diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav
index fe462e2d..63e1d850 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@@ -30,5 +30,7 @@ profile gvfsd-dav @{exec_path} {
 owner @{run}/user/@{uid}/gvfsd/ rw,
 owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp
index 2860ae0b..6e214970 100644
--- a/apparmor.d/groups/gvfs/gvfsd-sftp
+++ b/apparmor.d/groups/gvfs/gvfsd-sftp
@@ -18,6 +18,8 @@ profile gvfsd-sftp @{exec_path} {
 /{usr/,}bin/ssh rPx,
+ owner @{run}/user/@{uid}/gvfsd-sftp/ rw,
+ owner @{PROC}/@{pid}/fd/ r,
 /dev/ptmx rw,
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index c286a1d1..5a7ceb0b 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -9,7 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/udevadm
 @{exec_path} += /{usr/,}lib/systemd/systemd-udevd
-profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
+profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 include
 include
 include
@@ -60,6 +60,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 /{usr/,}lib/crda/* rPUx,
 /{usr/,}lib/gdm-runtime-config rPx,
 /{usr/,}lib/systemd/systemd-* rPx,
+ @{libexec}/nfsrahead rPUx,
 /{usr/,}lib/udev/* rPUx,
 /{usr/,}lib/open-iscsi/net-interface-handler rPUx,
 /usr/share/hplip/config_usb_printer.py rPUx,
diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls
index a0c38fd1..a1b011c2 100644
--- a/apparmor.d/groups/virt/cockpit-tls
+++ b/apparmor.d/groups/virt/cockpit-tls
@@ -10,6 +10,7 @@ include
 profile cockpit-tls @{exec_path} {
 include
+ network inet stream,
 network inet6 stream,
 @{exec_path} mr,
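Review bot: `owner @{run}/user/@{uid}/gvfsd-sftp/ rw,` in the gvfsd-sftp hunk matches only the directory entry itself; an AppArmor path rule ending in `/` does not cover files or sockets created inside that directory. The sibling gvfsd-dav profile in this same diff pairs its `gvfsd/ rw,` rule with a `gvfsd/socket-* rw,` rule for exactly that reason, so if gvfsd-sftp creates anything under its directory a companion rule such as `owner @{run}/user/@{uid}/gvfsd-sftp/** rw,` will be needed; whether it does cannot be confirmed from the hunk. The gvfsd-sftp profile body continues outside the hunk.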
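Review bot: `@{libexec}/nfsrahead rPUx,` in the second systemd-udevd hunk uses the unconfined fallback (`Ux`), so until a dedicated nfsrahead profile is loaded the helper executes with no confinement at all, inheriting whatever privileges udevd launches it with; that matches the neighbouring `/{usr/,}lib/udev/* rPUx,` rule but the fallback is easy to mistake for a deliberate exemption later. A short comment above the rule, e.g. `# TODO: nfsrahead has no profile yet, falls back to unconfined`, would make the intent explicit. Note also that the first hunk keeps the profile in `complain` mode, so any denial triggered by the new rule would only be logged, not enforced. The enclosing profile starts and ends outside both hunks.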
diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap
index 6c0593e8..1d0325f5 100644
--- a/apparmor.d/profiles-m-r/nmap
+++ b/apparmor.d/profiles-m-r/nmap
@@ -13,10 +13,8 @@ profile nmap @{exec_path} {
 include
 include
- capability net_raw,
 capability net_bind_service,
-
- signal (receive) set=(term, kill) peer=zenmap,
+ capability net_raw,
 network inet dgram,
 network inet6 dgram,
@@ -27,12 +25,19 @@ profile nmap @{exec_path} {
 network netlink raw,
 network packet raw,
+ signal (receive) set=(term, kill) peer=zenmap,
+
 @{exec_path} mr,
+ /usr/share/nmap/** r,
+
+ owner /tmp/zenmap-stdout-* rw,
+ owner /tmp/zenmap-*.xml rw,
+
 owner @{PROC}/@{pid}/net/dev r,
 owner @{PROC}/@{pid}/net/if_inet6 r,
- owner @{PROC}/@{pid}/net/route r,
 owner @{PROC}/@{pid}/net/ipv6_route r,
+ owner @{PROC}/@{pid}/net/route r,
 # unprivileged
 # @{PROC}/@{pid}/net/dev r,
@@ -40,10 +45,5 @@ profile nmap @{exec_path} {
 # @{PROC}/@{pid}/net/route r,
 # @{PROC}/@{pid}/net/ipv6_route r,
- /usr/share/nmap/** r,
-
- owner /tmp/zenmap-stdout-* rw,
- owner /tmp/zenmap-*.xml rw,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy
index 8d065f4f..af7d5588 100644
--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@@ -25,7 +25,9 @@ profile scrcpy @{exec_path} {
 /{usr/,}bin/adb rPx,
 /usr/share/scrcpy/{,*} r,
- /usr/share/icons/**/scrcpy.png r,
+ /usr/share/icons/{,**} r,
+
+ /etc/machine-id r,
 /var/lib/dbus/machine-id r,
diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which
index aa9ac900..6144503a 100644
--- a/apparmor.d/profiles-s-z/which
+++ b/apparmor.d/profiles-s-z/which
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/which{.debianutils,}
+@{exec_path} = /{usr/,}bin/which{.debianutils,}
 profile which @{exec_path} flags=(complain) {
 include
 include
diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action
index 0dbbcb06..9ab5579c 100644
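Review bot: `/usr/share/icons/{,**} r,` in the scrcpy hunk widens the grant from a single icon file to the whole icon tree. The risk is low since it is read-only, world-readable system data, but upstream AppArmor's `abstractions/freedesktop.org` already grants `/usr/share/icons/**`, so if that abstraction is among the profile's includes (include targets are not visible in this rendering) the new rule is redundant, and if it is not, `include <abstractions/freedesktop.org>` is the conventional way to express this rather than an ad-hoc path rule. The scrcpy profile body continues outside the hunk.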
--- a/apparmor.d/profiles-s-z/wpa-action
+++ b/apparmor.d/profiles-s-z/wpa-action
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}sbin/wpa_action
+@{exec_path} = /{usr/,}{s,}bin/wpa_action
 profile wpa-action @{exec_path} {
 include
@@ -16,27 +16,26 @@ profile wpa-action @{exec_path} {
 @{exec_path} mr,
- /{usr/,}sbin/wpa_cli rPx,
+ /{usr/,}{s,}bin/wpa_cli rPx,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/logger rix,
- /{usr/,}bin/ln rix,
- /{usr/,}sbin/ifup rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/ip rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/date rix,
+ /{usr/,}bin/ip rix,
+ /{usr/,}bin/ln rix,
+ /{usr/,}bin/logger rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}sbin/ifup rix,
 /etc/wpa_supplicant/{,**} r,
+ /etc/network/interfaces r,
+ /etc/network/interfaces.d/{,*} r,
 owner @{run}/wpa_action.wlan[0-9]*.ifupdown rw,
 owner @{run}/wpa_action.wlan[0-9]*.timestamp rw,
 owner @{run}/network/ifstate.wlan[0-9]* rwk,
 owner @{run}/sendsigs.omit.d/wpasupplicant.wpa_supplicant.wlan[0-9]*.pid rw,
- /etc/network/interfaces r,
- /etc/network/interfaces.d/{,*} r,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli
index 4427ff38..bb65f3f0 100644
--- a/apparmor.d/profiles-s-z/wpa-cli
+++ b/apparmor.d/profiles-s-z/wpa-cli
@@ -6,21 +6,21 @@ abi ,
 include
-@{exec_path} = /{usr/,}sbin/wpa_cli
+@{exec_path} = /{usr/,}{s,}bin/wpa_cli
 profile wpa-cli @{exec_path} {
 include
 @{exec_path} mr,
- /{usr/,}sbin/wpa_action rPx,
+ /{usr/,}{s,}/wpa_action rPx,
+
+ /etc/inputrc r,
+
+ owner @{HOME}/.wpa_cli_history rw,
+ owner @{HOME}/.wpa_cli_history-[0-9]*.tmp rw,
 owner @{run}/wpa_supplicant/ r,
 owner /tmp/wpa_ctrl_@{pid}-[0-9] rw,
- # for interactive mode
- /etc/inputrc r,
- owner @{HOME}/.wpa_cli_history rw,
- owner @{HOME}/.wpa_cli_history-[0-9]*.tmp rw,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui
index 0c6d5ff8..7ec22127 100644
--- a/apparmor.d/profiles-s-z/wpa-gui
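Review bot: The new exec rule in the wpa-cli hunk, `/{usr/,}{s,}/wpa_action rPx,`, is missing the `bin` component: it expands to `/wpa_action`, `/usr/wpa_action`, `/s/wpa_action` and `/usr/s/wpa_action`, none of which is the path the wpa-action profile attaches to (`/{usr/,}{s,}bin/wpa_action`, as set in the wpa-action hunk of this same commit), so the transition from wpa_cli to wpa_action would be denied. It should read `/{usr/,}{s,}bin/wpa_action rPx,`, mirroring the `@{exec_path}` line a few lines above. Separately, the `# for interactive mode` comment is removed while the three rules it explained (`/etc/inputrc r,` and the two `.wpa_cli_history` rules) are only moved; restoring the comment above the moved block keeps that context.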
+++ b/apparmor.d/profiles-s-z/wpa-gui
@@ -9,32 +9,29 @@ include
 @{exec_path} = /{usr/,}{s,}bin/wpa_gui
 profile wpa-gui @{exec_path} {
 include
- include
- include
- include
- include
- include
- include
 include
+ include
+ include
+ include
+ include
 include
+ include
 @{exec_path} mr,
+ /usr/share/hwdata/pnp.ids r,
+ /usr/share/qt5ct/** r,
+
+ owner @{user_config_dirs}/qt5ct/{,**} r,
+ owner /tmp/wpa_ctrl_@{pid}-[0-9] w,
+ owner /dev/shm/#[0-9]*[0-9] rw,
 @{run}/wpa_supplicant/ r,
- /dev/shm/#[0-9]*[0-9] rw,
- owner @{PROC}/@{pid}/cmdline r,
- # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
- owner @{user_config_dirs}/qt5ct/{,**} r,
- /usr/share/qt5ct/** r,
-
- /usr/share/hwdata/pnp.ids r,
-
- # file_inherit
 owner /dev/tty[0-9]* rw,
 include if exists
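Review bot: Two explanatory comments are dropped while the rules they described are kept: `# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration` no longer accompanies the moved `owner @{user_config_dirs}/qt5ct/{,**} r,` and `/usr/share/qt5ct/** r,` pair, and `# file_inherit` no longer sits above `owner /dev/tty[0-9]* rw,`; both should be restored at the rules' new positions. Narrowing `/dev/shm/#[0-9]*[0-9] rw,` to `owner` is a welcome tightening. The removal of `owner @{PROC}/@{pid}/cmdline r,` is not explained; unless one of the newly included abstractions (their targets are not visible in this rendering) already covers it, the next audit log is likely to show a denial for that path. The profile's closing brace is outside the hunk.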