diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix
index bfeaf5b..34a4a0e 100644
--- a/common/tooling/apparmor/default.nix
+++ b/common/tooling/apparmor/default.nix
@@ -32,6 +32,15 @@ in
 @{bin}/mbrola rix,
 '';
+ "local/pass" = ''
+ ${getExe' pkgs.pass ".pass-wrapped"} rix,
+ ${getExe' pkgs.coreutils "coreutils"} rix,
+ '';
+
+ "local/firefox" = ''
+ ${pkgs.passff-host}/share/** rPx -> passff,
+ '';
+
 "local/thunderbird" = ''
 ${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,
 /dev/urandom w,
@@ -58,6 +67,21 @@ in
 };
 security.apparmor.policies = {
+ passff = {
+ enable = true;
+ enforce = true;
+ profile = ''
+ abi ,
+ include
+ profile passff ${pkgs.passff-host}/share/passff-host/passff.py {
+ include # read access to /nix/store, basic presets for most apps
+ include
+ ${getExe pkgs.pass} Px,
+ }
+ '';
+
+ };
+
 swaymux = {
 enable = true;
 enforce = true;
@@ -127,6 +151,27 @@ in
 include "${apparmor-d}/etc/apparmor.d/groups/children/child-open"
 '';
 };
+ firefox-glxtest = {
+ enable = true;
+ enforce = true;
+ profile = ''
+ include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox-glxtest"
+ '';
+ };
+ firefox = {
+ enable = true;
+ enforce = true;
+ profile = ''
+ include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox"
+ '';
+ };
+ pass = {
+ enable = true;
+ enforce = true;
+ profile = ''
+ include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pass"
+ '';
+ };
 };
 };
 }
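Review bot: The `local/firefox` include grants `rPx -> passff` on `${pkgs.passff-host}/share/**`, which is wider than the single script the `passff` profile is declared for; narrowing it to `${pkgs.passff-host}/share/passff-host/passff.py rPx -> passff,` keeps the transition limited to the native-messaging host itself. The named transition requires the `passff` profile to be loaded, which this commit does define under `security.apparmor.policies`. The attribute set holding the `local/*` includes starts and ends outside the hunk.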
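Review bot: `${getExe pkgs.pass} Px,` in the `passff` profile relies on some loaded profile attaching to the Nix-store path of the `pass` wrapper; if apparmor-d's `pass` profile attaches by a different path pattern, the exec is denied rather than falling back. A named transition, `${getExe pkgs.pass} Px -> pass,`, makes the intended target explicit and matches the `rPx -> passff` form used in the `local/firefox` include in this commit. The `abi ,` and bare `include` lines look like their angle-bracket operands were lost in rendering; if the file really reads this way it will not parse, so worth a glance at the source. The blank line before the closing `};` of `passff` is stray. The enclosing `security.apparmor.policies` set continues outside the hunk.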
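Review bot: The three new policies carry no comment, while `passff` above explains its includes; since these are bare apparmor-d profiles whose host-specific additions presumably come from the `local/pass` and `local/firefox` includes added earlier in this commit, a one-liner such as `# upstream apparmor-d profiles; host-specific rules live in the "local/*" includes above` would tie the pieces together. All three are enforced from the start; if denials show up for firefox after the rebuild, `enforce = false` on that one entry gives complain-mode logs without touching the others. The enclosing `security.apparmor.policies` set starts outside the hunk.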