diff --git a/apparmor.d/groups/browsers/torbrowser-updater b/apparmor.d/groups/browsers/torbrowser-updater
index 3bc8e591..5aaa82c2 100644
--- a/apparmor.d/groups/browsers/torbrowser-updater
+++ b/apparmor.d/groups/browsers/torbrowser-updater
@@ -16,7 +16,7 @@ profile torbrowser-updater @{exec_path} {
   @{exec_path} mr,
 
   @{lib_dirs}/*.so              mr,
-  @{lib_dirs}/firefox{,.real}   Px,
+  @{lib_dirs}/firefox{,.real}   Px -> torbrowser,
 
   owner @{lib_dirs}/{,**} rw,
 
diff --git a/apparmor.d/groups/browsers/torbrowser-vaapitest b/apparmor.d/groups/browsers/torbrowser-vaapitest
index 7570d6ce..cf68f3ea 100644
--- a/apparmor.d/groups/browsers/torbrowser-vaapitest
+++ b/apparmor.d/groups/browsers/torbrowser-vaapitest
@@ -24,6 +24,7 @@ profile torbrowser-vaapitest @{exec_path} flags=(attach_disconnected) {
   deny @{lib_dirs}/{,browser/}omni.ja r,
   deny @{cache_dirs}/profile.default/startupCache/* r,
   deny @{config_dirs}/.parentlock rw,
+  deny @{config_dirs}/extensions/*.xpi r,
 
   include if exists <local/torbrowser-vaapitest>
 }