diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd
index ebe56c1b..cbff00ae 100644
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@@ -48,9 +48,14 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
 /var/lib/upower/history-*.dat{,.*} rw,
 
 @{run}/udev/data/ r,
- @{run}/udev/data/+power_supply* r,
- @{run}/udev/data/+input* r,
+ @{run}/udev/data/+acpi:* r,
 @{run}/udev/data/+hid* r,
+ @{run}/udev/data/+input* r,
+ @{run}/udev/data/+pci* r,
+ @{run}/udev/data/+platform* r,
+ @{run}/udev/data/+power_supply* r,
+ @{run}/udev/data/+sound:card[0-9]* r, # For sound
+ @{run}/udev/data/c116:[0-9]* r, # for ALSA
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
 
 @{run}/systemd/inhibit/[0-9]*.ref rw,
@@ -59,6 +64,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
 @{sys}/class/input/ r,
 @{sys}/class/leds/ r,
 @{sys}/class/power_supply/ r,
+ @{sys}/class/sound/ r,
 @{sys}/devices/ r,
 @{sys}/devices/**/capabilities/* r,
 @{sys}/devices/**/power_supply/**/* r,
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index 73190c9e..e390493e 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -96,6 +96,10 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/sessions/* r,
 @{run}/systemd/sessions/*.ref r,
 @{run}/systemd/users/@{uid} r,
+
+ @{run}/udev/data/+drm:card[0-9]-* r,
+ @{run}/udev/data/+pci* r,
+ @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
 @{run}/udev/tags/master-of-seat/ r,
 
 @{sys}/devices/**/uevent r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
index 4f68eb92..0bd987ff 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
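Review bot: The new trailing comment `# For sound` on the `+sound:card[0-9]*` rule is capitalised while the neighbouring `# for ALSA` and `# for /dev/input/*` comments are not, and the gsd-media-keys hunk later in this commit repeats the mix (`# For sound`, `# For /dev/bus/usb/**` beside `# for /dev/input/*`). Pick one form for these comments, e.g. `@{run}/udev/data/+sound:card[0-9]* r, # for sound`. The upowerd profile block opens and closes outside both hunks.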
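Review bot: The udev glob added here, `@{run}/udev/data/+drm:card[0-9]-* r,`, only matches connector entries (the `card0-<connector>` style), whereas the gsd-power hunk later in this commit adds the looser `@{run}/udev/data/+drm:card* r,` for what looks like the same need. The card nodes themselves carry a device number and are covered by the `c226:[0-9]*` rule this hunk also adds, so the narrower gdm form is probably sufficient in both profiles; align gsd-power on `+drm:card[0-9]-*`, or leave a comment saying why the two patterns differ. The gdm profile block opens and closes outside the hunk.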
@@ -39,6 +39,8 @@ profile gnome-control-center-goa-helper @{exec_path} {
 /var/lib/flatpak/exports/share/icons/{,**} r,
 
+ owner @{user_config_dirs}/goa-1.0/accounts.conf r, + owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl,
 owner @{user_share_dirs}/webkitgtk/{,**} rw,
 
@@ -48,9 +50,10 @@ profile gnome-control-center-goa-helper @{exec_path} {
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Settings-[0-9]*.scope/memory.* r,
 
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+ @{PROC}/zoneinfo r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/cmdline r,
- @{PROC}/zoneinfo r,
 
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index 22c6ce5a..31825d41 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -70,5 +70,7 @@ profile goa-daemon @{exec_path} {
 owner @{user_config_dirs}/goa-1.0/ rw,
 owner @{user_config_dirs}/goa-1.0/accounts.conf* rw,
 
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 032c2625..ed62831f 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -187,9 +187,12 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 owner /dev/tty[0-9]* rw,
 
- @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
+ @{run}/udev/data/+sound:card[0-9]* r, # For sound
+ @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
+ @{run}/udev/data/c189:[0-9]* r, # For /dev/bus/usb/**
 
 @{sys}/devices/**/usb[0-9]/{,**} r,
+ @{sys}/devices/pci[0-9]*/**/sound/**/uevent r,
 @{sys}/devices/platform/**/uevent r,
 @{sys}/devices/virtual/**/uevent r,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 3a5c8175..cc6f0ba2 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -186,6 +186,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 
 @{run}/udev/data/+backlight:* r,
+ @{run}/udev/data/+drm:card* r,
 @{run}/udev/data/+leds:*backlight* r,
 
 @{run}/systemd/inhibit/[0-9]*.ref rw,
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index afb8db67..5fa41884 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -88,9 +88,9 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/misc/rfkill/uevent r,
 
- /dev/rfkill rw,
- owner /dev/tty[0-9]* rw,
+ /dev/rfkill rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index 47fcf75c..c6cf22dc 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@@ -9,6 +9,15 @@ include
 @{exec_path} = /usr/share/aurpublish/*.hook
 profile aurpublish @{exec_path} {
 include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
 
 signal (receive) peer=git,
@@ -44,7 +53,7 @@ profile aurpublish @{exec_path} {
 owner @{user_projects_dirs}/**/.SRCINFO rw,
 owner @{user_projects_dirs}/**/PKGBUILD r,
 
- owner @{user_cache_dirs}/makepkg/src/* r,
+ owner @{user_cache_dirs}/makepkg/src/* rw,
 owner @{user_config_dirs}/pacman/makepkg.conf r,
 
 owner /tmp/tmp.* rw,
diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code
index d3aa3c12..00d47d56 100644
--- a/apparmor.d/groups/pacman/pacman-hook-code
+++ b/apparmor.d/groups/pacman/pacman-hook-code
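Review bot: The five `network` rules give the aurpublish hook profile unrestricted IPv4/IPv6 datagram and stream sockets plus `network netlink raw,` with nothing recording which hook step opens a socket itself. The profile already shows the hooks running alongside git (`signal (receive) peer=git,`), and git carries its own profile, so it is worth confirming from the denials whether the socket use came from the hook script or from a child that should instead get its own exec transition. If the hook does need it, a one-line comment above the block naming the operation (e.g. `# <hook name> contacts the AUR directly`, with the real hook filled in) keeps the grant reviewable. The three added `include` lines lost their `<...>` targets in this rendering and cannot be reviewed here, and the profile block continues outside the hunk.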
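Review bot: `owner @{user_cache_dirs}/makepkg/src/* rw,` turns the hook's read-only view of the whole makepkg source cache into write access over every extracted source tree, while the same hunk keeps `PKGBUILD r,` read-only. A publish hook rewriting cached sources is unexpected: if only one file or subdirectory is touched, narrow the glob to it, otherwise add a comment above the rule stating why the hook writes there (`# <reason the hook modifies the source cache>`). The profile block continues outside the hunk.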
@@ -15,10 +15,14 @@ profile pacman-hook-code @{exec_path} {
 @{exec_path} mr,
 
 /{usr/,}bin/{,ba}sh rix,
- /{usr/,}bin/sed rix,
+ /{usr/,}bin/env rix,
 /{usr/,}bin/grep rix,
+ /{usr/,}bin/sed rix,
 
+ /{usr/,}lib/code/product.json rw,
 /{usr/,}lib/code/sed?????? rw,
 
+ /dev/tty rw,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index 7c0f9067..db1fb560 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/ssh-agent
 profile ssh-agent @{exec_path} {
 include
+ include
 include
 
 signal (receive) set=term peer=cockpit-bridge,
@@ -17,6 +18,7 @@ profile ssh-agent @{exec_path} {
 @{exec_path} mr,
 
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/enlightenment_start rPUx,
 /{usr/,}bin/gpg-agent rPx,
 /{usr/,}bin/im-launch rPUx,
diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight
index 9c315a7a..bcc9f182 100644
--- a/apparmor.d/groups/systemd/systemd-backlight
+++ b/apparmor.d/groups/systemd/systemd-backlight
@@ -12,8 +12,7 @@ profile systemd-backlight @{exec_path} {
 include
 include
 
- # Needed?
- deny capability net_admin,
+ capability net_admin,
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/virt/cockpit-askpass b/apparmor.d/groups/virt/cockpit-askpass
index c49b4e0c..6164d04f 100644
--- a/apparmor.d/groups/virt/cockpit-askpass
+++ b/apparmor.d/groups/virt/cockpit-askpass
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/cockpit/cockpit-askpass
 profile cockpit-askpass @{exec_path} {
 include
+ include
 
 @{exec_path} mr,
 
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index 5ba01787..fc3009a4 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
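Review bot: The file still ends without a trailing newline (`\ No newline at end of file` after the closing `}`), unlike the other profiles touched by this commit; since the hunk already rewrites the tail of the file, the newline after `}` should be added here rather than in a later fix-up. The new `/{usr/,}bin/env rix,` and `/dev/tty rw,` rules follow the shape of the existing `rix` helper rules, so no further change is needed there. The profile block opens outside the hunk.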
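Review bot: `/{usr/,}bin/{,ba,da}sh rix,` runs the shell under the ssh-agent profile, so everything the shell then executes must also be matched by this profile's exec rules, whereas the neighbouring session starters (`enlightenment_start`, `im-launch`) use `rPUx` transitions; the different choice deserves a comment. If this covers the `ssh-agent <command>` wrapper form where a shell script is the command, say so above the rule, e.g. `# ssh-agent <command> wrappers; the shell stays confined here`, so a later reader does not turn it into a transition. The profile block continues outside the hunk.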
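Review bot: Replacing `deny capability net_admin,` with `capability net_admin,` also deletes the `# Needed?` question without recording the answer, and a network capability on a backlight helper will look wrong to the next reader. systemd-based helpers usually need it for SO_RCVBUFFORCE on their uevent/netlink monitor socket rather than for any networking — worth confirming against the audit entry that prompted the change — and a comment such as `# For SO_RCVBUFFORCE on the udev monitor socket (sd-device)` would preserve that reasoning. The profile block continues outside the hunk.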
@@ -10,8 +10,10 @@ include
 profile cockpit-bridge @{exec_path} {
 include
 include
- include
 include
+ include
+ include
+ include
 
 capability dac_read_search,
 capability sys_nice,
@@ -21,6 +23,8 @@ profile cockpit-bridge @{exec_path} {
 network inet6 dgram,
 network inet6 stream,
 
+ ptrace (read),
+
 signal (send) set=term peer=cockpit-pcp,
 signal (send) set=term peer=dbus-daemon,
 signal (send) set=term peer=journalctl,
@@ -48,13 +52,19 @@ profile cockpit-bridge @{exec_path} {
 @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,
 @{run}/utmp r,
 
+ @{sys}/devices/**/hwmon[0-9]*/ r,
+ @{sys}/devices/**/hwmon[0-9]*/{name,temp*} r,
+ @{sys}/fs/cgroup/*.slice/**/memory* r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/io r,
 @{PROC}/@{pids}/net/dev r,
 @{PROC}/1/cgroup r,
 @{PROC}/cmdline r,
 @{PROC}/diskstats r,
 @{PROC}/loadavg r,
 @{PROC}/uptime r,
- owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd
index 68fb4455..44be96b3 100644
--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@@ -46,6 +46,8 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/c25[0-4]:[0-9]* r,
 
 @{sys}/class/hidraw/ r,
+ @{sys}/devices/pci[0-9]*/**/hidraw/hidraw[0-9]*/uevent r,
+ @{sys}/devices/virtual/**/hidraw/hidraw[0-9]*/uevent r,
 
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index 4ab5d310..76706d7f 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -61,6 +61,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
 /{usr/,}bin/ldd rix,
 /{usr/,}bin/ln rix,
 /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/lsof rix,
 /{usr/,}bin/lspci rCx -> lspci,
 /{usr/,}bin/mkdir rix,
 /{usr/,}bin/mv rix,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index a944362a..b99e8ceb 100644
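Review bot: `ptrace (read),` in the second hunk carries no `peer=` qualifier, so it grants read-mode ptrace access to every process on the system; the visible consumers are the new `@{PROC}/@{pids}/cgroup r,` and `@{PROC}/@{pids}/io r,` rules in the third hunk, since reading `/proc/<pid>/io` of processes owned by other users requires ptrace-read permission on that process. If that is the only reason, tie the two together with a comment (`# Needed to read @{PROC}/@{pids}/io of other users' processes`) so the rule is not widened further later, and restrict it with `peer=` if the set of inspected profiles is known. The first hunk's `include` targets were stripped in this rendering and cannot be reviewed here. The profile block continues outside all three hunks.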
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -38,6 +38,7 @@ profile sudo @{exec_path} {
 signal (send) peer=unconfined,
 signal (send) set=(cont,hup) peer=su,
 signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot},
+ signal (send,receive) peer=cockpit-bridge,
 
 dbus send bus=system path=/org/freedesktop/login[0-9]
 interface=org.freedesktop.login[0-9].Manager
diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm
index 37fe9566..529dd7e8 100644
--- a/apparmor.d/profiles-s-z/swtpm
+++ b/apparmor.d/profiles-s-z/swtpm
@@ -21,6 +21,9 @@ profile swtpm @{exec_path} {
 /var/log/swtpm/libvirt/qemu/*-swtpm.log w,
 
 /tmp/.swtpm_setup.pidfile.* rw,
+ /tmp/[0-9]*/.lock rwk,
+ /tmp/[0-9]*/TMP* rw,
+ /tmp/[0-9]*/vtpm.sock rw,
 
 @{run}/libvirt/qemu/swtpm/*.sock w,
 @{run}/libvirt/qemu/swtpm/*.pid w,
diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore
index 18480e02..a6d35b39 100644
--- a/dists/ignore/main.ignore
+++ b/dists/ignore/main.ignore
@@ -10,6 +10,11 @@ root/usr/lib/systemd/
 apparmor.d/groups/apps
 plasma-discover
+steam
+steam-fossilize
+steam-game
+steam-gameoverlayui
+steam-reaper
 anki
 man
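Review bot: The three new `/tmp/[0-9]*/...` rules are not `owner`-qualified, and /tmp is shared between users, so a digit-named directory created by any local user would satisfy them just as well as swtpm's own. If these per-instance directories are created under the uid swtpm runs as, `owner /tmp/[0-9]*/.lock rwk,` and the two sibling rules narrow the grant at no cost; the existing `/tmp/.swtpm_setup.pidfile.* rw,` above has the same shape and could take the same qualifier in this pass. The profile block continues outside the hunk.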