diff --git a/apparmor.d/abstractions/bwrap-app b/apparmor.d/abstractions/bwrap-app
index 2ee1bc2c..cee41dec 100644
--- a/apparmor.d/abstractions/bwrap-app
+++ b/apparmor.d/abstractions/bwrap-app
@@ -12,22 +12,16 @@
   include <abstractions/consoles>
   include <abstractions/dbus-session>
   include <abstractions/deny-sensitive-home>
+  include <abstractions/desktop>
   include <abstractions/devices-usb>
   include <abstractions/disks-read>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
-  include <abstractions/gnome-strict>
+  include <abstractions/graphics>
   include <abstractions/gstreamer>
-  include <abstractions/mesa>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl-intel>
-  include <abstractions/opencl-mesa>
-  include <abstractions/opencl-nvidia>
   include <abstractions/openssl>
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>
   include <abstractions/video>
-  include <abstractions/vulkan>
 
   /usr/** r,
 
diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index bc80935f..ba182c7f 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -16,20 +16,15 @@
 
   include <abstractions/audio>
   include <abstractions/dconf-write>
+  include <abstractions/desktop>
   include <abstractions/devices-usb>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
+  include <abstractions/graphics-full>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/user-download-strict>
   include <abstractions/user-read>
-  include <abstractions/vulkan>
-  include <abstractions/wayland>
 
   # userns,
 
@@ -97,7 +92,6 @@
   /usr/share/chromium/extensions/{,**} r,
   /usr/share/egl/{,**} r,
   /usr/share/hwdata/pnp.ids r,
-  /usr/share/libdrm/*.ids r,
   /usr/share/mozilla/extensions/{,**} r,
   /usr/share/qt{5,}/translations/*.qm r,
   /usr/share/webext/{,**} r,
@@ -105,7 +99,6 @@
   /etc/@{name}/{,**} r,
   /etc/fstab r,
   /etc/igfx_user_feature{,_next}.txt w,
-  /etc/libva.conf r,
   /etc/opensc.conf r,
 
   /var/lib/dbus/machine-id r,
@@ -119,10 +112,7 @@
   owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
   owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
 
-  owner @{user_cache_dirs}/ rw,
-  owner @{user_config_dirs}/ r,
   owner @{user_config_dirs}/gtk-3.0/servers r,
-  owner @{user_share_dirs}/ r,
   owner @{user_share_dirs}/.@{domain}.* rw,
 
   owner @{config_dirs}/ rw,
@@ -182,20 +172,16 @@
 
   @{sys}/bus/ r,
   @{sys}/bus/**/devices/ r,
-  @{sys}/class/ r,
   @{sys}/class/**/ r,
   @{sys}/devices/**/uevent r,
   @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
   @{sys}/devices/@{pci}/boot_vga r,
-  @{sys}/devices/@{pci}/{resource,irq} r,
   @{sys}/devices/@{pci}/report_descriptor r,
-  @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r,
   @{sys}/devices/system/cpu/kernel_max r,
-  @{sys}/devices/system/cpu/present r,
   @{sys}/devices/virtual/**/report_descriptor r,
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
-  @{sys}/devices/virtual/tty/tty[0-9]/active r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
 
   /dev/ r,
   /dev/hidraw@{int} rw,
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index b07343b4..a56d370a 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@@ -27,7 +27,7 @@
   #owner /tmp/orcexec.* mrw,
   #owner @{HOME}/orcexec.* mrw,
 
-  @{run}/udev/data/+drm:card[0-9]-* r,    # For screen outputs
+  @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
   @{run}/udev/data/+usb:* r,              # For /dev/bus/usb/**
 
   @{run}/udev/data/c81:@{int}  r,         # For video4linux
diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict
index 2a150c90..6dd9b4a7 100644
--- a/apparmor.d/abstractions/user-download-strict
+++ b/apparmor.d/abstractions/user-download-strict
@@ -5,7 +5,6 @@
 
   abi <abi/3.0>,
 
-  # new user; change to 'c'
   owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
   owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
 
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
index 386b4f7f..bb8331f6 100644
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@@ -16,20 +16,14 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/consoles>
   include <abstractions/dbus-session>
   include <abstractions/dconf-write>
+  include <abstractions/desktop>
   include <abstractions/devices-usb>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
-  include <abstractions/gnome-strict>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl-intel>
-  include <abstractions/opencl-mesa>
-  include <abstractions/opencl-nvidia>
   include <abstractions/openssl>
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>
   include <abstractions/video>
-  include <abstractions/vulkan>
   include <abstractions/zsh>
 
   capability dac_override,
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
index 3f43a990..ec48587a 100644
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/xdg-user-dirs-update
 profile xdg-user-dirs-update @{exec_path} {
   include <abstractions/base>
+  include <abstractions/xdg-desktop>
 
   @{exec_path} mr,
 
@@ -39,7 +40,6 @@ profile xdg-user-dirs-update @{exec_path} {
   /var/lib/sddm/@{XDG_TEMPLATES_DIR}/ rw,
   /var/lib/sddm/@{XDG_VIDEOS_DIR}/ rw,
 
-  # new user; change to 'c'
   owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
   owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ w,
   owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
@@ -48,7 +48,6 @@ profile xdg-user-dirs-update @{exec_path} {
   owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ w,
   owner @{HOME}/@{XDG_TEMPLATES_DIR}/ w,
   owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
-  owner @{user_config_dirs}/ w,
 
   owner @{user_config_dirs}/user-dirs.dirs rw,
   owner @{user_config_dirs}/user-dirs.dirs@{rand6} rw,
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index 87ed8e49..545d9f55 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/gnome-music
-profile gnome-music @{exec_path} {
+profile gnome-music @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
   include <abstractions/dconf-write>
@@ -48,6 +48,7 @@ profile gnome-music @{exec_path} {
         @{run}/systemd/inhibit/[0-9]*.ref rw,
 
   owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
+  owner /var/tmp/etilqs_@{hex} rw,
 
         @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
   owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 22f49c7b..e8433897 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -12,6 +12,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
+  include <abstractions/bus/com.canonical.Unity.LauncherEntry>
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.hostname1>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
@@ -69,11 +70,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
        member=Print
        peer=(name=:*, label=nautilus),
 
-  dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
-       interface=com.canonical.Unity.LauncherEntry
-       member=Update
-       peer=(name=org.freedesktop.DBus, label=gnome-shell),
-
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=ListActivatableNames
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index a3b01111..ad4e7853 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@@ -22,9 +22,9 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
 
   /etc/netplan/{,*} r,
 
-  @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} w,
+  @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw,
   @{run}/NetworkManager/system-connections/ r,
-  @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} w,
+  @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,
   @{run}/systemd/system/ r,
   @{run}/systemd/system/netplan-* rw,
   @{run}/systemd/system/systemd-networkd.service.wants/ r,
@@ -51,8 +51,12 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
     include <abstractions/base>
     include <abstractions/systemd-common>
 
+    capability net_admin,
+
     @{bin}/systemctl mr,
 
+    owner @{run}/systemd/private rw,
+
     include if exists <local/netplan.script_systemctl>
   }
 
diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance
index ace3cb95..f9dc5914 100644
--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
@@ -10,6 +10,7 @@ include <tunables/global>
 profile irqbalance @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
+  capability net_admin,
   capability setpcap,
 
   network netlink raw,