diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index bdd917cd..5904a6c7 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -37,16 +37,31 @@ profile pulseaudio @{exec_path} {
 network bluetooth stream,
 network bluetooth seqpacket,
- dbus send bus=session path=/Client0/EntryGroup[0-9]*
+ dbus send bus=session path=/Client[0-9]*/EntryGroup[0-9]*
 interface=org.freedesktop.Avahi.EntryGroup
 member={GetState,AddService,AddServiceSubtype,Commit}
 peer=(name=org.freedesktop.Avahi),
- dbus receive bus=system path=/Client0/EntryGroup[0-9]*
+ dbus receive bus=system path=/Client[0-9]*/EntryGroup[0-9]*
 interface=org.freedesktop.Avahi.EntryGroup
 member={AddService,AddServiceSubtype,Commit,GetState,StateChanged}
 peer=(name=org.freedesktop.Avahi),
+ dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+ interface=org.freedesktop.Avahi.ServiceBrowser
+ member={ItemNew,ItemRemove}
+ peer=(name=org.freedesktop.Avahi), # no peer's label
+
+ dbus receive bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
+ interface=org.freedesktop.Avahi.ServiceResolver
+ member=Found
+ peer=(name=org.freedesktop.Avahi),
+
+ dbus send bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
+ interface=org.freedesktop.Avahi.ServiceResolver
+ member=Free
+ peer=(name=org.freedesktop.Avahi),
+
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
 member={RequestName,ReleaseName}
diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
index 38cb02d2..263a0137 100644
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
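Review bot: The three new Avahi rules rely on `peer=(name=org.freedesktop.Avahi)`, which checks only the well-known bus name and not the confining profile of the peer, as the `# no peer's label` comment admits; if this repository ships an avahi-daemon profile, `peer=(label=avahi-daemon)` would give the same guarantee that the xdg-dbus-proxy and plasmashell rules in this commit get from `peer=(label=...)`. The rewritten send rule also keeps `bus=session` while the matching receive rule and all three new ServiceBrowser/ServiceResolver rules are `bus=system`, which is where Avahi's objects normally live, so it is worth confirming from the audit log that the session-bus rule is still exercised at all. The enclosing profile starts and ends outside the hunk.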
@@ -9,10 +9,41 @@ include
 @{exec_path} = /{usr/,}bin/xdg-dbus-proxy
 profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 @{exec_path} mr,
+ dbus (send,receive) bus=system path=/
+ interface=org.freedesktop.DBus
+ member={AddMatch,GetNameOwner}
+ peer=(label=dbus-daemon),
+
+ dbus (send,receive) bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={AddMatch,RemoveMatch,NameHasOwner,GetNameOwner}
+ peer=(label=dbus-daemon),
+
+ dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=GetDevices
+ peer=(label=NetworkManager),
+
+ dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{/Devices/[0-9]*,/ActiveConnection/[0-9]*}
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(label=NetworkManager),
+
+ dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings
+ interface=org.freedesktop.NetworkManager.Settings
+ member=ListConnections
+ peer=(label=NetworkManager),
+
+ dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+ interface=org.freedesktop.NetworkManager.Settings.Connection
+ member=GetSettings
+ peer=(label=NetworkManager),
+
 owner @{run}/firejail/dbus/[0-9]*/[0-9]*-{system,user} rw,
 owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
 owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings
index 6dd8e228..823151ca 100644
--- a/apparmor.d/groups/freedesktop/xdg-settings
+++ b/apparmor.d/groups/freedesktop/xdg-settings
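Review bot: The six NetworkManager rules grant every sandbox that talks through this proxy AppArmor-level access to NetworkManager device, active-connection and connection-settings queries, leaving the proxy's own `--talk`/`--see` filter as the only per-application gate; that is presumably intended for a generic proxy, but nothing in the hunk says which sandboxed client needed it. A one-line comment above the first NetworkManager rule, such as `# Forwarded for sandboxed clients; the proxy filter, not this profile, decides which app may reach NetworkManager`, would keep the next reader from trying to tighten this per-app here. The scope itself looks read-only: `GetSettings` on `org.freedesktop.NetworkManager.Settings.Connection` does not hand out secrets as far as NetworkManager's API goes, and `GetSecrets` is not allowed. The enclosing profile continues past the hunk.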
@@ -43,8 +43,8 @@ profile xdg-settings @{exec_path} {
 /var/lib/snapd/desktop/applications/{,*} r,
 # freedesktop.org-strict
- /usr/share/applications/{,*} r,
- /usr/share/ubuntu/applications/ r,
+ /usr/{,local/}share/applications/{,*} r,
+ /usr/{,local/}share/ubuntu/applications/ r,
 owner @{user_share_dirs}/applications/ r,
 owner @{user_share_dirs}/applications/*.desktop r,
diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5
index 38ea4b42..00ee263f 100644
--- a/apparmor.d/groups/kde/kded5
+++ b/apparmor.d/groups/kde/kded5
@@ -84,6 +84,8 @@ profile kded5 @{exec_path} {
 owner @{user_share_dirs}/kded5/{,**} r,
 owner @{user_share_dirs}/kscreen/{,**} rw,
 owner @{user_share_dirs}/ktp/cache.db rwk,
+ owner @{user_share_dirs}/kcookiejar/#@{hex}* rw,
+ owner @{user_share_dirs}/kcookiejar/cookies.* rwkl,
 owner @{run}/user/@{uid}/#[0-9]* rw,
 owner @{run}/user/@{uid}/kded5*kioworker.socket rwl,
@@ -120,4 +122,4 @@ profile kded5 @{exec_path} {
 }
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 2dc7446c..ace3ea45 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -10,6 +10,7 @@ include
 profile plasmashell @{exec_path} {
 include
 include
+ include
 include
 include
 include
@@ -30,6 +31,11 @@ profile plasmashell @{exec_path} {
 signal (send),
+ dbus (send,receive) bus=system path=/org/freedesktop/UPower/devices/{,DisplayDevice,battery_BAT[0-9]*,mouse_hidpp_battery_[0-9]*}
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,PropertiesChanged}
+ peer=(label=upowerd),
+
 @{exec_path} mr,
 @{libexec}/libheif/ r,
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index 6ce12f56..8eb1ef4a 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
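Review bot: `owner @{user_share_dirs}/kcookiejar/#@{hex}* rw,` uses a different temporary-file pattern from the adjacent `owner @{run}/user/@{uid}/#[0-9]* rw,` line; the `#NNN` names given to unlinked temporary files are decimal inode numbers, so `#[0-9]*` matches the same files and keeps the two rules consistent. The `l` in `owner @{user_share_dirs}/kcookiejar/cookies.* rwkl,` is only justified if kded5 actually renames or hard-links the jar; if the audit log shows only open and lock, `rwk` is the tighter grant for a file that holds session cookies. The profile continues outside the hunk.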
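Review bot: The new UPower rule enumerates device object names (`DisplayDevice`, `battery_BAT[0-9]*`, `mouse_hidpp_battery_[0-9]*`) that depend on the hardware present, so a machine with a `line_power_*`, `keyboard_*` or `headset_*` device, or a differently named battery, will produce fresh denials. Because the rule is already pinned to `interface=org.freedesktop.DBus.Properties`, `member={GetAll,PropertiesChanged}` and `peer=(label=upowerd)`, widening the path to `path=/org/freedesktop/UPower/devices/{,*}` changes nothing about who can be reached or what can be done. The profile continues outside the hunk.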
@@ -40,10 +40,17 @@ profile ssh @{exec_path} {
 owner @{user_projects_dirs}/**/ssh/{,*} r,
 owner @{user_projects_dirs}/**/config r,
+ /etc/ssh/ssh_config r,
+ /etc/ssh/ssh_config.d/{,*} r,
+ # Needed to work for systemd-homed users
+ /etc/machine-id r,
+ @{run}/systemd/userdb/ r,
+
 owner @{run}/user/@{uid}/keyring/ssh rw,
- owner @{PROC}/@{pid}/loginuid r,
 owner @{PROC}/@{pid}/fd/ r,
+ owner /tmp/ssh-*/{,agent.[0-9]*} rwkl,
+
 include if exists
 }
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index dcf31faa..7c0f9067 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -19,6 +19,7 @@ profile ssh-agent @{exec_path} {
 /{usr/,}bin/enlightenment_start rPUx,
 /{usr/,}bin/gpg-agent rPx,
+ /{usr/,}bin/im-launch rPUx,
 /{usr/,}bin/kwalletaskpass rPUx,
 /{usr/,}bin/openbox-session rPx,
 /{usr/,}bin/startkde rPUx,
diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2
index 2d54b708..01430544 100644
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@@ -22,6 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
 ptrace (read) peer=containerd,
 ptrace (read) peer=unconfined,
+ signal (send) set=kill peer=cri-containerd.apparmor.d,
+
 mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
 umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 7e4e2803..4a0f7d4c 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
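Review bot: `owner /tmp/ssh-*/{,agent.[0-9]*} rwkl,` gives the ssh client write, lock and link permission on the agent socket directory as well as the socket, while connecting to an agent socket needs only `rw` on the socket file and `r` on the directory; the `l` in particular lets a compromised client create hard links inside `/tmp/ssh-*/`. Unless the audit log shows lock or link denials, `owner /tmp/ssh-*/ r,` plus `owner /tmp/ssh-*/agent.[0-9]* rw,` is the tighter form. The profile starts outside the hunk; its closing brace is the last line shown.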
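Review bot: `/{usr/,}bin/im-launch rPUx,` falls back to unconfined whenever no `im-launch` profile is loaded, and im-launch is a wrapper that goes on to start an input-method daemon, so that whole subtree runs unconfined from an ssh-agent parent until a profile exists. That matches how `kwalletaskpass` and `startkde` are handled in the same list, so it is consistent, but a trailing comment such as `# TODO: confine once an im-launch profile exists` would make the fallback explicit rather than silent. The profile continues outside the hunk.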
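Review bot: `signal (send) set=kill peer=cri-containerd.apparmor.d,` covers only SIGKILL, but a container stop is normally delivered as SIGTERM first and SIGKILL only after the grace period, and exec sessions can be signalled through the shim with other signals as well; if the audit log shows `signal=term` denials against the same peer, `set=(term,kill)` is the minimal widening. A short comment saying why the shim signals the container label directly (rather than via runc) would also help, since the `mount`/`umount` rules that follow are about rootfs handling and give no context. The profile continues outside the hunk.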
@@ -28,12 +28,15 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
 ptrace peer=@{profile_name},
 ptrace (read) peer={cni-calico-node,cri-containerd.apparmor.d,cni-xtables-nft,ip,kmod,kubernetes-pause,mount,unconfined},
- # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
+ # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes.
 # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
 ptrace (read) peer=container-*,
 ptrace (read) peer=docker-*,
 ptrace (read) peer=k3s-*,
 ptrace (read) peer=kubernetes-*,
+ # When using ZFS as storage provider instead of the default overlay2.
+ ptrace (read) peer=zfs,
+ ptrace (read) peer=zpool,
 network inet dgram,
 network inet6 dgram,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 4ffcd520..1d0a24e6 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -13,6 +13,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 include
 include
 include
+ include
 include
 include
@@ -38,7 +39,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
 interface=org.freedesktop.DBus.Properties
- member={Changed,GetAll},
+ member={Changed,GetAll}
+ peer=(label=polkitd),
 dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
 interface=org.freedesktop.DBus.Properties
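Review bot: The send rule now pinned to `peer=(label=polkitd)` still lists `Changed` in `member={Changed,GetAll}`, but `Changed` is a signal polkit emits, not a method fwupd would call on `org.freedesktop.DBus.Properties`, so on a `dbus send` rule that member can never match; the receive counterpart that actually needs it is what the next hunk adds. `member=GetAll` is the accurate send rule and stops the profile from implying fwupd initiates anything toward polkit. The profile continues outside the hunk.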
@@ -52,9 +54,24 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
+ dbus send bus=system path=/
+ interface=org.freedesktop.fwupd
+ member=Changed
+ peer=(label=fwupdmgr),
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus
+ member=Changed
+ peer=(label=fwupdmgr),
+
 dbus receive bus=system path=/
 interface=org.freedesktop.fwupd,
+ dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
+ interface=org.freedesktop.DBus.Properties
+ member={Changed,GetAll}
+ peer=(label=polkitd),
+
 dbus receive bus=system path=/
 interface=org.freedesktop.DBus.Properties
 member={GetAll,SetHints,GetPlugins,GetRemotes}
diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr
index 5d5c558e..4a4e6ce4 100644
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@@ -63,6 +63,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
 owner @{user_cache_dirs}/fwupd/ rw,
 owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,
+ owner @{run}/systemd/.cache/ rw,
+
 owner @{PROC}/@{pid}/fd/ r,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald
index b7a60564..0348a6a0 100644
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}sbin/thermald
-profile thermald @{exec_path} {
+profile thermald @{exec_path} flags=(attach_disconnected) {
 include
 include
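Review bot: `dbus send bus=system path=/ interface=org.freedesktop.fwupd member=Changed peer=(label=fwupdmgr),` pins a broadcast signal to a single receiver label; as I understand dbus-daemon's AppArmor mediation, each confined recipient is checked separately, so any other confined fwupd client (a software-centre front end, for instance) would stop receiving `Changed` once this profile leaves complain mode. Dropping the peer constraint on that one signal rule, or listing the other clients' labels, avoids silently breaking them. The second rule, `interface=org.freedesktop.DBus member=Changed` toward fwupdmgr, names a member the bus interface does not define and reads like a mis-attributed audit entry; worth re-checking before it is kept. The profile continues outside the hunk.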
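Review bot: `owner @{run}/systemd/.cache/ rw,` is an unexplained location — nothing under `/run/systemd/` is a normal per-user cache, and `rw` on a directory also permits creating entries in it; it looks like a fallback taken when `HOME`/`XDG_CACHE_HOME` are unset, as for an invocation from a systemd unit, but the hunk does not say. A comment such as `# Fallback cache dir when fwupdmgr runs without HOME/XDG_CACHE_HOME (e.g. from a systemd unit)` would record why it is needed, assuming that is what the audit log showed. The profile continues outside the hunk.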
@@ -39,16 +39,25 @@ profile thermald @{exec_path} {
 @{sys}/class/hwmon/ r,
 @{sys}/class/thermal/ r,
- @{sys}/devices/platform/ r,
+ @{sys}/devices/platform/{,*} r,
+ @{sys}/devices/platform/**/path r,
+ @{sys}/devices/platform/**/available_uuids r,
+ @{sys}/devices/platform/**/current_uuid rw,
 @{sys}/devices/system/cpu/present r,
- @{sys}/devices/system/cpu/intel_pstate/max_perf_pct r,
+ @{sys}/devices/system/cpu/intel_pstate/max_perf_pct rw,
+ @{sys}/devices/system/cpu/intel_pstate/no_turbo rw,
 @{sys}/devices/system/cpu/intel_pstate/status r,
 @{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/max_brightness r,
+ @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_max_uw r,
+ @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_min_uw r,
+ @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmax_us r,
+ @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmin_us r,
 @{sys}/devices/**/hwmon[0-9]*/name r,
 @{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_{max,crit} r,
+ @{sys}/devices/**/path r,
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/product_uuid r,
@@ -56,8 +65,11 @@ profile thermald @{exec_path} {
 @{sys}/devices/virtual/thermal/**/{type,temp} r,
 @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r,
+ @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/mode rw,
+ @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/policy rw,
 @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw,
 @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r,
+ @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_hyst r,
 @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/cdev[0-9]*_trip_point r,
 @{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r,
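Review bot: `@{sys}/devices/platform/**/current_uuid rw,` and its two `**` siblings reach under every platform device, yet the INT3400 thermal driver that exposes these attributes publishes them at a fixed spot, normally `INT3400:*/uuids/{available_uuids,current_uuid}`; if that is the path in the audit log, `@{sys}/devices/platform/INT3400:*/uuids/available_uuids r,` and `@{sys}/devices/platform/INT3400:*/uuids/current_uuid rw,` confine the only new sysfs write in this hunk to the device that owns it. The same goes for the very broad `@{sys}/devices/**/path r,` further down, though that one is read-only. The new `rw` on `intel_pstate/max_perf_pct` and `no_turbo` is what thermald is for, but a short comment saying so would stop a reviewer from flagging it as CPU-frequency tampering. The profile continues outside the hunk.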
@@ -66,11 +78,16 @@ profile thermald @{exec_path} {
 @{sys}/devices/virtual/powercap/intel-rapl/ r,
 @{sys}/devices/virtual/powercap/intel-rapl/**/name r,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/{,*} r,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_time_window_us w,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_power_limit_uw w,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/enabled w,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/ r,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/* r,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_time_window_us w,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_power_limit_uw w,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/enabled w,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r,
+
+ /dev/acpi_thermal_rel rw,
+ /dev/input/ r,
+ /dev/input/event[0-9]* r,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 3456e9c9..08d712e1 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -54,6 +54,14 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 umount @{run}/udisks2/temp-mount-*/,
 umount /media/cdrom[0-9]/,
+ dbus (send,receive) bus=system path=/
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect,
+
+ dbus (send,receive) bus=system path=/
+ interface=org.freedesktop.DBus.Properties
+ member=Get,
+
 dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**}
 interface=org.freedesktop.{DBus*,UDisks2*},
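Review bot: `/dev/input/ r,` and `/dev/input/event[0-9]* r,` let a root daemon read every evdev node, which is keystroke-capture capability, and the hunk gives no hint which device thermald actually opens; AppArmor cannot tell event nodes apart by type, so if the audit log points at one device (a lid or laptop-mode switch would be plausible) a comment naming it, e.g. `# Reads the lid/mode switch only; AppArmor cannot scope evdev nodes by type`, is the least that should accompany the rule. Separately, the RAPL rules apply `{,-mmio}` only to the zone segment: as far as I know the MMIO control type registers its own `/powercap/intel-rapl-mmio/` directory and names its sub-zones `intel-rapl-mmio:N:M`, so the parent directory and the inner `intel-rapl:[0-9]*:[0-9]*` segment would need the same alternation for the `-mmio` half of these rules to ever match; confirm against the actual denials. The profile's closing brace is inside the hunk but its start is not.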