run/resolv.conf r, - /{,var/}run/systemd/resolve/stub-resolv.conf r, + # a symlink to @{run}/(whatever program is managing it)/resolv.conf. + @{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r, + @{etc_ro}/resolvconf/run/resolv.conf r, + @{run}/systemd/resolve/stub-resolv.conf r, - /etc/samba/lmhosts r, - /etc/services r, + @{etc_ro}/samba/lmhosts r, + @{etc_ro}/services r, # db backend /var/lib/misc/*.db r, # The Name Service Cache Daemon can cache lookups, sometimes leading # to vast speed increases when working with network-based lookups. - /{,var/}run/.nscd_socket rw, - /{,var/}run/nscd/socket rw, + @{run}/.nscd_socket rw, + @{run}/nscd/socket rw, /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r, # nscd renames and unlinks files in it's operation that clients will # have open - /{,var/}run/nscd/db* rmix, + @{run}/nscd/db* rmix, # The nss libraries are sometimes used in addition to PAM; make sure # they are available /{usr/,}lib{,32,64}/libnss_*.so* mr, /{usr/,}lib/@{multiarch}/libnss_*.so* mr, - /etc/default/nss r, + @{etc_ro}/default/nss r, # avahi-daemon is used for mdns4 resolution - /{,var/}run/avahi-daemon/socket rw, + @{run}/avahi-daemon/socket rw, # libnl-3-200 via libnss-gw-name @{PROC}/@{pid}/net/psched r, - /etc/libnl-*/classid r, + @{etc_ro}/libnl-*/classid r, # nis - #include + include # ldap - #include + include # winbind - #include + include # likewise - #include + include # mdnsd - #include + include # kerberos - #include + include + + #libnss-systemd + include + + # Also allow lookups for systemd-exec's DynamicUsers 
via D-Bus + # https://www.freedesktop.org/software/systemd/man/systemd.exec.html + dbus send + bus=system + path="/org/freedesktop/systemd1" + interface="org.freedesktop.systemd1.Manager" + member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}" + peer=(name="org.freedesktop.systemd1"), # TCP/UDP network access network inet stream, @@ -104,3 +113,6 @@ # interface details @{PROC}/@{pid}/net/route r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index 333257174..e1a9e7084 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , /etc/hosts r, /etc/host.conf r, diff --git a/apparmor.d/abstractions/nis b/apparmor.d/abstractions/nis index 690e6796a..1aea3f14d 100644 --- a/apparmor.d/abstractions/nis +++ b/apparmor.d/abstractions/nis @@ -8,8 +8,13 @@ # # ------------------------------------------------------------------ + abi , + # NIS rules /var/yp/binding/* r, # portmapper may ask root processes to do nis/ldap at low ports capability net_bind_service, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/nss-systemd b/apparmor.d/abstractions/nss-systemd new file mode 100644 index 000000000..6ff17bc73 --- /dev/null +++ b/apparmor.d/abstractions/nss-systemd 
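Review bot: In the nameservice hunk `@@ -41,56 +38,68 @@` (which starts on the previous line) the nscd cache rule `/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,` is left with hard-coded `var/run`/`run` alternatives while the neighbouring nscd socket and `db*` rules are moved to `@{run}`; assuming `@{run}` carries the same `/run` and `/var/run` alternation those lines rely on, it should become `/{var/db,var/cache,var/lib}/nscd/{passwd,group,services,hosts} r,` plus `@{run}/nscd/{passwd,group,services,hosts} r,`. The new `dbus send` rule is scoped to three lookup members on `org.freedesktop.systemd1.Manager`, which is sensible, but it is added to an abstraction that nearly every profile includes, so the comment above it should say that it is deliberately kept here rather than in the nss-systemd abstraction that this hunk also includes. Minor: the section header `#libnss-systemd` should read `# libnss-systemd` like the `# nis`, `# ldap` and `# kerberos` headers above it.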
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi ,
+
+# libnss-systemd
+ #
+ # https://systemd.io/USER_GROUP_API/
+ # https://systemd.io/USER_RECORD/
+ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html
+ #
+ # Allow User/Group lookups via common VarLink socket APIs. Applications need
+ # to either consult all of them or the io.systemd.Multiplexer frontend.
+ @{run}/systemd/userdb/ r,
+ @{run}/systemd/userdb/io.systemd.Multiplexer rw,
+ @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
+ @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
+ @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
+
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists
diff --git a/apparmor.d/abstractions/nvidia b/apparmor.d/abstractions/nvidia
index b01ef8b55..b2d475f16 100644
--- a/apparmor.d/abstractions/nvidia
+++ b/apparmor.d/abstractions/nvidia
@@ -1,6 +1,8 @@
 # vim:syntax=apparmor
 # nvidia access requirements
-
+
+ abi ,
+
 # configuration queries
 capability ipc_lock,
@@ -26,3 +28,6 @@
 owner @{HOME}/.nv/GLCache/** rwk,
 unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
+
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/abstractions/opencl b/apparmor.d/abstractions/opencl
index 32a21b2a5..58b353238 100644
--- a/apparmor.d/abstractions/opencl
+++ b/apparmor.d/abstractions/opencl
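Review bot: The new file apparmor.d/abstractions/nss-systemd opens with a copyright header for Novell/SUSE 2002-2009 and Canonical Ltd. 2009-2011, which cannot be right for a file created in this commit; replace it with the real author and year or, if the header was copied as a template, say so. The rule `@{run}/systemd/userdb/ r,` and the four socket rules are explained, but `@{PROC}/sys/kernel/random/boot_id r,` is not; a comment such as `# boot_id is read by libnss-systemd — confirm against the library before relying on this` would tell the next maintainer why an NSS abstraction touches the random sysctl. The trailing `include if exists` also lacks the `# Include additions to the abstraction` comment that the rest of the commit places before that line.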
@@ -1,9 +1,15 @@ # vim:syntax=apparmor + + abi , + # OpenCL access requirements # TODO: use conditionals to select allowed implementations - #include - #include - #include - #include + include + include + include + include + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/opencl-common b/apparmor.d/abstractions/opencl-common index 0ad3d559a..a80b4ba2c 100644 --- a/apparmor.d/abstractions/opencl-common +++ b/apparmor.d/abstractions/opencl-common @@ -1,4 +1,7 @@ # vim:syntax=apparmor + + abi , + # implementation-independent OpenCL access requirements # System files @@ -8,3 +11,6 @@ @{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so @{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/opencl-intel b/apparmor.d/abstractions/opencl-intel index 353eeca29..4d0472330 100644 --- a/apparmor.d/abstractions/opencl-intel +++ b/apparmor.d/abstractions/opencl-intel @@ -1,13 +1,16 @@ # vim:syntax=apparmor + + abi , + # OpenCL access requirements for Intel implementation - #include + include # for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay()) - #include + include # for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so - #include + include # System files @@ -15,3 +18,6 @@ @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?) /usr/lib/@{multiarch}/beignet/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/opencl-mesa b/apparmor.d/abstractions/opencl-mesa index 9d7f82b27..a5cada614 100644 --- a/apparmor.d/abstractions/opencl-mesa +++ b/apparmor.d/abstractions/opencl-mesa @@ -1,7 +1,10 @@ # vim:syntax=apparmor + + abi , + # OpenCL access requirements for Mesa implementation - #include + include # Additional libraries 
@@ -18,3 +21,6 @@ owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/opencl-nvidia b/apparmor.d/abstractions/opencl-nvidia index 8a4764ecb..bbd432b14 100644 --- a/apparmor.d/abstractions/opencl-nvidia +++ b/apparmor.d/abstractions/opencl-nvidia @@ -1,8 +1,11 @@ # vim:syntax=apparmor + + abi , + # OpenCL access requirements for NVIDIA implementation - #include - #include + include + include # Executables @@ -28,3 +31,6 @@ owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/opencl-pocl b/apparmor.d/abstractions/opencl-pocl index 054689abc..8b93b0dc3 100644 --- a/apparmor.d/abstractions/opencl-pocl +++ b/apparmor.d/abstractions/opencl-pocl @@ -1,7 +1,9 @@ # vim:syntax=apparmor # OpenCL access requirements for POCL implementation - #include + abi , + + include # Executables @@ -28,7 +30,7 @@ @{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so @{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so /usr/share/pocl/** r, - /{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so + @{run}/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so # User files @@ -41,7 +43,7 @@ # Child profiles profile opencl_pocl_ld { - #include + include # Main executables @@ -54,7 +56,7 @@ } profile opencl_pocl_clang { - #include + include # Main executables @@ -74,3 +76,6 @@ owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw, } + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/openssl b/apparmor.d/abstractions/openssl index 697da7aeb..7dec53bf8 100644 --- a/apparmor.d/abstractions/openssl +++ b/apparmor.d/abstractions/openssl 
@@ -8,7 +8,12 @@ # # ------------------------------------------------------------------ + abi , + /etc/ssl/openssl.cnf r, /usr/share/ssl/openssl.cnf r, @{PROC}/sys/crypto/fips_enabled r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/orbit2 b/apparmor.d/abstractions/orbit2 index b8df9df6d..6e27461f5 100644 --- a/apparmor.d/abstractions/orbit2 +++ b/apparmor.d/abstractions/orbit2 @@ -1,5 +1,10 @@ # vim:syntax=apparmor # orbit2 permissions + abi , + # system library /usr/lib/orbit-2.0/*.so mr, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/p11-kit b/apparmor.d/abstractions/p11-kit index 84b7b11d6..29696815e 100644 --- a/apparmor.d/abstractions/p11-kit +++ b/apparmor.d/abstractions/p11-kit @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + /etc/pkcs11/ r, /etc/pkcs11/pkcs11.conf r, /etc/pkcs11/modules/ r, @@ -20,8 +22,11 @@ /usr/share/p11-kit/modules/* r, # gnome-keyring pkcs11 module - owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw, + owner @{run}/user/[0-9]*/keyring*/pkcs11 rw, # p11-kit also supports reading user configuration from ~/.pkcs11 depending # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be # included in this abstraction. + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/perl b/apparmor.d/abstractions/perl index 0e20aeb5c..39718535a 100644 --- a/apparmor.d/abstractions/perl +++ b/apparmor.d/abstractions/perl @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # a few files typically required for perl scripts /usr/bin/perl rmix, /usr/bin/perl[0-9].[0-9].[0-9] rmix, @@ -21,3 +23,6 @@ /usr/share/perl/** r, /usr/share/perl5/** r, /etc/perl/** r, + + # Include additions to the abstraction + include if exists 
diff --git a/apparmor.d/abstractions/php b/apparmor.d/abstractions/php index 4aba2415c..cd3172d42 100644 --- a/apparmor.d/abstractions/php +++ b/apparmor.d/abstractions/php @@ -10,6 +10,8 @@ # # ------------------------------------------------------------------ + abi , + # shared snippets for config files /etc/php{,5,7}/**/ r, /etc/php{,5,7}/**.ini r, @@ -37,3 +39,6 @@ # Zend opcache /tmp/.ZendSem.* rwlk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/php-worker b/apparmor.d/abstractions/php-worker new file mode 100644 index 000000000..a476e4071 --- /dev/null +++ b/apparmor.d/abstractions/php-worker @@ -0,0 +1,22 @@ +# vim:syntax=apparmor + +# This file contains basic permissions for php-fpm workers + + abi , + + # load common libraries and their support files + include + # common php files and support files that php needs + include + + signal (receive) peer=php-fpm, + + # This is some php opcaching file + /tmp/.ZendSem.* rwk, + + # I think this is adaptive memory management + /sys/devices/system/node/* r, + /sys/devices/system/node/*/meminfo r, + /sys/devices/system/node/ r, + + include if exists diff --git a/apparmor.d/abstractions/php5 b/apparmor.d/abstractions/php5 index 9f5355f98..25f8001e8 100644 --- a/apparmor.d/abstractions/php5 +++ b/apparmor.d/abstractions/php5 @@ -1,3 +1,8 @@ #backwards compatibility include, actual abstraction moved from php5 to php -#include + abi , + + include + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/postfix-common b/apparmor.d/abstractions/postfix-common index b10f888f3..c45fe8115 100644 --- a/apparmor.d/abstractions/postfix-common +++ b/apparmor.d/abstractions/postfix-common 
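Review bot: The three `/sys/devices/system/node/...` rules in the new php-worker abstraction hard-code `/sys`, while the rest of this commit (opencl-common in the previous hunk, for example) writes the same paths with the `@{sys}` variable; they should read `@{sys}/devices/system/node/ r,`, `@{sys}/devices/system/node/* r,` and `@{sys}/devices/system/node/*/meminfo r,` so that the abstraction follows the same variable convention. The two tentative comments (`# This is some php opcaching file`, `# I think this is adaptive memory management`) ship guesses into policy that other profiles will inherit; either state which component was observed needing each access or drop the speculation and keep only the rule. The `/tmp/.ZendSem.*` rule grants `rwk` here whereas the php abstraction in the same hunk grants `rwlk` for the same path; if the narrower set is intentional for workers, a one-line comment saying so would stop the next maintainer from "fixing" it.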
@@ -11,16 +11,16 @@ # ------------------------------------------------------------------ # used with postfix/* + abi , + capability setuid, capability setgid, capability sys_chroot, # postfix's master can send us signals - signal receive peer=/usr/lib/postfix/master, signal receive peer=postfix-master, - unix (send, receive) peer=(label=/usr/lib/postfix/master), unix (send, receive) peer=(label=postfix-master), /etc/mailname r, @@ -37,3 +37,8 @@ /var/spool/postfix/etc/* r, /var/spool/postfix/lib/lib*.so* mr, /var/spool/postfix/lib/@{multiarch}/lib*.so* mr, + + /etc/postfix/dynamicmaps.cf.d/ r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/private-files b/apparmor.d/abstractions/private-files index 09f6d9bdc..5f0504178 100644 --- a/apparmor.d/abstractions/private-files +++ b/apparmor.d/abstractions/private-files @@ -2,6 +2,8 @@ # privacy-violations contains rules for common files that you want to # explicitly deny access + abi , + # privacy violations (don't audit files under $HOME otherwise get a # lot of false positives when reading contents of directories) deny @{HOME}/.*history mrwkl, @@ -45,3 +47,6 @@ deny @{HOME}/.zshenv mrk, audit deny @{HOME}/.zshenv wl, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/private-files-strict b/apparmor.d/abstractions/private-files-strict index 31934318f..f732bec89 100644 --- a/apparmor.d/abstractions/private-files-strict +++ b/apparmor.d/abstractions/private-files-strict @@ -2,7 +2,9 @@ # privacy-violations-strict contains additional rules for sensitive # files that you want to explicitly deny access - #include + abi , + + include # potentially extremely sensitive files audit deny @{HOME}/.aws/{,**} mrwkl, 
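Review bot: Dropping the `peer=/usr/lib/postfix/master` variants of the `signal receive` and `unix (send, receive)` rules in postfix-common means that on a system where the master is still confined under the path-named profile, its signals and unix-socket traffic to every daemon including this abstraction will now be denied; the change only works if the master profile has been renamed to `postfix-master` in the same series, which this diff does not show. If that rename is in a companion commit, the commit message should say so, otherwise keeping both peer forms for one release cycle is the safer transition. The added `/etc/postfix/dynamicmaps.cf.d/ r,` only grants listing of the directory; if the files inside are read as well, `/etc/postfix/dynamicmaps.cf.d/* r,` is presumably also needed.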
@@ -12,7 +14,7 @@ audit deny @{HOME}/.gnome2/ w, audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl, # don't allow access to any gnome-keyring modules - audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl, + audit deny @{run}/user/[0-9]*/keyring** mrwkl, audit deny @{HOME}/.mozilla/{,**} mrwkl, audit deny @{HOME}/.config/ w, audit deny @{HOME}/.config/chromium/{,**} mrwkl, @@ -23,3 +25,6 @@ audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl, audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/python b/apparmor.d/abstractions/python index 6c81af84a..11a4e9972 100644 --- a/apparmor.d/abstractions/python +++ b/apparmor.d/abstractions/python @@ -10,6 +10,8 @@ # # ------------------------------------------------------------------ + abi , + /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr, /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r, /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r, @@ -37,5 +39,5 @@ # python build configuration and headers /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r, - # Silencer - deny /usr/lib{,32,64}/python*/** w, + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/qt5 b/apparmor.d/abstractions/qt5 index 66a574bf7..83dc00c4e 100644 --- a/apparmor.d/abstractions/qt5 +++ b/apparmor.d/abstractions/qt5 @@ -1,6 +1,8 @@ # vim:syntax=apparmor # Common rules for Qt5-based applications + abi , + # Additional libraries /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr, @@ -20,3 +22,6 @@ owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access) owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins + + # Include additions to the abstraction + include if exists 
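Review bot: The python hunk silently removes `deny /usr/lib{,32,64}/python*/** w,` along with its `# Silencer` comment, replacing it with the local include; that deny is what kept a profile's broad write grants (a `/** w` style rule or `owner @{HOME}/** w` with a relocated prefix) from covering the interpreter's importable module tree, so every profile that includes abstractions/python loses that guard in one step. If the removal is deliberate (for example because it conflicted with profiles that install packages), the reason belongs in the commit message and the rule could move to the local include instead; otherwise `deny /usr/lib{,32,64}/python*/** w,` should stay above the new `include if exists` line. As written, the hunk reads like the deny was collateral damage of adding the local include.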
diff --git a/apparmor.d/abstractions/qt5-compose-cache-write b/apparmor.d/abstractions/qt5-compose-cache-write index 38cb23486..5322ea031 100644 --- a/apparmor.d/abstractions/qt5-compose-cache-write +++ b/apparmor.d/abstractions/qt5-compose-cache-write @@ -1,8 +1,13 @@ # vim:syntax=apparmor # Allow writing cache for Qt5 "platforminputcontexts" plugins + abi , + # User files owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9], owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory) + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/qt5-settings-write b/apparmor.d/abstractions/qt5-settings-write index 07d10972d..327390ace 100644 --- a/apparmor.d/abstractions/qt5-settings-write +++ b/apparmor.d/abstractions/qt5-settings-write @@ -1,6 +1,8 @@ # vim:syntax=apparmor # Allow writing shared settings for Qt-based applications + abi , + # User files owner @{HOME}/.config/#[0-9]*[0-9] rw, @@ -9,3 +11,6 @@ owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], owner @{HOME}/.config/QtProject.conf.lock rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/recent-documents-write b/apparmor.d/abstractions/recent-documents-write index 320ec9433..02962e4c7 100644 --- a/apparmor.d/abstractions/recent-documents-write +++ b/apparmor.d/abstractions/recent-documents-write @@ -1,10 +1,15 @@ # vim:syntax=apparmor # Allow updating recent documents + abi , + # User files owner @{HOME}/.local/share/RecentDocuments/ rw, owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw, - owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> /home/*/.local/share/RecentDocuments/#[0-9]*, + owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*, owner @{HOME}/.local/share/RecentDocuments/*.lock rwk, + + # Include additions to the abstraction + include if exists 
diff --git a/apparmor.d/abstractions/ruby b/apparmor.d/abstractions/ruby index ff4ac9fac..a71a2043b 100644 --- a/apparmor.d/abstractions/ruby +++ b/apparmor.d/abstractions/ruby @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r, /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r, /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/*-linux/**.so mr, @@ -19,3 +21,6 @@ /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/ r, /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/samba b/apparmor.d/abstractions/samba index 1cab7309e..c6601abd0 100644 --- a/apparmor.d/abstractions/samba +++ b/apparmor.d/abstractions/samba @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + /etc/samba/* r, /usr/lib*/ldb/*.so mr, /usr/lib*/samba/ldb/*.so mr, @@ -20,8 +22,15 @@ /var/log/samba/cores/ rw, /var/log/samba/cores/** rw, /var/log/samba/* w, - /{,var/}run/samba/ w, - /{,var/}run/samba/*.tdb rw, + @{run}/samba/ w, + @{run}/samba/*.tdb rw, + @{run}/samba/msg.lock/ rwk, + @{run}/samba/msg.lock/[0-9]* rwk, + /var/cache/samba/msg.lock/ rwk, + /var/cache/samba/msg.lock/[0-9]* rwk, # required for clustering /var/lib/ctdb/** rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/smbpass b/apparmor.d/abstractions/smbpass index eb4cf26bb..89534d464 100644 --- a/apparmor.d/abstractions/smbpass +++ b/apparmor.d/abstractions/smbpass @@ -9,5 +9,10 @@ # # ------------------------------------------------------------------ + abi , + # libpam-smbpass/pam_smbpass.so permissions /var/lib/samba/*.[lt]db rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ssl_certs b/apparmor.d/abstractions/ssl_certs index 789efc580..bf6ae67cd 100644 --- a/apparmor.d/abstractions/ssl_certs 
+++ b/apparmor.d/abstractions/ssl_certs @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + /etc/ssl/ r, /etc/ssl/certs/ r, /etc/ssl/certs/* r, @@ -42,3 +44,6 @@ /etc/certbot/archive/*/cert*.pem r, /etc/certbot/archive/*/chain*.pem r, /etc/certbot/archive/*/fullchain*.pem r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ssl_keys b/apparmor.d/abstractions/ssl_keys index 2de760b56..f310bb5a1 100644 --- a/apparmor.d/abstractions/ssl_keys +++ b/apparmor.d/abstractions/ssl_keys @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # private ssl permissions # Just include the whole /etc/ssl directory if we should have access to @@ -28,3 +30,6 @@ /etc/letsencrypt/archive/*/privkey*.pem r, /etc/certbot/archive/*/privkey*.pem r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/svn-repositories b/apparmor.d/abstractions/svn-repositories index 68ac5e0be..d518f1d0b 100644 --- a/apparmor.d/abstractions/svn-repositories +++ b/apparmor.d/abstractions/svn-repositories @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + # This little snippet should abstract the read/write access to a repository. # it is intended to be included in profiles for svnserve/apache2 and maybe # some repository viewers like trac/viewvc @@ -50,3 +52,6 @@ /tmp/apr* rwl, /var/tmp/apr* rwl, /tmp/report*.tmp rwl, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/systemd-common b/apparmor.d/abstractions/systemd-common index 345675703..b29ff1846 100644 --- a/apparmor.d/abstractions/systemd-common +++ b/apparmor.d/abstractions/systemd-common 
@@ -9,13 +9,14 @@
 #
 # ------------------------------------------------------------------
- #abi ,
+ abi ,
 ptrace (read),
 owner @{PROC}/@{pid}/stat r,
 @{PROC}/1/environ r,
 @{PROC}/1/sched r,
+ @{PROC}/1/cgroup r,
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/kernel/random/boot_id r,
diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read
index 74109b101..68c89d236 100644
--- a/apparmor.d/abstractions/thumbnails-cache-read
+++ b/apparmor.d/abstractions/thumbnails-cache-read
@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
- #abi ,
+ abi ,
 owner @{HOME}/.cache/thumbnails/ r,
 owner @{HOME}/.cache/thumbnails/{large,normal}/ r,
diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write
index fdd16f200..85c4cc23a 100644
--- a/apparmor.d/abstractions/thumbnails-cache-write
+++ b/apparmor.d/abstractions/thumbnails-cache-write
@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
- #abi ,
+ abi ,
 owner @{HOME}/.cache/thumbnails/ rw,
 owner @{HOME}/.cache/thumbnails/{large,normal}/ rw,
diff --git a/apparmor.d/abstractions/tor b/apparmor.d/abstractions/tor
index f2fe3c4e4..eb375573c 100644
--- a/apparmor.d/abstractions/tor
+++ b/apparmor.d/abstractions/tor
@@ -1,8 +1,8 @@
 # vim:syntax=apparmor
- #include
- #include
- #include
+ include
+ include
+ include
 network tcp,
 network udp,
diff --git a/apparmor.d/abstractions/totem b/apparmor.d/abstractions/totem
index e8b82a83c..a1ebac2ac 100644
--- a/apparmor.d/abstractions/totem
+++ b/apparmor.d/abstractions/totem
@@ -15,10 +15,10 @@
 # While ideally we would narrow down our read access to the above, this is
 # a maintenance problem and doesn't work for files without extensions.
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 # Allow read on all directories
 /**/ r,
diff --git a/apparmor.d/abstractions/trash b/apparmor.d/abstractions/trash
index 4b686ce9a..3c2a0d1ef 100644
--- a/apparmor.d/abstractions/trash
+++ b/apparmor.d/abstractions/trash
@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
- #abi ,
+ abi ,
 owner @{HOME}/.config/trashrc rw,
 owner @{HOME}/.config/trashrc.lock rwk,
diff --git a/apparmor.d/abstractions/ubuntu-bittorrent-clients b/apparmor.d/abstractions/ubuntu-bittorrent-clients
index fb820c5a5..0d929ad61 100644
--- a/apparmor.d/abstractions/ubuntu-bittorrent-clients
+++ b/apparmor.d/abstractions/ubuntu-bittorrent-clients
@@ -2,9 +2,11 @@
 #
 # abstraction for allowing graphical bittorrent clients in Ubuntu
 #
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include
+# include
+
+ abi ,
 /usr/bin/azureus Cxr -> sanitized_helper,
 /usr/bin/bitstormlite Cxr -> sanitized_helper,
@@ -15,3 +17,6 @@
 /usr/bin/ktorrent Cxr -> sanitized_helper,
 /usr/bin/qbittorrent Cxr -> sanitized_helper,
 /usr/bin/transmission{,-gtk,-qt,-cli} Cxr -> sanitized_helper,
+
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/abstractions/ubuntu-browsers b/apparmor.d/abstractions/ubuntu-browsers
index d4438ad6a..c2c710a11 100644
--- a/apparmor.d/abstractions/ubuntu-browsers
+++ b/apparmor.d/abstractions/ubuntu-browsers
@@ -2,25 +2,23 @@ # # abstraction for allowing access to graphical browsers in Ubuntu # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/arora Cx -> sanitized_helper, - /usr/bin/conkeror Cx -> sanitized_helper, /usr/bin/dillo Cx -> sanitized_helper, /usr/bin/Dooble Cx -> sanitized_helper, /usr/bin/epiphany Cx -> sanitized_helper, /usr/bin/epiphany-browser Cx -> sanitized_helper, /usr/bin/epiphany-webkit Cx -> sanitized_helper, /usr/lib/fennec-*/fennec Cx -> sanitized_helper, - /usr/bin/galeon Cx -> sanitized_helper, /usr/bin/kazehakase Cx -> sanitized_helper, /usr/bin/konqueror Cx -> sanitized_helper, /usr/bin/midori Cx -> sanitized_helper, /usr/bin/netsurf Cx -> sanitized_helper, - /usr/bin/prism Cx -> sanitized_helper, - /usr/bin/rekonq Cx -> sanitized_helper, /usr/bin/seamonkey Cx -> sanitized_helper, /usr/bin/sensible-browser Pixr, @@ -40,3 +38,4 @@ /usr/lib/icecat-*/icecat Cx -> sanitized_helper, /usr/bin/opera Cx -> sanitized_helper, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper, + /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper, diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser b/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser new file mode 100644 index 000000000..95724f1a4 --- /dev/null +++ b/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser 
@@ -0,0 +1,26 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# Author: Jamie Strandboge + +# For site-specific adjustments, please see: +# /etc/apparmor.d/local/chromium-browser + +abi , + +include +include +include +include +include +include +include +include +include diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/java b/apparmor.d/abstractions/ubuntu-browsers.d/java index e0a67cf31..ae93c755d 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/java +++ b/apparmor.d/abstractions/ubuntu-browsers.d/java @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # Java plugin owner @{HOME}/.java/deployment/deployment.properties k, /etc/java-*/ r, @@ -18,14 +20,14 @@ # unfortunate workarounds of the proprietary Javas, so have a separate # profile. profile browser_openjdk { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include network inet stream, network inet6 stream, @@ -64,14 +66,14 @@ # Profile for commercial Javas. These need workarounds to work right (eg # Sun's forcing of an executable stack (LP: #535247)). profile browser_java { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/kde b/apparmor.d/abstractions/ubuntu-browsers.d/kde index 038952a8b..bdac331e3 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/kde +++ b/apparmor.d/abstractions/ubuntu-browsers.d/kde 
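Review bot: The header of the new ubuntu-browsers.d/chromium-browser abstraction points readers to `/etc/apparmor.d/local/chromium-browser` for site-specific adjustments, but the file itself contains no `include if exists` line, unlike every other abstraction touched in this commit, which ends with the `# Include additions to the abstraction` / `include if exists` pair. Either that pair should be appended after the last `include` so the referenced local file is actually consulted, or, if the intent is that the chromium-browser profile (not this abstraction) includes the local file, the comment should say so explicitly. The include targets are stripped in this rendering, so this note assumes none of the nine `include` lines already pulls in a local file.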
@@ -1,7 +1,9 @@ # vim:syntax=apparmor -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include - #include + abi , + + include /usr/bin/kde4-config Cx -> sanitized_helper, diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/mailto b/apparmor.d/abstractions/ubuntu-browsers.d/mailto index 40236a7bd..8d1570986 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/mailto +++ b/apparmor.d/abstractions/ubuntu-browsers.d/mailto @@ -1,9 +1,11 @@ # vim:syntax=apparmor + abi , + # for mailto: - #include - #include + include + include # Terminals for using console applications. These abstractions should ideally # have 'ix' to restrct access to what only firefox is allowed to do - #include + include diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/multimedia b/apparmor.d/abstractions/ubuntu-browsers.d/multimedia index 591d6b854..f2eb23ef3 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/multimedia +++ b/apparmor.d/abstractions/ubuntu-browsers.d/multimedia @@ -1,9 +1,11 @@ # vim:syntax=apparmor -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include - #include + abi , + + include # Pulseaudio /usr/bin/pulseaudio Pixr, @@ -13,10 +15,9 @@ /usr/bin/gimp* Cxr -> sanitized_helper, /usr/bin/shotwell Cxr -> sanitized_helper, /usr/bin/digikam Cxr -> sanitized_helper, - /usr/bin/f-spot Cxr -> sanitized_helper, /usr/bin/gwenview Cxr -> sanitized_helper, - #include + include owner @{HOME}/.adobe/ w, owner @{HOME}/.adobe/** rw, owner @{HOME}/.macromedia/ w, 
@@ -25,18 +26,8 @@ /usr/bin/lpstat Cxr -> sanitized_helper, /usr/bin/lpr Cxr -> sanitized_helper, - # npviewer - /usr/lib/nspluginwrapper/i386/linux/npviewer{,.bin} ixr, - /var/lib/ r, - /var/lib/**/*.so mr, - /usr/bin/setarch ixr, - # Bittorrent clients - #include - - # Mozplugger - /etc/mozpluggerrc r, - /usr/bin/mozplugger-helper Cxr -> sanitized_helper, + include # Archivers /usr/bin/ark Cxr -> sanitized_helper, @@ -45,16 +36,10 @@ /usr/local/lib{,32,64}/*.so* mr, # News feed readers - #include - - # Googletalk - /opt/google/talkplugin/*.so mr, - /opt/google/talkplugin/lib/*.so mr, - /opt/google/talkplugin/GoogleTalkPlugin ixr, - owner @{HOME}/.config/google-googletalkplugin/** rw, + include # If we allow the above, nvidia based systems will also need this - #include + include # Virus scanners /usr/bin/clamscan Cx -> sanitized_helper, diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common b/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common index c928f92cc..5d93b262e 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common +++ b/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # # Plugins/helpers # @@ -13,4 +15,4 @@ # Since all the ubuntu-browsers.d abstractions need this, just include it # here - #include + include diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/productivity b/apparmor.d/abstractions/ubuntu-browsers.d/productivity index 2c898d130..1fc67a84a 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/productivity +++ b/apparmor.d/abstractions/ubuntu-browsers.d/productivity @@ -1,7 +1,9 @@ # vim:syntax=apparmor -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , # Openoffice.org /usr/bin/ooffice Cxr -> sanitized_helper, 
@@ -22,7 +24,3 @@
 # PDFs
 /usr/bin/evince Cxr -> sanitized_helper,
 /usr/bin/okular Cxr -> sanitized_helper,
-
- owner @{HOME}/.adobe/** rw,
- /opt/Adobe/Reader9/bin/acroread Cxr -> sanitized_helper,
- /opt/Adobe/Reader9/** r,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/text-editors b/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
index bf5eb1d18..e04c6b80b 100644
--- a/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
@@ -1,7 +1,9 @@
 # vim:syntax=apparmor
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include
+# include
+
+ abi ,
 # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
 /usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
index 0cd0928ef..cdbd47cd3 100644
--- a/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
@@ -1,16 +1,15 @@
 # vim:syntax=apparmor
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include
+# include
+
+ abi ,
 # Apport
 /usr/bin/apport-bug Cx -> sanitized_helper,
 # Package installation
 /usr/bin/apturl Cxr -> sanitized_helper,
- /usr/bin/gnome-codec-install Cxr -> sanitized_helper,
- /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
- /usr/lib/@{multiarch}/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
 /usr/share/software-center/software-center Cxr -> sanitized_helper,
 # Input Methods
@@ -29,10 +28,7 @@
 /usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
 # Exo-aware applications
- /usr/bin/exo-open ixr,
- /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
- /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
- /etc/xdg/xfce4/helpers.rc r,
+ include
 # unity webapps integration. Could go in its own abstraction
 owner /run/user/*/dconf/user rw,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
index 0429c13fd..c6a8eeddd 100644
--- a/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
@@ -1,6 +1,8 @@
 # vim:syntax=apparmor
+ abi ,
+
 # firefox-notify
- #include
+ include
 /usr/bin/python2.[4567] ix,
 /usr/share/xul-ext/notify/**/download_complete_notify.py ix,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/user-files b/apparmor.d/abstractions/ubuntu-browsers.d/user-files
index ffe68245b..e2965f019 100644
--- a/apparmor.d/abstractions/ubuntu-browsers.d/user-files
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/user-files
@@ -1,5 +1,7 @@
 # vim:syntax=apparmor
+ abi ,
+
 # Allow read to all files user has DAC access to and write access to all
 # files owned by the user in $HOME.
 @{HOME}/ r,
@@ -7,7 +9,7 @@
 owner @{HOME}/** w,
 # Do not allow read and/or write to particularly sensitive/problematic files
- #include
+ include
 audit deny @{HOME}/.ssh/{,**} mrwkl,
 audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
 audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
diff --git a/apparmor.d/abstractions/ubuntu-console-browsers b/apparmor.d/abstractions/ubuntu-console-browsers
index 554469e75..8f6687ae1 100644
--- a/apparmor.d/abstractions/ubuntu-console-browsers
+++ b/apparmor.d/abstractions/ubuntu-console-browsers
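Review bot: The context line `owner /run/user/*/dconf/user rw,` directly below the new `include` in ubuntu-integration still hard-codes `/run`, while this same commit rewrites p11-kit, samba, opencl-pocl and private-files-strict to the `@{run}` variable; since the hunk already edits this region, `owner @{run}/user/[0-9]*/dconf/user rw,` would bring it in line with the `@{run}/user/[0-9]*` form used in the p11-kit hunk. The single `include` that replaces the four exo rules has its target stripped in this rendering, so whether it still covers `/etc/xdg/xdg-xubuntu/xfce4/helpers.rc` cannot be checked here; a short comment naming what the included abstraction covers would help reviewers of the next change.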
@@ -4,11 +4,13 @@ # typically also need a terminal, so when using this abstraction, should also # do something like: # -# #include +# include # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/elinks Cx -> sanitized_helper, /usr/bin/links Cx -> sanitized_helper, @@ -16,3 +18,6 @@ /usr/bin/netrik Cx -> sanitized_helper, /usr/bin/w3m Cx -> sanitized_helper, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-console-email b/apparmor.d/abstractions/ubuntu-console-email index f77c9bd62..ee741fdfd 100644 --- a/apparmor.d/abstractions/ubuntu-console-email +++ b/apparmor.d/abstractions/ubuntu-console-email @@ -4,11 +4,13 @@ # typically also need a terminal, so when using this abstraction, should also # do something like: # -# #include +# include # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/alpine Cx -> sanitized_helper, /usr/bin/citadel Cx -> sanitized_helper, @@ -16,3 +18,6 @@ /usr/bin/elmo Cx -> sanitized_helper, /usr/bin/mutt Cx -> sanitized_helper, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-email b/apparmor.d/abstractions/ubuntu-email index 48e0c6f40..45f02eba2 100644 --- a/apparmor.d/abstractions/ubuntu-email +++ b/apparmor.d/abstractions/ubuntu-email 
@@ -2,9 +2,11 @@ # # abstraction for allowing graphical email clients in Ubuntu # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/anjal Cx -> sanitized_helper, /usr/bin/balsa Cx -> sanitized_helper, @@ -22,3 +24,6 @@ /usr/bin/thunderbird Cx -> sanitized_helper, # used by gio-launch-desktop /usr/lib/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-feed-readers b/apparmor.d/abstractions/ubuntu-feed-readers index 85379e300..e8b89b1d3 100644 --- a/apparmor.d/abstractions/ubuntu-feed-readers +++ b/apparmor.d/abstractions/ubuntu-feed-readers @@ -2,9 +2,14 @@ # # abstraction for allowing graphical news feed readers in Ubuntu # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/akregator Cxr -> sanitized_helper, /usr/bin/liferea-add-feed Cxr -> sanitized_helper, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-gnome-terminal b/apparmor.d/abstractions/ubuntu-gnome-terminal index 7604df1e7..c6280b0ef 100644 --- a/apparmor.d/abstractions/ubuntu-gnome-terminal +++ b/apparmor.d/abstractions/ubuntu-gnome-terminal @@ -3,8 +3,13 @@ # for allowing access to gnome-terminal # - #include + abi , + + include # do not use ux or PUx here. Use at a minimum ix /usr/bin/gnome-terminal ix, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-helpers b/apparmor.d/abstractions/ubuntu-helpers index a1ab7bc04..4b9ea96b2 100644 --- a/apparmor.d/abstractions/ubuntu-helpers +++ b/apparmor.d/abstractions/ubuntu-helpers 
@@ -9,7 +9,7 @@ # # Usage: # Because this abstraction defines the sanitized_helper profile, it must only -# be #included once. Therefore this abstraction should typically not be +# be included once. Therefore this abstraction should typically not be # included in other abstractions so as to avoid parser errors regarding # multiple definitions. # @@ -31,17 +31,19 @@ # Use at your own risk. This profile was developed as an interim workaround for # LP: #851986 until AppArmor utilizes proper environment filtering. + abi , + profile sanitized_helper { - #include - #include + include + include # Allow all networking network inet, network inet6, # Allow all DBus communications - #include - #include + include + include dbus, # Needed for Google Chrome @@ -72,6 +74,12 @@ profile sanitized_helper { /opt/google/chrome{,-beta,-unstable}/chrome Pixr, /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m, + # The same is needed for Brave + /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr, + /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr, + /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr, + /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m, + # Full access / r, /** rwkl, diff --git a/apparmor.d/abstractions/ubuntu-konsole b/apparmor.d/abstractions/ubuntu-konsole index baa8fb395..4ece2bd37 100644 --- a/apparmor.d/abstractions/ubuntu-konsole +++ b/apparmor.d/abstractions/ubuntu-konsole @@ -3,8 +3,10 @@ # for allowing access to konsole # - #include - #include + abi , + + include + include capability sys_ptrace, @{PROC}/@{pid}/status r, @{PROC}/@{pid}/stat r, @@ -15,3 +17,6 @@ # do not use ux or Ux here. Use at a minimum ix /usr/bin/konsole ix, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-media-players b/apparmor.d/abstractions/ubuntu-media-players index 5918cb8c1..5fa48e75b 100644 --- a/apparmor.d/abstractions/ubuntu-media-players 
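Review bot: `chrome-sandbox PUxr` in the new Brave block executes the setuid sandbox helper with the `U` fallback, i.e. unconfined whenever no profile of its own is loaded, whereas the browser binaries on the next two lines get `Pixr`, and nothing on the line says why the weaker mode is required. The `# The same is needed for Brave` comment implies the Google Chrome rules above use the same pattern, but those lines are not in the hunk, so the rationale should be stated here, e.g. `# chrome-sandbox is the setuid sandbox helper; PUx falls back to unconfined until a dedicated profile exists`. The repeated `{,-beta,-dev,-nightly}` alternation also matches mixed channel pairs such as `brave-beta/brave-browser-nightly`, which is harmless but worth a word if it is deliberate. The enclosing `profile sanitized_helper` block starts and ends outside this hunk.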
+++ b/apparmor.d/abstractions/ubuntu-media-players @@ -2,9 +2,11 @@ # # abstraction for allowing access to media players in Ubuntu # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/amarok Cxr -> sanitized_helper, /usr/bin/audacious2 Cxr -> sanitized_helper, @@ -58,3 +60,6 @@ /etc/gnashpluginrc r, owner @{HOME}/.gnash/ rw, owner @{HOME}/.gnash/** rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-unity7-base b/apparmor.d/abstractions/ubuntu-unity7-base index 25e88b692..6e207b287 100644 --- a/apparmor.d/abstractions/ubuntu-unity7-base +++ b/apparmor.d/abstractions/ubuntu-unity7-base @@ -9,14 +9,16 @@ # # ------------------------------------------------------------------ + abi , + # # Rules common to applications running under Unity 7 # -#include +include -#include -#include +include +include # # Access required for connecting to/communication with Unity HUD @@ -98,3 +100,6 @@ # Deny potentially dangerous access # deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-unity7-launcher b/apparmor.d/abstractions/ubuntu-unity7-launcher index 52f6cd438..eb2f070d3 100644 --- a/apparmor.d/abstractions/ubuntu-unity7-launcher +++ b/apparmor.d/abstractions/ubuntu-unity7-launcher @@ -1,3 +1,5 @@ + abi , + # # Access required for connecting to/communicating with the Unity Launcher # @@ -5,3 +7,6 @@ bus=session interface="com.canonical.Unity.LauncherEntry" member="Update", + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-unity7-messaging b/apparmor.d/abstractions/ubuntu-unity7-messaging index 828592eef..21de3ff0d 100644 --- a/apparmor.d/abstractions/ubuntu-unity7-messaging 
+++ b/apparmor.d/abstractions/ubuntu-unity7-messaging @@ -1,3 +1,5 @@ + abi , + # # Access required for connecting to/communicating with the Unity messaging # indicator @@ -5,3 +7,6 @@ dbus (receive, send) bus=session path="/com/canonical/indicator/messages/*", + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-xterm b/apparmor.d/abstractions/ubuntu-xterm index a062cc72b..07eacaba9 100644 --- a/apparmor.d/abstractions/ubuntu-xterm +++ b/apparmor.d/abstractions/ubuntu-xterm @@ -3,7 +3,9 @@ # for allowing access to xterm # - #include + abi , + + include /dev/ptmx rw, /{,var/}run/utmp r, /etc/X11/app-defaults/XTerm r, @@ -11,3 +13,6 @@ # do not use ux or Ux here. Use at a minimum ix /usr/bin/xterm ix, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/user-download b/apparmor.d/abstractions/user-download index ea1043a33..765402947 100644 --- a/apparmor.d/abstractions/user-download +++ b/apparmor.d/abstractions/user-download @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # Description: Where common programs should allow users to download # files @@ -22,3 +24,6 @@ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/* rwl, owner "@{HOME}/My Downloads/" r, owner "@{HOME}/My Downloads/**" rwl, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index bc2a5b744..5dd1c6d88 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , owner @{HOME}/[dD]ownload{,s}/ r, owner @{HOME}/[dD]ownload{,s}/** rwl, diff --git a/apparmor.d/abstractions/user-mail b/apparmor.d/abstractions/user-mail index b799ffcac..4156dfaac 100644 --- a/apparmor.d/abstractions/user-mail 
+++ b/apparmor.d/abstractions/user-mail @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # location of user mail, spool and mboxes owner @{HOME}/[mM]ail/ r, owner @{HOME}/[mM]ail/** rwl, @@ -21,3 +23,6 @@ owner @{HOME}/.forward r, owner @{HOME}/Maildir/ r, owner @{HOME}/Maildir/** rwl, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/user-manpages b/apparmor.d/abstractions/user-manpages index b7cc0cb8e..3178a4d60 100644 --- a/apparmor.d/abstractions/user-manpages +++ b/apparmor.d/abstractions/user-manpages @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + # perhaps your configuration has users elsewhere, or you don't wish # them to read their own manpages owner @{HOME}/man/ r, @@ -22,3 +24,6 @@ /usr/local/share/man/man?/** r, /usr/{share,X11R6,local,kerberos}/man/** r, /usr/man/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/user-tmp b/apparmor.d/abstractions/user-tmp index 63993d60d..6d651c5dc 100644 --- a/apparmor.d/abstractions/user-tmp +++ b/apparmor.d/abstractions/user-tmp @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # per-user tmp directories owner @{HOME}/tmp/** rwkl, owner @{HOME}/tmp/ rw, @@ -18,3 +20,6 @@ /var/tmp/ rw, owner /tmp/** rwkl, /tmp/ rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/user-write b/apparmor.d/abstractions/user-write index c6ea29bdf..604b60b7a 100644 --- a/apparmor.d/abstractions/user-write +++ b/apparmor.d/abstractions/user-write @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # per-user write directories owner @{HOME}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, 
@@ -19,3 +21,6 @@ owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwl, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/** rwl, owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/** rwl, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/video b/apparmor.d/abstractions/video index 00a834681..7df9a1725 100644 --- a/apparmor.d/abstractions/video +++ b/apparmor.d/abstractions/video @@ -1,6 +1,11 @@ # vim:syntax=apparmor # video device access + abi , + # System devices @{sys}/class/video4linux r, @{sys}/class/video4linux/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/vlc-art-cache-write b/apparmor.d/abstractions/vlc-art-cache-write index 40a36bf39..1b5f1d041 100644 --- a/apparmor.d/abstractions/vlc-art-cache-write +++ b/apparmor.d/abstractions/vlc-art-cache-write @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , owner @{HOME}/.cache/ rw, owner @{HOME}/.cache/vlc/ rw, diff --git a/apparmor.d/abstractions/vulkan b/apparmor.d/abstractions/vulkan index 04c8ec262..479a9dcb7 100644 --- a/apparmor.d/abstractions/vulkan +++ b/apparmor.d/abstractions/vulkan @@ -1,6 +1,8 @@ # vim:syntax=apparmor # Vulkan access requirements + abi , + # System files /dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa) /etc/glvnd/egl_vendor.d/{*,.json} r, @@ -18,3 +20,6 @@ # User files owner @{HOME}/.local/share/vulkan/implicit_layer.d/{,*.json} r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/wayland b/apparmor.d/abstractions/wayland index 384c7aeb9..86ba0cffd 100644 --- a/apparmor.d/abstractions/wayland +++ b/apparmor.d/abstractions/wayland 
@@ -10,8 +10,10 @@ # # ------------------------------------------------------------------ - #abi , + abi , - owner @{run}/user/[0-9]*/weston-shared-* rw, owner @{run}/user/[0-9]*/wayland-[0-9]* rw, owner @{run}/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/web-data b/apparmor.d/abstractions/web-data index 0baf29902..8459eee35 100644 --- a/apparmor.d/abstractions/web-data +++ b/apparmor.d/abstractions/web-data @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + /srv/www/htdocs/ r, /srv/www/htdocs/** r, # virtual hosting @@ -23,3 +25,6 @@ /var/www/html/ r, /var/www/html/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/winbind b/apparmor.d/abstractions/winbind index e982889ea..3503e5a00 100644 --- a/apparmor.d/abstractions/winbind +++ b/apparmor.d/abstractions/winbind @@ -9,9 +9,12 @@ # # ------------------------------------------------------------------ + abi , + # pam_winbindd /tmp/.winbindd/pipe rw, - /var/{lib,run}/samba/winbindd_privileged/pipe rw, + /var/lib/samba/winbindd_privileged/pipe rw, + @{run}/samba/winbindd_privileged/pipe rw, /etc/samba/smb.conf r, /etc/samba/dhcp.conf r, /usr/lib*/samba/valid.dat r, @@ -19,3 +22,6 @@ /usr/lib*/samba/lowcase.dat r, /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/wutmp b/apparmor.d/abstractions/wutmp index d7509558a..7fdf906bd 100644 --- a/apparmor.d/abstractions/wutmp +++ b/apparmor.d/abstractions/wutmp 
@@ -9,8 +9,13 @@ # # ------------------------------------------------------------------ + abi , + # some services update wtmp, utmp, and lastlog with per-user # connection information /var/log/lastlog rwk, /var/log/wtmp wk, - /{,var/}run/utmp rwk, + @{run}/utmp rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/xad b/apparmor.d/abstractions/xad index 54b0f40e2..f5f6e7204 100644 --- a/apparmor.d/abstractions/xad +++ b/apparmor.d/abstractions/xad @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + /opt/novell/xad/lib/ r, /opt/novell/xad/lib/lib*.so* mr, /opt/novell/xad/lib/gss/*.so* mr, @@ -23,3 +25,6 @@ /var/opt/novell/nici/* r, /var/opt/novell/nici/*/ r, /var/opt/novell/nici/*/* rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/xdg-desktop b/apparmor.d/abstractions/xdg-desktop index bc8f6a00c..9f7f4ae2a 100644 --- a/apparmor.d/abstractions/xdg-desktop +++ b/apparmor.d/abstractions/xdg-desktop @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # Entries based on: # http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html @@ -22,3 +24,6 @@ # fallbacks /usr/share/ r, /usr/local/share/ r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/xdg-open b/apparmor.d/abstractions/xdg-open index 67da04a48..aed207104 100644 --- a/apparmor.d/abstractions/xdg-open +++ b/apparmor.d/abstractions/xdg-open @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via xdg-open helper. xdg-open abstraction # will allow to use gio-open, kde-open5 and other helpers of the different 
@@ -16,40 +18,40 @@ # # # out-of-line child profile # profile foo//xdg-open { -# #include +# include # # # Enable a11y support if considered required by # # profile author for (rare) error message boxes. -# #include +# include # # # Enable gstreamer support if considered required by # # profile author for (rare) error message boxes. -# #include if exists +# include if exists # # # needed for ubuntu-* abstractions -# #include +# include # # # Only allow to handle http[s]: and mailto: links -# #include -# #include +# include +# include # # # < add additional allowed applications here > # } # ``` - #include + include # for openin with `exo-open` - #include + include # for opening with `gio open ` - #include + include # for opening with gvfs-open (deprecated) - #include + include # for opening with kde-open5 - ##include + include # Main executables @@ -81,4 +83,4 @@ owner @{HOME}/.local/share/applications/{,*.desktop} r, # Include additions to the abstraction - #include if exists + include if exists diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 222c714f4..fc70afdca 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , /usr/share/zsh/{,**} r, /usr/local/share/zsh/{,**} r, diff --git a/apparmor.d/accounts-daemon b/apparmor.d/accounts-daemon index 5d9ef3137..ddd191b64 100644 --- a/apparmor.d/accounts-daemon +++ b/apparmor.d/accounts-daemon @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon @{exec_path} += /usr/libexec/accounts-daemon profile accounts-daemon @{exec_path} { - #include - #include - #include + include + include + include # Needed? deny capability sys_nice, @@ -37,5 +37,5 @@ profile accounts-daemon @{exec_path} { /var/log/wtmp r, - #include if exists + include if exists } 
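Review bot: The `##include` → `include` change under `# for opening with kde-open5` enables an include that was previously commented out with a second `#`, unlike the neighbouring lines where only the `#include` spelling is migrated, so this hunk changes what the abstraction grants rather than just its syntax. If enabling kde-open5 support is intended, record it on the line, e.g. `# for opening with kde-open5 (enabled; was commented out before the include-syntax migration)`; if not, it should stay disabled as a `# include` comment. The included file name is not readable in this rendering, so I cannot confirm what it pulls in.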
diff --git a/apparmor.d/acpi b/apparmor.d/acpi index b1bcbeb92..b1c44decf 100644 --- a/apparmor.d/acpi +++ b/apparmor.d/acpi @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/acpi profile acpi @{exec_path} flags=(complain) { - #include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile acpi @{exec_path} flags=(complain) { @{sys}/devices/virtual/thermal/{,**} r, - #include if exists + include if exists } diff --git a/apparmor.d/adduser b/apparmor.d/adduser index 17d4ecb47..aeb782bac 100644 --- a/apparmor.d/adduser +++ b/apparmor.d/adduser @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/add{user,group} profile adduser @{exec_path} { - #include - #include - #include - #include + include + include + include + include # To create a user home dir and give it proper permissions: # mkdir("/home/user", 0755) = 0 @@ -67,5 +67,5 @@ profile adduser @{exec_path} { /var/lib/lightdm/{,*} w, /var/lib/sddm/{,*} w, - #include if exists + include if exists } diff --git a/apparmor.d/adequate b/apparmor.d/adequate index 38487c673..d6bac274c 100644 --- a/apparmor.d/adequate +++ b/apparmor.d/adequate @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/adequate profile adequate @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include #capability sys_tty_config, @@ -50,8 +50,8 @@ profile adequate @{exec_path} flags=(complain) { profile ldd flags=(complain) { - #include - #include + include + include /{usr/,}bin/ldd mr, 
@@ -70,10 +70,10 @@ profile adequate @{exec_path} flags=(complain) { } profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, @@ -89,10 +89,10 @@ profile adequate @{exec_path} flags=(complain) { /usr/share/debconf/templates/adequate.templates r, # The following is needed when debconf uses GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -104,11 +104,11 @@ profile adequate @{exec_path} flags=(complain) { } profile pkg-config flags=(complain) { - #include + include /{usr/,}bin/pkg-config mr, } - #include if exists + include if exists } diff --git a/apparmor.d/amarok b/apparmor.d/amarok index b65c133e5..3feb7986a 100644 --- a/apparmor.d/amarok +++ b/apparmor.d/amarok @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Audio extensions # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, @@ -37,22 +37,22 @@ @{exec_path} = /{usr/,}bin/amarok profile amarok @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include ptrace (trace) peer=@{profile_name}, @@ -167,8 +167,8 @@ profile amarok @{exec_path} { # To generate the crash log info in Amarok /{usr/,}bin/gdb rCx -> gdb, profile gdb { - #include - #include + include + include /{usr/,}bin/gdb mr, /usr/share/glib-2.0/gdb/{,**} r, @@ -196,5 +196,5 @@ profile amarok @{exec_path} { } - #include if exists + include if exists } 
diff --git a/apparmor.d/amixer b/apparmor.d/amixer index a231a7d5c..7d470380b 100644 --- a/apparmor.d/amixer +++ b/apparmor.d/amixer @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/amixer profile amixer @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile amixer @{exec_path} { owner @{HOME}/.config/pulse/ r, - #include if exists + include if exists } diff --git a/apparmor.d/android-studio b/apparmor.d/android-studio index 3f5389e1d..9ff291721 100644 --- a/apparmor.d/android-studio +++ b/apparmor.d/android-studio @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{AS_LIBDIR} = /media/*/android-studio @{AS_SDKDIR} = /media/*/SDK @@ -20,20 +20,20 @@ @{exec_path} = @{AS_LIBDIR}/bin/studio.sh profile android-studio @{exec_path} { - #include + include #icnlude - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". @@ -47,10 +47,16 @@ profile android-studio @{exec_path} { signal (send) set=(term, kill) peer=android-studio//lsb-release, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/python3.[0-9]* r, + /{usr/,}bin/python3.[0-9]* rix, /{usr/,}bin/which rix, /{usr/,}bin/uname rix, @@ -202,6 +208,7 @@ profile android-studio @{exec_path} { @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/partitions r, @{PROC}/vmstat r, + @{PROC}/loadavg r, @{sys}/fs/cgroup/*/** r, 
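Review bot: The five `network` rules added after the `signal (send)` line in android-studio grant unrestricted inet/inet6 stream and dgram sockets plus `netlink raw` to the whole profile without a comment saying which component needs them, while the adjacent rule group carries one. `netlink raw` is usually only needed for interface and address enumeration, so a note such as `# netlink raw: interface enumeration by the JVM/ADB tooling (confirm)` would let a later reviewer distinguish a genuine need from a denial that was simply allowed; the identical block added to apt-listbugs in its `@@ -9,20 +9,26 @@` hunk deserves the same note. The `python3.[0-9]* r` → `rix` change in the same hunk lets the interpreter run inheriting this profile, which is consistent with the `rix` already used for `sh`, `which` and `uname` next to it. The enclosing `profile android-studio` block starts and ends outside this hunk.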
@@ -232,7 +239,7 @@ profile android-studio @{exec_path} { profile gpg { - #include + include /{usr/,}bin/gpg mr, @@ -242,9 +249,9 @@ profile android-studio @{exec_path} { } profile lsb-release { - #include - #include - #include + include + include + include signal (receive) set=(term, kill) peer=android-studio, @@ -270,8 +277,8 @@ profile android-studio @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -297,5 +304,5 @@ profile android-studio @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/anki b/apparmor.d/anki index eec5e4259..08cbb8407 100644 --- a/apparmor.d/anki +++ b/apparmor.d/anki @@ -9,29 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/anki profile anki @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=anki//mpv, @@ -137,10 +137,10 @@ profile anki @{exec_path} { profile mpv { - #include - #include - #include - #include + include + include + include + include signal (receive) set=(term, kill) peer=anki, @@ -171,7 +171,7 @@ profile anki @{exec_path} { } profile lame { - #include + include /{usr/,}bin/lame mr, @@ -180,8 +180,8 @@ profile anki @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -197,5 +197,5 @@ profile anki @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/anyremote b/apparmor.d/anyremote index 28a32839c..2f6e0de12 100644 --- a/apparmor.d/anyremote +++ b/apparmor.d/anyremote 
@@ -9,20 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/anyremote profile anyremote @{exec_path} { - #include - #include - #include - #include + include + include + include + include signal (receive) set=(int, term, kill), signal (send) set=(term, kill), + network inet stream, + network inet6 stream, + @{exec_path} rm, /{usr/,}bin/{,ba,da}sh rix, @@ -68,6 +71,9 @@ profile anyremote @{exec_path} { owner /tmp/amarok_covers/ rw, owner /tmp/*.png rw, + # For shell pwd + owner @{HOME}/ r, + owner @{HOME}/.anyRemote/{,**} rw, owner @{HOME}/.anyRemote/imdb-mf.sh rix, @@ -87,7 +93,7 @@ profile anyremote @{exec_path} { profile imagemagic { - #include + include /{usr/,}bin/convert-im6.q16 mr, @@ -107,8 +113,8 @@ profile anyremote @{exec_path} { } profile killall { - #include - #include + include + include capability sys_ptrace, @@ -129,8 +135,8 @@ profile anyremote @{exec_path} { } profile pgrep { - #include - #include + include + include signal (send) set=(term, kill), @@ -147,21 +153,21 @@ profile anyremote @{exec_path} { } profile curl { - #include - #include - #include - #include + include + include + include + include /{usr/,}bin/curl mr, } profile qdbus { - #include + include /{usr/,}lib/qt5/bin/qdbus mr, } - #include if exists + include if exists } diff --git a/apparmor.d/apache2.d/phpsysinfo b/apparmor.d/apache2.d/phpsysinfo index af730910e..afd1ff340 100644 --- a/apparmor.d/apache2.d/phpsysinfo +++ b/apparmor.d/apache2.d/phpsysinfo @@ -1,12 +1,14 @@ # Last Modified: Fri Sep 11 13:27:22 2009 # Author: Marc Deslauriers + abi , + ^phpsysinfo { - #include - #include - #include - #include - #include + include + include + include + include + include /{,usr/}bin/dash ixr, /{,usr/}bin/df ixr, @@ -43,6 +45,6 @@ /var/lib/{misc,usbutils}/usb.ids r, /var/log/apache2/access.log w, /var/log/apache2/error.log w, - /{,var/}run/utmp rk, + @{run}/utmp rk, /usr/share/misc/pci.ids r, } 
diff --git a/apparmor.d/aplay b/apparmor.d/aplay index c9122416d..e69ac29dc 100644 --- a/apparmor.d/aplay +++ b/apparmor.d/aplay @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/aplay profile aplay @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile aplay @{exec_path} flags=(complain) { owner @{HOME}/.config/pulse/ r, - #include if exists + include if exists } diff --git a/apparmor.d/appstreamcli b/apparmor.d/appstreamcli index b28dfdf7f..343433a71 100644 --- a/apparmor.d/appstreamcli +++ b/apparmor.d/appstreamcli @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/appstreamcli profile appstreamcli @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} mr, @@ -53,14 +53,14 @@ profile appstreamcli @{exec_path} flags=(complain) { profile curl { - #include - #include - #include - #include + include + include + include + include /{usr/,}bin/curl mr, } - #include if exists + include if exists } diff --git a/apparmor.d/apt b/apparmor.d/apt index 0fd069ae8..ce40b2438 100644 --- a/apparmor.d/apt +++ b/apparmor.d/apt @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/apt profile apt @{exec_path} flags=(complain) { - #include - #include - #include - #include - #include + include + include + include + include + include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory @@ -67,6 +67,7 @@ profile apt @{exec_path} flags=(complain) { # Needed? (##FIXME##) capability kill, capability fsetid, + capability net_admin, signal (send) peer=apt-methods-*, 
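Review bot: `capability net_admin` in apt is added directly under the `# Needed? (##FIXME##)` comment, so the hunk inherits a question it does not answer; net_admin is a broad capability (interface, routing and firewall configuration) and apt has no obvious reason to hold it. This denial is often triggered by a socket-buffer `setsockopt` that works fine without the capability, in which case `deny capability net_admin,` silences the audit noise without widening the profile; if it is genuinely required, replace the FIXME with the observed operation that needs it on the same line. The same addition appears in apt-get in its `@@ -66,6 +66,7 @@` hunk. The enclosing `profile apt` block starts and ends outside this hunk.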
@@ -124,8 +125,8 @@ profile apt @{exec_path} flags=(complain) { profile editor flags=(complain) { - #include - #include + include + include /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim.* mrix, @@ -146,9 +147,9 @@ profile apt @{exec_path} flags=(complain) { } profile dpkg-source flags=(complain) { - #include - #include - #include + include + include + include /{usr/,}bin/dpkg-source mr, /{usr/,}bin/perl r, @@ -173,6 +174,6 @@ profile apt @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/apt-cache b/apparmor.d/apt-cache index e95e91911..026bdcad6 100644 --- a/apparmor.d/apt-cache +++ b/apparmor.d/apt-cache @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-cache profile apt-cache @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -31,5 +31,5 @@ profile apt-cache @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/apt-cdrom b/apparmor.d/apt-cdrom index 217004ca6..373c755b1 100644 --- a/apparmor.d/apt-cdrom +++ b/apparmor.d/apt-cdrom @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include capability dac_read_search, @@ -63,7 +63,7 @@ profile apt-cdrom @{exec_path} flags=(complain) { /etc/apt/sources.list~ w, profile mount flags=(complain) { - #include + include /{usr/,}bin/mount mr, @@ -74,7 +74,7 @@ profile apt-cdrom @{exec_path} flags=(complain) { } profile umount flags=(complain) { - #include + include capability sys_admin, @@ -90,5 +90,5 @@ profile apt-cdrom @{exec_path} flags=(complain) { } - #include if exists + include if exists } 
diff --git a/apparmor.d/apt-config b/apparmor.d/apt-config index c21374181..1171094d5 100644 --- a/apparmor.d/apt-config +++ b/apparmor.d/apt-config @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-config profile apt-config @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -25,5 +25,5 @@ profile apt-config @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - #include if exists + include if exists } diff --git a/apparmor.d/apt-extracttemplates b/apparmor.d/apt-extracttemplates index 389c53ab8..65d7eac72 100644 --- a/apparmor.d/apt-extracttemplates +++ b/apparmor.d/apt-extracttemplates @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/apt-extracttemplates profile apt-extracttemplates @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -35,5 +35,5 @@ profile apt-extracttemplates @{exec_path} { # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - #include if exists + include if exists } diff --git a/apparmor.d/apt-file b/apparmor.d/apt-file index f1aea4c95..2efaeb1e0 100644 --- a/apparmor.d/apt-file +++ b/apparmor.d/apt-file @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-file profile apt-file @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -40,5 +40,5 @@ profile apt-file @{exec_path} { # file_inherit /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-ftparchive b/apparmor.d/apt-ftparchive index d53e7627a..ef1357a88 100644 --- a/apparmor.d/apt-ftparchive +++ b/apparmor.d/apt-ftparchive 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/apt-ftparchive profile apt-ftparchive @{exec_path} { - #include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile apt-ftparchive @{exec_path} { # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - #include if exists + include if exists } diff --git a/apparmor.d/apt-get b/apparmor.d/apt-get index 44da03ee5..21405246b 100644 --- a/apparmor.d/apt-get +++ b/apparmor.d/apt-get @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/apt-get profile apt-get @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory @@ -66,6 +66,7 @@ profile apt-get @{exec_path} flags=(complain) { # Needed? (##FIXME##) capability kill, capability fsetid, + capability net_admin, signal (send) peer=apt-methods-*, @@ -114,6 +115,8 @@ profile apt-get @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/fd/ r, + /dev/ptmx rw, + /tmp/ r, owner /tmp/apt-tmp-index.* rw, owner /tmp/apt-dpkg-install-*/ rw, @@ -129,9 +132,9 @@ profile apt-get @{exec_path} flags=(complain) { owner /var/log/cron-apt/temp w, - profile pager flags=(complain) { - #include - #include + profile pager { + include + include capability dac_read_search, @@ -153,9 +156,9 @@ profile apt-get @{exec_path} flags=(complain) { } profile dpkg-source flags=(complain) { - #include - #include - #include + include + include + include /{usr/,}bin/dpkg-source mr, /{usr/,}bin/perl r, @@ -180,5 +183,5 @@ profile apt-get @{exec_path} flags=(complain) { } - #include if exists + include if exists } 
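Review bot: `capability net_admin,` is added to apt-get in the `@@ -66,6 +66,7 @@` hunk directly under a block the file already marks `# Needed? (##FIXME##)`, with nothing recording which denial motivated it; net_admin covers interface, routing and firewall configuration, which is broader than a package manager is expected to need, so the trigger belongs in a comment such as `capability net_admin, # FIXME: record the audit denial that required this; drop if it was only noise`. The same unexplained addition appears in aptitude at its `@@ -67,6 +67,7 @@` hunk. In the `@@ -129,9 +132,9 @@` hunk, `profile pager flags=(complain)` becomes `profile pager`, which moves that subprofile from complain to enforce mode inside an otherwise syntax-only migration; aptitude's `@{exec_path}` pager gets the same change at `@@ -169,9 +172,9 @@`. That is a behaviour change worth calling out in the description, together with a check that the pager rules are complete before its denials become hard failures.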
diff --git a/apparmor.d/apt-key b/apparmor.d/apt-key index a6eb903d9..920839a90 100644 --- a/apparmor.d/apt-key +++ b/apparmor.d/apt-key @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-key profile apt-key @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -59,9 +59,14 @@ profile apt-key @{exec_path} { profile gpg { - #include - #include - #include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, /{usr/,}bin/gpg mr, /{usr/,}bin/gpgconf mr, @@ -97,5 +102,5 @@ profile apt-key @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/apt-listbugs b/apparmor.d/apt-listbugs index 74a52dbf9..96cb4003c 100644 --- a/apparmor.d/apt-listbugs +++ b/apparmor.d/apt-listbugs @@ -9,20 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-listbugs profile apt-listbugs @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include #capability sys_tty_config, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} r, /{usr/,}bin/ruby2.[0-9]* rix, @@ -42,15 +48,15 @@ profile apt-listbugs @{exec_path} { @{PROC}/@{pid}/loginuid r, # The following is needed when apt-listbugs uses debcconf GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, - #include if exists + include if exists } diff --git a/apparmor.d/apt-listbugs-aptcleanup b/apparmor.d/apt-listbugs-aptcleanup index 6cb2f0b5c..f3eef8168 100644 --- a/apparmor.d/apt-listbugs-aptcleanup 
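Review bot: The five new `network` rules in apt-listbugs (`@@ -9,20 +9,26 @@`) carry no comment on what they serve, which makes them hard to audit later; presumably the inet/inet6 pairs are for fetching bug reports and `network netlink raw,` is what the resolver needs to enumerate interfaces, but that should be confirmed and written down. A one-line comment above the group, e.g. `# bug report download; netlink raw is requested by the resolver when enumerating interfaces`, keeps that knowledge with the rule. The gpg subprofile of apt-key at `@@ -59,9 +59,14 @@` has the same gap and should state which gpg operation (keyserver access, presumably) needs inet sockets, as should apt-methods-http at its `@@ -34,6 +34,12 @@` hunk.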
+++ b/apparmor.d/apt-listbugs-aptcleanup @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/libexec/apt-listbugs/aptcleanup profile apt-listbugs-aptcleanup @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/ruby2.[0-9]* rix, - #include if exists + include if exists } diff --git a/apparmor.d/apt-listbugs-migratepins b/apparmor.d/apt-listbugs-migratepins index e3bc6cdc6..6e3ca525a 100644 --- a/apparmor.d/apt-listbugs-migratepins +++ b/apparmor.d/apt-listbugs-migratepins @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/libexec/apt-listbugs/migratepins profile apt-listbugs-migratepins @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/ruby2.[0-9]* rix, @@ -31,5 +31,5 @@ profile apt-listbugs-migratepins @{exec_path} { owner /tmp/pin_migration_*-@{pid}-*/preferences w, owner /tmp/pin_migration_*-@{pid}-*/apt-listbugs w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-listbugs-prefclean b/apparmor.d/apt-listbugs-prefclean index 87409ad6f..26004a99c 100644 --- a/apparmor.d/apt-listbugs-prefclean +++ b/apparmor.d/apt-listbugs-prefclean @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/libexec/apt-listbugs/prefclean profile apt-listbugs-prefclean @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/ruby2.[0-9]* rix, @@ -32,5 +32,5 @@ profile apt-listbugs-prefclean @{exec_path} { owner /var/spool/apt-listbugs/lastprefclean rw, - #include if exists + include if exists } diff --git a/apparmor.d/apt-listchanges b/apparmor.d/apt-listchanges index 7a57bc7db..c97a23ac2 100644 --- a/apparmor.d/apt-listchanges 
+++ b/apparmor.d/apt-listchanges @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-listchanges profile apt-listchanges @{exec_path} { - #include - #include - #include - #include + include + include + include + include #capability sys_tty_config, @@ -67,10 +67,10 @@ profile apt-listchanges @{exec_path} { owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, # The following is needed when apt-listchanges uses debcconf GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -79,8 +79,8 @@ profile apt-listchanges @{exec_path} { profile pager { - #include - #include + include + include #capability sys_tty_config, @@ -101,5 +101,5 @@ profile apt-listchanges @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/apt-mark b/apparmor.d/apt-mark index 933c16da7..a39abfac5 100644 --- a/apparmor.d/apt-mark +++ b/apparmor.d/apt-mark @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-mark profile apt-mark @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -29,5 +29,5 @@ profile apt-mark @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-cdrom b/apparmor.d/apt-methods-cdrom index fb5c6c9f8..b91b5ced8 100644 --- a/apparmor.d/apt-methods-cdrom +++ b/apparmor.d/apt-methods-cdrom 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/cdrom profile apt-methods-cdrom @{exec_path} { - #include - #include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -49,5 +49,5 @@ profile apt-methods-cdrom @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-copy b/apparmor.d/apt-methods-copy index 637d6917c..354184071 100644 --- a/apparmor.d/apt-methods-copy +++ b/apparmor.d/apt-methods-copy @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/copy profile apt-methods-copy @{exec_path} { - #include - #include - #include + include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -60,5 +60,5 @@ profile apt-methods-copy @{exec_path} { owner /dev/tty[0-9]* rw, /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-file b/apparmor.d/apt-methods-file index a5523cf28..165941e34 100644 --- a/apparmor.d/apt-methods-file +++ b/apparmor.d/apt-methods-file 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/file profile apt-methods-file @{exec_path} { - #include - #include - #include + include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -60,5 +60,5 @@ profile apt-methods-file @{exec_path} { owner /dev/tty[0-9]* rw, /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-ftp b/apparmor.d/apt-methods-ftp index c119f0e21..5c356d8a6 100644 --- a/apparmor.d/apt-methods-ftp +++ b/apparmor.d/apt-methods-ftp @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/ftp profile apt-methods-ftp @{exec_path} { - #include - #include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -49,5 +49,5 @@ profile apt-methods-ftp @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-gpgv b/apparmor.d/apt-methods-gpgv index 0e2a1e83b..e3875e9ce 100644 --- a/apparmor.d/apt-methods-gpgv +++ b/apparmor.d/apt-methods-gpgv 
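Review bot: apt-methods-ftp now declares `abi ,` (the bracketed target is not visible in this rendering; presumably the abi/3.0 declaration), which switches the profile to a kernel ABI with network mediation, yet unlike apt-methods-http at `@@ -34,6 +34,12 @@` this hunk adds no `network` rule; unless the file carries one outside the hunk, the method's own sockets will be denied once the profile is loaded in enforce mode. The same gap shows for apt-methods-rsh, apt-methods-mirror, atftpd (a UDP daemon) and ping, none of which gain network rules in their visible hunks. Each of these needs either an explicit `network inet stream,` / `network inet dgram,` pair (and the inet6 equivalents) where the program opens sockets itself, or a comment pointing to where the rule already lives or to the child profile that does the networking.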
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/gpgv profile apt-methods-gpgv @{exec_path} { - #include - #include - #include + include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -92,5 +92,5 @@ profile apt-methods-gpgv @{exec_path} { owner /dev/tty[0-9]* rw, /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-http b/apparmor.d/apt-methods-http index d1996be2b..0b352f0fc 100644 --- a/apparmor.d/apt-methods-http +++ b/apparmor.d/apt-methods-http @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/http{,s} profile apt-methods-http @{exec_path} { - #include - #include - #include - #include + include + include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -34,6 +34,12 @@ profile apt-methods-http @{exec_path} { signal (receive) peer=aptitude, signal (receive) peer=synaptic, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # apt-helper gets "no new privs" so "rix" it @@ -74,5 +80,5 @@ profile apt-methods-http @{exec_path} { owner /dev/tty[0-9]* rw, /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-mirror b/apparmor.d/apt-methods-mirror index fe2785c50..c1e05b10c 100644 --- a/apparmor.d/apt-methods-mirror +++ b/apparmor.d/apt-methods-mirror 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*} profile apt-methods-mirror @{exec_path} { - #include - #include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -49,5 +49,5 @@ profile apt-methods-mirror @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-rred b/apparmor.d/apt-methods-rred index 862606415..1149713b4 100644 --- a/apparmor.d/apt-methods-rred +++ b/apparmor.d/apt-methods-rred @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/rred profile apt-methods-rred @{exec_path} { - #include - #include - #include + include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -60,5 +60,5 @@ profile apt-methods-rred @{exec_path} { owner /dev/tty[0-9]* rw, /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-rsh b/apparmor.d/apt-methods-rsh index b9de67305..fd9d2084f 100644 --- a/apparmor.d/apt-methods-rsh +++ b/apparmor.d/apt-methods-rsh 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh profile apt-methods-rsh @{exec_path} { - #include - #include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -49,5 +49,5 @@ profile apt-methods-rsh @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-store b/apparmor.d/apt-methods-store index 3ed2218f2..98f72658b 100644 --- a/apparmor.d/apt-methods-store +++ b/apparmor.d/apt-methods-store @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/store profile apt-methods-store @{exec_path} { - #include - #include - #include + include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -65,5 +65,5 @@ profile apt-methods-store @{exec_path} { owner /dev/tty[0-9]* rw, owner /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-show-versions b/apparmor.d/apt-show-versions index b1b496382..b39ac121e 100644 --- a/apparmor.d/apt-show-versions +++ b/apparmor.d/apt-show-versions @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-show-versions profile apt-show-versions @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, 
@@ -37,5 +37,5 @@ profile apt-show-versions @{exec_path} { owner /dev/tty[0-9]* rw, owner /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-sortpkgs b/apparmor.d/apt-sortpkgs index 8d0e48cd5..339484bb3 100644 --- a/apparmor.d/apt-sortpkgs +++ b/apparmor.d/apt-sortpkgs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-sortpkgs profile apt-sortpkgs @{exec_path} { - #include + include @{exec_path} mr, @@ -25,5 +25,5 @@ profile apt-sortpkgs @{exec_path} { /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, - #include if exists + include if exists } diff --git a/apparmor.d/aptitude b/apparmor.d/aptitude index 9867aad07..91eaa14b7 100644 --- a/apparmor.d/aptitude +++ b/apparmor.d/aptitude @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory @@ -67,6 +67,7 @@ profile aptitude @{exec_path} flags=(complain) { capability kill, capability fsetid, capability sys_chroot, + capability net_admin, #capability sys_tty_config, signal (send) peer=apt-methods-*, @@ -162,6 +163,8 @@ profile aptitude @{exec_path} flags=(complain) { # aptitude[]: Oh, oh, it's an error! possibly I die! /dev/tty[0-9]* rw, + /dev/ptmx rw, + # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, @@ -169,9 +172,9 @@ profile aptitude @{exec_path} flags=(complain) { /var/log/cron-apt/temp w, - profile pager flags=(complain) { - #include - #include + profile pager { + include + include /{usr/,}bin/ r, /{usr/,}bin/sensible-pager mr, 
@@ -189,6 +192,6 @@ profile aptitude @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/aptitude-changelog-parser b/apparmor.d/aptitude-changelog-parser index 3898e2711..f32450084 100644 --- a/apparmor.d/aptitude-changelog-parser +++ b/apparmor.d/aptitude-changelog-parser @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/aptitude-changelog-parser profile aptitude-changelog-parser @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -25,5 +25,5 @@ profile aptitude-changelog-parser @{exec_path} { /**/debian/changelog r, - #include if exists + include if exists } diff --git a/apparmor.d/aptitude-create-state-bundle b/apparmor.d/aptitude-create-state-bundle index 5f398845b..fb514aa98 100644 --- a/apparmor.d/aptitude-create-state-bundle +++ b/apparmor.d/aptitude-create-state-bundle @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/aptitude-create-state-bundle profile aptitude-create-state-bundle @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -36,5 +36,5 @@ profile aptitude-create-state-bundle @{exec_path} { /etc/apt/{,**} r, /var/lib/dpkg/status r, - #include if exists + include if exists } diff --git a/apparmor.d/aptitude-run-state-bundle b/apparmor.d/aptitude-run-state-bundle index 8ebe76cd5..0c9fff183 100644 --- a/apparmor.d/aptitude-run-state-bundle +++ b/apparmor.d/aptitude-run-state-bundle 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/aptitude-run-state-bundle profile aptitude-run-state-bundle @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -32,5 +32,5 @@ profile aptitude-run-state-bundle @{exec_path} { owner /tmp/aptitudebug.*/{,**} rw, - #include if exists + include if exists } diff --git a/apparmor.d/arandr b/apparmor.d/arandr index 33583192a..926442f96 100644 --- a/apparmor.d/arandr +++ b/apparmor.d/arandr @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/arandr profile arandr @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -42,5 +42,5 @@ profile arandr @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/at-spi-bus-launcher b/apparmor.d/at-spi-bus-launcher index 62f514d54..f46ab640c 100644 --- a/apparmor.d/at-spi-bus-launcher +++ b/apparmor.d/at-spi-bus-launcher @@ -9,23 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher @{exec_path} += /usr/libexec/at-spi-bus-launcher profile at-spi-bus-launcher @{exec_path} { - #include - #include - #include - #include + include + include + include + include # Needed? deny capability sys_nice, signal (send) set=(term, kill) peer=dbus-daemon, + network inet stream, + network inet6 stream, + @{exec_path} mr, /{usr/,}bin/dbus-daemon rPUx, 
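Review bot: at-spi-bus-launcher gains `network inet stream,` and `network inet6 stream,` in the `@@ -9,23 +9,26 @@` hunk without a comment, which is surprising for a launcher whose accessibility bus normally speaks over a unix socket. If these rules answer an audit denial, the denial should be quoted in a comment, e.g. `# TODO: quote the denial; confirm TCP is really used rather than silencing it with a deny rule`, so a later audit can tell whether TCP is genuinely needed. The dbus-daemon it starts is executed `rPUx`, so this rule only covers the launcher's own sockets, not the daemon's.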
@@ -42,5 +45,5 @@ profile at-spi-bus-launcher @{exec_path} { owner @{HOME}/.xsession-errors w, /var/log/lightdm/seat[0-9]*-greeter.log w, - #include if exists + include if exists } diff --git a/apparmor.d/at-spi2-registryd b/apparmor.d/at-spi2-registryd index 04b82dfc2..468dba129 100644 --- a/apparmor.d/at-spi2-registryd +++ b/apparmor.d/at-spi2-registryd @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd @{exec_path} += /usr/libexec/at-spi2-registryd profile at-spi2-registryd @{exec_path} { - #include - #include - #include + include + include + include # Needed? deny capability sys_nice, @@ -32,5 +32,5 @@ profile at-spi2-registryd @{exec_path} { owner @{HOME}/.xsession-errors w, owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/atftpd b/apparmor.d/atftpd index bbeec5245..562e484ce 100644 --- a/apparmor.d/atftpd +++ b/apparmor.d/atftpd @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/atftpd profile atftpd @{exec_path} { - #include - #include + include + include # to run atftpd daemon as nobody/nogroup capability setgid, @@ -31,5 +31,5 @@ profile atftpd @{exec_path} { # for libwrap (TCP Wrapper) support /etc/hosts.{,allow,deny} r, - #include if exists + include if exists } diff --git a/apparmor.d/atom b/apparmor.d/atom index 3f69cf159..547e8763b 100644 --- a/apparmor.d/atom +++ b/apparmor.d/atom 
@@ -9,30 +9,30 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom profile atom @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include # The following doesn't seem to be needed ##include ##include ##include ##include - #include + include ##include ##include - #include - #include + include + include ptrace (read) peer=child-lsb_release, ptrace (read) peer=xdg-settings, @@ -169,10 +169,10 @@ profile atom @{exec_path} { profile gpg { - #include - #include - #include - #include + include + include + include + include /{usr/,}bin/gpg mr, @@ -186,8 +186,8 @@ profile atom @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -203,5 +203,5 @@ profile atom @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/badblocks b/apparmor.d/badblocks index 4073d695d..000aea5e1 100644 --- a/apparmor.d/badblocks +++ b/apparmor.d/badblocks @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/badblocks profile badblocks @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, @@ -28,5 +28,5 @@ profile badblocks @{exec_path} { @{HOME}/** rwk, /media/*/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/bin.netstat b/apparmor.d/bin.netstat index a05e67b03..977f76c7c 100644 --- a/apparmor.d/bin.netstat +++ b/apparmor.d/bin.netstat 
@@ -14,15 +14,15 @@ # give evolution access to significant chunks of /proc # -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/netstat profile netstat @{exec_path} { - #include - #include - #include + include + include + include capability dac_read_search, capability syslog, diff --git a/apparmor.d/bin.ping b/apparmor.d/bin.ping index 2ed7af5f2..dddeb71eb 100644 --- a/apparmor.d/bin.ping +++ b/apparmor.d/bin.ping @@ -10,11 +10,13 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile ping /{usr/,}bin/{,iputils-}ping { - #include - #include - #include + include + include + include #capability net_raw, # Not needed when sysctl net.ipv4.ping_group_range is set #capability setuid, # Not needed anymore since it's not SETUID binary @@ -25,5 +27,5 @@ profile ping /{usr/,}bin/{,iputils-}ping { /etc/modules.conf r, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/biosdecode b/apparmor.d/biosdecode index edf4211f6..907fa9f68 100644 --- a/apparmor.d/biosdecode +++ b/apparmor.d/biosdecode @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/biosdecode profile biosdecode @{exec_path} { - #include + include # Needed to read the /dev/mem device capability sys_rawio, @@ -24,5 +24,5 @@ profile biosdecode @{exec_path} { /dev/mem r, - #include if exists + include if exists } diff --git a/apparmor.d/birdtray b/apparmor.d/birdtray index 4f96ab97a..f17ab2c31 100644 --- a/apparmor.d/birdtray +++ b/apparmor.d/birdtray 
@@ -9,25 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/birdtray profile birdtray @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet, + network inet6, + network netlink dgram, @{exec_path} mr, @@ -78,8 +82,8 @@ profile birdtray @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -93,8 +97,8 @@ profile birdtray @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } - #include if exists + include if exists } diff --git a/apparmor.d/blkid b/apparmor.d/blkid index 0dbe7cce1..13ee01028 100644 --- a/apparmor.d/blkid +++ b/apparmor.d/blkid @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/blkid profile blkid @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -38,5 +38,5 @@ profile blkid @{exec_path} { @{HOME}/** r, /media/*/** r, - #include if exists + include if exists } diff --git a/apparmor.d/blockdev b/apparmor.d/blockdev index c530833d2..c4c96ecb1 100644 --- a/apparmor.d/blockdev +++ b/apparmor.d/blockdev @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/blockdev profile blockdev @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile blockdev @{exec_path} { @{PROC}/partitions r, - #include if exists + include if exists } diff --git a/apparmor.d/bluetoothctl b/apparmor.d/bluetoothctl index 044739b28..f34be1b38 100644 
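Review bot: birdtray's new `network inet,` and `network inet6,` omit the socket type, so they also permit raw sockets, while every other profile touched by this commit names `stream` or `dgram` explicitly. Unless birdtray needs something beyond TCP and UDP, these should read `network inet stream,` / `network inet6 stream,` plus the matching `dgram` pair, consistent with the apt-methods-http and apt-listbugs hunks. `network netlink dgram,` is fine as written.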
--- a/apparmor.d/bluetoothctl +++ b/apparmor.d/bluetoothctl @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/bluetoothctl profile bluetoothctl @{exec_path} { - #include + include @{exec_path} mr, /etc/inputrc r, - #include if exists + include if exists } diff --git a/apparmor.d/bluetoothd b/apparmor.d/bluetoothd index 5c5bfe762..11377a410 100644 --- a/apparmor.d/bluetoothd +++ b/apparmor.d/bluetoothd @@ -9,19 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/bluetooth/bluetoothd @{exec_path} += /usr/libexec/bluetooth/bluetoothd profile bluetoothd @{exec_path} { - #include + include # Needed for configuring HCI interfaces capability net_admin, capability net_bind_service, + network bluetooth, + network netlink raw, + @{exec_path} mr, /{usr/,}lib/@{multiarch}/bluetooth/plugins/*.so mr, @@ -39,5 +42,5 @@ profile bluetoothd @{exec_path} { /var/lib/bluetooth/{,**} rw, - #include if exists + include if exists } diff --git a/apparmor.d/bmon b/apparmor.d/bmon index f8f2286ba..a4cfba00a 100644 --- a/apparmor.d/bmon +++ b/apparmor.d/bmon @@ -9,17 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/bmon profile bmon @{exec_path} { - #include + include + + network netlink raw, @{exec_path} mr, /etc/bmon.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/borg b/apparmor.d/borg index 4ceac9981..537039ea2 100644 --- a/apparmor.d/borg +++ b/apparmor.d/borg 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BACKUP_DIR} = /media/Arti/backup-* @{exec_path} = /{usr/,}bin/borg profile borg @{exec_path} { - #include - #include + include + include # For reading files of other users as root capability dac_read_search, @@ -85,7 +85,7 @@ profile borg @{exec_path} { profile ccache { - #include + include /{usr/,}bin/ccache mr, @@ -95,5 +95,5 @@ profile borg @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/brave b/apparmor.d/brave index 570a63224..76b104015 100644 --- a/apparmor.d/brave +++ b/apparmor.d/brave @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev} @{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev} @@ -19,20 +19,20 @@ @{exec_path} = @{BRAVE_INSTALLDIR}/brave{,-beta,-dev} profile brave @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include capability sys_ptrace, @@ -204,8 +204,8 @@ profile brave @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -220,5 +220,5 @@ profile brave @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/brave-browser b/apparmor.d/brave-browser index 48503730e..c47bb3ab2 100644 --- a/apparmor.d/brave-browser +++ b/apparmor.d/brave-browser 
@@ -13,15 +13,15 @@ @{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{BRAVE_CACHEDIR} = @{HOME}/.cache/BraveSoftware/Brave-Browser{,-Beta,-Dev} -#abi , +abi , -#include +include @{exec_path} = @{BRAVE_INSTALLDIR}/brave-browser{,-beta,-dev} profile brave-browser @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -36,5 +36,5 @@ profile brave-browser @{exec_path} { owner @{PROC}/@{pid}/fd/63 w, - #include if exists + include if exists } diff --git a/apparmor.d/brave-sandbox b/apparmor.d/brave-sandbox index 5cef49b71..1a4a1f435 100644 --- a/apparmor.d/brave-sandbox +++ b/apparmor.d/brave-sandbox @@ -13,14 +13,14 @@ @{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{BRAVE_CACHEDIR} = @{HOME}/.cache/BraveSoftware/Brave-Browser{,-Beta,-Dev} -#abi , +abi , -#include +include @{exec_path} = @{BRAVE_INSTALLDIR}/{brave,chrome}-sandbox profile brave-sandbox @{exec_path} { - #include - #include + include + include # For kernel unprivileged user namespaces capability sys_admin, @@ -35,5 +35,5 @@ profile brave-sandbox @{exec_path} { @{PROC}/@{pids}/ r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs b/apparmor.d/btrfs index 35093b741..2bca2e10b 100644 --- a/apparmor.d/btrfs +++ b/apparmor.d/btrfs @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/{btrfs,btrfsck} profile btrfs @{exec_path} { - #include - #include - #include + include + include + include capability sys_admin, capability fowner, @@ -53,5 +53,5 @@ profile btrfs @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs-convert b/apparmor.d/btrfs-convert index bfefeafc6..923138f5a 100644 
--- a/apparmor.d/btrfs-convert +++ b/apparmor.d/btrfs-convert @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfs-convert profile btrfs-convert @{exec_path} { - #include - #include + include + include @{exec_path} mr, owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs-find-root b/apparmor.d/btrfs-find-root index 110718974..c4f85c4d4 100644 --- a/apparmor.d/btrfs-find-root +++ b/apparmor.d/btrfs-find-root @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfs-find-root profile btrfs-find-root @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile btrfs-find-root @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs-image b/apparmor.d/btrfs-image index 9fb7d4e2c..f18b07102 100644 --- a/apparmor.d/btrfs-image +++ b/apparmor.d/btrfs-image @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfs-image profile btrfs-image @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -28,5 +28,5 @@ profile btrfs-image @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs-map-logical b/apparmor.d/btrfs-map-logical index 4ee7b0747..4c9c935d0 100644 --- a/apparmor.d/btrfs-map-logical +++ b/apparmor.d/btrfs-map-logical 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfs-map-logical profile btrfs-map-logical @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile btrfs-map-logical @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs-select-super b/apparmor.d/btrfs-select-super index b0f13786a..9f0fa81fa 100644 --- a/apparmor.d/btrfs-select-super +++ b/apparmor.d/btrfs-select-super @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfs-select-super profile btrfs-select-super @{exec_path} { - #include - #include + include + include @{exec_path} mr, owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/btrfstune b/apparmor.d/btrfstune index c799f57f1..b27352dc1 100644 --- a/apparmor.d/btrfstune +++ b/apparmor.d/btrfstune @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfstune profile btrfstune @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile btrfstune @{exec_path} { owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - #include if exists + include if exists } diff --git a/apparmor.d/calibre b/apparmor.d/calibre index 383e250ca..dd30415b5 100644 --- a/apparmor.d/calibre +++ b/apparmor.d/calibre @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # PDF extensions # pdf, epub, txt, html, mhtml, ps, mobi, djvu 
@@ -30,23 +30,23 @@ @{exec_path} += /{usr/,}bin/lrs2lrf /{usr/,}bin/lrf2lrs /{usr/,}bin/lrfviewer @{exec_path} += /{usr/,}bin/web2disk profile calibre @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". @@ -58,6 +58,8 @@ profile calibre @{exec_path} { capability sys_ptrace, + network netlink raw, + @{exec_path} mrix, /{usr/,}bin/python3.[0-9]* r, @@ -172,14 +174,17 @@ profile calibre @{exec_path} { /etc/inputrc r, /etc/magic r, + # Silencer + deny /usr/lib/python3/dist-packages/**.pyc.[0-9]* w, + # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -205,5 +210,5 @@ profile calibre @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/cawbird b/apparmor.d/cawbird index 10d422ab4..5dd850c8c 100644 --- a/apparmor.d/cawbird +++ b/apparmor.d/cawbird @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/cawbird profile cawbird @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -49,7 +49,7 @@ profile cawbird @{exec_path} { /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, # This is needed as cawbird stores its settings in the dconf database. - #include + include @{run}/user/[0-9]*/dconf/user rw, /var/lib/dbus/machine-id r, 
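Review bot: The `# Silencer` comment above the new `deny /usr/lib/python3/dist-packages/**.pyc.[0-9]* w,` rule in calibre says nothing about what is being silenced or why denying it is harmless. The pattern looks like CPython's temporary bytecode file (`<module>.pyc.<number>`) that importlib writes before renaming it into place, which an unprivileged process cannot do under a system directory anyway; suggest `# Python tries to rewrite stale bytecode caches under the system dist-packages dir; not needed, so deny quietly` (deny rules are not logged by default, which is the actual point of the rule). The `network netlink raw,` added earlier in the same file has no comment either, and a short note on which component opens the socket would let the next maintainer judge whether it can be dropped. Both hunks sit inside the calibre profile, whose body extends beyond the visible lines.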
@@ -71,8 +71,8 @@ profile cawbird @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -88,5 +88,5 @@ profile cawbird @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/ccze b/apparmor.d/ccze index 8542859aa..0b21202a3 100644 --- a/apparmor.d/ccze +++ b/apparmor.d/ccze @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ccze profile ccze @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -25,5 +25,5 @@ profile ccze @{exec_path} { /etc/cczerc r, - #include if exists + include if exists } diff --git a/apparmor.d/cfdisk b/apparmor.d/cfdisk index cea54cf95..612898d57 100644 --- a/apparmor.d/cfdisk +++ b/apparmor.d/cfdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cfdisk profile cfdisk @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -40,5 +40,5 @@ profile cfdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/cgdisk b/apparmor.d/cgdisk index 5ffd5bdfe..61a1b3ed8 100644 --- a/apparmor.d/cgdisk +++ b/apparmor.d/cgdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cgdisk profile cgdisk @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -32,5 +32,5 @@ profile cgdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/cgrulesengd b/apparmor.d/cgrulesengd index 83443fdde..d834c5efe 100644 --- a/apparmor.d/cgrulesengd +++ b/apparmor.d/cgrulesengd 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cgrulesengd profile cgrulesengd @{exec_path} { - #include - #include + include + include # For creating Unix domain sockets/IPC sockets: # socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3 @@ -32,6 +32,8 @@ profile cgrulesengd @{exec_path} { # To be able to read the /proc/ files of all processes in the system. capability dac_read_search, + network netlink dgram, + ptrace (read), @{exec_path} mr, @@ -48,5 +50,5 @@ profile cgrulesengd @{exec_path} { /etc/cgconfig.conf r, /etc/cgrules.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/chage b/apparmor.d/chage index bdd346d31..817a5baf2 100644 --- a/apparmor.d/chage +++ b/apparmor.d/chage @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/chage profile chage @{exec_path} { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -38,5 +38,5 @@ profile chage @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/changestool b/apparmor.d/changestool index f03af5709..991b8aeb5 100644 --- a/apparmor.d/changestool +++ b/apparmor.d/changestool @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/changestool profile changestool @{exec_path} { - #include + include @{exec_path} mr, @@ -32,7 +32,7 @@ profile changestool @{exec_path} { profile gpg { - #include + include /{usr/,}bin/gpg mr, /{usr/,}bin/gpgconf mr, @@ -43,5 +43,5 @@ profile changestool @{exec_path} { } - #include if exists + include if exists } 
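Review bot: The new `network netlink dgram,` in cgrulesengd is placed after the `capability dac_read_search` block, while the comment that explains the socket (`# socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3`) sits at the top of the profile next to the capability it was written for. Consider moving the rule under that comment, or adding a pointer such as `# NETLINK_CONNECTOR socket, see comment above`, so the rule and its justification are read together. The profile body continues past the hunk.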
diff --git a/apparmor.d/check-bios-nx b/apparmor.d/check-bios-nx index d122dc552..14cff05d0 100644 --- a/apparmor.d/check-bios-nx +++ b/apparmor.d/check-bios-nx @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/check-bios-nx profile check-bios-nx @{exec_path} { - #include - #include + include + include # To remove the following errors: # /usr/sbin/check-bios-nx: 19: cannot create /dev/stderr: Permission denied @@ -37,7 +37,7 @@ profile check-bios-nx @{exec_path} { profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -51,5 +51,5 @@ profile check-bios-nx @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/check-support-status b/apparmor.d/check-support-status index 8c55381a5..40d9926f6 100644 --- a/apparmor.d/check-support-status +++ b/apparmor.d/check-support-status @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/check-support-status profile check-support-status @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} rix, /{usr/,}bin/{,ba,da}sh rix, @@ -67,8 +67,8 @@ profile check-support-status @{exec_path} flags=(complain) { profile debconf-escape flags=(complain) { - #include - #include + include + include /{usr/,}bin/debconf-escape r, /{usr/,}bin/perl r, @@ -77,5 +77,5 @@ profile check-support-status @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/check-support-status-hook b/apparmor.d/check-support-status-hook index 0de24ca79..09e5171ba 100644 --- a/apparmor.d/check-support-status-hook +++ b/apparmor.d/check-support-status-hook 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/debian-security-support/check-support-status.hook profile check-support-status-hook @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -54,9 +54,9 @@ profile check-support-status-hook @{exec_path} flags=(complain) { profile debconf-escape flags=(complain) { - #include - #include - #include + include + include + include /{usr/,}bin/debconf-escape r, /{usr/,}bin/perl r, @@ -67,10 +67,10 @@ profile check-support-status-hook @{exec_path} flags=(complain) { } profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, @@ -86,10 +86,10 @@ profile check-support-status-hook @{exec_path} flags=(complain) { owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, # The following is needed when debconf uses GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -99,10 +99,12 @@ profile check-support-status-hook @{exec_path} flags=(complain) { } profile runuser flags=(complain) { - #include - #include - #include - #include + include + include + include + include + + network netlink raw, # To remove the following errors: # runuser: cannot set user id: Operation not permitted @@ -130,5 +132,5 @@ profile check-support-status-hook @{exec_path} flags=(complain) { owner /tmp/debian-security-support.postinst.*/output w, } - #include if exists + include if exists } diff --git a/apparmor.d/chfn b/apparmor.d/chfn index 73aa1bf87..9ea56e023 100644 --- a/apparmor.d/chfn +++ b/apparmor.d/chfn 
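Review bot: `network netlink raw,` is added to the runuser sub-profile with no explanation, and the same bare line appears in the chfn, chsh and cron hunks further down. Those three profiles already carry `capability audit_write` under a comment about the kernel audit log, so the netlink socket is presumably libaudit's NETLINK_AUDIT socket; if that is the case, placing the rule next to the audit_write capability with a comment such as `# libaudit opens a raw NETLINK_AUDIT socket to emit audit records` would make clear that neither line can be dropped without the other. Since netlink raw cannot be restricted to a single netlink protocol, the comment is the only record of intent. The runuser sub-profile body continues beyond the hunk, and it is flagged complain, so the underlying denial was only logged.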
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/chfn profile chfn @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -31,6 +31,8 @@ profile chfn @{exec_path} { # chfn is a SETUID binary capability setuid, + network netlink raw, + @{exec_path} mr, owner @{PROC}/@{pid}/loginuid r, @@ -47,5 +49,5 @@ profile chfn @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/child-dpkg b/apparmor.d/child-dpkg index 1fa3533d7..4c9d422ad 100644 --- a/apparmor.d/child-dpkg +++ b/apparmor.d/child-dpkg @@ -15,14 +15,14 @@ # is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -#abi , +abi , -#include +include # Do not attach to /{usr/,}bin/dpkg by default profile child-dpkg { - #include - #include + include + include # Needed? deny capability setgid, @@ -39,5 +39,5 @@ profile child-dpkg { # file_inherit /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/child-dpkg-divert b/apparmor.d/child-dpkg-divert index e1dde189a..b69b435a4 100644 --- a/apparmor.d/child-dpkg-divert +++ b/apparmor.d/child-dpkg-divert @@ -15,13 +15,13 @@ # it is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -#abi , +abi , -#include +include # Do not attach to /{usr/,}bin/dpkg-divert by default profile child-dpkg-divert { - #include + include /{usr/,}bin/dpkg-divert mr, @@ -35,5 +35,5 @@ profile child-dpkg-divert { # file_inherit /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } 
diff --git a/apparmor.d/child-lsb_release b/apparmor.d/child-lsb_release index 9be0414d6..9031c148c 100644 --- a/apparmor.d/child-lsb_release +++ b/apparmor.d/child-lsb_release @@ -15,15 +15,15 @@ # it is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -#abi , +abi , -#include +include # Do not attach to /{usr/,}bin/lsb_release by default profile child-lsb_release { - #include - #include - #include + include + include + include signal (receive) set=(term, kill), @@ -61,5 +61,6 @@ profile child-lsb_release { # deny /tmp/gtalkplugin.log w, /dev/dri/card[0-9]* rw, - #include if exists + # Site-specific additions and overrides. See local/README for details. + include if exists } diff --git a/apparmor.d/child-pager b/apparmor.d/child-pager index 9ca17b3dc..94eb4903e 100644 --- a/apparmor.d/child-pager +++ b/apparmor.d/child-pager @@ -15,14 +15,14 @@ # is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -#abi , +abi , -#include +include # Do not attach to /{usr/,}bin/pager by default profile child-pager { - #include - #include + include + include signal (receive) set=(stop, cont, term, kill), @@ -36,5 +36,5 @@ profile child-pager { # For shell pwd /root/ r, - #include if exists + include if exists } diff --git a/apparmor.d/child-systemctl b/apparmor.d/child-systemctl index 23717922d..f207d787c 100644 --- a/apparmor.d/child-systemctl +++ b/apparmor.d/child-systemctl @@ -15,15 +15,15 @@ # it is invoked from other confined applications, but not when it is # used in regular (unconfined) shell scripts or run directly by the user. -#abi , +abi , -#include +include # Do not attach to /{usr/,}bin/systemctl by default profile child-systemctl { - #include - #include - #include + include + include + include capability sys_ptrace, 
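Review bot: Only the child-lsb_release hunk gains the comment `# Site-specific additions and overrides. See local/README for details.` above `include if exists`, while every other profile in this series switches the same line without it. Either the comment belongs in all of them or it should be dropped here, so the local-override line reads the same everywhere; the one-off suggests this profile was synced from elsewhere. Also confirm that `local/README` exists in this tree before pointing readers at it.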
@@ -41,5 +41,5 @@ profile child-systemctl { /dev/kmsg w, - #include if exists + include if exists } diff --git a/apparmor.d/chromium b/apparmor.d/chromium index 61296c8a3..702e503a5 100644 --- a/apparmor.d/chromium +++ b/apparmor.d/chromium @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium @{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium @@ -19,9 +19,9 @@ @{exec_path} = /{usr/,}bin/chromium profile chromium @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, @@ -61,5 +61,5 @@ profile chromium @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/chromium-chrome-sandbox b/apparmor.d/chromium-chrome-sandbox index 8cdc3492e..79aa8f993 100644 --- a/apparmor.d/chromium-chrome-sandbox +++ b/apparmor.d/chromium-chrome-sandbox @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium @{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium @@ -20,8 +20,8 @@ @{exec_path} = @{CHROMIUM_INSTALLDIR}/chrome-sandbox profile chromium-chrome-sandbox @{exec_path} { - #include - #include + include + include # For kernel unprivileged user namespaces capability sys_admin, @@ -38,5 +38,5 @@ profile chromium-chrome-sandbox @{exec_path} { @{PROC}/@{pids}/ r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - #include if exists + include if exists } diff --git a/apparmor.d/chromium-chromium b/apparmor.d/chromium-chromium index 591156370..63a0e5e99 100644 --- a/apparmor.d/chromium-chromium +++ b/apparmor.d/chromium-chromium @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium @{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium 
@@ -19,20 +19,20 @@ @{exec_path} = @{CHROMIUM_INSTALLDIR}/chromium profile chromium-chromium @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". @@ -49,6 +49,12 @@ profile chromium-chromium @{exec_path} { signal (send) set=(term, kill) peer=keepassxc-proxy, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, @{CHROMIUM_INSTALLDIR}/chrome-sandbox rPx, @@ -84,6 +90,7 @@ profile chromium-chromium @{exec_path} { # Chromium home files owner @{HOME}/ r, + owner @{HOME}/.config/ r, owner @{CHROMIUM_HOMEDIR}/ rw, owner @{CHROMIUM_HOMEDIR}/** rwk, owner @{CHROMIUM_HOMEDIR}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw, @@ -185,8 +192,8 @@ profile chromium-chromium @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -204,5 +211,5 @@ profile chromium-chromium @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/chsh b/apparmor.d/chsh index ecbf3af19..78547ba41 100644 --- a/apparmor.d/chsh +++ b/apparmor.d/chsh @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/chsh profile chsh @{exec_path} { - #include - #include - #include - #include + include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -30,6 +30,8 @@ profile chsh @{exec_path} { # gpasswd is a SETUID binary capability setuid, + network netlink raw, + @{exec_path} mr, owner @{PROC}/@{pid}/loginuid r, 
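Review bot: The five `network` lines added to chromium-chromium come without any comment, and `network netlink raw,` in particular is a broad grant for a browser: AppArmor cannot narrow netlink to a protocol family, so this single line covers NETLINK_ROUTE together with audit, uevent and every other netlink family. If it is there for the network-change notifier's route/link queries, which is what I would expect, record that: `# netlink raw: network-change detection via NETLINK_ROUTE`. The inet/inet6 stream/dgram rules are reasonable for a browser, but a grouping comment such as `# HTTP(S), QUIC and DNS` would match the commented style of the rest of the profile. `owner @{HOME}/.config/ r,` is fine. The profile body continues on both sides of this hunk.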
@@ -48,5 +50,5 @@ profile chsh @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/claws-mail b/apparmor.d/claws-mail index 024fea13f..fa0c0098d 100644 --- a/apparmor.d/claws-mail +++ b/apparmor.d/claws-mail @@ -9,24 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/claws-mail profile claws-mail @{exec_path} flags=(complain) { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -78,7 +78,7 @@ profile claws-mail @{exec_path} flags=(complain) { profile gpg { - #include + include /{usr/,}bin/gpg mr, /{usr/,}bin/gpgsm mr, @@ -89,5 +89,5 @@ profile claws-mail @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/code b/apparmor.d/code index 3f0a69df4..86d599514 100644 --- a/apparmor.d/code +++ b/apparmor.d/code @@ -9,28 +9,28 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code profile code @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include # The following doesn't seem to be needed ##include ##include ##include ##include - #include - #include - #include + include + include + include ptrace (read) peer=child-lsb_release, @@ -142,6 +142,6 @@ profile code @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/colord b/apparmor.d/colord index f13da5f7a..661779a66 100644 --- a/apparmor.d/colord 
+++ b/apparmor.d/colord @@ -9,14 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/colord/colord /usr/libexec/colord profile colord @{exec_path} { - #include - #include + include + include + + network netlink raw, @{exec_path} mr, @@ -48,5 +50,5 @@ profile colord @{exec_path} { /usr/share/mime/mime.cache r, - #include if exists + include if exists } diff --git a/apparmor.d/colord-sane b/apparmor.d/colord-sane index 842c1367c..d8c767f8c 100644 --- a/apparmor.d/colord-sane +++ b/apparmor.d/colord-sane @@ -9,14 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/colord/colord-sane @{exec_path} += /usr/libexec/colord-sane profile colord-sane @{exec_path} flags=(complain) { - #include + include + + network netlink raw, @{exec_path} mr, @@ -43,5 +45,5 @@ profile colord-sane @{exec_path} flags=(complain) { @{PROC}/sys/dev/parport/ r, - #include if exists + include if exists } diff --git a/apparmor.d/colord-session b/apparmor.d/colord-session index c72c6981b..46b33c4d1 100644 --- a/apparmor.d/colord-session +++ b/apparmor.d/colord-session @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/colord/colord-session /usr/libexec/colord-session profile colord-session @{exec_path} flags=(complain) { - #include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/command-not-found b/apparmor.d/command-not-found index c326919ed..e2088009b 100644 --- a/apparmor.d/command-not-found +++ b/apparmor.d/command-not-found 
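Review bot: Both colord and colord-sane receive `network netlink raw,` with no explanation of which netlink family is opened. If the socket comes from libudev's device monitoring, the usual reason a device-oriented daemon touches netlink, a comment such as `# libudev uevent monitoring over netlink` would record the intent; I cannot confirm that from the hunk. colord-sane is flagged complain, so there the rule only stops a log entry rather than granting anything new. The include targets and the rest of each profile are outside the visible lines, so I also cannot tell whether an included abstraction already covers this.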
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/command-not-found/command-not-found @{exec_path} += /{usr/,}bin/command-not-found profile command-not-found @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -30,5 +30,5 @@ profile command-not-found @{exec_path} { /usr/share/command-not-found/{,**} r, - #include if exists + include if exists } diff --git a/apparmor.d/compton b/apparmor.d/compton index 90ad8c81a..4fdc93bb5 100644 --- a/apparmor.d/compton +++ b/apparmor.d/compton @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/compton profile compton @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -30,5 +30,5 @@ profile compton @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/conky b/apparmor.d/conky index 65160494e..2f3ecf475 100644 --- a/apparmor.d/conky +++ b/apparmor.d/conky @@ -9,21 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/conky profile conky @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, @{exec_path} mr, @@ -142,11 +145,14 @@ profile conky @{exec_path} { profile browse { - #include - #include - #include - #include - #include + include + include + include + include + include + + network inet, + network inet6, /{usr/,}bin/wget mr, /{usr/,}bin/curl mr, @@ -188,5 +194,5 @@ profile conky @{exec_path} { } - #include if exists + include if exists } 
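Review bot: In the conky `browse` sub-profile the new rules `network inet,` and `network inet6,` are unqualified, so they also permit raw sockets, whereas the additions to the main profile in the same file are restricted to `dgram`. wget and curl need TCP plus DNS, so the sub-profile can be held to the parent's standard: `network inet stream,`, `network inet6 stream,`, plus the dgram pair only if the included abstractions do not already provide name resolution. A comment on what the main profile's dgram rules serve (DNS lookups from conky's own network widgets, I assume) would also help. Both hunks are inside bodies that extend beyond the visible lines.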
diff --git a/apparmor.d/convertall b/apparmor.d/convertall index 54881e806..9e1980a71 100644 --- a/apparmor.d/convertall +++ b/apparmor.d/convertall @@ -9,24 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/convertall /usr/share/convertall/convertall.py profile convertall @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -49,5 +49,5 @@ profile convertall @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - #include if exists + include if exists } diff --git a/apparmor.d/cppw-cpgr b/apparmor.d/cppw-cpgr index 3a187bb2d..9992b69bc 100644 --- a/apparmor.d/cppw-cpgr +++ b/apparmor.d/cppw-cpgr @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cp{pw,gr} profile cppw-cpgr @{exec_path} { - #include + include # To set the right permission to the files in the /etc/ dir. capability chown, @@ -38,5 +38,5 @@ profile cppw-cpgr @{exec_path} { # Source of the files to be replaced owner /root/* r, - #include if exists + include if exists } diff --git a/apparmor.d/cpuid b/apparmor.d/cpuid index b643d96f8..e57352b4f 100644 --- a/apparmor.d/cpuid +++ b/apparmor.d/cpuid @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/cpuid profile cpuid @{exec_path} { - #include + include capability mknod, @@ -25,5 +25,5 @@ profile cpuid @{exec_path} { owner /tmp/cpuid* rw, - #include if exists + include if exists } diff --git a/apparmor.d/cpupower b/apparmor.d/cpupower index 24c32773b..7a4da3eef 100644 --- a/apparmor.d/cpupower 
+++ b/apparmor.d/cpupower @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/cpupower profile cpupower @{exec_path} { - #include + include # Needed to read the /dev/cpu/[0-9]*/msr device, and hence remove the following error: # Could not read perf-bias value[-1] @@ -48,7 +48,7 @@ profile cpupower @{exec_path} { profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -60,5 +60,5 @@ profile cpupower @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/crda b/apparmor.d/crda index ce72d7b05..86c16a5af 100644 --- a/apparmor.d/crda +++ b/apparmor.d/crda @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/crda profile crda @{exec_path} { - #include + include # For "iw reg set PL" capability net_admin, @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/cron b/apparmor.d/cron index bb20a9fea..91679ca5b 100644 --- a/apparmor.d/cron +++ b/apparmor.d/cron @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cron profile cron @{exec_path} { - #include - #include - #include - #include + include + include + include + include capability setuid, capability setgid, @@ -26,6 +26,8 @@ profile cron @{exec_path} { capability audit_write, capability sys_resource, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -77,7 +79,7 @@ profile cron @{exec_path} { /etc/security/limits.d/ r, profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -121,8 +123,8 @@ profile cron @{exec_path} { # file_inherit owner /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } - #include if exists + include if exists } diff --git a/apparmor.d/cron-apt b/apparmor.d/cron-apt index bfbdc462d..ac45526cd 100644 
--- a/apparmor.d/cron-apt +++ b/apparmor.d/cron-apt @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cron-apt profile cron-apt @{exec_path} { - #include - #include + include + include # Needed? capability setgid, @@ -92,5 +92,5 @@ profile cron-apt @{exec_path} { # file_inherit owner /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/cron-apt-listbugs b/apparmor.d/cron-apt-listbugs index c26954d58..2d6885ccb 100644 --- a/apparmor.d/cron-apt-listbugs +++ b/apparmor.d/cron-apt-listbugs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/apt-listbugs profile cron-apt-listbugs @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -26,7 +26,7 @@ profile cron-apt-listbugs @{exec_path} { profile prefclean { - #include + include /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr, @@ -41,5 +41,5 @@ profile cron-apt-listbugs @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/cron-apt-show-versions b/apparmor.d/cron-apt-show-versions index fda645e0e..9fd7598be 100644 --- a/apparmor.d/cron-apt-show-versions +++ b/apparmor.d/cron-apt-show-versions @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/apt-show-versions profile cron-apt-show-versions @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -25,5 +25,5 @@ profile cron-apt-show-versions @{exec_path} { # For shell pwd / r, - #include if exists + include if exists } diff --git a/apparmor.d/cron-apt-xapian-index b/apparmor.d/cron-apt-xapian-index index 36fc40f1c..9f2d3e2d9 100644 --- a/apparmor.d/cron-apt-xapian-index +++ b/apparmor.d/cron-apt-xapian-index 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.weekly/apt-xapian-index profile cron-apt-xapian-index @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -33,5 +33,5 @@ profile cron-apt-xapian-index @{exec_path} { # For shell pwd / r, - #include if exists + include if exists } diff --git a/apparmor.d/cron-aptitude b/apparmor.d/cron-aptitude index 99734edd7..a586ed379 100644 --- a/apparmor.d/cron-aptitude +++ b/apparmor.d/cron-aptitude @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/aptitude profile cron-aptitude @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -38,5 +38,5 @@ profile cron-aptitude @{exec_path} { /var/backups/ r, /var/backups/* rw, - #include if exists + include if exists } diff --git a/apparmor.d/cron-debsums b/apparmor.d/cron-debsums index 82a4c94ec..42de1e9eb 100644 --- a/apparmor.d/cron-debsums +++ b/apparmor.d/cron-debsums @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.{daily,weekly,monthly}/debsums profile cron-debsums @{exec_path} { - #include + include @{exec_path} mr, @@ -39,8 +39,8 @@ profile cron-debsums @{exec_path} { profile tee { - #include - #include + include + include # Needed to write to /proc/self/fd/3 capability dac_override, @@ -51,5 +51,5 @@ profile cron-debsums @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/cron-dlocate b/apparmor.d/cron-dlocate index b8d947868..d7d72ee24 100644 --- a/apparmor.d/cron-dlocate +++ b/apparmor.d/cron-dlocate 
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/dlocate profile cron-dlocate @{exec_path} { - #include + include @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/update-dlocatedb rPx, - #include if exists + include if exists } diff --git a/apparmor.d/cron-ipset-autoban-save b/apparmor.d/cron-ipset-autoban-save index 5d68ce1c0..fe46a4970 100644 --- a/apparmor.d/cron-ipset-autoban-save +++ b/apparmor.d/cron-ipset-autoban-save @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.hourly/ipset_autoban_save profile cron-ipset-autoban-save @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -25,5 +25,5 @@ profile cron-ipset-autoban-save @{exec_path} { /etc/peerblock/autoban rw, - #include if exists + include if exists } diff --git a/apparmor.d/cron-logrotate b/apparmor.d/cron-logrotate index 6123ef48d..149a82239 100644 --- a/apparmor.d/cron-logrotate +++ b/apparmor.d/cron-logrotate @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/logrotate profile cron-logrotate @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -27,5 +27,5 @@ profile cron-logrotate @{exec_path} { # For shell pwd / r, - #include if exists + include if exists } diff --git a/apparmor.d/cron-mlocate b/apparmor.d/cron-mlocate index f34cb78c9..bac4455b2 100644 --- a/apparmor.d/cron-mlocate +++ b/apparmor.d/cron-mlocate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/mlocate profile cron-mlocate @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, 
@@ -33,5 +33,5 @@ profile cron-mlocate @{exec_path} { @{run}/mlocate.daily.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/cron-popularity-contest b/apparmor.d/cron-popularity-contest index a108f6e12..ec02d6127 100644 --- a/apparmor.d/cron-popularity-contest +++ b/apparmor.d/cron-popularity-contest @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/popularity-contest profile cron-popularity-contest @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -66,7 +66,7 @@ profile cron-popularity-contest @{exec_path} { profile savelog { - #include + include /{usr/,}bin/savelog mr, @@ -92,10 +92,10 @@ profile cron-popularity-contest @{exec_path} { } profile runuser { - #include - #include - #include - #include + include + include + include + include /{usr/,}sbin/runuser mr, @@ -116,8 +116,8 @@ profile cron-popularity-contest @{exec_path} { } profile gpg { - #include - #include + include + include /{usr/,}bin/gpg mr, @@ -134,9 +134,9 @@ profile cron-popularity-contest @{exec_path} { } profile popcon-upload { - #include - #include - #include + include + include + include /usr/share/popularity-contest/popcon-upload r, /{usr/,}bin/perl r, @@ -151,5 +151,5 @@ profile cron-popularity-contest @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/crontab b/apparmor.d/crontab index b62c26b60..20956a82f 100644 --- a/apparmor.d/crontab +++ b/apparmor.d/crontab @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/crontab profile crontab @{exec_path} { - #include - #include - #include + include + include + include capability setgid, capability setuid, @@ -38,8 +38,8 @@ profile crontab @{exec_path} { profile editor { - #include - #include + include + include capability fsetid, 
@@ -62,5 +62,5 @@ profile crontab @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/curl b/apparmor.d/curl index ecd4b5350..18de592f2 100644 --- a/apparmor.d/curl +++ b/apparmor.d/curl @@ -9,18 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/curl profile curl @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} mr, @@ -34,5 +39,5 @@ profile curl @{exec_path} { @{PROC}/uptime r, @{PROC}/loadavg r, - #include if exists + include if exists } diff --git a/apparmor.d/dbus-daemon b/apparmor.d/dbus-daemon index 4a126d20b..665724006 100644 --- a/apparmor.d/dbus-daemon +++ b/apparmor.d/dbus-daemon @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dbus-daemon profile dbus-daemon @{exec_path} { - #include - #include + include + include capability setgid, capability setuid, @@ -24,6 +24,8 @@ profile dbus-daemon @{exec_path} { signal (receive) set=(term, kill), + network netlink raw, + @{exec_path} mr, /usr/libexec/* rPUx, @@ -40,6 +42,8 @@ profile dbus-daemon @{exec_path} { /usr/share/defaults/**.conf r, + @{sys}/module/apparmor/parameters/enabled r, + @{run}/systemd/users/[0-9]* r, owner @{run}/user/[0-9]*/dbus-1/ rw, owner @{run}/user/[0-9]*/dbus-1/services/ rw, @@ -47,5 +51,5 @@ profile dbus-daemon @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/dconf-editor b/apparmor.d/dconf-editor index 7f83c13da..038c773c3 100644 --- a/apparmor.d/dconf-editor +++ b/apparmor.d/dconf-editor 
@@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dconf-editor profile dconf-editor @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include @{exec_path} mr, @@ -41,5 +41,5 @@ profile dconf-editor @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/dconf-service b/apparmor.d/dconf-service index 29a49a91c..54b0b1f61 100644 --- a/apparmor.d/dconf-service +++ b/apparmor.d/dconf-service @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/dconf/dconf-service /usr/libexec/dconf-service profile dconf-service @{exec_path} { - #include + include # Needed? deny capability sys_nice, @@ -34,5 +34,5 @@ profile dconf-service @{exec_path} { @{PROC}/cmdline r, - #include if exists + include if exists } diff --git a/apparmor.d/ddclient b/apparmor.d/ddclient index d9e98a907..04f5fcb8b 100644 --- a/apparmor.d/ddclient +++ b/apparmor.d/ddclient @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ddclient profile ddclient @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -35,5 +35,5 @@ profile ddclient @{exec_path} { / r, - #include if exists + include if exists } diff --git a/apparmor.d/debconf-apt-progress b/apparmor.d/debconf-apt-progress index 31b2ffe91..6cfbb1a51 100644 --- a/apparmor.d/debconf-apt-progress +++ b/apparmor.d/debconf-apt-progress 
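Review bot: The ddclient hunk only turns the commented `#abi`/`#include` lines into live `abi`/`include` directives and adds no `network` rule, whereas the same commit adds `network inet stream,`/`network inet6 stream,` (plus the dgram variants) to curl, debsecan, dig and dirmngr. ddclient's job is to push dynamic-DNS updates over HTTP, so if enabling the abi declaration (its target is stripped from this rendering, presumably the abi/3.0 file this commit adds) is what makes network mediation effective for these profiles — as the pattern of additions suggests — ddclient will be denied its sockets unless one of its includes, also stripped here, supplies them. Worth confirming with the daemon running under the new abi before merging; dropbox, later in this series, is in the same position.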
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -29,10 +29,10 @@ profile debconf-apt-progress @{exec_path} flags=(complain) { profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, @@ -54,5 +54,5 @@ profile debconf-apt-progress @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/debconf-show b/apparmor.d/debconf-show index 9ce4281dc..1c8e29416 100644 --- a/apparmor.d/debconf-show +++ b/apparmor.d/debconf-show @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/debconf-show profile debconf-show @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -30,5 +30,5 @@ profile debconf-show @{exec_path} { /etc/shadow r, - #include if exists + include if exists } diff --git a/apparmor.d/deborphan b/apparmor.d/deborphan index 9867f070d..16006b331 100644 --- a/apparmor.d/deborphan +++ b/apparmor.d/deborphan @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/deborphan profile deborphan @{exec_path} { - #include + include @{exec_path} mr, @@ -27,7 +27,7 @@ profile deborphan @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.synaptic/selections.{update,proceed} w, - #include if exists + include if exists } diff --git a/apparmor.d/debsecan b/apparmor.d/debsecan index f497e94f6..fca624067 100644 --- a/apparmor.d/debsecan +++ b/apparmor.d/debsecan 
@@ -9,18 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/debsecan profile debsecan @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -48,5 +53,5 @@ profile debsecan @{exec_path} { # file_inherit /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/debsign b/apparmor.d/debsign index 58cf7d68e..b57a96bad 100644 --- a/apparmor.d/debsign +++ b/apparmor.d/debsign @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/debsign profile debsign @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -55,7 +55,7 @@ profile debsign @{exec_path} { /{usr/,}bin/gpg rCx -> gpg, profile gpg { - #include + include /{usr/,}bin/gpg mr, @@ -67,5 +67,5 @@ profile debsign @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/debsums b/apparmor.d/debsums index 068583a0e..6eaaeef04 100644 --- a/apparmor.d/debsums +++ b/apparmor.d/debsums @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/debsums profile debsums @{exec_path} { - #include - #include + include + include # Needed to read files owned by other users than root. capability dac_read_search, @@ -39,6 +39,7 @@ profile debsums @{exec_path} { # For shell pwd / r, + /root/ r, # Scanning files /{usr/,}bin/{,*} r, @@ -49,5 +50,5 @@ profile debsums @{exec_path} { /opt/{,**} r, /boot/{,**} r, - #include if exists + include if exists } 
diff --git a/apparmor.d/debtags b/apparmor.d/debtags index 5b2dcb3c9..b73cba2ef 100644 --- a/apparmor.d/debtags +++ b/apparmor.d/debtags @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/debtags profile debtags @{exec_path} { - #include - #include - #include - #include + include + include + include + include #capability sys_tty_config, @@ -41,5 +41,5 @@ profile debtags @{exec_path} { # file_inherit /var/log/cron-apt/temp w , - #include if exists + include if exists } diff --git a/apparmor.d/deluser b/apparmor.d/deluser index c5e3e08a1..52e071ff0 100644 --- a/apparmor.d/deluser +++ b/apparmor.d/deluser @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/del{user,group} profile deluser @{exec_path} { - #include - #include - #include - #include + include + include + include + include # The deluser command is issued as root and its task is to delete regular user accounts. It # optionally can remove user files (via --remove-home or --remove-all-files) or create a backup. @@ -53,7 +53,7 @@ profile deluser @{exec_path} { profile mount { - #include + include /{usr/,}bin/mount mr, @@ -63,5 +63,5 @@ profile deluser @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/df b/apparmor.d/df index e0fb09835..7e7256fab 100644 --- a/apparmor.d/df +++ b/apparmor.d/df @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/df profile df @{exec_path} { - #include + include capability dac_read_search, @@ -27,5 +27,5 @@ profile df @{exec_path} { / r, /**/ r, - #include if exists + include if exists } diff --git a/apparmor.d/dfc b/apparmor.d/dfc index 130797a01..e52e0999d 100644 --- a/apparmor.d/dfc +++ b/apparmor.d/dfc 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dfc profile dfc @{exec_path} { - #include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile dfc @{exec_path} { owner @{HOME}/.config/dfc/dfcrc r, owner @{HOME}/.dfcrc r, - #include if exists + include if exists } diff --git a/apparmor.d/dhclient b/apparmor.d/dhclient index 462b38145..421667c66 100644 --- a/apparmor.d/dhclient +++ b/apparmor.d/dhclient @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dhclient profile dhclient @{exec_path} { - #include - #include - #include + include + include + include # To remove the following errors: # dhclient[]: Open a socket for LPF: Operation not permitted @@ -31,6 +31,11 @@ profile dhclient @{exec_path} { #capability net_admin, audit deny capability sys_module, + network inet dgram, + network inet6 dgram, + network netlink raw, + network packet raw, + @{exec_path} mr, # To run dhclient scripts @@ -45,5 +50,5 @@ profile dhclient @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, - #include if exists + include if exists } diff --git a/apparmor.d/dhclient-script b/apparmor.d/dhclient-script index 6781ccce1..3e69842b4 100644 --- a/apparmor.d/dhclient-script +++ b/apparmor.d/dhclient-script @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dhclient-script profile dhclient-script @{exec_path} { - #include - #include - #include - #include + include + include + include + include # Needed? audit deny capability sys_module, @@ -94,7 +94,7 @@ profile dhclient-script @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -105,5 +105,5 @@ profile dhclient-script @{exec_path} { } - #include if exists + include if exists } 
diff --git a/apparmor.d/dig b/apparmor.d/dig index 9f96c4994..85c84bfba 100644 --- a/apparmor.d/dig +++ b/apparmor.d/dig @@ -9,15 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dig profile dig @{exec_path} { - #include - #include - #include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} mr, @@ -25,5 +31,5 @@ profile dig @{exec_path} { owner @{HOME}/.digrc r, - #include if exists + include if exists } diff --git a/apparmor.d/dirmngr b/apparmor.d/dirmngr index b125fe6ec..000504a80 100644 --- a/apparmor.d/dirmngr +++ b/apparmor.d/dirmngr @@ -9,15 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dirmngr profile dirmngr @{exec_path} { - #include - #include - #include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} mr, @@ -34,5 +39,5 @@ profile dirmngr @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, - #include if exists + include if exists } diff --git a/apparmor.d/discord b/apparmor.d/discord index c17222803..83790ded3 100644 --- a/apparmor.d/discord +++ b/apparmor.d/discord @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{DISCORD_LIBDIR} = /usr/share/discord @{DISCORD_HOMEDIR} = @{HOME}/.config/discord 
@@ -19,19 +19,19 @@ @{exec_path} = @{DISCORD_LIBDIR}/Discord /{usr/,}bin/discord profile discord @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) set=(kill, term) peer=@{profile_name}//lsb_release, @@ -39,6 +39,12 @@ profile discord @{exec_path} { deny capability sys_ptrace, deny ptrace (read), + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, # The following rules are needed only when the kernel.unprivileged_userns_clone option is set @@ -138,8 +144,8 @@ profile discord @{exec_path} { profile xdg-mime { - #include - #include + include + include /{usr/,}bin/xdg-mime mr, @@ -160,9 +166,9 @@ profile discord @{exec_path} { } profile lsb_release { - #include - #include - #include + include + include + include signal (receive) set=(kill, term) peer=discord, @@ -188,8 +194,8 @@ profile discord @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -205,5 +211,5 @@ profile discord @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/discord-chrome-sandbox b/apparmor.d/discord-chrome-sandbox index b839c1892..5a3cb9724 100644 --- a/apparmor.d/discord-chrome-sandbox +++ b/apparmor.d/discord-chrome-sandbox @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{DISCORD_LIBDIR} = /usr/share/discord @{DISCORD_HOMEDIR} = @{HOME}/.config/discord @@ -20,8 +20,8 @@ @{exec_path} = @{DISCORD_LIBDIR}/chrome-sandbox profile discord-chrome-sandbox @{exec_path} { - #include - #include + include + include # For kernel unprivileged user namespaces capability sys_admin, 
@@ -43,5 +43,5 @@ profile discord-chrome-sandbox @{exec_path} { @{PROC}/@{pids}/ r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - #include if exists + include if exists } diff --git a/apparmor.d/dkms b/apparmor.d/dkms index d5733489e..6a70947dc 100644 --- a/apparmor.d/dkms +++ b/apparmor.d/dkms @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dkms profile dkms @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -93,8 +93,8 @@ profile dkms @{exec_path} { profile kmod { - #include - #include + include + include /{usr/,}bin/kmod mr, @@ -107,5 +107,5 @@ profile dkms @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/dkms-autoinstaller b/apparmor.d/dkms-autoinstaller index fd4288aad..a65dbbd92 100644 --- a/apparmor.d/dkms-autoinstaller +++ b/apparmor.d/dkms-autoinstaller @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/dkms/dkms_autoinstaller profile dkms-autoinstaller @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -34,12 +34,12 @@ profile dkms-autoinstaller @{exec_path} { profile run-parts { - #include - #include + include + include /{usr/,}bin/run-parts mr, } - #include if exists + include if exists } diff --git a/apparmor.d/dlocate b/apparmor.d/dlocate index c36987db6..4f5fbe9cf 100644 --- a/apparmor.d/dlocate +++ b/apparmor.d/dlocate @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dlocate profile dlocate @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} rix, /{usr/,}bin/{,ba,da}sh rix, 
@@ -58,7 +58,7 @@ profile dlocate @{exec_path} { profile md5sum { - #include + include /{usr/,}bin/md5sum mr, @@ -68,5 +68,5 @@ profile dlocate @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/dmcrypt-get-device b/apparmor.d/dmcrypt-get-device index dca3663e7..ce86e8fb8 100644 --- a/apparmor.d/dmcrypt-get-device +++ b/apparmor.d/dmcrypt-get-device @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/eject/dmcrypt-get-device profile dmcrypt-get-device @{exec_path} flags=(complain) { - #include + include capability sys_admin, capability setgid, @@ -28,5 +28,5 @@ profile dmcrypt-get-device @{exec_path} flags=(complain) { /dev/mapper/control rw, - #include if exists + include if exists } diff --git a/apparmor.d/dmesg b/apparmor.d/dmesg index 130ffb362..d36b5d770 100644 --- a/apparmor.d/dmesg +++ b/apparmor.d/dmesg @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dmesg profile dmesg @{exec_path} { - #include + include capability syslog, @@ -23,5 +23,5 @@ profile dmesg @{exec_path} { /dev/kmsg r, - #include if exists + include if exists } diff --git a/apparmor.d/dmidecode b/apparmor.d/dmidecode index 03a34fabf..9833adb24 100644 --- a/apparmor.d/dmidecode +++ b/apparmor.d/dmidecode @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dmidecode profile dmidecode @{exec_path} { - #include + include @{exec_path} mr, @@ -30,5 +30,5 @@ profile dmidecode @{exec_path} { # For dumping the output to a file owner /tmp/dump.bin rw, - #include if exists + include if exists } diff --git a/apparmor.d/dnscrypt-proxy b/apparmor.d/dnscrypt-proxy index 770b2c20c..56b95e82c 100644 --- a/apparmor.d/dnscrypt-proxy +++ b/apparmor.d/dnscrypt-proxy 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dnscrypt-proxy profile dnscrypt-proxy @{exec_path} { - #include - #include - #include + include + include + include # To bind to the 53 tcp/udp port (when systemd's sockets aren't used). capability net_bind_service, @@ -26,6 +26,14 @@ profile dnscrypt-proxy @{exec_path} { capability setgid, capability setuid, + # Needed? + capability net_admin, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + @{exec_path} mrix, # dnscrypt-proxy config files @@ -70,5 +78,5 @@ profile dnscrypt-proxy @{exec_path} { # Needed? deny /etc/ssl/certs/java/ r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg b/apparmor.d/dpkg index f52e3b838..ee55b789f 100644 --- a/apparmor.d/dpkg +++ b/apparmor.d/dpkg @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg profile dpkg @{exec_path} { - #include - #include + include + include # To set proper ownership/permissions of installed files. capability chown, @@ -116,8 +116,8 @@ profile dpkg @{exec_path} { profile diff { - #include - #include + include + include /{usr/,}bin/ r, /{usr/,}bin/pager mr, @@ -136,7 +136,7 @@ profile dpkg @{exec_path} { } profile scripts { - #include + include /var/lib/dpkg/info/*.config r, /var/lib/dpkg/info/*.{preinst,postinst} r, @@ -152,5 +152,5 @@ profile dpkg @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-architecture b/apparmor.d/dpkg-architecture index b72e69f2d..2a1936222 100644 --- a/apparmor.d/dpkg-architecture +++ b/apparmor.d/dpkg-architecture 
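Review bot: `capability net_admin,` is added to dnscrypt-proxy under a `# Needed?` comment, i.e. granted on speculation, and net_admin permits interface, routing and firewall configuration — far beyond what a resolver that only needs to bind port 53 (`capability net_bind_service,` just above, with its own comment) should hold in an enforcing profile. Until a logged denial shows the daemon actually exercising it, keep it disabled the way this tree does for dhclient (`#capability net_admin,`), or make the grant observable with the `audit` qualifier the profiles already apply to `sys_module`. The dnscrypt-proxy profile body continues outside the hunk.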
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-architecture profile dpkg-architecture @{exec_path} { - #include - #include + include + include @{exec_path} r, /usr/bin/perl r, @@ -33,7 +33,7 @@ profile dpkg-architecture @{exec_path} { profile ccache { - #include + include /{usr/,}bin/ccache mr, @@ -43,5 +43,5 @@ profile dpkg-architecture @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-buildflags b/apparmor.d/dpkg-buildflags index d6b657e66..0d0c5656f 100644 --- a/apparmor.d/dpkg-buildflags +++ b/apparmor.d/dpkg-buildflags @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-buildflags profile dpkg-buildflags @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -28,5 +28,5 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { owner @{HOME}/.config/dpkg/buildflags.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-checkbuilddeps b/apparmor.d/dpkg-checkbuilddeps index 19458871a..b7dbf3907 100644 --- a/apparmor.d/dpkg-checkbuilddeps +++ b/apparmor.d/dpkg-checkbuilddeps @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -33,5 +33,5 @@ profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { # For package building owner @{BUILD_DIR}/**/debian/control r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-deb b/apparmor.d/dpkg-deb index 01fed4629..b89baef59 100644 --- a/apparmor.d/dpkg-deb +++ b/apparmor.d/dpkg-deb 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dpkg-deb profile dpkg-deb @{exec_path} { - #include - #include - #include + include + include + include #capability sys_tty_config, @@ -45,5 +45,5 @@ profile dpkg-deb @{exec_path} { # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-divert b/apparmor.d/dpkg-divert index fb055b869..714c6ca6d 100644 --- a/apparmor.d/dpkg-divert +++ b/apparmor.d/dpkg-divert @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-divert profile dpkg-divert @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -28,5 +28,5 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-genbuildinfo b/apparmor.d/dpkg-genbuildinfo index 9ebccdd28..67a2959c2 100644 --- a/apparmor.d/dpkg-genbuildinfo +++ b/apparmor.d/dpkg-genbuildinfo @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dpkg-genbuildinfo profile dpkg-genbuildinfo @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -42,5 +42,5 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) { /usr/local/include/ r, /usr/local/etc/ r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-genchanges b/apparmor.d/dpkg-genchanges index beb3e0792..a96c49719 100644 --- a/apparmor.d/dpkg-genchanges +++ b/apparmor.d/dpkg-genchanges 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dpkg-genchanges profile dpkg-genchanges @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -31,5 +31,5 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { # For package building owner @{BUILD_DIR}/** r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-preconfigure b/apparmor.d/dpkg-preconfigure index 914c0e61c..35686aeb6 100644 --- a/apparmor.d/dpkg-preconfigure +++ b/apparmor.d/dpkg-preconfigure @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dpkg-preconfigure profile dpkg-preconfigure @{exec_path} { - #include - #include - #include - #include + include + include + include + include #capability sys_tty_config, @@ -44,10 +44,10 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -56,5 +56,5 @@ profile dpkg-preconfigure @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-query b/apparmor.d/dpkg-query index 1e13965a9..8b77827b8 100644 --- a/apparmor.d/dpkg-query +++ b/apparmor.d/dpkg-query @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-query profile dpkg-query @{exec_path} { - #include - #include + include + include @{exec_path} mr, 
@@ -31,5 +31,5 @@ profile dpkg-query @{exec_path} { # file_inherit /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-split b/apparmor.d/dpkg-split index 39fad099d..539672b3c 100644 --- a/apparmor.d/dpkg-split +++ b/apparmor.d/dpkg-split @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dpkg-split profile dpkg-split @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -32,5 +32,5 @@ profile dpkg-split @{exec_path} { # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-trigger b/apparmor.d/dpkg-trigger index 71fece4c5..ce4de7535 100644 --- a/apparmor.d/dpkg-trigger +++ b/apparmor.d/dpkg-trigger @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-trigger profile dpkg-trigger @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -25,5 +25,5 @@ profile dpkg-trigger @{exec_path} { /var/lib/dpkg/triggers/ r, /var/lib/dpkg/triggers/Unincorp{,.new} rw, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-vendor b/apparmor.d/dpkg-vendor index 439c9ee79..5060d6f59 100644 --- a/apparmor.d/dpkg-vendor +++ b/apparmor.d/dpkg-vendor @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-vendor profile dpkg-vendor @{exec_path} { - #include - #include + include + include @{exec_path} r, /usr/bin/perl r, /etc/dpkg/origins/* r, - #include if exists + include if exists } diff --git a/apparmor.d/dropbox b/apparmor.d/dropbox index 5a40b872a..95e1f55bd 100644 --- a/apparmor.d/dropbox +++ b/apparmor.d/dropbox 
@@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{DROPBOX_DEMON_DIR}=@{HOME}/.dropbox-dist/ @{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/ @@ -19,18 +19,18 @@ @{exec_path} = /{usr/,}bin/dropbox profile dropbox @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include ptrace peer=@{profile_name}, @@ -130,8 +130,8 @@ profile dropbox @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -147,5 +147,5 @@ profile dropbox @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/dumpcap b/apparmor.d/dumpcap index 2eddf5f03..86fcd69b0 100644 --- a/apparmor.d/dumpcap +++ b/apparmor.d/dumpcap @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dumpcap profile dumpcap @{exec_path} { - #include + include # To capture packekts capability net_raw, @@ -23,6 +23,13 @@ profile dumpcap @{exec_path} { signal (receive) peer=wireshark, + network inet dgram, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + network bluetooth raw, + @{exec_path} mr, @{sys}/class/net/ r, @@ -36,7 +43,7 @@ profile dumpcap @{exec_path} { /dev/ r, # Traffic log files - owner /tmp/wireshark_*_[0-9]*_*.pcapng rw, + owner /tmp/wireshark_*.pcapng rw, owner /tmp/*.pcap rw, # file_inherit @@ -44,5 +51,5 @@ profile dumpcap @{exec_path} { /usr/share/GeoIP/* r, /dev/dri/card[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/dumpe2fs b/apparmor.d/dumpe2fs index 0abb92a04..91cc5c63d 100644 --- a/apparmor.d/dumpe2fs +++ b/apparmor.d/dumpe2fs 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{dumpe2fs,e2mmpstatus} profile dumpe2fs @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -28,5 +28,5 @@ profile dumpe2fs @{exec_path} { @{HOME}/** r, /media/*/** r, - #include if exists + include if exists } diff --git a/apparmor.d/e2fsck b/apparmor.d/e2fsck index 11005abb8..5e713e505 100644 --- a/apparmor.d/e2fsck +++ b/apparmor.d/e2fsck @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{e2fsck,fsck.ext2,fsck.ext3,fsck.ext4} profile e2fsck @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -39,5 +39,5 @@ profile e2fsck @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/e2image b/apparmor.d/e2image index ceaf29bec..55684bc6d 100644 --- a/apparmor.d/e2image +++ b/apparmor.d/e2image @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/e2image profile e2image @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -30,5 +30,5 @@ profile e2image @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/edid-decode b/apparmor.d/edid-decode index 31074dad6..02a75aaba 100644 --- a/apparmor.d/edid-decode +++ b/apparmor.d/edid-decode 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/edid-decode profile edid-decode @{exec_path} { - #include + include @{exec_path} mr, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/*/edid r, - #include if exists + include if exists } diff --git a/apparmor.d/eject b/apparmor.d/eject index 424d1dcea..15259941b 100644 --- a/apparmor.d/eject +++ b/apparmor.d/eject @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/eject profile eject @{exec_path} { - #include - #include + include + include capability sys_rawio, @@ -31,5 +31,5 @@ profile eject @{exec_path} { /etc/fstab r, - #include if exists + include if exists } diff --git a/apparmor.d/engrampa b/apparmor.d/engrampa index 5c6fd20b8..7650fa95a 100644 --- a/apparmor.d/engrampa +++ b/apparmor.d/engrampa @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/engrampa profile engrampa @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -90,8 +90,8 @@ profile engrampa @{exec_path} { profile open { - #include - #include + include + include /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, /{usr/,}bin/xdg-open mr, @@ -111,5 +111,5 @@ profile engrampa @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/execute-dcut b/apparmor.d/execute-dcut index 28af931a0..8596db4d9 100644 --- a/apparmor.d/execute-dcut +++ b/apparmor.d/execute-dcut 
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dcut /usr/share/dput/execute-dcut profile execute-dcut @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - #include if exists + include if exists } diff --git a/apparmor.d/execute-dput b/apparmor.d/execute-dput index c36146510..d65c5a17f 100644 --- a/apparmor.d/execute-dput +++ b/apparmor.d/execute-dput @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dput /usr/share/dput/execute-dput profile execute-dput @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -48,7 +48,7 @@ profile execute-dput @{exec_path} flags=(complain) { profile gpg { - #include + include /{usr/,}bin/gpgconf mr, /{usr/,}bin/gpg mr, @@ -59,5 +59,5 @@ profile execute-dput @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/exim4 b/apparmor.d/exim4 index c68ebf3e9..17477a37e 100644 --- a/apparmor.d/exim4 +++ b/apparmor.d/exim4 @@ -9,15 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/exim4 profile exim4 @{exec_path} { - #include - #include - #include + include + include + include + + network inet, + network inet6, + network netlink raw, @{exec_path} mrix, @@ -60,5 +64,5 @@ profile exim4 @{exec_path} { /var/lib/dpkg/status r, /var/log/cron-apt/lastfullmessage r, - #include if exists + include if exists } diff --git a/apparmor.d/exo-compose-mail b/apparmor.d/exo-compose-mail index b23968b8b..fde8fc5e4 100644 --- a/apparmor.d/exo-compose-mail +++ b/apparmor.d/exo-compose-mail 
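Review bot: `network inet,` and `network inet6,` in the exim4 `@@ -9,15 +9,19 @@` hunk carry no socket type, so they allow every type for those families (stream, dgram and raw), which is broader than the `stream`/`dgram` form this same commit uses for firefox, flameshot, freetube and gajim. Unless exim4 is known to need raw sockets (which would also require a `capability net_raw,` that is not visible in the hunk), `network inet stream,` / `network inet6 stream,` plus the matching `dgram` lines would keep the profile as tight as the other profiles in the change. The profile body continues outside the hunk.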
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/xfce4/exo/exo-compose-mail profile exo-compose-mail @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -26,5 +26,5 @@ profile exo-compose-mail @{exec_path} { /{usr/,}lib/thunderbird/thunderbird rPx, /{usr/,}lib/thunderbird/thunderbird-bin rPx, - #include if exists + include if exists } diff --git a/apparmor.d/exo-helper b/apparmor.d/exo-helper index b755212f4..cb5c3468c 100644 --- a/apparmor.d/exo-helper +++ b/apparmor.d/exo-helper @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/exo-[0-9]/exo-helper-[0-9] profile exo-helper @{exec_path} { - #include - #include - #include + include + include + include # These are needed when there's no default application set in the ~/.config/xfce4/helpers.rc - #include - #include - #include - #include + include + include + include + include @{exec_path} mr, @@ -59,5 +59,5 @@ profile exo-helper @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/exo-open b/apparmor.d/exo-open index 78c1e063f..13482a262 100644 --- a/apparmor.d/exo-open +++ b/apparmor.d/exo-open @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/exo-open profile exo-open @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include @{exec_path} mr, @@ -34,5 +34,5 @@ profile exo-open @{exec_path} { /** r, owner /** rw, - #include if exists + include if exists } diff --git a/apparmor.d/f3brew b/apparmor.d/f3brew index 249535443..db18ff2d2 100644 --- a/apparmor.d/f3brew +++ b/apparmor.d/f3brew 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/f3brew profile f3brew @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/f3fix b/apparmor.d/f3fix index e8a2a7670..f07abc2e8 100644 --- a/apparmor.d/f3fix +++ b/apparmor.d/f3fix @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/f3fix profile f3fix @{exec_path} { - #include - #include + include + include # To remove the following errors: # Error: Partition(s) * on /dev/sdb have been written, but we have been unable to inform the @@ -42,7 +42,7 @@ profile f3fix @{exec_path} { @{PROC}/swaps r, profile udevadm { - #include + include ptrace (read), @@ -65,6 +65,6 @@ profile f3fix @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/f3probe b/apparmor.d/f3probe index 069697695..c9f5d15e6 100644 --- a/apparmor.d/f3probe +++ b/apparmor.d/f3probe @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/f3probe profile f3probe @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/f3read b/apparmor.d/f3read index 6d065cec5..f135264a3 100644 --- a/apparmor.d/f3read +++ b/apparmor.d/f3read @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/f3read profile f3read @{exec_path} { - #include + include @{exec_path} mr, @@ -27,6 +27,6 @@ profile f3read @{exec_path} { /media/*/[0-9]*.h2w r, /media/*/*/[0-9]*.h2w r, - #include if exists + include if exists } diff --git a/apparmor.d/f3write b/apparmor.d/f3write index 276adb7ed..0ca7c0dd0 100644 
--- a/apparmor.d/f3write +++ b/apparmor.d/f3write @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/f3write profile f3write @{exec_path} { - #include + include # The f3write doesn't have to be started as root, but when it's started as root, the following # CAP is needed in order to write to the user owned USB drives (e.g. mounted via udisks). @@ -31,6 +31,6 @@ profile f3write @{exec_path} { owner /media/*/[0-9]*.h2w w, owner /media/*/*/[0-9]*.h2w w, - #include if exists + include if exists } diff --git a/apparmor.d/fatlabel b/apparmor.d/fatlabel index 65d4108ba..7ae626c78 100644 --- a/apparmor.d/fatlabel +++ b/apparmor.d/fatlabel @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/fatlabel profile fatlabel @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/fatresize b/apparmor.d/fatresize index 28c5e6436..c9a5fa37d 100644 --- a/apparmor.d/fatresize +++ b/apparmor.d/fatresize @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/fatresize profile fatresize @{exec_path} { - #include - #include + include + include # Needed to inform the system of newly created/removed partitions # ioctl(3, BLKFLSBUF) = -1 EACCES (Permission denied) @@ -41,7 +41,7 @@ profile fatresize @{exec_path} { profile udevadm { - #include + include ptrace (read), @@ -64,5 +64,5 @@ profile fatresize @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/fc-list b/apparmor.d/fc-list index 59831ccf3..b710467bf 100644 --- a/apparmor.d/fc-list +++ b/apparmor.d/fc-list 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fc-list profile fc-list @{exec_path} { - #include - #include - #include + include + include + include /{usr/,}bin/fc-list mr, - #include if exists + include if exists } diff --git a/apparmor.d/fdisk b/apparmor.d/fdisk index b21b465c4..e8bcad458 100644 --- a/apparmor.d/fdisk +++ b/apparmor.d/fdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/fdisk profile fdisk @{exec_path} { - #include - #include + include + include # Needed to inform the system of newly created/removed partitions # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) @@ -42,5 +42,5 @@ profile fdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/ffmpeg b/apparmor.d/ffmpeg index 6a74fc069..1f714b0d4 100644 --- a/apparmor.d/ffmpeg +++ b/apparmor.d/ffmpeg @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -51,13 +51,13 @@ @{exec_path} = /{usr/,}bin/ffmpeg profile ffmpeg @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include @{exec_path} mr, @@ -85,5 +85,5 @@ profile ffmpeg @{exec_path} { # TMP files for apps using ffmpeg owner /tmp/vidcutter/** rw, - #include if exists + include if exists } diff --git a/apparmor.d/ffplay b/apparmor.d/ffplay index 9857e9947..4dfb053a2 100644 --- a/apparmor.d/ffplay +++ b/apparmor.d/ffplay 
@@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -46,11 +46,11 @@ @{exec_path} = /{usr/,}bin/ffplay profile ffplay @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include @{exec_path} mr, @@ -69,5 +69,5 @@ profile ffplay @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]/meminfo r, - #include if exists + include if exists } diff --git a/apparmor.d/ffprobe b/apparmor.d/ffprobe index fb3cbbaa1..3194bb251 100644 --- a/apparmor.d/ffprobe +++ b/apparmor.d/ffprobe @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -46,9 +46,9 @@ @{exec_path} = /{usr/,}bin/ffprobe profile ffprobe @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -64,5 +64,5 @@ profile ffprobe @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]/meminfo r, - #include if exists + include if exists } diff --git a/apparmor.d/filecap b/apparmor.d/filecap index f36c4f5c7..e452321cc 100644 --- a/apparmor.d/filecap +++ b/apparmor.d/filecap @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/filecap profile filecap @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -35,5 +35,5 @@ profile filecap @{exec_path} { #/ r, #/** r, - #include if exists + include if exists } diff --git a/apparmor.d/filezilla b/apparmor.d/filezilla index 1ac8643a9..a86b89cfb 100644 --- a/apparmor.d/filezilla +++ b/apparmor.d/filezilla 
@@ -9,20 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/filezilla profile filezilla @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=fzsftp, @@ -75,5 +75,5 @@ profile filezilla @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/firefox b/apparmor.d/firefox index 46d790a60..27f482be9 100644 --- a/apparmor.d/firefox +++ b/apparmor.d/firefox @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} @{MOZ_HOMEDIR} = @{HOME}/.mozilla @@ -19,28 +19,33 @@ @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr} profile firefox @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include ##include - ptrace peer=@{profile_name}, signal (send) set=(term, kill) peer=keepassxc-proxy, signal (send) set=(term, kill) peer=firefox-*, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, # The following rules are needed only when the kernel.unprivileged_userns_clone option is set @@ -184,8 +189,8 @@ profile firefox @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}bin/exo-open mr, @@ -215,5 +220,5 @@ profile firefox @{exec_path} { } - #include if exists + include if exists } 
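Review bot: The firefox `@@ -19,28 +19,33 @@` hunk silently drops `ptrace peer=@{profile_name},` in the middle of the include-syntax migration and the new network rules, and nothing in the hunk says why. That is a behavioural change: if any firefox process still ptraces a sibling running under the same label, the removal will only show up as a ptrace denial in the audit log rather than at review time. If the rule is genuinely obsolete, a comment such as `# self-ptrace no longer required` or a separate commit would make that verifiable; the rest of the hunk (`network inet/inet6 stream/dgram`, `network netlink raw`) matches the other profiles in this commit. The profile body continues outside the hunk.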
diff --git a/apparmor.d/firefox-crashreporter b/apparmor.d/firefox-crashreporter index 8ab31288d..ae02c44e1 100644 --- a/apparmor.d/firefox-crashreporter +++ b/apparmor.d/firefox-crashreporter @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{MOZ_LIBDIR} = /{usr/,}lib/firefox @{MOZ_HOMEDIR} = @{HOME}/.mozilla @@ -19,12 +19,12 @@ @{exec_path} = @{MOZ_LIBDIR}/crashreporter profile firefox-crashreporter @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include signal (receive) set=(term, kill) peer=firefox, @@ -60,5 +60,5 @@ profile firefox-crashreporter @{exec_path} { owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/firefox-minidump-analyzer b/apparmor.d/firefox-minidump-analyzer index 51adaa168..b1b16516f 100644 --- a/apparmor.d/firefox-minidump-analyzer +++ b/apparmor.d/firefox-minidump-analyzer @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{MOZ_LIBDIR} = /{usr/,}lib/firefox @{MOZ_HOMEDIR} = @{HOME}/.mozilla @@ -19,8 +19,8 @@ @{exec_path} = /{usr/,}lib/firefox/minidump-analyzer profile firefox-minidump-analyzer @{exec_path} { - #include - #include + include + include signal (receive) set=(term, kill) peer=firefox, @@ -43,5 +43,5 @@ profile firefox-minidump-analyzer @{exec_path} { owner @{HOME}/.xsession-errors w, owner @{HOME}/.mozilla/firefox/m-oyw579q8.default/extensions/*.xpi r, - #include if exists + include if exists } diff --git a/apparmor.d/firefox-pingsender b/apparmor.d/firefox-pingsender index 3250d4a0f..84fab49ea 100644 --- a/apparmor.d/firefox-pingsender +++ b/apparmor.d/firefox-pingsender 
@@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{MOZ_LIBDIR} = /{usr/,}lib/firefox @{MOZ_HOMEDIR} = @{HOME}/.mozilla @@ -19,11 +19,11 @@ @{exec_path} = @{MOZ_LIBDIR}/pingsender profile firefox-pingsender @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include signal (receive) set=(term, kill) peer=firefox, @@ -34,5 +34,5 @@ profile firefox-pingsender @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/firefox-plugin-container b/apparmor.d/firefox-plugin-container index f4d375cea..2b256b142 100644 --- a/apparmor.d/firefox-plugin-container +++ b/apparmor.d/firefox-plugin-container @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} @{MOZ_HOMEDIR} = @{HOME}/.mozilla @@ -19,11 +19,11 @@ @{exec_path} = @{MOZ_LIBDIR}/plugin-container profile firefox-plugin-container @{exec_path} { - #include + include signal (receive) set=(term, kill) peer=firefox, @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/firejail-default b/apparmor.d/firejail-default index e396ae7d9..aaf725974 100644 --- a/apparmor.d/firejail-default +++ b/apparmor.d/firejail-default @@ -4,7 +4,7 @@ # AppArmor 3.0 uses the @{run} variable in # and . -#include +include ########## # A simple PID declaration based on Ubuntu's @{pid} 
@@ -14,14 +14,14 @@ ########## @{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]} -profile firejail-default flags=(attach_disconnected,mediate_deleted) { +profile firejail-default flags=(attach_disconnected, complain, mediate_deleted) { ########## # Allow D-Bus access. It may negatively affect security. Comment those lines or # use 'nodbus' option in profile if you don't need D-Bus functionality. ########## -#include -#include +include +include dbus, # Add rule in order to avoid dbus-*=filter breakage (#3432) owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w, @@ -161,5 +161,5 @@ capability setfcap, #capability mac_admin, # Site-specific additions and overrides. See local/README for details. -#include +include } diff --git a/apparmor.d/flameshot b/apparmor.d/flameshot index 8e823bf48..f9f1daf82 100644 --- a/apparmor.d/flameshot +++ b/apparmor.d/flameshot @@ -9,28 +9,35 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/flameshot profile flameshot @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + network netlink dgram, @{exec_path} mr, @@ -72,8 +79,8 @@ profile flameshot @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -88,5 +95,5 @@ profile flameshot @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/fping b/apparmor.d/fping index 9d6bdffdb..3250d284e 100644 --- a/apparmor.d/fping 
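Review bot: Adding `complain` to the flags of `profile firejail-default` in the `@@ -14,14 +14,14 @@` hunk switches the whole profile to complain mode, so every rule below it, including the `deny` and `capability` lines, is only logged and no longer enforced for any sandbox firejail confines with this profile. That is a change of security posture unrelated to the `#include` to `include` syntax migration the rest of the commit performs, and the hunk gives no reason for it. If it is a temporary step to collect denials, a comment such as `# TODO: drop complain once denials are resolved` and a separate commit would keep it reviewable; if it is meant to ship, it deserves its own explanation in the commit message. The profile body continues outside the hunk.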
+++ b/apparmor.d/fping @@ -9,21 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fping{,6} profile fping @{exec_path} { - #include - #include + include + include # This CAP can be blocked when the net.ipv4.ping_group_range sysctl parametr is set. Otherwise it # will return the following error: # fping: can't create socket (must run as root?) deny capability net_raw, + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/freetube b/apparmor.d/freetube index 95519c28a..e134c2a79 100644 --- a/apparmor.d/freetube +++ b/apparmor.d/freetube @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{FT_LIBDIR} = /{usr/,}lib/freetube @{FT_LIBDIR} += /{usr/,}lib/freetube-vue @@ -20,20 +20,20 @@ @{exec_path} = @{FT_LIBDIR}/freetube{,-vue} profile freetube @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". @@ -43,6 +43,12 @@ profile freetube @{exec_path} { owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/uid_map w, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, @{FT_LIBDIR}/ r, 
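Review bot: The new `network inet raw,` and `network inet6 raw,` rules in the fping `@@ -9,21 +9,26 @@` hunk sit directly under `deny capability net_raw,`, and a raw socket cannot be opened without CAP_NET_RAW, so those two rules only take effect if that deny is ever lifted; with the `net.ipv4.ping_group_range` setting the comment above describes, fping presumably uses the `dgram` sockets the hunk also allows. A short comment would stop the next reader from treating the pair as a contradiction, e.g. `# raw sockets are only usable when capability net_raw is granted; dgram covers ping_group_range`. The context line also still reads "parametr"; worth fixing when the rule block is next touched.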
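Review bot: The network rules added to freetube in `@@ -43,6 +43,12 @@` are placed right after the `uid_map`/`gid_map` lines that the preceding comment marks as needed only when kernel.unprivileged_userns_clone is set to 1, so a reader can take the socket rules as conditional on that option too. Placing them above that comment block, next to the includes as flameshot and gajim do in this commit, or prefixing them with `# Network access (always required)`, would remove the ambiguity. The profile body continues outside the hunk.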
@@ -61,7 +67,7 @@ profile freetube @{exec_path} { owner /tmp/.org.chromium.Chromium.*/ rw, owner /tmp/.org.chromium.Chromium.*/SingletonCookie w, owner /tmp/.org.chromium.Chromium.*/SS w, - owner /tmp/.org.chromium.Chromium.* w, + owner /tmp/.org.chromium.Chromium.* rw, owner /tmp/net-export/ rw, /dev/shm/ r, @@ -106,6 +112,8 @@ profile freetube @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + owner @{run}/user/[0-9]*/ r, + # no new privs /{usr/,}bin/xdg-settings rPx, @@ -119,8 +127,8 @@ profile freetube @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -136,5 +144,5 @@ profile freetube @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/freetube-chrome-sandbox b/apparmor.d/freetube-chrome-sandbox index eefd5fdbc..abd3704d8 100644 --- a/apparmor.d/freetube-chrome-sandbox +++ b/apparmor.d/freetube-chrome-sandbox @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{FT_LIBDIR} = /{usr/,}lib/freetube @{FT_LIBDIR} += /{usr/,}lib/freetube-vue @@ -20,9 +20,9 @@ @{exec_path} = @{FT_LIBDIR}/chrome-sandbox profile freetube-chrome-sandbox @{exec_path} { - #include - #include - #include + include + include + include capability sys_admin, capability setgid, @@ -38,5 +38,5 @@ profile freetube-chrome-sandbox @{exec_path} { owner @{PROC}/@{pid}/oom_{,score_}adj r, deny owner @{PROC}/@{pid}/oom_{,score_}adj w, - #include if exists + include if exists } diff --git a/apparmor.d/frontend b/apparmor.d/frontend index 8a8ef23d5..d845967d0 100644 --- a/apparmor.d/frontend +++ b/apparmor.d/frontend @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/debconf/frontend profile frontend @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include #capability sys_tty_config, 
@@ -70,10 +70,10 @@ profile frontend @{exec_path} flags=(complain) { /etc/shadow r, # The following is needed when debconf uses GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -86,8 +86,8 @@ profile frontend @{exec_path} flags=(complain) { profile scripts flags=(complain) { - #include - #include + include + include # What's this for? (#FIXME#) capability dac_read_search, @@ -126,5 +126,5 @@ profile frontend @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/fsck b/apparmor.d/fsck index 97b6a11af..4d2837133 100644 --- a/apparmor.d/fsck +++ b/apparmor.d/fsck @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/fsck profile fsck @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -39,5 +39,5 @@ profile fsck @{exec_path} { owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - #include if exists + include if exists } diff --git a/apparmor.d/fsck-btrfs b/apparmor.d/fsck-btrfs index 0a1e7abfa..1802923d3 100644 --- a/apparmor.d/fsck-btrfs +++ b/apparmor.d/fsck-btrfs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/fsck.btrfs profile fsck-btrfs @{exec_path} { - #include + include @{exec_path} r, @@ -23,5 +23,5 @@ profile fsck-btrfs @{exec_path} { /etc/fstab r, - #include if exists + include if exists } diff --git a/apparmor.d/fsck-fat b/apparmor.d/fsck-fat index a3b23d990..53b552464 100644 --- a/apparmor.d/fsck-fat +++ b/apparmor.d/fsck-fat 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{fsck.fat,fsck.msdos,fsck.vfat,dosfsck} profile fsck-fat @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile fsck-fat @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/fuseiso b/apparmor.d/fuseiso index 974525c11..12abbed14 100644 --- a/apparmor.d/fuseiso +++ b/apparmor.d/fuseiso @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fuseiso profile fuseiso @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -41,5 +41,5 @@ profile fuseiso @{exec_path} { /dev/fuse rw, - #include if exists + include if exists } diff --git a/apparmor.d/fusermount b/apparmor.d/fusermount index 79aafa25a..457a89f78 100644 --- a/apparmor.d/fusermount +++ b/apparmor.d/fusermount @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fusermount{,3} profile fusermount @{exec_path} { - #include - #include + include + include # To mount anything: # fusermount: mount failed: Operation not permitted @@ -59,5 +59,5 @@ profile fusermount @{exec_path} { @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/fwupd b/apparmor.d/fwupd index 8286a0960..758309f36 100644 --- a/apparmor.d/fwupd +++ b/apparmor.d/fwupd 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd profile fwupd @{exec_path} flags=(complain,attach_disconnected) { - #include - #include + include + include # This is needed in order to read/write from/to the /dev/tpm0 , device which is owned by tss:tss capability dac_override, @@ -69,7 +69,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { profile gpg { - #include + include /{usr/,}bin/gpg mr, /{usr/,}bin/gpgconf mr, @@ -80,5 +80,5 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { } - #include if exists + include if exists } diff --git a/apparmor.d/fwupdmgr b/apparmor.d/fwupdmgr index 0ad1aaaa4..7d2616618 100644 --- a/apparmor.d/fwupdmgr +++ b/apparmor.d/fwupdmgr @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fwupdmgr profile fwupdmgr @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include @{exec_path} mr, @@ -40,8 +40,8 @@ profile fwupdmgr @{exec_path} flags=(complain) { profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, @@ -49,5 +49,5 @@ profile fwupdmgr @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/fzsftp b/apparmor.d/fzsftp index 9c982ed10..2277cdeba 100644 --- a/apparmor.d/fzsftp +++ b/apparmor.d/fzsftp @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fzsftp profile fzsftp @{exec_path} { - #include - #include - #include + include + include + include signal (receive) set=(term, kill) peer=filezilla, @@ -45,5 +45,5 @@ profile fzsftp @{exec_path} { # file_inherit #deny @{HOME}/.cache/filezilla/** rw, - #include if exists + include if exists } 
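Review bot: The fzsftp hunk `@@ -9,15 +9,15 @@` uncomments the `abi` declaration (pointing at the abi/3.0 file added by this commit) without adding any `network` rule, whereas gajim, git and gpo in the same commit gain `network inet stream,` and `network inet6 stream,` next to the same change, presumably because declaring the abi turns on network mediation for the profile. If that is the reason, and none of the included abstractions (their names are not rendered on this page) grant the access, fzsftp's SSH transport will be denied as soon as the profile loads; fwupd and fwupdmgr, also on this line, fetch firmware metadata over the network and have the same gap. Suggested for fzsftp, after the include block: `network inet stream,` and `network inet6 stream,` with a why-comment such as `# sftp runs over ssh; needed once network mediation applies`.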
diff --git a/apparmor.d/gajim b/apparmor.d/gajim index 1113581f3..3f73f6fb1 100644 --- a/apparmor.d/gajim +++ b/apparmor.d/gajim @@ -9,26 +9,34 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gajim profile gajim @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} r, @@ -80,8 +88,8 @@ profile gajim @{exec_path} { profile audio { - #include - #include + include + include /{usr/,}bin/aplay mr, /{usr/,}bin/pacat mr, @@ -94,7 +102,7 @@ profile gajim @{exec_path} { } profile gpg { - #include + include /{usr/,}bin/gpg mr, @@ -103,5 +111,5 @@ profile gajim @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/games-wesnoth b/apparmor.d/games-wesnoth index ad930cb5a..88a035a0f 100644 --- a/apparmor.d/games-wesnoth +++ b/apparmor.d/games-wesnoth @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/games/wesnoth{,-[0-9]*} profile games-wesnoth @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mrix, @@ -39,5 +39,5 @@ profile games-wesnoth @{exec_path} { owner @{HOME}/.icons/default/index.theme r, /usr/share/icons/*/index.theme r, - #include if exists + include if exists } diff --git a/apparmor.d/games-wesnoth-sh b/apparmor.d/games-wesnoth-sh index 06b9644b3..5028d0d4d 100644 --- a/apparmor.d/games-wesnoth-sh 
+++ b/apparmor.d/games-wesnoth-sh @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/games/wesnoth-[0-9]*{-nolog,-smalgui,_editor} /usr/games/wesnoth-nolog profile games-wesnoth-sh @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -30,5 +30,5 @@ profile games-wesnoth-sh @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/ganyremote b/apparmor.d/ganyremote index 0354b9e58..838994875 100644 --- a/apparmor.d/ganyremote +++ b/apparmor.d/ganyremote @@ -9,23 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ganyremote profile ganyremote @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + + network inet stream, + network inet6 stream, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -77,8 +80,8 @@ profile ganyremote @{exec_path} { profile killall { - #include - #include + include + include capability sys_ptrace, @@ -96,8 +99,8 @@ profile ganyremote @{exec_path} { } profile pgrep { - #include - #include + include + include /{usr/,}bin/pgrep mr, @@ -110,5 +113,5 @@ profile ganyremote @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/gconfd b/apparmor.d/gconfd index 032c43ff2..23e7a3edf 100644 --- a/apparmor.d/gconfd +++ b/apparmor.d/gconfd @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/gconf/gconfd-[0-9] profile gconfd @{exec_path} { - #include - #include + include + include @{exec_path} mr, 
@@ -26,5 +26,5 @@ profile gconfd @{exec_path} { owner @{HOME}/.gconf/ rw, owner @{HOME}/.gconf/.testing.writeability rw, - #include if exists + include if exists } diff --git a/apparmor.d/gdisk b/apparmor.d/gdisk index 3301ae352..8e01c4d9f 100644 --- a/apparmor.d/gdisk +++ b/apparmor.d/gdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/gdisk profile gdisk @{exec_path} { - #include - #include + include + include # Needed to inform the system of newly created/removed partitions # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) @@ -39,5 +39,5 @@ profile gdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/geany b/apparmor.d/geany index ccc461c4f..bbbe36f75 100644 --- a/apparmor.d/geany +++ b/apparmor.d/geany @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/geany profile geany @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include # To edit system files as root. capability dac_read_search, @@ -104,8 +104,8 @@ profile geany @{exec_path} { profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -117,5 +117,5 @@ profile geany @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/gio-launch-desktop b/apparmor.d/gio-launch-desktop index 40e31baf0..f68025b83 100644 --- a/apparmor.d/gio-launch-desktop +++ b/apparmor.d/gio-launch-desktop 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gio @{exec_path} += /{usr/,}bin/gio-launch-desktop @{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop profile gio-launch-desktop @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -37,5 +37,5 @@ profile gio-launch-desktop @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/git b/apparmor.d/git index 38140691c..6ce418c41 100644 --- a/apparmor.d/git +++ b/apparmor.d/git @@ -9,18 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/git profile git @{exec_path} { - #include - #include - #include - #include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + @{exec_path} mr, @@ -92,8 +98,8 @@ profile git @{exec_path} { profile gpg { - #include - #include + include + include /{usr/,}bin/gpg mr, @@ -105,9 +111,9 @@ profile git @{exec_path} { } profile ssh { - #include - #include - #include + include + include + include /{usr/,}bin/ssh mr, @@ -124,15 +130,15 @@ profile git @{exec_path} { } profile exec { - #include + include owner @{BUILD_DIR}/**/bin/* mr, } - profile editor flags=(complain) { - #include - #include + profile editor { + include + include /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim.* mrix, @@ -154,5 +160,5 @@ profile git @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/globaltime b/apparmor.d/globaltime index bf4a9a472..49a576265 100644 --- a/apparmor.d/globaltime +++ b/apparmor.d/globaltime 
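Review bot: `profile editor flags=(complain) {` becomes `profile editor {` in the git hunk `@@ -124,15 +130,15 @@`, which moves that subprofile from complain to enforce mode, a policy change that the otherwise mechanical `#include` → `include` rewrite does not signal. The editor subprofile runs `/{usr/,}bin/vim.* mrix`, so any access vim or its plugins need beyond the listed includes is now denied instead of logged. Either keep `profile editor flags=(complain) {` if only the syntax conversion was intended, or leave a comment on the new line such as `# enforce mode; re-add flags=(complain) to debug editor denials` so the switch is visibly deliberate.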
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/globaltime profile globaltime @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include @{exec_path} mr, @@ -30,5 +30,5 @@ profile globaltime @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/glxgears b/apparmor.d/glxgears index 4cefc1384..16172760d 100644 --- a/apparmor.d/glxgears +++ b/apparmor.d/glxgears @@ -9,18 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/glxgears profile glxgears @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include capability sys_admin, @@ -33,5 +32,5 @@ profile glxgears @{exec_path} { owner @{HOME}/.Xauthority r, - #include if exists + include if exists } diff --git a/apparmor.d/glxinfo b/apparmor.d/glxinfo index b65d74330..9aa0ca31e 100644 --- a/apparmor.d/glxinfo +++ b/apparmor.d/glxinfo @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/glxinfo profile glxinfo @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include capability sys_admin, # Needed? @@ -34,5 +34,5 @@ profile glxinfo @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/gnome-keyring-daemon b/apparmor.d/gnome-keyring-daemon index 6c2823838..569cb8bd2 100644 --- a/apparmor.d/gnome-keyring-daemon +++ b/apparmor.d/gnome-keyring-daemon 
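Review bot: The glxgears hunk `@@ -9,18 +9,17 @@` removes six `#include` lines but adds only five `include` lines, so one abstraction is dropped along with the mechanical rewrite; the abstraction names are not rendered on this page, so which one cannot be checked here. A removed abstraction is a policy change that can show up as new denials from an otherwise syntax-only commit and should be named in the commit message or split out. If the removal is intentional (a duplicate, say), a one-line comment on the include block stating that is enough.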
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} { - #include - #include + include + include # Remove the following error: # gnome-keyring-daemon: insufficient process capabilities, unsecure memory might get used @@ -35,5 +35,5 @@ profile gnome-keyring-daemon @{exec_path} { owner @{run}/user/[0-9]*/keyring/ rw, owner @{run}/user/[0-9]*/keyring/* rw, - #include if exists + include if exists } diff --git a/apparmor.d/google-chrome-chrome b/apparmor.d/google-chrome-chrome index bea277189..ec12aa184 100644 --- a/apparmor.d/google-chrome-chrome +++ b/apparmor.d/google-chrome-chrome @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable} @{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable} @@ -19,19 +19,19 @@ @{exec_path} = @{CHROME_INSTALLDIR}/chrome{,-beta,-unstable} profile google-chrome-chrome @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". @@ -45,6 +45,12 @@ profile google-chrome-chrome @{exec_path} { signal (send) set=(term, kill) peer=keepassxc-proxy, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, @{CHROME_INSTALLDIR}/{,**} r, @@ -181,8 +187,8 @@ profile google-chrome-chrome @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, 
@@ -197,5 +203,5 @@ profile google-chrome-chrome @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/google-chrome-chrome-sandbox b/apparmor.d/google-chrome-chrome-sandbox index 6aab45889..f6c216816 100644 --- a/apparmor.d/google-chrome-chrome-sandbox +++ b/apparmor.d/google-chrome-chrome-sandbox @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable} @{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable} @@ -19,8 +19,8 @@ @{exec_path} = @{CHROME_INSTALLDIR}/chrome-sandbox profile google-chrome-chrome-sandbox @{exec_path} { - #include - #include + include + include # For kernel unprivileged user namespaces capability sys_admin, @@ -42,5 +42,5 @@ profile google-chrome-chrome-sandbox @{exec_path} { owner @{PROC}/@{pid}/fd/ r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - #include if exists + include if exists } diff --git a/apparmor.d/google-chrome-google-chrome b/apparmor.d/google-chrome-google-chrome index fbedbab4f..5d09959e3 100644 --- a/apparmor.d/google-chrome-google-chrome +++ b/apparmor.d/google-chrome-google-chrome @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable} @{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable} @@ -19,9 +19,9 @@ @{exec_path} = @{CHROME_INSTALLDIR}/google-chrome{,-beta,-unstable} profile google-chrome-google-chrome @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -39,5 +39,5 @@ profile google-chrome-google-chrome @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/gpa b/apparmor.d/gpa index 8902b7643..e0adc9feb 100644 --- a/apparmor.d/gpa +++ b/apparmor.d/gpa 
@@ -9,20 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpa profile gpa @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -58,5 +58,5 @@ profile gpa @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/gparted b/apparmor.d/gparted index cc583ee32..cddf907e1 100644 --- a/apparmor.d/gparted +++ b/apparmor.d/gparted @@ -9,17 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/gparted profile gparted @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}sbin/ r, + /{usr/,}sbin/gpartedbin rPx, + + /{usr/,}bin/ r, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/cut rix, /{usr/,}bin/id rix, @@ -33,19 +37,26 @@ profile gparted @{exec_path} { @{run}/udev/rules.d/90-udisks-inhibit.rules rw, /{usr/,}bin/udevadm rCx -> udevadm, + /{usr/,}sbin/killall5 rCx -> killall, - /{usr/,}sbin/gpartedbin rPx, /{usr/,}bin/ps rPx, /{usr/,}bin/xhost rPx, /{usr/,}bin/pkexec rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, + # For shell pwd + / r, + /root/ r, + + /usr/local/bin/ r, + /usr/local/sbin/ r, + # file_inherit owner /dev/tty[0-9]* rw, profile udevadm { - #include + include ptrace (read), @@ -67,5 +78,25 @@ profile gparted @{exec_path} { } - #include if exists + profile killall flags=(attach_disconnected) { + include + include + + capability sys_ptrace, + + signal (send) set=(int, term, kill), + + ptrace (read), + + /{usr/,}sbin/killall5 mr, + + # The /proc/ dir is needed to avoid the following error: + # /proc: Permission denied + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, + + } + + include if exists } 
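Review bot: The new `profile killall flags=(attach_disconnected)` in the gparted hunk `@@ -67,5 +78,25 @@` grants `signal (send) set=(int, term, kill),` and `ptrace (read),` with no `peer=` restriction, and `capability sys_ptrace,` widens that further, so killall5 confined here may signal or inspect any process the task can otherwise reach; if the intended targets are known, constrain the rules with `peer=`, otherwise add a comment stating why a broad rule is required. The `@{PROC}/@{pids}/stat r,` and `@{PROC}/@{pids}/cmdline r,` lines use `@{pids}` while other profiles in this commit (google-chrome-chrome-sandbox, gpasswd) use `@{pid}`; confirm both variables exist in the tunables or use `@{pid}` for consistency. The `attach_disconnected` flag also deserves a short why-comment naming the disconnected path that motivated it.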
diff --git a/apparmor.d/gpartedbin b/apparmor.d/gpartedbin index 49ad27e1e..9b29c0d2c 100644 --- a/apparmor.d/gpartedbin +++ b/apparmor.d/gpartedbin @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/gpartedbin profile gpartedbin @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include # Needed to inform the system of newly created/removed partitions. # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) @@ -144,7 +144,7 @@ profile gpartedbin @{exec_path} { profile mount { - #include + include capability sys_admin, @@ -167,7 +167,7 @@ profile gpartedbin @{exec_path} { } profile umount { - #include + include capability sys_admin, @@ -188,7 +188,7 @@ profile gpartedbin @{exec_path} { } profile udevadm { - #include + include ptrace (read), @@ -205,14 +205,14 @@ profile gpartedbin @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, # file_inherit - #include # lots of files in this abstraction get inherited + include # lots of files in this abstraction get inherited /dev/mapper/control rw, } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @@ -228,5 +228,5 @@ profile gpartedbin @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/gpasswd b/apparmor.d/gpasswd index e28a9128f..106e0f58f 100644 --- a/apparmor.d/gpasswd +++ b/apparmor.d/gpasswd @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpasswd profile gpasswd @{exec_path} { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, 
@@ -29,6 +29,8 @@ profile gpasswd @{exec_path} { # gpasswd is a SETUID binary capability setuid, + network netlink raw, + @{exec_path} mr, owner @{PROC}/@{pid}/loginuid r, @@ -46,5 +48,5 @@ profile gpasswd @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/gpg b/apparmor.d/gpg index f48156df6..642dc3a23 100644 --- a/apparmor.d/gpg +++ b/apparmor.d/gpg @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpg profile gpg @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} mrix, @@ -82,5 +82,5 @@ profile gpg @{exec_path} { # file_inherit /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/gpg-agent b/apparmor.d/gpg-agent index a2448f02c..8dc0d2b68 100644 --- a/apparmor.d/gpg-agent +++ b/apparmor.d/gpg-agent @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpg-agent profile gpg-agent @{exec_path} { - #include - #include + include + include signal (receive) peer=pinentry-*, @@ -56,5 +56,5 @@ profile gpg-agent @{exec_path} { # Silencer deny /{usr/,}bin/.gnupg/ w, - #include if exists + include if exists } diff --git a/apparmor.d/gpg-connect-agent b/apparmor.d/gpg-connect-agent index 00bcc281e..cf1da8f21 100644 --- a/apparmor.d/gpg-connect-agent +++ b/apparmor.d/gpg-connect-agent @@ -9,15 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpg-connect-agent profile gpg-connect-agent @{exec_path} { - #include + include + include @{exec_path} mr, - #include if exists + /etc/inputrc r, + + include if exists } 
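Review bot: `network netlink raw,` is added to gpasswd without a why-comment, in a profile where each capability carries one (`# To write records to the kernel auditing log.` above `capability audit_write,`); a comment tying the two together, e.g. `# audit_write records are sent over a netlink audit socket`, would keep the style consistent, assuming that is indeed the socket the tool opens (the page does not show it). The same unexplained line appears in the groupadd, groupdel and groupmod hunks further down. If the netlink access serves a different purpose there, the comment should say which.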
diff --git a/apparmor.d/gpgconf b/apparmor.d/gpgconf index 592ca6205..d1393f9e5 100644 --- a/apparmor.d/gpgconf +++ b/apparmor.d/gpgconf @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpgconf profile gpgconf @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mrix, @@ -41,5 +41,5 @@ profile gpgconf @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/gpgsm b/apparmor.d/gpgsm index 2e5851fa2..1ab2716f2 100644 --- a/apparmor.d/gpgsm +++ b/apparmor.d/gpgsm @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpgsm profile gpgsm @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile gpgsm @{exec_path} { owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, - #include if exists + include if exists } diff --git a/apparmor.d/gpo b/apparmor.d/gpo index 7bd4f54ca..fe9d1fc08 100644 --- a/apparmor.d/gpo +++ b/apparmor.d/gpo @@ -9,20 +9,25 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpo profile gpo @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -45,5 +50,5 @@ profile gpo @{exec_path} { owner /var/tmp/etilqs_[0-9a-f]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/gpodder b/apparmor.d/gpodder index 73fbd70d9..7622d444f 100644 --- a/apparmor.d/gpodder +++ b/apparmor.d/gpodder 
@@ -9,23 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpodder profile gpodder @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -72,8 +78,8 @@ profile gpodder @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @@ -90,5 +96,5 @@ profile gpodder @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/gpodder-migrate2tres b/apparmor.d/gpodder-migrate2tres index 4d111e14a..b134396e3 100644 --- a/apparmor.d/gpodder-migrate2tres +++ b/apparmor.d/gpodder-migrate2tres @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpodder-migrate2tres profile gpodder-migrate2tres @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -31,5 +31,5 @@ profile gpodder-migrate2tres @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/groupadd b/apparmor.d/groupadd index df41be2b7..bed46fb84 100644 --- a/apparmor.d/groupadd +++ b/apparmor.d/groupadd 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/groupadd profile groupadd @{exec_path} { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -26,6 +26,8 @@ profile groupadd @{exec_path} { capability chown, capability fsetid, + network netlink raw, + @{exec_path} mr, /etc/login.defs r, @@ -41,5 +43,5 @@ profile groupadd @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/groupdel b/apparmor.d/groupdel index 1e92d1d0d..88578b6e2 100644 --- a/apparmor.d/groupdel +++ b/apparmor.d/groupdel @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/groupdel profile groupdel @{exec_path} { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -26,6 +26,8 @@ profile groupdel @{exec_path} { capability chown, capability fsetid, + network netlink raw, + @{exec_path} mr, /etc/login.defs r, @@ -41,5 +43,5 @@ profile groupdel @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/groupmod b/apparmor.d/groupmod index 71eac7695..10c7e77bb 100644 --- a/apparmor.d/groupmod +++ b/apparmor.d/groupmod @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/groupmod profile groupmod @{exec_path} { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, 
@@ -26,6 +26,8 @@ profile groupmod @{exec_path} { capability chown, capability fsetid, + network netlink raw, + @{exec_path} mr, /etc/login.defs r, @@ -43,5 +45,5 @@ profile groupmod @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/groups b/apparmor.d/groups index 150f4502f..2be493cd4 100644 --- a/apparmor.d/groups +++ b/apparmor.d/groups @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/groups profile groups @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/grpck b/apparmor.d/grpck index 6c1442b15..1a65eb927 100644 --- a/apparmor.d/grpck +++ b/apparmor.d/grpck @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/grpck profile grpck @{exec_path} { - #include - #include + include + include # To set the right permission to the files in the /etc/ dir. capability chown, @@ -38,5 +38,5 @@ profile grpck @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/gsmartcontrol b/apparmor.d/gsmartcontrol index ddba75b84..822174ffa 100644 --- a/apparmor.d/gsmartcontrol +++ b/apparmor.d/gsmartcontrol @@ -9,18 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/gsmartcontrol profile gsmartcontrol @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include capability dac_read_search, 
@@ -30,6 +31,7 @@ profile gsmartcontrol @{exec_path} { @{exec_path} mr, /{usr/,}sbin/smartctl rPx, + /{usr/,}bin/xterm rCx -> terminal, # When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: @@ -73,8 +75,8 @@ profile gsmartcontrol @{exec_path} { profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -86,5 +88,33 @@ profile gsmartcontrol @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + profile terminal { + include + include + include + include + + capability setuid, + capability setgid, + capability fsetid, + + /{usr/,}bin/xterm mr, + + /usr/sbin/update-smart-drivedb rPx, + + owner @{HOME}/.Xauthority r, + + /etc/shells r, + + /etc/X11/app-defaults/XTerm-color r, + /etc/X11/app-defaults/XTerm r, + /etc/X11/cursors/*.theme r, + + /usr/include/X11/bitmaps/vlines2 r, + + /dev/ptmx rw, + + } + + include if exists } diff --git a/apparmor.d/gsmartcontrol-root b/apparmor.d/gsmartcontrol-root index e05197e85..9ef8cc9c7 100644 --- a/apparmor.d/gsmartcontrol-root +++ b/apparmor.d/gsmartcontrol-root @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gsmartcontrol-root profile gsmartcontrol-root @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -25,5 +25,5 @@ profile gsmartcontrol-root @{exec_path} { /{usr/,}bin/pkexec rPx, - #include if exists + include if exists } diff --git a/apparmor.d/gtk-update-icon-cache b/apparmor.d/gtk-update-icon-cache index 1b5b01351..938edbac9 100644 --- a/apparmor.d/gtk-update-icon-cache +++ b/apparmor.d/gtk-update-icon-cache 
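Review bot: `/usr/sbin/update-smart-drivedb rPx,` in the new `profile terminal` (hunk `@@ -86,5 +88,33 @@`) hard-codes `/usr/sbin/` while every other executable path in this file uses the `/{usr/,}sbin/` or `/{usr/,}bin/` form (e.g. `/{usr/,}sbin/smartctl rPx,`), so the rule silently does not match on a non-merged-/usr layout; write it as `/{usr/,}sbin/update-smart-drivedb rPx,`. `rPx` also requires a profile for update-smart-drivedb to exist, otherwise the exec is denied; if none ships with this change, `rPUx` is the fallback. The three lines `capability setuid,`, `capability setgid,` and `capability fsetid,` granted to xterm have no rationale comment, unlike the rest of the profile; a one-liner naming the xterm operation that needs them (presumably pty/utmp handling — confirm) would help the next reviewer.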
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gtk-update-icon-cache profile gtk-update-icon-cache @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile gtk-update-icon-cache @{exec_path} { /usr/share/icons/**/.icon-theme.cache rw, /usr/share/icons/**/icon-theme.cache rw, - #include if exists + include if exists } diff --git a/apparmor.d/gtk-youtube-viewer b/apparmor.d/gtk-youtube-viewer index f8a6fbae6..77c82ef1d 100644 --- a/apparmor.d/gtk-youtube-viewer +++ b/apparmor.d/gtk-youtube-viewer @@ -9,22 +9,28 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gtk{,2,3}-youtube-viewer profile gtk-youtube-viewer @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/perl r, @@ -55,14 +61,14 @@ profile gtk-youtube-viewer @{exec_path} { profile xterm { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include signal (send) set=(hup, winch) peer=youtube-viewer, signal (send) set=(hup, winch) peer=youtube-viewer//wget, @@ -96,8 +102,8 @@ profile gtk-youtube-viewer @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @@ -114,5 +120,5 @@ profile gtk-youtube-viewer @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/hardinfo b/apparmor.d/hardinfo index 465055f7f..5d471abaf 100644 
--- a/apparmor.d/hardinfo +++ b/apparmor.d/hardinfo @@ -9,20 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/hardinfo profile hardinfo @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include # This is needed to display some content of devices -> resources capability sys_admin, @@ -30,12 +31,18 @@ profile hardinfo @{exec_path} { # This is for benchmarks capability sys_nice, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/locale rix, /{usr/,}bin/ldd rix, /{usr/,}bin/tr rix, + /{usr/,}bin/python2.[0-9]* rix, /{usr/,}bin/python3.[0-9]* rix, /{usr/,}bin/perl rix, /{usr/,}bin/ruby2.[0-9]* rix, @@ -98,6 +105,12 @@ profile hardinfo @{exec_path} { /etc/fstab r, /etc/exports r, + /etc/samba/smb.conf r, + + /etc/gdb/gdbinit.d/ r, + + /usr/share/gdb/python/ r, + /usr/share/gdb/python/** r, /var/log/wtmp r, @@ -108,12 +121,16 @@ profile hardinfo @{exec_path} { # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, + # Silencer + deny /usr/share/gdb/python/** w, + deny /usr/lib/python3/** w, + # file_inherit owner /dev/tty[0-9]* rw, profile ccache { - #include + include /{usr/,}bin/ccache mr, 
@@ -124,19 +141,22 @@ profile hardinfo @{exec_path} { } profile javac { - #include - #include + include + include - /{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/javac mr, + /{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, - /etc/java-[0-9]*-openjdk/jvm-amd64.cfg r, + /{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, + + /etc/java-[0-9]*-openjdk/** r, /usr/share/java/*.jar r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/coredump_filter rw, - /sys/fs/cgroup/** r, + @{sys}/fs/cgroup/** r, owner /tmp/hsperfdata_*/ rw, owner /tmp/hsperfdata_*/@{pid} rw, @@ -144,8 +164,8 @@ profile hardinfo @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -162,15 +182,17 @@ profile hardinfo @{exec_path} { } profile kmod { - #include + include /{usr/,}bin/kmod mr, + @{sys}/module/** r, + @{PROC}/cmdline r, @{PROC}/modules r, @{PROC}/ioports r, } - #include if exists + include if exists } diff --git a/apparmor.d/hciconfig b/apparmor.d/hciconfig index 168a76689..e88af380a 100644 --- a/apparmor.d/hciconfig +++ b/apparmor.d/hciconfig @@ -9,19 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/hciconfig profile hciconfig @{exec_path} flags=(complain) { - #include + include capability net_raw, capability net_admin, + network bluetooth raw, + @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/hddtemp b/apparmor.d/hddtemp index cf1541d6b..65d49489d 100644 --- a/apparmor.d/hddtemp +++ b/apparmor.d/hddtemp @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/hddtemp profile hddtemp @{exec_path} { - #include + include # To remove the following errors: # /dev/sda: Permission denied 
@@ -28,6 +28,9 @@ profile hddtemp @{exec_path} { # It looks like hddtemp works just fine without it. deny capability sys_admin, + network inet stream, + network inet6 stream, + @{exec_path} mr, # Monitored hard drives @@ -39,5 +42,5 @@ profile hddtemp @{exec_path} { # Needed when the hddtemp daemon is started in the TCP/IP mode /etc/gai.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/hdparm b/apparmor.d/hdparm index b05a4c284..5cf7e42a5 100644 --- a/apparmor.d/hdparm +++ b/apparmor.d/hdparm @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/hdparm profile hdparm @{exec_path} flags=(complain) { - #include - #include + include + include # To remove the following errors: # re-writing sector *: BLKFLSBUF failed: Permission denied @@ -37,5 +37,5 @@ profile hdparm @{exec_path} flags=(complain) { @{HOME}/** r, /media/*/** r, - #include if exists + include if exists } diff --git a/apparmor.d/hexchat b/apparmor.d/hexchat index 862ab3178..26e0f0ab9 100644 --- a/apparmor.d/hexchat +++ b/apparmor.d/hexchat @@ -9,26 +9,32 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/hexchat profile hexchat @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include # For python/perl plugins - #include - #include - #include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} mr, @@ -52,5 +58,5 @@ profile hexchat @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/hostname b/apparmor.d/hostname index 0b4c19781..2f56d302a 100644 
--- a/apparmor.d/hostname
+++ b/apparmor.d/hostname
@@ -9,19 +9,19 @@
#
# ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
@{exec_path} = /{usr/,}bin/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}
profile hostname @{exec_path} {
- #include
- #include
- #include
+ include
+ include
+ include
capability sys_admin,
@{exec_path} mr,
- #include if exists
+ include if exists
}
diff --git a/apparmor.d/htop b/apparmor.d/htop
index 5557c073a..b6e1dfd24 100644
--- a/apparmor.d/htop
+++ b/apparmor.d/htop
@@ -9,14 +9,14 @@
#
# ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
@{exec_path} = /{usr/,}bin/htop
profile htop @{exec_path} {
- #include
- #include
+ include
+ include
# To be able to read the /proc/ files of all processes in the system.
capability dac_read_search,
@@ -29,9 +29,14 @@ profile htop @{exec_path} {
capability sys_ptrace,
+ # Needed?
+ capability net_admin,
+
signal (send),
ptrace (read),
+ network netlink raw,
+
@{exec_path} mr,
@{PROC}/ r,
@@ -50,6 +55,7 @@ profile htop @{exec_path} {
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/wchan r,
@{PROC}/@{pids}/io r,
+ @{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@@ -62,9 +68,13 @@ profile htop @{exec_path} {
@{PROC}/@{pids}/task/@{tid}/wchan r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/io r,
+ @{PROC}/@{pids}/task/@{tid}/comm r,
owner @{PROC}/@{pid}/smaps_rollup r,
+ @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
+
owner @{HOME}/.config/htop/ rw,
owner @{HOME}/.config/htop/htoprc rw,
@@ -75,5 +85,5 @@ profile htop @{exec_path} {
# htop[]: Oh, oh, it's an error! possibly I die!
/dev/tty[0-9]* rw,
- #include if exists
+ include if exists
}
diff --git a/apparmor.d/hugeadm b/apparmor.d/hugeadm
index f5234127c..7af2a321c 100644
--- a/apparmor.d/hugeadm
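Review bot: The `# Needed?` placed above the new `capability net_admin,` in htop can be answered: an htop built with libnl delay-accounting support opens a generic-netlink socket (which is what the `network netlink raw,` added a few lines below serves) and queries taskstats, an operation the kernel gates on CAP_NET_ADMIN, so the two rules belong together. Replace the placeholder with `# For delay accounting via taskstats over generic netlink, which the kernel restricts to CAP_NET_ADMIN.` If that column is not wanted on this system, drop `capability net_admin,` and `network netlink raw,` together rather than leave an unexplained admin capability in a process monitor.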
+++ b/apparmor.d/hugeadm @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/hugeadm profile hugeadm @{exec_path} { - #include - #include + include + include # To mount anything under /var/lib/hugetlbfs/** . capability sys_admin, @@ -63,5 +63,5 @@ profile hugeadm @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/* r, owner @{sys}/kernel/mm/transparent_hugepage/* rw, - #include if exists + include if exists } diff --git a/apparmor.d/hugo b/apparmor.d/hugo index 850656682..07812f0ee 100644 --- a/apparmor.d/hugo +++ b/apparmor.d/hugo @@ -9,15 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{HUGO_DIR} = /media/debuilder/hugo @{exec_path} = /{usr/,}bin/hugo profile hugo @{exec_path} { - #include + include + + network inet stream, + network inet6 stream, @{exec_path} mr, @@ -40,5 +43,5 @@ profile hugo @{exec_path} { /etc/mime.types r, - #include if exists + include if exists } diff --git a/apparmor.d/hw-probe b/apparmor.d/hw-probe index 2142e01c8..36c4c42d5 100644 --- a/apparmor.d/hw-probe +++ b/apparmor.d/hw-probe @@ -9,17 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/hw-probe profile hw-probe @{exec_path} { - #include - #include + include + include capability sys_admin, + network inet dgram, + network inet6 dgram, + @{exec_path} r, /{usr/,}bin/perl r, @@ -32,6 +35,7 @@ profile hw-probe @{exec_path} { /{usr/,}bin/uname rix, /{usr/,}bin/dd rix, + /{usr/,}bin/tar rix, /{usr/,}bin/efivar rix, /{usr/,}bin/efibootmgr rix, @@ -85,6 +89,7 @@ profile hw-probe @{exec_path} { /{usr/,}sbin/ifconfig rCx -> netconfig, /{usr/,}sbin/iwconfig rCx -> netconfig, /{usr/,}sbin/ethtool rCx -> netconfig, + /{usr/,}bin/curl rCx -> curl, owner /root/HW_PROBE/{,**} rw, 
@@ -114,8 +119,8 @@ profile hw-probe @{exec_path} { profile find { - #include - #include + include + include capability dac_read_search, @@ -123,10 +128,12 @@ profile hw-probe @{exec_path} { /dev/{,**} r, + /root/ r, + } profile journalctl { - #include + include /{usr/,}bin/journalctl mr, @@ -145,7 +152,7 @@ profile hw-probe @{exec_path} { } profile systemd-analyze { - #include + include /{usr/,}bin/systemd-analyze mr, @@ -154,7 +161,7 @@ profile hw-probe @{exec_path} { } profile killall { - #include + include capability sys_ptrace, @@ -172,7 +179,7 @@ profile hw-probe @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, @@ -194,7 +201,7 @@ profile hw-probe @{exec_path} { } profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -208,12 +215,19 @@ profile hw-probe @{exec_path} { } profile netconfig { - #include + include # Not needed deny capability net_admin, deny capability net_raw, + network inet dgram, + network inet6 dgram, + network ipx dgram, + network ax25 dgram, + network appletalk dgram, + network netlink raw, + /{usr/,}sbin/iw mr, /{usr/,}sbin/ifconfig mr, /{usr/,}sbin/iwconfig mr, @@ -224,5 +238,16 @@ profile hw-probe @{exec_path} { } - #include if exists + profile curl { + include + include + include + include + + /{usr/,}bin/curl mr, + + } + + + include if exists } diff --git a/apparmor.d/hwinfo b/apparmor.d/hwinfo index ad0927d8e..e27b4e393 100644 --- a/apparmor.d/hwinfo +++ b/apparmor.d/hwinfo @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/hwinfo profile hwinfo @{exec_path} { - #include - #include + include + include # Without the sys_admin CAP, some information, for instance the reserved I/O port address range # in the /proc/ioports, will be hidden. 
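Review bot: The new `curl` child carries no `network` rule, and with the `abi` header this commit enables network access is mediated, so unless one of its abstraction includes (their targets are not visible in this view) grants it, the upload will be denied; add `network inet stream,` and `network inet6 stream,` (plus the `inet`/`inet6 dgram` pair if name resolution is not covered by an abstraction). The child also has no rule for the probe archive the parent writes under `/root/HW_PROBE/`, so curl cannot read what it is meant to send; `owner /root/HW_PROBE/** r,` limits that to the probe output. Isolating curl in a child instead of `ix` is the right shape here, since it is the only part of hw-probe that needs egress while the parent holds `capability sys_admin`.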
@@ -32,6 +32,10 @@ profile hwinfo @{exec_path} { # Needed when passed disk related options (--block, --partition, --floppy) capability sys_rawio, + network inet dgram, + network inet6 dgram, + network packet raw, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -78,7 +82,7 @@ profile hwinfo @{exec_path} { profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -95,7 +99,7 @@ profile hwinfo @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, @@ -115,5 +119,5 @@ profile hwinfo @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/i2cdetect b/apparmor.d/i2cdetect index 8f21883e1..2a8c051e4 100644 --- a/apparmor.d/i2cdetect +++ b/apparmor.d/i2cdetect @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/i2cdetect profile i2cdetect @{exec_path} { - #include + include @{exec_path} mr, owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/i3lock b/apparmor.d/i3lock index 6e54160bc..65fdda5af 100644 --- a/apparmor.d/i3lock +++ b/apparmor.d/i3lock @@ -9,18 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/i3lock profile i3lock @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network netlink raw, @{exec_path} mr, @@ -38,5 +40,5 @@ profile i3lock @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/i3lock-fancy b/apparmor.d/i3lock-fancy index 02d024c41..bc44fa3ed 100644 --- a/apparmor.d/i3lock-fancy +++ b/apparmor.d/i3lock-fancy 
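Review bot: `network packet raw,` is added to hwinfo, but creating an AF_PACKET socket also needs CAP_NET_RAW, which AppArmor mediates separately from the `network` rule, and the hunk's context shows `capability sys_rawio` with no `capability net_raw`; unless that capability is granted elsewhere in the profile (outside this hunk), the socket is still denied and the new rule is inert. Either add `capability net_raw,` with a comment naming the hwinfo probe that needs a packet socket, or drop `network packet raw,` rather than carry an unexplained raw-socket grant in a tool that already holds `sys_admin` and `sys_rawio`.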
@@ -9,16 +9,16 @@
#
# ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
@{exec_path} = /{usr/,}bin/i3lock-fancy
profile i3lock-fancy @{exec_path} {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@@ -49,9 +49,9 @@ profile i3lock-fancy @{exec_path} {
profile imagemagic {
- #include
- #include
- #include
+ include
+ include
+ include
/{usr/,}bin/convert-im6.q16 mr,
/{usr/,}bin/import-im6.q16 mr,
@@ -72,8 +72,7 @@ profile i3lock-fancy @{exec_path} {
# file_inherit
owner /dev/tty[0-9]* rw,
- }
- #include if exists
+ include if exists
}
diff --git a/apparmor.d/ifconfig b/apparmor.d/ifconfig
index 00fa8a7f3..ed0f727a6 100644
--- a/apparmor.d/ifconfig
+++ b/apparmor.d/ifconfig
@@ -9,14 +9,14 @@
#
# ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
@{exec_path} = /{usr/,}sbin/ifconfig
profile ifconfig @{exec_path} {
- #include
- #include
+ include
+ include
# To be able to manage network interfaces.
capability net_admin,
@@ -24,6 +24,9 @@ profile ifconfig @{exec_path} {
# Needed?
audit deny capability sys_module,
+ network inet dgram,
+ network inet6 dgram,
+
@{exec_path} mr,
@{PROC}/net/dev r,
@@ -33,5 +36,5 @@ profile ifconfig @{exec_path} {
/etc/networks r,
- #include if exists
+ include if exists
}
diff --git a/apparmor.d/ifup b/apparmor.d/ifup
index d8839ada4..60df93c2f 100644
--- a/apparmor.d/ifup
+++ b/apparmor.d/ifup
@@ -9,13 +9,13 @@
#
# ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
@{exec_path} = /{usr/,}sbin/{ifup,ifdown,ifquery}
profile ifup @{exec_path} {
- #include
+ include
# To be able to manage network interfaces.
capability net_admin,
@@ -23,6 +23,8 @@ profile ifup @{exec_path} {
# Needed?
audit deny capability sys_module,
+ network netlink raw,
+
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
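Review bot: The last i3lock-fancy hunk removes a `}` between `owner /dev/tty[0-9]* rw,` and the local `include if exists` line, so the file's brace count drops by one; whether that brace closed the `imagemagic` child (whose start is outside this hunk) or was a misplaced top-level brace cannot be seen here. If it was the child's, the local include now sits inside `imagemagic` and the outer `i3lock-fancy` profile is unterminated, which apparmor_parser rejects — and a profile that fails to load leaves the screen locker running unconfined. Please confirm with `apparmor_parser -Q` that the file still loads and that the include lands in the top-level profile; if the child's brace is needed, restore `}` before the include.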
@@ -46,7 +48,7 @@ profile ifup @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -85,5 +87,5 @@ profile ifup @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/initd-kexec b/apparmor.d/initd-kexec index 5cd404723..5e0ec791e 100644 --- a/apparmor.d/initd-kexec +++ b/apparmor.d/initd-kexec @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/init.d/kexec profile initd-kexec @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -35,7 +35,7 @@ profile initd-kexec @{exec_path} { @{sys}/kernel/kexec_loaded r, profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -44,7 +44,7 @@ profile initd-kexec @{exec_path} { } profile systemctl { - #include + include capability sys_resource, @@ -68,5 +68,5 @@ profile initd-kexec @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/initd-kexec-load b/apparmor.d/initd-kexec-load index 196d91da9..6ffc56e89 100644 --- a/apparmor.d/initd-kexec-load +++ b/apparmor.d/initd-kexec-load @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/init.d/kexec-load profile initd-kexec-load @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -49,7 +49,7 @@ profile initd-kexec-load @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -58,8 +58,8 @@ profile initd-kexec-load @{exec_path} { } profile systemctl { - #include - #include + include + include capability sys_resource, @@ -83,5 +83,5 @@ profile initd-kexec-load @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/initd-kmod b/apparmor.d/initd-kmod index a74e5d00e..db2ddefa8 100644 --- a/apparmor.d/initd-kmod +++ b/apparmor.d/initd-kmod 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/init.d/kmod profile initd-kmod @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -36,7 +36,7 @@ profile initd-kmod @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -45,7 +45,7 @@ profile initd-kmod @{exec_path} { } profile systemctl { - #include + include capability sys_resource, @@ -63,5 +63,5 @@ profile initd-kmod @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/install-printerdriver b/apparmor.d/install-printerdriver index b520d5405..5d8f8e1ac 100644 --- a/apparmor.d/install-printerdriver +++ b/apparmor.d/install-printerdriver @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/install-printerdriver @{exec_path} += /usr/share/system-config-printer/install-printerdriver.py profile install-printerdriver @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} mrix, @@ -26,5 +26,5 @@ profile install-printerdriver @{exec_path} flags=(complain) { /usr/share/system-config-printer/{,**} r, - #include if exists + include if exists } diff --git a/apparmor.d/inxi b/apparmor.d/inxi index 702e75143..e6da6f4b0 100644 --- a/apparmor.d/inxi +++ b/apparmor.d/inxi @@ -9,16 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/inxi profile inxi @{exec_path} { - #include - #include - #include - #include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/perl r, 
@@ -77,6 +83,9 @@ profile inxi @{exec_path} { @{HOME}/.local/share/xorg/ r, @{HOME}/.local/share/xorg/Xorg.[0-9]*.log r, + # For shell pwd + /root/ r, + @{run}/ r, @{PROC}/asound/ r, @@ -103,10 +112,13 @@ profile inxi @{exec_path} { @{sys}/bus/usb/devices/ r, @{sys}/devices/{,**} r, @{sys}/module/*/version r, + @{sys}/power/wakeup_count r, profile ip { - #include + include + + network netlink raw, /{usr/,}bin/ip mr, @@ -117,7 +129,7 @@ profile inxi @{exec_path} { } profile systemd { - #include + include /{usr/,}lib/systemd/systemd mr, @@ -131,7 +143,7 @@ profile inxi @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, @@ -149,7 +161,7 @@ profile inxi @{exec_path} { } profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -158,5 +170,5 @@ profile inxi @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/ioping b/apparmor.d/ioping index c1baca1e4..64db88c05 100644 --- a/apparmor.d/ioping +++ b/apparmor.d/ioping @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ioping profile ioping @{exec_path} { - #include - #include + include + include # For pinging other users files as root. capability dac_read_search, @@ -51,5 +51,5 @@ profile ioping @{exec_path} { # This was created when ioping was used on an external SD card. /**/ioping.tmp.* w, - #include if exists + include if exists } diff --git a/apparmor.d/iotop b/apparmor.d/iotop index 921aa07c0..1f57e362a 100644 --- a/apparmor.d/iotop +++ b/apparmor.d/iotop @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/iotop profile iotop @{exec_path} { - #include - #include - #include + include + include + include capability net_admin, @@ -42,5 +42,5 @@ profile iotop @{exec_path} { # For file /etc/magic r, - #include if exists + include if exists } 
diff --git a/apparmor.d/ip b/apparmor.d/ip index 3432e14c3..2e9e4a734 100644 --- a/apparmor.d/ip +++ b/apparmor.d/ip @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # When "ip netns" is issued, the following error will be printed: # "Failed name lookup - disconnected path" error=-13 profile="ip" name="". @{exec_path} = /{usr/,}bin/ip profile ip @{exec_path} flags=(attach_disconnected) { - #include + include # To be able to manage network interfaces. capability net_admin, @@ -27,6 +27,8 @@ profile ip @{exec_path} flags=(attach_disconnected) { # Needed? audit deny capability sys_module, + network netlink raw, + @{exec_path} mrix, mount options=(rw, rshared) -> /{var/,}run/netns/, @@ -50,5 +52,5 @@ profile ip @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/igmp{,6} r, owner @{PROC}/sys/net/ipv{4,6}/route/flush w, - #include if exists + include if exists } diff --git a/apparmor.d/ipcalc b/apparmor.d/ipcalc index 529d3b491..84d0311b5 100644 --- a/apparmor.d/ipcalc +++ b/apparmor.d/ipcalc @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ipcalc profile ipcalc @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, - #include if exists + include if exists } diff --git a/apparmor.d/iw b/apparmor.d/iw index c171ccb47..2442d34cc 100644 --- a/apparmor.d/iw +++ b/apparmor.d/iw @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/iw profile iw @{exec_path} { - #include + include # To be able to manage network interfaces. capability net_admin, @@ -23,10 +23,12 @@ profile iw @{exec_path} { # Needed? audit deny capability sys_module, + network netlink raw, + @{exec_path} mr, # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } 
diff --git a/apparmor.d/iwconfig b/apparmor.d/iwconfig index 2afb56276..049f98b28 100644 --- a/apparmor.d/iwconfig +++ b/apparmor.d/iwconfig @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/iwconfig profile iwconfig @{exec_path} { - #include + include # To be able to manage network interfaces. capability net_admin, @@ -23,11 +23,14 @@ profile iwconfig @{exec_path} { # Needed? audit deny capability sys_module, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, @{PROC}/net/wireless r, owner @{PROC}/@{pid}/net/wireless r, owner @{PROC}/@{pid}/net/dev r, - #include if exists + include if exists } diff --git a/apparmor.d/iwlist b/apparmor.d/iwlist index 0b847465f..c9c919b5d 100644 --- a/apparmor.d/iwlist +++ b/apparmor.d/iwlist @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/iwlist profile iwlist @{exec_path} { - #include + include # To be able to manage network interfaces. capability net_admin, @@ -25,5 +25,5 @@ profile iwlist @{exec_path} { @{PROC}/net/wireless r, owner @{PROC}/@{pid}/net/dev r, - #include if exists + include if exists } diff --git a/apparmor.d/jdownloader b/apparmor.d/jdownloader index 87b9cac68..ed7ccc50f 100644 --- a/apparmor.d/jdownloader +++ b/apparmor.d/jdownloader @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{JD_INSTALLDIR} = /home/*/jd2 @{exec_path} = @{JD_INSTALLDIR}/*JDownloader* profile jdownloader @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include @{exec_path} rix, 
@@ -106,8 +106,8 @@ profile jdownloader @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @@ -124,5 +124,5 @@ profile jdownloader @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/jdownloader-install b/apparmor.d/jdownloader-install index 6bbf2187f..7428013df 100644 --- a/apparmor.d/jdownloader-install +++ b/apparmor.d/jdownloader-install @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{JD_INSTALLDIR} = /home/*/jd2 @{JD_SH_PATH} = /home/*/[dD]ownload{,s} @@ -19,12 +19,12 @@ @{exec_path} = @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh profile jdownloader-install @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -107,5 +107,5 @@ profile jdownloader-install @{exec_path} { deny owner @{JD_INSTALLDIR}/jre/lib/*/*.so m, deny owner @{JD_INSTALLDIR}/JDownloader2 rx, - #include if exists + include if exists } diff --git a/apparmor.d/jekyll b/apparmor.d/jekyll index ce212606d..ad0d2adf3 100644 --- a/apparmor.d/jekyll +++ b/apparmor.d/jekyll @@ -11,16 +11,16 @@ @{JEKYLL_DIR}=@{HOME}/morfikov.github.io -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/jekyll profile jekyll @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/ruby2.[0-9]* r, @@ -36,5 +36,5 @@ profile jekyll @{exec_path} { @{PROC}/version r, - #include if exists + include if exists } diff --git a/apparmor.d/jgmenu b/apparmor.d/jgmenu index 8bff2daa1..7193043b7 100644 --- a/apparmor.d/jgmenu +++ b/apparmor.d/jgmenu 
@@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/jgmenu{,_run} profile jgmenu @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mrix, @@ -39,7 +39,7 @@ profile jgmenu @{exec_path} { owner @{HOME}/ r, owner @{HOME}/.jgmenu-lockfile rwk, - owner @{HOME}/.config/tint2/tint2rc r, + owner @{HOME}/.config/tint2/* r, owner @{HOME}/.config/jgmenu/ rw, owner @{HOME}/.config/jgmenu/** rw, @@ -62,5 +62,5 @@ profile jgmenu @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/kanyremote b/apparmor.d/kanyremote index 7b044e101..35599cd0a 100644 --- a/apparmor.d/kanyremote +++ b/apparmor.d/kanyremote @@ -9,27 +9,30 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kanyremote profile kanyremote @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet stream, + network inet6 stream, @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -87,8 +90,8 @@ profile kanyremote @{exec_path} { profile killall { - #include - #include + include + include capability sys_ptrace, @@ -106,8 +109,8 @@ profile kanyremote @{exec_path} { } profile pgrep { - #include - #include + include + include /{usr/,}bin/pgrep mr, @@ -120,5 +123,5 @@ profile kanyremote @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/kcheckpass b/apparmor.d/kcheckpass index e3acc174c..0c70cfe5b 100644 
--- a/apparmor.d/kcheckpass +++ b/apparmor.d/kcheckpass @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kcheckpass profile kcheckpass @{exec_path} { - #include - #include - #include - #include + include + include + include + include signal (receive) peer=kscreenlocker-greet, @@ -29,5 +29,5 @@ profile kcheckpass @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/kconfig-hardened-check b/apparmor.d/kconfig-hardened-check index b5d0f0555..9f417de95 100644 --- a/apparmor.d/kconfig-hardened-check +++ b/apparmor.d/kconfig-hardened-check @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kconfig-hardened-check profile kconfig-hardened-check @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -31,5 +31,5 @@ profile kconfig-hardened-check @{exec_path} { # This is for kernels, which are built manually /**/.config r, - #include if exists + include if exists } diff --git a/apparmor.d/keepassxc b/apparmor.d/keepassxc index 89b3c8298..9a5d852d9 100644 --- a/apparmor.d/keepassxc +++ b/apparmor.d/keepassxc 
@@ -9,29 +9,36 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{KP_DB} = @{HOME}/keepass-baza @{exec_path} = /{usr/,}bin/keepassxc profile keepassxc @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, @{exec_path} mrix, @@ -121,8 +128,8 @@ profile keepassxc @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -139,5 +146,5 @@ profile keepassxc @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/keepassxc-cli b/apparmor.d/keepassxc-cli index 8ec49ddd6..76d4c81c1 100644 --- a/apparmor.d/keepassxc-cli +++ b/apparmor.d/keepassxc-cli @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/keepassxc-cli profile keepassxc-cli @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/keepassxc-proxy b/apparmor.d/keepassxc-proxy index a729a1703..729e7a7d8 100644 --- a/apparmor.d/keepassxc-proxy +++ b/apparmor.d/keepassxc-proxy @@ -9,18 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/keepassxc-proxy profile keepassxc-proxy @{exec_path} { - #include - #include - #include + include + include + include signal (receive) set=(term, kill), + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # file_inherit 
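Review bot: `network inet stream,` and `network inet6 stream,` are surprising in keepassxc-proxy, whose job is to relay native-messaging traffic between the browser on stdio and KeePassXC over a local Unix socket, and which is the component reachable from the browser extension. If these were added to silence startup denials from Qt's networking module rather than a real outbound connection, prefer `deny network inet stream,` and `deny network inet6 stream,` and keep only what the audit log shows the relay actually uses, then verify browser integration still works. A one-line comment stating which operation required each network rule would let the next reviewer judge the grant instead of guessing.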
@@ -40,5 +44,5 @@ profile keepassxc-proxy @{exec_path} { # owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/kernel-install b/apparmor.d/kernel-install index e40fafb2b..8751059a7 100644 --- a/apparmor.d/kernel-install +++ b/apparmor.d/kernel-install @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kernel-install profile kernel-install @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -63,7 +63,7 @@ profile kernel-install @{exec_path} flags=(complain) { profile kmod flags=(complain) { - #include + include /{usr/,}bin/kmod mr, @@ -72,5 +72,5 @@ profile kernel-install @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/kerneloops b/apparmor.d/kerneloops index e27aa18eb..1952e019b 100644 --- a/apparmor.d/kerneloops +++ b/apparmor.d/kerneloops @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/kerneloops profile kerneloops @{exec_path} { - #include - #include + include + include capability syslog, @@ -31,5 +31,5 @@ profile kerneloops @{exec_path} { # When found a kernel OOPS make a tmp file and fill it with the OOPS message /tmp/kerneloops.* rw, - #include if exists + include if exists } diff --git a/apparmor.d/kerneloops-applet b/apparmor.d/kerneloops-applet index b6dc61a28..cb5f6dd32 100644 --- a/apparmor.d/kerneloops-applet +++ b/apparmor.d/kerneloops-applet 
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kerneloops-applet profile kerneloops-applet @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include @{exec_path} mr, @@ -37,5 +37,5 @@ profile kerneloops-applet @{exec_path} { # Fonts /usr/share/poppler/cMap/Adobe-Japan2/ r, - #include if exists + include if exists } diff --git a/apparmor.d/kexec b/apparmor.d/kexec index 01c19b26d..38ea385ad 100644 --- a/apparmor.d/kexec +++ b/apparmor.d/kexec @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/kexec profile kexec @{exec_path} flags=(complain) { - #include + include capability sys_boot, @@ -32,5 +32,5 @@ profile kexec @{exec_path} flags=(complain) { /dev/fb[0-9] r, - #include if exists + include if exists } diff --git a/apparmor.d/kmod b/apparmor.d/kmod index e81113781..cc137c404 100644 --- a/apparmor.d/kmod +++ b/apparmor.d/kmod @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/{kmod,lsmod} @{exec_path} += /{usr/,}sbin/{depmod,insmod,lsmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} { - #include - #include + include + include # To load/unload kernel modules # modprobe: ERROR: could not insert '*': Operation not permitted @@ -60,5 +60,5 @@ profile kmod @{exec_path} { owner @{BUILD_DIR}/**/debian/*/lib/modules/*/kernel/{,**/} r, owner @{BUILD_DIR}/**/debian/*/lib/modules/*/kernel/**/*.ko r, - #include if exists + include if exists } diff --git a/apparmor.d/kodi b/apparmor.d/kodi index 8492c7fd1..24b5f2153 100644 --- a/apparmor.d/kodi +++ b/apparmor.d/kodi 
@@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kodi /{usr/,}lib/@{multiarch}/kodi/kodi.bin profile kodi @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -93,7 +93,7 @@ profile kodi @{exec_path} { /etc/machine-id r, profile df { - #include + include /{usr/,}bin/df mr, @@ -107,5 +107,5 @@ profile kodi @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/kodi-xrandr b/apparmor.d/kodi-xrandr index 5f817b213..bfbcb4a0c 100644 --- a/apparmor.d/kodi-xrandr +++ b/apparmor.d/kodi-xrandr @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr profile kodi-xrandr @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile kodi-xrandr @{exec_path} { @{sys}/devices/system/cpu/cpufreq/policy0/scaling_cur_freq r, owner @{HOME}/.kodi/temp/kodi.log w, - #include if exists + include if exists } diff --git a/apparmor.d/kscreenlocker-greet b/apparmor.d/kscreenlocker-greet index 419946937..76cf6917c 100644 --- a/apparmor.d/kscreenlocker-greet +++ b/apparmor.d/kscreenlocker-greet @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kscreenlocker_greet profile kscreenlocker-greet @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include signal (send) peer=kcheckpass, 
@@ -79,5 +79,5 @@ profile kscreenlocker-greet @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/kvm-ok b/apparmor.d/kvm-ok index 21a34a01d..e89edc846 100644 --- a/apparmor.d/kvm-ok +++ b/apparmor.d/kvm-ok @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/kvm-ok profile kvm-ok @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -32,9 +32,12 @@ profile kvm-ok @{exec_path} { #/dev/kvm r, #/dev/cpu/[0-9]*/msr r, + # For shell pwd + /root/ r, + profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -47,5 +50,5 @@ profile kvm-ok @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/kwalletd5 b/apparmor.d/kwalletd5 index 8d9024e38..c62ea6e5d 100644 --- a/apparmor.d/kwalletd5 +++ b/apparmor.d/kwalletd5 @@ -9,26 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kwalletd5 profile kwalletd5 @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -70,7 +70,7 @@ profile kwalletd5 @{exec_path} { profile gpg { - #include + include /{usr/,}bin/gpgconf mr, /{usr/,}bin/gpg mr, @@ -81,6 +81,6 @@ profile kwalletd5 @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/kwalletmanager5 b/apparmor.d/kwalletmanager5 index bc3c1e9a2..0ec301c3f 100644 --- a/apparmor.d/kwalletmanager5 +++ b/apparmor.d/kwalletmanager5 
@@ -9,27 +9,27 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kwalletmanager5 profile kwalletmanager5 @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -78,5 +78,5 @@ profile kwalletmanager5 @{exec_path} { owner /tmp/xauth-[0-9]*-_[0-9] r, - #include if exists + include if exists } diff --git a/apparmor.d/libvirt/TEMPLATE.lxc b/apparmor.d/libvirt/TEMPLATE.lxc index f1005dc57..6894aa6ba 100644 --- a/apparmor.d/libvirt/TEMPLATE.lxc +++ b/apparmor.d/libvirt/TEMPLATE.lxc @@ -2,10 +2,10 @@ # This profile is for the domain whose UUID matches this file. # -#include +include profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { - #include + include # Globally allows everything to run under this profile # These can be narrowed depending on the container's use. diff --git a/apparmor.d/libvirt/TEMPLATE.qemu b/apparmor.d/libvirt/TEMPLATE.qemu index a327315d9..b242a775b 100644 --- a/apparmor.d/libvirt/TEMPLATE.qemu +++ b/apparmor.d/libvirt/TEMPLATE.qemu @@ -2,8 +2,8 @@ # This profile is for the domain whose UUID matches this file. # -#include +include profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { - #include + include } diff --git a/apparmor.d/light b/apparmor.d/light index 1da36f74f..916339eed 100644 --- a/apparmor.d/light +++ b/apparmor.d/light @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/light profile light @{exec_path} { - #include - #include + include + include @{exec_path} mr, 
@@ -41,5 +41,5 @@ profile light @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/light-locker b/apparmor.d/light-locker index 108996fa6..c197b7a1a 100644 --- a/apparmor.d/light-locker +++ b/apparmor.d/light-locker @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/light-locker profile light-locker @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -41,7 +41,7 @@ profile light-locker @{exec_path} { ##include #owner @{run}/user/[0-9]*/dconf/ w, #owner @{run}/user/[0-9]*/dconf/user rw, - #include + include @{sys}/devices/pci[0-9]*/**/uevent r, @{sys}/devices/pci[0-9]*/**/vendor r, @@ -52,5 +52,5 @@ profile light-locker @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/light-locker-command b/apparmor.d/light-locker-command index 3470393af..9cb6c7eea 100644 --- a/apparmor.d/light-locker-command +++ b/apparmor.d/light-locker-command @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/light-locker-command profile light-locker-command @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/lightdm b/apparmor.d/lightdm index 325c6f2a2..070fbc8f4 100644 --- a/apparmor.d/lightdm +++ b/apparmor.d/lightdm 
@@ -9,20 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/lightdm profile lightdm @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include # To remove the following errors: # lightdm[]: Could not chown user data directory /var/lib/lightdm/data/lightdm: Error setting @@ -126,5 +126,5 @@ profile lightdm @{exec_path} { /{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx, /usr/libexec/at-spi-bus-launcher rPUx, - #include if exists + include if exists } diff --git a/apparmor.d/lightdm-gtk-greeter b/apparmor.d/lightdm-gtk-greeter index 2390c9cba..dd8c16e96 100644 --- a/apparmor.d/lightdm-gtk-greeter +++ b/apparmor.d/lightdm-gtk-greeter @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/lightdm-gtk-greeter profile lightdm-gtk-greeter @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include signal (receive) set=(term, kill) peer=lightdm, @@ -62,7 +62,7 @@ profile lightdm-gtk-greeter @{exec_path} { profile systemd { - #include + include /{usr/,}lib/systemd/systemd mr, @@ -81,5 +81,5 @@ profile lightdm-gtk-greeter @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/lightdm-guest-session b/apparmor.d/lightdm-guest-session index f666cf75c..0e80dde20 100644 --- a/apparmor.d/lightdm-guest-session +++ b/apparmor.d/lightdm-guest-session 
@@ -1,14 +1,14 @@ # vim:syntax=apparmor # Profile for restricting lightdm guest session -#include +include /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session { # Most applications are confined via the main abstraction - #include + include # chromium-browser needs special confinement due to its sandboxing - #include + include # fcitx and friends needs special treatment due to C/S design /usr/bin/fcitx ix, diff --git a/apparmor.d/lightworks b/apparmor.d/lightworks index 23212dc72..7582c4e3d 100644 --- a/apparmor.d/lightworks +++ b/apparmor.d/lightworks @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lightworks profile lightworks @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -31,5 +31,5 @@ profile lightworks @{exec_path} { owner @{HOME}/Lightworks/Projects/DefNetDrive.txt w, owner @{HOME}/Lightworks/machine.num w, - #include if exists + include if exists } diff --git a/apparmor.d/lightworks-ntcardvt b/apparmor.d/lightworks-ntcardvt index fdc9c142a..b6ea584d1 100644 --- a/apparmor.d/lightworks-ntcardvt +++ b/apparmor.d/lightworks-ntcardvt @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/lightworks/ntcardvt profile lightworks-ntcardvt @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/linssid b/apparmor.d/linssid index 531a785d7..3b65f31ca 100644 --- a/apparmor.d/linssid +++ b/apparmor.d/linssid 
@@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/linssid /{usr/,}bin/linssid-pkexec profile linssid @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include # For reading/saving config/log files when linssid is started via pkexec #capability dac_read_search, @@ -76,16 +76,21 @@ profile linssid @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + # For shell pwd + /root/ r, + # file_inherit owner /dev/tty[0-9]* rw, profile iw { - #include + include capability net_admin, deny capability sys_module, + network netlink raw, + /{usr/,}sbin/iw mr, # file_inherit @@ -97,8 +102,8 @@ profile linssid @{exec_path} { } profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -110,5 +115,5 @@ profile linssid @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/linux-check-removal b/apparmor.d/linux-check-removal index 0595f00c5..7650b92f9 100644 --- a/apparmor.d/linux-check-removal +++ b/apparmor.d/linux-check-removal @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/linux-check-removal profile linux-check-removal @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -28,10 +28,10 @@ profile linux-check-removal @{exec_path} flags=(complain) { profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, @@ -54,5 +54,5 @@ profile linux-check-removal @{exec_path} flags=(complain) { } - #include if exists + include if exists } 
diff --git a/apparmor.d/linux-version b/apparmor.d/linux-version index 49ba413bc..fc5827a84 100644 --- a/apparmor.d/linux-version +++ b/apparmor.d/linux-version @@ -9,20 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/linux-version profile linux-version @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, /boot/ r, - #include if exists + include if exists } diff --git a/apparmor.d/localepurge b/apparmor.d/localepurge index 4ac3c1143..e78df2474 100644 --- a/apparmor.d/localepurge +++ b/apparmor.d/localepurge @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/localepurge profile localepurge @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -62,5 +62,5 @@ profile localepurge @{exec_path} { /tmp/ r, - #include if exists + include if exists } diff --git a/apparmor.d/logrotate b/apparmor.d/logrotate index 885d19074..070763de5 100644 --- a/apparmor.d/logrotate +++ b/apparmor.d/logrotate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/logrotate -profile logrotate @{exec_path} flags=(attach_disconnected,complain) { - #include - #include +profile logrotate @{exec_path} flags=(attach_disconnected, complain) { + include + include # Needed for logfiles owned by other users than root, for instance exim. capability dac_read_search, @@ -43,7 +43,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected,complain) { #/{usr/,}bin/systemctl rCx -> systemctl, /{usr/,}bin/systemctl rix, /{usr/,}sbin/runlevel rix, - #include + include ptrace (read), capability sys_ptrace, owner @{PROC}/@{pid}/stat r, 
@@ -70,8 +70,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected,complain) { profile systemctl flags=(attach_disconnected, complain) { - #include - #include + include + include capability sys_ptrace, ptrace (read), @@ -88,5 +88,5 @@ profile logrotate @{exec_path} flags=(attach_disconnected,complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/lsb_release b/apparmor.d/lsb_release index 5cc6890b7..56e4adea4 100644 --- a/apparmor.d/lsb_release +++ b/apparmor.d/lsb_release @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lsb_release profile lsb_release @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -36,5 +36,5 @@ profile lsb_release @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/lsblk b/apparmor.d/lsblk index 3a1be9484..9fb89a27b 100644 --- a/apparmor.d/lsblk +++ b/apparmor.d/lsblk @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lsblk profile lsblk @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile lsblk @{exec_path} { @{run}/mount/utab r, - #include if exists + include if exists } diff --git a/apparmor.d/lscpu b/apparmor.d/lscpu index b728125ab..0b73db40e 100644 --- a/apparmor.d/lscpu +++ b/apparmor.d/lscpu @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lscpu profile lscpu @{exec_path} { - #include + include @{exec_path} mr, @@ -31,5 +31,5 @@ profile lscpu @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/cpumap r, - #include if exists + include if exists } 
diff --git a/apparmor.d/lsinitramfs b/apparmor.d/lsinitramfs index e95b9c909..1dbe085c3 100644 --- a/apparmor.d/lsinitramfs +++ b/apparmor.d/lsinitramfs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lsinitramfs profile lsinitramfs @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -25,5 +25,5 @@ profile lsinitramfs @{exec_path} { /{usr/,}bin/unmkinitramfs rPx, - #include if exists + include if exists } diff --git a/apparmor.d/lspci b/apparmor.d/lspci index 945379849..f93032c3b 100644 --- a/apparmor.d/lspci +++ b/apparmor.d/lspci @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lspci profile lspci @{exec_path} { - #include - #include + include + include # Needed when run as root capability sys_admin, @@ -42,5 +42,5 @@ profile lspci @{exec_path} { # file_inherit @{PROC}/ioports r, - #include if exists + include if exists } diff --git a/apparmor.d/lsusb b/apparmor.d/lsusb index 0f4a4efa9..9aaba704c 100644 --- a/apparmor.d/lsusb +++ b/apparmor.d/lsusb @@ -9,13 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lsusb profile lsusb @{exec_path} { - #include + include + + network netlink raw, @{exec_path} mr, @@ -33,5 +35,5 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, - #include if exists + include if exists } diff --git a/apparmor.d/lxappearance b/apparmor.d/lxappearance index 8a8a67c2b..f580d2a52 100644 --- a/apparmor.d/lxappearance +++ b/apparmor.d/lxappearance 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lxappearance profile lxappearance @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include @{exec_path} mr, @@ -58,8 +58,8 @@ profile lxappearance @{exec_path} { profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -71,5 +71,5 @@ profile lxappearance @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/lxc-containers b/apparmor.d/lxc-containers index 0644cf2d3..4e94d77e8 100644 --- a/apparmor.d/lxc-containers +++ b/apparmor.d/lxc-containers @@ -2,6 +2,6 @@ # listed under /etc/apparmor.d/lxc get loaded at boot. Please do # not edit this file. -#include +include -#include +include diff --git a/apparmor.d/lxc/lxc-default b/apparmor.d/lxc/lxc-default index 9a96a2e50..266edc196 100644 --- a/apparmor.d/lxc/lxc-default +++ b/apparmor.d/lxc/lxc-default @@ -2,7 +2,7 @@ # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default flags=(attach_disconnected,mediate_deleted) { - #include + include # the container may never be allowed to mount devpts. If it does, it # will remount the host's devpts. We could allow it to do it with diff --git a/apparmor.d/lxc/lxc-default-cgns b/apparmor.d/lxc/lxc-default-cgns index f69eb994b..d582a407d 100644 --- a/apparmor.d/lxc/lxc-default-cgns +++ b/apparmor.d/lxc/lxc-default-cgns @@ -2,7 +2,7 @@ # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) { - #include + include # the container may never be allowed to mount devpts. If it does, it # will remount the host's devpts. We could allow it to do it with 
diff --git a/apparmor.d/lxc/lxc-default-with-mounting b/apparmor.d/lxc/lxc-default-with-mounting index 8a9a6b717..7b5db2ca1 100644 --- a/apparmor.d/lxc/lxc-default-with-mounting +++ b/apparmor.d/lxc/lxc-default-with-mounting @@ -2,7 +2,7 @@ # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) { - #include + include # allow standard blockdevtypes. # The concern here is in-kernel superblock parsers bringing down the diff --git a/apparmor.d/lxc/lxc-default-with-nesting b/apparmor.d/lxc/lxc-default-with-nesting index cd198beb8..25e3feffc 100644 --- a/apparmor.d/lxc/lxc-default-with-nesting +++ b/apparmor.d/lxc/lxc-default-with-nesting @@ -2,8 +2,8 @@ # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) { - #include - #include + include + include deny /dev/.lxc/proc/** rw, deny /dev/.lxc/sys/** rw, diff --git a/apparmor.d/lynx b/apparmor.d/lynx index d04276522..0c88208a3 100644 --- a/apparmor.d/lynx +++ b/apparmor.d/lynx @@ -9,18 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lynx profile lynx @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} mr, @@ -36,5 +41,7 @@ profile lynx @{exec_path} { owner /tmp/lynxXXXX*/ rw, owner /tmp/lynxXXXX*/*TMP.html{,.gz} rw, - #include if exists + owner @{HOME}/ r, + + include if exists } diff --git a/apparmor.d/macchanger b/apparmor.d/macchanger index 3cafe7094..d58383dcf 100644 --- a/apparmor.d/macchanger +++ b/apparmor.d/macchanger 
@@ -9,21 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/macchanger profile macchanger @{exec_path} { - #include + include capability net_admin, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /usr/share/macchanger/*.list r, /dev/hwrng r, - #include if exists + include if exists } diff --git a/apparmor.d/mediainfo b/apparmor.d/mediainfo index 6824b9107..1109abde2 100644 --- a/apparmor.d/mediainfo +++ b/apparmor.d/mediainfo @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -40,8 +40,8 @@ @{exec_path} = /{usr/,}bin/mediainfo profile mediainfo @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -54,5 +54,5 @@ profile mediainfo @{exec_path} { owner /media/**/ r, owner /{home,media}/**.@{mediainfo_ext} r, - #include if exists + include if exists } diff --git a/apparmor.d/megasync b/apparmor.d/megasync index d9ec33f11..7700b59c0 100644 --- a/apparmor.d/megasync +++ b/apparmor.d/megasync @@ -9,30 +9,36 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{SYNC_FOLDER}=/media/*/cloud_storage @{exec_path} = /{usr/,}bin/megasync profile megasync @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, @{exec_path} mrix, 
@@ -91,8 +97,8 @@ profile megasync @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -111,5 +117,5 @@ profile megasync @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/memtester b/apparmor.d/memtester index 04adc6e70..913a079fa 100644 --- a/apparmor.d/memtester +++ b/apparmor.d/memtester @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/memtester profile memtester @{exec_path} { - #include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/mimetype b/apparmor.d/mimetype index 491715c55..1a1f1ee96 100644 --- a/apparmor.d/mimetype +++ b/apparmor.d/mimetype @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mimetype profile mimetype @{exec_path} { - #include - #include + include + include @{exec_path} r, /usr/bin/perl r, @@ -34,5 +34,5 @@ profile mimetype @{exec_path} { # To read files /** r, - #include if exists + include if exists } diff --git a/apparmor.d/minitube b/apparmor.d/minitube index 558b7c07a..8a0cf7afa 100644 --- a/apparmor.d/minitube +++ b/apparmor.d/minitube @@ -9,28 +9,35 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/minitube profile minitube @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, @{exec_path} mr, 
@@ -100,8 +107,8 @@ profile minitube @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -117,5 +124,5 @@ profile minitube @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/mke2fs b/apparmor.d/mke2fs index 5b90f2083..6d6b84579 100644 --- a/apparmor.d/mke2fs +++ b/apparmor.d/mke2fs @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{mke2fs,mkfs.ext2,mkfs.ext3,mkfs.ext4} profile mke2fs @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -42,5 +42,5 @@ profile mke2fs @{exec_path} { # For virt-resize owner /var/tmp/.guestfs-[0-9]*/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/mkfs-btrfs b/apparmor.d/mkfs-btrfs index ef1810176..03d6c3567 100644 --- a/apparmor.d/mkfs-btrfs +++ b/apparmor.d/mkfs-btrfs @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/mkfs.btrfs profile mkfs-btrfs @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -33,5 +33,5 @@ profile mkfs-btrfs @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/mkfs-fat b/apparmor.d/mkfs-fat index dc82306ef..b0c20d7ad 100644 --- a/apparmor.d/mkfs-fat +++ b/apparmor.d/mkfs-fat @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{mkfs.fat,mkfs.msdos,mkfs.vfat,mkdosfs} profile mkfs-fat @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, 
@@ -29,5 +29,5 @@ profile mkfs-fat @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/mkinitramfs b/apparmor.d/mkinitramfs index 304d51a8e..b640d4dcc 100644 --- a/apparmor.d/mkinitramfs +++ b/apparmor.d/mkinitramfs @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/mkinitramfs profile mkinitramfs @{exec_path} { - #include - #include + include + include capability syslog, capability chown, @@ -97,8 +97,8 @@ profile mkinitramfs @{exec_path} { profile ldd { - #include - #include + include + include /{usr/,}bin/ldd mr, @@ -111,8 +111,8 @@ profile mkinitramfs @{exec_path} { } profile ldconfig { - #include - #include + include + include capability sys_chroot, @@ -134,8 +134,8 @@ profile mkinitramfs @{exec_path} { } profile find { - #include - #include + include + include /{usr/,}bin/find mr, @@ -152,8 +152,8 @@ profile mkinitramfs @{exec_path} { } profile kmod { - #include - #include + include + include /{usr/,}bin/kmod mr, @@ -169,5 +169,5 @@ profile mkinitramfs @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/mkntfs b/apparmor.d/mkntfs index 4fb302845..00690f35b 100644 --- a/apparmor.d/mkntfs +++ b/apparmor.d/mkntfs @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{mkntfs,mkfs.ntfs} profile mkntfs @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile mkntfs @{exec_path} { owner @{PROC}/@{pids}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/mkswap b/apparmor.d/mkswap index 5a11d8954..0ee6b2f19 100644 --- a/apparmor.d/mkswap +++ b/apparmor.d/mkswap 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/mkswap profile mkswap @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile mkswap @{exec_path} { # SWAP file common locations owner /swapfile rw, - #include if exists + include if exists } diff --git a/apparmor.d/mkvmerge b/apparmor.d/mkvmerge index 30463322d..428f3ca2b 100644 --- a/apparmor.d/mkvmerge +++ b/apparmor.d/mkvmerge @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -46,9 +46,9 @@ @{exec_path} = /{usr/,}bin/mkvmerge profile mkvmerge @{exec_path} { - #include - #include - #include + include + include + include signal (receive) set=(term, kill) peer=mkvtoolnix-gui, @@ -69,5 +69,5 @@ profile mkvmerge @{exec_path} { # file_inherit /dev/dri/card[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/mkvtoolnix-gui b/apparmor.d/mkvtoolnix-gui index bdaad7b02..587578172 100644 --- a/apparmor.d/mkvtoolnix-gui +++ b/apparmor.d/mkvtoolnix-gui @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -46,21 +46,21 @@ @{exec_path} = /{usr/,}bin/mkvtoolnix-gui profile mkvtoolnix-gui @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=mkvmerge, 
@@ -113,5 +113,5 @@ profile mkvtoolnix-gui @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/mlocate b/apparmor.d/mlocate index 335985aa2..6517b562d 100644 --- a/apparmor.d/mlocate +++ b/apparmor.d/mlocate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mlocate profile mlocate @{exec_path} { - #include - #include + include + include # When run as root capability dac_read_search, @@ -25,5 +25,5 @@ profile mlocate @{exec_path} { /var/lib/mlocate/mlocate.db r, - #include if exists + include if exists } diff --git a/apparmor.d/mount b/apparmor.d/mount index 13f00521b..7c320556b 100644 --- a/apparmor.d/mount +++ b/apparmor.d/mount @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mount profile mount @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include # To be able to mount anything # mount("/dev/sdb1", "/mnt", "ext4", 0, NULL) = -1 EPERM (Operation not permitted) @@ -60,5 +60,5 @@ profile mount @{exec_path} flags=(complain) { owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab.lock wk, - #include if exists + include if exists } diff --git a/apparmor.d/mount.cifs b/apparmor.d/mount.cifs index eb04aaa10..e56991585 100644 --- a/apparmor.d/mount.cifs +++ b/apparmor.d/mount.cifs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/mount.cifs profile mount.cifs @{exec_path} flags=(complain) { - #include + include # To mount anything. capability sys_admin, @@ -23,6 +23,10 @@ profile mount.cifs @{exec_path} flags=(complain) { # (#FIXME#) capability setpcap, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, /etc/fstab r, 
@@ -37,5 +41,5 @@ profile mount.cifs @{exec_path} flags=(complain) { mount fstype=cifs -> /media/*/, mount fstype=cifs -> /media/*/*/, - #include if exists + include if exists } diff --git a/apparmor.d/mpsyt b/apparmor.d/mpsyt index 9dd9c0ed6..171bb30ca 100644 --- a/apparmor.d/mpsyt +++ b/apparmor.d/mpsyt @@ -9,22 +9,28 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mpsyt profile mpsyt @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=mpv, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -62,5 +68,8 @@ profile mpsyt @{exec_path} { owner /tmp/mpsyt-input* rw, owner /tmp/mpsyt-mpv*.sock rw, - #include if exists + # Silencer + /usr/lib/python3/** w, + + include if exists } diff --git a/apparmor.d/mpv b/apparmor.d/mpv index 02dce8048..0021e57b1 100644 --- a/apparmor.d/mpv +++ b/apparmor.d/mpv @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, 
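Review bot: The `# Silencer` rule added at the end of the mpsyt profile grants write access to `/usr/lib/python3/**` rather than silencing the denial, so a confined mpsyt that has DAC write permission on that tree (for example when run under sudo) is allowed by policy to modify system-wide Python modules, turning a compromised media player into a persistence vector. If the intent is to keep `__pycache__` write attempts out of the audit log, a deny rule suppresses the log entry without granting the access: `deny /usr/lib/python3/** w,`. If a genuine write is needed somewhere under that tree, narrow the rule to that path and state the reason in the comment instead of the generic "Silencer" label.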
@@ -62,25 +62,31 @@ @{exec_path} = /{usr/,}bin/mpv profile mpv @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (receive) set=(term, kill), signal (send) set=(term, kill) peer=youtube-dl, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # MPV config files @@ -151,5 +157,5 @@ profile mpv @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/mtools b/apparmor.d/mtools index 6d4402497..59b838e85 100644 --- a/apparmor.d/mtools +++ b/apparmor.d/mtools @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/{mtools,mattrib,mbadblocks,mcat,mcd,mclasserase,mcopy,mdel,mdeltree,mdir,mdu,mformat,minfo,mlabel,mmd,mmount,mmove,mpartition,mrd,mren,mshortname,mshowfat,mtoolstest,mtype,mzip} profile mtools @{exec_path} { - #include - #include - #include - #include + include + include + include + include capability setuid, capability setgid, @@ -36,5 +36,5 @@ profile mtools @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/mumble b/apparmor.d/mumble index d03c9d633..e9689280a 100644 --- a/apparmor.d/mumble +++ b/apparmor.d/mumble 
@@ -9,29 +9,36 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mumble profile mumble @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, @{exec_path} mrix, @@ -79,8 +86,8 @@ profile mumble @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -96,5 +103,5 @@ profile mumble @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/mumble-overlay b/apparmor.d/mumble-overlay index 747eee910..d8dcd69c9 100644 --- a/apparmor.d/mumble-overlay +++ b/apparmor.d/mumble-overlay @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mumble-overlay profile mumble-overlay @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -29,5 +29,5 @@ profile mumble-overlay @{exec_path} { /etc/magic r, - #include if exists + include if exists } diff --git a/apparmor.d/netcap b/apparmor.d/netcap index 1242bbdfc..908819fa4 100644 --- a/apparmor.d/netcap +++ b/apparmor.d/netcap @@ -9,14 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/netcap profile netcap @{exec_path} { - #include - #include + include + include + include capability sys_ptrace, 
@@ -28,14 +29,14 @@ profile netcap @{exec_path} { @{exec_path} mr, - @{PROC}/ r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pid}/net/tcp{,6} r, - owner @{PROC}/@{pid}/net/udp{,6} r, - owner @{PROC}/@{pid}/net/raw{,6} r, - owner @{PROC}/@{pid}/net/packet r, - owner @{PROC}/@{pid}/net/dev r, + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pid}/net/tcp{,6} r, + @{PROC}/@{pid}/net/udp{,6} r, + @{PROC}/@{pid}/net/raw{,6} r, + @{PROC}/@{pid}/net/packet r, + @{PROC}/@{pid}/net/dev r, - #include if exists + include if exists } diff --git a/apparmor.d/nethogs b/apparmor.d/nethogs index a839e9993..1d4b80ea7 100644 --- a/apparmor.d/nethogs +++ b/apparmor.d/nethogs @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/nethogs profile nethogs @{exec_path} { - #include - #include + include + include capability syslog, capability net_raw, @@ -25,6 +25,9 @@ profile nethogs @{exec_path} { ptrace (read), + network netlink raw, + network packet raw, + @{exec_path} mr, @{PROC}/ r, @@ -32,5 +35,5 @@ profile nethogs @{exec_path} { @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/net/tcp{,6} r, - #include if exists + include if exists } diff --git a/apparmor.d/networkctl b/apparmor.d/networkctl index 6f2221f26..48c967a4e 100644 --- a/apparmor.d/networkctl +++ b/apparmor.d/networkctl @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/networkctl profile networkctl @{exec_path} flags=(complain) { - #include + include # To be able to manage network interfaces, capability net_admin, @@ -26,6 +26,10 @@ profile networkctl @{exec_path} flags=(complain) { signal send peer=child-pager, + network inet dgram, + network inet6 dgram, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/pager rPx -> child-pager, 
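Review bot: The `owner` qualifier is dropped from the five `@{PROC}/@{pid}/net/*` read rules with no comment explaining why, which reads as an accidental loosening from "the process's own proc entry" to any pid matching `@{pid}` and will likely be "fixed" back by a later cleanup. If the reason is that netcap is started with file capabilities and is therefore non-dumpable, leaving `/proc/self` owned by root so the `owner` check can never match, say so above the rules, e.g. `# No owner: netcap is non-dumpable when started with file capabilities, so /proc/self is root-owned`. If instead the rules are meant to read the per-namespace tables through any process, `@{pids}` is what the neighbouring `stat` and `fd/` rules already use and would make that intent explicit. This is inferred from the surrounding `capability sys_ptrace` and `@{pids}/fd/` rules; confirm against an actual denial before committing the comment.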
@@ -37,6 +41,7 @@ profile networkctl @{exec_path} flags=(complain) { @{run}/systemd/netif/links/[0-9]* r, @{run}/systemd/netif/state r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/random/boot_id r, @@ -53,5 +58,5 @@ profile networkctl @{exec_path} flags=(complain) { /var/lib/dbus/machine-id r, /etc/machine-id r, - #include if exists + include if exists } diff --git a/apparmor.d/newgrp b/apparmor.d/newgrp index 2ff834ec8..b0f3cec88 100644 --- a/apparmor.d/newgrp +++ b/apparmor.d/newgrp @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/newgrp profile newgrp @{exec_path} { - #include - #include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -29,6 +29,8 @@ profile newgrp @{exec_path} { # newgrp is a SETUID binary capability setuid, + network netlink raw, + @{exec_path} mr, # Shells to use @@ -41,5 +43,5 @@ profile newgrp @{exec_path} { owner @{PROC}/@{pid}/loginuid r, - #include if exists + include if exists } diff --git a/apparmor.d/nft b/apparmor.d/nft index 0f01a16ae..8148d791c 100644 --- a/apparmor.d/nft +++ b/apparmor.d/nft @@ -9,22 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/nft profile nft @{exec_path} { - #include - #include + include + include capability net_admin, + network netlink raw, + @{exec_path} mr, owner /etc/iproute2/** r, owner /etc/nftables/**.nft r, - #include if exists + include if exists } diff --git a/apparmor.d/nmap b/apparmor.d/nmap index 246718124..a69f30f0d 100644 --- a/apparmor.d/nmap +++ b/apparmor.d/nmap 
@@ -9,22 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/nmap profile nmap @{exec_path} { - #include - #include - #include - #include + include + include + include + include capability net_raw, capability net_bind_service, signal (receive) set=(term, kill) peer=zenmap, + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network netlink raw, + network packet raw, + @{exec_path} r, owner @{PROC}/@{pid}/net/dev r, @@ -35,5 +42,5 @@ profile nmap @{exec_path} { owner /tmp/zenmap-stdout-* rw, owner /tmp/zenmap-*.xml rw, - #include if exists + include if exists } diff --git a/apparmor.d/ntfs-3g b/apparmor.d/ntfs-3g index c1cc9dc39..b9670b3bd 100644 --- a/apparmor.d/ntfs-3g +++ b/apparmor.d/ntfs-3g @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/{low,}ntfs{,-3g} @{exec_path} += /{usr/,}sbin/mount.{low,}ntfs{,-3g} profile ntfs-3g @{exec_path} { - #include - #include + include + include # When UserMapping is placed under /.NTFS-3G/UserMapping on the NTFS volume - #include + include # Needed in order to mount ntfs disks capability setgid, @@ -50,5 +50,5 @@ profile ntfs-3g @{exec_path} { # kmod is used to load the fuse kernel module /{usr/,}bin/kmod rPx, - #include if exists + include if exists } diff --git a/apparmor.d/ntfs-3g-probe b/apparmor.d/ntfs-3g-probe index 2723ea846..01efa8fdd 100644 --- a/apparmor.d/ntfs-3g-probe +++ b/apparmor.d/ntfs-3g-probe @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfs-3g.probe profile ntfs-3g-probe @{exec_path} { - #include - #include + include + include capability sys_admin, @{exec_path} mr, - #include if exists + include if exists } 
diff --git a/apparmor.d/ntfscat b/apparmor.d/ntfscat index a9cf08e98..20064e025 100644 --- a/apparmor.d/ntfscat +++ b/apparmor.d/ntfscat @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfscat profile ntfscat @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfscat @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsclone b/apparmor.d/ntfsclone index a03807516..65718aa08 100644 --- a/apparmor.d/ntfsclone +++ b/apparmor.d/ntfsclone @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ntfsclone profile ntfsclone @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -28,5 +28,5 @@ profile ntfsclone @{exec_path} { @{HOME}/** rwk, /media/*/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/ntfscluster b/apparmor.d/ntfscluster index ab863d6f9..53a7fe923 100644 --- a/apparmor.d/ntfscluster +++ b/apparmor.d/ntfscluster @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfscluster profile ntfscluster @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfscluster @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfscmp b/apparmor.d/ntfscmp index 0fe0870b0..f7178f285 100644 --- a/apparmor.d/ntfscmp +++ b/apparmor.d/ntfscmp @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfscmp profile ntfscmp @{exec_path} { - #include - #include + include + include capability sys_admin, 
@@ -24,5 +24,5 @@ profile ntfscmp @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfscp b/apparmor.d/ntfscp index a88f021fe..f8eb3825b 100644 --- a/apparmor.d/ntfscp +++ b/apparmor.d/ntfscp @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ntfscp profile ntfscp @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -31,5 +31,5 @@ profile ntfscp @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsdecrypt b/apparmor.d/ntfsdecrypt index 1909dbd94..286bb16ab 100644 --- a/apparmor.d/ntfsdecrypt +++ b/apparmor.d/ntfsdecrypt @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsdecrypt profile ntfsdecrypt @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -26,5 +26,5 @@ profile ntfsdecrypt @{exec_path} { owner /tmp/*.key r, owner @{HOME}/*.key r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsfallocate b/apparmor.d/ntfsfallocate index 04c6a7673..236aeba3c 100644 --- a/apparmor.d/ntfsfallocate +++ b/apparmor.d/ntfsfallocate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsfallocate profile ntfsfallocate @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsfallocate @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsfix b/apparmor.d/ntfsfix index 0bb2e87b7..e01deb50f 100644 --- a/apparmor.d/ntfsfix +++ b/apparmor.d/ntfsfix 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsfix profile ntfsfix @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsfix @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsinfo b/apparmor.d/ntfsinfo index 0d310537b..39fe58d6e 100644 --- a/apparmor.d/ntfsinfo +++ b/apparmor.d/ntfsinfo @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsinfo profile ntfsinfo @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsinfo @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfslabel b/apparmor.d/ntfslabel index d830a4e81..f086ce411 100644 --- a/apparmor.d/ntfslabel +++ b/apparmor.d/ntfslabel @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ntfslabel profile ntfslabel @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfslabel @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsls b/apparmor.d/ntfsls index 9614213b4..93487fc57 100644 --- a/apparmor.d/ntfsls +++ b/apparmor.d/ntfsls @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsls profile ntfsls @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsls @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } 
diff --git a/apparmor.d/ntfsmove b/apparmor.d/ntfsmove index d990cce68..68a73af44 100644 --- a/apparmor.d/ntfsmove +++ b/apparmor.d/ntfsmove @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsmove profile ntfsmove @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsmove @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsrecover b/apparmor.d/ntfsrecover index 61ff6c183..73ba2548e 100644 --- a/apparmor.d/ntfsrecover +++ b/apparmor.d/ntfsrecover @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsrecover profile ntfsrecover @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsrecover @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsresize b/apparmor.d/ntfsresize index 20a410024..3f7194c50 100644 --- a/apparmor.d/ntfsresize +++ b/apparmor.d/ntfsresize @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ntfsresize profile ntfsresize @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsresize @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfssecaudit b/apparmor.d/ntfssecaudit index 0ff4e42c2..30a8c6370 100644 --- a/apparmor.d/ntfssecaudit +++ b/apparmor.d/ntfssecaudit 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfssecaudit profile ntfssecaudit @{exec_path} { - #include - #include - #include + include + include + include capability sys_admin, @@ -25,5 +25,5 @@ profile ntfssecaudit @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfstruncate b/apparmor.d/ntfstruncate index 77695d6ab..083bfd2ec 100644 --- a/apparmor.d/ntfstruncate +++ b/apparmor.d/ntfstruncate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfstruncate profile ntfstruncate @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfstruncate @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsundelete b/apparmor.d/ntfsundelete index 26d50ead6..d3a8ad888 100644 --- a/apparmor.d/ntfsundelete +++ b/apparmor.d/ntfsundelete @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ntfsundelete profile ntfsundelete @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -28,5 +28,5 @@ profile ntfsundelete @{exec_path} { owner /tmp/ntfs-recovery/ r, owner /tmp/ntfs-recovery/* rw, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsusermap b/apparmor.d/ntfsusermap index 26111eb82..f638e6475 100644 --- a/apparmor.d/ntfsusermap +++ b/apparmor.d/ntfsusermap @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsusermap profile ntfsusermap @{exec_path} { - #include - #include - #include + include + include + include capability sys_admin, 
@@ -29,5 +29,5 @@ profile ntfsusermap @{exec_path} { owner /root/UserMapping w, owner /tmp/UserMapping w, - #include if exists + include if exists } diff --git a/apparmor.d/ntfswipe b/apparmor.d/ntfswipe index 0e0ad9c15..c2679826c 100644 --- a/apparmor.d/ntfswipe +++ b/apparmor.d/ntfswipe @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfswipe profile ntfswipe @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfswipe @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/numlockx b/apparmor.d/numlockx index e6261432e..f20662032 100644 --- a/apparmor.d/numlockx +++ b/apparmor.d/numlockx @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/numlockx profile numlockx @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile numlockx @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/nvidia_modprobe b/apparmor.d/nvidia_modprobe index 2c29b9970..2502c49d4 100644 --- a/apparmor.d/nvidia_modprobe +++ b/apparmor.d/nvidia_modprobe @@ -1,9 +1,11 @@ # vim:syntax=apparmor -#include +abi , + +include profile nvidia_modprobe { - #include + include # Capabilities @@ -35,7 +37,7 @@ profile nvidia_modprobe { # Child profiles profile kmod { - #include + include # Capabilities @@ -60,6 +62,6 @@ profile nvidia_modprobe { } # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/obamenu b/apparmor.d/obamenu index 4c8567f01..de90ad41f 100644 --- a/apparmor.d/obamenu +++ b/apparmor.d/obamenu 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/obamenu profile obamenu @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* rix, @@ -29,5 +29,5 @@ profile obamenu @{exec_path} { /usr/share/pixmaps/ r, /usr/share/*/*.desktop r, - #include if exists + include if exists } diff --git a/apparmor.d/obconf b/apparmor.d/obconf index 030130b3f..b1452d395 100644 --- a/apparmor.d/obconf +++ b/apparmor.d/obconf @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/obconf profile obconf @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -45,5 +45,5 @@ profile obconf @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/obxprop b/apparmor.d/obxprop index 9d50727b3..f1497232d 100644 --- a/apparmor.d/obxprop +++ b/apparmor.d/obxprop @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/obxprop profile obxprop @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -25,5 +25,5 @@ profile obxprop @{exec_path} { owner @{HOME}/.icons/default/index.theme r, /usr/share/icons/*/cursors/crosshair r, - #include if exists + include if exists } diff --git a/apparmor.d/okular b/apparmor.d/okular index 0737ef28b..aec594de6 100644 --- a/apparmor.d/okular +++ b/apparmor.d/okular 
@@ -9,29 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{okular_ext} = [pP][dD][fF] @{exec_path} = /{usr/,}bin/okular profile okular @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -104,8 +104,8 @@ profile okular @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -121,5 +121,5 @@ profile okular @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/on-ac-power b/apparmor.d/on-ac-power index 0d70d4019..7a42dee53 100644 --- a/apparmor.d/on-ac-power +++ b/apparmor.d/on-ac-power @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/on_ac_power /{usr/,}bin/on_ac_power profile on-ac-power @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -29,7 +29,9 @@ profile on-ac-power @{exec_path} { @{PROC}/pmu/info r, @{PROC}/apm r, + # For shell pwd / r, + owner @{HOME}/ r, - #include if exists + include if exists } diff --git a/apparmor.d/openbox b/apparmor.d/openbox index 66bbb6c6b..b6a46dc62 100644 --- a/apparmor.d/openbox +++ b/apparmor.d/openbox @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/openbox profile openbox @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include signal (send) set=(term, kill), 
@@ -56,7 +56,7 @@ profile openbox @{exec_path} { profile autostart { - #include + include /{usr/,}lib/@{multiarch}/openbox-autostart mr, /{usr/,}lib/@{multiarch}/openbox-xdg-autostart rix, @@ -82,8 +82,8 @@ profile openbox @{exec_path} { owner @{HOME}/.xsession-errors w, owner /dev/tty[0-9]* rw, - #include if exists + include if exists } - #include if exists + include if exists } diff --git a/apparmor.d/openbox-session b/apparmor.d/openbox-session index 64d6c63ba..a1a169a4c 100644 --- a/apparmor.d/openbox-session +++ b/apparmor.d/openbox-session @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/openbox-session profile openbox-session @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -31,5 +31,5 @@ profile openbox-session @{exec_path} { owner @{HOME}/.xsession-errors w, owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/openvpn b/apparmor.d/openvpn index 4bbcdc9d1..c45a63049 100644 --- a/apparmor.d/openvpn +++ b/apparmor.d/openvpn @@ -19,21 +19,25 @@ # DNS/resolver script is stored in: /etc/openvpn/update-resolv-conf{,.sh} # If a user wants to type user/pass interactively, systemd-ask-password is invoked for that. -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/openvpn profile openvpn @{exec_path} { - #include - #include - #include + include + include + include capability net_admin, # These are needed when user/group are set in a OpenVPN config file capability setuid, capability setgid, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # OpenVPN config @@ -56,8 +60,8 @@ profile openvpn @{exec_path} { profile systemd-ask-password { - #include - #include + include + include /{usr/,}bin/systemd-ask-password mr, 
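Review bot: The socket rules added to the openvpn profile cover only `inet`/`inet6` `stream` plus `netlink raw`, yet OpenVPN's default transport is UDP (`proto udp`), so in enforce mode a default configuration gets its tunnel socket only if one of the three abstractions included just above (names stripped in this view) happens to grant datagram sockets, as `abstractions/nameservice` does for DNS. The profile should not depend on that side effect; add `network inet dgram,` and `network inet6 dgram,` next to the stream rules. A one-line comment such as `# OpenVPN tunnels over UDP by default, TCP only with proto tcp` would keep a later tidy-up from removing whichever variant the author's own configuration does not exercise.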
@@ -67,9 +71,9 @@ profile openvpn @{exec_path} {
 }
 profile update-resolv {
- #include
- #include
- #include
+ include
+ include
+ include
 capability net_admin,
@@ -87,12 +91,14 @@ profile openvpn @{exec_path} {
 }
 profile force-user-traffic-via-vpn {
- #include
- #include
- #include
+ include
+ include
+ include
 capability net_admin,
+ network netlink raw,
+
 /etc/openvpn/ r,
 /etc/openvpn/force-user-traffic-via-vpn.sh r,
@@ -114,5 +120,5 @@ profile openvpn @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/opera b/apparmor.d/opera
index 03b86d946..1e8e6e0dd 100644
--- a/apparmor.d/opera
+++ b/apparmor.d/opera
@@ -9,9 +9,9 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}
 @{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer}
@@ -19,21 +19,21 @@
 @{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer}
 profile opera @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
 # to "1".
@@ -48,6 +48,12 @@ profile opera @{exec_path} {
 signal (send) set=(term, kill) peer=opera-sandbox,
 signal (send) set=(term, kill) peer=keepassxc-proxy,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
 @{exec_path} mrix,
 /{usr/,}bin/which rix,
@@ -178,8 +184,8 @@ profile opera @{exec_path} {
 profile open {
- #include
- #include
+ include
+ include
 /{usr/,}bin/xdg-open mr,
@@ -194,5 +200,5 @@ profile opera @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/opera-crashreporter b/apparmor.d/opera-crashreporter
index 9f688a89c..2cd96ca80 100644
--- a/apparmor.d/opera-crashreporter
+++ b/apparmor.d/opera-crashreporter
@@ -9,9 +9,9 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}
 @{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer}
@@ -19,14 +19,14 @@
 @{exec_path} = @{OPERA_INSTALLDIR}/opera_crashreporter
 profile opera-crashreporter @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 ptrace (trace, read) peer=opera,
@@ -42,5 +42,5 @@ profile opera-crashreporter @{exec_path} {
 deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/opera-sandbox b/apparmor.d/opera-sandbox
index 6319676cb..e80e0c79b 100644
--- a/apparmor.d/opera-sandbox
+++ b/apparmor.d/opera-sandbox
@@ -9,9 +9,9 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}
 @{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer}
@@ -19,10 +19,10 @@
 @{exec_path} = @{OPERA_INSTALLDIR}/opera_sandbox
 profile opera-sandbox @{exec_path} {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 # For kernel unprivileged user namespaces
 capability sys_admin,
@@ -42,5 +42,5 @@ profile opera-sandbox @{exec_path} {
 @{PROC}/@{pids}/ r,
 deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/orage b/apparmor.d/orage
index 4c0eeb861..fb1cd2d77 100644
--- a/apparmor.d/orage
+++ b/apparmor.d/orage
@@ -9,20 +9,20 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/orage
 profile orage @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 @{exec_path} mr,
@@ -53,8 +53,8 @@ profile orage @{exec_path} {
 profile open {
- #include
- #include
+ include
+ include
 /{usr/,}bin/xdg-open mr,
@@ -70,5 +70,5 @@ profile orage @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/pacmd b/apparmor.d/pacmd
index f903af484..9ea3b9e3b 100644
--- a/apparmor.d/pacmd
+++ b/apparmor.d/pacmd
@@ -9,16 +9,16 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/pacmd
 profile pacmd @{exec_path} {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 #capability sys_ptrace,
 ptrace peer=pulseaudio,
@@ -29,5 +29,5 @@ profile pacmd @{exec_path} {
 owner @{PROC}/@{pids}/stat r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/pactl b/apparmor.d/pactl
index 0e45b1941..c504ff60f 100644
--- a/apparmor.d/pactl
+++ b/apparmor.d/pactl
@@ -9,16 +9,16 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/pactl
 profile pactl @{exec_path} {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 /{usr/,}bin/pactl mr,
@@ -33,5 +33,5 @@ profile pactl @{exec_path} {
 owner @{HOME}/.xsession-errors w,
 owner @{HOME}/.anyRemote/anyremote.stdout w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/pagesize b/apparmor.d/pagesize
index 33861dc21..caa6fe496 100644
--- a/apparmor.d/pagesize
+++ b/apparmor.d/pagesize
@@ -9,18 +9,18 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/pagesize
 profile pagesize @{exec_path} {
- #include
+ include
 @{exec_path} mr,
 # For HugePages
 @{sys}/kernel/mm/hugepages/ r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/pam-auth-update b/apparmor.d/pam-auth-update
index 2c9f606c9..104bf6019 100644
--- a/apparmor.d/pam-auth-update
+++ b/apparmor.d/pam-auth-update
@@ -9,15 +9,15 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}sbin/pam-auth-update
 profile pam-auth-update @{exec_path} flags=(complain) {
- #include
- #include
- #include
+ include
+ include
+ include
 @{exec_path} mr,
 /{usr/,}bin/perl r,
@@ -34,10 +34,10 @@ profile pam-auth-update @{exec_path} flags=(complain) {
 profile frontend flags=(complain) {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 /usr/share/debconf/frontend r,
 /{usr/,}bin/perl r,
@@ -53,10 +53,10 @@ profile pam-auth-update @{exec_path} flags=(complain) {
 /usr/share/debconf/templates/adequate.templates r,
 # The following is needed when debconf uses GUI frontends.
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 capability dac_read_search,
 /{usr/,}bin/lsb_release rPx -> child-lsb_release,
 /{usr/,}bin/hostname rPx,
@@ -67,5 +67,5 @@ profile pam-auth-update @{exec_path} flags=(complain) {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/pam/mappings b/apparmor.d/pam/mappings
index 9ce90c0b9..99a473209 100644
--- a/apparmor.d/pam/mappings
+++ b/apparmor.d/pam/mappings
@@ -20,8 +20,8 @@
 # necessary to transition to the user's login shell. All other permissions have
 # been moved into the default_user profile.
 ^DEFAULT {
- #include
- #include
+ include
+ include
 capability dac_override,
 capability setgid,
 capability setuid,
@@ -36,8 +36,8 @@
 # to transition to gray's login shell. All other permissions have been
 # moved into the confined_user profile.
 ^morfik {
- #include
- #include
+ include
+ include
 capability dac_override,
 capability audit_write,
@@ -57,9 +57,9 @@
 # confined. Systems without this special primary group may want to define an
 # unconfined 'root' hat in this manner (depending on site policy).
 ^root {
- #include
- #include
- #include
+ include
+ include
+ include
 capability dac_override,
 capability audit_write,
diff --git a/apparmor.d/pam_roles b/apparmor.d/pam_roles
index 5ac7a703b..7d82ce70a 100644
--- a/apparmor.d/pam_roles
+++ b/apparmor.d/pam_roles
@@ -15,18 +15,18 @@
 # This file contains the roles as referenced by pam/mappings
 #
-#abi ,
+abi ,
-#include
+include
 # By default, allow users to read, lock and link to their own files anywhere,
 # but only write to files in their home directory. Only allow limited execution
 # of files.
 profile default_user flags=(complain) {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 deny capability sys_ptrace,
@@ -43,10 +43,10 @@ profile default_user flags=(complain) {
 # Allow confined_users to read, write, lock and link to their own files
 # anywhere, and execute from some places.
 profile confined_user flags=(complain) {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 deny capability sys_ptrace,
diff --git a/apparmor.d/parted b/apparmor.d/parted
index 919fc7e24..0eadca5bc 100644
--- a/apparmor.d/parted
+++ b/apparmor.d/parted
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}sbin/parted
 profile parted @{exec_path} {
- #include
- #include
+ include
+ include
 # Needed to inform the system of newly created/removed partitions
 # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
@@ -57,7 +57,7 @@ profile parted @{exec_path} {
 profile udevadm {
- #include
+ include
 ptrace (read),
@@ -75,7 +75,7 @@ profile parted @{exec_path} {
 @{PROC}/sys/kernel/random/boot_id r,
 # file_inherit
- #include # lots of files in this abstraction get inherited
+ include # lots of files in this abstraction get inherited
 owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
 owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
 owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
@@ -83,5 +83,5 @@ profile parted @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/partprobe b/apparmor.d/partprobe
index c75080c6c..8380fd28a 100644
--- a/apparmor.d/partprobe
+++ b/apparmor.d/partprobe
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}sbin/partprobe
 profile partprobe @{exec_path} {
- #include
- #include
+ include
+ include
 # To remove the following errors:
 # device-mapper: version ioctl on failed: Permission denied
@@ -48,7 +48,7 @@ profile partprobe @{exec_path} {
 profile udevadm {
- #include
+ include
 ptrace (read),
@@ -66,10 +66,10 @@ profile partprobe @{exec_path} {
 @{PROC}/sys/kernel/random/boot_id r,
 # file_inherit
- #include # lots of files in this abstraction get inherited
+ include # lots of files in this abstraction get inherited
 /dev/mapper/control rw,
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/passwd b/apparmor.d/passwd
index f3fa1a932..b8bcb0550 100644
--- a/apparmor.d/passwd
+++ b/apparmor.d/passwd
@@ -9,16 +9,16 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/passwd
 profile passwd @{exec_path} {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 # To write records to the kernel auditing log.
 capability audit_write,
@@ -33,6 +33,8 @@ profile passwd @{exec_path} {
 # passwd is a SETUID binary, but it looks like it doesn't want this CAP.
 #capability setuid,
+ network netlink raw,
+
 @{exec_path} mr,
 owner @{PROC}/@{pid}/loginuid r,
@@ -44,5 +46,5 @@ profile passwd @{exec_path} {
 # modify the /etc/passwd or /etc/shadow password database.
 /etc/.pwd.lock rwk,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/pavucontrol b/apparmor.d/pavucontrol
index 9ef1f82cc..e3f67730e 100644
--- a/apparmor.d/pavucontrol
+++ b/apparmor.d/pavucontrol
@@ -9,19 +9,19 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/pavucontrol
 profile pavucontrol @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 @{exec_path} mr,
@@ -43,5 +43,5 @@ profile pavucontrol @{exec_path} {
 # file_inherit
 owner /dev/tty[0-9]* rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/php-fpm b/apparmor.d/php-fpm
new file mode 100644
index 000000000..32a786400
--- /dev/null
+++ b/apparmor.d/php-fpm
@@ -0,0 +1,60 @@
+# vim: ft=apparmor
+
+abi ,
+
+include
+
+profile php-fpm /usr/sbin/php-fpm* flags=(complain,attach_disconnected) {
+ # load common libraries and their support files
+ include
+ # resolve hostnames/usernames
+ include
+ # common php files and support files that php needs
+ include
+ # read openssl configuration
+ include
+ # read the system certificates
+ include
+
+ /etc/php{,5,7}/** r,
+
+ capability net_admin,
+ # change user/group of a pool
+ capability setuid,
+ capability setgid,
+ # change ownership of the socket so that we can launch with a different user/group as the socket will be owned by
+ capability chown,
+ # we want to be able to kill our child processes
+ capability kill,
+ # to provide sockets with acls different than root
+ capability dac_override,
+
+ # we need write access here to move it into a different apparmor sub profile
+ @{PROC}/@{pid}/attr/{apparmor/,}current rw,
+
+ # the main log file
+ /var/log/php*-fpm.log rw,
+
+ # we need to be able to create all sockets
+ @{run}/php{,-fpm}/php*-fpm.pid rw,
+ @{run}/php{,-fpm}/php*-fpm.sock rwlk,
+
+ # to reload
+ /usr/sbin/php-fpm* rix,
+
+ # no idea why php tries to open / read/write
+ deny / rw,
+
+ # allow sending signals to our subprocesses
+ signal (send) peer=php-fpm//*,
+
+ # allow switching processes to those subprofiles
+ change_profile -> php-fpm//*,
+
+ # load all files from this directory
+ # store your configurations per pool in this dir
+ include if exists
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/apparmor.d/pinentry-gtk-2 b/apparmor.d/pinentry-gtk-2
index e011bd108..374d89f3b 100644
--- a/apparmor.d/pinentry-gtk-2
+++ b/apparmor.d/pinentry-gtk-2
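Review bot: `capability net_admin,` is the only capability in the new php-fpm profile that has no comment saying why it is granted, and it is the broadest one in the list (interface, routing and firewall configuration among other things); the profile documents every other capability, so a line such as `# [PLACEHOLDER: the php-fpm operation that needed net_admin]` above it would let a later reviewer judge whether it is still required. Because the header declares `flags=(complain,attach_disconnected)`, none of the grants here are enforced yet — including `capability dac_override,`, which bypasses file permission checks well beyond the socket ACL case the comment names, and the `@{PROC}/@{pid}/attr/{apparmor/,}current rw,` write that drives `change_profile -> php-fpm//*,` — so a comment on the `profile` line stating that complain mode is intentional for this first version, with the plan to drop it once the per-pool subprofiles exist, would make the current posture explicit. The `/usr/sbin/php-fpm* rix,` rule keeps a re-exec under this same profile, which is consistent with the reload comment but is worth saying there as well.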
@@ -9,19 +9,19 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/pinentry-gtk-2
 profile pinentry-gtk-2 @{exec_path} {
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
 @{exec_path} mr,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/pinentry-kwallet b/apparmor.d/pinentry-kwallet
index 949df6daa..f5cc11988 100644
--- a/apparmor.d/pinentry-kwallet
+++ b/apparmor.d/pinentry-kwallet
@@ -9,16 +9,16 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/pinentry-kwallet
 profile pinentry-kwallet @{exec_path} {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 signal (send) set=(term, kill) peer=gpg-agent,
@@ -41,7 +41,7 @@ profile pinentry-kwallet @{exec_path} {
 profile kwalletcli {
- #include
+ include
 /{usr/,}bin/kwalletcli mr,
@@ -56,5 +56,5 @@ profile pinentry-kwallet @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/pinentry-qt b/apparmor.d/pinentry-qt
index a86b3edd2..219a094e6 100644
--- a/apparmor.d/pinentry-qt
+++ b/apparmor.d/pinentry-qt
@@ -9,23 +9,23 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/pinentry-qt
 profile pinentry-qt @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 @{exec_path} mr,
@@ -44,5 +44,5 @@ profile pinentry-qt @{exec_path} {
 /usr/share/hwdata/pnp.ids r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/pkexec b/apparmor.d/pkexec
index 586781989..82b2f4a47 100644
--- a/apparmor.d/pkexec
+++ b/apparmor.d/pkexec
@@ -9,17 +9,17 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/pkexec
 profile pkexec @{exec_path} flags=(complain) {
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
 signal (send) set=(term, kill) peer=polkit-agent-helper,
@@ -36,6 +36,8 @@ profile pkexec @{exec_path} flags=(complain) {
 ptrace (read),
+ network netlink raw,
+
 @{exec_path} mr,
 /etc/shells r,
@@ -56,5 +58,5 @@ profile pkexec @{exec_path} flags=(complain) {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/polipo b/apparmor.d/polipo
index 672b8be17..1edc884b7 100644
--- a/apparmor.d/polipo
+++ b/apparmor.d/polipo
@@ -9,13 +9,13 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/polipo
 profile polipo @{exec_path} {
- #include
+ include
 @{exec_path} mr,
@@ -31,5 +31,5 @@ profile polipo @{exec_path} {
 # Nameservice
 /etc/resolv.conf r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/polkit-agent-helper b/apparmor.d/polkit-agent-helper
index 0dd3fe982..9c6955a33 100644
--- a/apparmor.d/polkit-agent-helper
+++ b/apparmor.d/polkit-agent-helper
@@ -9,17 +9,17 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9]
 profile polkit-agent-helper @{exec_path} {
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
 signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
 signal (receive) set=(term, kill) peer=pkexec,
@@ -32,11 +32,13 @@ profile polkit-agent-helper @{exec_path} {
 # Needed?
 deny capability sys_nice,
+ network netlink raw,
+
 @{exec_path} mr,
 # file_inherit
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/polkit-kde-authentication-agent b/apparmor.d/polkit-kde-authentication-agent
index f68b79dc2..1d264b393 100644
--- a/apparmor.d/polkit-kde-authentication-agent
+++ b/apparmor.d/polkit-kde-authentication-agent
@@ -9,25 +9,25 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/@{multiarch}/libexec/polkit-kde-authentication-agent-[0-9]
 profile polkit-kde-authentication-agent @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 signal (send) set=(term, kill) peer=polkit-agent-helper,
@@ -58,5 +58,5 @@ profile polkit-kde-authentication-agent @{exec_path} {
 owner /tmp/#[0-9]*[0-9] rw,
 owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#[0-9]*[0-9],
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/polkit-mate-authentication-agent b/apparmor.d/polkit-mate-authentication-agent
index 1e1064bb0..279b16540 100644
--- a/apparmor.d/polkit-mate-authentication-agent
+++ b/apparmor.d/polkit-mate-authentication-agent
@@ -9,22 +9,22 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
 profile polkit-mate-authentication-agent @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 signal (send) set=(term, kill) peer=polkit-agent-helper,
@@ -44,5 +44,5 @@ profile polkit-mate-authentication-agent @{exec_path} {
 # file_inherit
 owner /dev/tty[0-9]* rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/polkitd b/apparmor.d/polkitd
index 44e85cb8f..3410265ac 100644
--- a/apparmor.d/polkitd
+++ b/apparmor.d/polkitd
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/polkit-1/polkitd
 profile polkitd @{exec_path} {
- #include
- #include
+ include
+ include
 # Tu run as polkitd:nogroup
 capability setuid,
@@ -46,5 +46,5 @@ profile polkitd @{exec_path} {
 @{run}/systemd/sessions/* r,
 @{run}/systemd/users/[0-9]* r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/popcon-largest-unused b/apparmor.d/popcon-largest-unused
index 10842b5f5..a4a195d93 100644
--- a/apparmor.d/popcon-largest-unused
+++ b/apparmor.d/popcon-largest-unused
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}sbin/popcon-largest-unused
 profile popcon-largest-unused @{exec_path} {
- #include
- #include
+ include
+ include
 @{exec_path} r,
 /{usr/,}bin/perl r,
@@ -33,5 +33,8 @@ profile popcon-largest-unused @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
- #include if exists
+ # For shell pwd
+ /root/ r,
+
+ include if exists
 }
diff --git a/apparmor.d/popularity-contest b/apparmor.d/popularity-contest
index 8689cfb1b..456d6d358 100644
--- a/apparmor.d/popularity-contest
+++ b/apparmor.d/popularity-contest
@@ -9,15 +9,15 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}sbin/popularity-contest
 profile popularity-contest @{exec_path} {
- #include
- #include
- #include
+ include
+ include
+ include
 # For popularity-contest --su-nobody
 capability setuid,
@@ -59,5 +59,5 @@ profile popularity-contest @{exec_path} {
 # file_inherit
 /tmp/#[0-9]*[0-9] rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/ps b/apparmor.d/ps
index 049acd22b..d9ab3d20d 100644
--- a/apparmor.d/ps
+++ b/apparmor.d/ps
@@ -9,17 +9,17 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 # When any of the "*ns" parameters is used, the following error will be printed:
 # "Failed name lookup - disconnected path" error=-13 profile="ps" name="".
 @{exec_path} = /{usr/,}bin/ps
 profile ps @{exec_path} flags=(attach_disconnected) {
- #include
- #include
- #include
+ include
+ include
+ include
 # To be able to read the /proc/ files of all processes in the system.
 capability dac_read_search,
@@ -67,5 +67,5 @@ profile ps @{exec_path} flags=(attach_disconnected) {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/ps-mem b/apparmor.d/ps-mem
index b1d86c7be..418f3a19c 100644
--- a/apparmor.d/ps-mem
+++ b/apparmor.d/ps-mem
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/ps_mem
 profile ps-mem @{exec_path} {
- #include
- #include
+ include
+ include
 capability sys_ptrace,
@@ -35,5 +35,5 @@ profile ps-mem @{exec_path} {
 # For the "--swap" flag
 @{PROC}/@{pid}/smaps r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/pscap b/apparmor.d/pscap
index 608e3394c..c4b2f3834 100644
--- a/apparmor.d/pscap
+++ b/apparmor.d/pscap
@@ -9,15 +9,15 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/pscap
 profile pscap @{exec_path} {
- #include
- #include
- #include
+ include
+ include
+ include
 capability sys_ptrace,
@@ -28,5 +28,5 @@ profile pscap @{exec_path} {
 @{PROC}/ r,
 @{PROC}/@{pids}/stat r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/psi-plus b/apparmor.d/psi-plus
index 38a27f335..08a6d5938 100644
--- a/apparmor.d/psi-plus
+++ b/apparmor.d/psi-plus
@@ -9,33 +9,39 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/psi-plus
 profile psi-plus @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 signal (send) set=(term, kill) peer=child-lsb_release,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink dgram,
+
 @{exec_path} mr,
 /{usr/,}bin/lsb_release rPx -> child-lsb_release,
@@ -104,8 +110,8 @@ profile psi-plus @{exec_path} {
 profile aplay {
- #include
- #include
+ include
+ include
 /{usr/,}bin/aplay mr,
 #/{usr/,}bin/pulseaudio rPUx,
@@ -123,7 +129,7 @@ profile psi-plus @{exec_path} {
 }
 profile gpg {
- #include
+ include
 /{usr/,}bin/gpg mr,
@@ -136,8 +142,8 @@ profile psi-plus @{exec_path} {
 }
 profile open {
- #include
- #include
+ include
+ include
 /{usr/,}bin/xdg-open mr,
@@ -153,5 +159,5 @@ profile psi-plus @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/pulseaudio b/apparmor.d/pulseaudio
index 0f54a3532..aa07d128f 100644
--- a/apparmor.d/pulseaudio
+++ b/apparmor.d/pulseaudio
@@ -9,22 +9,26 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/pulseaudio
 profile pulseaudio @{exec_path} {
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
 ptrace (trace) peer=@{profile_name},
 signal (receive) peer=pacmd,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
 @{exec_path} mrix,
 /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
@@ -83,5 +87,5 @@ profile pulseaudio @{exec_path} {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/qbittorrent b/apparmor.d/qbittorrent
index a89c29b9b..702101eee 100644
--- a/apparmor.d/qbittorrent
+++ b/apparmor.d/qbittorrent
@@ -9,34 +9,41 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{TORRENT_DIR} = /media/*/torrent
 @{exec_path} = /{usr/,}bin/qbittorrent
 profile qbittorrent @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 signal (send) set=(term, kill) peer=qbittorrent//python3,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink dgram,
+ network netlink raw,
+
 @{exec_path} mr,
 # For "search engine"
@@ -113,14 +120,18 @@ profile qbittorrent @{exec_path} {
 profile python3 {
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
 signal (receive) set=(term, kill) peer=qbittorrent,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
 /{usr/,}bin/python3.[0-9]* r,
 owner @{HOME}/.local/share/data/qBittorrent/nova[0-9]/{,**} rw,
@@ -140,8 +151,8 @@ profile qbittorrent @{exec_path} {
 }
 profile open {
- #include
- #include
+ include
+ include
 /{usr/,}bin/xdg-open mr,
@@ -171,5 +182,5 @@ profile qbittorrent @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/qbittorrent-nox b/apparmor.d/qbittorrent-nox
index cc7f11ab7..7eea78861 100644
--- a/apparmor.d/qbittorrent-nox
+++ b/apparmor.d/qbittorrent-nox
@@ -9,19 +9,26 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{TORRENT_DIR} = /media/*/torrent
 @{exec_path} = /{usr/,}bin/qbittorrent-nox
 profile qbittorrent-nox @{exec_path} {
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink dgram,
+ network netlink raw,
 @{exec_path} mr,
@@ -68,5 +75,5 @@ profile qbittorrent-nox @{exec_path} {
 owner /tmp/mozilla_*/*.torrent rw,
 owner /tmp/.*/{,s} rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/qnapi b/apparmor.d/qnapi
index 2a1361bef..de3e4db1c 100644
--- a/apparmor.d/qnapi
+++ b/apparmor.d/qnapi
@@ -9,9 +9,9 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 # Video/audio extensions:
 # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
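Review bot: the python3 subprofile gains only `network inet dgram,` and `network inet6 dgram,` (plus `network netlink raw,`), so a search plugin that talks to its web backend over HTTP(S) — a TCP connection — would still be denied under enforcement; if that is how the nova search scripts that the `nova[0-9]/` rule below serves work, `network inet stream,` and `network inet6 stream,` appear to be missing here, unless the lookups were confirmed to use UDP only. A comment stating which transport was observed in the audit log would settle it either way. The enclosing `profile qbittorrent` starts outside this hunk.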
@@ -46,24 +46,31 @@
 @{exec_path} = /{usr/,}bin/qnapi
 profile qnapi @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 # Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the
 # action (stop qnapi), the apps send the term/kill signal to qnapi.
 signal (receive) set=(kill, term),
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+ network netlink dgram,
+
 @{exec_path} mr,
 /{usr/,}bin/7z rix,
@@ -124,8 +131,8 @@ profile qnapi @{exec_path} {
 profile open {
- #include
- #include
+ include
+ include
 /{usr/,}bin/xdg-open mr,
@@ -141,5 +148,5 @@ profile qnapi @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/qpdfview b/apparmor.d/qpdfview
index 73d6b2a72..e533ec20a 100644
--- a/apparmor.d/qpdfview
+++ b/apparmor.d/qpdfview
@@ -9,9 +9,9 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 # Ebooks extensions
 # pdf, epub, djvu
@@ -21,20 +21,20 @@
 @{exec_path} = /{usr/,}bin/qpdfview
 profile qpdfview @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 @{exec_path} mr,
@@ -104,8 +104,8 @@ profile qpdfview @{exec_path} {
 profile open {
- #include
- #include
+ include
+ include
 /{usr/,}bin/xdg-open mr,
@@ -121,7 +121,7 @@ profile qpdfview @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/qt5ct b/apparmor.d/qt5ct
index 88cd43efd..392539de4 100644
--- a/apparmor.d/qt5ct
+++ b/apparmor.d/qt5ct
@@ -9,23 +9,23 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/qt5ct
 profile qt5ct @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 @{exec_path} mr,
@@ -57,5 +57,5 @@ profile qt5ct @{exec_path} {
 /dev/shm/#[0-9]*[0-9] rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/qtchooser b/apparmor.d/qtchooser
index 690f64354..5d8971d86 100644
--- a/apparmor.d/qtchooser
+++ b/apparmor.d/qtchooser
@@ -9,13 +9,13 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/qtchooser
 profile qtchooser @{exec_path} flags=(complain) {
- #include
+ include
 @{exec_path} mr,
@@ -27,5 +27,5 @@ profile qtchooser @{exec_path} flags=(complain) {
 # file_inherit
 owner @{HOME}/.xsession-errors w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/querybts b/apparmor.d/querybts
index c7bfd0f18..e5e634b04 100644
--- a/apparmor.d/querybts
+++ b/apparmor.d/querybts
@@ -9,23 +9,29 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/querybts
 profile querybts @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
 @{exec_path} r,
 /{usr/,}bin/python3.[0-9]* r,
@@ -59,8 +65,8 @@ profile querybts @{exec_path} {
 profile open {
- #include
- #include
+ include
+ include
 /{usr/,}bin/xdg-open mr,
@@ -76,5 +82,5 @@ profile querybts @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/quiterss b/apparmor.d/quiterss index e73f0eb67..689f4a0c3 100644 --- a/apparmor.d/quiterss +++ b/apparmor.d/quiterss @@ -9,31 +9,38 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/quiterss profile quiterss @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include # This one is needed when you want to receive sound notifications - ##include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + network netlink dgram, @{exec_path} mr, @@ -90,8 +97,8 @@ profile quiterss @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -107,5 +114,5 @@ profile quiterss @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/rdmsr b/apparmor.d/rdmsr index 85a57cb3c..8fa618585 100644 --- a/apparmor.d/rdmsr +++ b/apparmor.d/rdmsr @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/rdmsr profile rdmsr @{exec_path} { - #include + include # To access /dev/cpu/*/msr . capability sys_rawio, @@ -24,5 +24,5 @@ profile rdmsr @{exec_path} { owner /dev/cpu/[0-9]*/msr r, - #include if exists + include if exists } diff --git a/apparmor.d/redshift b/apparmor.d/redshift index 02542bd80..26b4ca8d2 100644 --- a/apparmor.d/redshift +++ b/apparmor.d/redshift 
@@ -10,14 +10,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/redshift profile redshift @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -39,5 +39,5 @@ profile redshift @{exec_path} { owner @{HOME}/.Xauthority r, owner /tmp/xauth-[0-9]*-_[0-9] r, - #include if exists + include if exists } diff --git a/apparmor.d/repo b/apparmor.d/repo index 62536305c..7ff5112a6 100644 --- a/apparmor.d/repo +++ b/apparmor.d/repo @@ -9,18 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/repo -profile repo @{exec_path} flags=(complain) { - #include - #include - #include - #include - #include - #include +profile repo @{exec_path} { + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} r, /{usr/,}bin/python3.[0-9]* rix, @@ -59,24 +64,26 @@ profile repo @{exec_path} flags=(complain) { owner /dev/shm/sem.mp* rwl -> /dev/shm/*, - profile curl flags=(complain) { - #include - #include - #include - #include + profile curl { + include + include + include + include /{usr/,}bin/curl mr, } - profile gpg flags=(complain) { - #include + profile gpg { + include /{usr/,}bin/gpg mr, owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**, + owner /tmp/.git_vtag_tmp* r, + } - #include if exists + include if exists } diff --git a/apparmor.d/reportbug b/apparmor.d/reportbug index c2abcbf0f..cf544f1bf 100644 --- a/apparmor.d/reportbug +++ b/apparmor.d/reportbug 
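Review bot: Dropping `flags=(complain)` from the `repo` profile and its `curl` and `gpg` subprofiles in the same change that enables `abi <abi/3.0>` moves them straight to enforce mode while the mediation scope also widens, so any rule still missing now blocks the tool instead of being logged. The `curl` subprofile receives no explicit `network` rule in this hunk, so unless one of its includes grants it, curl transfers will be denied under enforce — worth confirming before merging. The new `owner /tmp/.git_vtag_tmp* r,` line in the `gpg` subprofile would also benefit from a short comment, e.g. `# Signed-tag verification writes the tag blob to a temp file for gpg to read`, since the pattern is not self-explanatory.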
@@ -9,23 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/reportbug profile reportbug @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -89,14 +95,14 @@ profile reportbug @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, } profile gpg { - #include + include /{usr/,}bin/gpg mr, @@ -108,8 +114,8 @@ profile reportbug @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -125,5 +131,5 @@ profile reportbug @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/reprepro b/apparmor.d/reprepro index 5ff17efcd..092166927 100644 --- a/apparmor.d/reprepro +++ b/apparmor.d/reprepro @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{REPO_DIR} = /media/debuilder/repo @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/reprepro profile reprepro @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -63,7 +63,7 @@ profile reprepro @{exec_path} { owner @{BUILD_DIR}/pbuilder/result/*.tar.* r, profile gpg { - #include + include /{usr/,}bin/gpgconf mr, /{usr/,}bin/gpg mr, @@ -74,5 +74,5 @@ profile reprepro @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/resize2fs b/apparmor.d/resize2fs index e2714f965..718c98085 100644 --- a/apparmor.d/resize2fs +++ b/apparmor.d/resize2fs 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/resize2fs profile resize2fs @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -30,5 +30,5 @@ profile resize2fs @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/rfkill b/apparmor.d/rfkill index 144371f4d..75154b1fc 100644 --- a/apparmor.d/rfkill +++ b/apparmor.d/rfkill @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/rfkill profile rfkill @{exec_path} { - #include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile rfkill @{exec_path} { @{sys}/devices/pci[0-9]*/**/rfkill[0-9]/{name,type} r, @{sys}/devices/platform/**/rfkill/rfkill[0-9]/{name,type} r, - #include if exists + include if exists } diff --git a/apparmor.d/rpi-imager b/apparmor.d/rpi-imager index 944ad368b..bbfd3a1aa 100644 --- a/apparmor.d/rpi-imager +++ b/apparmor.d/rpi-imager @@ -9,29 +9,36 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/rpi-imager profile rpi-imager @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include #capability sys_admin, deny capability sys_nice, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + @{exec_path} mr, /usr/bin/lsblk rCx -> lsblk, 
@@ -85,9 +92,9 @@ profile rpi-imager @{exec_path} { profile lsblk { - #include - #include - #include + include + include + include /usr/bin/lsblk mr, @@ -99,5 +106,5 @@ profile rpi-imager @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/rredtool b/apparmor.d/rredtool index c8842289a..f1688539c 100644 --- a/apparmor.d/rredtool +++ b/apparmor.d/rredtool @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/rredtool profile rredtool @{exec_path} flags=(complain) { - #include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/rsyslogd b/apparmor.d/rsyslogd index ff37cc8b5..6affe0c3e 100644 --- a/apparmor.d/rsyslogd +++ b/apparmor.d/rsyslogd @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Debugging the syslogger can be difficult if it can't write to the file # that the kernel is logging denials to. In these cases, you can do the @@ -20,8 +20,8 @@ @{exec_path} = /{usr/,}sbin/rsyslogd profile rsyslogd @{exec_path} { - #include - #include + include + include capability syslog, @@ -55,5 +55,5 @@ profile rsyslogd @{exec_path} { /etc/CA/*.crt r, /etc/CA/*.key r, - #include if exists + include if exists } diff --git a/apparmor.d/rtkit-daemon b/apparmor.d/rtkit-daemon index 02fb286d9..eac84366d 100644 --- a/apparmor.d/rtkit-daemon +++ b/apparmor.d/rtkit-daemon @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/libexec/rtkit-daemon profile rtkit-daemon @{exec_path} { - #include - #include + include + include # To raise process nice and set scheduling policies (real-time) and priorities capability sys_nice, 
@@ -40,5 +40,5 @@ profile rtkit-daemon @{exec_path} { @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/@{pids}/limits r, - #include if exists + include if exists } diff --git a/apparmor.d/rtkitctl b/apparmor.d/rtkitctl index ed3bcc14f..3014abaee 100644 --- a/apparmor.d/rtkitctl +++ b/apparmor.d/rtkitctl @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/rtkitctl profile rtkitctl @{exec_path} { - #include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/run-parts b/apparmor.d/run-parts index 2fbf74f32..21130cc9f 100644 --- a/apparmor.d/run-parts +++ b/apparmor.d/run-parts @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/run-parts profile run-parts @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -48,7 +48,7 @@ profile run-parts @{exec_path} { profile motd { - #include + include / r, /etc/update-motd.d/[0-9]*-[a-z]* r, @@ -60,8 +60,8 @@ profile run-parts @{exec_path} { } profile kernel-pre-post { - #include - #include + include + include /etc/kernel/header_postinst.d/* r, /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, @@ -115,5 +115,5 @@ profile run-parts @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/runuser b/apparmor.d/runuser index e817b2fd3..77f300fad 100644 --- a/apparmor.d/runuser +++ b/apparmor.d/runuser @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/runuser profile runuser @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include # To remove the following errors: # runuser: cannot set user id: Operation not permitted 
@@ -51,5 +51,5 @@ profile runuser @{exec_path} { # file_inherit owner /tmp/debian-security-support.postinst.*/output w, - #include if exists + include if exists } diff --git a/apparmor.d/sbin.klogd b/apparmor.d/sbin.klogd index 8f4b22d32..b44c4da07 100644 --- a/apparmor.d/sbin.klogd +++ b/apparmor.d/sbin.klogd @@ -9,10 +9,12 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile klogd /{usr/,}{bin,sbin}/klogd flags=(complain) { - #include + include capability sys_admin, # for backward compatibility with kernel <= 2.6.37 capability syslog, @@ -26,10 +28,10 @@ profile klogd /{usr/,}{bin,sbin}/klogd flags=(complain) { /{usr/,}{bin,sbin}/klogd rmix, /var/log/boot.msg rwl, - /{,var/}run/klogd.pid krwl, - /{,var/}run/klogd/klogd.pid krwl, - /{,var/}run/klogd/kmsg r, + @{run}/klogd.pid krwl, + @{run}/klogd/klogd.pid krwl, + @{run}/klogd/kmsg r, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/sbin.syslog-ng b/apparmor.d/sbin.syslog-ng index b03af238c..1f0d229ea 100644 --- a/apparmor.d/sbin.syslog-ng +++ b/apparmor.d/sbin.syslog-ng @@ -10,18 +10,21 @@ # # ------------------------------------------------------------------ -#include +abi , + +include #define this to be where syslog-ng is chrooted @{CHROOT_BASE}="" profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng flags=(complain) { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include capability chown, capability dac_override, @@ -45,8 +48,6 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng flags=(complain) { /etc/syslog-ng/conf.d/ r, /etc/syslog-ng/conf.d/* r, @{PROC}/kmsg r, - /etc/hosts.deny r, - /etc/hosts.allow r, /{usr/,}{bin,sbin}/syslog-ng mr, @{sys}/devices/system/cpu/online r, /usr/share/syslog-ng/** r, 
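Review bot: The syslog-ng hunk removes `/etc/hosts.deny r,` and `/etc/hosts.allow r,` while the earlier hunk in the same file adds a seventh include whose name is not visible here; if that include is what now covers the tcp-wrappers files, a comment saying so would prevent someone re-adding the explicit rules, and if it is not, syslog-ng's host-access checks would start producing denials (logged only, since the profile stays `flags=(complain)`). Consider a line such as `# /etc/hosts.{allow,deny} are covered by the included abstraction` above the include block. The `@{run}` substitutions in klogd, syslog-ng and syslogd rely on the variable being defined by the file-level include, which is outside these hunks.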
@@ -55,14 +56,14 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng flags=(complain) { @{CHROOT_BASE}/var/lib/*/dev/log w, @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw, @{CHROOT_BASE}/var/log/** w, - @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw, - @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw, + @{CHROOT_BASE}/@{run}/syslog-ng.pid krw, + @{CHROOT_BASE}/@{run}/syslog-ng.ctl rw, /{var,var/run,run}/log/journal/ r, /{var,var/run,run}/log/journal/*/ r, /{var,var/run,run}/log/journal/*/*.journal r, - /{var/,}run/syslog-ng.ctl a, - /{var/,}run/syslog-ng/additional-log-sockets.conf r, + @{run}/syslog-ng.ctl a, + @{run}/syslog-ng/additional-log-sockets.conf r, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/sbin.syslogd b/apparmor.d/sbin.syslogd index 1b54029de..bcd632aab 100644 --- a/apparmor.d/sbin.syslogd +++ b/apparmor.d/sbin.syslogd @@ -9,12 +9,14 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile syslogd /{usr/,}{bin,sbin}/syslogd flags=(complain) { - #include - #include - #include + include + include + include capability sys_tty_config, capability dac_override, @@ -34,10 +36,10 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd flags=(complain) { /etc/syslog.conf r, /{usr/,}{bin,sbin}/syslogd rmix, /var/log/** rw, - /{,var/}run/syslogd.pid krwl, - /{,var/}run/utmp rw, + @{run}/syslogd.pid krwl, + @{run}/utmp rw, /var/spool/compaq/nic/messages_fifo rw, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/scdaemon b/apparmor.d/scdaemon index c73c96f35..ea03bfcc3 100644 --- a/apparmor.d/scdaemon +++ b/apparmor.d/scdaemon 
@@ -9,13 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/gnupg/scdaemon profile scdaemon @{exec_path} { - #include + include + + network netlink raw, @{exec_path} mr, @@ -34,5 +36,5 @@ profile scdaemon @{exec_path} { @{sys}/class/ r, @{sys}/devices/pci[0-9]*/**/{busnum,devnum,descriptors,speed,uevent,bConfigurationValue} r, - #include if exists + include if exists } diff --git a/apparmor.d/scrot b/apparmor.d/scrot index 86c8c842b..9ce34a17e 100644 --- a/apparmor.d/scrot +++ b/apparmor.d/scrot @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/scrot profile scrot @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -39,5 +39,5 @@ profile scrot @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/sddm b/apparmor.d/sddm index 73c349715..46b097154 100644 --- a/apparmor.d/sddm +++ b/apparmor.d/sddm @@ -9,20 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/sddm profile sddm @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include # To remove the following errors: # chown("/tmp/sddm-:0-YPUOCV", 123, 132) = -1 EPERM (Operation not permitted) @@ -169,9 +169,9 @@ profile sddm @{exec_path} { profile sddm-scripts { - #include - #include - #include + include + include + include /usr/share/sddm/scripts/Xsetup r, /usr/share/sddm/scripts/Xstop r, @@ -192,7 +192,7 @@ profile sddm @{exec_path} { } profile xauth { - #include + include /{usr/,}bin/xauth mr, @@ -208,5 +208,5 @@ profile sddm @{exec_path} { } - #include if exists + include if exists } 
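Review bot: The scdaemon profile gains `network netlink raw,` with no comment, and it is the only network rule in the profile, so its purpose is not obvious from context. The surrounding rules read USB descriptors under `@{sys}/devices/pci*`, which suggests it serves device hotplug notification, but that is an inference; a hedged comment such as `# Netlink socket, presumably for USB reader hotplug events — confirm with an audit log` would document the assumption until it is verified.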
diff --git a/apparmor.d/sddm-greeter b/apparmor.d/sddm-greeter index 53f020a74..6530b76fc 100644 --- a/apparmor.d/sddm-greeter +++ b/apparmor.d/sddm-greeter @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/sddm-greeter profile sddm-greeter @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include @{exec_path} mr, @@ -83,7 +83,7 @@ profile sddm-greeter @{exec_path} { owner @{HOME}/.cache/plasma_theme_*.kcache rw, owner @{HOME}/.cache/plasma-svgelements-* rw, - #include + include owner @{PROC}/@{pid}/cmdline r, #------------------------------------------------------------------ @@ -105,5 +105,5 @@ profile sddm-greeter @{exec_path} { # file_inherit #/dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/sddm-xsession b/apparmor.d/sddm-xsession index a24295d3f..147ef66a8 100644 --- a/apparmor.d/sddm-xsession +++ b/apparmor.d/sddm-xsession @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/sddm/Xsession profile sddm-xsession @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -79,7 +79,7 @@ profile sddm-xsession @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -92,7 +92,7 @@ profile sddm-xsession @{exec_path} { } profile dbus { - #include + include /{usr/,}bin/dbus-update-activation-environment mr, @@ -102,7 +102,7 @@ profile sddm-xsession @{exec_path} { } profile gpg { - #include + include /{usr/,}bin/gpgconf mr, @@ -116,7 +116,7 @@ profile sddm-xsession @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, 
@@ -139,5 +139,5 @@ profile sddm-xsession @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/sensors b/apparmor.d/sensors index 4bf1e69d6..335ab2efa 100644 --- a/apparmor.d/sensors +++ b/apparmor.d/sensors @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/sensors profile sensors @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -46,5 +46,5 @@ profile sensors @{exec_path} { deny @{PROC}/loadavg r, deny @{PROC}/@{pid}/io r, - #include if exists + include if exists } diff --git a/apparmor.d/sensors-detect b/apparmor.d/sensors-detect index 678b983b9..9bb179cd1 100644 --- a/apparmor.d/sensors-detect +++ b/apparmor.d/sensors-detect @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/sensors-detect profile sensors-detect @{exec_path} { - #include - #include + include + include capability syslog, @@ -48,7 +48,7 @@ profile sensors-detect @{exec_path} { profile udevadm { - #include + include capability sys_ptrace, @@ -66,7 +66,7 @@ profile sensors-detect @{exec_path} { } profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -79,5 +79,5 @@ profile sensors-detect @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/setpci b/apparmor.d/setpci index fb3fbc394..49e864b72 100644 --- a/apparmor.d/setpci +++ b/apparmor.d/setpci @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/setpci profile setpci @{exec_path} flags=(complain) { - #include + include @{exec_path} mr, @{sys}/bus/pci/devices/ r, @{sys}/devices/pci[0-9]*/** r, - #include if exists + include if exists } diff --git a/apparmor.d/setpriv b/apparmor.d/setpriv index 7e515485a..3f3b3c0cf 100644 --- a/apparmor.d/setpriv 
+++ b/apparmor.d/setpriv @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/setpriv profile setpriv @{exec_path} { - #include - #include + include + include @{exec_path} mr, /{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}sbin/[a-z0-9]* rPUx, - #include if exists + include if exists } diff --git a/apparmor.d/sfdisk b/apparmor.d/sfdisk index bbe7f39f4..bf0dad47f 100644 --- a/apparmor.d/sfdisk +++ b/apparmor.d/sfdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/sfdisk profile sfdisk @{exec_path} { - #include - #include + include + include # Needed to avoid the following error: # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) @@ -39,5 +39,5 @@ profile sfdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/sgdisk b/apparmor.d/sgdisk index 129695516..37e976fb6 100644 --- a/apparmor.d/sgdisk +++ b/apparmor.d/sgdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/sgdisk profile sgdisk @{exec_path} { - #include - #include + include + include # Needed to inform the system of newly created/removed partitions # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) @@ -39,5 +39,5 @@ profile sgdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/signal-desktop b/apparmor.d/signal-desktop index c796a7152..c7e1f91d3 100644 --- a/apparmor.d/signal-desktop +++ b/apparmor.d/signal-desktop 
@@ -8,26 +8,26 @@ # License published by the Free Software Foundation. # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}" @{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}" @{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} profile signal-desktop @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -75,5 +75,5 @@ profile signal-desktop @{exec_path} { /{usr/,}bin/getconf rix, - #include if exists + include if exists } diff --git a/apparmor.d/signal-desktop-chrome-sandbox b/apparmor.d/signal-desktop-chrome-sandbox index 1379816c5..604707166 100644 --- a/apparmor.d/signal-desktop-chrome-sandbox +++ b/apparmor.d/signal-desktop-chrome-sandbox @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}" @{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}" @{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} profile signal-desktop-chrome-sandbox @{exec_path} { - #include - #include + include + include @{exec_path} mr, @{SIGNAL_INSTALLDIR}/signal-desktop rPx, - #include if exists + include if exists } diff --git a/apparmor.d/smartctl b/apparmor.d/smartctl index fef20c00e..74a2154ad 100644 --- a/apparmor.d/smartctl +++ b/apparmor.d/smartctl @@ -9,14 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/smartctl profile smartctl @{exec_path} { - #include - #include + include + include + include # To remove the following errors: # Probable ATA device behind a SAT layer 
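Review bot: The signal-desktop profile receives no explicit `network` rule in this hunk even though `abi <abi/3.0>` now mediates networking, and the same applies to the spotify hunk later on this page; both are network-dependent applications. If the network grants come from one of the included abstractions (the include targets are not visible here), a comment pointing to that abstraction would make the dependency explicit; otherwise these profiles will lose connectivity once the new abi is enforced. A quick check of the audit log after loading the updated profile would settle it.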
@@ -27,5 +28,5 @@ profile smartctl @{exec_path} { /var/lib/smartmontools/** r, - #include if exists + include if exists } diff --git a/apparmor.d/smartd b/apparmor.d/smartd index f2761caa8..41f34453c 100644 --- a/apparmor.d/smartd +++ b/apparmor.d/smartd @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/smartd profile smartd @{exec_path} { - #include - #include + include + include # To remove the following errors: # Device: /dev/disk/by-id/ata-*, IE (SMART) not enabled, skip device @@ -45,5 +45,5 @@ profile smartd @{exec_path} { /dev/ r, @{PROC}/devices r, - #include if exists + include if exists } diff --git a/apparmor.d/smplayer b/apparmor.d/smplayer index 7f579aaef..a13203ac1 100644 --- a/apparmor.d/smplayer +++ b/apparmor.d/smplayer @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -59,26 +59,25 @@ # For Qbittorrent !qB extension @{smplayer_ext} += "!qB" - @{exec_path} = /{usr/,}bin/smplayer profile smplayer @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include # Needed for hardware decoding ##include @@ -86,6 +85,12 @@ profile smplayer @{exec_path} { signal (send) set=(term, kill), signal (receive) set=(term, kill), + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + @{exec_path} mrix, # Which media files SMPlayer should be able to open 
@@ -146,6 +151,6 @@ profile smplayer @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.anyRemote/anyremote.stdout w, - #include if exists + include if exists } diff --git a/apparmor.d/smtube b/apparmor.d/smtube index 85a421f95..85df3f236 100644 --- a/apparmor.d/smtube +++ b/apparmor.d/smtube @@ -9,25 +9,32 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/smtube profile smtube @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, @{exec_path} mr, @@ -86,8 +93,8 @@ profile smtube @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -103,5 +110,5 @@ profile smtube @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/spacefm b/apparmor.d/spacefm index 36f71bdf5..83a9d0ae4 100644 --- a/apparmor.d/spacefm +++ b/apparmor.d/spacefm @@ -9,26 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/spacefm profile spacefm @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include # This should be tightened when the "profile has merged rule with conflicting x modifiers" error # will be fixed. (#FIXME#) - #include - #include + include + include # For root window deny capability dac_read_search, 
@@ -40,6 +40,10 @@ profile spacefm @{exec_path} { # SpaceFM needs this for killing/terminating processes it initiates. signal (send) set=(term, kill), + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, owner @{PROC}/@{pid}/mountinfo r, @@ -97,5 +101,5 @@ profile spacefm @{exec_path} { /var/** r, owner /var/** rw, - #include if exists + include if exists } diff --git a/apparmor.d/spacefm-auth b/apparmor.d/spacefm-auth index cfa280578..9a0618331 100644 --- a/apparmor.d/spacefm-auth +++ b/apparmor.d/spacefm-auth @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/spacefm-auth profile spacefm-auth @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - #include if exists + include if exists } diff --git a/apparmor.d/spectre-meltdown-checker b/apparmor.d/spectre-meltdown-checker index 6033900ba..3569d84f1 100644 --- a/apparmor.d/spectre-meltdown-checker +++ b/apparmor.d/spectre-meltdown-checker @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/spectre-meltdown-checker profile spectre-meltdown-checker @{exec_path} { - #include + include # Needed to read the /dev/cpu/[0-9]*/msr device capability sys_rawio, @@ -26,6 +26,7 @@ profile spectre-meltdown-checker @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ r, /{usr/,}bin/dirname rix, /{usr/,}bin/uname rix, /{usr/,}bin/cut rix, @@ -38,6 +39,9 @@ profile spectre-meltdown-checker @{exec_path} { /{usr/,}bin/id rix, /{usr/,}bin/gunzip rix, /{usr/,}bin/gzip rix, + /{usr/,}bin/zstd rix, + /{usr/,}bin/bunzip2 rix, + /{usr/,}bin/lzop rix, /{usr/,}bin/mktemp rix, /{usr/,}bin/tr rix, /{usr/,}bin/stat rix, 
@@ -56,6 +60,7 @@ profile spectre-meltdown-checker @{exec_path} { /{usr/,}bin/{,@{multiarch}-}objdump rix, /{usr/,}sbin/iucode_tool rix, /{usr/,}bin/dmesg rix, + /{usr/,}bin/mount rix, /{usr/,}bin/pgrep rCx -> pgrep, /{usr/,}bin/ccache rCx -> ccache, @@ -74,15 +79,18 @@ profile spectre-meltdown-checker @{exec_path} { owner @{HOME}/.mcedb rw, owner /{usr/,}bin/spectre-meltdown-checker w, + /tmp/ r, owner /tmp/{config,kernel}-* rw, owner /dev/cpu/[0-9]*/cpuid r, owner /dev/cpu/[0-9]*/msr rw, owner /dev/kmsg r, + /boot/ r, /boot/{config,vmlinuz,System.map}-* r, @{sys}/devices/system/cpu/vulnerabilities/* r, + @{sys}/module/kvm_intel/parameters/ept r, @{PROC}/ r, @{PROC}/config.gz r, @@ -93,9 +101,13 @@ profile spectre-meltdown-checker @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + # For shell pwd + /root/ r, + /etc/ r, + profile ccache { - #include + include /{usr/,}bin/ccache mr, @@ -106,7 +118,7 @@ profile spectre-meltdown-checker @{exec_path} { } profile pgrep { - #include + include /{usr/,}bin/pgrep mr, @@ -118,11 +130,11 @@ profile spectre-meltdown-checker @{exec_path} { } profile mcedb { - #include - #include - #include - #include - #include + include + include + include + include + include /{usr/,}bin/wget mr, /{usr/,}bin/sqlite3 mr, @@ -139,7 +151,7 @@ profile spectre-meltdown-checker @{exec_path} { } profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -150,5 +162,5 @@ profile spectre-meltdown-checker @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/speedtest b/apparmor.d/speedtest index 5daeb310d..c95013a75 100644 --- a/apparmor.d/speedtest +++ b/apparmor.d/speedtest 
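Review bot: `/{usr/,}bin/mount rix,` runs mount inside the spectre-meltdown-checker confinement, yet none of the hunks on this page add a `mount` rule, so the binary can only list mounts here; a comment stating that intent, e.g. `# mount is only used to inspect existing mounts; no mount rule is granted on purpose`, would stop a future reader from "fixing" a denial by adding one. The `/root/ r,` and `/etc/ r,` lines added under `# For shell pwd` are directory reads, which is fine, but grouping them with the other directory listings (`/tmp/ r,`, `/boot/ r,`) would keep the profile easier to audit. The enclosing profile body continues outside these hunks.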
@@ -9,17 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/speedtest{,-cli} profile speedtest @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -34,5 +40,5 @@ profile speedtest @{exec_path} { /etc/magic r, - #include if exists + include if exists } diff --git a/apparmor.d/spflashtool b/apparmor.d/spflashtool index d28562a93..a4f680eea 100644 --- a/apparmor.d/spflashtool +++ b/apparmor.d/spflashtool @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /opt/SPFlashTool/flash_tool{,.sh} profile spflashtool @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} mrix, @@ -69,5 +69,5 @@ profile spflashtool @{exec_path} { # Silence the noise /opt/SPFlashTool/** w, - #include if exists + include if exists } diff --git a/apparmor.d/spotify b/apparmor.d/spotify index ca2338d9c..904e58b4b 100644 --- a/apparmor.d/spotify +++ b/apparmor.d/spotify @@ -9,26 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/spotify /usr/share/spotify/spotify profile spotify @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mrix, 
@@ -90,5 +90,5 @@ profile spotify @{exec_path} {
 deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
 deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/ssh-agent b/apparmor.d/ssh-agent
index c56f93fc1..6f8ed02b4 100644
--- a/apparmor.d/ssh-agent
+++ b/apparmor.d/ssh-agent
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/ssh-agent
 profile ssh-agent @{exec_path} {
- #include
- #include
+ include
+ include
 @{exec_path} mr,
@@ -41,5 +41,5 @@ profile ssh-agent @{exec_path} {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/startx b/apparmor.d/startx
index 8f7ffaf6c..a8e44df24 100644
--- a/apparmor.d/startx
+++ b/apparmor.d/startx
@@ -9,16 +9,16 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/startx
 profile startx @{exec_path} {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 @{exec_path} r,
 /{usr/,}bin/{,ba,da}sh rix,
@@ -49,5 +49,5 @@ profile startx @{exec_path} {
 /dev/ r,
 owner /dev/tty[0-9]* rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry
index 453902912..0bfcef51a 100644
--- a/apparmor.d/strawberry
+++ b/apparmor.d/strawberry
@@ -9,33 +9,40 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/strawberry
 profile strawberry @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 signal (send) set=(term, kill) peer=strawberry-tagreader,
 signal (receive) set=(term, kill) peer=anyremote//*,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink dgram,
+ network netlink raw,
+
 @{exec_path} mr,
 /{usr/,}bin/strawberry-tagreader rPx,
@@ -117,8 +124,8 @@ profile strawberry @{exec_path} {
 profile open {
- #include
- #include
+ include
+ include
 /{usr/,}bin/xdg-open mr,
@@ -134,5 +141,5 @@ profile strawberry @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/strawberry-tagreader b/apparmor.d/strawberry-tagreader
index 0eb6cd19f..c7d19457a 100644
--- a/apparmor.d/strawberry-tagreader
+++ b/apparmor.d/strawberry-tagreader
@@ -9,17 +9,17 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/strawberry-tagreader
 profile strawberry-tagreader @{exec_path} {
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
 signal (receive) set=(term, kill) peer=strawberry,
 signal (receive) set=(term, kill) peer=anyremote//*,
@@ -35,5 +35,5 @@ profile strawberry-tagreader @{exec_path} {
 owner @{HOME}/.anyRemote/anyremote.stdout w,
 owner @{HOME}/.cache/gstreamer-*/registry.x86_64.bin.tmp* rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/su b/apparmor.d/su
index 479ab961d..fff527adc 100644
--- a/apparmor.d/su
+++ b/apparmor.d/su
@@ -9,18 +9,18 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/su
 profile su @{exec_path} {
- #include
- #include
- #include
- #include
- #include
-# #include
+ include
+ include
+ include
+ include
+ include
+# include
 # To remove the following errors:
 # su: cannot set groups: Operation not permitted
@@ -39,6 +39,8 @@ profile su @{exec_path} {
 signal (send) set=(term,kill),
 signal (receive) set=(int,quit,term),
+ network netlink raw,
+
 @{exec_path} mr,
 # Shells to use
@@ -64,5 +66,5 @@ profile su @{exec_path} {
 @{PROC}/cmdline r,
 @{sys}/devices/virtual/tty/console/active r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/sudo b/apparmor.d/sudo
index a00328849..b8cd2a68c 100644
--- a/apparmor.d/sudo
+++ b/apparmor.d/sudo
@@ -9,18 +9,18 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/sudo
 profile sudo @{exec_path} {
- #include
- #include
- #include
- #include
- #include
-# #include
+ include
+ include
+ include
+ include
+ include
+# include
 # To remove the following errors:
 # sudo: unable to change to root gid: Operation not permitted
@@ -68,5 +68,5 @@ profile sudo @{exec_path} {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/suid3num b/apparmor.d/suid3num
index 2963f9330..6761e4f6a 100644
--- a/apparmor.d/suid3num
+++ b/apparmor.d/suid3num
@@ -9,16 +9,17 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/suid3num
 @{exec_path} += /{usr/,}bin/suid3num.py
 profile suid3num @{exec_path} {
- #include
- #include
+ include
+ include
+ capability dac_read_search,
 capability sys_ptrace,
 ptrace (read),
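Review bot: `capability dac_read_search,` is added to the suid3num profile without the explanatory comment this repository puts on such grants (compare `# To be able to read the /proc/ files of all processes in the system.` above the same capability in the top profile). The capability bypasses DAC read and search checks on every path, so after this change only the profile's own file rules still bound what the tool can read, and it sits next to `capability sys_ptrace,` and `ptrace (read),` which already widen its reach into other processes. A line such as `# To be able to descend into every directory while searching for setuid binaries` would state the intent and make later tightening possible. The suid3num body continues past this hunk.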
@@ -37,5 +38,5 @@ profile suid3num @{exec_path} {
 deny /media/ r,
 deny /media/**/ r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/swaplabel b/apparmor.d/swaplabel
index e3daf1441..98bdad2c0 100644
--- a/apparmor.d/swaplabel
+++ b/apparmor.d/swaplabel
@@ -9,19 +9,19 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}sbin/swaplabel
 profile swaplabel @{exec_path} {
- #include
- #include
+ include
+ include
 @{exec_path} mr,
 # SWAP file common locations
 owner /swapfile rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/swapoff b/apparmor.d/swapoff
index b68632db6..7ea8882be 100644
--- a/apparmor.d/swapoff
+++ b/apparmor.d/swapoff
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}sbin/swapoff
 profile swapoff @{exec_path} {
- #include
- #include
+ include
+ include
 capability sys_admin,
@@ -29,6 +29,6 @@ profile swapoff @{exec_path} {
 # SWAP file common locations
 owner /swapfile rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/swapon b/apparmor.d/swapon
index ebbbb9112..659e4aabe 100644
--- a/apparmor.d/swapon
+++ b/apparmor.d/swapon
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}sbin/swapon
 profile swapon @{exec_path} {
- #include
- #include
+ include
+ include
 capability sys_admin,
@@ -29,5 +29,5 @@ profile swapon @{exec_path} {
 # SWAP file common locations
 owner /swapfile rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/synaptic b/apparmor.d/synaptic
index 398674928..33275668a 100644
--- a/apparmor.d/synaptic
+++ b/apparmor.d/synaptic
@@ -9,23 +9,23 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
 @{BUILD_DIR} = /media/debuilder/
-#include
+include
 @{exec_path} = /{usr/,}sbin/synaptic /{usr/,}bin/synaptic-pkexec
 profile synaptic @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 # To remove the following errors:
 # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
@@ -166,8 +166,8 @@ profile synaptic @{exec_path} {
 profile dbus {
- #include
- #include
+ include
+ include
 /{usr/,}bin/dbus-launch mr,
 /{usr/,}bin/dbus-send mr,
@@ -179,5 +179,5 @@ profile synaptic @{exec_path} {
 @{HOME}/.Xauthority r,
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/syncthing b/apparmor.d/syncthing
index d3d6a3ce3..a548125ff 100644
--- a/apparmor.d/syncthing
+++ b/apparmor.d/syncthing
@@ -9,16 +9,22 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/syncthing
 profile syncthing @{exec_path} {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
 @{exec_path} mrix,
@@ -44,8 +50,8 @@ profile syncthing @{exec_path} {
 profile open {
- #include
- #include
+ include
+ include
 /{usr/,}bin/xdg-open mr,
@@ -61,5 +67,5 @@ profile syncthing @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/system-config-printer b/apparmor.d/system-config-printer
index 65ef0ef70..a2781cae6 100644
--- a/apparmor.d/system-config-printer
+++ b/apparmor.d/system-config-printer
@@ -9,22 +9,25 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/system-config-printer /usr/share/system-config-printer/system-config-printer.py
 profile system-config-printer @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
 @{exec_path} mrix,
@@ -33,6 +36,7 @@ profile system-config-printer @{exec_path} {
 /usr/share/system-config-printer/{,**} r,
+ owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/mountinfo r,
@@ -48,5 +52,5 @@ profile system-config-printer @{exec_path} {
 # file_inherit
 owner /dev/tty[0-9]* rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/system-config-printer-applet b/apparmor.d/system-config-printer-applet
index 22f0e2cd0..a50db5b4e 100644
--- a/apparmor.d/system-config-printer-applet
+++ b/apparmor.d/system-config-printer-applet
@@ -9,16 +9,19 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/system-config-printer-applet /usr/share/system-config-printer/applet.py
 profile system-config-printer-applet @{exec_path} {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
 @{exec_path} mrix,
@@ -29,5 +32,5 @@ profile system-config-printer-applet @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/system_tor b/apparmor.d/system_tor
index dfaa967ce..5e927f2ff 100644
--- a/apparmor.d/system_tor
+++ b/apparmor.d/system_tor
@@ -1,9 +1,9 @@
 # vim:syntax=apparmor
-#include
+include
 profile system_tor flags=(attach_disconnected) {
- #include
- #include
+ include
+ include
 owner /var/lib/tor/** rwk,
 owner /var/lib/tor/ r,
@@ -22,5 +22,5 @@ profile system_tor flags=(attach_disconnected) {
 /{,var/}run/systemd/notify w,
 # Site-specific additions and overrides. See local/README for details.
- #include
+ include
 }
diff --git a/apparmor.d/systemd-analyze b/apparmor.d/systemd-analyze
index 73e5e91c2..724eaf364 100644
--- a/apparmor.d/systemd-analyze
+++ b/apparmor.d/systemd-analyze
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/systemd-analyze
 profile systemd-analyze @{exec_path} {
- #include
- #include
+ include
+ include
 # Needed for the prctl's PR_SET_MM option:
 # prctl(PR_SET_MM, PR_SET_MM_ARG_START, 0x721691edc000, 0, 0) = -1 EPERM (Operation not permitted)
@@ -58,5 +58,5 @@ profile systemd-analyze @{exec_path} {
 /etc/default/locale r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/systemd-fsck b/apparmor.d/systemd-fsck
index ac59ec6a0..57571dd10 100644
--- a/apparmor.d/systemd-fsck
+++ b/apparmor.d/systemd-fsck
@@ -9,16 +9,16 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/systemd/systemd-fsck
 profile systemd-fsck @{exec_path} flags=(complain) {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 capability net_admin,
 capability sys_resource,
@@ -30,5 +30,5 @@ profile systemd-fsck @{exec_path} flags=(complain) {
 owner @{run}/systemd/quotacheck w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/systemd-fsckd b/apparmor.d/systemd-fsckd
index fc799f975..2facf213e 100644
--- a/apparmor.d/systemd-fsckd
+++ b/apparmor.d/systemd-fsckd
@@ -9,15 +9,15 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/systemd/systemd-fsckd
 profile systemd-fsckd @{exec_path} flags=(complain) {
- #include
- #include
- #include
+ include
+ include
+ include
 capability net_admin,
 capability sys_tty_config,
@@ -26,5 +26,5 @@ profile systemd-fsckd @{exec_path} flags=(complain) {
 owner @{run}/systemd/fsck.progress w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/systemd-journalctl b/apparmor.d/systemd-journalctl
index 06995c9ac..48522feb7 100644
--- a/apparmor.d/systemd-journalctl
+++ b/apparmor.d/systemd-journalctl
@@ -9,15 +9,15 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/journalctl
 profile systemd-journalctl @{exec_path} {
- #include
- #include
- #include
+ include
+ include
+ include
 capability sys_resource,
@@ -46,5 +46,7 @@ profile systemd-journalctl @{exec_path} {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- #include if exists
+ owner @{PROC}/@{pid}/cgroup r,
+
+ include if exists
 }
diff --git a/apparmor.d/systemd-journald b/apparmor.d/systemd-journald
index 30a303bcf..71931f46c 100644
--- a/apparmor.d/systemd-journald
+++ b/apparmor.d/systemd-journald
@@ -9,15 +9,15 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/systemd/systemd-journald
 profile systemd-journald @{exec_path} {
- #include
- #include
- #include
+ include
+ include
+ include
 capability syslog,
 capability sys_ptrace,
@@ -52,6 +52,7 @@ profile systemd-journald @{exec_path} {
 @{sys}/devices/**/uevent r,
 @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+ @{sys}/module/printk/parameters/time r,
 @{PROC}/@{pids}/comm r,
 @{PROC}/@{pids}/cmdline r,
@@ -64,9 +65,8 @@ profile systemd-journald @{exec_path} {
 /dev/kmsg rw,
- /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/systemd-modules-load b/apparmor.d/systemd-modules-load
index 96b55bbe5..7010869c0 100644
--- a/apparmor.d/systemd-modules-load
+++ b/apparmor.d/systemd-modules-load
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/systemd/systemd-modules-load
 profile systemd-modules-load @{exec_path} {
- #include
- #include
+ include
+ include
 # To load kernel modules
 capability sys_module,
@@ -33,5 +33,5 @@ profile systemd-modules-load @{exec_path} {
 /etc/modules-load.d/ r,
 /etc/modules-load.d/*.conf r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/systemd-networkd b/apparmor.d/systemd-networkd
index 7e70e252f..d4a4145df 100644
--- a/apparmor.d/systemd-networkd
+++ b/apparmor.d/systemd-networkd
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/systemd/systemd-networkd
 profile systemd-networkd @{exec_path} flags=(complain) {
- #include
- #include
+ include
+ include
 capability net_admin,
 capability net_raw,
@@ -49,5 +49,5 @@ profile systemd-networkd @{exec_path} flags=(complain) {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/systemd-networkd-wait-online b/apparmor.d/systemd-networkd-wait-online
index 7ab4c7aa2..4bf673cb4 100644
--- a/apparmor.d/systemd-networkd-wait-online
+++ b/apparmor.d/systemd-networkd-wait-online
@@ -9,18 +9,18 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/systemd/systemd-networkd-wait-online
 profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
- #include
- #include
+ include
+ include
 @{exec_path} mr,
 @{run}/systemd/netif/links/[0-9]* r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/systemd-rfkill b/apparmor.d/systemd-rfkill
index c27e7ca27..8010e5947 100644
--- a/apparmor.d/systemd-rfkill
+++ b/apparmor.d/systemd-rfkill
@@ -9,17 +9,19 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/systemd/systemd-rfkill
 profile systemd-rfkill @{exec_path} {
- #include
- #include
+ include
+ include
 capability net_admin,
+ network netlink raw,
+
 @{exec_path} mr,
 /dev/rfkill rw,
@@ -32,5 +34,5 @@ profile systemd-rfkill @{exec_path} {
 @{run}/udev/data/+rfkill:* r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/systemd-shutdown b/apparmor.d/systemd-shutdown
index 98e5c014b..81fcdfef3 100644
--- a/apparmor.d/systemd-shutdown
+++ b/apparmor.d/systemd-shutdown
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/systemd/systemd-shutdown
 profile systemd-shutdown @{exec_path} flags=(complain) {
- #include
- #include
+ include
+ include
 capability sys_resource,
 capability sys_boot,
@@ -34,5 +34,5 @@ profile systemd-shutdown @{exec_path} flags=(complain) {
 owner @{PROC}/sys/kernel/core_pattern w,
 owner @{PROC}/sys/kernel/printk rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/systemd-sysctl b/apparmor.d/systemd-sysctl
index c634f4010..8879c6e68 100644
--- a/apparmor.d/systemd-sysctl
+++ b/apparmor.d/systemd-sysctl
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/systemd/systemd-sysctl
 profile systemd-sysctl @{exec_path} {
- #include
- #include
+ include
+ include
 # Are these needed?
 deny capability sys_ptrace,
@@ -33,5 +33,5 @@ profile systemd-sysctl @{exec_path} {
 /etc/sysctl.conf r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/systemd-timedated b/apparmor.d/systemd-timedated
index 6363e5cea..22c08d5be 100644
--- a/apparmor.d/systemd-timedated
+++ b/apparmor.d/systemd-timedated
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/systemd/systemd-timedated
 profile systemd-timedated @{exec_path} {
- #include
- #include
+ include
+ include
 capability sys_time,
@@ -33,5 +33,5 @@ profile systemd-timedated @{exec_path} {
 /etc/.#timezone* rw,
 /etc/timezone rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/systemd-timesyncd b/apparmor.d/systemd-timesyncd
index a9af280cb..2a7cfeed5 100644
--- a/apparmor.d/systemd-timesyncd
+++ b/apparmor.d/systemd-timesyncd
@@ -9,15 +9,15 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
 profile systemd-timesyncd @{exec_path} {
- #include
- #include
- #include
+ include
+ include
+ include
 capability sys_time,
@@ -30,5 +30,5 @@ profile systemd-timesyncd @{exec_path} {
 owner @{run}/systemd/timesync/synchronized rw,
 @{run}/systemd/netif/state r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/tasksel b/apparmor.d/tasksel
index 890e721a2..458480ace 100644
--- a/apparmor.d/tasksel
+++ b/apparmor.d/tasksel
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/tasksel
 profile tasksel @{exec_path} flags=(complain) {
- #include
- #include
+ include
+ include
 @{exec_path} r,
 /{usr/,}bin/perl r,
@@ -44,7 +44,7 @@ profile tasksel @{exec_path} flags=(complain) {
 profile tasksel-tests flags=(complain) {
- #include
+ include
 /{usr/,}lib/tasksel/tests/* r,
 /{usr/,}bin/{,ba,da}sh rix,
@@ -52,10 +52,10 @@ profile tasksel @{exec_path} flags=(complain) {
 }
 profile frontend flags=(complain) {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 /usr/share/debconf/frontend r,
 /{usr/,}bin/perl r,
@@ -80,5 +80,5 @@ profile tasksel @{exec_path} flags=(complain) {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/telegram-desktop b/apparmor.d/telegram-desktop
index a8d0ffcf9..9c3fa1b34 100644
--- a/apparmor.d/telegram-desktop
+++ b/apparmor.d/telegram-desktop
@@ -9,32 +9,39 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{TELEGRAM_WORK_DIR} = /media/Kabi/telegram
 @{exec_path} = /{usr/,}bin/telegram-desktop
 profile telegram-desktop @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink dgram,
+ network netlink raw,
 @{exec_path} mr,
@@ -85,8 +92,8 @@ profile telegram-desktop @{exec_path} {
 profile open {
- #include
- #include
+ include
+ include
 /{usr/,}bin/xdg-open mr,
@@ -107,5 +114,5 @@ profile telegram-desktop @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/tftp b/apparmor.d/tftp
index dc137b271..0aa03ab50 100644
--- a/apparmor.d/tftp
+++ b/apparmor.d/tftp
@@ -9,17 +9,17 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/tftp
 profile tftp @{exec_path} {
- #include
- #include
- #include
+ include
+ include
+ include
 @{exec_path} mr,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/thinkfan b/apparmor.d/thinkfan
index fe22079b3..8a1a0a7d9 100644
--- a/apparmor.d/thinkfan
+++ b/apparmor.d/thinkfan
@@ -9,13 +9,13 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}sbin/thinkfan
 profile thinkfan @{exec_path} {
- #include
+ include
 @{exec_path} mr,
@@ -30,6 +30,6 @@ profile thinkfan @{exec_path} {
 owner @{run}/thinkfan.pid rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/thunderbird b/apparmor.d/thunderbird
index a516ed3a8..e03a3a77f 100644
--- a/apparmor.d/thunderbird
+++ b/apparmor.d/thunderbird
@@ -12,9 +12,9 @@
 # http://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird
 #
-#abi ,
+abi ,
-#include
+include
 @{MOZ_LIBDIR} = /{usr/,}lib/thunderbird
 @{MOZ_HOMEDIR} = @{HOME}/.thunderbird
@@ -23,25 +23,31 @@
 @{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin}
 @{exec_path} += /{usr/,}bin/thunderbird
 profile thunderbird @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 ptrace peer=@{profile_name},
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
 # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
 # to "1".
 capability sys_admin,
@@ -192,8 +198,12 @@ profile thunderbird @{exec_path} {
 profile gpg {
- #include
- #include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
 /{usr/,}bin/gpgconf mr,
 /{usr/,}bin/gpg mr,
@@ -237,8 +247,8 @@ profile thunderbird @{exec_path} {
 }
 profile open {
- #include
- #include
+ include
+ include
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/exo-open mr,
@@ -260,5 +270,5 @@ profile thunderbird @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/tint2 b/apparmor.d/tint2
index d374565c1..ad1ef41aa 100644
--- a/apparmor.d/tint2
+++ b/apparmor.d/tint2
@@ -9,18 +9,20 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/tint2
 profile tint2 @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink dgram,
 @{exec_path} mr,
@@ -65,5 +67,5 @@ profile tint2 @{exec_path} {
 owner /dev/tty[0-9]* rw,
 owner @{HOME}/.xsession-errors w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/tint2conf b/apparmor.d/tint2conf
index 79a76d7c5..6c05ec138 100644
--- a/apparmor.d/tint2conf
+++ b/apparmor.d/tint2conf
@@ -9,18 +9,18 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/tint2conf
 profile tint2conf @{exec_path} {
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
 @{exec_path} mr,
@@ -46,5 +46,5 @@ profile tint2conf @{exec_path} {
 # file_inherit
 owner /dev/tty[0-9]* rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/top b/apparmor.d/top
index e73d2f795..3c159049e 100644
--- a/apparmor.d/top
+++ b/apparmor.d/top
@@ -9,17 +9,17 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 # When any of the "ns*" fields is displayed, the following error will be printed:
 # "Failed name lookup - disconnected path" error=-13 profile="top" name="".
 @{exec_path} = /{usr/,}bin/top
 profile top @{exec_path} flags=(attach_disconnected) {
- #include
- #include
- #include
+ include
+ include
+ include
 # To be able to read the /proc/ files of all processes in the system.
 capability dac_read_search,
@@ -76,5 +76,5 @@ profile top @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.config/procps/ rw,
 owner @{HOME}/.config/procps/toprc rw,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/torbrowser.Browser.firefox b/apparmor.d/torbrowser.Browser.firefox
index 57c03594b..c8236f6b1 100644
--- a/apparmor.d/torbrowser.Browser.firefox
+++ b/apparmor.d/torbrowser.Browser.firefox
@@ -1,15 +1,15 @@
-#include
-#include
+include
+include
 @{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
 profile torbrowser_firefox @{torbrowser_firefox_executable} {
- #include
- #include
+ include
+ include
 # Uncomment the following lines if you want to give the Tor Browser read-write
 # access to most of your personal files.
- # #include
+ # include
 # @{HOME}/ r,
 # Audio support
@@ -148,5 +148,5 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 # Yubikey NEO also needs this:
 /sys/devices/**/hidraw/hidraw*/uevent r,
- #include
+ include
 }
diff --git a/apparmor.d/torbrowser.Browser.plugin-container b/apparmor.d/torbrowser.Browser.plugin-container
index fdf5fda19..b96dcb511 100644
--- a/apparmor.d/torbrowser.Browser.plugin-container
+++ b/apparmor.d/torbrowser.Browser.plugin-container
@@ -1,10 +1,10 @@
-#include
-#include
+include
+include
 @{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
 profile torbrowser_plugin_container {
- #include
+ include
 # Uncomment the following lines if you want Tor Browser
 # to have direct access to your sound hardware. You will also
@@ -12,7 +12,7 @@ profile torbrowser_plugin_container {
 # - the "deny" word in the machine-id lines
 # - the rules that deny reading /etc/pulse/client.conf
 # and executing /usr/bin/pulseaudio
- # #include
+ # include
 # /etc/asound.conf r,
 # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
@@ -100,5 +100,5 @@ profile torbrowser_plugin_container {
 deny /etc/pulse/client.conf r,
 deny /usr/bin/pulseaudio x,
- #include
+ include
 }
diff --git a/apparmor.d/torbrowser.Tor.tor b/apparmor.d/torbrowser.Tor.tor
index f5b817790..cb15d6c8f 100644
--- a/apparmor.d/torbrowser.Tor.tor
+++ b/apparmor.d/torbrowser.Tor.tor
@@ -1,10 +1,10 @@
-#include
-#include
+include
+include
 @{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor
 profile torbrowser_tor @{torbrowser_tor_executable} {
- #include
+ include
 network netlink raw,
 network tcp,
@@ -24,7 +24,7 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
 # Support some of the included pluggable transports
 owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix,
 @{PROC}/sys/net/core/somaxconn r,
- #include
+ include
 # Silence file_inherit logs
 deny @{torbrowser_home_dir}/{browser/,}omni.ja r,
@@ -42,5 +42,5 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
 # OnionShare compatibility
 /tmp/onionshare/** rw,
- #include
+ include
 }
diff --git a/apparmor.d/torify b/apparmor.d/torify
index 279db4236..d15583776 100644
--- a/apparmor.d/torify
+++ b/apparmor.d/torify
@@ -9,16 +9,16 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/torify
 profile torify @{exec_path} {
- #include
+ include
 @{exec_path} r,
 /{usr/,}bin/{,ba,da}sh rix,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/torsocks b/apparmor.d/torsocks
index cb1a5db33..e5119281f 100644
--- a/apparmor.d/torsocks
+++ b/apparmor.d/torsocks
@@ -9,16 +9,16 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/torsocks
 profile torsocks @{exec_path} {
- #include
+ include
 @{exec_path} r,
 /{usr/,}bin/{,ba,da}sh rix,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/tpacpi-bat b/apparmor.d/tpacpi-bat
index 742966980..ca4cc9d89 100644
--- a/apparmor.d/tpacpi-bat
+++ b/apparmor.d/tpacpi-bat
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/tpacpi-bat
 profile tpacpi-bat @{exec_path} {
- #include
- #include
+ include
+ include
 @{exec_path} mr,
 /{usr/,}bin/perl r,
@@ -32,5 +32,5 @@ profile tpacpi-bat @{exec_path} {
 @{sys}/devices/virtual/dmi/id/product_version r,
 @{sys}/devices/**/path r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/tunables/apparmorfs b/apparmor.d/tunables/apparmorfs
index 8df867592..2028097f5 100644
--- a/apparmor.d/tunables/apparmorfs
+++ b/apparmor.d/tunables/apparmorfs
@@ -6,6 +6,6 @@
 #
 # ------------------------------------------------------------------
-#include
+include
 @{apparmorfs}=@{securityfs}/apparmor/
diff --git a/apparmor.d/tunables/etc b/apparmor.d/tunables/etc
new file mode 100644
index 000000000..c144621df
--- /dev/null
+++ b/apparmor.d/tunables/etc
@@ -0,0 +1,25 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# @{etc_ro} contains a space-separated list of the system configuration directories. +# Traditionally this means /etc/, but when using a read-only / filesystem and/or +# with the goal of having only user-modified config files in /etc/, directories +# like /usr/etc/ get introduced for storing the default config. + +# @{etc_ro} contains read-only directories with configuration files. +# Do not use @{etc_ro} in rules that allow write access. +@{etc_ro}=/etc/ /usr/etc/ + +# @{etc_rw} contains directories where writing to configuration files is allowed. +@{etc_rw}=/etc/ + +# Also, include files in tunables/etc.d/ for site-specific adjustments to +# @{etc_ro} and @{etc_rw}. +include if exists diff --git a/apparmor.d/tunables/global b/apparmor.d/tunables/global index 3b6f99cc7..3dd4bfdb1 100644 --- a/apparmor.d/tunables/global +++ b/apparmor.d/tunables/global @@ -12,11 +12,12 @@ # All the tunables definitions that should be available to every profile # should be included here -#include -#include -#include -#include -#include -#include -#include -#include +include +include +include +include +include +include +include +include +include diff --git a/apparmor.d/tunables/home b/apparmor.d/tunables/home index 550ccd5d7..4df34b55f 100644 --- a/apparmor.d/tunables/home +++ b/apparmor.d/tunables/home @@ -22,4 +22,4 @@ # Also, include files in tunables/home.d for site-specific adjustments to # @{HOMEDIRS}. -#include +include diff --git a/apparmor.d/tunables/multiarch b/apparmor.d/tunables/multiarch index c54082e02..32fd1aa10 100644 --- a/apparmor.d/tunables/multiarch 
+++ b/apparmor.d/tunables/multiarch @@ -14,4 +14,4 @@ # Also, include files in tunables/multiarch.d for site and packaging # specific adjustments to @{multiarch}. -#include +include diff --git a/apparmor.d/tunables/xdg-user-dirs b/apparmor.d/tunables/xdg-user-dirs index fcaf8d40d..9488f96a2 100644 --- a/apparmor.d/tunables/xdg-user-dirs +++ b/apparmor.d/tunables/xdg-user-dirs @@ -21,4 +21,4 @@ # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments # to the various XDG directories -#include +include diff --git a/apparmor.d/tune2fs b/apparmor.d/tune2fs index 9646466a5..33333e075 100644 --- a/apparmor.d/tune2fs +++ b/apparmor.d/tune2fs @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{tune2fs,e2label} profile tune2fs @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -33,5 +33,5 @@ profile tune2fs @{exec_path} { @{HOME}/** rw, /media/*/** rw, - #include if exists + include if exists } diff --git a/apparmor.d/ucf b/apparmor.d/ucf index 13a2a14da..3b90c5db2 100644 --- a/apparmor.d/ucf +++ b/apparmor.d/ucf @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ucf profile ucf @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -73,8 +73,8 @@ profile ucf @{exec_path} flags=(complain) { profile pager flags=(complain) { - #include - #include + include + include /{usr/,}bin/ r, /{usr/,}bin/sensible-pager mr, @@ -85,10 +85,10 @@ profile ucf @{exec_path} flags=(complain) { } profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, 
@@ -103,10 +103,10 @@ profile ucf @{exec_path} flags=(complain) { owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, # The following is needed when debconf uses GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -115,5 +115,5 @@ profile ucf @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/udevadm b/apparmor.d/udevadm index 2c9bbf726..18f48320b 100644 --- a/apparmor.d/udevadm +++ b/apparmor.d/udevadm @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udevadm @{exec_path} += /{usr/,}lib/systemd/systemd-udevd profile udevadm @{exec_path} flags=(complain,attach_disconnected) { - #include - #include - #include - #include + include + include + include + include # (##FIXME##) capability sys_admin, @@ -34,6 +34,10 @@ profile udevadm @{exec_path} flags=(complain,attach_disconnected) { ptrace (read), + network inet dgram, + network inet6 dgram, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/chgrp rix, @@ -83,5 +87,5 @@ profile udevadm @{exec_path} flags=(complain,attach_disconnected) { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/udiskie b/apparmor.d/udiskie index 0f4508297..e1c0d092c 100644 --- a/apparmor.d/udiskie +++ b/apparmor.d/udiskie 
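Review bot: The three new `network` rules in the udevadm hunk (`network inet dgram,`, `network inet6 dgram,`, `network netlink raw,`) carry no why-comment, although the same profile annotates its capability lines (`# (##FIXME##)` above `capability sys_admin,`). Now that the `abi ,` line (target `abi/3.0`, added by this commit) is active, socket use is mediated, so each rule stands for a real socket the tool opens; record that, e.g. `# uevent monitoring over netlink` above `network netlink raw,`. The `inet`/`inet6 dgram` pair in particular deserves a sentence, because a device-management tool is not expected to open IP sockets and the profile runs in complain mode, where an over-collected rule never shows up as a failure. The same uncommented `network netlink raw,` addition appears in udisksd and upowerd; in upowerd it is also placed between the include and `@{exec_path} mr,` rather than with the capability block as in the other profiles.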
@@ -9,25 +9,25 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udiskie profile udiskie @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9] r, @@ -54,8 +54,8 @@ profile udiskie @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -71,5 +71,5 @@ profile udiskie @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/udiskie-info b/apparmor.d/udiskie-info index 7bdfaa1c9..afb06a459 100644 --- a/apparmor.d/udiskie-info +++ b/apparmor.d/udiskie-info @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udiskie-info profile udiskie-info @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9] r, @@ -28,5 +28,5 @@ profile udiskie-info @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/udiskie-mount b/apparmor.d/udiskie-mount index 7bdf8770b..eee23302c 100644 --- a/apparmor.d/udiskie-mount +++ b/apparmor.d/udiskie-mount @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udiskie-mount profile udiskie-mount @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9] r, @@ -28,5 +28,5 @@ profile udiskie-mount @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/udiskie-umount b/apparmor.d/udiskie-umount index 8e21a0839..ffe1affe3 100644 
--- a/apparmor.d/udiskie-umount +++ b/apparmor.d/udiskie-umount @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udiskie-umount profile udiskie-umount @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9] r, @@ -28,5 +28,5 @@ profile udiskie-umount @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/udisksctl b/apparmor.d/udisksctl index 8d2d62abd..d96df14d6 100644 --- a/apparmor.d/udisksctl +++ b/apparmor.d/udisksctl @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udisksctl profile udisksctl @{exec_path} { - #include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/udisksd b/apparmor.d/udisksd index 6e472617e..25d609bd5 100644 --- a/apparmor.d/udisksd +++ b/apparmor.d/udisksd @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/udisks2/udisksd @{exec_path} += /usr/libexec/udisks2/udisksd profile udisksd @{exec_path} { - #include - #include - #include + include + include + include # To remove the following errors: # udisksd[]: Error probing device: Error sending ATA command IDENTIFY DEVICE to '/dev/sda': @@ -33,6 +33,8 @@ profile udisksd @{exec_path} { # Needed? deny capability sys_nice, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -131,7 +133,7 @@ profile udisksd @{exec_path} { profile systemd-escape { - #include + include ptrace (read), @@ -149,5 +151,5 @@ profile udisksd @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/umount b/apparmor.d/umount index b55a082c8..f72b0166d 100644 --- a/apparmor.d/umount +++ b/apparmor.d/umount 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/umount profile umount @{exec_path} flags=(complain) { - #include + include # To be able to umount anything # umount2("/mnt", 0) = -1 EPERM (Operation not permitted) @@ -28,6 +28,9 @@ profile umount @{exec_path} flags=(complain) { umount, + network inet stream, + network inet6 stream, + @{exec_path} mr, # Mount points @@ -48,5 +51,5 @@ profile umount @{exec_path} flags=(complain) { owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab.lock wk, - #include if exists + include if exists } diff --git a/apparmor.d/uname b/apparmor.d/uname index 2cfc94050..edadf2230 100644 --- a/apparmor.d/uname +++ b/apparmor.d/uname @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/uname profile uname @{exec_path} { - #include - #include + include + include @{exec_path} mr, # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/unhide-linux b/apparmor.d/unhide-linux index 9f48f3b95..89548433d 100644 --- a/apparmor.d/unhide-linux +++ b/apparmor.d/unhide-linux @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/unhide{,-linux} profile unhide-linux @{exec_path} { - #include + include capability kill, capability sys_ptrace, @@ -40,5 +40,5 @@ profile unhide-linux @{exec_path} { @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/osrelease r, - #include if exists + include if exists } diff --git a/apparmor.d/unhide-posix b/apparmor.d/unhide-posix index 550a55cbc..07eaf0a3d 100644 --- a/apparmor.d/unhide-posix +++ b/apparmor.d/unhide-posix 
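Review bot: `network inet stream,` and `network inet6 stream,` give the umount profile TCP sockets to any peer, and nothing in the hunk says why a local unmount needs them; presumably this covers unmounting network filesystems, where the client or a helper contacts the server, but that is inferred. A comment such as `# Unmounting network filesystems (NFS/CIFS) contacts the server` above the two rules would tell the next maintainer whether they can be dropped on hosts without network mounts. umount is in complain mode here, so the rules were presumably copied from log entries; citing the originating entry in the comment would settle it.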
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/unhide-posix profile unhide-posix @{exec_path} { - #include - #include + include + include capability sys_ptrace, @@ -43,5 +43,5 @@ profile unhide-posix @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/tty/drivers r, - #include if exists + include if exists } diff --git a/apparmor.d/unhide-rb b/apparmor.d/unhide-rb index 8ca7c5453..984a1b979 100644 --- a/apparmor.d/unhide-rb +++ b/apparmor.d/unhide-rb @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/unhide_rb profile unhide-rb @{exec_path} { - #include + include capability sys_ptrace, @@ -27,5 +27,5 @@ profile unhide-rb @{exec_path} { @{PROC}/@{pids}/task/ r, - #include if exists + include if exists } diff --git a/apparmor.d/unhide-tcp b/apparmor.d/unhide-tcp index 48917e271..457744cfe 100644 --- a/apparmor.d/unhide-tcp +++ b/apparmor.d/unhide-tcp @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/unhide-tcp profile unhide-tcp @{exec_path} { - #include + include capability net_bind_service, capability syslog, @@ -38,5 +38,5 @@ profile unhide-tcp @{exec_path} { # For logs /**/unhide-tcp_[0-9]*-[0-9]*-[0-9]*.log w, - #include if exists + include if exists } diff --git a/apparmor.d/unix-chkpwd b/apparmor.d/unix-chkpwd index 5e2542c9f..57bf62c93 100644 --- a/apparmor.d/unix-chkpwd +++ b/apparmor.d/unix-chkpwd 
@@ -9,18 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/unix_chkpwd profile unix-chkpwd @{exec_path} { - #include - #include + include + include # To write records to the kernel auditing log. capability audit_write, + network netlink raw, + @{exec_path} mr, /etc/shadow r, @@ -28,5 +30,5 @@ profile unix-chkpwd @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/unmkinitramfs b/apparmor.d/unmkinitramfs index a6330fde8..4af9bd707 100644 --- a/apparmor.d/unmkinitramfs +++ b/apparmor.d/unmkinitramfs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/unmkinitramfs profile unmkinitramfs @{exec_path} { - #include + include # To avoid the following error: # cpio: etc/console-setup/null: Cannot mknod: Operation not permitted @@ -49,5 +49,5 @@ profile unmkinitramfs @{exec_path} { /var/tmp/ r, owner /var/tmp/unmkinitramfs_* rw, - #include if exists + include if exists } diff --git a/apparmor.d/update-alternatives b/apparmor.d/update-alternatives index 3c4d35687..f1db00cec 100644 --- a/apparmor.d/update-alternatives +++ b/apparmor.d/update-alternatives @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/update-alternatives profile update-alternatives @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -35,5 +35,5 @@ profile update-alternatives @{exec_path} { /usr/** rw, - #include if exists + include if exists } diff --git a/apparmor.d/update-apt-xapian-index b/apparmor.d/update-apt-xapian-index index 3dbec0323..65ec6a8f5 100644 --- a/apparmor.d/update-apt-xapian-index +++ b/apparmor.d/update-apt-xapian-index 
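Review bot: The new `network netlink raw,` in unix-chkpwd sits a blank line below `# To write records to the kernel auditing log.` / `capability audit_write,` but is not tied to it; audit records are submitted over an AF_NETLINK raw socket (NETLINK_AUDIT), so the rule is the second half of the same requirement. Either move it directly under that comment or add `# The audit record itself is sent over a netlink raw socket.` above it, so a later cleanup does not remove one half of the pair. useradd receives the same addition after the same `capability audit_write,` comment and would benefit from the same note.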
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -43,6 +43,6 @@ profile update-apt-xapian-index @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/update-ca-certificates b/apparmor.d/update-ca-certificates index 18682176d..8acedd0b0 100644 --- a/apparmor.d/update-ca-certificates +++ b/apparmor.d/update-ca-certificates @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-ca-certificates profile update-ca-certificates @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -38,9 +38,11 @@ profile update-ca-certificates @{exec_path} { /{usr/,}bin/openssl rix, + /etc/ca-certificates/update.d/ r, /etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore, /{usr/,}bin/run-parts rCx -> run-parts, + /etc/ r, /etc/ca-certificates.conf r, /etc/ssl/certs/ca-certificates.crt rw, /etc/ssl/certs/*.pem rw, @@ -48,13 +50,19 @@ profile update-ca-certificates @{exec_path} { /{usr/,}lib/locale/locale-archive r, + /tmp/ r, owner /tmp/ca-certificates{,.crt}.tmp.* rw, + # For shell pwd + /root/ r, + + /usr/local/share/ r, + @{PROC}/filesystems r, profile run-parts { - #include + include /{usr/,}bin/run-parts mr, 
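Review bot: `/root/ r,` under `# For shell pwd` authorises a directory listing of root's home, which is wider than the comment suggests; the comment should record the operation that was actually denied (presumably the shell inspecting its working directory when the tool is started from /root/), because the same read will be requested for whatever directory the tool is run from and a reader of the profile cannot tell whether that was considered. The same pattern is added in update-smart-drivedb and usb-devices, and update-dlocatedb swaps `/ r,` for `/root/ r,` under the same comment, which changes which directory is listable rather than narrowing the rule. `/tmp/ r,` and `/etc/ r,` in the same hunk likewise permit enumerating those directories; a short note on which step needs them (the `/etc/ca-certificates/update.d/ r,` read is self-explanatory for run-parts, these two are not) would help.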
@@ -66,13 +74,16 @@ profile update-ca-certificates @{exec_path} { } profile jks-keystore { - #include - #include - #include + include + include + include /etc/ca-certificates/update.d/jks-keystore mr, + /{usr/,}lib/ r, /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix, + /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix, + /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/sed rix, @@ -89,6 +100,8 @@ profile update-ca-certificates @{exec_path} { /etc/java-[0-9]*-openjdk/{,**} r, + owner @{PROC}/@{pid}/coredump_filter rw, + owner @{PROC}/@{pid}/coredump rw, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, @{sys}/fs/cgroup/** r, @@ -101,5 +114,5 @@ profile update-ca-certificates @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/update-command-not-found b/apparmor.d/update-command-not-found index c01b15330..116262f98 100644 --- a/apparmor.d/update-command-not-found +++ b/apparmor.d/update-command-not-found @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/command-not-found/cnf-update-db @{exec_path} += /{usr/,}sbin/update-command-not-found profile update-command-not-found @{exec_path} { - #include - #include - #include + include + include + include #capability sys_tty_config, @@ -48,5 +48,5 @@ profile update-command-not-found @{exec_path} { # file_inherit /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/update-desktop-database b/apparmor.d/update-desktop-database index 1e21e7ca7..bfa10b1fa 100644 --- a/apparmor.d/update-desktop-database +++ b/apparmor.d/update-desktop-database 
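Review bot: `owner @{PROC}/@{pid}/coredump rw,` in the jks-keystore subprofile names a procfs entry I cannot match to a kernel node; `coredump_filter` is the file the JVM writes at startup, and the second rule reads like a near-duplicate added by hand. If it came from an actual audit entry keep it and cite the entry in a comment; otherwise drop it so the subprofile does not carry a rule that never matches. The hunk shows only the middle of `profile jks-keystore {`; its closing brace is outside the hunk.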
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/update-desktop-database profile update-desktop-database @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile update-desktop-database @{exec_path} { /usr/share/*/*.desktop r, - #include if exists + include if exists } diff --git a/apparmor.d/update-dlocatedb b/apparmor.d/update-dlocatedb index d1bfddb0b..c1d500f23 100644 --- a/apparmor.d/update-dlocatedb +++ b/apparmor.d/update-dlocatedb @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-dlocatedb profile update-dlocatedb @{exec_path} { - #include - #include + include + include @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -37,12 +37,12 @@ profile update-dlocatedb @{exec_path} { /var/lib/dlocate/dpkg-list w, # For shell pwd - / r, + /root/ r, profile updatedb { - #include - #include + include + include /usr/share/dlocate/updatedb r, /{usr/,}bin/perl r, @@ -66,5 +66,5 @@ profile update-dlocatedb @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/update-initramfs b/apparmor.d/update-initramfs index e8793583e..bcb5727f6 100644 --- a/apparmor.d/update-initramfs +++ b/apparmor.d/update-initramfs @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-initramfs profile update-initramfs @{exec_path} { - #include - #include + include + include @{exec_path} rix, /{usr/,}bin/{,ba,da}sh rix, @@ -55,5 +55,5 @@ profile update-initramfs @{exec_path} { owner /boot/initrd.img-* rw, owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, - #include if exists + include if exists } diff --git a/apparmor.d/update-pciids b/apparmor.d/update-pciids index d29747f92..d10b58893 100644 
--- a/apparmor.d/update-pciids +++ b/apparmor.d/update-pciids @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-pciids profile update-pciids @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -49,10 +49,15 @@ profile update-pciids @{exec_path} { profile browse { - #include - #include - #include - #include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, /{usr/,}bin/wget mr, /{usr/,}bin/curl mr, @@ -66,5 +71,5 @@ profile update-pciids @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/update-smart-drivedb b/apparmor.d/update-smart-drivedb index c9d2afddf..5e7439300 100644 --- a/apparmor.d/update-smart-drivedb +++ b/apparmor.d/update-smart-drivedb @@ -9,13 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-smart-drivedb profile update-smart-drivedb @{exec_path} { - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -32,6 +33,7 @@ profile update-smart-drivedb @{exec_path} { /{usr/,}bin/mv rix, /{usr/,}bin/cmp rix, + /{usr/,}sbin/ r, /{usr/,}sbin/smartctl rPx, /{usr/,}bin/gpg rCx -> gpg, @@ -43,9 +45,13 @@ profile update-smart-drivedb @{exec_path} { owner /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/{,**} rw, + # For shell pwd + /root/ r, + profile gpg { - #include + include + include /{usr/,}bin/gpg mr, @@ -61,10 +67,16 @@ profile update-smart-drivedb @{exec_path} { } profile browse { - #include - #include - #include - #include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, /{usr/,}bin/wget mr, /{usr/,}bin/curl mr, 
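Review bot: The four-rule `network` block added to the `browse` subprofile of update-pciids (and the identical block in update-smart-drivedb) has no comment; since `browse` only wraps `/{usr/,}bin/wget mr,` and `/{usr/,}bin/curl mr,`, a one-liner such as `# DNS (dgram) and HTTP(S) (stream) for wget/curl` ties each rule to its purpose. These rules admit any peer, so the subprofile boundary is what keeps the permission local to the download step; keep the block inside `browse` rather than hoisting it to the parent profile. `/{usr/,}sbin/ r,` in update-smart-drivedb also permits listing the whole sbin directory — presumably the script probes for `smartctl` there, which is worth confirming and noting. Both `browse` subprofiles close outside their hunks.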
@@ -85,5 +97,5 @@ profile update-smart-drivedb @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/updatedb-mlocate b/apparmor.d/updatedb-mlocate index 064e13a1d..d50d19655 100644 --- a/apparmor.d/updatedb-mlocate +++ b/apparmor.d/updatedb-mlocate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/updatedb.mlocate profile updatedb-mlocate @{exec_path} { - #include - #include + include + include capability dac_read_search, capability fowner, @@ -68,5 +68,5 @@ profile updatedb-mlocate @{exec_path} { /etc/updatedb.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/upower b/apparmor.d/upower index eb77816e7..ddc2a564f 100644 --- a/apparmor.d/upower +++ b/apparmor.d/upower @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/upower profile upower @{exec_path} { - #include + include # Needed? deny capability sys_nice, @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/upowerd b/apparmor.d/upowerd index 68688aed1..33808aace 100644 --- a/apparmor.d/upowerd +++ b/apparmor.d/upowerd @@ -9,13 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/upower/upowerd /usr/libexec/upowerd profile upowerd @{exec_path} { - #include + include + + network netlink raw, @{exec_path} mr, @@ -58,5 +60,5 @@ profile upowerd @{exec_path} { @{run}/systemd/inhibit/[0-9]*.ref rw, - #include if exists + include if exists } diff --git a/apparmor.d/uptime b/apparmor.d/uptime index 59bcd59a7..4fb083a9d 100644 --- a/apparmor.d/uptime +++ b/apparmor.d/uptime 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/uptime profile uptime @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile uptime @{exec_path} { @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, - #include if exists + include if exists } diff --git a/apparmor.d/usb-devices b/apparmor.d/usb-devices index 1e8367229..6117a9ae7 100644 --- a/apparmor.d/usb-devices +++ b/apparmor.d/usb-devices @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/usb-devices profile usb-devices @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -31,5 +31,8 @@ profile usb-devices @{exec_path} { @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r, - #include if exists + # For shell pwd + /root/ r, + + include if exists } diff --git a/apparmor.d/usbguard b/apparmor.d/usbguard index ca3126c68..1010d7234 100644 --- a/apparmor.d/usbguard +++ b/apparmor.d/usbguard @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/usbguard profile usbguard @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -33,5 +33,5 @@ profile usbguard @{exec_path} { @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,product,idProduct,idVendor,serial} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/connect_type r, - #include if exists + include if exists } diff --git a/apparmor.d/usbguard-applet-qt b/apparmor.d/usbguard-applet-qt index bfc0a709b..c8ecc9f6c 100644 --- a/apparmor.d/usbguard-applet-qt +++ b/apparmor.d/usbguard-applet-qt 
@@ -9,23 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/usbguard-applet-qt profile usbguard-applet-qt @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include # Needed? ptrace (read), @@ -54,5 +54,5 @@ profile usbguard-applet-qt @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - #include if exists + include if exists } diff --git a/apparmor.d/usbguard-daemon b/apparmor.d/usbguard-daemon index 67554cde5..282113b15 100644 --- a/apparmor.d/usbguard-daemon +++ b/apparmor.d/usbguard-daemon @@ -9,19 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/usbguard-daemon profile usbguard-daemon @{exec_path} { - #include - #include + include + include # Needed? (##FIXME##) #capability chown, #capability fowner, + network netlink dgram, + @{exec_path} mr, /etc/usbguard/*.conf rw, @@ -42,5 +44,5 @@ profile usbguard-daemon @{exec_path} { @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,product,idProduct,idVendor,serial} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/connect_type r, - #include if exists + include if exists } diff --git a/apparmor.d/usbguard-dbus b/apparmor.d/usbguard-dbus index 8fd8fb748..ebcd36b36 100644 --- a/apparmor.d/usbguard-dbus +++ b/apparmor.d/usbguard-dbus @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/usbguard-dbus profile usbguard-dbus @{exec_path} { - #include + include # Needed? deny capability sys_nice, 
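Review bot: `network netlink dgram,` in usbguard-daemon is the only netlink rule in this commit that uses `dgram`; every other profile touched here (udevadm, udisksd, unix-chkpwd, upowerd, uscan, useradd, userdel) gets `network netlink raw,`. If the daemon's uevent socket really is opened as SOCK_DGRAM the rule is right, but if it was written by analogy rather than taken from a log entry the socket will be refused once the profile is enforced. Confirm against the audit record (`sock_type` field) and add `# uevent netlink socket, opened as SOCK_DGRAM` so the odd one out is visibly intentional.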
@@ -24,5 +24,5 @@ profile usbguard-dbus @{exec_path} { /dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw, /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw, - #include if exists + include if exists } diff --git a/apparmor.d/uscan b/apparmor.d/uscan index d937d6771..3d8be013c 100644 --- a/apparmor.d/uscan +++ b/apparmor.d/uscan @@ -9,20 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/uscan profile uscan @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/perl r, @@ -58,7 +64,7 @@ profile uscan @{exec_path} { owner /tmp/*/trustedkeys.gpg w, profile gpg { - #include + include /{usr/,}bin/gpg mr, /{usr/,}bin/gpgv mr, @@ -73,5 +79,5 @@ profile uscan @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/useradd b/apparmor.d/useradd index e21428980..bde29be8f 100644 --- a/apparmor.d/useradd +++ b/apparmor.d/useradd @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/useradd profile useradd @{exec_path} { - #include - #include - #include + include + include + include # To create a user home dir and give it proper permissions: # mkdir("/home/user", 000) = 0 @@ -39,6 +39,8 @@ profile useradd @{exec_path} { # To write records to the kernel auditing log. capability audit_write, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/usermod rPx, @@ -77,9 +79,9 @@ profile useradd @{exec_path} { profile pam_tally2 { - #include - #include - #include + include + include + include capability audit_write, 
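Review bot: `network netlink raw,` in the uscan profile is the one rule of the new network block that an HTTP downloader does not explain; it is presumably the NETLINK_ROUTE query glibc performs during address resolution, but that is inferred. Document it with `# Interface lookup during name resolution` (or the audit entry it came from) so it is not mistaken for a leftover when the block is revisited. The four `inet`/`inet6` rules could carry `# DNS and HTTP(S) for fetching upstream sources` in the same way.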
@@ -89,5 +91,5 @@ profile useradd @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/userdel b/apparmor.d/userdel index bcad77dfe..2a610f1f7 100644 --- a/apparmor.d/userdel +++ b/apparmor.d/userdel @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/userdel profile userdel @{exec_path} flags=(attach_disconnected) { - #include - #include - #include + include + include + include # The userdel command is issued as root and its task is to delete regular user accounts. It # optionally can remove user files (via --remove). Because of that, the userdel command needs the @@ -36,6 +36,8 @@ profile userdel @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, ptrace (read), + network netlink raw, + @{exec_path} mr, /etc/login.defs r, @@ -66,5 +68,5 @@ profile userdel @{exec_path} flags=(attach_disconnected) { # To remove user mail /var/mail/* w, - #include if exists + include if exists } diff --git a/apparmor.d/usermod b/apparmor.d/usermod index 36398914c..29ef512c1 100644 --- a/apparmor.d/usermod +++ b/apparmor.d/usermod @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/usermod profile usermod @{exec_path} flags=(attach_disconnected) { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -64,5 +64,5 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{HOME}/{,**} rw, /var/{,**} rw, - #include if exists + include if exists } diff --git a/apparmor.d/usr.bin.irssi b/apparmor.d/usr.bin.irssi index 9ba8e1c03..149c2e5ff 100644 --- a/apparmor.d/usr.bin.irssi +++ b/apparmor.d/usr.bin.irssi 
@@ -1,12 +1,12 @@ # Author: Jamie Strandboge # For use with irssi within screen -#include +include /usr/bin/irssi flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/irssi/themes/*.theme r, /usr/share/irssi/help/* r, @@ -17,7 +17,7 @@ /{usr/,}bin/dash ix, # for screen_away - #include + include /usr/bin/screen ix, owner /{,var/}run/screen/** r, owner /{,var/}run/screen/S-[a-zA-Z0-9]*/[0-9]* w, @@ -50,5 +50,5 @@ owner @{HOME}/.irssi/fnotify rwk, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.bin.lxc-start b/apparmor.d/usr.bin.lxc-start index 2f2896273..e9fdd43b6 100644 --- a/apparmor.d/usr.bin.lxc-start +++ b/apparmor.d/usr.bin.lxc-start @@ -1,5 +1,5 @@ -#include +include profile lxc-start /usr/bin/lxc-start flags=(attach_disconnected) { - #include + include } diff --git a/apparmor.d/usr.bin.man b/apparmor.d/usr.bin.man index 2d2ca199b..4b87c63b7 100644 --- a/apparmor.d/usr.bin.man +++ b/apparmor.d/usr.bin.man @@ -1,9 +1,9 @@ # vim:syntax=apparmor -#include +include /usr/bin/man { - #include + include # Use a special profile when man calls anything groff-related. We only # include the programs that actually parse input data in a non-trivial @@ -50,15 +50,15 @@ signal peer=/usr/bin/man//&man_filter, # Site-specific additions and overrides. See local/README for details. - #include + include } profile man_groff { - #include + include # Recent kernels revalidate open FDs, and there are often some still # open on TTYs. This is temporary until man learns to close irrelevant # open FDs before execve. - #include + include # man always runs its groff pipeline with the input file open on stdin, # so we can skip . 
@@ -88,11 +88,11 @@ profile man_groff { } profile man_filter { - #include + include # Recent kernels revalidate open FDs, and there are often some still # open on TTYs. This is temporary until man learns to close irrelevant # open FDs before execve. - #include + include /{,usr/}bin/bzip2 rm, /{,usr/}bin/gzip rm, diff --git a/apparmor.d/usr.bin.pidgin b/apparmor.d/usr.bin.pidgin index 5e1870201..1f6eee540 100644 --- a/apparmor.d/usr.bin.pidgin +++ b/apparmor.d/usr.bin.pidgin @@ -1,24 +1,24 @@ # vim:syntax=apparmor -#include +include /usr/bin/pidgin { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include dbus receive bus=system @@ -83,5 +83,5 @@ owner @{PROC}/@{pid}/fd/ r, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.bin.totem b/apparmor.d/usr.bin.totem index 1176965e7..8701b89e7 100644 --- a/apparmor.d/usr.bin.totem +++ b/apparmor.d/usr.bin.totem @@ -1,17 +1,17 @@ # vim:syntax=apparmor # Author: Jamie Strandboge -#include +include /usr/bin/totem { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include signal (send) set=("kill") peer=unconfined, @@ -38,7 +38,7 @@ # Allow read and write on almost anything in @{HOME}. Lenient, but # private-files-strict is in effect. - #include + include owner @{HOME}/[^.]* rw, owner @{HOME}/[^.]*/** rw, @@ -53,5 +53,5 @@ /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r, # Site-specific additions and overrides. See local/README for details. - #include + include } 
diff --git a/apparmor.d/usr.bin.totem-previewers b/apparmor.d/usr.bin.totem-previewers index 7b861d0a8..76204b23d 100644 --- a/apparmor.d/usr.bin.totem-previewers +++ b/apparmor.d/usr.bin.totem-previewers @@ -1,10 +1,10 @@ # vim:syntax=apparmor # Author: Jamie Strandboge -#include +include /usr/bin/totem-video-thumbnailer flags=(attach_disconnected) { - #include + include # Probably needed due to this program being run with bwrap @{HOMEDIRS} w, @@ -12,7 +12,7 @@ # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in # effect. - #include + include owner @{HOME}/[^.]* rw, owner @{HOME}/[^.]*/** rw, @@ -23,19 +23,19 @@ /usr/bin/totem-video-thumbnailer rm, # Site-specific additions and overrides. See local/README for details. - #include + include } /usr/bin/totem-audio-preview flags=(attach_disconnected) { - #include - #include + include + include # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in # effect. - #include + include owner @{HOME}/[^.]* rw, owner @{HOME}/[^.]*/** rw, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.lib.libreoffice.program.oosplash b/apparmor.d/usr.lib.libreoffice.program.oosplash index 565cb03c0..f5b055a1a 100644 --- a/apparmor.d/usr.lib.libreoffice.program.oosplash +++ b/apparmor.d/usr.lib.libreoffice.program.oosplash @@ -12,11 +12,11 @@ # # ------------------------------------------------------------------ -#include +include profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash flags=(complain) { - #include - #include + include + include /etc/libreoffice/ r, /etc/libreoffice/** r, diff --git a/apparmor.d/usr.lib.libreoffice.program.senddoc b/apparmor.d/usr.lib.libreoffice.program.senddoc index 75ae73fe8..12724fd6a 100644 --- a/apparmor.d/usr.lib.libreoffice.program.senddoc +++ b/apparmor.d/usr.lib.libreoffice.program.senddoc 
@@ -12,12 +12,12 @@ # # ------------------------------------------------------------------ -#include +include -profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc { - #include +profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc flags=(complain) { + include - #include + include /{usr/,}bin/sh rmix, /{usr/,}bin/bash rmix, diff --git a/apparmor.d/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/usr.lib.libreoffice.program.soffice.bin index 5b33af2a3..57dd9c994 100644 --- a/apparmor.d/usr.lib.libreoffice.program.soffice.bin +++ b/apparmor.d/usr.lib.libreoffice.program.soffice.bin @@ -73,32 +73,32 @@ @{libo_user_dirs} = @{HOME} /mnt /media -#include +include profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) { - #include + include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include # GnuPG1 only... -# #include - #include - #include +# include + include + include - #include + include - #include - #include - #include + include + include + include #List directories for file browser / r, @@ -214,8 +214,8 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp owner @{HOME}/.local/share/user-places.xbel r, # there is abstractions/gnupg but that's just for gpg1... - profile gpg { - #include + profile gpg flags=(complain) { + include /usr/bin/gpgconf rm, /usr/bin/gpg rm, diff --git a/apparmor.d/usr.lib.libreoffice.program.xpdfimport b/apparmor.d/usr.lib.libreoffice.program.xpdfimport index bdfc55726..04c469e63 100644 --- a/apparmor.d/usr.lib.libreoffice.program.xpdfimport +++ b/apparmor.d/usr.lib.libreoffice.program.xpdfimport 
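Review bot: `flags=(complain)` is added to the libreoffice-senddoc profile line here without any comment saying why, and the same flag is added in this diff to libreoffice-xpdfimport, apt-cacher-ng, fwknopd and the `gpg` child profile inside libreoffice-soffice. Complain mode turns every rule in the profile into logging only, so apt-cacher-ng and fwknopd, both network-facing services, lose enforcement entirely until someone remembers to flip the flag back. A one-line comment above each affected `profile` line would keep that state visible to the next reader, e.g. `# complain: profile still being validated against audit logs; return to enforce once clean`. Naming the denials that motivated the change in the commit message would help too.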
@@ -12,12 +12,12 @@ # # ------------------------------------------------------------------ -#include +include -profile libreoffice-xpdfimport /usr/lib/libreoffice/program/xpdfimport { - #include +profile libreoffice-xpdfimport /usr/lib/libreoffice/program/xpdfimport flags=(complain) { + include - #include + include /usr/share/poppler/** r, /usr/share/libreoffice/share/config/* r, diff --git a/apparmor.d/usr.lib.libvirt.virt-aa-helper b/apparmor.d/usr.lib.libvirt.virt-aa-helper index 3eebc207b..867c7295e 100644 --- a/apparmor.d/usr.lib.libvirt.virt-aa-helper +++ b/apparmor.d/usr.lib.libvirt.virt-aa-helper @@ -1,7 +1,7 @@ -#include +include profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper { - #include + include # needed for searching directories capability dac_override, @@ -70,5 +70,5 @@ profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper { /**/disk{,.*} r, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.sbin.apt-cacher-ng b/apparmor.d/usr.sbin.apt-cacher-ng index 8a5e854ec..571f58be5 100644 --- a/apparmor.d/usr.sbin.apt-cacher-ng +++ b/apparmor.d/usr.sbin.apt-cacher-ng @@ -2,13 +2,13 @@ @{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng -#include +include -profile apt-cacher-ng /usr/sbin/apt-cacher-ng { - #include - #include - #include - #include +profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) { + include + include + include + include /etc/apt-cacher-ng/ r, /etc/apt-cacher-ng/** r, @@ -31,5 +31,5 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng { /usr/lib/apt-cacher-ng/acngtool ixr, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.sbin.avahi-daemon b/apparmor.d/usr.sbin.avahi-daemon index 62f56df78..7de07d3ec 100644 --- a/apparmor.d/usr.sbin.avahi-daemon +++ b/apparmor.d/usr.sbin.avahi-daemon 
@@ -1,9 +1,11 @@ -#include +abi , + +include profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(complain) { - #include - #include - #include - #include + include + include + include + include capability chown, capability dac_override, @@ -23,11 +25,11 @@ profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(complain) { /usr/{bin,sbin}/avahi-daemon mr, /usr/share/avahi/introspection/*.introspect r, /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r, - /{,var/}run/avahi-daemon/ w, - /{,var/}run/avahi-daemon/pid krw, - /{,var/}run/avahi-daemon/socket w, - /{,var/}run/systemd/notify w, + @{run}/avahi-daemon/ w, + @{run}/avahi-daemon/pid krw, + @{run}/avahi-daemon/socket w, + @{run}/systemd/notify w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.cupsd b/apparmor.d/usr.sbin.cupsd index 9b8d0668d..f30cba718 100644 --- a/apparmor.d/usr.sbin.cupsd +++ b/apparmor.d/usr.sbin.cupsd @@ -2,17 +2,17 @@ # Last Modified: Thu Aug 2 12:54:46 2007 # Author: Martin Pitt -#include +include /usr/sbin/cupsd flags=(attach_disconnected) { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include capability chown, capability fowner, @@ -169,15 +169,15 @@ } # Site-specific additions and overrides. See local/README for details. - #include + include } # separate profile since this needs to write into /home /usr/lib/cups/backend/cups-pdf { - #include - #include - #include - #include + include + include + include + include capability chown, capability fowner, @@ -211,7 +211,7 @@ # allow read and write on almost anything in @{HOME} (lenient, but # private-files-strict is in effect), to support customized "Out" # setting in cups-pdf.conf (Debian#940578) - #include + include @{HOME}/[^.]*/{,**/} rw, @{HOME}/[^.]*/** rw, } 
diff --git a/apparmor.d/usr.sbin.dnsmasq b/apparmor.d/usr.sbin.dnsmasq index 88f09913f..d911b60de 100644 --- a/apparmor.d/usr.sbin.dnsmasq +++ b/apparmor.d/usr.sbin.dnsmasq @@ -9,19 +9,15 @@ # # ------------------------------------------------------------------ -@{TFTP_DIR}=/var/tftp /srv/tftpboot +abi , -#include +@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot -# This profile has the name "/usr/sbin/dnsmasq", but attaches to both /usr/bin/dnsmasq and /usr/sbin/dnsmasq. -# We are sorry for the confusion ;-) but this trick is needed to support distributions with merged bin and sbin -# while not breaking the libvirtd profile that has rules with peer=/usr/sbin/dnsmasq -# Future versions of AppArmor (> 2.13.x) will have "dnsmasq" as profile name. - -profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { - #include - #include - #include +include +profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { + include + include + include capability chown, capability net_bind_service, @@ -34,10 +30,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { network inet6 raw, signal (receive) peer=/usr/{bin,sbin}/libvirtd, - signal (receive) peer=/usr/sbin/libvirtd, signal (receive) peer=libvirtd, ptrace (readby) peer=/usr/{bin,sbin}/libvirtd, - ptrace (readby) peer=/usr/sbin/libvirtd, ptrace (readby) peer=libvirtd, owner /dev/tty rw, @@ -54,6 +48,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /etc/NetworkManager/dnsmasq.d/* r, /etc/NetworkManager/dnsmasq-shared.d/ r, /etc/NetworkManager/dnsmasq-shared.d/* r, + /etc/dnsmasq-conf.conf r, + /etc/dnsmasq-resolv.conf r, /usr/{bin,sbin}/dnsmasq mr, 
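Review bot: Renaming the profile from `/usr/sbin/dnsmasq` to `dnsmasq` removes the workaround that the deleted comment documented, namely that the path-shaped name was kept so libvirtd rules written with `peer=/usr/sbin/dnsmasq` kept matching. The libvirtd hunks elsewhere in this diff only change include syntax and show no peer rule being updated, and the rule body of that profile is outside the hunk, so unless it already uses `peer=dnsmasq` the signal and ptrace exchanges between the two confined processes will start being denied. Please confirm against the libvirtd profile and state the dependency in the commit message.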
@@ -62,10 +58,10 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /usr/share/dnsmasq{-base,}/ r, /usr/share/dnsmasq{-base,}/* r, - /{,var/}run/*dnsmasq*.pid w, - /{,var/}run/dnsmasq-forwarders.conf r, - /{,var/}run/dnsmasq/ r, - /{,var/}run/dnsmasq/* rw, + @{run}/*dnsmasq*.pid w, + @{run}/dnsmasq-forwarders.conf r, + @{run}/dnsmasq/ r, + @{run}/dnsmasq/* rw, /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage @@ -74,6 +70,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { # access to iface mtu needed for Router Advertisement messages in IPv6 # Neighbor Discovery protocol (RFC 2461) @{PROC}/sys/net/ipv6/conf/*/mtu r, + # closing superfluous file descriptors scans /proc/self/fd/ to find open ones + @{PROC}/@{pid}/fd/ r, # for the read-only TFTP server @{TFTP_DIR}/ r, @@ -84,19 +82,19 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /var/lib/libvirt/dnsmasq/* r, # libvirt pid files for dnsmasq - /{,var/}run/libvirt/network/ r, - /{,var/}run/libvirt/network/*.pid rw, + @{run}/libvirt/network/ r, + @{run}/libvirt/network/*.pid rw, # libvirt lease helper /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper, /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper, # lxc-net pid and lease files - /{,var/}run/lxc/dnsmasq.pid rw, + @{run}/lxc/dnsmasq.pid rw, /var/lib/misc/dnsmasq.*.leases rw, # lxd-bridge pid and lease files - /{,var/}run/lxd-bridge/dnsmasq.pid rw, + @{run}/lxd-bridge/dnsmasq.pid rw, /var/lib/lxd-bridge/dnsmasq.*.leases rw, /var/lib/lxd/networks/*/dnsmasq.* r, /var/lib/lxd/networks/*/dnsmasq.leases rw, 
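Review bot: `@{PROC}/@{pid}/fd/ r,` is not owner-scoped, so it grants a listing of the open-fd table of every process on the system, while the comment above it says the intent is only `/proc/self/fd/`. `owner @{PROC}/@{pid}/fd/ r,` would restrict the rule to dnsmasq's own process entry. If dnsmasq changes its uid after start (not visible here), check the audit log that the `owner` match still holds once it runs under the unprivileged user.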
@@ -104,15 +102,15 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { # NetworkManager integration /var/lib/NetworkManager/dnsmasq-*.leases rw, - /{,var/}run/nm-dns-dnsmasq.conf r, - /{,var/}run/nm-dnsmasq-*.pid rw, - /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w, - /{,var/}run/NetworkManager/dnsmasq.conf r, - /{,var/}run/NetworkManager/dnsmasq.pid w, - /{,var/}run/NetworkManager/NetworkManager.pid w, + @{run}/nm-dns-dnsmasq.conf r, + @{run}/nm-dnsmasq-*.pid rw, + @{run}/sendsigs.omit.d/*dnsmasq.pid w, + @{run}/NetworkManager/dnsmasq.conf r, + @{run}/NetworkManager/dnsmasq.pid w, + @{run}/NetworkManager/NetworkManager.pid w, profile libvirt_leaseshelper { - #include + include /etc/libnl-3/classid r, @@ -130,9 +128,9 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /var/lib/libvirt/dnsmasq/*.leases rw, /var/lib/libvirt/dnsmasq/*.status* rw, - /{,var/}run/leaseshelper.pid rwk, + @{run}/leaseshelper.pid rwk, } # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.fwknopd b/apparmor.d/usr.sbin.fwknopd index e70b3cae9..461174238 100644 --- a/apparmor.d/usr.sbin.fwknopd +++ b/apparmor.d/usr.sbin.fwknopd @@ -1,10 +1,10 @@ # Last Modified: Sun Aug 18 22:54:57 2013 # Assumes fwknopd was built with: # './configure --prefix=/usr --sysconfdir=/etc --localstatedir=/run' -#include +include -/usr/sbin/fwknopd { - #include +/usr/sbin/fwknopd flags=(complain) { + include capability ipc_lock, capability net_admin, diff --git a/apparmor.d/usr.sbin.identd b/apparmor.d/usr.sbin.identd index 08d751e91..09c478e7a 100644 --- a/apparmor.d/usr.sbin.identd +++ b/apparmor.d/usr.sbin.identd 
@@ -9,11 +9,13 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile identd /usr/{bin,sbin}/identd flags=(complain) { - #include - #include + include + include capability net_bind_service, capability setgid, capability setuid, @@ -24,10 +26,10 @@ profile identd /usr/{bin,sbin}/identd flags=(complain) { /usr/{bin,sbin}/identd rmix, @{PROC}/net/tcp r, @{PROC}/net/tcp6 r, - /{,var/}run/identd.pid w, - /{,var/}run/identd/ w, - /{,var/}run/identd/identd.pid w, + @{run}/identd.pid w, + @{run}/identd/ w, + @{run}/identd/identd.pid w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.libvirtd b/apparmor.d/usr.sbin.libvirtd index 60829ee00..1badcca27 100644 --- a/apparmor.d/usr.sbin.libvirtd +++ b/apparmor.d/usr.sbin.libvirtd @@ -1,9 +1,9 @@ -#include +include @{LIBVIRT}="libvirt" profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { - #include - #include + include + include capability kill, capability net_admin, @@ -115,7 +115,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process profile qemu_bridge_helper { - #include + include capability setuid, capability setgid, @@ -137,5 +137,5 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { } # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.sbin.mdnsd b/apparmor.d/usr.sbin.mdnsd index 82b4088ea..9852fbf38 100644 --- a/apparmor.d/usr.sbin.mdnsd +++ b/apparmor.d/usr.sbin.mdnsd @@ -9,12 +9,14 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile mdnsd /usr/{bin,sbin}/mdnsd flags=(complain) { - #include - #include - #include + include + include + include capability net_bind_service, capability setgid, 
@@ -28,9 +30,9 @@ profile mdnsd /usr/{bin,sbin}/mdnsd flags=(complain) { @{PROC}/net/ r, @{PROC}/net/unix r, - /{,var/}run/mdnsd lw, - /{,var/}run/mdnsd.pid w, + @{run}/mdnsd lw, + @{run}/mdnsd.pid w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.nmbd b/apparmor.d/usr.sbin.nmbd index e0e9cd0ce..a796d2426 100644 --- a/apparmor.d/usr.sbin.nmbd +++ b/apparmor.d/usr.sbin.nmbd @@ -1,9 +1,11 @@ -#include +abi , + +include profile nmbd /usr/{bin,sbin}/nmbd flags=(complain) { - #include - #include - #include + include + include + include capability net_bind_service, @@ -24,12 +26,11 @@ profile nmbd /usr/{bin,sbin}/nmbd flags=(complain) { /var/{cache,lib}/samba/unexpected rw, /var/cache/samba/msg/ rw, /var/cache/samba/msg/* w, - /var/cache/samba/msg.lock/{,*} rwk, - /{,var/}run/nmbd.pid rwk, - /{,var/}run/samba/** rwk, - /{,var/}run/systemd/notify w, + @{run}/nmbd.pid rwk, + @{run}/samba/** rwk, + @{run}/systemd/notify w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.nscd b/apparmor.d/usr.sbin.nscd index b1b1b9535..0d2c4d143 100644 --- a/apparmor.d/usr.sbin.nscd +++ b/apparmor.d/usr.sbin.nscd @@ -9,12 +9,14 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile nscd /usr/{bin,sbin}/nscd flags=(complain) { - #include - #include - #include - #include + include + include + include + include deny capability block_suspend, capability net_bind_service, 
@@ -24,12 +26,12 @@ profile nscd /usr/{bin,sbin}/nscd flags=(complain) { /etc/netgroup r, /etc/nscd.conf r, /usr/{bin,sbin}/nscd rmix, - /{,var/}run/.nscd_socket wl, - /{,var/}run/nscd/ rw, - /{,var/}run/nscd/db* rwl, - /{,var/}run/nscd/socket wl, + @{run}/.nscd_socket wl, + @{run}/nscd/ rw, + @{run}/nscd/db* rwl, + @{run}/nscd/socket wl, /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw, - /{,var/}run/{nscd/,}nscd.pid rwl, + @{run}/{nscd/,}nscd.pid rwl, /var/lib/libvirt/dnsmasq/ r, /var/lib/libvirt/dnsmasq/*.status r, /var/log/nscd.log rw, @@ -39,5 +41,5 @@ profile nscd /usr/{bin,sbin}/nscd flags=(complain) { @{PROC}/@{pid}/mounts r, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.ntpd b/apparmor.d/usr.sbin.ntpd index e8225d7d0..b54a35e1e 100644 --- a/apparmor.d/usr.sbin.ntpd +++ b/apparmor.d/usr.sbin.ntpd @@ -11,13 +11,13 @@ # # ------------------------------------------------------------------ -#include -#include +include +include /usr/sbin/ntpd flags=(attach_disconnected) { - #include - #include - #include - #include + include + include + include + include capability ipc_lock, capability net_admin, @@ -87,5 +87,5 @@ # capability ipc_owner, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.sbin.smbd b/apparmor.d/usr.sbin.smbd index 7d8b68a9f..aed862acd 100644 --- a/apparmor.d/usr.sbin.smbd +++ b/apparmor.d/usr.sbin.smbd @@ -1,14 +1,16 @@ -#include +abi , + +include profile smbd /usr/{bin,sbin}/smbd flags=(complain) { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include capability audit_write, capability dac_override, 
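Review bot: `/{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,` is left with literal `/var/run` and `/run` alternatives while every neighbouring rule in this hunk moves to `@{run}`. For consistency with the rest of the file this could become two rules, `/var/{cache,lib}/nscd/{passwd,group,services,hosts,netgroup} rw,` and `@{run}/nscd/{passwd,group,services,hosts,netgroup} rw,`, assuming `@{run}` expands to `/run` and `/var/run` as the other replacements in this diff imply.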
@@ -43,22 +45,21 @@ profile smbd /usr/{bin,sbin}/smbd flags=(complain) { /var/{cache,lib}/samba/printing/printers.tdb mrw, /var/lib/samba/** rwk, /var/lib/sss/pubconf/kdcinfo.* r, - /{,var/}run/dbus/system_bus_socket rw, - /{,var/}run/smbd.pid rwk, - /{,var/}run/samba/** rk, - /{,var/}run/samba/ncalrpc/ rw, - /{,var/}run/samba/ncalrpc/** rw, - /{,var/}run/samba/smbd.pid rw, - /{,var/}run/samba/msg.lock/ rw, - /{,var/}run/samba/msg.lock/[0-9]* rwk, + @{run}/dbus/system_bus_socket rw, + @{run}/smbd.pid rwk, + @{run}/samba/** rk, + @{run}/samba/ncalrpc/ rw, + @{run}/samba/ncalrpc/** rw, + @{run}/samba/smbd.pid rw, /var/spool/samba/** rw, @{HOMEDIRS}/** lrwk, + /var/lib/samba/usershares/{,**} lrwk, # Permissions for all configured shares (file autogenerated by # update-apparmor-samba-profile on service startup. - #include if exists + include if exists # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.smbldap-useradd b/apparmor.d/usr.sbin.smbldap-useradd index d52307a7e..d1f75740d 100644 --- a/apparmor.d/usr.sbin.smbldap-useradd +++ b/apparmor.d/usr.sbin.smbldap-useradd @@ -1,11 +1,14 @@ # Last Modified: Tue Jan 3 00:17:40 2012 -#include + +abi , + +include profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd flags=(complain) { - #include - #include - #include - #include + include + include + include + include /dev/tty rw, /{,usr/}bin/bash ix, @@ -18,11 +21,11 @@ profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd flags=(complain) { /var/log/samba/log.smbd w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists profile /etc/init.d/nscd flags=(complain) { - #include - #include + include + include capability sys_ptrace, diff --git a/apparmor.d/usr.sbin.tcpdump b/apparmor.d/usr.sbin.tcpdump index c3b91896e..ae69e145a 100644 --- a/apparmor.d/usr.sbin.tcpdump +++ b/apparmor.d/usr.sbin.tcpdump 
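Review bot: Dropping the `msg.lock/ rw` and `msg.lock/[0-9]* rwk` rules under the run directory leaves smbd with only `@{run}/samba/** rk` on that tree, i.e. no write or create permission there, and nothing in the hunk says where the messaging lock files now live. If Samba on the target systems still places them under the run directory, smbd will hit denials at start; if they moved under `/var/lib/samba/` (already `rwk` here), a short comment such as `# msg.lock now lives under /var/lib/samba/` would stop the next reader re-adding the rule. The new `/var/lib/samba/usershares/{,**} lrwk,` also grants write and link on the user-share definitions; if those files are created by a separate user-side tool rather than by smbd itself, `r` may be all that is needed, so confirm against the denials that motivated it.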
@@ -1,10 +1,10 @@ # vim:syntax=apparmor -#include +include profile tcpdump /usr/sbin/tcpdump { - #include - #include - #include + include + include + include capability net_raw, capability setuid, @@ -61,5 +61,5 @@ profile tcpdump /usr/sbin/tcpdump { /usr/sbin/tcpdump mr, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.sbin.traceroute b/apparmor.d/usr.sbin.traceroute index 2c08027f4..926ccdafe 100644 --- a/apparmor.d/usr.sbin.traceroute +++ b/apparmor.d/usr.sbin.traceroute @@ -9,11 +9,13 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} { - #include - #include - #include + include + include + include deny capability net_admin, # noisy setsockopt() calls capability net_raw, @@ -26,5 +28,5 @@ profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/tracerou @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/uupdate b/apparmor.d/uupdate index 579cc5cdc..bafdbede5 100644 --- a/apparmor.d/uupdate +++ b/apparmor.d/uupdate @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/uupdate profile uupdate @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -58,5 +58,5 @@ profile uupdate @{exec_path} flags=(complain) { # For package building owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - #include if exists + include if exists } diff --git a/apparmor.d/vcsi b/apparmor.d/vcsi index ff9cda23a..c82ae6b84 100644 --- a/apparmor.d/vcsi +++ b/apparmor.d/vcsi 
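Review bot: The tcpdump profile gets no `abi` line and its site-local include at the end stays a hard `include` rather than `include if exists`, unlike traceroute, identd, mdnsd, nmbd, nscd and smbd in this same diff, which gain both. libvirtd, ntpd and cupsd are treated the same way as tcpdump. If the split is intentional (for example profiles mirrored from an upstream package versus repo-maintained ones), one sentence in the commit message would make that clear; otherwise these files look like they were missed.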
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/vcsi profile vcsi @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -37,5 +37,5 @@ profile vcsi @{exec_path} { owner /tmp/* rw, - #include if exists + include if exists } diff --git a/apparmor.d/vidcutter b/apparmor.d/vidcutter index db9da1cba..8c19b886a 100644 --- a/apparmor.d/vidcutter +++ b/apparmor.d/vidcutter @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -40,24 +40,24 @@ @{exec_path} = /{usr/,}bin/vidcutter profile vidcutter @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -139,8 +139,8 @@ profile vidcutter @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @@ -157,5 +157,5 @@ profile vidcutter @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/vipw-vigr b/apparmor.d/vipw-vigr index a3a6b9a7d..c89532d5d 100644 --- a/apparmor.d/vipw-vigr +++ b/apparmor.d/vipw-vigr 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/vi{pw,gr} profile vipw-vigr @{exec_path} { - #include + include capability chown, @@ -45,8 +45,8 @@ profile vipw-vigr @{exec_path} { profile editor { - #include - #include + include + include capability fsetid, @@ -68,5 +68,5 @@ profile vipw-vigr @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/virt-manager b/apparmor.d/virt-manager index 0e44dc558..68edd4e21 100644 --- a/apparmor.d/virt-manager +++ b/apparmor.d/virt-manager @@ -9,29 +9,33 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/virt-manager @{exec_path} += /usr/share/virt-manager/virt-manager -profile virt-manager @{exec_path} flags=(complain) { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include +profile virt-manager @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} rix, /{usr/,}bin/{,ba,da}sh rix, @@ -84,6 +88,7 @@ profile virt-manager @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/net/route r, /dev/ r, @@ -126,5 +131,5 @@ profile virt-manager @{exec_path} flags=(complain) { # Silecne the noise deny /usr/share/virt-manager/{,**} w, - #include if exists + include if exists } diff --git a/apparmor.d/vlc b/apparmor.d/vlc index 4a9cfa14f..4277eece9 100644 --- a/apparmor.d/vlc +++ b/apparmor.d/vlc 
@@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -58,27 +58,33 @@ @{exec_path} = /{usr/,}bin/{c,}vlc profile vlc @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (receive) set=(term, kill) peer=anyremote//*, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, # Which media files VLC should be able to open @@ -154,5 +160,5 @@ profile vlc @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.anyRemote/anyremote.stdout w, - #include if exists + include if exists } diff --git a/apparmor.d/vnstat b/apparmor.d/vnstat index 51933602e..805237fc8 100644 --- a/apparmor.d/vnstat +++ b/apparmor.d/vnstat @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/vnstat profile vnstat @{exec_path} { - #include - #include - #include + include + include + include # The following rules are needed when adding a new interface to the vnstat database. Usually this # action is performed as root, but the vnstatd daemon is run as vnstat (user/group), and all the @@ -71,5 +71,5 @@ profile vnstat @{exec_path} { deny @{sys}/devices/**/hwmon/**/temp*_input r, owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/vnstatd b/apparmor.d/vnstatd index 43c60fd68..57166e153 100644 --- a/apparmor.d/vnstatd +++ b/apparmor.d/vnstatd 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/vnstatd profile vnstatd @{exec_path} { - #include + include @{exec_path} mr, @@ -34,5 +34,5 @@ profile vnstatd @{exec_path} { owner /var/lib/vnstat/vnstat.db rwk, owner /var/lib/vnstat/vnstat.db-journal rw, - #include if exists + include if exists } diff --git a/apparmor.d/volumeicon b/apparmor.d/volumeicon index fff723c29..9a68a6a6c 100644 --- a/apparmor.d/volumeicon +++ b/apparmor.d/volumeicon @@ -9,24 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/volumeicon profile volumeicon @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -49,5 +49,5 @@ profile volumeicon @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/vsftpd b/apparmor.d/vsftpd index 97735c2f4..3a994aebb 100644 --- a/apparmor.d/vsftpd +++ b/apparmor.d/vsftpd @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/vsftpd profile vsftpd @{exec_path} { - #include - #include - #include - #include + include + include + include + include # Only for local users authentication - #include + include # To be able to listen on ports < 1024 capability net_bind_service, @@ -48,7 +48,7 @@ profile vsftpd @{exec_path} { capability net_admin, capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp - #include + include # To validate allowed users shells /etc/shells r, 
@@ -79,5 +79,5 @@ profile vsftpd @{exec_path} { /media/ftp/ r, /media/ftp/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/wavemon b/apparmor.d/wavemon index 43630aebe..bc07f6822 100644 --- a/apparmor.d/wavemon +++ b/apparmor.d/wavemon @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/wavemon profile wavemon @{exec_path} { - #include + include # To scan WiFi networks capability net_admin, @@ -28,5 +28,5 @@ profile wavemon @{exec_path} { @{PROC}/@{pid}/net/dev r, - #include if exists + include if exists } diff --git a/apparmor.d/wget b/apparmor.d/wget index 1c171cef7..257f7b5e3 100644 --- a/apparmor.d/wget +++ b/apparmor.d/wget @@ -9,23 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/wget profile wget @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include # For downloading files as root to user owned dirs capability dac_read_search, capability dac_override, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, /etc/wgetrc r, @@ -38,5 +44,5 @@ profile wget @{exec_path} { owner /var/cache/google-android-build-tools-*-installer/build-tools_*-linux.zip w, owner /var/cache/google-android-platform-*-installer/platform-*.zip w, - #include if exists + include if exists } diff --git a/apparmor.d/whdd b/apparmor.d/whdd index c18aac1c4..d45ea8d9c 100644 --- a/apparmor.d/whdd +++ b/apparmor.d/whdd @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/whdd profile whdd @{exec_path} { - #include + include capability sys_rawio, capability sys_admin, 
@@ -38,5 +38,5 @@ profile whdd @{exec_path} { /dev/sd[a-z] rw, - #include if exists + include if exists } diff --git a/apparmor.d/whiptail b/apparmor.d/whiptail index 6d7d8f8b8..c947bb02f 100644 --- a/apparmor.d/whiptail +++ b/apparmor.d/whiptail @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/whiptail profile whiptail @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} mr, owner /tmp/gpm* w, - #include if exists + include if exists } diff --git a/apparmor.d/who b/apparmor.d/who index e4ac4f6f5..adfe1ac99 100644 --- a/apparmor.d/who +++ b/apparmor.d/who @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/who profile who @{exec_path} { - #include - #include - #include + include + include + include capability kill, @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/wireshark b/apparmor.d/wireshark index 2a905e31a..9999baa5e 100644 --- a/apparmor.d/wireshark +++ b/apparmor.d/wireshark @@ -10,28 +10,28 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # pcap pcapng @{wireshark_ext} = [pP][cC][aA][pP]{,[nN][gG]} @{exec_path} = /{usr/,}bin/wireshark profile wireshark @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) peer=dumpcap, @@ -95,8 +95,8 @@ profile wireshark @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -112,5 +112,5 @@ profile wireshark @{exec_path} { } - #include if exists + include if exists } 
diff --git a/apparmor.d/wmctrl b/apparmor.d/wmctrl index b6e301db5..58da5bc1f 100644 --- a/apparmor.d/wmctrl +++ b/apparmor.d/wmctrl @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/wmctrl profile wmctrl @{exec_path} { - #include - #include + include + include @{exec_path} mr, owner @{HOME}/.Xauthority r, - #include if exists + include if exists } diff --git a/apparmor.d/wpa-gui b/apparmor.d/wpa-gui index b7662a8a1..fa2641f38 100644 --- a/apparmor.d/wpa-gui +++ b/apparmor.d/wpa-gui @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/wpa_gui profile wpa-gui @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -45,5 +45,5 @@ profile wpa-gui @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/wpa-supplicant b/apparmor.d/wpa-supplicant index 37cec03fb..06cd2331d 100644 --- a/apparmor.d/wpa-supplicant +++ b/apparmor.d/wpa-supplicant @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/wpa_supplicant profile wpa-supplicant @{exec_path} { - #include - #include - #include + include + include + include # To remove the following errors: # wpa_supplicant[]: wlan0: Failed to initialize driver interface @@ -35,6 +35,9 @@ profile wpa-supplicant @{exec_path} { capability fsetid, audit deny capability sys_module, + network packet raw, + network packet dgram, + @{exec_path} mr, owner @{run}/wpa_supplicant/ rw, 
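Review bot: The two new `network packet` rules in wpa-supplicant are added without a comment, directly under a block that explains each capability; a one-liner such as `# EAPOL/802.1X frames are exchanged over raw packet sockets` keeps that pattern. Note also that with abi 3.0 network access is mediated for the whole profile, and wpa_supplicant's nl80211 driver talks to the kernel over netlink while its control interface uses unix sockets — if those are not granted by one of the included abstractions (the include targets are not visible here), a `network netlink raw,` rule will be needed too, and the "Failed to initialize driver interface" error this profile comments on will come back.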
@@ -54,5 +57,5 @@ profile wpa-supplicant @{exec_path} { #/etc/wpa_supplicant/wpa_supplicant.conf w, #/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw, - #include if exists + include if exists } diff --git a/apparmor.d/wpa_cli b/apparmor.d/wpa_cli index a9fadcfbd..8f03fda05 100644 --- a/apparmor.d/wpa_cli +++ b/apparmor.d/wpa_cli @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/wpa_cli profile wpa_cli @{exec_path} { - #include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile wpa_cli @{exec_path} { owner @{HOME}/.wpa_cli_history rw, owner @{HOME}/.wpa_cli_history-[0-9]*.tmp rw, - #include if exists + include if exists } diff --git a/apparmor.d/wrmsr b/apparmor.d/wrmsr index c21122425..302e1db9c 100644 --- a/apparmor.d/wrmsr +++ b/apparmor.d/wrmsr @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/wrmsr profile wrmsr @{exec_path} flags=(complain) { - #include + include # To access /dev/cpu/*/msr . capability sys_rawio, @@ -24,5 +24,5 @@ profile wrmsr @{exec_path} flags=(complain) { owner /dev/cpu/[0-9]*/msr w, - #include if exists + include if exists } diff --git a/apparmor.d/x11-xsession b/apparmor.d/x11-xsession index 80c3f97f9..37efad088 100644 --- a/apparmor.d/x11-xsession +++ b/apparmor.d/x11-xsession @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/X11/Xsession profile x11-xsession @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -66,7 +66,7 @@ profile x11-xsession @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -81,7 +81,7 @@ profile x11-xsession @{exec_path} { } profile dbus { - #include + include /{usr/,}bin/dbus-update-activation-environment mr, 
@@ -91,7 +91,7 @@ profile x11-xsession @{exec_path} { } profile gpg { - #include + include /{usr/,}bin/gpgconf mr, @@ -105,7 +105,7 @@ profile x11-xsession @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, @@ -128,5 +128,5 @@ profile x11-xsession @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/xarchiver b/apparmor.d/xarchiver index 9b369e08a..0d41058d9 100644 --- a/apparmor.d/xarchiver +++ b/apparmor.d/xarchiver @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xarchiver profile xarchiver @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mrix, @@ -81,8 +81,8 @@ profile xarchiver @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -102,5 +102,5 @@ profile xarchiver @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/xauth b/apparmor.d/xauth index 914e3afbc..00193783d 100644 --- a/apparmor.d/xauth +++ b/apparmor.d/xauth @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xauth profile xauth @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -31,5 +31,5 @@ profile xauth @{exec_path} { owner /tmp/serverauth.*-n rw, owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n, - #include if exists + include if exists } diff --git a/apparmor.d/xautolock b/apparmor.d/xautolock index aa0d21782..9ccb2d968 100644 --- a/apparmor.d/xautolock +++ b/apparmor.d/xautolock 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xautolock profile xautolock @{exec_path} { - #include + include @{exec_path} mr, @@ -34,5 +34,5 @@ profile xautolock @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/xbacklight b/apparmor.d/xbacklight index 0545df977..973e2b971 100644 --- a/apparmor.d/xbacklight +++ b/apparmor.d/xbacklight @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xbacklight profile xbacklight @{exec_path} { - #include - #include + include + include @{exec_path} mr, owner @{HOME}/.Xauthority r, - #include if exists + include if exists } diff --git a/apparmor.d/xdg-desktop-menu b/apparmor.d/xdg-desktop-menu index 87fdce014..68a5c3a58 100644 --- a/apparmor.d/xdg-desktop-menu +++ b/apparmor.d/xdg-desktop-menu @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-desktop-menu profile xdg-desktop-menu @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, @@ -49,5 +49,5 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) { /usr/share/applications/defaults.list r, /usr/share/applications/defaults.list.new w, - #include if exists + include if exists } diff --git a/apparmor.d/xdg-email b/apparmor.d/xdg-email index ec88d4752..76cfcd816 100644 --- a/apparmor.d/xdg-email +++ b/apparmor.d/xdg-email 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-email profile xdg-email @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - #include if exists + include if exists } diff --git a/apparmor.d/xdg-icon-resource b/apparmor.d/xdg-icon-resource index 72016d29c..03270d2a6 100644 --- a/apparmor.d/xdg-icon-resource +++ b/apparmor.d/xdg-icon-resource @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-icon-resource profile xdg-icon-resource @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, @@ -46,5 +46,5 @@ profile xdg-icon-resource @{exec_path} flags=(complain) { owner @{HOME}/.local/share/icons/**/.xdg-icon-resource-dummy rw, /opt/**/*.png r, - #include if exists + include if exists } diff --git a/apparmor.d/xdg-mime b/apparmor.d/xdg-mime index 227b68ca9..677ab6d45 100644 --- a/apparmor.d/xdg-mime +++ b/apparmor.d/xdg-mime @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-mime profile xdg-mime @{exec_path} { - #include - #include + include + include @{exec_path} r, @@ -53,13 +53,16 @@ profile xdg-mime @{exec_path} { owner @{run}/user/[0-9]*/ r, + # For shell pwd + owner @{HOME}/ r, + # file_inherit /media/** rw, - profile dbus { - #include - #include + profile dbus flags=(complain) { + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -71,5 +74,5 @@ profile xdg-mime @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/xdg-open b/apparmor.d/xdg-open index 019959982..36f940007 100644 --- a/apparmor.d/xdg-open +++ b/apparmor.d/xdg-open 
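Review bot: The `dbus` child profile of xdg-mime is switched to `flags=(complain)` with no explanation; complain mode only logs denials, so anything dbus-launch/dbus-send does beyond the listed rules is now permitted in this child, while the equivalent `dbus` children in xdg-open and xdg-settings in this same change stay enforcing. If this is a temporary measure to collect denials, say so and track it: `# TODO: complain until the dbus-launch/dbus-send denials are collected and added`. Otherwise add the missing rules from the audit log and keep the child enforcing, so the profile's confinement does not silently weaken.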
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-open profile xdg-open @{exec_path} { - #include - #include + include + include @{exec_path} r, @@ -59,8 +59,8 @@ profile xdg-open @{exec_path} { profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -72,5 +72,5 @@ profile xdg-open @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/xdg-screensaver b/apparmor.d/xdg-screensaver index 05384ade4..327fb2d11 100644 --- a/apparmor.d/xdg-screensaver +++ b/apparmor.d/xdg-screensaver @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-screensaver profile xdg-screensaver @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, @@ -53,8 +53,8 @@ profile xdg-screensaver @{exec_path} { profile xautolock { - #include - #include + include + include /{usr/,}bin/xautolock mr, @@ -66,8 +66,8 @@ profile xdg-screensaver @{exec_path} { } profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-send mr, @@ -76,5 +76,5 @@ profile xdg-screensaver @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/xdg-settings b/apparmor.d/xdg-settings index 1c2e2cd05..7e008bff2 100644 --- a/apparmor.d/xdg-settings +++ b/apparmor.d/xdg-settings @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-settings profile xdg-settings @{exec_path} { - #include - #include + include + include @{exec_path} r, @@ -48,7 +48,6 @@ profile xdg-settings @{exec_path} { /{usr/,}bin/xprop rPx, /{usr/,}bin/xdg-mime rPx, - owner @{PROC}/@{pid}/fd/ r, /etc/xdg/xfce4/helpers.rc r, 
@@ -59,10 +58,15 @@ profile xdg-settings @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + # For shell pwd + owner @{HOME}/ r, + + @{run}/user/[0-9]*/ r, + profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -74,5 +78,5 @@ profile xdg-settings @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/xdpyinfo b/apparmor.d/xdpyinfo index 30adae516..b38cf4159 100644 --- a/apparmor.d/xdpyinfo +++ b/apparmor.d/xdpyinfo @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdpyinfo profile xdpyinfo @{exec_path} { - #include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile xdpyinfo @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xfce4-notifyd b/apparmor.d/xfce4-notifyd index cf9d4ba91..974a25b85 100644 --- a/apparmor.d/xfce4-notifyd +++ b/apparmor.d/xfce4-notifyd @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/xfce4/notifyd/xfce4-notifyd profile xfce4-notifyd @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -38,5 +38,5 @@ profile xfce4-notifyd @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/xfconfd b/apparmor.d/xfconfd index 21a1f02c0..96a73c71b 100644 --- a/apparmor.d/xfconfd +++ b/apparmor.d/xfconfd 
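Review bot: The new `@{run}/user/[0-9]*/ r,` rule in xdg-settings drops the `owner` qualifier that the equivalent rule added to xdg-mime in this same change carries (`owner @{run}/user/[0-9]*/ r,`), so this profile may list any user's runtime directory rather than only the invoking user's. Use `owner @{run}/user/[0-9]*/ r,` here as well, for least privilege and consistency between the two sibling profiles. A short comment on why the runtime directory listing is needed, in the style of the `# For shell pwd` line above it, would also help the next reader.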
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd profile xfconfd @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile xfconfd @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xhost b/apparmor.d/xhost index 5cbcee527..4e234d0e6 100644 --- a/apparmor.d/xhost +++ b/apparmor.d/xhost @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xhost profile xhost @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile xhost @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xinit b/apparmor.d/xinit index c5fcc2e17..a0cbdb73d 100644 --- a/apparmor.d/xinit +++ b/apparmor.d/xinit @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xinit profile xinit @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -79,7 +79,7 @@ profile xinit @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -93,7 +93,7 @@ profile xinit @{exec_path} { } profile gpg { - #include + include /{usr/,}bin/gpgconf mr, @@ -111,7 +111,7 @@ profile xinit @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, @@ -138,5 +138,5 @@ profile xinit @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/xinput b/apparmor.d/xinput index 81231e0d6..a634bc82b 100644 --- a/apparmor.d/xinput +++ b/apparmor.d/xinput 
@@ -9,18 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xinput profile xinput @{exec_path} { - #include - #include + include @{exec_path} mr, owner @{HOME}/.Xauthority r, - #include if exists + include if exists } diff --git a/apparmor.d/xkbcomp b/apparmor.d/xkbcomp index cbbeb17c8..a2a95c4ec 100644 --- a/apparmor.d/xkbcomp +++ b/apparmor.d/xkbcomp @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xkbcomp profile xkbcomp @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -38,5 +38,5 @@ profile xkbcomp @{exec_path} { owner /var/log/lightdm/x-[0-9]*.log w, /dev/dri/card[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/xorg b/apparmor.d/xorg index 928535daf..41b475976 100644 --- a/apparmor.d/xorg +++ b/apparmor.d/xorg @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # The attach_disconnected flag is needed when xserver is started via startx, or the mouse/keyboard # won't work. @@ -23,13 +23,13 @@ @{exec_path} += /{usr/,}bin/Xorg @{exec_path} += /{usr/,}lib/xorg/Xorg profile xorg @{exec_path} flags=(attach_disconnected) { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include ##include # When the Xserver is started via startx as a regular user, there's no need for any of the @@ -65,6 +65,8 @@ profile xorg @{exec_path} flags=(attach_disconnected) { signal (receive) peer=sddm, signal (receive) peer=xinit, + network netlink raw, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, 
@@ -157,5 +159,5 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /usr/share/glvnd/egl_vendor.d/ r, /usr/share/glvnd/egl_vendor.d/[0-9][0-9]_*.json r, - #include if exists + include if exists } diff --git a/apparmor.d/xprop b/apparmor.d/xprop index 32ce6044d..7ff5fcd93 100644 --- a/apparmor.d/xprop +++ b/apparmor.d/xprop @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xprop profile xprop @{exec_path} { - #include + include @{exec_path} mr, @@ -28,5 +28,5 @@ profile xprop @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xrandr b/apparmor.d/xrandr index a4bc6352b..24952b6b7 100644 --- a/apparmor.d/xrandr +++ b/apparmor.d/xrandr @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xrandr profile xrandr @{exec_path} { - #include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile xrandr @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/xrdb b/apparmor.d/xrdb index 8e5582194..1437614ae 100644 --- a/apparmor.d/xrdb +++ b/apparmor.d/xrdb @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xrdb profile xrdb @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -43,6 +43,6 @@ profile xrdb @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xsel b/apparmor.d/xsel index 1e3d91d49..ead35e00c 100644 --- a/apparmor.d/xsel +++ b/apparmor.d/xsel 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xsel profile xsel @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -32,5 +32,5 @@ profile xsel @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xset b/apparmor.d/xset index c394a82a3..abd0ee044 100644 --- a/apparmor.d/xset +++ b/apparmor.d/xset @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xset profile xset @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -28,5 +28,5 @@ profile xset @{exec_path} { owner @{HOME}/.xsession-errors w, deny /dev/dri/card[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/xsetroot b/apparmor.d/xsetroot index 2cfb417ac..2d226a3a0 100644 --- a/apparmor.d/xsetroot +++ b/apparmor.d/xsetroot @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xsetroot profile xsetroot @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -29,5 +29,5 @@ profile xsetroot @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/youtube-dl b/apparmor.d/youtube-dl index 9bfa857af..0bfbe2d9e 100644 --- a/apparmor.d/youtube-dl +++ b/apparmor.d/youtube-dl @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, 
@@ -47,21 +47,27 @@ @{exec_path} = /{usr/,}bin/youtube-dl profile youtube-dl @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include signal (receive) set=(term, kill) peer=mpv, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -92,5 +98,5 @@ profile youtube-dl @{exec_path} { /{usr/,}bin/ffmpeg rPUx, /{usr/,}bin/ffprobe rPUx, - #include if exists + include if exists } diff --git a/apparmor.d/youtube-viewer b/apparmor.d/youtube-viewer index 78501f641..aab58fc62 100644 --- a/apparmor.d/youtube-viewer +++ b/apparmor.d/youtube-viewer @@ -9,22 +9,28 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/youtube-viewer profile youtube-viewer @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include signal (receive) set=(hup, winch) peer=gtk-youtube-viewer//xterm, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} r, /{usr/,}bin/perl r, @@ -49,11 +55,11 @@ profile youtube-viewer @{exec_path} { profile wget { - #include - #include - #include - #include - #include + include + include + include + include + include signal (receive) set=(hup, winch) peer=gtk-youtube-viewer//xterm, @@ -66,5 +72,5 @@ profile youtube-viewer @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/ytdl b/apparmor.d/ytdl index 19de628e8..fdd9d91e7 100644 --- a/apparmor.d/ytdl +++ b/apparmor.d/ytdl 
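Review bot: The youtube-viewer parent profile gains the five `network` rules, but the `wget` child profile (hunk `@@ -49,11 +55,11 @@`) only has its include lines uncommented; a child profile does not inherit its parent's rules, so under abi 3.0, where network access is mediated, the child has no network access unless one of its included abstractions grants it (the include targets are not visible in this rendering). Either add the same `network inet stream,` / `network inet6 stream,` / dgram rules to the child or confirm the abstraction covers them — wget is the component that actually fetches the media, so this is the part that will break first. The child profile's body continues outside the hunk.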
@@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -47,12 +47,18 @@ @{exec_path} = /{usr/,}bin/ytdl profile ytdl @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -75,5 +81,5 @@ profile ytdl @{exec_path} { # Needed when displaying info on available formats owner @{HOME}/.cache/youtube-dl/youtube-sigfuncs/js*.json r, - #include if exists + include if exists } diff --git a/apparmor.d/zenmap b/apparmor.d/zenmap index d7f07bd38..69c6ac58e 100644 --- a/apparmor.d/zenmap +++ b/apparmor.d/zenmap @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/{zenmap,nmapfe} profile zenmap @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=nmap, @@ -46,5 +46,5 @@ profile zenmap @{exec_path} { owner /tmp/* rw, owner /tmp/zenmap-stdout-* rw, - #include if exists + include if exists }