diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control
new file mode 100644
index 000000000..1cdcf66f2
--- /dev/null
+++ b/apparmor.d/abstractions/media-control
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows access to media controller such as microphones, and video capture hardware.
+# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst
+
+  abi <abi/4.0>,
+
+  # Control of media devices
+  /dev/media@{int} rwk,
+
+  # Access to V4L subnodes configuration
+  # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html
+  /dev/v4l-subdev@{int} rw,
+
+  include if exists <abstractions/media-control.d>
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index c8c89ac13..04b08ecc4 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -15,6 +15,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.RealtimeKit1>
   include <abstractions/camera>
+  include <abstractions/media-control>
   include <abstractions/nameservice-strict>
 
   capability sys_ptrace,
@@ -66,8 +67,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/attr/apparmor/current r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
-  /dev/media@{int} rw,
-
   include if exists <local/pipewire>
 }
 
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 28d8b9d31..5c7c49c3d 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -26,6 +26,7 @@ profile pulseaudio @{exec_path} {
   include <abstractions/desktop>
   include <abstractions/gstreamer>
   include <abstractions/hosts_access>
+  include <abstractions/media-control>
   include <abstractions/nameservice-strict>
 
   ptrace (trace) peer=@{profile_name},
@@ -113,8 +114,6 @@ profile pulseaudio @{exec_path} {
   owner @{PROC}/@{pids}/stat r,
   owner @{PROC}/@{pids}/cmdline r,
 
-  /dev/media@{int} r,
-
   # file_inherit
   owner /dev/tty@{int} rw,
 
diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber
index 708e5a6e8..aa78d9667 100644
--- a/apparmor.d/groups/freedesktop/wireplumber
+++ b/apparmor.d/groups/freedesktop/wireplumber
@@ -18,6 +18,7 @@ profile wireplumber @{exec_path} {
   include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/camera>
   include <abstractions/devices-usb>
+  include <abstractions/media-control>
   include <abstractions/nameservice-strict>
 
   network bluetooth raw,
@@ -65,7 +66,6 @@ profile wireplumber @{exec_path} {
   @{run}/systemd/users/@{uid} r,
 
   @{run}/udev/data/c14:@{int} r,          # Open Sound System (OSS)
-  @{run}/udev/data/c81:@{int}  r,         # For video4linux
   @{run}/udev/data/c116:@{int} r,         # For ALSA
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
 
@@ -86,7 +86,6 @@ profile wireplumber @{exec_path} {
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
-  /dev/media@{int} rw,
   /dev/udmabuf rw,
 
   include if exists <local/wireplumber>
diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes
index 1447715b7..cd46dd069 100644
--- a/apparmor.d/groups/gnome/gnome-boxes
+++ b/apparmor.d/groups/gnome/gnome-boxes
@@ -13,10 +13,12 @@ profile gnome-boxes @{exec_path} {
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.timedate1>
+  include <abstractions/camera>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/gstreamer>
+  include <abstractions/media-control>
   include <abstractions/nameservice-strict>
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>
@@ -80,9 +82,6 @@ profile gnome-boxes @{exec_path} {
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/stat r,
 
-  /dev/media@{int} rw,
-  /dev/video@{int} rw,
-
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   profile virsh {
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 111facf64..10f310232 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -17,11 +17,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.freedesktop.Avahi>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/camera>
   include <abstractions/cups-client>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/gstreamer>
+  include <abstractions/media-control>
   include <abstractions/nameservice-strict>
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>
@@ -191,8 +193,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/task/*/comm rw,
 
   /dev/ r,
-  /dev/media@{int} r,
-  /dev/video@{int} rw,
 
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 0876b90d1..7344b735b 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -32,18 +32,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/bus/org.freedesktop.systemd1>
   include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
+  include <abstractions/camera>
   include <abstractions/dconf-write>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/gstreamer>
   include <abstractions/ibus>
+  include <abstractions/media-control>
   include <abstractions/nameservice-strict>
   include <abstractions/notifications>
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
-  include <abstractions/video>
 
   capability sys_nice,
   capability sys_ptrace,
@@ -321,7 +322,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{run}/udev/data/+acpi:* r,             # Exposes ACPI objects (power buttons, batteries, thermal)
   @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
   @{run}/udev/data/+sound:card@{int} r,   # for sound card
-  @{run}/udev/data/+usb:* r,              # Identifies all USB devices
   @{run}/udev/data/+i2c:* r,              # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
   @{run}/udev/data/+hid:* r,              # For Human Interface Device (mice, controllers, drawing tablets, scanners)
   @{run}/udev/data/c10:@{int} r,          # for non-serial mice, misc features
@@ -379,7 +379,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
 
-        /dev/media@{int} rw,
         /dev/tty@{int} rw,
   @{att}/dev/dri/card@{int} rw,
   @{att}/dev/input/event@{int} rw,
diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch
index 049b3c402..d5700db7c 100644
--- a/apparmor.d/groups/gnome/localsearch
+++ b/apparmor.d/groups/gnome/localsearch
@@ -68,9 +68,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
-  /dev/media@{int} rw,
-  /dev/video@{int} rw,
-
   include if exists <local/localsearch>
 }
 
diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
index f084e7b12..e1bde2238 100644
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@@ -10,14 +10,15 @@ include <tunables/global>
 profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio-client>
+  include <abstractions/camera>
   include <abstractions/dconf-write>
   include <abstractions/deny-sensitive-home>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/gstreamer>
+  include <abstractions/media-control>
   include <abstractions/nameservice-strict>
   include <abstractions/private-files-strict>
-  include <abstractions/video>
 
   network netlink raw,
 
@@ -52,8 +53,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/task/@{tid}/comm w,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
 
-  /dev/media@{int} r,
-
   include if exists <local/org.gnome.NautilusPreviewer>
 }
 
diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese
index b89fa42f2..33b933be2 100644
--- a/apparmor.d/profiles-a-f/cheese
+++ b/apparmor.d/profiles-a-f/cheese
@@ -11,10 +11,12 @@ include <tunables/global>
 profile cheese @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio-client>
+  include <abstractions/camera>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
   include <abstractions/graphics>
   include <abstractions/gstreamer>
+  include <abstractions/media-control>
   include <abstractions/nameservice-strict>
   include <abstractions/thumbnails-cache-write>
 
@@ -49,9 +51,6 @@ profile cheese @{exec_path} {
 
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
-  /dev/media@{int} rw,
-  /dev/video@{int} rw,
-
   include if exists <local/cheese>
 }
 
diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl
index e398049de..ddb86b9a2 100644
--- a/apparmor.d/profiles-s-z/v4l2-ctl
+++ b/apparmor.d/profiles-s-z/v4l2-ctl
@@ -9,14 +9,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/v4l2-ctl
 profile v4l2-ctl @{exec_path} {
   include <abstractions/base>
+  include <abstractions/camera>
   include <abstractions/consoles>
-  include <abstractions/devices-usb>
+  include <abstractions/media-control>
 
   @{exec_path} mr,
 
-  /dev/media@{int} rw,
-  /dev/video@{int} rw,
-
   include if exists <local/v4l2-ctl>
 }
 
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index 8a1b5f355..f820d2953 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -16,12 +16,14 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.a11y>
+  include <abstractions/camera>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
   include <abstractions/devices-usb>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/gstreamer>
+  include <abstractions/media-control>
   include <abstractions/nameservice-strict>
   include <abstractions/python>
   include <abstractions/ssl_certs>
@@ -101,9 +103,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/stat r,
 
-  /dev/media@{int} r,
-  /dev/video@{int} rw,
-
   # Silence the noise
   deny /usr/share/virt-manager/{,**} w,
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,