diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index f77379af1..14e4a4d39 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -36,6 +36,7 @@ profile epiphany-search-provider @{exec_path} { owner /tmp/Serialized* rw, @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @@ -46,6 +47,8 @@ profile epiphany-search-provider @{exec_path} { @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/smaps r, + owner @{PROC}/@{pid}/statm r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index c42aad369..c0ba6d9ca 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -16,6 +16,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include @{exec_path} mr, @@ -25,6 +26,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { owner @{HOME}/{,**} rw, + owner /tmp/wl-copy-buffer-@{rand6}/stdin r, + @{run}/mount/utab r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index b40ec9b25..5b4cb3147 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters 
@@ -18,7 +18,7 @@ profile gnome-characters @{exec_path} { include include - dbus bind bus=session name=org.gnome.Characters, + # dbus: own bus=session name=org.gnome.Characters dbus receive bus=session path=/org/gnome/Characters/SearchProvider interface=org.gnome.Shell.SearchProvider2 peer=(name=:*, label=gnome-shell), diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index ad7afb263..2145ce9d5 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -30,7 +30,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/env r, @{bin}/python3.@{int} rix, - @{lib}/python3.@{int}/site-packages//gnomemusic/__pycache__/{,**} rw, + @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw, /usr/share/grilo-plugins/grl-lua-factory/{,*} r, /usr/share/org.gnome.Music/{,**} r, @@ -45,8 +45,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - @{run}/systemd/inhibit/[0-9]*.ref rw, - owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw, owner /var/tmp/etilqs_@{hex} rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 872b62683..4246341bc 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -288,6 +288,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_music_dirs}/**.{png,jpg,svg} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, + owner @{user_config_dirs}/background r, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/pulse/ rw, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 3d84ac308..77ba0fea3 100644 
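Review bot: Replacing `dbus bind bus=session name=org.gnome.Characters,` with the directive comment `# dbus: own bus=session name=org.gnome.Characters` means the bind permission now exists only if the build step that expands such directives has run; a profile dropped into `/etc/apparmor.d` without that step silently loses the ability to own its name. The expanded form presumably also emits send/receive rules for the name's object path, so it is broader than the single rule it replaces. The explicit `dbus receive bus=session path=/org/gnome/Characters/SearchProvider ... peer=(name=:*, label=gnome-shell)` rule that stays should be compared with what the directive generates so the profile does not end up keeping a redundant, differently scoped duplicate.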
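Review bot: The surviving `@{run}/systemd/inhibit/[0-9]*.ref rw,` line in gnome-music keeps a raw `[0-9]*` glob while the rest of this commit converts such patterns to the project's variables; `@{run}/systemd/inhibit/@{int}.ref rw,` would match the convention applied in the other hunks. The dropped `owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,` rule is presumably now provided by an abstraction, which cannot be confirmed from this hunk; if it is not, GStreamer's ORC JIT pages would be denied at playback time, so the audit log after a playback test is worth a look.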
--- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -91,8 +91,8 @@ profile gnome-software @{exec_path} { owner /tmp/#@{int} rw, owner @{run}/user/@{uid}/.dbus-proxy/ rw, - owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-[0-9A-Z]* rw, - owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-[0-9A-Z]* rw, + owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/.flatpak-cache rw, owner @{run}/user/@{uid}/.flatpak/{,**} rw, owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 677b8105c..9d59607ce 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Jeroen Rijken +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,9 +14,8 @@ profile konsole @{exec_path} flags=(attach_disconnected) { include include include - include + include include - include include ptrace (read), @@ -25,10 +25,13 @@ profile konsole @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/@{shells} rUx, @{browsers_path} rPx, - @{lib}/@{multiarch}/utempter/utempter rPUx, + + @{lib}/{,@{multiarch}/}utempter/utempter rPx, /usr/share/color-schemes/{,**} r, + /usr/share/knotifications5/plasma_workspace.notifyrc r, /usr/share/konsole/{,**} r, + /usr/share/sounds/** r, /etc/xdg/konsolerc r, /etc/xdg/ui/ui_standards.rc r, 
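Review bot: Narrowing `[0-9A-Z]*` to the fixed-length `@{rand6}` on the two `.dbus-proxy/*-bus-proxy-` lines is a real tightening, but it only matches if the proxy names its sockets with exactly six random characters; a longer suffix is now denied rather than allowed. The same length assumption is introduced by the `@{rand6}`, `@{rand8}` and `@{hex}` substitutions in the systemd-hwdb, systemd-sysusers, systemd-update-done, gitstatusd, browserpass, snap and steam-fossilize hunks, where the producers are different programs (systemd's `.#` temp files, Firefox profile directories, mutter's Xwayland auth files). A check of each producer's naming, or of the audit log after the change, is all that is needed; where the length is known to vary, the open glob should stay.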
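Review bot: `@{lib}/{,@{multiarch}/}utempter/utempter rPx,` in konsole drops the `U` fallback, so on a system where the `utempter` profile is not loaded the exec is now denied instead of running unconfined; that is the safer direction, but it makes the two profiles a pair that must ship together (the utempter hunk in this commit updates its `@{exec_path}` to the same pattern, which `rPx` needs in order to resolve). The `/usr/share/knotifications5/plasma_workspace.notifyrc r,` and `/usr/share/sounds/** r,` lines moved up here lose the comment that explained them at their old location; keeping `# Required including abstractions/audio for sending notifications` above them preserves that rationale.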
@@ -36,31 +39,25 @@ profile konsole @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_SSH_DIR}/config r, owner @{user_config_dirs}/#@{int} rwl, - owner @{user_config_dirs}/konsolerc{,**} rw, + owner @{user_config_dirs}/konsolerc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolerc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/konsolerc.lock rwlk, - owner @{user_config_dirs}/konsolesshconfig rw, + owner @{user_config_dirs}/konsolerc.lock rwk, + owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, - owner @{user_config_dirs}/konsolerc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_share_dirs}/konsole/{,**} rw, - # Required including abstractions/audio for sending notifications - /usr/share/knotifications5/plasma_workspace.notifyrc r, - /usr/share/sounds/** r, - owner /tmp/#@{int} rw, owner /tmp/konsole.@{rand6} rw, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - + @{PROC}/sys/kernel/core_pattern r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/stat r, - @{PROC}/sys/kernel/core_pattern r, + + /dev/ptmx rw, include if exists } diff --git a/apparmor.d/groups/kde/utempter b/apparmor.d/groups/kde/utempter index 1b425a541..639cfc171 100644 --- a/apparmor.d/groups/kde/utempter +++ b/apparmor.d/groups/kde/utempter @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/utempter/utempter +@{exec_path} = @{lib}/{,@{multiarch}/}utempter/utempter profile utempter @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index 4d3a53874..51bec315c 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script 
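Review bot: `/dev/ptmx rw,` is appended at the end of the konsole profile with no comment; it is the pty master for every shell the terminal spawns and cannot be `owner`-scoped, so a line such as `# pty allocation for child shells` would record that the broad device rule is deliberate (if `abstractions/consoles` is among the includes, check it is not already a duplicate). The rewritten config rules are a tightening, replacing `konsolerc{,**} rw` with explicit `rwl -> @{user_config_dirs}/#@{int}` targets and dropping `l` from the `.lock` file. The removed `@{sys}/devices/system/node/` rules are presumably covered by one of the includes swapped in the earlier hunk, whose targets were stripped in this rendering; confirming with the audit log is prudent since their purpose for konsole was never commented.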
@@ -23,11 +23,11 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { /etc/netplan/{,*} r, @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw, - @{run}/NetworkManager/system-connections/ r, + @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw, @{run}/systemd/system/ r, @{run}/systemd/system/netplan-* rw, - @{run}/systemd/system/systemd-networkd.service.wants/ r, + @{run}/systemd/system/systemd-networkd.service.wants/ rw, @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, @{run}/udev/rules.d/ r, @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index cc244ca5f..1247ef1c3 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -28,6 +28,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/sort rix, @{bin}/stat rix, + @{bin}/pacman rCx -> pacman, /usr/share/mkinitcpio/*.preset r, @@ -47,5 +48,26 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { deny network inet6 stream, deny network inet stream, + profile pacman { + include + include + + capability dac_read_search, + + @{bin}/pacman mr, + + @{bin}/gpg rix, + @{bin}/gpgconf rix, + @{bin}/gpgsm rix, + + /etc/pacman.conf r, + /etc/pacman.d/{,**} r, + /etc/pacman.d/gnupg/** rwkl, + + /var/lib/pacman/local/{,**} r, + + include if exists + } + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index bc5ab4fc2..243a8dc1b 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl 
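Review bot: Raising `@{run}/NetworkManager/system-connections/` and `@{run}/systemd/system/systemd-networkd.service.wants/` from `r` to `rw` grants write on the directory inode itself, which AppArmor uses for mkdir/rmdir/rename of that directory, while creating or removing entries inside it is mediated by the entry rules on the following lines. A short comment on the two changed lines, for example `# mkdir when absent`, would make the intent explicit and keep a later reader from widening the entry globs to match. If the script only creates the directory, the reason is presumably a fresh boot without NetworkManager state; that is worth confirming from the denial that motivated the change.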
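Review bot: The new `pacman` child profile grants `/etc/pacman.d/gnupg/** rwkl,`, which lets the `gpg`/`gpgsm` processes it inherits modify the package-signing keyring and trust database, whereas a hook calling pacman presumably only queries the local database (`/var/lib/pacman/local/{,**} r,` is the only pacman data rule). If a query-only run merely needs gpg's lock and socket files, restricting write to those names and keeping `r` on the rest would leave the keyring read-only from this hook; the audit log of a real run will show which paths gpg touches. The `l` permission also carries no `-> target`, so links may be created anywhere under the keyring directory. The file still ends without a trailing newline (`\ No newline at end of file`).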
@@ -22,6 +22,8 @@ profile busctl @{exec_path} { unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl, + signal (send) set=(cont) peer=child-pager, + dbus eavesdrop bus=session, dbus eavesdrop bus=system, @@ -36,12 +38,12 @@ profile busctl @{exec_path} { @{bin}/more rPx -> child-pager, @{bin}/pager rPx -> child-pager, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, - owner @{PROC}/@{pid}/stat r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index 980df562e..282135b91 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -22,10 +22,19 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/uname rix, + /etc/cloud/{,**} r, + @{run}/cloud-init/{,.}ds-identify.* rw, + @{sys}/devices/virtual/dmi/id/chassis_asset_tag r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_serial r, + @{sys}/devices/virtual/dmi/id/product_uuid r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/cmdline r, @{PROC}/uptime r, + @{PROC}/@{pid}/environ r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index af934de3f..42bb03a24 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -16,7 +16,7 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, @{lib}/udev/#@{int} rwl, - @{lib}/udev/.#hwdb.bin[0-9a-zA-Z]* wl -> @{lib}/udev/#@{int}, + @{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int}, @{lib}/udev/hwdb.bin w, /etc/udev/.#hwdb.bind* rw, 
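Review bot: Dropping `owner` from `@{PROC}/@{pid}/cgroup`, `comm` and `stat` widens these reads to every process on the system, and keeping the `@{pid}` variable hides that; the convention visible elsewhere in this commit (`owner @{PROC}/@{pids}/fd/ r,` in the fwupd hunk) is to write `@{pids}` when other processes are meant, so `@{PROC}/@{pids}/cgroup r,` (likewise for `comm` and `stat`) plus a comment such as `# peer process info for busctl list/tree` would document the widening as intentional. The same `@{pid}`-without-`owner` pattern appears in the systemd-machined hunk (`@{PROC}/@{pid}/cgroup r,`) and in systemd-generator-ds-identify (`@{PROC}/@{pid}/environ r,`). The ds-identify one deserves first attention, since `environ` can carry secrets; if the reader only inspects PID 1's environment for container markers, `@{PROC}/1/environ r,` is the minimal rule.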
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 8ab95b699..692a347aa 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -37,5 +37,10 @@ profile systemd-machined @{exec_path} { @{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/notify w, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index ba89c4243..6bddd8a5f 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -33,17 +33,16 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { /etc/{passwd,shadow} rw, /etc/{passwd,shadow}- rw, /etc/{passwd,shadow}+ rw, - /etc/.#{passwd,shadow}[0-9a-zA-Z]* rw, + /etc/.#{passwd,shadow}@{hex} rw, /etc/{group,gshadow} rw, /etc/{group,gshadow}- rw, /etc/{group,gshadow}+ rw, - /etc/.#{group,gshadow}[0-9a-zA-Z]* rw, + /etc/.#{group,gshadow}@{hex} rw, /etc/.pwd.lock rwk, /dev/tty@{int} rw, owner /dev/pts/@{int} rw, - # Inherit Silencer deny network inet6 stream, deny network inet stream, diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index ba66a1276..1acb6aea5 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -16,9 +16,9 @@ profile systemd-update-done @{exec_path} { @{exec_path} mr, - /etc/.#.updated[0-9a-zA-Z]* rw, + /etc/.#.updated@{hex} rw, /etc/.updated w, - /var/.#.updated[0-9a-zA-Z]* rw, + /var/.#.updated@{hex} rw, /var/.updated w, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 4cc42c0d9..5ccba4981 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator 
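Review bot: Removing the `# Inherit Silencer` comment in systemd-sysusers leaves the two `deny network inet{,6} stream,` lines without the note that they only silence rules inherited from a caller rather than block anything sysusers does itself; the browserpass hunk in this same commit keeps the comment above the same construct. Either restore it here for consistency or drop it everywhere in one change, so readers get a single convention for these deny blocks.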
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/system-generators/zram-generator -profile zram-generator @{exec_path} { +profile zram-generator @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 423281623..dbc08c1f3 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -16,6 +16,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { include include + capability chown, capability dac_read_search, capability fsetid, capability setgid, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 9a738b25d..920e74f98 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -32,6 +32,9 @@ profile check-new-release-gtk @{exec_path} { @{bin}/ischroot rix, @{bin}/lsb_release rPx -> lsb_release, + @{lib}/python3/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/python3/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, /usr/share/update-manager/{,**} r, diff --git a/apparmor.d/groups/virt/cockpit-certificate-ensure b/apparmor.d/groups/virt/cockpit-certificate-ensure index 893805fb1..2b6fddba8 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-ensure +++ b/apparmor.d/groups/virt/cockpit-certificate-ensure @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/cockpit/cockpit-certificate-ensure -profile cockpit-certificate-ensure @{exec_path} { +profile cockpit-certificate-ensure @{exec_path} flags=(attach_disconnected) { include capability dac_override, diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 8d627bf8c..f80c6f8d3 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls 
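Review bot: Adding `flags=(attach_disconnected)` on the `zram-generator` profile line (and, in the same commit, on cockpit-certificate-ensure and cockpit-tls) relaxes path mediation: an object whose path is disconnected from the profile's namespace root is re-attached at `/`, so existing rules may start matching files from other mount namespaces than intended. That is the usual fix when a generator or sandboxed service runs in a private mount namespace, but none of the three profiles records which access triggered it; a comment on each profile line, for example `# attach_disconnected: runs in a private mount namespace (see audit log)`, would keep the flag reviewable rather than carried forward unexamined.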
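Review bot: `capability chown,` is added to apport without any comment on what it is needed for; apport presumably runs as root and handles crash data on behalf of other users, so a line such as `# chown crash reports to the crashing user`, checked against the denial that motivated it, would document why this root-level capability is deliberate. Unlike the file rules around it, a capability cannot be narrowed by path, so the comment is the only place its scope can be recorded.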
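Review bot: The two new `w` rules on `@{lib}/python3/dist-packages/UpdateManager/**/__pycache__/` and `@{lib}/python3/dist-packages/gi/**/__pycache__/` allow writes into the system-wide Python package tree; for a GUI run as an ordinary user the write fails on DAC anyway, while for a root run it lets the process drop bytecode into the `gi` package shared by every Python GTK program. If the goal is only to silence the interpreter's failed bytecode write, `deny @{lib}/python3/dist-packages/{UpdateManager,gi}/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,` is the safer spelling and keeps the audit log quiet. If the write really is wanted, note that CPython renames the `.pyc.@{int}` temp file to the final `.pyc` name, which these rules do not cover, so the compile step would still be denied at the rename.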
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/cockpit/cockpit-tls -profile cockpit-tls @{exec_path} { +profile cockpit-tls @{exec_path} flags=(attach_disconnected) { include network inet stream, diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd new file mode 100644 index 000000000..9e89b7b33 --- /dev/null +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/cockpit/motd/update-motd +profile cockpit-update-motd @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/hostname rix, + @{bin}/ip rPx, + @{bin}/sed rix, + @{bin}/systemctl rCx -> systemctl, + + @{run}/cockpit/active.motd rw, + + owner /dev/tty rw, + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + @{PROC}/sys/kernel/cap_last_cap r, + + include if exists + } + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 51835f9dc..5dda75fc6 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -19,6 +19,8 @@ profile aa-notify @{exec_path} { ptrace (read), + signal (receive) set=(cont, term) peer=@{systemd_user}, + @{exec_path} mr, @{bin}/ r, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 49c988494..49ac837b9 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -33,7 +33,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/{b,d}ash rix, + @{sh_path} rix, @{bin}/blueman-tray rPx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index a8ab54684..33f07a98e 100644 --- a/apparmor.d/profiles-a-f/browserpass 
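Review bot: The new `systemctl` child profile in cockpit-update-motd grants `capability net_admin,` and `capability sys_ptrace,` to what is presumably a status query from a motd script; both are root-level capabilities with effects well outside this file, and nothing in the profile says which systemctl invocation needs them. If this mirrors the project's existing `systemctl` child pattern, a one-line comment saying so, ideally naming the invocation, would let a later reviewer drop them when the script changes. The file also ends without a trailing newline (`\ No newline at end of file`), as the pacman-hook-mkinitcpio hunk in this commit does.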
+++ b/apparmor.d/profiles-a-f/browserpass @@ -18,11 +18,11 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{2,} rCx -> gpg, owner @{HOME}/.password-store/{,**} r, - owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/.parentlock rw, - owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/extensions/* r, - owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/scriptCache-*.bin r, - owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r, - owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw, + owner @{HOME}/.mozilla/firefox/@{rand8}.*/.parentlock rw, + owner @{HOME}/.mozilla/firefox/@{rand8}.*/extensions/* r, + owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r, + owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r, + owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw, owner /tmp/mozilla-temp-@{int} r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @@ -32,8 +32,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { # Inherit Silencer deny network inet6, deny network inet, - deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/features/*/*.xpi r, - deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/storage/default/{,**} rw, + deny owner @{HOME}/.mozilla/firefox/@{rand8}.*/features/*/*.xpi r, + deny owner @{HOME}/.mozilla/firefox/@{rand8}.*/storage/default/{,**} rw, deny owner @{user_download_dirs}/{,**} rw, deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny owner @{user_share_dirs}/gvfs-metadata/{,**} r, diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 3962861dc..960797ea2 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app 
@@ -14,7 +14,8 @@ # # 1. All of this will have to be improved. However, as of today, it is the only way # to not break some (major) flatpak app. -# 2. It is not a big deal as flatpak is responsible for the sandbox anyway. +# 2. It is not a big deal as flatpak is responsible for the sandbox anyway. This this only defence in depth. +# 3. The main purpose of this profile is to ensure all processes are confined. abi , @@ -67,9 +68,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /app/.ref k, /app/extra/** rw, /bindfile@{rand6} rw, - /newroot/{,**} rw, - /tmp/newroot/ w, - /tmp/oldroot/ w, /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 84868aac6..befd0b3dd 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -135,12 +135,14 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { @{bin}/gpgconf mr, @{bin}/gpgsm mr, @{bin}/gpg-agent mrix, + @{lib}/gnupg/scdaemon rix, owner /var/lib/fwupd/gnupg/ rw, owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, owner @{PROC}/@{pids}/fd/ r, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 2221aa4d4..f0b837c6a 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -13,7 +13,7 @@ profile gitstatusd @{exec_path} { @{exec_path} mr, owner @{user_projects_dirs}/{,**} r, - owner @{user_projects_dirs}/**/.git/.gitstatus.[0-9a-zA-Z]*/{,**} rw, + owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 4ab63b137..b6ba5dfb5 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk 
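Review bot: The rewritten header line in flatpak-app reads `# 2. It is not a big deal as flatpak is responsible for the sandbox anyway. This this only defence in depth.`; the doubled `This this` should be `This is only defence in depth.`, and since this header is the only rationale users see for the broad rules in the file it is worth getting right. The new point 3 (`ensure all processes are confined`) largely restates point 2; merging them into one sentence would read more cleanly.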
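Review bot: `@{lib}/gnupg/scdaemon rix,` in fwupd makes the smartcard daemon inherit the enclosing gpg child profile (which begins outside this hunk), yet fwupd's use of gpg here is presumably metadata signature verification, where no smartcard is involved; gpg-agent spawns scdaemon opportunistically, and once it runs under this profile it will start requesting USB and pcscd access that do not belong in a firmware-update service. If the exec only needs silencing, `deny @{lib}/gnupg/scdaemon x,` is the tighter choice; if it is genuinely required, a comment naming the operation would help. The added `include if exists` line lost its target in this rendering and cannot be checked here.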
@@ -5,19 +5,17 @@ abi , include -@{exec_path} = /{,usr/}{,local/}bin/rustdesk +@{exec_path} = @{bin}/rustdesk profile rustdesk @{exec_path} { include include include include include + include include - include - include include include - include capability dac_read_search, capability dac_override, @@ -37,44 +35,29 @@ profile rustdesk @{exec_path} { @{bin}/curl rix, @{bin}/ls rix, + @{bin}/sudo rCx -> sudo, @{bin}/python3.@{int} rPx -> rustdesk_python, @{sh_path} rPx -> rustdesk_shell, /etc/gdm{,3}/custom.conf r, + owner @{HOME}/ r, # fails otherwise + owner @{HOME}/[rR]ust[dD]esk/{,**} rw, + owner @{HOME}/.local/ w, owner @{user_share_dirs}/ w, owner @{user_share_dirs}/logs/ w, owner @{user_share_dirs}/logs/[rR]ust[dD]esk/{,**} rw, owner @{user_config_dirs}/[rR]ust[dD]esk/{,**} rw, + /tmp/[rR]ust[dD]esk/{,**} rw, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, @{PROC}/uptime r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, - # grep ps - @{PROC} r, - capability sys_ptrace, - ptrace (read), - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/io r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/stat r, - @{PROC}/@{pid}/task/@{tid}/io r, - @{PROC}/@{pid}/task/@{tid}/status r, - - # service and GUI intercommunication - @{HOME}/.Xauthority r, - @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, - @{run}/user/@{uid}/gdm{,3}/Xauthority r, - /tmp/[rR]ust[dD]esk/{,**} rw, - /tmp/.X11-unix/ r, - /var/lib/lightdm/.Xauthority r, - # pulse /dev/shm/ r, /etc/pulse/client.conf r, 
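Review bot: Changing the attachment to `@{exec_path} = @{bin}/rustdesk` drops the `/usr/local/bin/rustdesk` match that `/{,usr/}{,local/}bin/rustdesk` had (as far as I know `@{bin}` in this project expands to `/{,usr/}{,s}bin`, without `/usr/local`), so a copy installed from the upstream tarball into `/usr/local/bin` would now run entirely unconfined, the opposite of the goal stated in the flatpak-app header in the same commit. The rustdesk_python hunk later in the commit also removes the matching `/usr/local/lib/python3.@{int}/dist-packages/pynput/` rule, so dropping `/usr/local` looks deliberate; if so, a short comment on the `@{exec_path}` line noting that only the packaged binary is supported would stop someone re-adding half of it. Several `include` lines are added and removed here but their targets were stripped by the rendering, so they cannot be reviewed.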
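Review bot: `/tmp/[rR]ust[dD]esk/{,**} rw,` is now the only non-`owner` writable path in the main rustdesk profile and it lost the `# service and GUI intercommunication` comment that sat above it, so the reason it must be shared between the root service and the user session (and cannot take `owner`) is no longer recorded; keeping that comment on the moved line preserves it. The bulk removal of `capability sys_ptrace`, `ptrace (read)` and the `@{PROC}/@{pid}/{environ,io,stat,...}` reads is a clear tightening. The X authority rules (`@{HOME}/.Xauthority`, `.mutter-Xwaylandauth.@{rand6}`, `gdm{,3}/Xauthority`, `/var/lib/lightdm/.Xauthority`) are removed with no replacement visible in this hunk; they are presumably supplied by the include added in the previous hunk, whose target was stripped in rendering, so an X11 session should be tested.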
@@ -86,24 +69,6 @@ profile rustdesk @{exec_path} { owner @{user_config_dirs}/pulse/@{md5}-runtime{,.tmp} rw, owner /tmp/pulse-*/ rw, - # gtk-tiny - /usr/share/themes/{,**} r, - /etc/gtk-3.0/settings.ini r, - /usr/share/themes/*/gtk-3.0/gtk.css r, - - # file transfer - owner @{HOME}/ r, # fails otherwise - owner @{HOME}/[rR]ust[dD]esk/{,**} rw, - - # file_inherit, X-tiny - owner @{HOME}/.xsession-errors w, - - # Do not reveal username (pop-up only) -# deny /etc/passwd r, - - # It's possible to disable root-based service ('systemctl disable rustdesk.service') and use RD only on-demand (or as client-only). After that, sudo isn't necessary. -# deny @{bin}/sudo x, - @{bin}/sudo rCx -> sudo, profile sudo { include include @@ -118,7 +83,9 @@ profile rustdesk @{exec_path} { network netlink raw, - @{bin}/sudo r, + @{bin}/sudo rm, + @{bin}/rustdesk rPx, + @{bin}/python3.@{int} rPx -> rustdesk_python, /etc/sudo.conf r, /etc/sudoers r, @@ -133,16 +100,10 @@ profile rustdesk @{exec_path} { /etc/environment r, /etc/default/locale r, - @{lib}/sudo/libsudo_util.so* mr, - @{lib}/sudo/sudoers.so mr, - @{PROC}/1/limits r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, - /{,usr/}{,local/}bin/rustdesk rPx, - @{bin}/python3.@{int} rPx -> rustdesk_python, - include if exists } @@ -172,7 +133,6 @@ profile rustdesk_python { @{bin}/uname rPx, /usr/share/rustdesk/files/pynput_service.py rPx, - /usr/local/lib/python3.@{int}/dist-packages/pynput/{,**} r, /usr/share/[rR]ust[dD]esk/files/{,**} r, /tmp/[rR]ust[dD]esk/ w, /tmp/[rR]ust[dD]esk/pynput_service rw, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index d0b274b26..7f72e2eb6 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap 
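Review bot: The removed `# deny /etc/passwd r,` and `# deny @{bin}/sudo x,` lines, together with their note that the root service can be disabled and rustdesk used on demand, were the only hint that a hardening opt-out exists; moving that guidance into a comment near the profile header (or the project's local override example) instead of deleting it keeps the option discoverable. The rest of the hunk only relocates rules that reappear in the earlier hunk.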
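Review bot: From the `sudo` child, `@{bin}/rustdesk rPx,` transitions back into the same top-level `rustdesk` profile, this time as root, so every non-`owner` rule written for the GUI (`/tmp/[rR]ust[dD]esk/{,**} rw`, the PulseAudio paths, the X/Wayland includes) is in force for the privileged service as well, on top of the `capability dac_read_search` and `capability dac_override` already in that profile. If the service needs a smaller set (it is presumably headless), a dedicated target such as `rPx -> rustdesk_service` would keep the two roles apart; at minimum a comment on this line noting that the root service shares the GUI profile makes the trade-off visible. `@{bin}/sudo rm,` replacing `r` is the usual `mr` for a child profile's own binary and is fine.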
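Review bot: The removed `@{lib}/sudo/libsudo_util.so* mr,` and `@{lib}/sudo/sudoers.so mr,` lines are what let the `sudo` child load its policy plugin; unless one of the abstractions included at the top of the child (not visible here) provides them, every sudo invocation from rustdesk will fail with the plugin denied, so this should be verified with an actual privileged action rather than only a profile load. The rustdesk and python execs moved up into the earlier sudo hunk, so those removals are fine.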
@@ -64,7 +64,7 @@ profile snap @{exec_path} { owner /tmp/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/snapd-session-agent.socket rw, owner @{run}/user/@{uid}/systemd/notify rw, diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize index c097ead1d..f708aa80b 100644 --- a/apparmor.d/profiles-s-z/steam-fossilize +++ b/apparmor.d/profiles-s-z/steam-fossilize @@ -23,7 +23,7 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/ rw, owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/** rwk, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, @{sys}/devices/system/node/node@{int}/cpumap r, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index 89fa5e56f..7474810fa 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -11,8 +11,8 @@ include profile steam-gameoverlayui @{exec_path} { include include - include - include + include + include network inet stream, network inet6 stream, @@ -40,11 +40,6 @@ profile steam-gameoverlayui @{exec_path} { owner @{user_share_dirs}/Steam/resource/{,**} rk, owner @{user_share_dirs}/Steam/userdata/@{int}/{,**} rk, - owner /var/cache/fontconfig/ rw, - - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, - owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, 
@@ -53,12 +48,6 @@ profile steam-gameoverlayui @{exec_path} { owner /tmp/steam_chrome_overlay_uid@{uid}_spid@{pids} rw, owner /tmp/miles_image_* mrw, - @{sys}/ r, - @{sys}/devices/system/cpu/cpu@{int}/** r, - @{sys}/kernel/ r, - - @{PROC}/version r, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists