From 555b5e3c3ffad2a45df04af885886a6c0ed66b43 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 28 Feb 2024 17:17:20 +0000 Subject: [PATCH] feat(profile): general update. --- .../abstractions/bus/org.freedesktop.Accounts | 7 ++- .../bus/org.freedesktop.NetworkManager | 5 ++ .../bus/org.freedesktop.PolicyKit1 | 4 ++ .../abstractions/bus/org.freedesktop.locale1 | 6 ++- apparmor.d/groups/bus/dbus-broker | 4 +- apparmor.d/groups/bus/dbus-broker-launch | 2 +- apparmor.d/groups/freedesktop/colord | 5 ++ apparmor.d/groups/freedesktop/upowerd | 1 + .../freedesktop/xdg-desktop-portal-gnome | 9 ++-- apparmor.d/groups/freedesktop/xdg-mime | 1 + apparmor.d/groups/gnome/gnome-control-center | 17 +++--- apparmor.d/groups/gnome/gnome-session-ctl | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++--- apparmor.d/groups/gnome/gnome-system-monitor | 1 + .../groups/gnome/org.gnome.NautilusPreviewer | 2 +- apparmor.d/groups/kde/kde-powerdevil | 1 + apparmor.d/groups/kde/kioslave5 | 2 + apparmor.d/groups/kde/ksplashqml | 1 - apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/network/networkd-dispatcher | 8 ++- apparmor.d/groups/network/nm-dispatcher | 4 +- apparmor.d/groups/pacman/paccache | 14 +++-- apparmor.d/groups/ssh/sshd | 6 +-- apparmor.d/groups/systemd/networkctl | 7 ++- apparmor.d/groups/systemd/systemd-backlight | 2 +- apparmor.d/groups/systemd/systemd-detect-virt | 1 + apparmor.d/groups/systemd/systemd-hostnamed | 5 ++ apparmor.d/groups/systemd/systemd-logind | 2 + apparmor.d/groups/systemd/systemd-networkd | 9 ++++ apparmor.d/groups/ubuntu/ubuntu-report | 2 + apparmor.d/groups/virt/libvirtd | 7 +-- apparmor.d/groups/virt/virtiofsd | 2 +- apparmor.d/profiles-a-f/btop | 16 +++--- apparmor.d/profiles-a-f/dkms | 4 +- apparmor.d/profiles-a-f/flatpak | 5 +- apparmor.d/profiles-a-f/fsck | 10 ++-- apparmor.d/profiles-g-l/initd-kexec | 1 + apparmor.d/profiles-g-l/kerneloops-applet | 10 +--- .../profiles-g-l/landscape-sysinfo.wrapper | 1 + apparmor.d/profiles-m-r/pass | 4 +- apparmor.d/profiles-s-z/spflashtool | 53 ------------------- 
apparmor.d/profiles-s-z/switcheroo-control | 3 +- apparmor.d/profiles-s-z/udisksd | 7 +-- 43 files changed, 142 insertions(+), 124 deletions(-) delete mode 100644 apparmor.d/profiles-s-z/spflashtool diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index 3cfc3d77..c6ffc74b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -4,7 +4,7 @@ dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member=FindUserByName + member={FindUserByName,ListCachedUsers} peer=(name=:*, label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}} @@ -17,6 +17,11 @@ member=*Changed peer=(name=:*, label=accounts-daemon), + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=UserAdded + peer=(name=:*, label=accounts-daemon), + dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member=*Changed diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 69b0c389..2151eebc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -47,6 +47,11 @@ member=CheckPermissions peer=(name=:*, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions + peer=(name=:*, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={DeviceAdded,DeviceRemoved,StateChanged} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 438602f9..a258ca1d 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -15,6 +15,10 @@ interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization peer=(name=:*, label=polkitd), + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=CheckAuthorization + peer=(name=org.freedesktop.PolicyKit1), dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 index d39a153e..6d8c9649 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -5,6 +5,10 @@ dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="{:*,org.freedesktop.locale1}", label=systemd-localed), + peer=(name=:*, label=systemd-localed), + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.locale1), include if exists diff --git a/apparmor.d/groups/bus/dbus-broker b/apparmor.d/groups/bus/dbus-broker index 84e7b5af..98d6a44f 100644 --- a/apparmor.d/groups/bus/dbus-broker +++ b/apparmor.d/groups/bus/dbus-broker @@ -18,7 +18,7 @@ profile dbus-broker @{exec_path} flags=(attach_disconnected) { network bluetooth stream, network bluetooth seqpacket, - signal (receive) set=(cont, term) peer=systemd-user, + signal (receive) set=(cont, term) peer=@{systemd_user}, dbus bus=accessibility, dbus bus=session, @@ -41,5 +41,7 @@ profile dbus-broker @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/input/event@{int} rw, + @{PROC}/sys/kernel/cap_last_cap r, + include if exists } \ No newline at end of file 
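Review bot: The new `CheckAuthorization` send rule in org.freedesktop.PolicyKit1 uses `peer=(name=org.freedesktop.PolicyKit1)` with no `label=`, so unlike the existing `peer=(name=:*, label=polkitd)` rule it accepts whichever connection currently owns the well-known name rather than only the confined polkitd. The likely reason is that a call addressed to the well-known name before polkitd is up is answered by the bus during service activation, where a `label=polkitd` match cannot succeed, but nothing in the abstraction records that. Add a comment above the rule, e.g. `# No label: the call may be answered by the bus during service activation`, so the label is not reinstated (or the rule removed) by a later cleanup; if activation is not the reason, `peer=(name=org.freedesktop.PolicyKit1, label=polkitd)` keeps the check intact.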
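Review bot: Splitting `peer=(name="{:*,org.freedesktop.locale1}", label=systemd-localed)` into a labelled `:*` rule and an unlabelled `org.freedesktop.locale1` rule drops the label check for the well-known-name case, so the `GetAll` call is now permitted towards any connection owning that name instead of only systemd-localed. D-Bus policy limits who may claim the name, so the practical exposure is small, but it is a relaxation of the abstraction that the commit message does not mention. If the unlabelled form is there for service activation, state it in a comment on that rule; otherwise restore `label=systemd-localed` on the second rule.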
diff --git a/apparmor.d/groups/bus/dbus-broker-launch b/apparmor.d/groups/bus/dbus-broker-launch index 33342570..035b50b8 100644 --- a/apparmor.d/groups/bus/dbus-broker-launch +++ b/apparmor.d/groups/bus/dbus-broker-launch @@ -17,7 +17,7 @@ profile dbus-broker-launch @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/dbus-broker rPUx, + @{bin}/dbus-broker rPx, /usr/share/dbus-1/{,**} r, /usr/share/defaults/**.conf r, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index feadbdc9..4927d8ff 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -17,6 +17,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { include include + network inet dgram, + network inet6 dgram, network netlink raw, # dbus: own bus=system name=org.freedesktop.ColorManager @@ -61,6 +63,9 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, + @{PROC}/sys/dev/parport/ r, + @{PROC}/sys/dev/parport/parport@{int}/base-addr r, + @{PROC}/sys/dev/parport/parport@{int}/irq r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 4f96fa31..73fa4c6c 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -30,6 +30,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/ r, @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, @{run}/udev/data/+platform:* r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index c3c8c800..39416eeb 100644 
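Review bot: `network inet dgram` and `network inet6 dgram` give colord UDP sockets to any host, not just local discovery, and they are the only rules in this block without a comment although the surrounding sysfs and dbus rules are annotated. If this is for scanner or printer discovery, say so, e.g. `# UDP: device discovery (confirm against the denial that prompted it)`, so the grant is not widened to stream sockets later without thought. The `@{PROC}/sys/dev/parport/*` reads are read-only probes and look fine.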
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -18,14 +18,11 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include - include include include - include + include include - include include - include network unix stream, @@ -68,6 +65,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { @{bin}/* r, /usr/share/dconf/profile/gdm r, + /usr/share/thumbnailers/{,**} r, /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, @@ -75,6 +73,9 @@ profile xdg-desktop-portal-gnome @{exec_path} { owner @{HOME}/*/{,**} rw, + owner /tmp/.goutputstream-@{rand6} rw, + owner /tmp/@{rand6} rw, + @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index c7a0a253..9d1a2884 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -23,6 +23,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/head rix, @{bin}/mv rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/sed rix, @{bin}/tr rix, @{bin}/uname rix, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index f3faef85..4d1e23af 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -56,6 +56,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/language2locale rix, /usr/share/language-tools/language-options rPUx, + /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, 
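Review bot: `owner /tmp/@{rand6} rw` matches any user-owned six-character name in `/tmp`, which is far wider than the prefixed `owner /tmp/.goutputstream-@{rand6} rw` rule beside it and, combined with the existing `owner @{HOME}/*/{,**} rw`, makes the portal's writable scope hard to reason about. If a specific library creates these unnamed temporaries, name it in a comment (`# unnamed temp files created by <component>`) and prefer its prefixed form where one exists; if the producer is unknown, say so rather than leaving the bare pattern unexplained. The stripped `include` lines in the first hunk cannot be reviewed here since their targets are not visible.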
@@ -71,11 +72,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/pipewire/client.conf r, /usr/share/thumbnailers/{,*} r, /usr/share/wallpapers/{,**} r, - /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, + /usr/share/xml/iso-codes/{,**} r, /etc/cups/client.conf r, /etc/machine-info r, - /etc/pipewire/client.conf.d/ r, + /etc/pipewire/client.conf.d/{,**} r, /etc/rygel.conf r, /etc/security/pwquality.conf r, /etc/security/pwquality.conf.d/{,**} r, @@ -92,14 +93,18 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.cert/nm-openvpn/*.pem r, owner @{HOME}/.face r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{user_cache_dirs}/gnome-control-center/{,**} rw, owner @{user_cache_dirs}/thumbnails/{,**} rw, + owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r, owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, + owner @{user_games_dirs}/**.png r, + owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/gnome-remote-desktop/ w, owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, 
@@ -108,15 +113,15 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw, - owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, - owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w, - owner @{run}/user/@{uid}/pipewire-@{int} rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{run}/cups/cups.sock rw, @{run}/samba/ rw, @{run}/systemd/sessions/ r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, + owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/pipewire-@{int} rw, @{run}/udev/data/+dmi:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl index ab21fb06..004a8681 100644 --- a/apparmor.d/groups/gnome/gnome-session-ctl +++ b/apparmor.d/groups/gnome/gnome-session-ctl @@ -18,7 +18,7 @@ profile gnome-session-ctl @{exec_path} { dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={StartUnit,StopUnit} - peer=(name=org.freedesktop.systemd1, label="@{systemd}"), + peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 82fd7d15..872b6268 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -63,6 +63,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { network unix stream, ptrace (read), + ptrace (readby) peer=pipewire, signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term, hup) peer=gdm*, 
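Review bot: `ptrace (readby) peer=pipewire` in gnome-shell is fine, but the context line directly below it, `signal (receive) set=(cont, term) peer=systemd-user,`, still uses the literal profile name while this same patch moves dbus-broker, gnome-session-ctl, ubuntu-report and gnome-shell's own `JobRemoved` rule to the `@{systemd_user}` variable. Unless gnome-shell is deliberately left on the literal, `signal (receive) set=(cont, term) peer=@{systemd_user},` would keep the profiles in step and avoid a silent mismatch if the variable is ever redefined. The enclosing `profile gnome-shell` block runs well past this hunk.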
@@ -178,7 +179,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved - peer=(name=:*, label="@{systemd}"), + peer=(name=:*, label="@{systemd_user}"), dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu @@ -213,19 +214,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, + /opt/**/share/icons/{,**} r, /opt/*/**/*.png r, /snap/*/@{uid}/**.png r, /usr/share/{,zoneinfo-}icu/{,**} r, /usr/share/**.{png,jpg,svg} r, - /usr/share/app-info/icons/{,**} r, + /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, /usr/share/dconf/profile/gdm r, /usr/share/desktop-base/** r, /usr/share/desktop-directories/{,*.directory} r, /usr/share/egl/{,**} r, - /usr/share/evolution-data-server/icons/{,**} r, - /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/gdm/BuiltInSessions/{,*.desktop} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, @@ -238,7 +238,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /usr/share/pipewire/client.conf r, /usr/share/wallpapers/** r, /usr/share/wayland-sessions/{,*.desktop} r, - /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, + /usr/share/xml/iso-codes/{,**} r, /.flatpak-info r, /etc/fstab r, @@ -340,7 +340,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+sound:card@{int} r, # for sound @{run}/udev/data/+usb* r, # for USB mouse and keyboard @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+hid:* r , # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** 
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index d91a2542..0d460b4e 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -36,6 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref r, + @{run}/mount/utab r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 6cbd2fad..c364789b 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -39,7 +39,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/a*org.gnome.NautilusPreviewer.slice/*/memory.* r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index ca17640a..77abba25 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -61,6 +61,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/i2c-@{int}/name r, @{sys}/devices/platform/*/i2c-@{int}/name r, + @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mounts r, @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5 index 61117960..36720c59 100644 
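Review bot: `@{PROC}/@{pid}/fd/ r` in kde-powerdevil is added without `owner`, whereas the equivalent rules added by this same patch to networkd-dispatcher and paccache read `owner @{PROC}/@{pid}/fd/ r`. `@{pid}` is a plain integer pattern, so only `owner` limits the rule to the daemon's own fd listing; the kernel's ptrace access check still guards other processes' `fd/` directories, so the exposure is limited, but the unowned form states a wider intent than the profile needs. The adjacent `@{PROC}/@{pid}/mounts r` context line has the same shape, so if the omission is deliberate a one-line comment saying why would stop the next reviewer from "fixing" it.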
--- a/apparmor.d/groups/kde/kioslave5 +++ b/apparmor.d/groups/kde/kioslave5 @@ -67,6 +67,8 @@ profile kioslave5 @{exec_path} { deny /tmp/.* rw, deny /tmp/.*/{,**} rw, + owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory l -> @{HOME}/@{XDG_DESKTOP_DIR}/#@{int}, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kio_http/* rwl, owner @{user_cache_dirs}/ksycoca5_* r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 033ccfa3..8559520f 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -17,7 +17,6 @@ profile ksplashqml @{exec_path} { @{exec_path} mr, /usr/share/plasma/** r, - /usr/share/qt/translations/*.qm r, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksplash/ rw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 2c96258a..34623a92 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -128,6 +128,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/kwalletrc r, owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/plasma* rwlk, + owner @{user_config_dirs}/pulse/ rw, owner @{user_config_dirs}/pulse/cookie rwk, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index f4e96fbe..d0ca4473 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher 
@@ -17,15 +17,21 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*), + peer=(name=:*, label=systemd-networkd), @{exec_path} mr, @{bin}/ r, @{bin}/networkctl rPx, + @{bin}/ls rix, + @{bin}/sed rix, + + @{lib}/networkd-dispatcher/routable.d/postfix rix, /etc/networkd-dispatcher/{,**} r, + /var/spool/postfix/pid/master.pid r, + @{run}/systemd/notify rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index c5d05678..2cbea227 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -18,7 +18,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { capability sys_nice, capability sys_ptrace, - ptrace (read) peer=unconfined, + ptrace (read) peer=@{systemd}, # dbus: own bus=system name=org.freedesktop.nm_dispatcher @@ -73,7 +73,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { /etc/network/if-*.d/* rPUx, /etc/wpa_supplicant/ifupdown.sh rPUx, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index e175e83b..fa3589f3 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -7,9 +7,10 @@ abi , include @{exec_path} = @{bin}/paccache -profile paccache @{exec_path} { +profile paccache @{exec_path} flags=(attach_disconnected) { include include + include capability dac_read_search, capability mknod, @@ -20,8 +21,11 @@ profile paccache @{exec_path} { @{bin}/bash rix, @{bin}/cat rix, @{bin}/gettext rix, - @{bin}/pacman rPx, - @{bin}/pacman-conf rPx, + @{bin}/gpg{,2} rix, + @{bin}/gpgconf rix, + @{bin}/gpgsm rix, + @{bin}/pacman rix, + @{bin}/pacman-conf rix, @{bin}/pacsort rix, @{bin}/rm rix, @{bin}/stat rix, 
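Review bot: `@{run}/systemd/notify rw` grants read on the notify socket, while the other profiles in this patch that use it (networkctl, systemd-detect-virt) have `@{run}/systemd/notify w,`; sd_notify only sends datagrams, so `w` is sufficient and consistent. The postfix hook `@{lib}/networkd-dispatcher/routable.d/postfix rix` runs inherited inside the dispatcher's own confinement, which is acceptable for a distro-shipped script but is why `ls` and `sed` now have to be listed here too; a comment such as `# distro hook scripts run inherited, their helpers are listed below` would make that trade-off explicit. Tightening the `PropertiesChanged` receive to `label=systemd-networkd` is a good change.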
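Review bot: Changing `@{bin}/pacman` and `@{bin}/pacman-conf` from `rPx` to `rix` in paccache removes the transition into pacman's own profile, so pacman, together with the `gpg`, `gpgconf` and `gpgsm` helpers added beside it, now runs under paccache's rules, including the `capability dac_read_search` and `capability mknod` visible in the first hunk. For the query-only calls paccache makes that is arguably a tighter envelope than pacman's full profile, but it is a deliberate confinement decision and the hunk does not record why; add `# pacman is only used for queries here, run it inherited` above the rules. The `include` added in the first hunk cannot be reviewed because its target was stripped, and the `profile paccache` block continues outside the hunk.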
@@ -31,7 +35,11 @@ profile paccache @{exec_path} { /usr/share/makepkg/util/*.sh r, /usr/share/terminfo/** r, + /etc/pacman.conf r, + /etc/pacman.d/{,**} r, + /var/cache/pacman/pkg/{,*} rw, + /var/lib/pacman/{,**} r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index b5ff71af..8a640b31 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -55,9 +55,9 @@ profile sshd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=@{systemd}, dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={CreateSession,ReleaseSession} - peer=(name=org.freedesktop.login1, label=systemd-logind), + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} + peer=(name=org.freedesktop.login1, label=systemd-logind), @{exec_path} mrix, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 5e710099..6a9e6cb9 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -14,10 +14,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_module, - - # Needed? (#FIXME#) audit capability sys_resource, + ptrace (read) peer=@{systemd}, + signal send peer=child-pager, network inet dgram, @@ -44,10 +44,13 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{md5}/system.journal* r, /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r, + @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, @{run}/systemd/notify w, + @{run}/udev/data/n@{int} r, + @{sys}/devices/**/net/**/uevent r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index 07236904..2bd748d5 100644 --- a/apparmor.d/groups/systemd/systemd-backlight 
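Review bot: In networkctl the `# Needed? (#FIXME#)` comment is removed but, as far as the collapsed hunk shows, `audit capability sys_resource,` keeps its `audit` qualifier, so every use will still be logged with no remaining note on why. If the capability is now confirmed, drop the qualifier (`capability sys_resource,`); if it is still unexplained, keep a one-line comment saying so. `ptrace (read) peer=@{systemd}` is presumably for reading PID 1's `/proc` entries and `signal send peer=child-pager` for driving the pager; a short comment on each would save the next reader the guess.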
+++ b/apparmor.d/groups/systemd/systemd-backlight @@ -27,7 +27,7 @@ profile systemd-backlight @{exec_path} { @{sys}/class/ r, @{sys}/class/backlight/ r, - @{sys}/devices/pci[0-9]*/*:@{int}.@{int}/**/ r, + @{sys}/devices/@{pci}/*:@{int}.@{int}/**/ r, @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r, @{sys}/devices/@{pci}/backlight/**/{uevent,type} r, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 97b9208b..1efa0e42 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -20,6 +20,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{run}/host/container-manager r, + @{run}/systemd/notify w, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index b89de240..41fb0dea 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -18,6 +18,11 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { # dbus: own bus=system name=org.freedesktop.hostname1 + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixUser + peer=(name=org.freedesktop.DBus, label=dbus-daemon), + @{exec_path} mr, @{etc_rw}/.#hostname* rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index ad6ca5d9..d896c5d6 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -27,6 +27,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, + # mqueue r type=posix /, + # dbus: own bus=system name=org.freedesktop.login1 # dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}" 
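Review bot: The new `GetConnectionUnixUser` send rule in systemd-hostnamed is pinned to `peer=(name=org.freedesktop.DBus, label=dbus-daemon)`, so on a host whose system bus is dbus-broker (a profile this same patch updates) the call is denied and hostnamed cannot resolve the caller's uid before its authorization check. Check how other profiles in the repository address the bus daemon itself and use the same form; if both implementations are supported, a label alternation such as `label="{dbus-daemon,dbus-broker}"` or the repository's variable for it is what is needed. The rule is otherwise correctly scoped to the bus's own well-known name.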
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 935e2b6f..ab144453 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -29,6 +29,15 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { # dbus: own bus=system name=org.freedesktop.network1 + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.hostname1 + member=SetHostname + peer=(name=org.freedesktop.hostname1), + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.hostname1 + member=SetHostname + peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed), + @{exec_path} mr, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index c29ef321..6bf0e6aa 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -17,6 +17,8 @@ profile ubuntu-report @{exec_path} { network inet dgram, network inet6 dgram, + signal (receive) set=(cont term) peer=@{systemd_user}, + @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 6f855c3d..02161ed3 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -70,10 +70,10 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=unconfined, ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=dnsmasq, - ptrace (read,trace) peer=libvirt-*, + ptrace (read,trace) peer=libvirt-@{uuid}, ptrace (read,trace) peer=virt-manager, - signal (read,send) peer=libvirt-*, + signal (read,send) peer=libvirt-@{uuid}, signal (read,send) peer=unconfined, signal (send) peer=dnsmasq, signal (send) set=(kill, term) peer=virtiofsd, 
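Review bot: The two `SetHostname` send rules in systemd-networkd overlap: `peer=(name=org.freedesktop.hostname1)` has no `label=` and therefore already matches a peer labelled `systemd-hostnamed`, so the second rule adds nothing. If the unlabelled form is needed because the first call can arrive while hostnamed is still being activated by the bus, keep it and say so (`# may be answered by the bus during service activation`); otherwise keep only `peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed)` so that a hostname learned from DHCP is only ever handed to the confined hostnamed. Note the profile header shows `complain` mode, so a denial here would currently only be logged.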
@@ -246,16 +246,17 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/cpu/@{int}/msr r, /dev/dri/ r, /dev/hugepages/{,**} w, /dev/kvm rw, /dev/mapper/ r, /dev/mapper/control rw, /dev/net/tun rw, + /dev/ptmx rw, /dev/shm/libvirt/{,**} rw, /dev/vfio/@{int} rwk, /dev/vhost-net rw, - /dev/ptmx rw, # Force the use of virt-aa-helper audit deny @{bin}/apparmor_parser rwxl, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 46b12194..9c0ecccf 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/qemu/virtiofsd @{bin}/virtiofsd +@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd profile virtiofsd @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index b72bc2db..ec2ba089 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop 
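Review bot: `/dev/cpu/@{int}/msr r` in libvirtd is the only rule in this device block that exposes raw CPU state, and it has no comment; reading the msr device also needs CAP_SYS_RAWIO on current kernels, which is outside this hunk, so confirm the capability is already granted or the rule is dead. Read-only is the right scope, and a comment such as `# read-only MSR access, presumably for host CPU feature probing (confirm against the denial)` would record the intent. Moving `/dev/ptmx rw` is a pure reorder.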
@@ -23,17 +23,19 @@ profile btop @{exec_path} { owner @{user_config_dirs}/btop/{,**} rw, - @{sys}/class/power_supply/ r, @{sys}/class/hwmon/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/@{pci}/host@{int}/*/*/block/*/*/stat r, + @{sys}/devices/@{pci}/net/*/address r, + @{sys}/devices/@{pci}/net/*/statistics/{rx,tx}_bytes r, + @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, + @{sys}/devices/platform/coretemp.@{int}/hwmon/hwmon@{int}/{,*} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, + @{sys}/devices/virtual/**/net/*/address r, + @{sys}/devices/virtual/**/net/*/statistics/{rx,tx}_bytes r, + @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/ r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/{,*} r, - @{sys}/devices/platform/coretemp.@{int}/hwmon/hwmon@{int}/{,*} r, - @{sys}/devices/virtual/block/dm-@{int}/stat r, - @{sys}/devices/@{pci}/host@{int}/*/*/block/*/*/stat r, - @{sys}/devices/{pci[0-9]*,virtual}/{,**/}net/*/statistics/{rx,tx}_bytes r, - @{sys}/devices/{pci[0-9]*,virtual}/{,**/}net/*/address r, - @{sys}/devices/pci[0-9]*/*/*/usb@{int}/**/power_supply/hidpp_battery_[@{int}/{,hwmon@{int}/} r, @{PROC} r, @{PROC}/loadavg r, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index b894161f..67e60bef 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -61,7 +61,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/llvm-[0-9]*/bin/clang rix, @{lib}/modules/*/build/scripts/** rix, - @{lib}/modules/*/build/tools/objtool/objtool rix, + @{lib}/modules/*/build/tools/** rix, /var/lib/dkms/**/build/* rix, /var/lib/dkms/**/configure rix, @@ -125,6 +125,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner /tmp/tmp.* r, + @{sys}/module/compression r, + deny /apparmor/.null rw, include if exists 
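Review bot: `@{lib}/modules/*/build/tools/** rix` in dkms replaces the single `tools/objtool/objtool` entry with inline execution of anything under the kernel build tree's tools directory, inherited into dkms's own profile (`attach_disconnected`; its capabilities are outside this hunk). The tree is root-owned so the practical risk is low, but the grant is now open-ended and no longer documents which helpers the build actually runs; if the denial that prompted this came from one or two known binaries, list them, otherwise keep the glob with a comment such as `# kernel build helpers under tools/ (objtool and friends), executed inline`.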
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 4e103913..21206d61 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -9,11 +9,11 @@ include @{exec_path} = @{bin}/flatpak profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include - include include include + include include - include + include include include include @@ -44,7 +44,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{bin}/gpgsm rCx -> gpg, @{lib}/revokefs-fuse rix, - /usr/share/gvfs/remote-volume-monitors/*.monitor r, /usr/share/flatpak/{,**} r, /etc/flatpak/{,**} r, diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index cd91f19f..f512cd05 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -24,16 +24,16 @@ profile fsck @{exec_path} { /etc/fstab r, # When a mount dir is passed to fsck as an argument. + @{HOME}/ r, @{MOUNTS}/ r, /boot/ r, - /home/ r, - owner @{run}/fsck/ rw, - owner @{run}/fsck/*.lock rwk, - owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, - owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/mount/utab r, @{run}/systemd/fsck.progress rw, + owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, + owner @{run}/fsck/ rw, + owner @{run}/fsck/*.lock rwk, @{PROC}/@{pids}/mountinfo r, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index b295d5e4..ff9e442f 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -35,6 +35,7 @@ profile initd-kexec @{exec_path} { /etc/default/kexec.d/ r, + include if exists } profile systemctl { diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index e71c30b4..01f6aac1 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet 
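Review bot: `@{HOME}/ r` in fsck is not a superset of the removed `/home/ r`: if `@{HOME}` expands to the per-user directories as in the repository's tunables (`/home/*/`, `/root/`), then `/home/` itself — the path actually handed to fsck when `/home` is a separate filesystem, which is what the `# When a mount dir is passed to fsck as an argument.` comment describes — no longer matches unless `@{MOUNTS}` happens to cover it. Keep `/home/ r,` next to `@{HOME}/ r,`, or verify that `@{MOUNTS}` includes `/home/`. The `owner @{run}/...` moves below are a pure reorder.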
+++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include - include include - include + include @{exec_path} mr, @@ -21,14 +19,8 @@ profile kerneloops-applet @{exec_path} { owner @{HOME}/.kerneloops rw, - owner @{HOME}/.Xauthority r, - owner /tmp/xauth-[0-9]*-_[0-9] r, - # When found a kernel OOPS make a tmp file and fill it with the OOPS message /tmp/kerneloops.* rw, - # Fonts - /usr/share/poppler/cMap/Adobe-Japan2/ r, - include if exists } diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index 242ebb59..69732831 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -15,6 +15,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{sh_path} rix, @{bin}/bc rix, @{bin}/cat rix, + @{bin}/chmod rix, @{bin}/cut rix, @{bin}/date rix, @{bin}/find rix, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 7e16450f..b91ab9b2 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -16,6 +16,7 @@ profile pass @{exec_path} { @{sh_path} rix, @{bin}/base64 rix, + @{bin}/basename rix, @{bin}/cat rix, @{bin}/cp rix, @{bin}/diff rix, @@ -52,7 +53,7 @@ profile pass @{exec_path} { # Pass extensions @{bin}/oathtool rix, # pass-otp - @{bin}/python3.@{int} rPx -> pass-import, # pass-import + @{bin}/python3.@{int} rPx -> pass-import, # pass-import, pass-audit @{bin}/qrencode rPUx, # pass-otp @{bin}/tomb rPUx, # pass-tomb @@ -138,6 +139,7 @@ profile pass @{exec_path} { capability dac_read_search, @{bin}/gpg{,2} mr, + @{bin}/gpg-agent rPx, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, diff --git a/apparmor.d/profiles-s-z/spflashtool b/apparmor.d/profiles-s-z/spflashtool deleted file mode 100644 index 5d391709..00000000 
--- a/apparmor.d/profiles-s-z/spflashtool +++ /dev/null @@ -1,53 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /opt/SPFlashTool/flash_tool{,.sh} -profile spflashtool @{exec_path} { - include - include - include - include - include - - @{exec_path} mrix, - - # SPFlashTool installation files - /opt/SPFlashTool/{,**} r, - /opt/SPFlashTool/lib*.so mr, - /opt/SPFlashTool/lib/lib*.so.[0-9]* mr, - /opt/SPFlashTool/*.ini rk, - - # Session logs - owner /tmp/SP_FT_Logs/ rw, - owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ rw, - owner /tmp/SP_FT_Logs/SP_FT_Dump_*1/QT_FLASH_TOOL.log w, - owner /tmp/SP_FT_Logs/SP_FT_Dump_*/BROM_DLL_V[0-9]*.log w, - owner /tmp/SP_FT_Logs/SP_FT_Dump_*/GLB_[0-9]*-[0-9]*_[0-9]*.log w, - owner /tmp/SP_FT_Logs/SP_FT_Dump_*/QT_FLASH_TOOL.log w, - owner /tmp/SP_FT_Logs/SP_FT_Dump_*/ADPT_[0-9]*-[0-9]*_[0-9]*.log w, - - # For reading the scatter.txt file - owner /**/scatter.txt r, - - owner @{user_config_dirs}/Trolltech.conf rwk, - - owner @{user_config_dirs}/MTK/ rw, - owner @{user_config_dirs}/MTK/Clipper.conf rwk, - - /dev/ r, - # For reading/writing from/to phone flash memory - /dev/ttyACM[0-9]* rw, - - @{sys}/devices/@{pci}/{idVendor,idProduct} r, - - # Silence the noise - /opt/SPFlashTool/** w, - - include if exists -} diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index 048ae3cd..2b6a51fd 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -29,7 +29,8 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/{pci[0-9]*,virtual}/**/uevent r, + @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/virtual/**/uevent r, include if exists } 
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index c0d73b02..4bae15a7 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -78,9 +78,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{bin}/fsck.fat rPx, @{bin}/lvm rPUx, @{bin}/mke2fs rPx, - @{bin}/mkfs.btrfs rPx, - @{bin}/mkfs.ext{2,3,4} rPx, - @{bin}/mkfs.fat rPx, + @{bin}/mkfs.* rPx, @{bin}/mount.exfat-fuse rPUx, @{bin}/ntfs-3g rPx, @{bin}/ntfsfix rPx, @@ -94,7 +92,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /etc/crypttab r, - /var/lib/udisks2/ r, + /var/lib/udisks2/{,**} r, /var/lib/udisks2/mounted-fs{,*} rw, # Be able to create/delete dirs for removable media @@ -113,7 +111,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, @{run}/udev/data/+platform:* r, - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r,
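Review bot: `@{bin}/mkfs.* rPx` in udisksd replaces the explicit btrfs/ext/fat list with a glob, so every other `mkfs.<fs>` the daemon may be asked to run now needs a profile attached to that binary; with `Px` and no `U` fallback the exec is denied when none exists, which is the safe failure but surfaces to the desktop user as an unexplained format error. That is fine if the repository ships a profile for each mkfs udisks supports — worth confirming — and a comment such as `# one profile per mkfs.* is required, Px denies the rest` records the contract. The trailing hunk that removes `@{run}/udev/data/c@{dynamic}:@{int}` runs past the end of this excerpt and is not reviewed here.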