From ef1776b8d592735e93a39c1559f0d7790cf83439 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Tue, 19 Dec 2023 23:49:30 +0000
Subject: [PATCH] feat(profile): start using new abstractions (3)

---
 apparmor.d/profiles-g-l/keepassxc             | 12 ++--------
 apparmor.d/profiles-m-r/mpv                   |  5 +----
 apparmor.d/profiles-m-r/nvidia-settings       |  5 ++---
 apparmor.d/profiles-m-r/nvtop                 | 10 +--------
 apparmor.d/profiles-s-z/scrcpy                |  6 +----
 apparmor.d/profiles-s-z/spice-vdagent         |  6 +----
 apparmor.d/profiles-s-z/spotify               | 14 ++----------
 apparmor.d/profiles-s-z/steam                 | 22 +++----------------
 apparmor.d/profiles-s-z/steam-fossilize       |  7 +-----
 apparmor.d/profiles-s-z/steam-game            | 14 ++----------
 apparmor.d/profiles-s-z/syncthing             |  1 -
 apparmor.d/profiles-s-z/thunderbird           | 14 ++----------
 apparmor.d/profiles-s-z/thunderbird-glxtest   |  9 +-------
 apparmor.d/profiles-s-z/thunderbird-vaapitest |  9 +-------
 apparmor.d/profiles-s-z/transmission-gtk      | 15 ++-----------
 apparmor.d/profiles-s-z/transmission-qt       | 15 +++++--------
 apparmor.d/profiles-s-z/virt-manager          | 13 ++---------
 apparmor.d/profiles-s-z/vlc                   | 14 ++----------
 apparmor.d/profiles-s-z/xfconfd               |  7 ++----
 apparmor.d/profiles-s-z/yt-dlp                |  3 +--
 20 files changed, 34 insertions(+), 167 deletions(-)

diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc
index 6794e7a0d..dd05139fc 100644
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@@ -13,23 +13,16 @@ profile keepassxc @{exec_path} {
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/dconf-write>
+  include <abstractions/desktop>
   include <abstractions/devices-usb>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/nvidia>
   include <abstractions/openssl>
   include <abstractions/qt5-compose-cache-write>
   include <abstractions/qt5-settings-write>
   include <abstractions/ssl_certs>
   include <abstractions/user-download-strict>
-  include <abstractions/vulkan>
-  include <abstractions/X-strict>
 
   network inet dgram,
   network inet6 dgram,
@@ -47,7 +40,6 @@ profile keepassxc @{exec_path} {
 
   /usr/share/hwdata/pnp.ids r,
   /usr/share/keepassxc/{,**} r,
-  /usr/share/libdrm/*.ids r,
   /usr/share/qt*/{,**} r,
 
   /etc/fstab r,
diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv
index 64a6a4b7e..bcd5788b6 100644
--- a/apparmor.d/profiles-m-r/mpv
+++ b/apparmor.d/profiles-m-r/mpv
@@ -15,13 +15,11 @@ profile mpv @{exec_path} {
   include <abstractions/fontconfig-cache-read>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
   include <abstractions/user-download-strict>
-  include <abstractions/vulkan>
 
   network inet dgram,
   network inet6 dgram,
@@ -41,7 +39,6 @@ profile mpv @{exec_path} {
   @{bin}/youtube-dl rPx,
   @{bin}/yt-dlp     rPx,
 
-  /usr/share/libdrm/{,**} r,
   /usr/share/pipewire/client-rt.conf r,
 
   /etc/libva.conf r,
diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings
index ecfe82a65..7b7fd7dc3 100644
--- a/apparmor.d/profiles-m-r/nvidia-settings
+++ b/apparmor.d/profiles-m-r/nvidia-settings
@@ -10,9 +10,8 @@ include <tunables/global>
 profile nvidia-settings @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/opencl-nvidia>
+  include <abstractions/desktop>
+  include <abstractions/nvidia-strict>
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop
index 7e339a324..e413aaeef 100644
--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@@ -10,11 +10,8 @@ include <tunables/global>
 profile nvtop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
+  include <abstractions/graphics-full>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl-nvidia>
-  include <abstractions/vulkan>
 
   capability sys_ptrace,
 
@@ -33,9 +30,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
 
   @{sys}/bus/ r,
-  @{sys}/class/ r,
-  @{sys}/class/drm/ r,
-  @{sys}/devices/@{pci}/drm/card@{int}/gt_*_freq_mhz r,
   @{sys}/devices/@{pci}/enable r,
   @{sys}/devices/system/node/node@{int}/cpumap r,
 
@@ -48,8 +42,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
   @{PROC}/@{pids}/stat r,
   @{PROC}/driver/nvidia/capabilities/mig/{config,monitor}  r,
 
-  /dev/char/@{dynamic}:@{int} w,  # For dynamic assignment range 234 to 254, 384 to 511
-
   /dev/dri/ r,
   /dev/nvidia-caps/ rw,
   /dev/nvidia-caps/nvidia-cap@{int} rw,
diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy
index c66ae4497..16d4798d4 100644
--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@@ -9,11 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/scrcpy
 profile scrcpy @{exec_path} {
   include <abstractions/base>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
-  include <abstractions/mesa>
-  include <abstractions/opencl>
-  include <abstractions/vulkan>
+  include <abstractions/graphics>
 
   network inet stream,
   network inet6 stream,
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index b0771b85e..e88a57963 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -17,7 +17,7 @@ profile spice-vdagent @{exec_path} {
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.freedesktop.RealtimeKit1>
   include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
-  include <abstractions/dri-common>
+  include <abstractions/dri>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
   include <abstractions/gtk>
@@ -47,11 +47,7 @@ profile spice-vdagent @{exec_path} {
         @{run}/spice-vdagentd/spice-vdagent-sock rw,
   owner @{run}/user/@{uid}/pipewire-@{int} rw,
 
-  @{sys}/devices/@{pci}/{device,vendor} r,
-
   owner @{PROC}/@{pids}/task/@{tid}/comm rw,
 
-  /dev/dri/card@{int} rw,
-
   include if exists <local/spice-vdagent>
 }
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index 31b1d08a2..0a5b6796c 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -17,15 +17,11 @@ profile spotify @{exec_path} {
   include <abstractions/base>
   include <abstractions/chromium-common>
   include <abstractions/dconf-write>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
+  include <abstractions/desktop>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  include <abstractions/vulkan>
 
   network inet dgram,
   network inet6 dgram,
@@ -40,7 +36,6 @@ profile spotify @{exec_path} {
 
   @{open_path}     rPx -> child-open,
 
-  /etc/libva.conf r,
   /etc/machine-id r,
   /etc/spotify-adblock/* r,
   /var/lib/dbus/machine-id r,
@@ -61,18 +56,13 @@ profile spotify @{exec_path} {
 
   owner @{run}/user/@{uid}/pulse/ r,
 
-  @{sys}/devices/@{pci}/irq r,
-  @{sys}/devices/system/cpu/cpu@{int}/cache/{,**} r,
-  @{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r,
   @{sys}/devices/system/cpu/kernel_max r,
-  @{sys}/devices/system/cpu/present r,
   @{sys}/devices/virtual/tty/tty@{int}/active r,
 
         @{PROC}/ r,
         @{PROC}/@{pid}/stat r,
         @{PROC}/sys/fs/inotify/max_user_watches r,
   owner @{PROC}/@{pid}/cmdline r,
-  owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/oom_score_adj w,
   owner @{PROC}/@{pid}/statm r,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index b909d6a55..5fbd589eb 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -14,17 +14,11 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
   include <abstractions/chromium-common>
   include <abstractions/consoles>
   include <abstractions/dconf-write>
+  include <abstractions/desktop>
   include <abstractions/disks-read>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl>
   include <abstractions/ssl_certs>
-  include <abstractions/vulkan>
 
   capability sys_ptrace,
 
@@ -104,8 +98,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
   /usr/lib/os-release rk,
   /usr/share/fonts/**.{ttf,otf} rk,
   /usr/share/terminfo/** r,
-  /usr/share/themes/{,**} r,
-  /usr/share/X11/{,**} r,
   /usr/share/zenity/* r,
 
   /etc/lsb-release r,
@@ -116,15 +108,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
   @{bin}/ r,
   @{lib}/ r,
   / r,
-  /{usr/,}{local/,} r,
-  /{usr/,}{local/,}share/ r,
   /etc/ r,
   /home/ r,
   /run/ r,
   /var/ r,
 
   owner @{HOME}/ r,
-  owner @{HOME}/.local/ r,
   owner @{HOME}/.steam/{,**} rw,
   owner @{HOME}/.steam/registry.vdf rwk,
   owner @{HOME}/.steampath rw,
@@ -132,22 +121,17 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
 
   owner @{user_games_dirs}/{,**} rwkl,
 
-  owner @{user_config_dirs}/ r,
   owner @{user_config_dirs}/autostart/ r,
   owner @{user_config_dirs}/cef_user_data/{,**} r,
   owner @{user_config_dirs}/unity3d/{,**} rwk,
   owner @{user_config_dirs}/user-dirs.dirs r,
 
-  owner @{user_share_dirs}/ r,
   owner @{user_share_dirs}/applications/*.desktop w,
   owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw,
   owner @{user_share_dirs}/Steam/ rw,
   owner @{user_share_dirs}/Steam/** rwkl -> @{user_share_dirs}/Steam/**,
   owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
 
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
-
   owner /dev/shm/#@{int} rw,
   owner /dev/shm/fossilize-*-@{int}-@{int} rw,
   owner /dev/shm/u@{uid}-Shm_@{hex} rw,
@@ -241,7 +225,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
     @{sys}/bus/pci/devices/ r,
     @{sys}/bus/pci/slots/ r,
     @{sys}/bus/pci/slots/@{int}/address r,
-    @{sys}/devices/pci[0-9]*/** r,
+    @{sys}/devices/@{pci}/** r,
   
     owner /dev/shm/ValveIPCSHM_@{uid} rw,
 
diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize
index 5c168490c..79cbb634c 100644
--- a/apparmor.d/profiles-s-z/steam-fossilize
+++ b/apparmor.d/profiles-s-z/steam-fossilize
@@ -10,11 +10,7 @@ include <tunables/global>
 @{exec_path} = @{steam_lib_dirs}/fossilize_replay
 profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
-  include <abstractions/mesa>
-  include <abstractions/opencl>
-  include <abstractions/vulkan>
+  include <abstractions/graphics>
 
   @{exec_path} mr,
 
@@ -29,7 +25,6 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
 
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
 
-  @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node@{int}/cpumap r,
 
         @{PROC}/@{pids}/statm r,
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index 188a79d73..f18c152a8 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -24,17 +24,13 @@ include <tunables/global>
 profile steam-game @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
+  include <abstractions/desktop>
   include <abstractions/devices-usb>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
   include <abstractions/fontconfig-cache-write>
-  include <abstractions/fonts>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl-nvidia>
   include <abstractions/python>
   include <abstractions/ssl_certs>
-  include <abstractions/vulkan>
 
   capability dac_override,
   capability dac_read_search,
@@ -120,8 +116,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   @{run}/host/usr/lib{,32,64}/**.so* rm,
   @{run}/host/usr/bin/localedef rix,
 
-  /usr/share/egl/{,**} r,
-  /usr/share/icons/{,**} r,
   /usr/share/terminfo/** r,
 
   /etc/machine-id r,
@@ -140,14 +134,12 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   /tmp/ r,
 
   owner @{HOME}/ r,
-  owner @{HOME}/.local/ r,
   owner @{HOME}/.steam/steam.pid r,
   owner @{HOME}/.steam/steam.pipe r,
 
   owner @{user_games_dirs}/{,*/} r,
   owner @{user_games_dirs}/*/{,**} rwkl,
 
-  owner @{user_config_dirs}/ r,
   owner @{user_config_dirs}/unity3d/{,**} rwk,
 
   owner @{user_share_dirs}/ r,
@@ -173,8 +165,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
         @{run}/host/usr/{,**} r,
   owner @{run}/pressure-vessel/{,**} rw,
   owner @{run}/user/@{uid}/ r,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner @{run}/user/@{uid}/orcexec.* mrw,  # gstreamer
 
   owner /dev/shm/#@{int} rw,
diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing
index e58584a55..a24aed4fe 100644
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@@ -27,7 +27,6 @@ profile syncthing @{exec_path} {
   /usr/share/mime/{,*} r,
 
   /etc/mime.types r,
-  /usr/share/mime/globs2 r,
 
   owner @{HOME}/ r,
   owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 734e8e752..c8cfc8700 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -22,20 +22,15 @@ profile thunderbird @{exec_path} {
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.freedesktop.RealtimeKit1>
   include <abstractions/dconf-write>
+  include <abstractions/desktop>
   include <abstractions/enchant>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/user-download-strict>
-  include <abstractions/vulkan>
-  include <abstractions/wayland>
 
   # userns,
 
@@ -111,14 +106,10 @@ profile thunderbird @{exec_path} {
 
   owner @{HOME}/ r,
 
-  owner @{user_cache_dirs}/ rw,
-
   owner @{user_config_dirs}/kwalletrc r,
   owner @{user_config_dirs}/mimeapps.list.* rw,
   owner @{user_config_dirs}/qt5ct/{,**} r,
 
-  owner @{user_share_dirs}/ r,
-
   owner @{user_mail_dirs}/ rw,
   owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,
 
@@ -150,7 +141,6 @@ profile thunderbird @{exec_path} {
         @{PROC}/@{pids}/net/route r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/cmdline r,
-  owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/environ r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest
index 9206d9d9f..b20dc9289 100644
--- a/apparmor.d/profiles-s-z/thunderbird-glxtest
+++ b/apparmor.d/profiles-s-z/thunderbird-glxtest
@@ -13,12 +13,8 @@ include <tunables/global>
 @{exec_path} = @{lib_dirs}/glxtest
 profile thunderbird-glxtest @{exec_path} {
   include <abstractions/base>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl-nvidia>
-  include <abstractions/vulkan>
   include <abstractions/X-strict>
 
   @{exec_path} mr,
@@ -27,9 +23,6 @@ profile thunderbird-glxtest @{exec_path} {
 
   owner /tmp/thunderbird/.parentlock rw,
 
-  @{sys}/bus/pci/devices/ r,
-  @{sys}/devices/@{pci}/class r,
-
   owner @{PROC}/@{pid}/cmdline r,
 
   include if exists <local/thunderbird-glxtest>
diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest
index 909ebc218..853aae2c6 100644
--- a/apparmor.d/profiles-s-z/thunderbird-vaapitest
+++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest
@@ -14,23 +14,16 @@ include <tunables/global>
 @{exec_path} = @{lib_dirs}/vaapitest
 profile thunderbird-vaapitest @{exec_path} {
   include <abstractions/base>
-  include <abstractions/dri-enumerate>
-  include <abstractions/dri-common>
-  include <abstractions/nvidia>
-  include <abstractions/vulkan>
+  include <abstractions/graphics>
 
   network netlink raw,
 
   @{exec_path} mr,
 
   /etc/igfx_user_feature{,_next}.txt w,
-  /etc/libva.conf r,
 
   owner /tmp/thunderbird/.parentlock rw,
 
-  @{sys}/devices/@{pci}/{irq,revision,resource} r,
-  @{sys}/devices/@{pci}/config r,
-
   deny @{cache_dirs}/*/startupCache/** r,
   deny @{config_dirs}/*/.parentlock rw,
   deny @{config_dirs}/*/startupCache/** r,
diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission-gtk
index b4562c1d8..6dcef0799 100644
--- a/apparmor.d/profiles-s-z/transmission-gtk
+++ b/apparmor.d/profiles-s-z/transmission-gtk
@@ -10,20 +10,13 @@ include <tunables/global>
 profile transmission-gtk @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
+  include <abstractions/desktop>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/nvidia>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
   include <abstractions/trash>
   include <abstractions/user-download-strict>
-  include <abstractions/vulkan>
-  include <abstractions/X-strict>
 
   network inet dgram,
   network inet6 dgram,
@@ -35,8 +28,6 @@ profile transmission-gtk @{exec_path} {
 
   @{open_path}         rPx -> child-open,
 
-  /usr/share/X11/xkb/{,**} r,
-
   owner @{user_torrents_dirs}/ r,
   owner @{user_torrents_dirs}/** rw,
 
@@ -47,8 +38,6 @@ profile transmission-gtk @{exec_path} {
   owner @{user_cache_dirs}/transmission/ rw,
   owner @{user_cache_dirs}/transmission/** rwk,
 
-  owner @{user_share_dirs}/ r,
-
   @{run}/mount/utab r,
 
         @{PROC}/@{pid}/net/route r,
diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt
index 08bd18de1..58325d8fa 100644
--- a/apparmor.d/profiles-s-z/transmission-qt
+++ b/apparmor.d/profiles-s-z/transmission-qt
@@ -9,20 +9,15 @@ include <tunables/global>
 @{exec_path} = @{bin}/transmission-qt
 profile transmission-qt @{exec_path} {
   include <abstractions/base>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
+  include <abstractions/desktop>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
-  include <abstractions/user-download-strict>
-  include <abstractions/private-files-strict>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
-  include <abstractions/qt5>
-  include <abstractions/qt5-settings-write>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
+  include <abstractions/private-files-strict>
+  include <abstractions/qt5-settings-write>
   include <abstractions/ssl_certs>
+  include <abstractions/user-download-strict>
 
   network inet dgram,
   network inet6 dgram,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index 715e4e5e8..1311f77b5 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -13,22 +13,17 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
   include <abstractions/dconf-write>
+  include <abstractions/desktop>
   include <abstractions/devices-usb>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
+  include <abstractions/graphics>
   include <abstractions/gstreamer>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl>
   include <abstractions/openssl>
   include <abstractions/python>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/user-download-strict>
-  include <abstractions/vulkan>
-  include <abstractions/wayland>
 
   network inet stream,
   network inet6 stream,
@@ -51,7 +46,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 
   @{open_path}     rPx -> child-open,
 
-  /usr/share/egl/{,**} r,
   /usr/share/gtksourceview-4/{,**} r,
   /usr/share/hwdata/*.ids r,
   /usr/share/ladspa/rdf/{,ladspa.rdfs} r,
@@ -67,10 +61,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 
   /etc/fstab r,
   /etc/libnl/classid r,
-  /etc/libva.conf r,
 
   owner @{HOME}/ r,
-  owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/virt-manager/{,**} rw,
 
   # For disk images
@@ -92,7 +84,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
 
   @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
-  @{sys}/devices/@{pci}/drm/ r,
   @{sys}/devices/virtual/drm/ttm/uevent r,
 
   owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc
index 44ed69ace..6a150d471 100644
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@@ -16,19 +16,15 @@ profile vlc @{exec_path} {
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.ScreenSaver>
   include <abstractions/dconf-write>
+  include <abstractions/desktop>
   include <abstractions/devices-usb>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
+  include <abstractions/graphics>
   include <abstractions/gstreamer>
-  include <abstractions/gtk>
   include <abstractions/ibus>
-  include <abstractions/mesa>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl>
   include <abstractions/ssl_certs>
   include <abstractions/user-download-strict>
-  include <abstractions/vulkan>
 
   network inet dgram,
   network inet6 dgram,
@@ -94,7 +90,6 @@ profile vlc @{exec_path} {
   /usr/share/vlc/{,**} r,
 
   /etc/fstab r,
-  /etc/libva.conf r,
 
   owner @{HOME}/ r,
   owner @{user_music_dirs}/{,**} rw,
@@ -102,8 +97,6 @@ profile vlc @{exec_path} {
   owner @{user_torrents_dirs}/{,**} rw,
   owner @{user_videos_dirs}/{,**} rw,
 
-  owner @{user_cache_dirs}/ rw,
-  owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/#@{int} rw,
   owner @{user_cache_dirs}/vlc/ rw,
   owner @{user_cache_dirs}/vlc/{,**} rw,
@@ -117,12 +110,9 @@ profile vlc @{exec_path} {
   owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
   owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
 
-  @{sys}/devices/@{pci}/irq r,
-
         @{PROC}/@{pids}/net/if_inet6 r,
         @{PROC}/sys/kernel/random/boot_id r,
   owner @{PROC}/@{pid}/cmdline r,
-  owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/profiles-s-z/xfconfd b/apparmor.d/profiles-s-z/xfconfd
index 319a57bb1..abea17687 100644
--- a/apparmor.d/profiles-s-z/xfconfd
+++ b/apparmor.d/profiles-s-z/xfconfd
@@ -11,22 +11,19 @@ include <tunables/global>
 @{exec_path} += @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd
 profile xfconfd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/xdg-desktop>
 
   @{exec_path} mr,
 
   /etc/xdg/xfce4/xfconf/*/*.xml r,
 
   owner @{HOME}/ r,
+  owner @{HOME}/.xsession-errors w,
 
-  owner @{user_cache_dirs}/ r,
-  owner @{user_config_dirs}/ r,
   owner @{user_config_dirs}/xfce4/ r,
   owner @{user_config_dirs}/xfce4/xfconf/*/*.xml{,.new} rw,
-  owner @{user_share_dirs}/ r,
 
-  # file_inherit
   owner /dev/tty@{int} rw,
-  owner @{HOME}/.xsession-errors w,
 
   include if exists <local/xfconfd>
 }
diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp
index 45bde4754..2e2fa0b00 100644
--- a/apparmor.d/profiles-s-z/yt-dlp
+++ b/apparmor.d/profiles-s-z/yt-dlp
@@ -16,6 +16,7 @@ profile yt-dlp @{exec_path} {
   include <abstractions/python>
   include <abstractions/ssl_certs>
   include <abstractions/user-download-strict>
+  include <abstractions/xdg-desktop>
 
   network inet dgram,
   network inet6 dgram,
@@ -38,10 +39,8 @@ profile yt-dlp @{exec_path} {
   owner @{user_music_dirs}/{,**} rwk,
   owner @{user_videos_dirs}/{,**} rwk,
 
-  owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/yt-dlp/{,**} rw,
 
-  owner @{user_config_dirs}/ rw,
   owner @{user_config_dirs}/yt-dlp/{,**} rw,
 
   owner @{PROC}/@{pid}/fd/ r,