From 7067edcf70356390709b2c887639eb7aad06a8a5 Mon Sep 17 00:00:00 2001 
From: Mikhail Morfikov Date: Thu, 10 Dec 2020 22:33:39 +0100 Subject: [PATCH] update profiles for apparmor3 --- apparmor.d/abi/3.0 | 78 +++++++++++++++++++ apparmor.d/abi/kernel-5.4-outoftree-network | 76 ++++++++++++++++++ apparmor.d/abi/kernel-5.4-vanilla | 68 ++++++++++++++++ apparmor.d/abstractions/X | 12 ++- apparmor.d/abstractions/apache2-common | 13 +++- apparmor.d/abstractions/app-launcher-root | 2 +- apparmor.d/abstractions/app-launcher-user | 2 +- .../abstractions/apparmor_api/change_profile | 6 +- apparmor.d/abstractions/apparmor_api/examine | 4 +- .../abstractions/apparmor_api/find_mountpoint | 2 + .../abstractions/apparmor_api/introspect | 4 +- .../abstractions/apparmor_api/is_enabled | 4 +- apparmor.d/abstractions/apt-common | 2 +- apparmor.d/abstractions/aspell | 5 ++ apparmor.d/abstractions/audio | 14 +++- apparmor.d/abstractions/authentication | 34 ++++---- apparmor.d/abstractions/base | 33 +++++--- apparmor.d/abstractions/bash | 5 ++ apparmor.d/abstractions/consoles | 5 +- apparmor.d/abstractions/cups-client | 7 +- apparmor.d/abstractions/dbus | 7 +- apparmor.d/abstractions/dbus-accessibility | 7 +- .../abstractions/dbus-accessibility-strict | 5 ++ .../abstractions/dbus-network-manager-strict | 4 +- apparmor.d/abstractions/dbus-session | 7 +- apparmor.d/abstractions/dbus-session-strict | 8 +- apparmor.d/abstractions/dbus-strict | 7 +- apparmor.d/abstractions/dconf | 7 +- apparmor.d/abstractions/deny-dconf | 2 +- apparmor.d/abstractions/deny-root-dir-access | 2 +- apparmor.d/abstractions/disks-read | 2 +- apparmor.d/abstractions/disks-write | 2 +- apparmor.d/abstractions/dovecot-common | 7 +- apparmor.d/abstractions/dri-common | 5 ++ apparmor.d/abstractions/dri-enumerate | 5 ++ apparmor.d/abstractions/enchant | 11 ++- apparmor.d/abstractions/evince | 12 +-- apparmor.d/abstractions/exo-open | 24 +++--- apparmor.d/abstractions/fcitx | 7 +- apparmor.d/abstractions/fcitx-strict | 7 +- apparmor.d/abstractions/file-browsing-strict | 2 +- 
apparmor.d/abstractions/flatpak-snap | 2 +- apparmor.d/abstractions/fontconfig-cache-read | 2 +- .../abstractions/fontconfig-cache-write | 2 +- apparmor.d/abstractions/fonts | 5 ++ apparmor.d/abstractions/freedesktop.org | 8 +- apparmor.d/abstractions/fzf | 2 +- apparmor.d/abstractions/gio-open | 16 ++-- apparmor.d/abstractions/gnome | 24 +++--- apparmor.d/abstractions/gnupg | 5 ++ apparmor.d/abstractions/gstreamer | 6 +- apparmor.d/abstractions/gtk | 2 +- apparmor.d/abstractions/gvfs-open | 16 ++-- apparmor.d/abstractions/hosts_access | 4 + apparmor.d/abstractions/ibus | 5 ++ apparmor.d/abstractions/kde | 19 +++-- apparmor.d/abstractions/kde-globals-write | 9 ++- apparmor.d/abstractions/kde-icon-cache-write | 5 ++ apparmor.d/abstractions/kde-language-write | 8 +- apparmor.d/abstractions/kde-open5 | 46 +++++------ apparmor.d/abstractions/kde4 | 2 +- apparmor.d/abstractions/kde5-plasma5 | 6 +- apparmor.d/abstractions/kerberosclient | 5 ++ apparmor.d/abstractions/ldapclient | 9 ++- apparmor.d/abstractions/libpam-systemd | 7 +- apparmor.d/abstractions/libvirt-lxc | 2 +- apparmor.d/abstractions/libvirt-qemu | 6 +- apparmor.d/abstractions/lightdm | 14 ++-- .../abstractions/lightdm_chromium-browser | 2 +- apparmor.d/abstractions/likewise | 5 ++ apparmor.d/abstractions/mdns | 7 +- apparmor.d/abstractions/mesa | 5 ++ apparmor.d/abstractions/mesa-cache-write | 2 +- apparmor.d/abstractions/mir | 5 ++ apparmor.d/abstractions/mozc | 5 ++ apparmor.d/abstractions/mysql | 7 +- apparmor.d/abstractions/nameservice | 76 ++++++++++-------- apparmor.d/abstractions/nameservice-strict | 2 +- apparmor.d/abstractions/nis | 5 ++ apparmor.d/abstractions/nss-systemd | 30 +++++++ apparmor.d/abstractions/nvidia | 7 +- apparmor.d/abstractions/opencl | 14 +++- apparmor.d/abstractions/opencl-common | 6 ++ apparmor.d/abstractions/opencl-intel | 12 ++- apparmor.d/abstractions/opencl-mesa | 8 +- apparmor.d/abstractions/opencl-nvidia | 10 ++- apparmor.d/abstractions/opencl-pocl | 13 +++- 
apparmor.d/abstractions/openssl | 5 ++ apparmor.d/abstractions/orbit2 | 5 ++ apparmor.d/abstractions/p11-kit | 7 +- apparmor.d/abstractions/perl | 5 ++ apparmor.d/abstractions/php | 5 ++ apparmor.d/abstractions/php-worker | 22 ++++++ apparmor.d/abstractions/php5 | 7 +- apparmor.d/abstractions/postfix-common | 9 ++- apparmor.d/abstractions/private-files | 5 ++ apparmor.d/abstractions/private-files-strict | 9 ++- apparmor.d/abstractions/python | 6 +- apparmor.d/abstractions/qt5 | 5 ++ .../abstractions/qt5-compose-cache-write | 5 ++ apparmor.d/abstractions/qt5-settings-write | 5 ++ .../abstractions/recent-documents-write | 7 +- apparmor.d/abstractions/ruby | 5 ++ apparmor.d/abstractions/samba | 13 +++- apparmor.d/abstractions/smbpass | 5 ++ apparmor.d/abstractions/ssl_certs | 5 ++ apparmor.d/abstractions/ssl_keys | 5 ++ apparmor.d/abstractions/svn-repositories | 5 ++ apparmor.d/abstractions/systemd-common | 3 +- apparmor.d/abstractions/thumbnails-cache-read | 2 +- .../abstractions/thumbnails-cache-write | 2 +- apparmor.d/abstractions/tor | 6 +- apparmor.d/abstractions/totem | 8 +- apparmor.d/abstractions/trash | 2 +- .../abstractions/ubuntu-bittorrent-clients | 9 ++- apparmor.d/abstractions/ubuntu-browsers | 11 ++- .../ubuntu-browsers.d/chromium-browser | 26 +++++++ .../abstractions/ubuntu-browsers.d/java | 34 ++++---- apparmor.d/abstractions/ubuntu-browsers.d/kde | 8 +- .../abstractions/ubuntu-browsers.d/mailto | 8 +- .../abstractions/ubuntu-browsers.d/multimedia | 33 +++----- .../ubuntu-browsers.d/plugins-common | 4 +- .../ubuntu-browsers.d/productivity | 10 +-- .../ubuntu-browsers.d/text-editors | 6 +- .../ubuntu-browsers.d/ubuntu-integration | 14 ++-- .../ubuntu-browsers.d/ubuntu-integration-xul | 4 +- .../abstractions/ubuntu-browsers.d/user-files | 4 +- .../abstractions/ubuntu-console-browsers | 11 ++- apparmor.d/abstractions/ubuntu-console-email | 11 ++- apparmor.d/abstractions/ubuntu-email | 9 ++- apparmor.d/abstractions/ubuntu-feed-readers | 9 ++- 
apparmor.d/abstractions/ubuntu-gnome-terminal | 7 +- apparmor.d/abstractions/ubuntu-helpers | 18 +++-- apparmor.d/abstractions/ubuntu-konsole | 9 ++- apparmor.d/abstractions/ubuntu-media-players | 9 ++- apparmor.d/abstractions/ubuntu-unity7-base | 11 ++- .../abstractions/ubuntu-unity7-launcher | 5 ++ .../abstractions/ubuntu-unity7-messaging | 5 ++ apparmor.d/abstractions/ubuntu-xterm | 7 +- apparmor.d/abstractions/user-download | 5 ++ apparmor.d/abstractions/user-download-strict | 2 +- apparmor.d/abstractions/user-mail | 5 ++ apparmor.d/abstractions/user-manpages | 5 ++ apparmor.d/abstractions/user-tmp | 5 ++ apparmor.d/abstractions/user-write | 5 ++ apparmor.d/abstractions/video | 5 ++ apparmor.d/abstractions/vlc-art-cache-write | 2 +- apparmor.d/abstractions/vulkan | 5 ++ apparmor.d/abstractions/wayland | 6 +- apparmor.d/abstractions/web-data | 5 ++ apparmor.d/abstractions/winbind | 8 +- apparmor.d/abstractions/wutmp | 7 +- apparmor.d/abstractions/xad | 5 ++ apparmor.d/abstractions/xdg-desktop | 5 ++ apparmor.d/abstractions/xdg-open | 26 ++++--- apparmor.d/abstractions/zsh | 2 +- apparmor.d/accounts-daemon | 12 +-- apparmor.d/acpi | 8 +- apparmor.d/adduser | 14 ++-- apparmor.d/adequate | 36 ++++----- apparmor.d/amarok | 42 +++++----- apparmor.d/amixer | 10 +-- apparmor.d/android-studio | 53 +++++++------ apparmor.d/anki | 54 ++++++------- apparmor.d/anyremote | 40 ++++++---- apparmor.d/apache2.d/phpsysinfo | 14 ++-- apparmor.d/aplay | 10 +-- apparmor.d/appstreamcli | 18 ++--- apparmor.d/apt | 27 +++---- apparmor.d/apt-cache | 12 +-- apparmor.d/apt-cdrom | 16 ++-- apparmor.d/apt-config | 12 +-- apparmor.d/apt-extracttemplates | 12 +-- apparmor.d/apt-file | 12 +-- apparmor.d/apt-ftparchive | 8 +- apparmor.d/apt-get | 29 +++---- apparmor.d/apt-key | 21 +++-- apparmor.d/apt-listbugs | 30 ++++--- apparmor.d/apt-listbugs-aptcleanup | 12 +-- apparmor.d/apt-listbugs-migratepins | 12 +-- apparmor.d/apt-listbugs-prefclean | 12 +-- apparmor.d/apt-listchanges | 26 +++---- 
apparmor.d/apt-mark | 10 +-- apparmor.d/apt-methods-cdrom | 10 +-- apparmor.d/apt-methods-copy | 12 +-- apparmor.d/apt-methods-file | 12 +-- apparmor.d/apt-methods-ftp | 10 +-- apparmor.d/apt-methods-gpgv | 12 +-- apparmor.d/apt-methods-http | 20 +++-- apparmor.d/apt-methods-mirror | 10 +-- apparmor.d/apt-methods-rred | 12 +-- apparmor.d/apt-methods-rsh | 10 +-- apparmor.d/apt-methods-store | 12 +-- apparmor.d/apt-show-versions | 14 ++-- apparmor.d/apt-sortpkgs | 8 +- apparmor.d/aptitude | 23 +++--- apparmor.d/aptitude-changelog-parser | 10 +-- apparmor.d/aptitude-create-state-bundle | 12 +-- apparmor.d/aptitude-run-state-bundle | 14 ++-- apparmor.d/arandr | 24 +++--- apparmor.d/at-spi-bus-launcher | 17 ++-- apparmor.d/at-spi2-registryd | 12 +-- apparmor.d/atftpd | 10 +-- apparmor.d/atom | 40 +++++----- apparmor.d/badblocks | 12 +-- apparmor.d/bin.netstat | 10 +-- apparmor.d/bin.ping | 12 +-- apparmor.d/biosdecode | 8 +- apparmor.d/birdtray | 42 +++++----- apparmor.d/blkid | 12 +-- apparmor.d/blockdev | 10 +-- apparmor.d/bluetoothctl | 8 +- apparmor.d/bluetoothd | 11 ++- apparmor.d/bmon | 10 ++- apparmor.d/borg | 12 +-- apparmor.d/brave | 38 ++++----- apparmor.d/brave-browser | 12 +-- apparmor.d/brave-sandbox | 10 +-- apparmor.d/btrfs | 12 +-- apparmor.d/btrfs-convert | 10 +-- apparmor.d/btrfs-find-root | 10 +-- apparmor.d/btrfs-image | 10 +-- apparmor.d/btrfs-map-logical | 10 +-- apparmor.d/btrfs-select-super | 10 +-- apparmor.d/btrfstune | 10 +-- apparmor.d/calibre | 49 ++++++------ apparmor.d/cawbird | 32 ++++---- apparmor.d/ccze | 12 +-- apparmor.d/cfdisk | 10 +-- apparmor.d/cgdisk | 10 +-- apparmor.d/cgrulesengd | 12 +-- apparmor.d/chage | 12 +-- apparmor.d/changestool | 10 +-- apparmor.d/check-bios-nx | 12 +-- apparmor.d/check-support-status | 14 ++-- apparmor.d/check-support-status-hook | 44 ++++++----- apparmor.d/chfn | 18 +++-- apparmor.d/child-dpkg | 10 +-- apparmor.d/child-dpkg-divert | 8 +- apparmor.d/child-lsb_release | 13 ++-- apparmor.d/child-pager | 
10 +-- apparmor.d/child-systemctl | 12 +-- apparmor.d/chromium | 12 +-- apparmor.d/chromium-chrome-sandbox | 10 +-- apparmor.d/chromium-chromium | 45 ++++++----- apparmor.d/chsh | 16 ++-- apparmor.d/claws-mail | 32 ++++---- apparmor.d/code | 28 +++---- apparmor.d/colord | 12 +-- apparmor.d/colord-sane | 10 ++- apparmor.d/colord-session | 8 +- apparmor.d/command-not-found | 14 ++-- apparmor.d/compton | 10 +-- apparmor.d/conky | 40 ++++++---- apparmor.d/convertall | 30 +++---- apparmor.d/cppw-cpgr | 8 +- apparmor.d/cpuid | 8 +- apparmor.d/cpupower | 10 +-- apparmor.d/crda | 8 +- apparmor.d/cron | 20 ++--- apparmor.d/cron-apt | 10 +-- apparmor.d/cron-apt-listbugs | 10 +-- apparmor.d/cron-apt-show-versions | 8 +- apparmor.d/cron-apt-xapian-index | 8 +- apparmor.d/cron-aptitude | 8 +- apparmor.d/cron-debsums | 12 +-- apparmor.d/cron-dlocate | 8 +- apparmor.d/cron-ipset-autoban-save | 10 +-- apparmor.d/cron-logrotate | 8 +- apparmor.d/cron-mlocate | 10 +-- apparmor.d/cron-popularity-contest | 28 +++---- apparmor.d/crontab | 16 ++-- apparmor.d/curl | 23 +++--- apparmor.d/dbus-daemon | 14 ++-- apparmor.d/dconf-editor | 20 ++--- apparmor.d/dconf-service | 8 +- apparmor.d/ddclient | 16 ++-- apparmor.d/debconf-apt-progress | 18 ++--- apparmor.d/debconf-show | 12 +-- apparmor.d/deborphan | 8 +- apparmor.d/debsecan | 23 +++--- apparmor.d/debsign | 10 +-- apparmor.d/debsums | 11 +-- apparmor.d/debtags | 14 ++-- apparmor.d/deluser | 16 ++-- apparmor.d/df | 8 +- apparmor.d/dfc | 8 +- apparmor.d/dhclient | 17 ++-- apparmor.d/dhclient-script | 16 ++-- apparmor.d/dig | 18 +++-- apparmor.d/dirmngr | 17 ++-- apparmor.d/discord | 52 +++++++------ apparmor.d/discord-chrome-sandbox | 10 +-- apparmor.d/dkms | 14 ++-- apparmor.d/dkms-autoinstaller | 14 ++-- apparmor.d/dlocate | 14 ++-- apparmor.d/dmcrypt-get-device | 8 +- apparmor.d/dmesg | 8 +- apparmor.d/dmidecode | 8 +- apparmor.d/dnscrypt-proxy | 20 +++-- apparmor.d/dpkg | 16 ++-- apparmor.d/dpkg-architecture | 12 +-- 
apparmor.d/dpkg-buildflags | 10 +-- apparmor.d/dpkg-checkbuilddeps | 10 +-- apparmor.d/dpkg-deb | 12 +-- apparmor.d/dpkg-divert | 10 +-- apparmor.d/dpkg-genbuildinfo | 10 +-- apparmor.d/dpkg-genchanges | 10 +-- apparmor.d/dpkg-preconfigure | 22 +++--- apparmor.d/dpkg-query | 10 +-- apparmor.d/dpkg-split | 10 +-- apparmor.d/dpkg-trigger | 10 +-- apparmor.d/dpkg-vendor | 10 +-- apparmor.d/dropbox | 34 ++++---- apparmor.d/dumpcap | 17 ++-- apparmor.d/dumpe2fs | 12 +-- apparmor.d/e2fsck | 12 +-- apparmor.d/e2image | 12 +-- apparmor.d/edid-decode | 8 +- apparmor.d/eject | 10 +-- apparmor.d/engrampa | 30 +++---- apparmor.d/execute-dcut | 12 +-- apparmor.d/execute-dput | 16 ++-- apparmor.d/exim4 | 16 ++-- apparmor.d/exo-compose-mail | 10 +-- apparmor.d/exo-helper | 20 ++--- apparmor.d/exo-open | 18 ++--- apparmor.d/f3brew | 10 +-- apparmor.d/f3fix | 12 +-- apparmor.d/f3probe | 10 +-- apparmor.d/f3read | 8 +- apparmor.d/f3write | 8 +- apparmor.d/fatlabel | 10 +-- apparmor.d/fatresize | 12 +-- apparmor.d/fc-list | 12 +-- apparmor.d/fdisk | 10 +-- apparmor.d/ffmpeg | 20 ++--- apparmor.d/ffplay | 16 ++-- apparmor.d/ffprobe | 12 +-- apparmor.d/filecap | 10 +-- apparmor.d/filezilla | 22 +++--- apparmor.d/firefox | 45 ++++++----- apparmor.d/firefox-crashreporter | 18 ++--- apparmor.d/firefox-minidump-analyzer | 10 +-- apparmor.d/firefox-pingsender | 16 ++-- apparmor.d/firefox-plugin-container | 8 +- apparmor.d/firejail-default | 10 +-- apparmor.d/flameshot | 49 +++++++----- apparmor.d/fping | 15 ++-- apparmor.d/freetube | 48 +++++++----- apparmor.d/freetube-chrome-sandbox | 12 +-- apparmor.d/frontend | 26 +++---- apparmor.d/fsck | 10 +-- apparmor.d/fsck-btrfs | 8 +- apparmor.d/fsck-fat | 12 +-- apparmor.d/fuseiso | 10 +-- apparmor.d/fusermount | 10 +-- apparmor.d/fwupd | 12 +-- apparmor.d/fwupdmgr | 18 ++--- apparmor.d/fzsftp | 12 +-- apparmor.d/gajim | 48 +++++++----- apparmor.d/games-wesnoth | 24 +++--- apparmor.d/games-wesnoth-sh | 10 +-- apparmor.d/ganyremote | 39 +++++----- 
apparmor.d/gconfd | 10 +-- apparmor.d/gdisk | 10 +-- apparmor.d/geany | 24 +++--- apparmor.d/gio-launch-desktop | 12 +-- apparmor.d/git | 38 +++++---- apparmor.d/globaltime | 18 ++--- apparmor.d/glxgears | 17 ++-- apparmor.d/glxinfo | 16 ++-- apparmor.d/gnome-keyring-daemon | 10 +-- apparmor.d/google-chrome-chrome | 42 +++++----- apparmor.d/google-chrome-chrome-sandbox | 10 +-- apparmor.d/google-chrome-google-chrome | 12 +-- apparmor.d/gpa | 22 +++--- apparmor.d/gparted | 43 ++++++++-- apparmor.d/gpartedbin | 30 +++---- apparmor.d/gpasswd | 14 ++-- apparmor.d/gpg | 14 ++-- apparmor.d/gpg-agent | 10 +-- apparmor.d/gpg-connect-agent | 11 ++- apparmor.d/gpgconf | 12 +-- apparmor.d/gpgsm | 10 +-- apparmor.d/gpo | 27 ++++--- apparmor.d/gpodder | 38 +++++---- apparmor.d/gpodder-migrate2tres | 12 +-- apparmor.d/groupadd | 14 ++-- apparmor.d/groupdel | 14 ++-- apparmor.d/groupmod | 14 ++-- apparmor.d/groups | 10 +-- apparmor.d/grpck | 10 +-- apparmor.d/gsmartcontrol | 52 ++++++++++--- apparmor.d/gsmartcontrol-root | 10 +-- apparmor.d/gtk-update-icon-cache | 10 +-- apparmor.d/gtk-youtube-viewer | 52 +++++++------ apparmor.d/hardinfo | 62 ++++++++++----- apparmor.d/hciconfig | 10 ++- apparmor.d/hddtemp | 11 ++- apparmor.d/hdparm | 10 +-- apparmor.d/hexchat | 38 +++++---- apparmor.d/hostname | 12 +-- apparmor.d/htop | 20 +++-- apparmor.d/hugeadm | 10 +-- apparmor.d/hugo | 11 ++- apparmor.d/hw-probe | 51 ++++++++---- apparmor.d/hwinfo | 18 +++-- apparmor.d/i2cdetect | 8 +- apparmor.d/i3lock | 20 ++--- apparmor.d/i3lock-fancy | 21 +++-- apparmor.d/ifconfig | 13 ++-- apparmor.d/ifup | 12 +-- apparmor.d/initd-kexec | 12 +-- apparmor.d/initd-kexec-load | 14 ++-- apparmor.d/initd-kmod | 12 +-- apparmor.d/install-printerdriver | 10 +-- apparmor.d/inxi | 34 +++++--- apparmor.d/ioping | 10 +-- apparmor.d/iotop | 12 +-- apparmor.d/ip | 10 ++- apparmor.d/ipcalc | 10 +-- apparmor.d/iw | 10 ++- apparmor.d/iwconfig | 11 ++- apparmor.d/iwlist | 8 +- apparmor.d/jdownloader | 26 +++---- 
apparmor.d/jdownloader-install | 18 ++--- apparmor.d/jekyll | 14 ++-- apparmor.d/jgmenu | 26 +++---- apparmor.d/kanyremote | 47 +++++------ apparmor.d/kcheckpass | 14 ++-- apparmor.d/kconfig-hardened-check | 10 +-- apparmor.d/keepassxc | 47 ++++++----- apparmor.d/keepassxc-cli | 10 +-- apparmor.d/keepassxc-proxy | 16 ++-- apparmor.d/kernel-install | 14 ++-- apparmor.d/kerneloops | 10 +-- apparmor.d/kerneloops-applet | 18 ++--- apparmor.d/kexec | 8 +- apparmor.d/kmod | 10 +-- apparmor.d/kodi | 26 +++---- apparmor.d/kodi-xrandr | 10 +-- apparmor.d/kscreenlocker-greet | 26 +++---- apparmor.d/kvm-ok | 13 ++-- apparmor.d/kwalletd5 | 36 ++++----- apparmor.d/kwalletmanager5 | 36 ++++----- apparmor.d/libvirt/TEMPLATE.lxc | 4 +- apparmor.d/libvirt/TEMPLATE.qemu | 4 +- apparmor.d/light | 10 +-- apparmor.d/light-locker | 26 +++---- apparmor.d/light-locker-command | 10 +-- apparmor.d/lightdm | 22 +++--- apparmor.d/lightdm-gtk-greeter | 22 +++--- apparmor.d/lightdm-guest-session | 6 +- apparmor.d/lightworks | 10 +-- apparmor.d/lightworks-ntcardvt | 10 +-- apparmor.d/linssid | 35 +++++---- apparmor.d/linux-check-removal | 20 ++--- apparmor.d/linux-version | 12 +-- apparmor.d/localepurge | 10 +-- apparmor.d/logrotate | 18 ++--- apparmor.d/lsb_release | 12 +-- apparmor.d/lsblk | 12 +-- apparmor.d/lscpu | 8 +- apparmor.d/lsinitramfs | 8 +- apparmor.d/lspci | 10 +-- apparmor.d/lsusb | 10 ++- apparmor.d/lxappearance | 20 ++--- apparmor.d/lxc-containers | 4 +- apparmor.d/lxc/lxc-default | 2 +- apparmor.d/lxc/lxc-default-cgns | 2 +- apparmor.d/lxc/lxc-default-with-mounting | 2 +- apparmor.d/lxc/lxc-default-with-nesting | 4 +- apparmor.d/lynx | 25 +++--- apparmor.d/macchanger | 11 ++- apparmor.d/mediainfo | 10 +-- apparmor.d/megasync | 48 +++++++----- apparmor.d/memtester | 8 +- apparmor.d/mimetype | 10 +-- apparmor.d/minitube | 49 +++++++----- apparmor.d/mke2fs | 12 +-- apparmor.d/mkfs-btrfs | 10 +-- apparmor.d/mkfs-fat | 12 +-- apparmor.d/mkinitramfs | 26 +++---- apparmor.d/mkntfs | 
10 +-- apparmor.d/mkswap | 10 +-- apparmor.d/mkvmerge | 12 +-- apparmor.d/mkvtoolnix-gui | 36 ++++----- apparmor.d/mlocate | 10 +-- apparmor.d/mount | 12 +-- apparmor.d/mount.cifs | 12 ++- apparmor.d/mpsyt | 29 ++++--- apparmor.d/mpv | 40 ++++++---- apparmor.d/mtools | 14 ++-- apparmor.d/mumble | 51 ++++++------ apparmor.d/mumble-overlay | 12 +-- apparmor.d/netcap | 27 +++---- apparmor.d/nethogs | 13 ++-- apparmor.d/networkctl | 13 +++- apparmor.d/newgrp | 12 +-- apparmor.d/nft | 12 +-- apparmor.d/nmap | 21 +++-- apparmor.d/ntfs-3g | 12 +-- apparmor.d/ntfs-3g-probe | 10 +-- apparmor.d/ntfscat | 10 +-- apparmor.d/ntfsclone | 10 +-- apparmor.d/ntfscluster | 10 +-- apparmor.d/ntfscmp | 10 +-- apparmor.d/ntfscp | 10 +-- apparmor.d/ntfsdecrypt | 10 +-- apparmor.d/ntfsfallocate | 10 +-- apparmor.d/ntfsfix | 10 +-- apparmor.d/ntfsinfo | 10 +-- apparmor.d/ntfslabel | 10 +-- apparmor.d/ntfsls | 10 +-- apparmor.d/ntfsmove | 10 +-- apparmor.d/ntfsrecover | 10 +-- apparmor.d/ntfsresize | 10 +-- apparmor.d/ntfssecaudit | 12 +-- apparmor.d/ntfstruncate | 10 +-- apparmor.d/ntfsundelete | 10 +-- apparmor.d/ntfsusermap | 12 +-- apparmor.d/ntfswipe | 10 +-- apparmor.d/numlockx | 10 +-- apparmor.d/nvidia_modprobe | 10 ++- apparmor.d/obamenu | 12 +-- apparmor.d/obconf | 24 +++--- apparmor.d/obxprop | 10 +-- apparmor.d/okular | 40 +++++----- apparmor.d/on-ac-power | 10 ++- apparmor.d/openbox | 22 +++--- apparmor.d/openbox-session | 10 +-- apparmor.d/openvpn | 34 ++++---- apparmor.d/opera | 46 ++++++----- apparmor.d/opera-crashreporter | 22 +++--- apparmor.d/opera-sandbox | 14 ++-- apparmor.d/orage | 26 +++---- apparmor.d/pacmd | 14 ++-- apparmor.d/pactl | 14 ++-- apparmor.d/pagesize | 8 +- apparmor.d/pam-auth-update | 28 +++---- apparmor.d/pam/mappings | 14 ++-- apparmor.d/pam_roles | 20 ++--- apparmor.d/parted | 14 ++-- apparmor.d/partprobe | 14 ++-- apparmor.d/passwd | 16 ++-- apparmor.d/pavucontrol | 20 ++--- apparmor.d/php-fpm | 60 ++++++++++++++ apparmor.d/pinentry-gtk-2 | 16 ++-- 
apparmor.d/pinentry-kwallet | 16 ++-- apparmor.d/pinentry-qt | 28 +++---- apparmor.d/pkexec | 18 +++-- apparmor.d/polipo | 8 +- apparmor.d/polkit-agent-helper | 18 +++-- apparmor.d/polkit-kde-authentication-agent | 32 ++++---- apparmor.d/polkit-mate-authentication-agent | 26 +++---- apparmor.d/polkitd | 10 +-- apparmor.d/popcon-largest-unused | 13 ++-- apparmor.d/popularity-contest | 12 +-- apparmor.d/ps | 12 +-- apparmor.d/ps-mem | 10 +-- apparmor.d/pscap | 12 +-- apparmor.d/psi-plus | 58 +++++++------- apparmor.d/pulseaudio | 20 +++-- apparmor.d/qbittorrent | 65 +++++++++------- apparmor.d/qbittorrent-nox | 23 ++++-- apparmor.d/qnapi | 43 +++++----- apparmor.d/qpdfview | 38 ++++----- apparmor.d/qt5ct | 28 +++---- apparmor.d/qtchooser | 8 +- apparmor.d/querybts | 38 +++++---- apparmor.d/quiterss | 51 ++++++------ apparmor.d/rdmsr | 8 +- apparmor.d/redshift | 10 +-- apparmor.d/repo | 41 ++++++---- apparmor.d/reportbug | 42 +++++----- apparmor.d/reprepro | 12 +-- apparmor.d/resize2fs | 12 +-- apparmor.d/rfkill | 8 +- apparmor.d/rpi-imager | 45 ++++++----- apparmor.d/rredtool | 8 +- apparmor.d/rsyslogd | 10 +-- apparmor.d/rtkit-daemon | 10 +-- apparmor.d/rtkitctl | 8 +- apparmor.d/run-parts | 16 ++-- apparmor.d/runuser | 16 ++-- apparmor.d/sbin.klogd | 14 ++-- apparmor.d/sbin.syslog-ng | 29 +++---- apparmor.d/sbin.syslogd | 16 ++-- apparmor.d/scdaemon | 10 ++- apparmor.d/scrot | 12 +-- apparmor.d/sddm | 30 +++---- apparmor.d/sddm-greeter | 22 +++--- apparmor.d/sddm-xsession | 22 +++--- apparmor.d/sensors | 10 +-- apparmor.d/sensors-detect | 14 ++-- apparmor.d/setpci | 8 +- apparmor.d/setpriv | 10 +-- apparmor.d/sfdisk | 10 +-- apparmor.d/sgdisk | 10 +-- apparmor.d/signal-desktop | 28 +++---- apparmor.d/signal-desktop-chrome-sandbox | 10 +-- apparmor.d/smartctl | 11 +-- apparmor.d/smartd | 10 +-- apparmor.d/smplayer | 47 ++++++----- apparmor.d/smtube | 43 +++++----- apparmor.d/spacefm | 32 ++++---- apparmor.d/spacefm-auth | 8 +- apparmor.d/spectre-meltdown-checker | 
36 ++++++--- apparmor.d/speedtest | 22 ++++-- apparmor.d/spflashtool | 14 ++-- apparmor.d/spotify | 34 ++++---- apparmor.d/ssh-agent | 10 +-- apparmor.d/startx | 14 ++-- apparmor.d/strawberry | 49 +++++++----- apparmor.d/strawberry-tagreader | 16 ++-- apparmor.d/su | 20 ++--- apparmor.d/sudo | 18 ++--- apparmor.d/suid3num | 11 +-- apparmor.d/swaplabel | 10 +-- apparmor.d/swapoff | 10 +-- apparmor.d/swapon | 10 +-- apparmor.d/synaptic | 28 +++---- apparmor.d/syncthing | 24 +++--- apparmor.d/system-config-printer | 30 +++---- apparmor.d/system-config-printer-applet | 17 ++-- apparmor.d/system_tor | 8 +- apparmor.d/systemd-analyze | 10 +-- apparmor.d/systemd-fsck | 14 ++-- apparmor.d/systemd-fsckd | 12 +-- apparmor.d/systemd-journalctl | 14 ++-- apparmor.d/systemd-journald | 14 ++-- apparmor.d/systemd-modules-load | 10 +-- apparmor.d/systemd-networkd | 10 +-- apparmor.d/systemd-networkd-wait-online | 10 +-- apparmor.d/systemd-rfkill | 12 +-- apparmor.d/systemd-shutdown | 10 +-- apparmor.d/systemd-sysctl | 10 +-- apparmor.d/systemd-timedated | 10 +-- apparmor.d/systemd-timesyncd | 12 +-- apparmor.d/tasksel | 20 ++--- apparmor.d/telegram-desktop | 53 +++++++------ apparmor.d/tftp | 12 +-- apparmor.d/thinkfan | 8 +- apparmor.d/thunderbird | 56 +++++++------ apparmor.d/tint2 | 20 ++--- apparmor.d/tint2conf | 18 ++--- apparmor.d/top | 12 +-- apparmor.d/torbrowser.Browser.firefox | 12 +-- .../torbrowser.Browser.plugin-container | 10 +-- apparmor.d/torbrowser.Tor.tor | 10 +-- apparmor.d/torify | 8 +- apparmor.d/torsocks | 8 +- apparmor.d/tpacpi-bat | 10 +-- apparmor.d/tunables/apparmorfs | 2 +- apparmor.d/tunables/etc | 25 ++++++ apparmor.d/tunables/global | 17 ++-- apparmor.d/tunables/home | 2 +- apparmor.d/tunables/multiarch | 2 +- apparmor.d/tunables/xdg-user-dirs | 2 +- apparmor.d/tune2fs | 12 +-- apparmor.d/ucf | 30 +++---- apparmor.d/udevadm | 18 +++-- apparmor.d/udiskie | 36 ++++----- apparmor.d/udiskie-info | 10 +-- apparmor.d/udiskie-mount | 10 +-- 
apparmor.d/udiskie-umount | 10 +-- apparmor.d/udisksctl | 8 +- apparmor.d/udisksd | 16 ++-- apparmor.d/umount | 11 ++- apparmor.d/uname | 10 +-- apparmor.d/unhide-linux | 8 +- apparmor.d/unhide-posix | 10 +-- apparmor.d/unhide-rb | 8 +- apparmor.d/unhide-tcp | 8 +- apparmor.d/unix-chkpwd | 12 +-- apparmor.d/unmkinitramfs | 8 +- apparmor.d/update-alternatives | 10 +-- apparmor.d/update-apt-xapian-index | 12 +-- apparmor.d/update-ca-certificates | 33 +++++--- apparmor.d/update-command-not-found | 12 +-- apparmor.d/update-desktop-database | 10 +-- apparmor.d/update-dlocatedb | 16 ++-- apparmor.d/update-initramfs | 10 +-- apparmor.d/update-pciids | 23 +++--- apparmor.d/update-smart-drivedb | 30 ++++--- apparmor.d/updatedb-mlocate | 10 +-- apparmor.d/upower | 8 +- apparmor.d/upowerd | 10 ++- apparmor.d/uptime | 10 +-- apparmor.d/usb-devices | 11 ++- apparmor.d/usbguard | 10 +-- apparmor.d/usbguard-applet-qt | 28 +++---- apparmor.d/usbguard-daemon | 12 +-- apparmor.d/usbguard-dbus | 8 +- apparmor.d/uscan | 26 ++++--- apparmor.d/useradd | 20 ++--- apparmor.d/userdel | 14 ++-- apparmor.d/usermod | 12 +-- apparmor.d/usr.bin.irssi | 14 ++-- apparmor.d/usr.bin.lxc-start | 4 +- apparmor.d/usr.bin.man | 14 ++-- apparmor.d/usr.bin.pidgin | 36 ++++----- apparmor.d/usr.bin.totem | 22 +++--- apparmor.d/usr.bin.totem-previewers | 16 ++-- .../usr.lib.libreoffice.program.oosplash | 6 +- .../usr.lib.libreoffice.program.senddoc | 8 +- .../usr.lib.libreoffice.program.soffice.bin | 44 +++++------ .../usr.lib.libreoffice.program.xpdfimport | 8 +- apparmor.d/usr.lib.libvirt.virt-aa-helper | 6 +- apparmor.d/usr.sbin.apt-cacher-ng | 14 ++-- apparmor.d/usr.sbin.avahi-daemon | 22 +++--- apparmor.d/usr.sbin.cupsd | 30 +++---- apparmor.d/usr.sbin.dnsmasq | 58 +++++++------- apparmor.d/usr.sbin.fwknopd | 6 +- apparmor.d/usr.sbin.identd | 16 ++-- apparmor.d/usr.sbin.libvirtd | 10 +-- apparmor.d/usr.sbin.mdnsd | 16 ++-- apparmor.d/usr.sbin.nmbd | 19 ++--- apparmor.d/usr.sbin.nscd | 24 +++--- 
apparmor.d/usr.sbin.ntpd | 14 ++-- apparmor.d/usr.sbin.smbd | 39 +++++----- apparmor.d/usr.sbin.smbldap-useradd | 19 +++-- apparmor.d/usr.sbin.tcpdump | 10 +-- apparmor.d/usr.sbin.traceroute | 12 +-- apparmor.d/uupdate | 14 ++-- apparmor.d/vcsi | 18 ++--- apparmor.d/vidcutter | 46 +++++------ apparmor.d/vipw-vigr | 12 +-- apparmor.d/virt-manager | 45 ++++++----- apparmor.d/vlc | 48 +++++++----- apparmor.d/vnstat | 12 +-- apparmor.d/vnstatd | 8 +- apparmor.d/volumeicon | 30 +++---- apparmor.d/vsftpd | 18 ++--- apparmor.d/wavemon | 8 +- apparmor.d/wget | 24 +++--- apparmor.d/whdd | 8 +- apparmor.d/whiptail | 10 +-- apparmor.d/who | 12 +-- apparmor.d/wireshark | 36 ++++----- apparmor.d/wmctrl | 10 +-- apparmor.d/wpa-gui | 26 +++---- apparmor.d/wpa-supplicant | 15 ++-- apparmor.d/wpa_cli | 8 +- apparmor.d/wrmsr | 8 +- apparmor.d/x11-xsession | 18 ++--- apparmor.d/xarchiver | 28 +++---- apparmor.d/xauth | 12 +-- apparmor.d/xautolock | 8 +- apparmor.d/xbacklight | 10 +-- apparmor.d/xdg-desktop-menu | 14 ++-- apparmor.d/xdg-email | 10 +-- apparmor.d/xdg-icon-resource | 14 ++-- apparmor.d/xdg-mime | 19 +++-- apparmor.d/xdg-open | 14 ++-- apparmor.d/xdg-screensaver | 20 ++--- apparmor.d/xdg-settings | 20 +++-- apparmor.d/xdpyinfo | 8 +- apparmor.d/xfce4-notifyd | 26 +++---- apparmor.d/xfconfd | 10 +-- apparmor.d/xhost | 12 +-- apparmor.d/xinit | 18 ++--- apparmor.d/xinput | 9 +-- apparmor.d/xkbcomp | 10 +-- apparmor.d/xorg | 22 +++--- apparmor.d/xprop | 8 +- apparmor.d/xrandr | 8 +- apparmor.d/xrdb | 10 +-- apparmor.d/xsel | 12 +-- apparmor.d/xset | 12 +-- apparmor.d/xsetroot | 10 +-- apparmor.d/youtube-dl | 36 +++++---- apparmor.d/youtube-viewer | 36 +++++---- apparmor.d/ytdl | 24 +++--- apparmor.d/zenmap | 20 ++--- 776 files changed, 6867 insertions(+), 5199 deletions(-) create mode 100644 apparmor.d/abi/3.0 create mode 100644 apparmor.d/abi/kernel-5.4-outoftree-network create mode 100644 apparmor.d/abi/kernel-5.4-vanilla create mode 100644 
apparmor.d/abstractions/nss-systemd
create mode 100644 apparmor.d/abstractions/php-worker
create mode 100644 apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
create mode 100644 apparmor.d/php-fpm
create mode 100644 apparmor.d/tunables/etc
diff --git a/apparmor.d/abi/3.0 b/apparmor.d/abi/3.0
new file mode 100644
index 00000000..4b60c425
--- /dev/null
+++ b/apparmor.d/abi/3.0
@@ -0,0 +1,78 @@ +query {label {multi_transaction {yes +} +data {yes +} +perms {allow deny audit quiet +} +} +} +dbus {mask {acquire send receive +} +} +signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost +} +} +ptrace {mask {read trace +} +} +caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf +} +} +rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime +} +} +capability {0xffffff +} +namespaces {pivot_root {no +} +profile {yes +} +} +mount {mask {mount umount pivot_root +} +} +network {af_unix {yes +} +af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp +} +} +network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp +} +} +file {mask {create read write exec append mmap_exec link lock +} +} +domain {version {1.2 +} +attach_conditions {xattr {yes +} +} +computed_longest_left {yes +} +post_nnp_subset {yes +} +fix_binfmt_elf_mmap {yes +} +stack {yes +} +change_profile {yes +} +change_onexec {yes +} +change_hatv {yes +} +change_hat {yes +} +} +policy {set_load {yes +} +versions {v8 {yes +} +v7 {yes +} +v6 {yes 
+} +v5 {yes +} +} +} diff --git a/apparmor.d/abi/kernel-5.4-outoftree-network b/apparmor.d/abi/kernel-5.4-outoftree-network new file mode 100644 index 00000000..6d5e95b6 --- /dev/null +++ b/apparmor.d/abi/kernel-5.4-outoftree-network @@ -0,0 +1,76 @@ +query {label {multi_transaction {yes +} +data {yes +} +perms {allow deny audit quiet +} +} +} +dbus {mask {acquire send receive +} +} +signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost +} +} +ptrace {mask {read trace +} +} +caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read +} +} +rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime +} +} +capability {0xffffff +} +namespaces {pivot_root {no +} +profile {yes +} +} +mount {mask {mount umount pivot_root +} +} +network {af_unix {yes +} +af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp +} +} +} +file {mask {create read write exec append mmap_exec link lock +} +} +domain {version {1.2 +} +attach_conditions {xattr {yes +} +} +computed_longest_left {yes +} +post_nnp_subset {yes +} +fix_binfmt_elf_mmap {yes +} +stack {yes +} +change_profile {yes +} +change_onexec {yes +} +change_hatv {yes +} +change_hat {yes +} +} +policy {set_load {yes +} +versions {v8 {yes +} +v7 {yes +} +v6 {yes +} +v5 {yes +} +} +} 
diff --git a/apparmor.d/abi/kernel-5.4-vanilla b/apparmor.d/abi/kernel-5.4-vanilla new file mode 100644 index 00000000..9fa0e8f5 --- /dev/null +++ b/apparmor.d/abi/kernel-5.4-vanilla @@ -0,0 +1,68 @@ +query {label {multi_transaction {yes +} +data {yes +} +perms {allow deny audit quiet +} +} +} +signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost +} +} +ptrace {mask {read trace +} +} +caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read +} +} +rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime +} +} +capability {0xffffff +} +namespaces {pivot_root {no +} +profile {yes +} +} +mount {mask {mount umount pivot_root +} +} +} +file {mask {create read write exec append mmap_exec link lock +} +} +domain {version {1.2 +} +attach_conditions {xattr {yes +} +} +computed_longest_left {yes +} +post_nnp_subset {yes +} +fix_binfmt_elf_mmap {yes +} +stack {yes +} +change_profile {yes +} +change_onexec {yes +} +change_hatv {yes +} +change_hat {yes +} +} +policy {set_load {yes +} +versions {v8 {yes +} +v7 {yes +} +v6 {yes +} +v5 {yes +} +} +} diff --git a/apparmor.d/abstractions/X b/apparmor.d/abstractions/X index 194e81d5..1ae3fa2c 100644 --- a/apparmor.d/abstractions/X +++ b/apparmor.d/abstractions/X 
@@ -11,13 +11,14 @@ # # ------------------------------------------------------------------ - #abi , + abi , - #include + include # .ICEauthority files required for X authentication, per user owner @{HOME}/.ICEauthority r, + owner @{run}/user/*/ICEauthority r, # .Xauthority files required for X connections, per user owner @{HOME}/.Xauthority r, @@ -30,7 +31,7 @@ owner @{run}/user/*/xauth_* r, # the unix socket to use to connect to the display - /tmp/.X11-unix/* rw, + /tmp/.X11-unix/* r, unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), @@ -58,7 +59,10 @@ /etc/X11/cursors/** r, # Xwayland - owner /run/user/*/.mutter-Xwaylandauth.* r, + owner @{run}/user/*/.mutter-Xwaylandauth.* r, # Available Xsessions /usr/share/xsessions/{,*.desktop} r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/apache2-common b/apparmor.d/abstractions/apache2-common index 850dd89c..d3f92249 100644 --- a/apparmor.d/abstractions/apache2-common +++ b/apparmor.d/abstractions/apache2-common @@ -2,7 +2,9 @@ # This file contains basic permissions for Apache and every vHost - #include + abi , + + include # Allow unconfined processes to send us signals by default signal (receive) peer=unconfined, @@ -20,7 +22,7 @@ /usr/share/apache2/** r, # changehat itself - @{PROC}/@{pid}/attr/current rw, + @{PROC}/@{pid}/attr/{apparmor/,}current rw, # htaccess files - for what ever it is worth /**/.htaccess r, @@ -28,7 +30,10 @@ /dev/urandom r, # sasl-auth - /run/saslauthd/mux rw, + @{run}/saslauthd/mux rw, # OCSP stapling - /var/log/apache2/stapling-cache rw, + @{run}/lock/apache2/stapling-cache* rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index f22be049..ba661821 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root 
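Review bot: In the second abstractions/X hunk, `/tmp/.X11-unix/* r,` drops the write permission on the filesystem socket path, and the `unix (connect, receive, send)` rule that follows only names the abstract address `@/tmp/.X11-unix/X[0-9]*`, so a client that connects through the pathname socket rather than the abstract one is no longer covered by either rule. As far as I know, connect() on a filesystem-path unix socket is mediated as a file write when fine-grained af_unix mediation is not available, and the kernel-5.4-vanilla abi added earlier in this commit has no `network` feature block, so that is exactly the configuration where this would start denying. If the tightening is intentional, record it next to the rule, e.g. `# write intentionally dropped; clients are expected to use the abstract socket`; otherwise keep `/tmp/.X11-unix/* rw,`.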
@@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # Root app location / r, diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 7ef7b994..123f5565 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # User app location / r, diff --git a/apparmor.d/abstractions/apparmor_api/change_profile b/apparmor.d/abstractions/apparmor_api/change_profile index 30f6b704..c2dfcba5 100644 --- a/apparmor.d/abstractions/apparmor_api/change_profile +++ b/apparmor.d/abstractions/apparmor_api/change_profile @@ -6,6 +6,8 @@ # # ------------------------------------------------------------------ -#include +abi , -@{PROC}/@{tid}/attr/{current,exec} w, +include + +@{PROC}/@{tid}/attr/{apparmor/,}{current,exec} w, diff --git a/apparmor.d/abstractions/apparmor_api/examine b/apparmor.d/abstractions/apparmor_api/examine index 2f2ea15a..655708bf 100644 --- a/apparmor.d/abstractions/apparmor_api/examine +++ b/apparmor.d/abstractions/apparmor_api/examine @@ -9,4 +9,6 @@ # Make sure to include at least tunables/proc and tunables/kernelvars # when using this abstraction, if not tunables/global. -@{PROC}/@{pids}/attr/{current,prev,exec} r, +abi , + +@{PROC}/@{pids}/attr/{apparmor/,}{current,prev,exec} r, diff --git a/apparmor.d/abstractions/apparmor_api/find_mountpoint b/apparmor.d/abstractions/apparmor_api/find_mountpoint index b8ac54d1..d75970e5 100644 --- a/apparmor.d/abstractions/apparmor_api/find_mountpoint +++ b/apparmor.d/abstractions/apparmor_api/find_mountpoint @@ -6,6 +6,8 @@ # # ------------------------------------------------------------------ +abi , + #permissions needed for aa_find_mountpoint # Make sure to include at least tunables/proc and tunables/kernelvars 
diff --git a/apparmor.d/abstractions/apparmor_api/introspect b/apparmor.d/abstractions/apparmor_api/introspect index e110c849..b88da0a4 100644 --- a/apparmor.d/abstractions/apparmor_api/introspect +++ b/apparmor.d/abstractions/apparmor_api/introspect @@ -6,7 +6,9 @@ # # ------------------------------------------------------------------ +abi , + # Make sure to include at least tunables/proc and tunables/kernelvars # when using this abstraction, if not tunables/global. -@{PROC}/@{tid}/attr/{current,prev,exec} r, +@{PROC}/@{tid}/attr/{apparmor/,}{current,prev,exec} r, diff --git a/apparmor.d/abstractions/apparmor_api/is_enabled b/apparmor.d/abstractions/apparmor_api/is_enabled index a637d3ce..56b1afd1 100644 --- a/apparmor.d/abstractions/apparmor_api/is_enabled +++ b/apparmor.d/abstractions/apparmor_api/is_enabled @@ -6,12 +6,14 @@ # # ------------------------------------------------------------------ +abi , + # permissions needed for aa_is_enabled # Make sure to include tunables/apparmorfs and tunables/global # when using this abstraction -#include +include @{sys}/module/apparmor/parameters/enabled r, # TODO: add alternate apparmorfs interface for enabled diff --git a/apparmor.d/abstractions/apt-common b/apparmor.d/abstractions/apt-common index 996abfe9..c7e0290f 100644 --- a/apparmor.d/abstractions/apt-common +++ b/apparmor.d/abstractions/apt-common @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, diff --git a/apparmor.d/abstractions/aspell b/apparmor.d/abstractions/aspell index 95476892..eff252bd 100644 --- a/apparmor.d/abstractions/aspell +++ b/apparmor.d/abstractions/aspell @@ -1,6 +1,8 @@ # vim:syntax=apparmor # aspell permissions + abi , + # per-user settings and dictionaries owner @{HOME}/.aspell.*.{pws,prepl} rwk, 
@@ -11,3 +13,6 @@ /usr/share/aspell/ r, /usr/share/aspell/* r, /var/lib/aspell/* r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/audio b/apparmor.d/abstractions/audio index f1ad356f..f558e607 100644 --- a/apparmor.d/abstractions/audio +++ b/apparmor.d/abstractions/audio @@ -10,6 +10,7 @@ # # ------------------------------------------------------------------ +abi , /dev/admmidi* rw, @@ -56,13 +57,15 @@ owner @{HOME}/.cache/event-sound-cache.* rwk, # pulse /etc/pulse/ r, /etc/pulse/** r, -/{run,dev}/shm/ r, -owner /{run,dev}/shm/pulse-shm* rwk, +/dev/shm/ r, +@{run}/shm/ r, +owner /dev/shm/pulse-shm* rwk, +owner @{run}/shm/pulse-shm* rwk, owner @{HOME}/.pulse-cookie rwk, owner @{HOME}/.pulse/ rw, owner @{HOME}/.pulse/* rwk, -owner /{,var/}run/user/*/pulse/ rw, -owner /{,var/}run/user/*/pulse/{native,pid} rwk, +owner @{run}/user/*/pulse/ rw, +owner @{run}/user/*/pulse/{native,pid} rwk, owner @{HOME}/.config/pulse/*.conf r, owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r, owner @{HOME}/.config/pulse/cookie rwk, @@ -86,3 +89,6 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r, # wildmidi /etc/wildmidi/wildmidi.cfg r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/authentication b/apparmor.d/abstractions/authentication index 75771ecd..e8b9f7ac 100644 --- a/apparmor.d/abstractions/authentication +++ b/apparmor.d/abstractions/authentication 
@@ -10,18 +10,19 @@ # # ------------------------------------------------------------------ + abi , # Some services need to perform authentication of users # Such authentication almost certainly needs access to the local users # databases containing passwords, PAM configuration files, PAM libraries - /{usr/,}etc/nologin r, - /{usr/,}etc/pam.d/* r, - /{usr/,}etc/securetty r, - /{usr/,}etc/security/* r, - /{usr/,}etc/shadow r, - /{usr/,}etc/gshadow r, - /{usr/,}etc/pwdb.conf r, + @{etc_ro}/nologin r, + @{etc_ro}/pam.d/* r, + @{etc_ro}/securetty r, + @{etc_ro}/security/* r, + @{etc_ro}/shadow r, + @{etc_ro}/gshadow r, + @{etc_ro}/pwdb.conf r, /{usr/,}lib{,32,64}/security/pam_filter/* mr, /{usr/,}lib{,32,64}/security/pam_*.so mr, @@ -31,22 +32,25 @@ /{usr/,}lib/@{multiarch}/security/ r, # kerberos - #include + include # SuSE's pwdutils are different: - /{usr/,}etc/default/passwd r, - /{usr/,}etc/login.defs r, + @{etc_ro}/default/passwd r, + @{etc_ro}/login.defs r, # nis - #include + include # winbind - #include + include # likewise - #include + include # smbpass - #include + include # p11-kit (PKCS#11 modules configuration) - #include + include + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/base b/apparmor.d/abstractions/base index dff09125..5307a72a 100644 --- a/apparmor.d/abstractions/base +++ b/apparmor.d/abstractions/base @@ -10,6 +10,7 @@ # # ------------------------------------------------------------------ + abi , # (Note that the ldd profile has inlined this file; if you make 
@@ -26,10 +27,10 @@ # Allow access to the uuidd daemon (this daemon is a thin wrapper around # time and getrandom()/{,u}random and, when available, runs under an # unprivilged, dedicated user). - /run/uuidd/request r, - /etc/locale/** r, - /etc/locale.alias r, - /etc/localtime r, + @{run}/uuidd/request r, + @{etc_ro}/locale/** r, + @{etc_ro}/locale.alias r, + @{etc_ro}/localtime r, /etc/writable/localtime r, /usr/share/locale-bundle/** r, /usr/share/locale-langpack/** r, @@ -39,13 +40,13 @@ /usr/share/zoneinfo/ r, /usr/share/zoneinfo/** r, /usr/share/X11/locale/** r, - /run/systemd/journal/dev-log w, + @{run}/systemd/journal/dev-log w, # systemd native journal API (see sd_journal_print(4)) - /run/systemd/journal/socket w, + @{run}/systemd/journal/socket w, # Nested containers and anything using systemd-cat need this. 'r' shouldn't # be required but applications fail without it. journald doesn't leak # anything when reading so this is ok. - /run/systemd/journal/stdout rw, + @{run}/systemd/journal/stdout rw, /usr/lib{,32,64}/locale/** mr, /usr/lib{,32,64}/gconv/*.so mr, @@ -54,14 +55,14 @@ /usr/lib/@{multiarch}/gconv/gconv-modules* mr, # used by glibc when binding to ephemeral ports - /etc/bindresvport.blacklist r, + @{etc_ro}/bindresvport.blacklist r, # ld.so.cache and ld are used to load shared libraries; they are best # available everywhere - /etc/ld.so.cache mr, - /etc/ld.so.conf r, - /etc/ld.so.conf.d/{,*.conf} r, - /etc/ld.so.preload r, + @{etc_ro}/ld.so.cache mr, + @{etc_ro}/ld.so.conf r, + @{etc_ro}/ld.so.conf.d/{,*.conf} r, + @{etc_ro}/ld.so.preload r, /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr, /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr, /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr, 
@@ -76,6 +77,11 @@ /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr, /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr, + # FIPS-140-2 versions of some crypto libraries need to access their + # associated integrity verification file, or they will abort. + /{usr/,}lib{,32,64}/.lib*.so*.hmac r, + /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r, + # /dev/null is pretty harmless and frequently used /dev/null rw, # as is /dev/zero @@ -180,3 +186,6 @@ #owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r, #owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/bash b/apparmor.d/abstractions/bash index e8dcd75c..89c1cf1e 100644 --- a/apparmor.d/abstractions/bash +++ b/apparmor.d/abstractions/bash @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + # user-specific bash files @{HOMEDIRS} r, @{HOME}/.bashrc r, @@ -42,3 +44,6 @@ /etc/DIR_COLORS r, /{usr/,}bin/ls mix, /usr/bin/dircolors mix, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/consoles b/apparmor.d/abstractions/consoles index a16dffe0..aabf3dd5 100644 --- a/apparmor.d/abstractions/consoles +++ b/apparmor.d/abstractions/consoles @@ -9,6 +9,7 @@ # # ------------------------------------------------------------------ + abi , # there are three common ways to refer to consoles @@ -21,4 +22,6 @@ /dev/pts/[0-9]* rw, /dev/pts/ r, - /dev/ptmx rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/cups-client b/apparmor.d/abstractions/cups-client index f38ac097..44f36e2b 100644 --- a/apparmor.d/abstractions/cups-client +++ b/apparmor.d/abstractions/cups-client 
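Review bot: The second abstractions/consoles hunk removes `/dev/ptmx rw,` while adding the `include if exists` trailer, which is a permission change unrelated to the abi 3.0 migration the commit describes. Every profile that includes this abstraction and opens a pseudo-terminal master loses that access silently, and nothing in the hunk or the commit message says the removal is deliberate. Either keep `/dev/ptmx rw,` or mark the decision in the file, e.g. `# /dev/ptmx is deliberately not granted here; add it in the profile that needs it`, so the next reader does not take it for an accidental drop.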
@@ -9,10 +9,15 @@ # # ------------------------------------------------------------------ + abi , + # discoverable system configuration for non-local cupsd /etc/cups/client.conf r, # client should be able to talk the local cupsd - /{,var/}run/cups/cups.sock rw, + @{run}/cups/cups.sock rw, # client should be able to read user-specified cups configuration owner @{HOME}/.cups/client.conf r, owner @{HOME}/.cups/lpoptions r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus b/apparmor.d/abstractions/dbus index c670fc2d..b96ca09a 100644 --- a/apparmor.d/abstractions/dbus +++ b/apparmor.d/abstractions/dbus @@ -9,8 +9,13 @@ # # ------------------------------------------------------------------ + abi , + # This abstraction grants full system bus access. Consider using the # dbus-strict abstraction for fine-grained bus mediation. - #include + include dbus bus=system, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus-accessibility b/apparmor.d/abstractions/dbus-accessibility index 40a33084..3c49a32f 100644 --- a/apparmor.d/abstractions/dbus-accessibility +++ b/apparmor.d/abstractions/dbus-accessibility @@ -9,8 +9,13 @@ # # ------------------------------------------------------------------ + abi , + # This abstraction grants full accessibility bus access. Consider using the # dbus-accessibility-strict abstraction for fine-grained bus mediation. - #include + include dbus bus=accessibility, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus-accessibility-strict b/apparmor.d/abstractions/dbus-accessibility-strict index a853ce20..8fe06ea6 100644 --- a/apparmor.d/abstractions/dbus-accessibility-strict +++ b/apparmor.d/abstractions/dbus-accessibility-strict 
@@ -9,9 +9,14 @@ # # ------------------------------------------------------------------ + abi , + dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus-network-manager-strict b/apparmor.d/abstractions/dbus-network-manager-strict index 889a9a85..9930c80d 100644 --- a/apparmor.d/abstractions/dbus-network-manager-strict +++ b/apparmor.d/abstractions/dbus-network-manager-strict @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + dbus send bus=system path=/org/freedesktop/NetworkManager @@ -42,4 +44,4 @@ member=GetSettings peer=(name=org.freedesktop.NetworkManager), - #include if exists + include if exists diff --git a/apparmor.d/abstractions/dbus-session b/apparmor.d/abstractions/dbus-session index eb1ed91e..9b8b979e 100644 --- a/apparmor.d/abstractions/dbus-session +++ b/apparmor.d/abstractions/dbus-session @@ -9,9 +9,14 @@ # # ------------------------------------------------------------------ + abi , + # This abstraction grants full session bus access. Consider using the # dbus-session-strict abstraction for fine-grained bus mediation. - #include + include /usr/bin/dbus-launch ix, dbus bus=session, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus-session-strict b/apparmor.d/abstractions/dbus-session-strict index 1600554a..a301d45f 100644 --- a/apparmor.d/abstractions/dbus-session-strict +++ b/apparmor.d/abstractions/dbus-session-strict 
@@ -9,17 +9,18 @@ # # ------------------------------------------------------------------ + abi , + # unique per-machine identifier /etc/machine-id r, /var/lib/dbus/machine-id r, - owner /run/user/*/bus rw, unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"), # dbus with systemd and --enable-user-session - owner /run/user/[0-9]*/bus rw, + owner @{run}/user/[0-9]*/bus rw, dbus send bus=session @@ -27,3 +28,6 @@ interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dbus-strict b/apparmor.d/abstractions/dbus-strict index 01a426e4..915195d2 100644 --- a/apparmor.d/abstractions/dbus-strict +++ b/apparmor.d/abstractions/dbus-strict @@ -9,7 +9,9 @@ # # ------------------------------------------------------------------ - /{,var/}run/dbus/system_bus_socket rw, + abi , + + @{run}/dbus/system_bus_socket rw, dbus send bus=system @@ -17,3 +19,6 @@ interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dconf b/apparmor.d/abstractions/dconf index 7ef69783..fc3b3dbd 100644 --- a/apparmor.d/abstractions/dconf +++ b/apparmor.d/abstractions/dconf @@ -1,8 +1,13 @@ # vim:syntax=apparmor + abi , + # permissions for querying dconf settings; granting write access should # be specified in a specific application's profile. /etc/dconf/** r, - owner /{,var/}run/user/*/dconf/user r, + owner @{run}/user/*/dconf/user r, owner @{HOME}/.config/dconf/user r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/deny-dconf b/apparmor.d/abstractions/deny-dconf index bc7683bc..0567f3a9 100644 --- a/apparmor.d/abstractions/deny-dconf 
+++ b/apparmor.d/abstractions/deny-dconf @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , deny /etc/dconf/{,**} r, diff --git a/apparmor.d/abstractions/deny-root-dir-access b/apparmor.d/abstractions/deny-root-dir-access index 9e26510f..19fb6d66 100644 --- a/apparmor.d/abstractions/deny-root-dir-access +++ b/apparmor.d/abstractions/deny-root-dir-access @@ -17,7 +17,7 @@ # are denied. Anyway, most of the apps refuse to start when they don't get the access to the # needed files in the user home dir. - #abi , + abi , # Use audit for now to see whether some apps are trying to get access to the /root/ dir. audit deny /root/{,**} rwkmlx, diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 288af63c..bcda24e6 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # The /sys/ entries probably should be tightened diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index 42bce3d7..d44b7f95 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # The /sys/ entries probably should be tightened diff --git a/apparmor.d/abstractions/dovecot-common b/apparmor.d/abstractions/dovecot-common index e1681d9a..35d3cb11 100644 --- a/apparmor.d/abstractions/dovecot-common +++ b/apparmor.d/abstractions/dovecot-common @@ -9,6 +9,8 @@ # ------------------------------------------------------------------ # used with dovecot/* + abi , + capability setgid, deny capability block_suspend, @@ -16,4 +18,7 @@ # dovecot's master can send us signals signal receive peer=dovecot, - /{var/,}run/dovecot/config rw, + owner @{run}/dovecot/config rw, + + # Include additions to the abstraction + include if exists 
diff --git a/apparmor.d/abstractions/dri-common b/apparmor.d/abstractions/dri-common index b5e0a5c5..cd9542b0 100644 --- a/apparmor.d/abstractions/dri-common +++ b/apparmor.d/abstractions/dri-common @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This file contains common DRI-specific rules useful for GUI applications # (needed by libdrm and similar). @@ -12,3 +14,6 @@ /usr/share/drirc.d/{,*.conf} r, owner @{HOME}/.drirc r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/dri-enumerate b/apparmor.d/abstractions/dri-enumerate index e101be5c..b5717cd2 100644 --- a/apparmor.d/abstractions/dri-enumerate +++ b/apparmor.d/abstractions/dri-enumerate @@ -1,8 +1,13 @@ # vim:syntax=apparmor + abi , + # This file contains common DRI-specific rules useful for GUI applications that # needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from # libdrm). @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/enchant b/apparmor.d/abstractions/enchant index d0ff0852..e80373b2 100644 --- a/apparmor.d/abstractions/enchant +++ b/apparmor.d/abstractions/enchant @@ -9,14 +9,18 @@ # # ------------------------------------------------------------------ + abi , + # abstraction for Enchant spellchecking frontend /usr/share/enchant/ r, /usr/share/enchant/enchant.ordering r, - /usr/share/enchant-[0-9]*/enchant.ordering r, + + /usr/share/enchant-2/ r, + /usr/share/enchant-2/enchant.ordering r, # aspell - #include + include /var/lib/dictionaries-common/aspell/ r, /var/lib/dictionaries-common/aspell/* r, @@ -55,3 +59,6 @@ # per-user dictionaries owner @{HOME}/.config/enchant/ rw, owner @{HOME}/.config/enchant/* rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/evince b/apparmor.d/abstractions/evince index e6a5757f..8ff3fe06 100644 
--- a/apparmor.d/abstractions/evince +++ b/apparmor.d/abstractions/evince @@ -3,9 +3,9 @@ # abstraction used by evince binaries # - #include - #include - #include + include + include + include @{PROC}/[0-9]*/fd/ r, @{PROC}/[0-9]*/mountinfo r, @@ -94,7 +94,7 @@ # access to the Cache directory, which the browser may tell evince to open # from directly. - #include + include audit deny @{HOME}/.gnupg/** mrwkl, audit deny @{HOME}/.ssh/** mrwkl, audit deny @{HOME}/.gnome2_private/** mrwkl, @@ -117,8 +117,8 @@ audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl, # When LP: #451422 is fixed, change the above to simply be: - ##include + include #owner @{HOME}/.mozilla/**/*Cache/* r, # Site-specific additions and overrides. See local/README for details. - #include + include diff --git a/apparmor.d/abstractions/exo-open b/apparmor.d/abstractions/exo-open index 6b14afa5..5717e4d7 100644 --- a/apparmor.d/abstractions/exo-open +++ b/apparmor.d/abstractions/exo-open @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via exo-open helper. # @@ -18,27 +20,27 @@ # # # out-of-line child profile # profile foo//exo-open { -# #include +# include # # # needed for ubuntu-* abstractions -# #include +# include # # # Only allow to handle http[s]: and mailto: links -# #include -# #include +# include +# include # # # Add if accesibility access is considered as required # # (for message boxe in case exo-open fails) -# #include +# include # # # < add additional allowed applications here > # } - #include - #include # for alert messages - #include - #include - #include + include + include # for alert messages + include + include + include # Main executables @@ -71,4 +73,4 @@ owner @{HOME}/.local/share/xfce4/helpers/*.desktop r, # Include additions to the abstraction - #include if exists + include if exists 
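Review bot: In the last abstractions/evince hunk the line under `# When LP: #451422 is fixed, change the above to simply be:` goes from `##include` (a commented-out include) to a live `include`, so a directive the author explicitly parked as future work is now unconditionally active while the `audit deny` workaround rules above it and the still-commented `#owner @{HOME}/.mozilla/**/*Cache/* r,` below it are unchanged. Whatever that include grants (its target is not visible in this rendering) is now added to every profile using this abstraction. Restore it as a comment with a space after the hash, e.g. `# include <TARGET-FROM-ORIGINAL-LINE>`, because in AppArmor 3 the bare `#include` form is still parsed as an include directive, which is presumably how the mechanical `#include`→`include` rewrite turned this comment into a rule.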
diff --git a/apparmor.d/abstractions/fcitx b/apparmor.d/abstractions/fcitx index 3d26cc95..9321bfcd 100644 --- a/apparmor.d/abstractions/fcitx +++ b/apparmor.d/abstractions/fcitx @@ -9,5 +9,10 @@ # # ------------------------------------------------------------------ - #include + abi , + + include dbus bus=fcitx, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/fcitx-strict b/apparmor.d/abstractions/fcitx-strict index d7737341..19d2191d 100644 --- a/apparmor.d/abstractions/fcitx-strict +++ b/apparmor.d/abstractions/fcitx-strict @@ -9,7 +9,9 @@ # # ------------------------------------------------------------------ - #include + abi , + + include dbus send bus=fcitx @@ -19,3 +21,6 @@ peer=(name=org.freedesktop.DBus), owner @{HOME}/.config/fcitx/dbus/* r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/file-browsing-strict b/apparmor.d/abstractions/file-browsing-strict index 838dc1d1..dff7f17c 100644 --- a/apparmor.d/abstractions/file-browsing-strict +++ b/apparmor.d/abstractions/file-browsing-strict @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , deny @{PROC}/@{pid}/mountinfo r, deny @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/abstractions/flatpak-snap b/apparmor.d/abstractions/flatpak-snap index 47fbbbd8..f2259f4a 100644 --- a/apparmor.d/abstractions/flatpak-snap +++ b/apparmor.d/abstractions/flatpak-snap @@ -11,7 +11,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # Flatpak /var/lib/flatpak/exports/share/{,**} r, diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index ce89f38d..6c5fefd5 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read 
@@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # The fontconfig cache can be generated via the following command: # $ fc-cache -f -v diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 81c118a5..a57b7b61 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , owner @{HOME}/.cache/fontconfig/ rw, owner @{HOME}/.cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, diff --git a/apparmor.d/abstractions/fonts b/apparmor.d/abstractions/fonts index 5d7b173e..402703d7 100644 --- a/apparmor.d/abstractions/fonts +++ b/apparmor.d/abstractions/fonts @@ -10,6 +10,8 @@ # # ------------------------------------------------------------------ + abi , + /usr/share/AbiSuite/fonts/** r, /usr/lib/xorg/modules/fonts/**.so* mr, @@ -59,3 +61,6 @@ # data files for LibThai /usr/share/libthai/thbrk.tri r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/freedesktop.org b/apparmor.d/abstractions/freedesktop.org index 2ffaaf99..7277cc1f 100644 --- a/apparmor.d/abstractions/freedesktop.org +++ b/apparmor.d/abstractions/freedesktop.org @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # system configuration @{system_share_dirs}/applications/{**,} r, @{system_share_dirs}/icons/{**,} r, @@ -18,7 +20,8 @@ @{system_share_dirs}/mime/** r, # per-user configurations - owner @{HOME}/.icons/{**,} r, + owner @{HOME}/.icons/ r, + owner @{HOME}/.icons/default/index.theme r, owner @{HOME}/.recently-used.xbel* rw, owner @{HOME}/.local/share/recently-used.xbel* rw, owner @{HOME}/.config/user-dirs.dirs r, 
@@ -26,3 +29,6 @@ owner @{user_share_dirs}/applications/{**,} r, owner @{user_share_dirs}/icons/{**,} r, owner @{user_share_dirs}/mime/{**,} r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/fzf b/apparmor.d/abstractions/fzf index a45de60a..b9f3ceb3 100644 --- a/apparmor.d/abstractions/fzf +++ b/apparmor.d/abstractions/fzf @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , owner @{HOME}/.fzf/{,**} r, diff --git a/apparmor.d/abstractions/gio-open b/apparmor.d/abstractions/gio-open index ec6b1873..fda1fb9e 100644 --- a/apparmor.d/abstractions/gio-open +++ b/apparmor.d/abstractions/gio-open @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via gio helper. # @@ -18,20 +20,20 @@ # # # out-of-line child profile # profile foo//gio-open { -# #include +# include # # # needed for ubuntu-* abstractions -# #include +# include # # # Only allow to handle http[s]: and mailto: links -# #include -# #include +# include +# include # # # < add additional allowed applications here > # } - #include - #include + include + include # Main executables @@ -54,4 +56,4 @@ owner @{PROC}/@{pid}/fd/ r, # Include additions to the abstraction - #include if exists + include if exists diff --git a/apparmor.d/abstractions/gnome b/apparmor.d/abstractions/gnome index 5bb2fc26..94f3da63 100644 --- a/apparmor.d/abstractions/gnome +++ b/apparmor.d/abstractions/gnome @@ -9,13 +9,16 @@ # License published by the Free Software Foundation. # # ------------------------------------------------------------------ -#include -#include -#include -#include -#include -#include -#include + + abi , + + include + include + include + include + include + include + include # systemwide gtk defaults /etc/gnome/gtkrc* r, 
@@ -88,7 +91,7 @@ /usr/share/gvfs/remote-volume-monitors/ r, /usr/share/gvfs/remote-volume-monitors/* r, @{PROC}/@{pid}/mounts r, - /run/mount/utab r, + @{run}/mount/utab r, # printing /etc/papersize r, @@ -96,7 +99,7 @@ /usr/share/cups/charmaps/** r, # holds MIT-MAGIC-COOKIE for gnome - owner /{,var/}run/gdm/auth*/database r, + owner @{run}/gdm/auth*/database r, # mime-types /etc/gnome/defaults.list r, @@ -109,3 +112,6 @@ unix (send, receive, connect) type=stream peer=(addr="@/dbus-vfs-daemon/socket-*"), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/gnupg b/apparmor.d/abstractions/gnupg index d04c920d..050f0435 100644 --- a/apparmor.d/abstractions/gnupg +++ b/apparmor.d/abstractions/gnupg @@ -1,6 +1,8 @@ # vim:syntax=apparmor # gnupg sub-process running permissions + abi , + # user configurations owner @{HOME}/.gnupg/options r, owner @{HOME}/.gnupg/pubring.gpg r, @@ -9,3 +11,6 @@ owner @{HOME}/.gnupg/secring.gpg r, owner @{HOME}/.gnupg/so/*.x86_64 mr, owner @{HOME}/.gnupg/trustdb.gpg rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 00f1ac81..c5735569 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -1,8 +1,8 @@ # vim:syntax=apparmor - #include - #include - #include + include + include + include # TODO: adjust when support finer-grained netlink rules network netlink raw, diff --git a/apparmor.d/abstractions/gtk b/apparmor.d/abstractions/gtk index 53709667..8daed9cb 100644 --- a/apparmor.d/abstractions/gtk +++ b/apparmor.d/abstractions/gtk @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , /usr/share/themes/{,**} r, diff --git a/apparmor.d/abstractions/gvfs-open b/apparmor.d/abstractions/gvfs-open index 397423da..32653148 100644 --- a/apparmor.d/abstractions/gvfs-open +++ b/apparmor.d/abstractions/gvfs-open 
@@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via gvfs-open helper. # @@ -18,23 +20,23 @@ # # # out-of-line child profile # profile foo//gvfs-open { -# #include +# include # # # needed for ubuntu-* abstractions -# #include +# include # # # Only allow to handle http[s]: and mailto: links -# #include -# #include +# include +# include # # # < add additional allowed applications here > # } # ``` - #include + include # gvfs-open is deprecated, it launches gio open - #include + include # Main executables @@ -42,4 +44,4 @@ /{,usr/}bin/dash mr, # Include additions to the abstraction - #include if exists + include if exists diff --git a/apparmor.d/abstractions/hosts_access b/apparmor.d/abstractions/hosts_access index a4ffb022..e5ea88c1 100644 --- a/apparmor.d/abstractions/hosts_access +++ b/apparmor.d/abstractions/hosts_access @@ -9,5 +9,9 @@ # # ------------------------------------------------------------------ + abi , + /etc/hosts.deny r, /etc/hosts.allow r, + + include if exists diff --git a/apparmor.d/abstractions/ibus b/apparmor.d/abstractions/ibus index a4431b99..0d28b57b 100644 --- a/apparmor.d/abstractions/ibus +++ b/apparmor.d/abstractions/ibus @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # abstraction for ibus input methods owner @{HOME}/.config/ibus/ r, owner @{HOME}/.config/ibus/bus/ rw, @@ -27,3 +29,6 @@ unix (connect, receive, send) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*"), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/kde b/apparmor.d/abstractions/kde index cad5c7db..a8eb44f8 100644 --- a/apparmor.d/abstractions/kde +++ b/apparmor.d/abstractions/kde 
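Review bot: The abstractions/hosts_access hunk appends `include if exists` without the `# Include additions to the abstraction` comment that every other abstraction in this commit places above that line. Keeping the trailer uniform makes the `.d` extension hook easy to grep for and to recognise; add `# Include additions to the abstraction` on the line before it.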
@@ -9,13 +9,15 @@ # # ------------------------------------------------------------------ -#include -#include -#include -#include -#include -#include -#include +abi , + +include +include +include +include +include +include +include /etc/qt3/kstylerc r, /etc/qt3/qt_plugins_3.3rc r, @@ -75,3 +77,6 @@ owner @{HOME}/.config/trashrc r, # Used by KFileWidget /usr/lib/@{multiarch}/qt4/lib*/lib*so* mr, /usr/lib/@{multiarch}/qt4/plugins/** mr, /usr/share/qt4/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/kde-globals-write b/apparmor.d/abstractions/kde-globals-write index 8425f3f9..5db20a35 100644 --- a/apparmor.d/abstractions/kde-globals-write +++ b/apparmor.d/abstractions/kde-globals-write @@ -1,10 +1,15 @@ # vim:syntax=apparmor # Rules for changing KDE settings (for KFileDialog and other). - # User files + abi , + # User files + owner @{HOME}/.config/#[0-9]* rw, owner @{HOME}/.config/kdeglobals rw, - owner @{HOME}/.config/kdeglobals.?????? rwl -> /home/*/.config/#[0-9]*, + owner @{HOME}/.config/kdeglobals.?????? rwl -> @{HOME}/.config/#[0-9]*, owner @{HOME}/.config/kdeglobals.lock rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/kde-icon-cache-write b/apparmor.d/abstractions/kde-icon-cache-write index d37fb3b8..df3793e1 100644 --- a/apparmor.d/abstractions/kde-icon-cache-write +++ b/apparmor.d/abstractions/kde-icon-cache-write @@ -1,7 +1,12 @@ # vim:syntax=apparmor # Rules for writing KDE icon cache + abi , + # User files owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/kde-language-write b/apparmor.d/abstractions/kde-language-write index ee4d03f3..1314d21c 100644 --- a/apparmor.d/abstractions/kde-language-write +++ b/apparmor.d/abstractions/kde-language-write 
@@ -1,4 +1,7 @@ # vim:syntax=apparmor + + abi , + # Rules for changing per-application language settings on KDE. Some KDE # applications have "Help -> Switch Application Language..." option, that needs # write access to language settings file. @@ -7,6 +10,9 @@ owner @{HOME}/.config/#[0-9]* rw, owner @{HOME}/.config/klanguageoverridesrc rw, - owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> /home/*/.config/#[0-9]*, + owner @{HOME}/.config/klanguageoverridesrc.?????? rwl -> @{HOME}/.config/#[0-9]*, owner @{HOME}/.config/klanguageoverridesrc.lock rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/kde-open5 b/apparmor.d/abstractions/kde-open5 index 4fb651ea..5f4e0f75 100644 --- a/apparmor.d/abstractions/kde-open5 +++ b/apparmor.d/abstractions/kde-open5 @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via kde-open5 helper. # 
@@ -18,40 +20,40 @@ # # # out-of-line child profile # profile foo//kde-open5 { -# #include +# include # # # needed for ubuntu-* abstractions -# #include +# include # # # Only allow to handle http[s]: and mailto: links -# #include -# #include +# include +# include # # # Add if accesibility access is considered as required # # (for message boxe in case exo-open fails) -# #include +# include # # # Add if audio support for message box is # # considered as required. -# #include if exists +# include if exists # # # < add additional allowed applications here > # } # ``` - #include # for alert messages - #include - #include - #include - #include - #include - #include - #include - #include # for IceProcessMessages () from libICE.so (called by libQtCore.so) - #include - #include - #include - #include + include # for alert messages + include + include + include + include + include + include + include + include # for IceProcessMessages () from libICE.so (called by libQtCore.so) + include + include + include + include # Main executables @@ -96,9 +98,9 @@ # User files owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so - owner /{,var/}run/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13 - owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure) + owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13 + owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure) owner @{HOME}/.cache/kio_http/ rw, # Include additions to the abstraction - #include if exists + include if exists diff --git a/apparmor.d/abstractions/kde4 b/apparmor.d/abstractions/kde4 index 6e5e0a54..104a338c 100644 --- a/apparmor.d/abstractions/kde4 +++ b/apparmor.d/abstractions/kde4 
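Review bot: In the rewritten `kioclient*slave-socket` rule of kde-open5 the link target still uses a single-digit pattern, `@{run}/user/[0-9]/#[0-9]*`, while the source path on the same line and the sibling rule above use `@{run}/user/[0-9]*/`, so the `l` permission cannot match the uid 1000 that the adjoining comment (`# for /run/user/1000/#13`) names. Since the line is rewritten here anyway (and the old `/{,var/}/run` double slash is rightly dropped), the target should become `@{run}/user/[0-9]*/#[0-9]*,`. The `owner` qualifier keeps the rule limited to the user's own runtime directory, so widening the digit pattern does not extend it to other users.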
@@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , /usr/share/kde4/** r, diff --git a/apparmor.d/abstractions/kde5-plasma5 b/apparmor.d/abstractions/kde5-plasma5 index e0f13103..d8954a2f 100644 --- a/apparmor.d/abstractions/kde5-plasma5 +++ b/apparmor.d/abstractions/kde5-plasma5 @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ - #abi , + abi , - #include + include # KDE/Plasma5 themes #/{usr/,}lib/@{multiarch}/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so mr, @@ -52,7 +52,7 @@ # Think what to do about this #FIXME# # It seems when a QT app is started in Plasma5/KDE5 environment it also wants the following. - ##include + include #signal (send) set=(term, kill) peer=unconfined, #deny @{sys}/bus/ r, #deny @{sys}/bus/usb/devices/ r, diff --git a/apparmor.d/abstractions/kerberosclient b/apparmor.d/abstractions/kerberosclient index 5b79e3d6..386e8c11 100644 --- a/apparmor.d/abstractions/kerberosclient +++ b/apparmor.d/abstractions/kerberosclient @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # files required by kerberos client programs /usr/lib{,32,64}/krb5/plugins/libkrb5/ r, /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr, @@ -32,3 +34,6 @@ # credential caches /tmp/krb5cc* r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ldapclient b/apparmor.d/abstractions/ldapclient index 0c527282..550963c4 100644 --- a/apparmor.d/abstractions/ldapclient +++ b/apparmor.d/abstractions/ldapclient @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + # files required by LDAP clients (e.g. nss_ldap/pam_ldap) /etc/ldap.conf r, /etc/ldap.secret r, 
@@ -19,6 +21,9 @@ /usr/lib{,32,64}/sasl2/* r, # local LDAP name service daemon - /{,var/}run/nslcd/socket rw, + @{run}/nslcd/socket rw, - #include + include + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/libpam-systemd b/apparmor.d/abstractions/libpam-systemd index 76ee8693..b99765f9 100644 --- a/apparmor.d/abstractions/libpam-systemd +++ b/apparmor.d/abstractions/libpam-systemd @@ -9,7 +9,9 @@ # # ------------------------------------------------------------------ -#include + abi , + +include # libpam-systemd notifies systemd-logind about session logins/logouts dbus send @@ -17,3 +19,6 @@ path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession}, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/libvirt-lxc b/apparmor.d/abstractions/libvirt-lxc index e556f2a7..51516e68 100644 --- a/apparmor.d/abstractions/libvirt-lxc +++ b/apparmor.d/abstractions/libvirt-lxc @@ -1,4 +1,4 @@ - #include + include umount, diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu index a03e9e2c..98be0d4a 100644 --- a/apparmor.d/abstractions/libvirt-qemu +++ b/apparmor.d/abstractions/libvirt-qemu @@ -1,6 +1,6 @@ - #include - #include - #include + include + include + include # required for reading disk images capability dac_override, diff --git a/apparmor.d/abstractions/lightdm b/apparmor.d/abstractions/lightdm index 1e64fd25..a8ed92dd 100644 --- a/apparmor.d/abstractions/lightdm +++ b/apparmor.d/abstractions/lightdm @@ -9,13 +9,13 @@ # Requires apparmor 2.9 - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include # bug in compiz https://launchpad.net/bugs/697678 /etc/compizconfig/config rw, 
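Review bot: In the libpam-systemd hunk the new `abi` line is written indented while the `include` line directly after it stays at column 0, so the file now mixes two indentation styles; every other abstraction touched in this diff indents `abi` and `include` the same way. Minor, but aligning them (both indented, as in the neighbouring files) keeps the set readable and diff-friendly. The dbus rule following it is unchanged and continues outside the hunk.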
diff --git a/apparmor.d/abstractions/lightdm_chromium-browser b/apparmor.d/abstractions/lightdm_chromium-browser index c8d6e6e6..0547de06 100644 --- a/apparmor.d/abstractions/lightdm_chromium-browser +++ b/apparmor.d/abstractions/lightdm_chromium-browser @@ -31,7 +31,7 @@ profile chromium { # Allow all the same accesses as other applications in the guest session - #include + include # but also allow a few things because of chromium-browser's sandboxing that # are not appropriate to other guest session applications. diff --git a/apparmor.d/abstractions/likewise b/apparmor.d/abstractions/likewise index 7482842a..3cf9c92c 100644 --- a/apparmor.d/abstractions/likewise +++ b/apparmor.d/abstractions/likewise @@ -9,5 +9,10 @@ # # ------------------------------------------------------------------ + abi , + /tmp/.lwidentity/pipe rw, /var/lib/likewise-open/lwidentity_privileged/pipe rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/mdns b/apparmor.d/abstractions/mdns index 14c31b8c..0e4a5dc0 100644 --- a/apparmor.d/abstractions/mdns +++ b/apparmor.d/abstractions/mdns @@ -8,7 +8,12 @@ # # ------------------------------------------------------------------ + abi , + # mdnsd /etc/mdns.allow r, /etc/nss_mdns.conf r, - /{,var/}run/mdnsd w, + @{run}/mdnsd w, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/mesa b/apparmor.d/abstractions/mesa index be699c77..01609ff9 100644 --- a/apparmor.d/abstractions/mesa +++ b/apparmor.d/abstractions/mesa @@ -1,6 +1,8 @@ # vim:syntax=apparmor # Rules for Mesa implementation of the OpenGL API + abi , + # System files /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() @@ -15,3 +17,6 @@ owner @{HOME}/.cache/mesa_shader_cache/??/ w, owner @{HOME}/.cache/mesa_shader_cache/??/* rwk, + + # Include additions to the abstraction + include if exists 
diff --git a/apparmor.d/abstractions/mesa-cache-write b/apparmor.d/abstractions/mesa-cache-write index 80f8850a..ae016a0f 100644 --- a/apparmor.d/abstractions/mesa-cache-write +++ b/apparmor.d/abstractions/mesa-cache-write @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , # System files /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() diff --git a/apparmor.d/abstractions/mir b/apparmor.d/abstractions/mir index 16c57ec3..4ccc22ee 100644 --- a/apparmor.d/abstractions/mir +++ b/apparmor.d/abstractions/mir @@ -9,9 +9,14 @@ # # ------------------------------------------------------------------ + abi , + # mir libraries sometimes do not have a lib prefix # see LP: #1422521 /usr/lib/@{multiarch}/mir/*.so* mr, /usr/lib/@{multiarch}/mir/**/*.so* mr, # unprivileged mir socket for clients + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/mozc b/apparmor.d/abstractions/mozc index f736bc26..e7480c2e 100644 --- a/apparmor.d/abstractions/mozc +++ b/apparmor.d/abstractions/mozc @@ -9,4 +9,9 @@ # # ------------------------------------------------------------------ + abi , + unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/mysql b/apparmor.d/abstractions/mysql index fed759bb..4feccb44 100644 --- a/apparmor.d/abstractions/mysql +++ b/apparmor.d/abstractions/mysql @@ -9,7 +9,12 @@ # # ------------------------------------------------------------------ + abi , + /var/lib/mysql{,d}/mysql{,d}.sock rw, - /{var/,}run/mysql{,d}/mysql{,d}.sock rw, + @{run}/mysql{,d}/mysql{,d}.sock rw, /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r, /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r, + + # Include additions to the abstraction + include if exists 
diff --git a/apparmor.d/abstractions/nameservice b/apparmor.d/abstractions/nameservice index a78a874d..a4a6152b 100644 --- a/apparmor.d/abstractions/nameservice +++ b/apparmor.d/abstractions/nameservice @@ -9,31 +9,28 @@ # # ------------------------------------------------------------------ + abi , + # Many programs wish to perform nameservice-like operations, such as # looking up users by name or id, groups by name or id, hosts by name # or IP, etc. These operations may be performed through files, dns, # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. - /etc/group r, - /etc/host.conf r, - /etc/hosts r, - /etc/nsswitch.conf r, - /etc/gai.conf r, - /etc/passwd r, - /etc/protocols r, + @{etc_ro}/group r, + @{etc_ro}/host.conf r, + @{etc_ro}/hosts r, + @{etc_ro}/nsswitch.conf r, + @{etc_ro}/gai.conf r, + @{etc_ro}/passwd r, + @{etc_ro}/protocols r, # libtirpc (used for NIS/YP login) needs this - /etc/netconfig r, + @{etc_ro}/netconfig r, # When using libnss-extrausers, the passwd and group files are merged from # an alternate path /var/lib/extrausers/group r, /var/lib/extrausers/passwd r, - # NSS records from systemd-userdbd.service - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r, - @{PROC}/sys/kernel/random/boot_id r, - # When using sssd, the passwd and group files are stored in an alternate path # and the nss plugin also needs to talk to a pipe /var/lib/sss/mc/group r, 
@@ -41,56 +38,68 @@ /var/lib/sss/mc/passwd r, /var/lib/sss/pipes/nss rw, - /etc/resolv.conf r, + @{etc_ro}/resolv.conf r, # On systems where /etc/resolv.conf is managed programmatically, it is - # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf. - /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r, - /etc/resolvconf/run/resolv.conf r, - /{,var/}run/systemd/resolve/stub-resolv.conf r, + # a symlink to @{run}/(whatever program is managing it)/resolv.conf. + @{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r, + @{etc_ro}/resolvconf/run/resolv.conf r, + @{run}/systemd/resolve/stub-resolv.conf r, - /etc/samba/lmhosts r, - /etc/services r, + @{etc_ro}/samba/lmhosts r, + @{etc_ro}/services r, # db backend /var/lib/misc/*.db r, # The Name Service Cache Daemon can cache lookups, sometimes leading # to vast speed increases when working with network-based lookups. - /{,var/}run/.nscd_socket rw, - /{,var/}run/nscd/socket rw, + @{run}/.nscd_socket rw, + @{run}/nscd/socket rw, /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r, # nscd renames and unlinks files in it's operation that clients will # have open - /{,var/}run/nscd/db* rmix, + @{run}/nscd/db* rmix, # The nss libraries are sometimes used in addition to PAM; make sure # they are available /{usr/,}lib{,32,64}/libnss_*.so* mr, /{usr/,}lib/@{multiarch}/libnss_*.so* mr, - /etc/default/nss r, + @{etc_ro}/default/nss r, # avahi-daemon is used for mdns4 resolution - /{,var/}run/avahi-daemon/socket rw, + @{run}/avahi-daemon/socket rw, # libnl-3-200 via libnss-gw-name @{PROC}/@{pid}/net/psched r, - /etc/libnl-*/classid r, + @{etc_ro}/libnl-*/classid r, # nis - #include + include # ldap - #include + include # winbind - #include + include # likewise - #include + include # mdnsd - #include + include # kerberos - #include + include + + #libnss-systemd + include + + # Also allow lookups for systemd-exec's DynamicUsers 
via D-Bus + # https://www.freedesktop.org/software/systemd/man/systemd.exec.html + dbus send + bus=system + path="/org/freedesktop/systemd1" + interface="org.freedesktop.systemd1.Manager" + member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}" + peer=(name="org.freedesktop.systemd1"), # TCP/UDP network access network inet stream, @@ -104,3 +113,6 @@ # interface details @{PROC}/@{pid}/net/route r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index 33325717..e1a9e708 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , /etc/hosts r, /etc/host.conf r, diff --git a/apparmor.d/abstractions/nis b/apparmor.d/abstractions/nis index 690e6796..1aea3f14 100644 --- a/apparmor.d/abstractions/nis +++ b/apparmor.d/abstractions/nis @@ -8,8 +8,13 @@ # # ------------------------------------------------------------------ + abi , + # NIS rules /var/yp/binding/* r, # portmapper may ask root processes to do nis/ldap at low ports capability net_bind_service, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/nss-systemd b/apparmor.d/abstractions/nss-systemd new file mode 100644 index 00000000..6ff17bc7 --- /dev/null +++ b/apparmor.d/abstractions/nss-systemd 
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi ,
+
+# libnss-systemd
+ #
+ # https://systemd.io/USER_GROUP_API/
+ # https://systemd.io/USER_RECORD/
+ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html
+ #
+ # Allow User/Group lookups via common VarLink socket APIs. Applications need
+ # to either consult all of them or the io.systemd.Multiplexer frontend.
+ @{run}/systemd/userdb/ r,
+ @{run}/systemd/userdb/io.systemd.Multiplexer rw,
+ @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
+ @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
+ @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
+
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists
diff --git a/apparmor.d/abstractions/nvidia b/apparmor.d/abstractions/nvidia
index b01ef8b5..b2d475f1 100644
--- a/apparmor.d/abstractions/nvidia
+++ b/apparmor.d/abstractions/nvidia
@@ -1,6 +1,8 @@
 # vim:syntax=apparmor
 # nvidia access requirements
-
+
+ abi ,
+
 # configuration queries
 capability ipc_lock,
@@ -26,3 +28,6 @@
 owner @{HOME}/.nv/GLCache/** rwk,
 unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
+
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/abstractions/opencl b/apparmor.d/abstractions/opencl
index 32a21b2a..58b35323 100644
--- a/apparmor.d/abstractions/opencl
+++ b/apparmor.d/abstractions/opencl
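Review bot: The four `io.systemd.*` userdb sockets receive `rw` in the new nss-systemd abstraction, whereas the inline rules it replaces in nameservice (removed in an earlier hunk of this diff) granted only `r`; the widening looks deliberate, since a client must open a filesystem-bound socket for write to connect, but it now applies to every profile that includes nameservice and the commit message does not mention it. A short comment above the rules, e.g. `# connect() to these varlink sockets is mediated as write access`, would record why `rw` is needed. The copyright header pasted into this 2020 file names Novell/SUSE 2002-2009 and Canonical 2009-2011; unless the text is taken verbatim from a file carrying that notice, it should reflect the actual origin.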
@@ -1,9 +1,15 @@ # vim:syntax=apparmor + + abi , + # OpenCL access requirements # TODO: use conditionals to select allowed implementations - #include - #include - #include - #include + include + include + include + include + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/opencl-common b/apparmor.d/abstractions/opencl-common index 0ad3d559..a80b4ba2 100644 --- a/apparmor.d/abstractions/opencl-common +++ b/apparmor.d/abstractions/opencl-common @@ -1,4 +1,7 @@ # vim:syntax=apparmor + + abi , + # implementation-independent OpenCL access requirements # System files @@ -8,3 +11,6 @@ @{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so @{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/opencl-intel b/apparmor.d/abstractions/opencl-intel index 353eeca2..4d047233 100644 --- a/apparmor.d/abstractions/opencl-intel +++ b/apparmor.d/abstractions/opencl-intel @@ -1,13 +1,16 @@ # vim:syntax=apparmor + + abi , + # OpenCL access requirements for Intel implementation - #include + include # for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay()) - #include + include # for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so - #include + include # System files @@ -15,3 +18,6 @@ @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?) /usr/lib/@{multiarch}/beignet/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/opencl-mesa b/apparmor.d/abstractions/opencl-mesa index 9d7f82b2..a5cada61 100644 --- a/apparmor.d/abstractions/opencl-mesa +++ b/apparmor.d/abstractions/opencl-mesa @@ -1,7 +1,10 @@ # vim:syntax=apparmor + + abi , + # OpenCL access requirements for Mesa implementation - #include + include # Additional libraries 
@@ -18,3 +21,6 @@ owner @{HOME}/.cache/mesa_shader_cache/{,**} rw, # libMesaOpenCL.so -> pipe_nouveau.so + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/opencl-nvidia b/apparmor.d/abstractions/opencl-nvidia index 8a4764ec..bbd432b1 100644 --- a/apparmor.d/abstractions/opencl-nvidia +++ b/apparmor.d/abstractions/opencl-nvidia @@ -1,8 +1,11 @@ # vim:syntax=apparmor + + abi , + # OpenCL access requirements for NVIDIA implementation - #include - #include + include + include # Executables @@ -28,3 +31,6 @@ owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/opencl-pocl b/apparmor.d/abstractions/opencl-pocl index 054689ab..8b93b0dc 100644 --- a/apparmor.d/abstractions/opencl-pocl +++ b/apparmor.d/abstractions/opencl-pocl @@ -1,7 +1,9 @@ # vim:syntax=apparmor # OpenCL access requirements for POCL implementation - #include + abi , + + include # Executables @@ -28,7 +30,7 @@ @{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so @{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so /usr/share/pocl/** r, - /{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so + @{run}/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so # User files @@ -41,7 +43,7 @@ # Child profiles profile opencl_pocl_ld { - #include + include # Main executables @@ -54,7 +56,7 @@ } profile opencl_pocl_clang { - #include + include # Main executables @@ -74,3 +76,6 @@ owner @{HOME}/.cache/pocl/kcache/*/*/*/*/*.so{,.o} rw, } + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/openssl b/apparmor.d/abstractions/openssl index 697da7ae..7dec53bf 100644 --- a/apparmor.d/abstractions/openssl +++ b/apparmor.d/abstractions/openssl 
@@ -8,7 +8,12 @@ # # ------------------------------------------------------------------ + abi , + /etc/ssl/openssl.cnf r, /usr/share/ssl/openssl.cnf r, @{PROC}/sys/crypto/fips_enabled r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/orbit2 b/apparmor.d/abstractions/orbit2 index b8df9df6..6e27461f 100644 --- a/apparmor.d/abstractions/orbit2 +++ b/apparmor.d/abstractions/orbit2 @@ -1,5 +1,10 @@ # vim:syntax=apparmor # orbit2 permissions + abi , + # system library /usr/lib/orbit-2.0/*.so mr, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/p11-kit b/apparmor.d/abstractions/p11-kit index 84b7b11d..29696815 100644 --- a/apparmor.d/abstractions/p11-kit +++ b/apparmor.d/abstractions/p11-kit @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + /etc/pkcs11/ r, /etc/pkcs11/pkcs11.conf r, /etc/pkcs11/modules/ r, @@ -20,8 +22,11 @@ /usr/share/p11-kit/modules/* r, # gnome-keyring pkcs11 module - owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw, + owner @{run}/user/[0-9]*/keyring*/pkcs11 rw, # p11-kit also supports reading user configuration from ~/.pkcs11 depending # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be # included in this abstraction. + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/perl b/apparmor.d/abstractions/perl index 0e20aeb5..39718535 100644 --- a/apparmor.d/abstractions/perl +++ b/apparmor.d/abstractions/perl @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # a few files typically required for perl scripts /usr/bin/perl rmix, /usr/bin/perl[0-9].[0-9].[0-9] rmix, @@ -21,3 +23,6 @@ /usr/share/perl/** r, /usr/share/perl5/** r, /etc/perl/** r, + + # Include additions to the abstraction + include if exists 
diff --git a/apparmor.d/abstractions/php b/apparmor.d/abstractions/php
index 4aba2415..cd3172d4 100644
--- a/apparmor.d/abstractions/php
+++ b/apparmor.d/abstractions/php
@@ -10,6 +10,8 @@
 #
 # ------------------------------------------------------------------
+ abi ,
+
 # shared snippets for config files
 /etc/php{,5,7}/**/ r,
 /etc/php{,5,7}/**.ini r,
@@ -37,3 +39,6 @@
 # Zend opcache
 /tmp/.ZendSem.* rwlk,
+
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/abstractions/php-worker b/apparmor.d/abstractions/php-worker
new file mode 100644
index 00000000..a476e407
--- /dev/null
+++ b/apparmor.d/abstractions/php-worker
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+
+# This file contains basic permissions for php-fpm workers
+
+ abi ,
+
+ # load common libraries and their support files
+ include
+ # common php files and support files that php needs
+ include
+
+ signal (receive) peer=php-fpm,
+
+ # This is some php opcaching file
+ /tmp/.ZendSem.* rwk,
+
+ # I think this is adaptive memory management
+ /sys/devices/system/node/* r,
+ /sys/devices/system/node/*/meminfo r,
+ /sys/devices/system/node/ r,
+
+ include if exists
diff --git a/apparmor.d/abstractions/php5 b/apparmor.d/abstractions/php5
index 9f5355f9..25f8001e 100644
--- a/apparmor.d/abstractions/php5
+++ b/apparmor.d/abstractions/php5
@@ -1,3 +1,8 @@
 #backwards compatibility include, actual abstraction moved from php5 to php
-#include
+ abi ,
+
+ include
+
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/abstractions/postfix-common b/apparmor.d/abstractions/postfix-common
index b10f888f..c45fe811 100644
--- a/apparmor.d/abstractions/postfix-common
+++ b/apparmor.d/abstractions/postfix-common
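Review bot: The new php-worker abstraction hard-codes `/sys/devices/system/node/` while the other abstractions in this tree (opencl-common in this same diff) reach the same paths through the `@{sys}` tunable; for consistency, and so the rules follow the tunable wherever sysfs is mounted, use `@{sys}/devices/system/node/ r,`, `@{sys}/devices/system/node/* r,` and `@{sys}/devices/system/node/*/meminfo r,`. The two hedged comments, `# This is some php opcaching file` and `# I think this is adaptive memory management`, should state what the rule grants rather than a guess: the php abstraction in this diff already labels `/tmp/.ZendSem.*` as `# Zend opcache`, and the sysfs lines can be described as `# NUMA node and memory info under sysfs`. Note also that `signal (receive) peer=php-fpm,` relies on the php-fpm profile being loaded under exactly that name, which this chunk does not show.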
@@ -11,16 +11,16 @@ # ------------------------------------------------------------------ # used with postfix/* + abi , + capability setuid, capability setgid, capability sys_chroot, # postfix's master can send us signals - signal receive peer=/usr/lib/postfix/master, signal receive peer=postfix-master, - unix (send, receive) peer=(label=/usr/lib/postfix/master), unix (send, receive) peer=(label=postfix-master), /etc/mailname r, @@ -37,3 +37,8 @@ /var/spool/postfix/etc/* r, /var/spool/postfix/lib/lib*.so* mr, /var/spool/postfix/lib/@{multiarch}/lib*.so* mr, + + /etc/postfix/dynamicmaps.cf.d/ r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/private-files b/apparmor.d/abstractions/private-files index 09f6d9bd..5f050417 100644 --- a/apparmor.d/abstractions/private-files +++ b/apparmor.d/abstractions/private-files @@ -2,6 +2,8 @@ # privacy-violations contains rules for common files that you want to # explicitly deny access + abi , + # privacy violations (don't audit files under $HOME otherwise get a # lot of false positives when reading contents of directories) deny @{HOME}/.*history mrwkl, @@ -45,3 +47,6 @@ deny @{HOME}/.zshenv mrk, audit deny @{HOME}/.zshenv wl, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/private-files-strict b/apparmor.d/abstractions/private-files-strict index 31934318..f732bec8 100644 --- a/apparmor.d/abstractions/private-files-strict +++ b/apparmor.d/abstractions/private-files-strict @@ -2,7 +2,9 @@ # privacy-violations-strict contains additional rules for sensitive # files that you want to explicitly deny access - #include + abi , + + include # potentially extremely sensitive files audit deny @{HOME}/.aws/{,**} mrwkl, 
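Review bot: Dropping `signal receive peer=/usr/lib/postfix/master,` and `unix (send, receive) peer=(label=/usr/lib/postfix/master),` from postfix-common assumes the master profile is loaded under the name `postfix-master` everywhere this abstraction is used; a master profile still attached by path keeps that path as its label, and its signals and unix messages to the other postfix profiles would then be denied. The rename of the master profile is not visible in this chunk, so please confirm it is part of the same change set, or keep both peer forms until it is. The added `/etc/postfix/dynamicmaps.cf.d/ r,` is a directory-only read and looks fine.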
@@ -12,7 +14,7 @@
 audit deny @{HOME}/.gnome2/ w,
 audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
 # don't allow access to any gnome-keyring modules
- audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
+ audit deny @{run}/user/[0-9]*/keyring** mrwkl,
 audit deny @{HOME}/.mozilla/{,**} mrwkl,
 audit deny @{HOME}/.config/ w,
 audit deny @{HOME}/.config/chromium/{,**} mrwkl,
@@ -23,3 +25,6 @@
 audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
 audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
+
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/abstractions/python b/apparmor.d/abstractions/python
index 6c81af84..11a4e997 100644
--- a/apparmor.d/abstractions/python
+++ b/apparmor.d/abstractions/python
@@ -10,6 +10,8 @@
 #
 # ------------------------------------------------------------------
+ abi ,
+
 /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
 /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
 /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
@@ -37,5 +39,5 @@
 # python build configuration and headers
 /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
- # Silencer
- deny /usr/lib{,32,64}/python*/** w,
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/abstractions/qt5 b/apparmor.d/abstractions/qt5
index 66a574bf..83dc00c4 100644
--- a/apparmor.d/abstractions/qt5
+++ b/apparmor.d/abstractions/qt5
@@ -1,6 +1,8 @@
 # vim:syntax=apparmor
 # Common rules for Qt5-based applications
+ abi ,
+
 # Additional libraries
 /usr/lib{,64,/@{multiarch}}/qt5/plugins/**.so mr,
@@ -20,3 +22,6 @@
 owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
 owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins
+
+ # Include additions to the abstraction
+ include if exists
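Review bot: The python abstraction loses `# Silencer` / `deny /usr/lib{,32,64}/python*/** w,` with nothing taking its place, and the commit message, which otherwise describes a syntax migration, does not explain the removal. That deny both prevented any profile including this abstraction from writing into the system Python tree even where another rule grants `w`, and kept those rejections out of the audit log; after this change a broad write rule elsewhere in a profile silently becomes effective for `/usr/lib/python*`. If the intent is to match an upstream abstraction that has no such deny, say so in the message; otherwise keep the rule, or move it into the abstraction's local include so the policy is unchanged.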
diff --git a/apparmor.d/abstractions/qt5-compose-cache-write b/apparmor.d/abstractions/qt5-compose-cache-write index 38cb2348..5322ea03 100644 --- a/apparmor.d/abstractions/qt5-compose-cache-write +++ b/apparmor.d/abstractions/qt5-compose-cache-write @@ -1,8 +1,13 @@ # vim:syntax=apparmor # Allow writing cache for Qt5 "platforminputcontexts" plugins + abi , + # User files owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9], owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory) + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/qt5-settings-write b/apparmor.d/abstractions/qt5-settings-write index 07d10972..327390ac 100644 --- a/apparmor.d/abstractions/qt5-settings-write +++ b/apparmor.d/abstractions/qt5-settings-write @@ -1,6 +1,8 @@ # vim:syntax=apparmor # Allow writing shared settings for Qt-based applications + abi , + # User files owner @{HOME}/.config/#[0-9]*[0-9] rw, @@ -9,3 +11,6 @@ owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], owner @{HOME}/.config/QtProject.conf.lock rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/recent-documents-write b/apparmor.d/abstractions/recent-documents-write index 320ec943..02962e4c 100644 --- a/apparmor.d/abstractions/recent-documents-write +++ b/apparmor.d/abstractions/recent-documents-write @@ -1,10 +1,15 @@ # vim:syntax=apparmor # Allow updating recent documents + abi , + # User files owner @{HOME}/.local/share/RecentDocuments/ rw, owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw, - owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> /home/*/.local/share/RecentDocuments/#[0-9]*, + owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*, owner @{HOME}/.local/share/RecentDocuments/*.lock rwk, + + # Include additions to the abstraction + include if exists 
diff --git a/apparmor.d/abstractions/ruby b/apparmor.d/abstractions/ruby index ff4ac9fa..a71a2043 100644 --- a/apparmor.d/abstractions/ruby +++ b/apparmor.d/abstractions/ruby @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/ r, /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/**.rb r, /usr/lib{,32,64}/ruby/1.[89]{.[0-9],}/*-linux/**.so mr, @@ -19,3 +21,6 @@ /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/ r, /usr/lib{,32,64}/ruby/gems/1.[89]{.[0-9],}/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/samba b/apparmor.d/abstractions/samba index 1cab7309..c6601abd 100644 --- a/apparmor.d/abstractions/samba +++ b/apparmor.d/abstractions/samba @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + /etc/samba/* r, /usr/lib*/ldb/*.so mr, /usr/lib*/samba/ldb/*.so mr, @@ -20,8 +22,15 @@ /var/log/samba/cores/ rw, /var/log/samba/cores/** rw, /var/log/samba/* w, - /{,var/}run/samba/ w, - /{,var/}run/samba/*.tdb rw, + @{run}/samba/ w, + @{run}/samba/*.tdb rw, + @{run}/samba/msg.lock/ rwk, + @{run}/samba/msg.lock/[0-9]* rwk, + /var/cache/samba/msg.lock/ rwk, + /var/cache/samba/msg.lock/[0-9]* rwk, # required for clustering /var/lib/ctdb/** rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/smbpass b/apparmor.d/abstractions/smbpass index eb4cf26b..89534d46 100644 --- a/apparmor.d/abstractions/smbpass +++ b/apparmor.d/abstractions/smbpass @@ -9,5 +9,10 @@ # # ------------------------------------------------------------------ + abi , + # libpam-smbpass/pam_smbpass.so permissions /var/lib/samba/*.[lt]db rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ssl_certs b/apparmor.d/abstractions/ssl_certs index 789efc58..bf6ae67c 100644 --- a/apparmor.d/abstractions/ssl_certs +++ b/apparmor.d/abstractions/ssl_certs 
@@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + /etc/ssl/ r, /etc/ssl/certs/ r, /etc/ssl/certs/* r, @@ -42,3 +44,6 @@ /etc/certbot/archive/*/cert*.pem r, /etc/certbot/archive/*/chain*.pem r, /etc/certbot/archive/*/fullchain*.pem r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ssl_keys b/apparmor.d/abstractions/ssl_keys index 2de760b5..f310bb5a 100644 --- a/apparmor.d/abstractions/ssl_keys +++ b/apparmor.d/abstractions/ssl_keys @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # private ssl permissions # Just include the whole /etc/ssl directory if we should have access to @@ -28,3 +30,6 @@ /etc/letsencrypt/archive/*/privkey*.pem r, /etc/certbot/archive/*/privkey*.pem r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/svn-repositories b/apparmor.d/abstractions/svn-repositories index 68ac5e0b..d518f1d0 100644 --- a/apparmor.d/abstractions/svn-repositories +++ b/apparmor.d/abstractions/svn-repositories @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + # This little snippet should abstract the read/write access to a repository. # it is intended to be included in profiles for svnserve/apache2 and maybe # some repository viewers like trac/viewvc @@ -50,3 +52,6 @@ /tmp/apr* rwl, /var/tmp/apr* rwl, /tmp/report*.tmp rwl, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/systemd-common b/apparmor.d/abstractions/systemd-common index 34567570..b29ff184 100644 --- a/apparmor.d/abstractions/systemd-common +++ b/apparmor.d/abstractions/systemd-common 
@@ -9,13 +9,14 @@ # # ------------------------------------------------------------------ - #abi , + abi , ptrace (read), owner @{PROC}/@{pid}/stat r, @{PROC}/1/environ r, @{PROC}/1/sched r, + @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read index 74109b10..68c89d23 100644 --- a/apparmor.d/abstractions/thumbnails-cache-read +++ b/apparmor.d/abstractions/thumbnails-cache-read @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , owner @{HOME}/.cache/thumbnails/ r, owner @{HOME}/.cache/thumbnails/{large,normal}/ r, diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index fdd16f20..85c4cc23 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , owner @{HOME}/.cache/thumbnails/ rw, owner @{HOME}/.cache/thumbnails/{large,normal}/ rw, diff --git a/apparmor.d/abstractions/tor b/apparmor.d/abstractions/tor index f2fe3c4e..eb375573 100644 --- a/apparmor.d/abstractions/tor +++ b/apparmor.d/abstractions/tor @@ -1,8 +1,8 @@ # vim:syntax=apparmor - #include - #include - #include + include + include + include network tcp, network udp, diff --git a/apparmor.d/abstractions/totem b/apparmor.d/abstractions/totem index e8b82a83..a1ebac2a 100644 --- a/apparmor.d/abstractions/totem +++ b/apparmor.d/abstractions/totem @@ -15,10 +15,10 @@ # While ideally we would narrow down our read access to the above, this is # a maintenance problem and doesn't work for files without extensions. - #include - #include - #include - #include + include + include + include + include # Allow read on all directories /**/ r, 
diff --git a/apparmor.d/abstractions/trash b/apparmor.d/abstractions/trash index 4b686ce9..3c2a0d1e 100644 --- a/apparmor.d/abstractions/trash +++ b/apparmor.d/abstractions/trash @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , owner @{HOME}/.config/trashrc rw, owner @{HOME}/.config/trashrc.lock rwk, diff --git a/apparmor.d/abstractions/ubuntu-bittorrent-clients b/apparmor.d/abstractions/ubuntu-bittorrent-clients index fb820c5a..0d929ad6 100644 --- a/apparmor.d/abstractions/ubuntu-bittorrent-clients +++ b/apparmor.d/abstractions/ubuntu-bittorrent-clients @@ -2,9 +2,11 @@ # # abstraction for allowing graphical bittorrent clients in Ubuntu # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/azureus Cxr -> sanitized_helper, /usr/bin/bitstormlite Cxr -> sanitized_helper, @@ -15,3 +17,6 @@ /usr/bin/ktorrent Cxr -> sanitized_helper, /usr/bin/qbittorrent Cxr -> sanitized_helper, /usr/bin/transmission{,-gtk,-qt,-cli} Cxr -> sanitized_helper, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-browsers b/apparmor.d/abstractions/ubuntu-browsers index d4438ad6..c2c710a1 100644 --- a/apparmor.d/abstractions/ubuntu-browsers +++ b/apparmor.d/abstractions/ubuntu-browsers 
@@ -2,25 +2,23 @@
 #
 # abstraction for allowing access to graphical browsers in Ubuntu
 #
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include
+# include
+
+ abi ,
 /usr/bin/arora Cx -> sanitized_helper,
- /usr/bin/conkeror Cx -> sanitized_helper,
 /usr/bin/dillo Cx -> sanitized_helper,
 /usr/bin/Dooble Cx -> sanitized_helper,
 /usr/bin/epiphany Cx -> sanitized_helper,
 /usr/bin/epiphany-browser Cx -> sanitized_helper,
 /usr/bin/epiphany-webkit Cx -> sanitized_helper,
 /usr/lib/fennec-*/fennec Cx -> sanitized_helper,
- /usr/bin/galeon Cx -> sanitized_helper,
 /usr/bin/kazehakase Cx -> sanitized_helper,
 /usr/bin/konqueror Cx -> sanitized_helper,
 /usr/bin/midori Cx -> sanitized_helper,
 /usr/bin/netsurf Cx -> sanitized_helper,
- /usr/bin/prism Cx -> sanitized_helper,
- /usr/bin/rekonq Cx -> sanitized_helper,
 /usr/bin/seamonkey Cx -> sanitized_helper,
 /usr/bin/sensible-browser Pixr,
@@ -40,3 +38,4 @@
 /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
 /usr/bin/opera Cx -> sanitized_helper,
 /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser b/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
new file mode 100644
index 00000000..95724f1a
--- /dev/null
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
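Review bot: The Brave rule added in the second hunk expands `{,-beta,-dev,-nightly}` once on the directory and once again on the binary name, so it also matches mixed-channel paths such as `/opt/brave.com/brave/brave-browser-nightly` that a single-channel install would not normally contain; AppArmor globbing has no way to tie the two alternations together, and the Chrome rule on the line above has the same shape. If that is accepted, a short comment saves the next reader the check: `# channel suffix is repeated because globs cannot back-reference`. The matching `sanitized_helper` rules in the ubuntu-helpers hunk of this commit use the same pattern and would carry the same comment.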
@@ -0,0 +1,26 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# Author: Jamie Strandboge + +# For site-specific adjustments, please see: +# /etc/apparmor.d/local/chromium-browser + +abi , + +include +include +include +include +include +include +include +include +include diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/java b/apparmor.d/abstractions/ubuntu-browsers.d/java index e0a67cf3..ae93c755 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/java +++ b/apparmor.d/abstractions/ubuntu-browsers.d/java @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # Java plugin owner @{HOME}/.java/deployment/deployment.properties k, /etc/java-*/ r, @@ -18,14 +20,14 @@ # unfortunate workarounds of the proprietary Javas, so have a separate # profile. profile browser_openjdk { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include network inet stream, network inet6 stream, @@ -64,14 +66,14 @@ # Profile for commercial Javas. These need workarounds to work right (eg # Sun's forcing of an executable stack (LP: #535247)). profile browser_java { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/kde b/apparmor.d/abstractions/ubuntu-browsers.d/kde index 038952a8..bdac331e 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/kde +++ b/apparmor.d/abstractions/ubuntu-browsers.d/kde 
@@ -1,7 +1,9 @@ # vim:syntax=apparmor -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include - #include + abi , + + include /usr/bin/kde4-config Cx -> sanitized_helper, diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/mailto b/apparmor.d/abstractions/ubuntu-browsers.d/mailto index 40236a7b..8d157098 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/mailto +++ b/apparmor.d/abstractions/ubuntu-browsers.d/mailto @@ -1,9 +1,11 @@ # vim:syntax=apparmor + abi , + # for mailto: - #include - #include + include + include # Terminals for using console applications. These abstractions should ideally # have 'ix' to restrct access to what only firefox is allowed to do - #include + include diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/multimedia b/apparmor.d/abstractions/ubuntu-browsers.d/multimedia index 591d6b85..f2eb23ef 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/multimedia +++ b/apparmor.d/abstractions/ubuntu-browsers.d/multimedia @@ -1,9 +1,11 @@ # vim:syntax=apparmor -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include - #include + abi , + + include # Pulseaudio /usr/bin/pulseaudio Pixr, @@ -13,10 +15,9 @@ /usr/bin/gimp* Cxr -> sanitized_helper, /usr/bin/shotwell Cxr -> sanitized_helper, /usr/bin/digikam Cxr -> sanitized_helper, - /usr/bin/f-spot Cxr -> sanitized_helper, /usr/bin/gwenview Cxr -> sanitized_helper, - #include + include owner @{HOME}/.adobe/ w, owner @{HOME}/.adobe/** rw, owner @{HOME}/.macromedia/ w, 
@@ -25,18 +26,8 @@ /usr/bin/lpstat Cxr -> sanitized_helper, /usr/bin/lpr Cxr -> sanitized_helper, - # npviewer - /usr/lib/nspluginwrapper/i386/linux/npviewer{,.bin} ixr, - /var/lib/ r, - /var/lib/**/*.so mr, - /usr/bin/setarch ixr, - # Bittorrent clients - #include - - # Mozplugger - /etc/mozpluggerrc r, - /usr/bin/mozplugger-helper Cxr -> sanitized_helper, + include # Archivers /usr/bin/ark Cxr -> sanitized_helper, @@ -45,16 +36,10 @@ /usr/local/lib{,32,64}/*.so* mr, # News feed readers - #include - - # Googletalk - /opt/google/talkplugin/*.so mr, - /opt/google/talkplugin/lib/*.so mr, - /opt/google/talkplugin/GoogleTalkPlugin ixr, - owner @{HOME}/.config/google-googletalkplugin/** rw, + include # If we allow the above, nvidia based systems will also need this - #include + include # Virus scanners /usr/bin/clamscan Cx -> sanitized_helper, diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common b/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common index c928f92c..5d93b262 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common +++ b/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # # Plugins/helpers # @@ -13,4 +15,4 @@ # Since all the ubuntu-browsers.d abstractions need this, just include it # here - #include + include diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/productivity b/apparmor.d/abstractions/ubuntu-browsers.d/productivity index 2c898d13..1fc67a84 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/productivity +++ b/apparmor.d/abstractions/ubuntu-browsers.d/productivity @@ -1,7 +1,9 @@ # vim:syntax=apparmor -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , # Openoffice.org /usr/bin/ooffice Cxr -> sanitized_helper, 
@@ -22,7 +24,3 @@ # PDFs /usr/bin/evince Cxr -> sanitized_helper, /usr/bin/okular Cxr -> sanitized_helper, - - owner @{HOME}/.adobe/** rw, - /opt/Adobe/Reader9/bin/acroread Cxr -> sanitized_helper, - /opt/Adobe/Reader9/** r, diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/text-editors b/apparmor.d/abstractions/ubuntu-browsers.d/text-editors index bf5eb1d1..e04c6b80 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/text-editors +++ b/apparmor.d/abstractions/ubuntu-browsers.d/text-editors @@ -1,7 +1,9 @@ # vim:syntax=apparmor -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125]) /usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper, diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration index 0cd0928e..cdbd47cd 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration +++ b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration @@ -1,16 +1,15 @@ # vim:syntax=apparmor -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , # Apport /usr/bin/apport-bug Cx -> sanitized_helper, # Package installation /usr/bin/apturl Cxr -> sanitized_helper, - /usr/bin/gnome-codec-install Cxr -> sanitized_helper, - /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix, - /usr/lib/@{multiarch}/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix, /usr/share/software-center/software-center Cxr -> sanitized_helper, # Input Methods 
@@ -29,10 +28,7 @@ /usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper, # Exo-aware applications - /usr/bin/exo-open ixr, - /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr, - /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r, - /etc/xdg/xfce4/helpers.rc r, + include # unity webapps integration. Could go in its own abstraction owner /run/user/*/dconf/user rw, diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul index 0429c13f..c6a8eedd 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul +++ b/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul @@ -1,6 +1,8 @@ # vim:syntax=apparmor + abi , + # firefox-notify - #include + include /usr/bin/python2.[4567] ix, /usr/share/xul-ext/notify/**/download_complete_notify.py ix, diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/user-files b/apparmor.d/abstractions/ubuntu-browsers.d/user-files index ffe68245..e2965f01 100644 --- a/apparmor.d/abstractions/ubuntu-browsers.d/user-files +++ b/apparmor.d/abstractions/ubuntu-browsers.d/user-files @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # Allow read to all files user has DAC access to and write access to all # files owned by the user in $HOME. @{HOME}/ r, @@ -7,7 +9,7 @@ owner @{HOME}/** w, # Do not allow read and/or write to particularly sensitive/problematic files - #include + include audit deny @{HOME}/.ssh/{,**} mrwkl, audit deny @{HOME}/.gnome2_private/{,**} mrwkl, audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w, diff --git a/apparmor.d/abstractions/ubuntu-console-browsers b/apparmor.d/abstractions/ubuntu-console-browsers index 554469e7..8f6687ae 100644 --- a/apparmor.d/abstractions/ubuntu-console-browsers +++ b/apparmor.d/abstractions/ubuntu-console-browsers 
@@ -4,11 +4,13 @@ # typically also need a terminal, so when using this abstraction, should also # do something like: # -# #include +# include # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/elinks Cx -> sanitized_helper, /usr/bin/links Cx -> sanitized_helper, @@ -16,3 +18,6 @@ /usr/bin/netrik Cx -> sanitized_helper, /usr/bin/w3m Cx -> sanitized_helper, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-console-email b/apparmor.d/abstractions/ubuntu-console-email index f77c9bd6..ee741fdf 100644 --- a/apparmor.d/abstractions/ubuntu-console-email +++ b/apparmor.d/abstractions/ubuntu-console-email @@ -4,11 +4,13 @@ # typically also need a terminal, so when using this abstraction, should also # do something like: # -# #include +# include # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/alpine Cx -> sanitized_helper, /usr/bin/citadel Cx -> sanitized_helper, @@ -16,3 +18,6 @@ /usr/bin/elmo Cx -> sanitized_helper, /usr/bin/mutt Cx -> sanitized_helper, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-email b/apparmor.d/abstractions/ubuntu-email index 48e0c6f4..45f02eba 100644 --- a/apparmor.d/abstractions/ubuntu-email +++ b/apparmor.d/abstractions/ubuntu-email 
@@ -2,9 +2,11 @@ # # abstraction for allowing graphical email clients in Ubuntu # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/anjal Cx -> sanitized_helper, /usr/bin/balsa Cx -> sanitized_helper, @@ -22,3 +24,6 @@ /usr/bin/thunderbird Cx -> sanitized_helper, # used by gio-launch-desktop /usr/lib/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-feed-readers b/apparmor.d/abstractions/ubuntu-feed-readers index 85379e30..e8b89b1d 100644 --- a/apparmor.d/abstractions/ubuntu-feed-readers +++ b/apparmor.d/abstractions/ubuntu-feed-readers @@ -2,9 +2,14 @@ # # abstraction for allowing graphical news feed readers in Ubuntu # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/akregator Cxr -> sanitized_helper, /usr/bin/liferea-add-feed Cxr -> sanitized_helper, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-gnome-terminal b/apparmor.d/abstractions/ubuntu-gnome-terminal index 7604df1e..c6280b0e 100644 --- a/apparmor.d/abstractions/ubuntu-gnome-terminal +++ b/apparmor.d/abstractions/ubuntu-gnome-terminal @@ -3,8 +3,13 @@ # for allowing access to gnome-terminal # - #include + abi , + + include # do not use ux or PUx here. Use at a minimum ix /usr/bin/gnome-terminal ix, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-helpers b/apparmor.d/abstractions/ubuntu-helpers index a1ab7bc0..4b9ea96b 100644 --- a/apparmor.d/abstractions/ubuntu-helpers +++ b/apparmor.d/abstractions/ubuntu-helpers 
@@ -9,7 +9,7 @@
 #
 # Usage:
 # Because this abstraction defines the sanitized_helper profile, it must only
-# be #included once. Therefore this abstraction should typically not be
+# be included once. Therefore this abstraction should typically not be
 # included in other abstractions so as to avoid parser errors regarding
 # multiple definitions.
 #
@@ -31,17 +31,19 @@
 # Use at your own risk. This profile was developed as an interim workaround for
 # LP: #851986 until AppArmor utilizes proper environment filtering.
+ abi ,
+
 profile sanitized_helper {
- #include
- #include
+ include
+ include
 # Allow all networking
 network inet,
 network inet6,
 # Allow all DBus communications
- #include
- #include
+ include
+ include
 dbus,
 # Needed for Google Chrome
@@ -72,6 +74,12 @@ profile sanitized_helper {
 /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
 /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
+ # The same is needed for Brave
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
+
 # Full access
 / r,
 /** rwkl,
diff --git a/apparmor.d/abstractions/ubuntu-konsole b/apparmor.d/abstractions/ubuntu-konsole
index baa8fb39..4ece2bd3 100644
--- a/apparmor.d/abstractions/ubuntu-konsole
+++ b/apparmor.d/abstractions/ubuntu-konsole
@@ -3,8 +3,10 @@
 # for allowing access to konsole
 #
- #include
- #include
+ abi ,
+
+ include
+ include
 capability sys_ptrace,
 @{PROC}/@{pid}/status r,
 @{PROC}/@{pid}/stat r,
@@ -15,3 +17,6 @@
 # do not use ux or Ux here. Use at a minimum ix
 /usr/bin/konsole ix,
+
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/abstractions/ubuntu-media-players b/apparmor.d/abstractions/ubuntu-media-players
index 5918cb8c..5fa48e75 100644
--- a/apparmor.d/abstractions/ubuntu-media-players
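Review bot: `/opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,` in the third hunk lets the sandbox helper leave `sanitized_helper` and run unconfined (PUx scrubs the environment but applies no profile), which is the one transition this abstraction otherwise tries to avoid, and the only explanation given is `# The same is needed for Brave`, a pointer to the Chrome block above. The reason belongs on the rule itself, e.g. `# setuid sandbox helper cannot run inside sanitized_helper; PUx scrubs its environment`, so a reader does not have to reconstruct it from the Chrome precedent. The `Pixr` transitions for `brave` and `brave-browser` presumably fall back to inheriting `sanitized_helper` only while no dedicated profile for those paths is loaded, which is worth one sentence in the same comment. The `profile sanitized_helper {` block starts and ends outside these hunks.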
+++ b/apparmor.d/abstractions/ubuntu-media-players @@ -2,9 +2,11 @@ # # abstraction for allowing access to media players in Ubuntu # -# Users of this abstraction need to #include the ubuntu-helpers abstraction +# Users of this abstraction need to include the ubuntu-helpers abstraction # in the toplevel profile. Eg: -# #include +# include + + abi , /usr/bin/amarok Cxr -> sanitized_helper, /usr/bin/audacious2 Cxr -> sanitized_helper, @@ -58,3 +60,6 @@ /etc/gnashpluginrc r, owner @{HOME}/.gnash/ rw, owner @{HOME}/.gnash/** rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-unity7-base b/apparmor.d/abstractions/ubuntu-unity7-base index 25e88b69..6e207b28 100644 --- a/apparmor.d/abstractions/ubuntu-unity7-base +++ b/apparmor.d/abstractions/ubuntu-unity7-base @@ -9,14 +9,16 @@ # # ------------------------------------------------------------------ + abi , + # # Rules common to applications running under Unity 7 # -#include +include -#include -#include +include +include # # Access required for connecting to/communication with Unity HUD @@ -98,3 +100,6 @@ # Deny potentially dangerous access # deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-unity7-launcher b/apparmor.d/abstractions/ubuntu-unity7-launcher index 52f6cd43..eb2f070d 100644 --- a/apparmor.d/abstractions/ubuntu-unity7-launcher +++ b/apparmor.d/abstractions/ubuntu-unity7-launcher @@ -1,3 +1,5 @@ + abi , + # # Access required for connecting to/communicating with the Unity Launcher # @@ -5,3 +7,6 @@ bus=session interface="com.canonical.Unity.LauncherEntry" member="Update", + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-unity7-messaging b/apparmor.d/abstractions/ubuntu-unity7-messaging index 828592ee..21de3ff0 100644 --- a/apparmor.d/abstractions/ubuntu-unity7-messaging 
+++ b/apparmor.d/abstractions/ubuntu-unity7-messaging @@ -1,3 +1,5 @@ + abi , + # # Access required for connecting to/communicating with the Unity messaging # indicator @@ -5,3 +7,6 @@ dbus (receive, send) bus=session path="/com/canonical/indicator/messages/*", + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/ubuntu-xterm b/apparmor.d/abstractions/ubuntu-xterm index a062cc72..07eacaba 100644 --- a/apparmor.d/abstractions/ubuntu-xterm +++ b/apparmor.d/abstractions/ubuntu-xterm @@ -3,7 +3,9 @@ # for allowing access to xterm # - #include + abi , + + include /dev/ptmx rw, /{,var/}run/utmp r, /etc/X11/app-defaults/XTerm r, @@ -11,3 +13,6 @@ # do not use ux or Ux here. Use at a minimum ix /usr/bin/xterm ix, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/user-download b/apparmor.d/abstractions/user-download index ea1043a3..76540294 100644 --- a/apparmor.d/abstractions/user-download +++ b/apparmor.d/abstractions/user-download @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # Description: Where common programs should allow users to download # files @@ -22,3 +24,6 @@ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/* rwl, owner "@{HOME}/My Downloads/" r, owner "@{HOME}/My Downloads/**" rwl, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index bc2a5b74..5dd1c6d8 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , owner @{HOME}/[dD]ownload{,s}/ r, owner @{HOME}/[dD]ownload{,s}/** rwl, diff --git a/apparmor.d/abstractions/user-mail b/apparmor.d/abstractions/user-mail index b799ffca..4156dfaa 100644 --- a/apparmor.d/abstractions/user-mail 
+++ b/apparmor.d/abstractions/user-mail @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # location of user mail, spool and mboxes owner @{HOME}/[mM]ail/ r, owner @{HOME}/[mM]ail/** rwl, @@ -21,3 +23,6 @@ owner @{HOME}/.forward r, owner @{HOME}/Maildir/ r, owner @{HOME}/Maildir/** rwl, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/user-manpages b/apparmor.d/abstractions/user-manpages index b7cc0cb8..3178a4d6 100644 --- a/apparmor.d/abstractions/user-manpages +++ b/apparmor.d/abstractions/user-manpages @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + # perhaps your configuration has users elsewhere, or you don't wish # them to read their own manpages owner @{HOME}/man/ r, @@ -22,3 +24,6 @@ /usr/local/share/man/man?/** r, /usr/{share,X11R6,local,kerberos}/man/** r, /usr/man/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/user-tmp b/apparmor.d/abstractions/user-tmp index 63993d60..6d651c5d 100644 --- a/apparmor.d/abstractions/user-tmp +++ b/apparmor.d/abstractions/user-tmp @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # per-user tmp directories owner @{HOME}/tmp/** rwkl, owner @{HOME}/tmp/ rw, @@ -18,3 +20,6 @@ /var/tmp/ rw, owner /tmp/** rwkl, /tmp/ rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/user-write b/apparmor.d/abstractions/user-write index c6ea29bd..604b60b7 100644 --- a/apparmor.d/abstractions/user-write +++ b/apparmor.d/abstractions/user-write @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # per-user write directories owner @{HOME}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, 
@@ -19,3 +21,6 @@ owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwl, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/** rwl, owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/** rwl, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/video b/apparmor.d/abstractions/video index 00a83468..7df9a172 100644 --- a/apparmor.d/abstractions/video +++ b/apparmor.d/abstractions/video @@ -1,6 +1,11 @@ # vim:syntax=apparmor # video device access + abi , + # System devices @{sys}/class/video4linux r, @{sys}/class/video4linux/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/vlc-art-cache-write b/apparmor.d/abstractions/vlc-art-cache-write index 40a36bf3..1b5f1d04 100644 --- a/apparmor.d/abstractions/vlc-art-cache-write +++ b/apparmor.d/abstractions/vlc-art-cache-write @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , owner @{HOME}/.cache/ rw, owner @{HOME}/.cache/vlc/ rw, diff --git a/apparmor.d/abstractions/vulkan b/apparmor.d/abstractions/vulkan index 04c8ec26..479a9dcb 100644 --- a/apparmor.d/abstractions/vulkan +++ b/apparmor.d/abstractions/vulkan @@ -1,6 +1,8 @@ # vim:syntax=apparmor # Vulkan access requirements + abi , + # System files /dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa) /etc/glvnd/egl_vendor.d/{*,.json} r, @@ -18,3 +20,6 @@ # User files owner @{HOME}/.local/share/vulkan/implicit_layer.d/{,*.json} r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/wayland b/apparmor.d/abstractions/wayland index 384c7aeb..86ba0cff 100644 --- a/apparmor.d/abstractions/wayland +++ b/apparmor.d/abstractions/wayland 
@@ -10,8 +10,10 @@ # # ------------------------------------------------------------------ - #abi , + abi , - owner @{run}/user/[0-9]*/weston-shared-* rw, owner @{run}/user/[0-9]*/wayland-[0-9]* rw, owner @{run}/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/web-data b/apparmor.d/abstractions/web-data index 0baf2990..8459eee3 100644 --- a/apparmor.d/abstractions/web-data +++ b/apparmor.d/abstractions/web-data @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + /srv/www/htdocs/ r, /srv/www/htdocs/** r, # virtual hosting @@ -23,3 +25,6 @@ /var/www/html/ r, /var/www/html/** r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/winbind b/apparmor.d/abstractions/winbind index e982889e..3503e5a0 100644 --- a/apparmor.d/abstractions/winbind +++ b/apparmor.d/abstractions/winbind @@ -9,9 +9,12 @@ # # ------------------------------------------------------------------ + abi , + # pam_winbindd /tmp/.winbindd/pipe rw, - /var/{lib,run}/samba/winbindd_privileged/pipe rw, + /var/lib/samba/winbindd_privileged/pipe rw, + @{run}/samba/winbindd_privileged/pipe rw, /etc/samba/smb.conf r, /etc/samba/dhcp.conf r, /usr/lib*/samba/valid.dat r, @@ -19,3 +22,6 @@ /usr/lib*/samba/lowcase.dat r, /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/wutmp b/apparmor.d/abstractions/wutmp index d7509558..7fdf906b 100644 --- a/apparmor.d/abstractions/wutmp +++ b/apparmor.d/abstractions/wutmp 
@@ -9,8 +9,13 @@ # # ------------------------------------------------------------------ + abi , + # some services update wtmp, utmp, and lastlog with per-user # connection information /var/log/lastlog rwk, /var/log/wtmp wk, - /{,var/}run/utmp rwk, + @{run}/utmp rwk, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/xad b/apparmor.d/abstractions/xad index 54b0f40e..f5f6e720 100644 --- a/apparmor.d/abstractions/xad +++ b/apparmor.d/abstractions/xad @@ -8,6 +8,8 @@ # # ------------------------------------------------------------------ + abi , + /opt/novell/xad/lib/ r, /opt/novell/xad/lib/lib*.so* mr, /opt/novell/xad/lib/gss/*.so* mr, @@ -23,3 +25,6 @@ /var/opt/novell/nici/* r, /var/opt/novell/nici/*/ r, /var/opt/novell/nici/*/* rw, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/xdg-desktop b/apparmor.d/abstractions/xdg-desktop index bc8f6a00..9f7f4ae2 100644 --- a/apparmor.d/abstractions/xdg-desktop +++ b/apparmor.d/abstractions/xdg-desktop @@ -9,6 +9,8 @@ # # ------------------------------------------------------------------ + abi , + # Entries based on: # http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html @@ -22,3 +24,6 @@ # fallbacks /usr/share/ r, /usr/local/share/ r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/xdg-open b/apparmor.d/abstractions/xdg-open index 67da04a4..aed20710 100644 --- a/apparmor.d/abstractions/xdg-open +++ b/apparmor.d/abstractions/xdg-open @@ -1,5 +1,7 @@ # vim:syntax=apparmor + abi , + # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via xdg-open helper. xdg-open abstraction # will allow to use gio-open, kde-open5 and other helpers of the different 
@@ -16,40 +18,40 @@ # # # out-of-line child profile # profile foo//xdg-open { -# #include +# include # # # Enable a11y support if considered required by # # profile author for (rare) error message boxes. -# #include +# include # # # Enable gstreamer support if considered required by # # profile author for (rare) error message boxes. -# #include if exists +# include if exists # # # needed for ubuntu-* abstractions -# #include +# include # # # Only allow to handle http[s]: and mailto: links -# #include -# #include +# include +# include # # # < add additional allowed applications here > # } # ``` - #include + include # for openin with `exo-open` - #include + include # for opening with `gio open ` - #include + include # for opening with gvfs-open (deprecated) - #include + include # for opening with kde-open5 - ##include + include # Main executables @@ -81,4 +83,4 @@ owner @{HOME}/.local/share/applications/{,*.desktop} r, # Include additions to the abstraction - #include if exists + include if exists diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 222c714f..fc70afdc 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -9,7 +9,7 @@ # # ------------------------------------------------------------------ - #abi , + abi , /usr/share/zsh/{,**} r, /usr/local/share/zsh/{,**} r, diff --git a/apparmor.d/accounts-daemon b/apparmor.d/accounts-daemon index 5d9ef313..ddd191b6 100644 --- a/apparmor.d/accounts-daemon +++ b/apparmor.d/accounts-daemon @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon @{exec_path} += /usr/libexec/accounts-daemon profile accounts-daemon @{exec_path} { - #include - #include - #include + include + include + include # Needed? deny capability sys_nice, @@ -37,5 +37,5 @@ profile accounts-daemon @{exec_path} { /var/log/wtmp r, - #include if exists + include if exists } 
diff --git a/apparmor.d/acpi b/apparmor.d/acpi index b1bcbeb9..b1c44dec 100644 --- a/apparmor.d/acpi +++ b/apparmor.d/acpi @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/acpi profile acpi @{exec_path} flags=(complain) { - #include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile acpi @{exec_path} flags=(complain) { @{sys}/devices/virtual/thermal/{,**} r, - #include if exists + include if exists } diff --git a/apparmor.d/adduser b/apparmor.d/adduser index 17d4ecb4..aeb782ba 100644 --- a/apparmor.d/adduser +++ b/apparmor.d/adduser @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/add{user,group} profile adduser @{exec_path} { - #include - #include - #include - #include + include + include + include + include # To create a user home dir and give it proper permissions: # mkdir("/home/user", 0755) = 0 @@ -67,5 +67,5 @@ profile adduser @{exec_path} { /var/lib/lightdm/{,*} w, /var/lib/sddm/{,*} w, - #include if exists + include if exists } diff --git a/apparmor.d/adequate b/apparmor.d/adequate index 38487c67..d6bac274 100644 --- a/apparmor.d/adequate +++ b/apparmor.d/adequate @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/adequate profile adequate @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include #capability sys_tty_config, @@ -50,8 +50,8 @@ profile adequate @{exec_path} flags=(complain) { profile ldd flags=(complain) { - #include - #include + include + include /{usr/,}bin/ldd mr, 
@@ -70,10 +70,10 @@ profile adequate @{exec_path} flags=(complain) { } profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, @@ -89,10 +89,10 @@ profile adequate @{exec_path} flags=(complain) { /usr/share/debconf/templates/adequate.templates r, # The following is needed when debconf uses GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -104,11 +104,11 @@ profile adequate @{exec_path} flags=(complain) { } profile pkg-config flags=(complain) { - #include + include /{usr/,}bin/pkg-config mr, } - #include if exists + include if exists } diff --git a/apparmor.d/amarok b/apparmor.d/amarok index b65c133e..3feb7986 100644 --- a/apparmor.d/amarok +++ b/apparmor.d/amarok @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Audio extensions # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, @@ -37,22 +37,22 @@ @{exec_path} = /{usr/,}bin/amarok profile amarok @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include ptrace (trace) peer=@{profile_name}, @@ -167,8 +167,8 @@ profile amarok @{exec_path} { # To generate the crash log info in Amarok /{usr/,}bin/gdb rCx -> gdb, profile gdb { - #include - #include + include + include /{usr/,}bin/gdb mr, /usr/share/glib-2.0/gdb/{,**} r, @@ -196,5 +196,5 @@ profile amarok @{exec_path} { } - #include if exists + include if exists } 
diff --git a/apparmor.d/amixer b/apparmor.d/amixer
index a231a7d5..7d470380 100644
--- a/apparmor.d/amixer
+++ b/apparmor.d/amixer
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/amixer
 profile amixer @{exec_path} {
- #include
- #include
+ include
+ include
 @{exec_path} mr,
@@ -27,5 +27,5 @@ profile amixer @{exec_path} {
 owner @{HOME}/.config/pulse/ r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/android-studio b/apparmor.d/android-studio
index 3f5389e1..9ff29172 100644
--- a/apparmor.d/android-studio
+++ b/apparmor.d/android-studio
@@ -9,9 +9,9 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{AS_LIBDIR} = /media/*/android-studio
 @{AS_SDKDIR} = /media/*/SDK
@@ -20,20 +20,20 @@
 @{exec_path} = @{AS_LIBDIR}/bin/studio.sh
 profile android-studio @{exec_path} {
- #include
+ include
 #icnlude
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
 # to "1".
@@ -47,10 +47,16 @@ profile android-studio @{exec_path} {
 signal (send) set=(term, kill) peer=android-studio//lsb-release,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
 @{exec_path} r,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/python3.[0-9]* r,
+ /{usr/,}bin/python3.[0-9]* rix,
 /{usr/,}bin/which rix,
 /{usr/,}bin/uname rix,
@@ -202,6 +208,7 @@ profile android-studio @{exec_path} {
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 @{PROC}/partitions r,
 @{PROC}/vmstat r,
+ @{PROC}/loadavg r,
 @{sys}/fs/cgroup/*/** r,
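Review bot: The `network netlink raw,` rule added to the android-studio profile grants noticeably more than the inet/inet6 rules next to it: netlink raw sockets are the interface through which processes enumerate and reconfigure network interfaces and routes, whereas name resolution and HTTP traffic are covered by the `network inet{,6} dgram/stream` lines alone. If the rule was taken from a specific denial, a comment such as `# netlink raw: needed for <observed operation>` would let a later reviewer judge whether it can be dropped; the same uncommented rule is added to apt-listbugs and apt-methods-http in this commit. The `r` to `rix` change for `/{usr/,}bin/python3.[0-9]*` lets the interpreter run under this profile's full rule set, which is consistent with the other `rix` entries in the same hunk.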
@@ -232,7 +239,7 @@ profile android-studio @{exec_path} { profile gpg { - #include + include /{usr/,}bin/gpg mr, @@ -242,9 +249,9 @@ profile android-studio @{exec_path} { } profile lsb-release { - #include - #include - #include + include + include + include signal (receive) set=(term, kill) peer=android-studio, @@ -270,8 +277,8 @@ profile android-studio @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -297,5 +304,5 @@ profile android-studio @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/anki b/apparmor.d/anki index eec5e425..08cbb840 100644 --- a/apparmor.d/anki +++ b/apparmor.d/anki @@ -9,29 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/anki profile anki @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=anki//mpv, @@ -137,10 +137,10 @@ profile anki @{exec_path} { profile mpv { - #include - #include - #include - #include + include + include + include + include signal (receive) set=(term, kill) peer=anki, @@ -171,7 +171,7 @@ profile anki @{exec_path} { } profile lame { - #include + include /{usr/,}bin/lame mr, @@ -180,8 +180,8 @@ profile anki @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -197,5 +197,5 @@ profile anki @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/anyremote b/apparmor.d/anyremote index 28a32839..2f6e0de1 100644 --- a/apparmor.d/anyremote +++ b/apparmor.d/anyremote 
@@ -9,20 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/anyremote profile anyremote @{exec_path} { - #include - #include - #include - #include + include + include + include + include signal (receive) set=(int, term, kill), signal (send) set=(term, kill), + network inet stream, + network inet6 stream, + @{exec_path} rm, /{usr/,}bin/{,ba,da}sh rix, @@ -68,6 +71,9 @@ profile anyremote @{exec_path} { owner /tmp/amarok_covers/ rw, owner /tmp/*.png rw, + # For shell pwd + owner @{HOME}/ r, + owner @{HOME}/.anyRemote/{,**} rw, owner @{HOME}/.anyRemote/imdb-mf.sh rix, @@ -87,7 +93,7 @@ profile anyremote @{exec_path} { profile imagemagic { - #include + include /{usr/,}bin/convert-im6.q16 mr, @@ -107,8 +113,8 @@ profile anyremote @{exec_path} { } profile killall { - #include - #include + include + include capability sys_ptrace, @@ -129,8 +135,8 @@ profile anyremote @{exec_path} { } profile pgrep { - #include - #include + include + include signal (send) set=(term, kill), @@ -147,21 +153,21 @@ profile anyremote @{exec_path} { } profile curl { - #include - #include - #include - #include + include + include + include + include /{usr/,}bin/curl mr, } profile qdbus { - #include + include /{usr/,}lib/qt5/bin/qdbus mr, } - #include if exists + include if exists } diff --git a/apparmor.d/apache2.d/phpsysinfo b/apparmor.d/apache2.d/phpsysinfo index af730910..afd1ff34 100644 --- a/apparmor.d/apache2.d/phpsysinfo +++ b/apparmor.d/apache2.d/phpsysinfo @@ -1,12 +1,14 @@ # Last Modified: Fri Sep 11 13:27:22 2009 # Author: Marc Deslauriers + abi , + ^phpsysinfo { - #include - #include - #include - #include - #include + include + include + include + include + include /{,usr/}bin/dash ixr, /{,usr/}bin/df ixr, @@ -43,6 +45,6 @@ /var/lib/{misc,usbutils}/usb.ids r, /var/log/apache2/access.log w, /var/log/apache2/error.log w, - /{,var/}run/utmp rk, + @{run}/utmp rk, /usr/share/misc/pci.ids r, } 
diff --git a/apparmor.d/aplay b/apparmor.d/aplay
index c9122416..e69ac29d 100644
--- a/apparmor.d/aplay
+++ b/apparmor.d/aplay
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/aplay
 profile aplay @{exec_path} flags=(complain) {
- #include
- #include
+ include
+ include
 @{exec_path} mr,
@@ -27,5 +27,5 @@ profile aplay @{exec_path} flags=(complain) {
 owner @{HOME}/.config/pulse/ r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/appstreamcli b/apparmor.d/appstreamcli
index b28dfdf7..343433a7 100644
--- a/apparmor.d/appstreamcli
+++ b/apparmor.d/appstreamcli
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/appstreamcli
 profile appstreamcli @{exec_path} flags=(complain) {
- #include
- #include
+ include
+ include
 @{exec_path} mr,
@@ -53,14 +53,14 @@ profile appstreamcli @{exec_path} flags=(complain) {
 profile curl {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 /{usr/,}bin/curl mr,
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/apt b/apparmor.d/apt
index 0fd069ae..ce40b243 100644
--- a/apparmor.d/apt
+++ b/apparmor.d/apt
@@ -9,19 +9,19 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{BUILD_DIR} = /media/debuilder/
 @{exec_path} = /{usr/,}bin/apt
 profile apt @{exec_path} flags=(complain) {
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
 # To remove the following errors:
 # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
@@ -67,6 +67,7 @@ profile apt @{exec_path} flags=(complain) {
 # Needed? (##FIXME##)
 capability kill,
 capability fsetid,
+ capability net_admin,
 signal (send) peer=apt-methods-*,
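Review bot: `capability net_admin,` is added to the apt profile directly under the pre-existing `# Needed? (##FIXME##)` marker with no comment of its own, so it inherits that uncertainty while being far more powerful than the `kill` and `fsetid` capabilities it sits next to (net_admin covers interface, routing and firewall configuration). If it resolves a specific audit-log denial, record which one, e.g. `# net_admin: <operation from audit log>`; if the denial turned out to be harmless noise, an explicit `deny capability net_admin,` (the form accounts-daemon already uses for sys_nice) silences the log without granting anything. apt-get and aptitude receive the same uncommented line elsewhere in this commit. Since the apt profile is in complain mode, the capability would only have been logged, not blocked, before this change.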
@@ -124,8 +125,8 @@ profile apt @{exec_path} flags=(complain) { profile editor flags=(complain) { - #include - #include + include + include /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim.* mrix, @@ -146,9 +147,9 @@ profile apt @{exec_path} flags=(complain) { } profile dpkg-source flags=(complain) { - #include - #include - #include + include + include + include /{usr/,}bin/dpkg-source mr, /{usr/,}bin/perl r, @@ -173,6 +174,6 @@ profile apt @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/apt-cache b/apparmor.d/apt-cache index e95e9191..026bdcad 100644 --- a/apparmor.d/apt-cache +++ b/apparmor.d/apt-cache @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-cache profile apt-cache @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -31,5 +31,5 @@ profile apt-cache @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/apt-cdrom b/apparmor.d/apt-cdrom index 217004ca..373c755b 100644 --- a/apparmor.d/apt-cdrom +++ b/apparmor.d/apt-cdrom @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include capability dac_read_search, @@ -63,7 +63,7 @@ profile apt-cdrom @{exec_path} flags=(complain) { /etc/apt/sources.list~ w, profile mount flags=(complain) { - #include + include /{usr/,}bin/mount mr, @@ -74,7 +74,7 @@ profile apt-cdrom @{exec_path} flags=(complain) { } profile umount flags=(complain) { - #include + include capability sys_admin, @@ -90,5 +90,5 @@ profile apt-cdrom @{exec_path} flags=(complain) { } - #include if exists + include if exists } 
diff --git a/apparmor.d/apt-config b/apparmor.d/apt-config index c2137418..1171094d 100644 --- a/apparmor.d/apt-config +++ b/apparmor.d/apt-config @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-config profile apt-config @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -25,5 +25,5 @@ profile apt-config @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - #include if exists + include if exists } diff --git a/apparmor.d/apt-extracttemplates b/apparmor.d/apt-extracttemplates index 389c53ab..65d7eac7 100644 --- a/apparmor.d/apt-extracttemplates +++ b/apparmor.d/apt-extracttemplates @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/apt-extracttemplates profile apt-extracttemplates @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -35,5 +35,5 @@ profile apt-extracttemplates @{exec_path} { # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - #include if exists + include if exists } diff --git a/apparmor.d/apt-file b/apparmor.d/apt-file index f1aea4c9..2efaeb1e 100644 --- a/apparmor.d/apt-file +++ b/apparmor.d/apt-file @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-file profile apt-file @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -40,5 +40,5 @@ profile apt-file @{exec_path} { # file_inherit /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-ftparchive b/apparmor.d/apt-ftparchive index d53e7627..ef1357a8 100644 --- a/apparmor.d/apt-ftparchive +++ b/apparmor.d/apt-ftparchive 
@@ -9,15 +9,15 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{BUILD_DIR} = /media/debuilder/
 @{exec_path} = /{usr/,}bin/apt-ftparchive
 profile apt-ftparchive @{exec_path} {
- #include
+ include
 @{exec_path} mr,
@@ -27,5 +27,5 @@ profile apt-ftparchive @{exec_path} {
 # For package building
 @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/apt-get b/apparmor.d/apt-get
index 44da03ee..21405246 100644
--- a/apparmor.d/apt-get
+++ b/apparmor.d/apt-get
@@ -9,18 +9,18 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{BUILD_DIR} = /media/debuilder/
 @{exec_path} = /{usr/,}bin/apt-get
 profile apt-get @{exec_path} flags=(complain) {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 # To remove the following errors:
 # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
@@ -66,6 +66,7 @@ profile apt-get @{exec_path} flags=(complain) {
 # Needed? (##FIXME##)
 capability kill,
 capability fsetid,
+ capability net_admin,
 signal (send) peer=apt-methods-*,
@@ -114,6 +115,8 @@ profile apt-get @{exec_path} flags=(complain) {
 owner @{PROC}/@{pid}/fd/ r,
+ /dev/ptmx rw,
+
 /tmp/ r,
 owner /tmp/apt-tmp-index.* rw,
 owner /tmp/apt-dpkg-install-*/ rw,
@@ -129,9 +132,9 @@ profile apt-get @{exec_path} flags=(complain) {
 owner /var/log/cron-apt/temp w,
- profile pager flags=(complain) {
- #include
- #include
+ profile pager {
+ include
+ include
 capability dac_read_search,
@@ -153,9 +156,9 @@ profile apt-get @{exec_path} flags=(complain) {
 }
 profile dpkg-source flags=(complain) {
- #include
- #include
- #include
+ include
+ include
+ include
 /{usr/,}bin/dpkg-source mr,
 /{usr/,}bin/perl r,
@@ -180,5 +183,5 @@ profile apt-get @{exec_path} flags=(complain) {
 }
- #include if exists
+ include if exists
 }
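Review bot: `profile pager flags=(complain) {` becomes `profile pager {` in apt-get, which switches the pager child profile from complain to enforce while the enclosing apt-get profile keeps `flags=(complain)`; as far as I know a child profile's flags are not inherited from its parent, so any rule the pager child is still missing now blocks instead of being logged. If that is the intent, a comment such as `# pager child is enforced even though the parent is in complain mode` would make it deliberate, and a pointer to the denial that motivated it would help; aptitude's pager child gets the identical change in this commit. The new `/dev/ptmx rw,` lets the profile allocate pseudo-terminal masters, which is a broader grant than the `/dev/tty[0-9]*` rules already present; noting which helper needs it (presumably dpkg/debconf prompting, but that is inferred) would keep it from lingering unexplained, and aptitude receives the same rule.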
diff --git a/apparmor.d/apt-key b/apparmor.d/apt-key
index a6eb903d..920839a9 100644
--- a/apparmor.d/apt-key
+++ b/apparmor.d/apt-key
@@ -9,14 +9,14 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/apt-key
 profile apt-key @{exec_path} {
- #include
- #include
+ include
+ include
 @{exec_path} mr,
@@ -59,9 +59,14 @@ profile apt-key @{exec_path} {
 profile gpg {
- #include
- #include
- #include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
 /{usr/,}bin/gpg mr,
 /{usr/,}bin/gpgconf mr,
@@ -97,5 +102,5 @@ profile apt-key @{exec_path} {
 }
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/apt-listbugs b/apparmor.d/apt-listbugs
index 74a52dbf..96cb4003 100644
--- a/apparmor.d/apt-listbugs
+++ b/apparmor.d/apt-listbugs
@@ -9,20 +9,26 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{exec_path} = /{usr/,}bin/apt-listbugs
 profile apt-listbugs @{exec_path} {
- #include
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
+ include
 #capability sys_tty_config,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
 @{exec_path} r,
 /{usr/,}bin/ruby2.[0-9]* rix,
@@ -42,15 +48,15 @@ profile apt-listbugs @{exec_path} {
 @{PROC}/@{pid}/loginuid r,
 # The following is needed when apt-listbugs uses debcconf GUI frontends.
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 capability dac_read_search,
 /{usr/,}bin/lsb_release rPx -> child-lsb_release,
 /{usr/,}bin/hostname rPx,
 owner @{PROC}/@{pid}/mounts r,
 @{HOME}/.Xauthority r,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/apt-listbugs-aptcleanup b/apparmor.d/apt-listbugs-aptcleanup
index 6cb2f0b5..f3eef816 100644
--- a/apparmor.d/apt-listbugs-aptcleanup
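Review bot: The gpg child profile inside apt-key now receives `network inet dgram,`/`network inet6 dgram,` and the matching stream rules with no comment, which lets the gpg that apt-key spawns open outbound connections even though apt-key's core job is local trusted-keyring management. If this was added for keyserver operations, say so next to the rules, e.g. `# gpg: network needed only for keyserver lookups`; if it was added to silence a denial during keyring-only use, the grant is wider than that use needs and a `deny network` form would document the decision instead. apt-listbugs gets a similar block in the same line of this diff, where network access is at least expected since the tool talks to a remote bug tracker; the `network netlink raw,` line there is the same concern raised at the android-studio hunk.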
+++ b/apparmor.d/apt-listbugs-aptcleanup @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/libexec/apt-listbugs/aptcleanup profile apt-listbugs-aptcleanup @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/ruby2.[0-9]* rix, - #include if exists + include if exists } diff --git a/apparmor.d/apt-listbugs-migratepins b/apparmor.d/apt-listbugs-migratepins index e3bc6cdc..6e3ca525 100644 --- a/apparmor.d/apt-listbugs-migratepins +++ b/apparmor.d/apt-listbugs-migratepins @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/libexec/apt-listbugs/migratepins profile apt-listbugs-migratepins @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/ruby2.[0-9]* rix, @@ -31,5 +31,5 @@ profile apt-listbugs-migratepins @{exec_path} { owner /tmp/pin_migration_*-@{pid}-*/preferences w, owner /tmp/pin_migration_*-@{pid}-*/apt-listbugs w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-listbugs-prefclean b/apparmor.d/apt-listbugs-prefclean index 87409ad6..26004a99 100644 --- a/apparmor.d/apt-listbugs-prefclean +++ b/apparmor.d/apt-listbugs-prefclean @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/libexec/apt-listbugs/prefclean profile apt-listbugs-prefclean @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/ruby2.[0-9]* rix, @@ -32,5 +32,5 @@ profile apt-listbugs-prefclean @{exec_path} { owner /var/spool/apt-listbugs/lastprefclean rw, - #include if exists + include if exists } diff --git a/apparmor.d/apt-listchanges b/apparmor.d/apt-listchanges index 7a57bc7d..c97a23ac 100644 --- a/apparmor.d/apt-listchanges 
+++ b/apparmor.d/apt-listchanges @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-listchanges profile apt-listchanges @{exec_path} { - #include - #include - #include - #include + include + include + include + include #capability sys_tty_config, @@ -67,10 +67,10 @@ profile apt-listchanges @{exec_path} { owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, # The following is needed when apt-listchanges uses debcconf GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -79,8 +79,8 @@ profile apt-listchanges @{exec_path} { profile pager { - #include - #include + include + include #capability sys_tty_config, @@ -101,5 +101,5 @@ profile apt-listchanges @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/apt-mark b/apparmor.d/apt-mark index 933c16da..a39abfac 100644 --- a/apparmor.d/apt-mark +++ b/apparmor.d/apt-mark @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-mark profile apt-mark @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -29,5 +29,5 @@ profile apt-mark @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-cdrom b/apparmor.d/apt-methods-cdrom index fb5c6c9f..b91b5ced 100644 --- a/apparmor.d/apt-methods-cdrom +++ b/apparmor.d/apt-methods-cdrom 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/cdrom profile apt-methods-cdrom @{exec_path} { - #include - #include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -49,5 +49,5 @@ profile apt-methods-cdrom @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-copy b/apparmor.d/apt-methods-copy index 637d6917..35418407 100644 --- a/apparmor.d/apt-methods-copy +++ b/apparmor.d/apt-methods-copy @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/copy profile apt-methods-copy @{exec_path} { - #include - #include - #include + include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -60,5 +60,5 @@ profile apt-methods-copy @{exec_path} { owner /dev/tty[0-9]* rw, /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-file b/apparmor.d/apt-methods-file index a5523cf2..165941e3 100644 --- a/apparmor.d/apt-methods-file +++ b/apparmor.d/apt-methods-file 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/file profile apt-methods-file @{exec_path} { - #include - #include - #include + include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -60,5 +60,5 @@ profile apt-methods-file @{exec_path} { owner /dev/tty[0-9]* rw, /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-ftp b/apparmor.d/apt-methods-ftp index c119f0e2..5c356d8a 100644 --- a/apparmor.d/apt-methods-ftp +++ b/apparmor.d/apt-methods-ftp @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/ftp profile apt-methods-ftp @{exec_path} { - #include - #include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -49,5 +49,5 @@ profile apt-methods-ftp @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-gpgv b/apparmor.d/apt-methods-gpgv index 0e2a1e83..e3875e9c 100644 --- a/apparmor.d/apt-methods-gpgv +++ b/apparmor.d/apt-methods-gpgv 
@@ -9,17 +9,17 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{BUILD_DIR} = /media/debuilder/
 @{exec_path} = /{usr/,}lib/apt/methods/gpgv
 profile apt-methods-gpgv @{exec_path} {
- #include
- #include
- #include
+ include
+ include
+ include
 # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
 # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
@@ -92,5 +92,5 @@ profile apt-methods-gpgv @{exec_path} {
 owner /dev/tty[0-9]* rw,
 /var/log/cron-apt/temp w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/apt-methods-http b/apparmor.d/apt-methods-http
index d1996be2..0b352f0f 100644
--- a/apparmor.d/apt-methods-http
+++ b/apparmor.d/apt-methods-http
@@ -9,18 +9,18 @@
 #
 # ------------------------------------------------------------------
-#abi ,
+abi ,
-#include
+include
 @{BUILD_DIR} = /media/debuilder/
 @{exec_path} = /{usr/,}lib/apt/methods/http{,s}
 profile apt-methods-http @{exec_path} {
- #include
- #include
- #include
- #include
+ include
+ include
+ include
+ include
 # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
 # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
@@ -34,6 +34,12 @@ profile apt-methods-http @{exec_path} {
 signal (receive) peer=aptitude,
 signal (receive) peer=synaptic,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
 @{exec_path} mr,
 # apt-helper gets "no new privs" so "rix" it
@@ -74,5 +80,5 @@ profile apt-methods-http @{exec_path} {
 owner /dev/tty[0-9]* rw,
 /var/log/cron-apt/temp w,
- #include if exists
+ include if exists
 }
diff --git a/apparmor.d/apt-methods-mirror b/apparmor.d/apt-methods-mirror
index fe2785c5..c1e05b10 100644
--- a/apparmor.d/apt-methods-mirror
+++ b/apparmor.d/apt-methods-mirror
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*} profile apt-methods-mirror @{exec_path} { - #include - #include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -49,5 +49,5 @@ profile apt-methods-mirror @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-rred b/apparmor.d/apt-methods-rred index 86260641..1149713b 100644 --- a/apparmor.d/apt-methods-rred +++ b/apparmor.d/apt-methods-rred @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/rred profile apt-methods-rred @{exec_path} { - #include - #include - #include + include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -60,5 +60,5 @@ profile apt-methods-rred @{exec_path} { owner /dev/tty[0-9]* rw, /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-rsh b/apparmor.d/apt-methods-rsh index b9de6730..fd9d2084 100644 --- a/apparmor.d/apt-methods-rsh +++ b/apparmor.d/apt-methods-rsh 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh profile apt-methods-rsh @{exec_path} { - #include - #include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -49,5 +49,5 @@ profile apt-methods-rsh @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/apt-methods-store b/apparmor.d/apt-methods-store index 3ed2218f..98f72658 100644 --- a/apparmor.d/apt-methods-store +++ b/apparmor.d/apt-methods-store @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}lib/apt/methods/store profile apt-methods-store @{exec_path} { - #include - #include - #include + include + include + include # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is @@ -65,5 +65,5 @@ profile apt-methods-store @{exec_path} { owner /dev/tty[0-9]* rw, owner /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-show-versions b/apparmor.d/apt-show-versions index b1b49638..b39ac121 100644 --- a/apparmor.d/apt-show-versions +++ b/apparmor.d/apt-show-versions @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-show-versions profile apt-show-versions @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, 
@@ -37,5 +37,5 @@ profile apt-show-versions @{exec_path} { owner /dev/tty[0-9]* rw, owner /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/apt-sortpkgs b/apparmor.d/apt-sortpkgs index 8d0e48cd..339484bb 100644 --- a/apparmor.d/apt-sortpkgs +++ b/apparmor.d/apt-sortpkgs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/apt-sortpkgs profile apt-sortpkgs @{exec_path} { - #include + include @{exec_path} mr, @@ -25,5 +25,5 @@ profile apt-sortpkgs @{exec_path} { /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, - #include if exists + include if exists } diff --git a/apparmor.d/aptitude b/apparmor.d/aptitude index 9867aad0..91eaa14b 100644 --- a/apparmor.d/aptitude +++ b/apparmor.d/aptitude @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory @@ -67,6 +67,7 @@ profile aptitude @{exec_path} flags=(complain) { capability kill, capability fsetid, capability sys_chroot, + capability net_admin, #capability sys_tty_config, signal (send) peer=apt-methods-*, @@ -162,6 +163,8 @@ profile aptitude @{exec_path} flags=(complain) { # aptitude[]: Oh, oh, it's an error! possibly I die! /dev/tty[0-9]* rw, + /dev/ptmx rw, + # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, @@ -169,9 +172,9 @@ profile aptitude @{exec_path} flags=(complain) { /var/log/cron-apt/temp w, - profile pager flags=(complain) { - #include - #include + profile pager { + include + include /{usr/,}bin/ r, /{usr/,}bin/sensible-pager mr, 
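Review bot: `capability net_admin,` is added to the aptitude profile with no justifying comment, while the neighbouring capability lines each say what they are for, and net_admin is far broader than a package manager should need (interface, routing and netfilter configuration). Because the profile is still `flags=(complain)`, this looks like a log-driven addition rather than a verified requirement; record the triggering operation above the rule, e.g. `# net_admin: logged in complain mode, confirm which syscall needs it before enforcing`, or use `deny capability net_admin,` as a silencer if the operation is not actually required. The third hunk also drops `flags=(complain)` from the child `profile pager` while its parent stays in complain mode, which may be intended but should be stated, since the pager is the only part of aptitude that would now be enforced.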
@@ -189,6 +192,6 @@ profile aptitude @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/aptitude-changelog-parser b/apparmor.d/aptitude-changelog-parser index 3898e271..f3245008 100644 --- a/apparmor.d/aptitude-changelog-parser +++ b/apparmor.d/aptitude-changelog-parser @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/aptitude-changelog-parser profile aptitude-changelog-parser @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -25,5 +25,5 @@ profile aptitude-changelog-parser @{exec_path} { /**/debian/changelog r, - #include if exists + include if exists } diff --git a/apparmor.d/aptitude-create-state-bundle b/apparmor.d/aptitude-create-state-bundle index 5f398845..fb514aa9 100644 --- a/apparmor.d/aptitude-create-state-bundle +++ b/apparmor.d/aptitude-create-state-bundle @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/aptitude-create-state-bundle profile aptitude-create-state-bundle @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -36,5 +36,5 @@ profile aptitude-create-state-bundle @{exec_path} { /etc/apt/{,**} r, /var/lib/dpkg/status r, - #include if exists + include if exists } diff --git a/apparmor.d/aptitude-run-state-bundle b/apparmor.d/aptitude-run-state-bundle index 8ebe76cd..0c9fff18 100644 --- a/apparmor.d/aptitude-run-state-bundle +++ b/apparmor.d/aptitude-run-state-bundle 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/aptitude-run-state-bundle profile aptitude-run-state-bundle @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -32,5 +32,5 @@ profile aptitude-run-state-bundle @{exec_path} { owner /tmp/aptitudebug.*/{,**} rw, - #include if exists + include if exists } diff --git a/apparmor.d/arandr b/apparmor.d/arandr index 33583192..926442f9 100644 --- a/apparmor.d/arandr +++ b/apparmor.d/arandr @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/arandr profile arandr @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -42,5 +42,5 @@ profile arandr @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/at-spi-bus-launcher b/apparmor.d/at-spi-bus-launcher index 62f514d5..f46ab640 100644 --- a/apparmor.d/at-spi-bus-launcher +++ b/apparmor.d/at-spi-bus-launcher @@ -9,23 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher @{exec_path} += /usr/libexec/at-spi-bus-launcher profile at-spi-bus-launcher @{exec_path} { - #include - #include - #include - #include + include + include + include + include # Needed? deny capability sys_nice, signal (send) set=(term, kill) peer=dbus-daemon, + network inet stream, + network inet6 stream, + @{exec_path} mr, /{usr/,}bin/dbus-daemon rPUx, 
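Review bot: `network inet stream,` and `network inet6 stream,` give at-spi-bus-launcher unrestricted TCP access, and nothing in the hunk says why a launcher for the local accessibility D-Bus needs it. Since the commit adds such rules across many profiles, this was presumably a denial seen after switching the abi; the trigger should be recorded above the rules, e.g. `# inet/inet6 stream: <reason>, seen as a denial after the abi 3.0 switch`, and if it is only a harmless probe a `deny network inet stream,` silencer keeps the profile tighter than a grant. The launcher also executes `dbus-daemon` with `rPUx`, so the bus it spawns may fall back to unconfined; the network grant is best reviewed together with that transition.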
@@ -42,5 +45,5 @@ profile at-spi-bus-launcher @{exec_path} { owner @{HOME}/.xsession-errors w, /var/log/lightdm/seat[0-9]*-greeter.log w, - #include if exists + include if exists } diff --git a/apparmor.d/at-spi2-registryd b/apparmor.d/at-spi2-registryd index 04b82dfc..468dba12 100644 --- a/apparmor.d/at-spi2-registryd +++ b/apparmor.d/at-spi2-registryd @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd @{exec_path} += /usr/libexec/at-spi2-registryd profile at-spi2-registryd @{exec_path} { - #include - #include - #include + include + include + include # Needed? deny capability sys_nice, @@ -32,5 +32,5 @@ profile at-spi2-registryd @{exec_path} { owner @{HOME}/.xsession-errors w, owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/atftpd b/apparmor.d/atftpd index bbeec524..562e484c 100644 --- a/apparmor.d/atftpd +++ b/apparmor.d/atftpd @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/atftpd profile atftpd @{exec_path} { - #include - #include + include + include # to run atftpd daemon as nobody/nogroup capability setgid, @@ -31,5 +31,5 @@ profile atftpd @{exec_path} { # for libwrap (TCP Wrapper) support /etc/hosts.{,allow,deny} r, - #include if exists + include if exists } diff --git a/apparmor.d/atom b/apparmor.d/atom index 3f69cf15..547e8763 100644 --- a/apparmor.d/atom +++ b/apparmor.d/atom 
@@ -9,30 +9,30 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom profile atom @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include # The following doesn't seem to be needed ##include ##include ##include ##include - #include + include ##include ##include - #include - #include + include + include ptrace (read) peer=child-lsb_release, ptrace (read) peer=xdg-settings, @@ -169,10 +169,10 @@ profile atom @{exec_path} { profile gpg { - #include - #include - #include - #include + include + include + include + include /{usr/,}bin/gpg mr, @@ -186,8 +186,8 @@ profile atom @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -203,5 +203,5 @@ profile atom @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/badblocks b/apparmor.d/badblocks index 4073d695..000aea5e 100644 --- a/apparmor.d/badblocks +++ b/apparmor.d/badblocks @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/badblocks profile badblocks @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, @@ -28,5 +28,5 @@ profile badblocks @{exec_path} { @{HOME}/** rwk, /media/*/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/bin.netstat b/apparmor.d/bin.netstat index a05e67b0..977f76c7 100644 --- a/apparmor.d/bin.netstat +++ b/apparmor.d/bin.netstat 
@@ -14,15 +14,15 @@ # give evolution access to significant chunks of /proc # -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/netstat profile netstat @{exec_path} { - #include - #include - #include + include + include + include capability dac_read_search, capability syslog, diff --git a/apparmor.d/bin.ping b/apparmor.d/bin.ping index 2ed7af5f..dddeb71e 100644 --- a/apparmor.d/bin.ping +++ b/apparmor.d/bin.ping @@ -10,11 +10,13 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile ping /{usr/,}bin/{,iputils-}ping { - #include - #include - #include + include + include + include #capability net_raw, # Not needed when sysctl net.ipv4.ping_group_range is set #capability setuid, # Not needed anymore since it's not SETUID binary @@ -25,5 +27,5 @@ profile ping /{usr/,}bin/{,iputils-}ping { /etc/modules.conf r, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/biosdecode b/apparmor.d/biosdecode index edf4211f..907fa9f6 100644 --- a/apparmor.d/biosdecode +++ b/apparmor.d/biosdecode @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/biosdecode profile biosdecode @{exec_path} { - #include + include # Needed to read the /dev/mem device capability sys_rawio, @@ -24,5 +24,5 @@ profile biosdecode @{exec_path} { /dev/mem r, - #include if exists + include if exists } diff --git a/apparmor.d/birdtray b/apparmor.d/birdtray index 4f96ab97..f17ab2c3 100644 --- a/apparmor.d/birdtray +++ b/apparmor.d/birdtray 
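Review bot: The bin.ping hunks add the new `abi` declaration but no `network` rule, even though ping needs an ICMP socket and the rest of this commit adds explicit `network` rules to other profiles once the abi is declared; unless such a rule exists in the part of the profile between the two hunks, ping will be denied its socket in enforce mode. The commented `#capability net_raw` line documents the unprivileged path via `net.ipv4.ping_group_range`, which uses a datagram ICMP socket, so I would add `network inet dgram,` and `network inet6 dgram,` next to the capability lines, and `network inet raw,` / `network inet6 raw,` only if `capability net_raw` is ever re-enabled. The profile body between the two hunks is not visible here, so this should be checked against the full file.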
@@ -9,25 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/birdtray profile birdtray @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet, + network inet6, + network netlink dgram, @{exec_path} mr, @@ -78,8 +82,8 @@ profile birdtray @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -93,8 +97,8 @@ profile birdtray @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } - #include if exists + include if exists } diff --git a/apparmor.d/blkid b/apparmor.d/blkid index 0dbe7cce..13ee0102 100644 --- a/apparmor.d/blkid +++ b/apparmor.d/blkid @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/blkid profile blkid @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -38,5 +38,5 @@ profile blkid @{exec_path} { @{HOME}/** r, /media/*/** r, - #include if exists + include if exists } diff --git a/apparmor.d/blockdev b/apparmor.d/blockdev index c530833d..c4c96ecb 100644 --- a/apparmor.d/blockdev +++ b/apparmor.d/blockdev @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/blockdev profile blockdev @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile blockdev @{exec_path} { @{PROC}/partitions r, - #include if exists + include if exists } diff --git a/apparmor.d/bluetoothctl b/apparmor.d/bluetoothctl index 044739b2..f34be1b3 100644 
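Review bot: `network inet,` and `network inet6,` without a socket type allow every AF_INET/AF_INET6 socket type, including raw sockets, which is more than a tray notifier is likely to need, and the hunk gives no hint of what the sockets are for. Prefer `network inet stream,` / `network inet6 stream,` (adding `network inet dgram,` / `network inet6 dgram,` only if name resolution is observed to need it) and a comment naming the feature that opens them. `network netlink dgram,` is plausible for interface enumeration but also deserves a one-line comment so later edits do not widen it further.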
--- a/apparmor.d/bluetoothctl +++ b/apparmor.d/bluetoothctl @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/bluetoothctl profile bluetoothctl @{exec_path} { - #include + include @{exec_path} mr, /etc/inputrc r, - #include if exists + include if exists } diff --git a/apparmor.d/bluetoothd b/apparmor.d/bluetoothd index 5c5bfe76..11377a41 100644 --- a/apparmor.d/bluetoothd +++ b/apparmor.d/bluetoothd @@ -9,19 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/bluetooth/bluetoothd @{exec_path} += /usr/libexec/bluetooth/bluetoothd profile bluetoothd @{exec_path} { - #include + include # Needed for configuring HCI interfaces capability net_admin, capability net_bind_service, + network bluetooth, + network netlink raw, + @{exec_path} mr, /{usr/,}lib/@{multiarch}/bluetooth/plugins/*.so mr, @@ -39,5 +42,5 @@ profile bluetoothd @{exec_path} { /var/lib/bluetooth/{,**} rw, - #include if exists + include if exists } diff --git a/apparmor.d/bmon b/apparmor.d/bmon index f8f2286b..a4cfba00 100644 --- a/apparmor.d/bmon +++ b/apparmor.d/bmon @@ -9,17 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/bmon profile bmon @{exec_path} { - #include + include + + network netlink raw, @{exec_path} mr, /etc/bmon.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/borg b/apparmor.d/borg index 4ceac998..537039ea 100644 --- a/apparmor.d/borg +++ b/apparmor.d/borg @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BACKUP_DIR} = /media/Arti/backup-* @{exec_path} = /{usr/,}bin/borg profile borg @{exec_path} { - #include - #include + include + include # For reading files of other users as root capability dac_read_search, 
@@ -85,7 +85,7 @@ profile borg @{exec_path} { profile ccache { - #include + include /{usr/,}bin/ccache mr, @@ -95,5 +95,5 @@ profile borg @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/brave b/apparmor.d/brave index 570a6322..76b10401 100644 --- a/apparmor.d/brave +++ b/apparmor.d/brave @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev} @{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev} @@ -19,20 +19,20 @@ @{exec_path} = @{BRAVE_INSTALLDIR}/brave{,-beta,-dev} profile brave @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include capability sys_ptrace, @@ -204,8 +204,8 @@ profile brave @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -220,5 +220,5 @@ profile brave @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/brave-browser b/apparmor.d/brave-browser index 48503730..c47bb3ab 100644 --- a/apparmor.d/brave-browser +++ b/apparmor.d/brave-browser @@ -13,15 +13,15 @@ @{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{BRAVE_CACHEDIR} = @{HOME}/.cache/BraveSoftware/Brave-Browser{,-Beta,-Dev} -#abi , +abi , -#include +include @{exec_path} = @{BRAVE_INSTALLDIR}/brave-browser{,-beta,-dev} profile brave-browser @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -36,5 +36,5 @@ profile brave-browser @{exec_path} { owner @{PROC}/@{pid}/fd/63 w, - #include if exists + include if exists } 
diff --git a/apparmor.d/brave-sandbox b/apparmor.d/brave-sandbox index 5cef49b7..1a4a1f43 100644 --- a/apparmor.d/brave-sandbox +++ b/apparmor.d/brave-sandbox @@ -13,14 +13,14 @@ @{BRAVE_HOMEDIR} = @{HOME}/.config/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{BRAVE_CACHEDIR} = @{HOME}/.cache/BraveSoftware/Brave-Browser{,-Beta,-Dev} -#abi , +abi , -#include +include @{exec_path} = @{BRAVE_INSTALLDIR}/{brave,chrome}-sandbox profile brave-sandbox @{exec_path} { - #include - #include + include + include # For kernel unprivileged user namespaces capability sys_admin, @@ -35,5 +35,5 @@ profile brave-sandbox @{exec_path} { @{PROC}/@{pids}/ r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs b/apparmor.d/btrfs index 35093b74..2bca2e10 100644 --- a/apparmor.d/btrfs +++ b/apparmor.d/btrfs @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/{btrfs,btrfsck} profile btrfs @{exec_path} { - #include - #include - #include + include + include + include capability sys_admin, capability fowner, @@ -53,5 +53,5 @@ profile btrfs @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs-convert b/apparmor.d/btrfs-convert index bfefeafc..923138f5 100644 --- a/apparmor.d/btrfs-convert +++ b/apparmor.d/btrfs-convert @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfs-convert profile btrfs-convert @{exec_path} { - #include - #include + include + include @{exec_path} mr, owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs-find-root b/apparmor.d/btrfs-find-root index 11071897..c4f85c4d 100644 --- a/apparmor.d/btrfs-find-root +++ b/apparmor.d/btrfs-find-root 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfs-find-root profile btrfs-find-root @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile btrfs-find-root @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs-image b/apparmor.d/btrfs-image index 9fb7d4e2..f18b0710 100644 --- a/apparmor.d/btrfs-image +++ b/apparmor.d/btrfs-image @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfs-image profile btrfs-image @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -28,5 +28,5 @@ profile btrfs-image @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs-map-logical b/apparmor.d/btrfs-map-logical index 4ee7b074..4c9c935d 100644 --- a/apparmor.d/btrfs-map-logical +++ b/apparmor.d/btrfs-map-logical @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfs-map-logical profile btrfs-map-logical @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile btrfs-map-logical @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/btrfs-select-super b/apparmor.d/btrfs-select-super index b0f13786..9f0fa81f 100644 --- a/apparmor.d/btrfs-select-super +++ b/apparmor.d/btrfs-select-super 
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfs-select-super profile btrfs-select-super @{exec_path} { - #include - #include + include + include @{exec_path} mr, owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/btrfstune b/apparmor.d/btrfstune index c799f57f..b27352dc 100644 --- a/apparmor.d/btrfstune +++ b/apparmor.d/btrfstune @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/btrfstune profile btrfstune @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile btrfstune @{exec_path} { owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - #include if exists + include if exists } diff --git a/apparmor.d/calibre b/apparmor.d/calibre index 383e250c..dd30415b 100644 --- a/apparmor.d/calibre +++ b/apparmor.d/calibre @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # PDF extensions # pdf, epub, txt, html, mhtml, ps, mobi, djvu @@ -30,23 +30,23 @@ @{exec_path} += /{usr/,}bin/lrs2lrf /{usr/,}bin/lrf2lrs /{usr/,}bin/lrfviewer @{exec_path} += /{usr/,}bin/web2disk profile calibre @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". 
@@ -58,6 +58,8 @@ profile calibre @{exec_path} { capability sys_ptrace, + network netlink raw, + @{exec_path} mrix, /{usr/,}bin/python3.[0-9]* r, @@ -172,14 +174,17 @@ profile calibre @{exec_path} { /etc/inputrc r, /etc/magic r, + # Silencer + deny /usr/lib/python3/dist-packages/**.pyc.[0-9]* w, + # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -205,5 +210,5 @@ profile calibre @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/cawbird b/apparmor.d/cawbird index 10d422ab..5dd850c8 100644 --- a/apparmor.d/cawbird +++ b/apparmor.d/cawbird @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/cawbird profile cawbird @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -49,7 +49,7 @@ profile cawbird @{exec_path} { /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, # This is needed as cawbird stores its settings in the dconf database. - #include + include @{run}/user/[0-9]*/dconf/user rw, /var/lib/dbus/machine-id r, @@ -71,8 +71,8 @@ profile cawbird @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -88,5 +88,5 @@ profile cawbird @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/ccze b/apparmor.d/ccze index 8542859a..0b21202a 100644 --- a/apparmor.d/ccze +++ b/apparmor.d/ccze @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ccze profile ccze @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, 
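Review bot: The new `network netlink raw,` in the calibre profile has no comment, unlike most rules in this file; such sockets are commonly opened by Qt's network-interface lookups over NETLINK_ROUTE, but that is an inference and should be written down, e.g. `# netlink raw: presumably Qt interface/route enumeration (NETLINK_ROUTE), confirm`. The `# Silencer` comment on the `deny /usr/lib/python3/dist-packages/**.pyc.[0-9]* w,` rule would be clearer if it said what is being silenced, i.e. Python's attempts to write bytecode caches under a system directory, which explains why a `deny` rather than an `owner` grant is the right choice. The calibre profile body continues outside both hunks.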
@@ -25,5 +25,5 @@ profile ccze @{exec_path} { /etc/cczerc r, - #include if exists + include if exists } diff --git a/apparmor.d/cfdisk b/apparmor.d/cfdisk index cea54cf9..612898d5 100644 --- a/apparmor.d/cfdisk +++ b/apparmor.d/cfdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cfdisk profile cfdisk @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -40,5 +40,5 @@ profile cfdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/cgdisk b/apparmor.d/cgdisk index 5ffd5bdf..61a1b3ed 100644 --- a/apparmor.d/cgdisk +++ b/apparmor.d/cgdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cgdisk profile cgdisk @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -32,5 +32,5 @@ profile cgdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/cgrulesengd b/apparmor.d/cgrulesengd index 83443fdd..d834c5ef 100644 --- a/apparmor.d/cgrulesengd +++ b/apparmor.d/cgrulesengd @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cgrulesengd profile cgrulesengd @{exec_path} { - #include - #include + include + include # For creating Unix domain sockets/IPC sockets: # socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3 @@ -32,6 +32,8 @@ profile cgrulesengd @{exec_path} { # To be able to read the /proc/ files of all processes in the system. capability dac_read_search, + network netlink dgram, + ptrace (read), @{exec_path} mr, 
@@ -48,5 +50,5 @@ profile cgrulesengd @{exec_path} { /etc/cgconfig.conf r, /etc/cgrules.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/chage b/apparmor.d/chage index bdd346d3..817a5baf 100644 --- a/apparmor.d/chage +++ b/apparmor.d/chage @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/chage profile chage @{exec_path} { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -38,5 +38,5 @@ profile chage @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/changestool b/apparmor.d/changestool index f03af570..991b8aeb 100644 --- a/apparmor.d/changestool +++ b/apparmor.d/changestool @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/changestool profile changestool @{exec_path} { - #include + include @{exec_path} mr, @@ -32,7 +32,7 @@ profile changestool @{exec_path} { profile gpg { - #include + include /{usr/,}bin/gpg mr, /{usr/,}bin/gpgconf mr, @@ -43,5 +43,5 @@ profile changestool @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/check-bios-nx b/apparmor.d/check-bios-nx index d122dc55..14cff05d 100644 --- a/apparmor.d/check-bios-nx +++ b/apparmor.d/check-bios-nx @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/check-bios-nx profile check-bios-nx @{exec_path} { - #include - #include + include + include # To remove the following errors: # /usr/sbin/check-bios-nx: 19: cannot create /dev/stderr: Permission denied 
@@ -37,7 +37,7 @@ profile check-bios-nx @{exec_path} { profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -51,5 +51,5 @@ profile check-bios-nx @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/check-support-status b/apparmor.d/check-support-status index 8c55381a..40d9926f 100644 --- a/apparmor.d/check-support-status +++ b/apparmor.d/check-support-status @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/check-support-status profile check-support-status @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} rix, /{usr/,}bin/{,ba,da}sh rix, @@ -67,8 +67,8 @@ profile check-support-status @{exec_path} flags=(complain) { profile debconf-escape flags=(complain) { - #include - #include + include + include /{usr/,}bin/debconf-escape r, /{usr/,}bin/perl r, @@ -77,5 +77,5 @@ profile check-support-status @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/check-support-status-hook b/apparmor.d/check-support-status-hook index 0de24ca7..09e5171b 100644 --- a/apparmor.d/check-support-status-hook +++ b/apparmor.d/check-support-status-hook @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/debian-security-support/check-support-status.hook profile check-support-status-hook @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -54,9 +54,9 @@ profile check-support-status-hook @{exec_path} flags=(complain) { profile debconf-escape flags=(complain) { - #include - #include - #include + include + include + include /{usr/,}bin/debconf-escape r, /{usr/,}bin/perl r, 
@@ -67,10 +67,10 @@ profile check-support-status-hook @{exec_path} flags=(complain) { } profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, @@ -86,10 +86,10 @@ profile check-support-status-hook @{exec_path} flags=(complain) { owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, # The following is needed when debconf uses GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -99,10 +99,12 @@ profile check-support-status-hook @{exec_path} flags=(complain) { } profile runuser flags=(complain) { - #include - #include - #include - #include + include + include + include + include + + network netlink raw, # To remove the following errors: # runuser: cannot set user id: Operation not permitted @@ -130,5 +132,5 @@ profile check-support-status-hook @{exec_path} flags=(complain) { owner /tmp/debian-security-support.postinst.*/output w, } - #include if exists + include if exists } diff --git a/apparmor.d/chfn b/apparmor.d/chfn index 73aa1bf8..9ea56e02 100644 --- a/apparmor.d/chfn +++ b/apparmor.d/chfn @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/chfn profile chfn @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -31,6 +31,8 @@ profile chfn @{exec_path} { # chfn is a SETUID binary capability setuid, + network netlink raw, + @{exec_path} mr, owner @{PROC}/@{pid}/loginuid r, @@ -47,5 +49,5 @@ profile chfn @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } 
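Review bot: `network netlink raw,` is added to chfn (and to the `runuser` child profile of check-support-status-hook) without stating its purpose; chfn already has `capability audit_write,`, so the likely consumer is the NETLINK_AUDIT socket that libaudit opens to send audit records, but the hunk does not say so. I would document the pairing so the two rules stay together: `# For sending audit records over NETLINK_AUDIT (pairs with capability audit_write)`. chfn is a setuid binary (the profile grants `capability setuid,`), so an unexplained socket grant in this profile deserves a confirmed trigger rather than a log-driven guess.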
diff --git a/apparmor.d/child-dpkg b/apparmor.d/child-dpkg index 1fa3533d..4c9d422a 100644 --- a/apparmor.d/child-dpkg +++ b/apparmor.d/child-dpkg @@ -15,14 +15,14 @@ # is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -#abi , +abi , -#include +include # Do not attach to /{usr/,}bin/dpkg by default profile child-dpkg { - #include - #include + include + include # Needed? deny capability setgid, @@ -39,5 +39,5 @@ profile child-dpkg { # file_inherit /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/child-dpkg-divert b/apparmor.d/child-dpkg-divert index e1dde189..b69b435a 100644 --- a/apparmor.d/child-dpkg-divert +++ b/apparmor.d/child-dpkg-divert @@ -15,13 +15,13 @@ # it is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -#abi , +abi , -#include +include # Do not attach to /{usr/,}bin/dpkg-divert by default profile child-dpkg-divert { - #include + include /{usr/,}bin/dpkg-divert mr, @@ -35,5 +35,5 @@ profile child-dpkg-divert { # file_inherit /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/child-lsb_release b/apparmor.d/child-lsb_release index 9be0414d..9031c148 100644 --- a/apparmor.d/child-lsb_release +++ b/apparmor.d/child-lsb_release @@ -15,15 +15,15 @@ # it is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -#abi , +abi , -#include +include # Do not attach to /{usr/,}bin/lsb_release by default profile child-lsb_release { - #include - #include - #include + include + include + include signal (receive) set=(term, kill), 
@@ -61,5 +61,6 @@ profile child-lsb_release { # deny /tmp/gtalkplugin.log w, /dev/dri/card[0-9]* rw, - #include if exists + # Site-specific additions and overrides. See local/README for details. + include if exists } diff --git a/apparmor.d/child-pager b/apparmor.d/child-pager index 9ca17b3d..94eb4903 100644 --- a/apparmor.d/child-pager +++ b/apparmor.d/child-pager @@ -15,14 +15,14 @@ # is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -#abi , +abi , -#include +include # Do not attach to /{usr/,}bin/pager by default profile child-pager { - #include - #include + include + include signal (receive) set=(stop, cont, term, kill), @@ -36,5 +36,5 @@ profile child-pager { # For shell pwd /root/ r, - #include if exists + include if exists } diff --git a/apparmor.d/child-systemctl b/apparmor.d/child-systemctl index 23717922..f207d787 100644 --- a/apparmor.d/child-systemctl +++ b/apparmor.d/child-systemctl @@ -15,15 +15,15 @@ # it is invoked from other confined applications, but not when it is # used in regular (unconfined) shell scripts or run directly by the user. -#abi , +abi , -#include +include # Do not attach to /{usr/,}bin/systemctl by default profile child-systemctl { - #include - #include - #include + include + include + include capability sys_ptrace, @@ -41,5 +41,5 @@ profile child-systemctl { /dev/kmsg w, - #include if exists + include if exists } diff --git a/apparmor.d/chromium b/apparmor.d/chromium index 61296c8a..702e503a 100644 --- a/apparmor.d/chromium +++ b/apparmor.d/chromium @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium @{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium @@ -19,9 +19,9 @@ @{exec_path} = /{usr/,}bin/chromium profile chromium @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, 
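Review bot: The comment `# Site-specific additions and overrides. See local/README for details.` is added above the trailing `include if exists` only in child-lsb_release (hunk `@@ -61,5 +61,6 @@`); every other profile in this commit rewrites the same trailing include without it (child-pager and child-systemctl on this line, and the files before and after). Either the comment is worth carrying to every profile whose local include is being rewritten anyway, or it should be dropped here so the profiles stay uniform. The referenced local/README is not touched by this commit, so it should be confirmed to exist where the comment points.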
@@ -61,5 +61,5 @@ profile chromium @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/chromium-chrome-sandbox b/apparmor.d/chromium-chrome-sandbox index 8cdc3492..79aa8f99 100644 --- a/apparmor.d/chromium-chrome-sandbox +++ b/apparmor.d/chromium-chrome-sandbox @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium @{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium @@ -20,8 +20,8 @@ @{exec_path} = @{CHROMIUM_INSTALLDIR}/chrome-sandbox profile chromium-chrome-sandbox @{exec_path} { - #include - #include + include + include # For kernel unprivileged user namespaces capability sys_admin, @@ -38,5 +38,5 @@ profile chromium-chrome-sandbox @{exec_path} { @{PROC}/@{pids}/ r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - #include if exists + include if exists } diff --git a/apparmor.d/chromium-chromium b/apparmor.d/chromium-chromium index 59115637..63a0e5e9 100644 --- a/apparmor.d/chromium-chromium +++ b/apparmor.d/chromium-chromium @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium @{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium @@ -19,20 +19,20 @@ @{exec_path} = @{CHROMIUM_INSTALLDIR}/chromium profile chromium-chromium @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". 
@@ -49,6 +49,12 @@ profile chromium-chromium @{exec_path} { signal (send) set=(term, kill) peer=keepassxc-proxy, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, @{CHROMIUM_INSTALLDIR}/chrome-sandbox rPx, @@ -84,6 +90,7 @@ profile chromium-chromium @{exec_path} { # Chromium home files owner @{HOME}/ r, + owner @{HOME}/.config/ r, owner @{CHROMIUM_HOMEDIR}/ rw, owner @{CHROMIUM_HOMEDIR}/** rwk, owner @{CHROMIUM_HOMEDIR}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw, @@ -185,8 +192,8 @@ profile chromium-chromium @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -204,5 +211,5 @@ profile chromium-chromium @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/chsh b/apparmor.d/chsh index ecbf3af1..78547ba4 100644 --- a/apparmor.d/chsh +++ b/apparmor.d/chsh @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/chsh profile chsh @{exec_path} { - #include - #include - #include - #include + include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -30,6 +30,8 @@ profile chsh @{exec_path} { # gpasswd is a SETUID binary capability setuid, + network netlink raw, + @{exec_path} mr, owner @{PROC}/@{pid}/loginuid r, @@ -48,5 +50,5 @@ profile chsh @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/claws-mail b/apparmor.d/claws-mail index 024fea13..fa0c0098 100644 --- a/apparmor.d/claws-mail +++ b/apparmor.d/claws-mail 
@@ -9,24 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/claws-mail profile claws-mail @{exec_path} flags=(complain) { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -78,7 +78,7 @@ profile claws-mail @{exec_path} flags=(complain) { profile gpg { - #include + include /{usr/,}bin/gpg mr, /{usr/,}bin/gpgsm mr, @@ -89,5 +89,5 @@ profile claws-mail @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/code b/apparmor.d/code index 3f0a69df..86d59951 100644 --- a/apparmor.d/code +++ b/apparmor.d/code @@ -9,28 +9,28 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code profile code @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include # The following doesn't seem to be needed ##include ##include ##include ##include - #include - #include - #include + include + include + include ptrace (read) peer=child-lsb_release, @@ -142,6 +142,6 @@ profile code @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/colord b/apparmor.d/colord index f13da5f7..661779a6 100644 --- a/apparmor.d/colord +++ b/apparmor.d/colord @@ -9,14 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/colord/colord /usr/libexec/colord profile colord @{exec_path} { - #include - #include + include + include + + network netlink raw, @{exec_path} mr, 
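Review bot: Enabling the `abi` rule in claws-mail (hunk `@@ -9,24 +9,24 @@`) moves the profile to the new feature ABI, yet unlike curl, dig and debsecan elsewhere in this commit the mail client receives no `network` rules here. Elsewhere the commit pairs the `abi` line with explicit `network inet stream,`/`network inet dgram,` rules (and their inet6 forms) for programs that open sockets, which implies socket access is mediated once the ABI is declared; if claws-mail has no such rules outside the hunk and none of its twelve includes supply them, its IMAP/SMTP connections would be denied — though this profile is `flags=(complain)`, so the visible effect would be audit noise rather than a broken client. The include and `abi` targets are not rendered on this page (the bracketed part is missing), so which abstractions are pulled in could not be checked. The same question applies to `code` on this line (not in complain mode), `ddclient` (L124) and the `popcon-upload` subprofile of cron-popularity-contest (L122), whose names imply network use but whose hunks change only include syntax. Each of these profile bodies continues outside its hunk.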
@@ -48,5 +50,5 @@ profile colord @{exec_path} { /usr/share/mime/mime.cache r, - #include if exists + include if exists } diff --git a/apparmor.d/colord-sane b/apparmor.d/colord-sane index 842c1367..d8c767f8 100644 --- a/apparmor.d/colord-sane +++ b/apparmor.d/colord-sane @@ -9,14 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/colord/colord-sane @{exec_path} += /usr/libexec/colord-sane profile colord-sane @{exec_path} flags=(complain) { - #include + include + + network netlink raw, @{exec_path} mr, @@ -43,5 +45,5 @@ profile colord-sane @{exec_path} flags=(complain) { @{PROC}/sys/dev/parport/ r, - #include if exists + include if exists } diff --git a/apparmor.d/colord-session b/apparmor.d/colord-session index c72c6981..46b33c4d 100644 --- a/apparmor.d/colord-session +++ b/apparmor.d/colord-session @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/colord/colord-session /usr/libexec/colord-session profile colord-session @{exec_path} flags=(complain) { - #include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/command-not-found b/apparmor.d/command-not-found index c326919e..e2088009 100644 --- a/apparmor.d/command-not-found +++ b/apparmor.d/command-not-found @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/command-not-found/command-not-found @{exec_path} += /{usr/,}bin/command-not-found profile command-not-found @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -30,5 +30,5 @@ profile command-not-found @{exec_path} { /usr/share/command-not-found/{,**} r, - #include if exists + include if exists } 
diff --git a/apparmor.d/compton b/apparmor.d/compton index 90ad8c81..4fdc93bb 100644 --- a/apparmor.d/compton +++ b/apparmor.d/compton @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/compton profile compton @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -30,5 +30,5 @@ profile compton @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/conky b/apparmor.d/conky index 65160494..2f3ecf47 100644 --- a/apparmor.d/conky +++ b/apparmor.d/conky @@ -9,21 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/conky profile conky @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, @{exec_path} mr, @@ -142,11 +145,14 @@ profile conky @{exec_path} { profile browse { - #include - #include - #include - #include - #include + include + include + include + include + include + + network inet, + network inet6, /{usr/,}bin/wget mr, /{usr/,}bin/curl mr, @@ -188,5 +194,5 @@ profile conky @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/convertall b/apparmor.d/convertall index 54881e80..9e1980a7 100644 --- a/apparmor.d/convertall +++ b/apparmor.d/convertall 
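Review bot: In conky's `browse` subprofile (hunk `@@ -142,11 +145,14 @@`) the new `network inet,` and `network inet6,` rules carry no socket type, so they also permit raw sockets, whereas the parent profile in hunk `@@ -9,21 +9,24 @@` and the curl and dig profiles later in this commit spell out `dgram`/`stream`. The subprofile only lists wget and curl, which typically need TCP connections plus DNS lookups, so `network inet stream,` and `network inet dgram,` together with their inet6 counterparts cover that without the raw-socket grant. The subprofile's body continues outside the hunk.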
@@ -9,24 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/convertall /usr/share/convertall/convertall.py profile convertall @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -49,5 +49,5 @@ profile convertall @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - #include if exists + include if exists } diff --git a/apparmor.d/cppw-cpgr b/apparmor.d/cppw-cpgr index 3a187bb2..9992b69b 100644 --- a/apparmor.d/cppw-cpgr +++ b/apparmor.d/cppw-cpgr @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cp{pw,gr} profile cppw-cpgr @{exec_path} { - #include + include # To set the right permission to the files in the /etc/ dir. capability chown, @@ -38,5 +38,5 @@ profile cppw-cpgr @{exec_path} { # Source of the files to be replaced owner /root/* r, - #include if exists + include if exists } diff --git a/apparmor.d/cpuid b/apparmor.d/cpuid index b643d96f..e57352b4 100644 --- a/apparmor.d/cpuid +++ b/apparmor.d/cpuid @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/cpuid profile cpuid @{exec_path} { - #include + include capability mknod, @@ -25,5 +25,5 @@ profile cpuid @{exec_path} { owner /tmp/cpuid* rw, - #include if exists + include if exists } diff --git a/apparmor.d/cpupower b/apparmor.d/cpupower index 24c32773..7a4da3ee 100644 --- a/apparmor.d/cpupower +++ b/apparmor.d/cpupower 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/cpupower profile cpupower @{exec_path} { - #include + include # Needed to read the /dev/cpu/[0-9]*/msr device, and hence remove the following error: # Could not read perf-bias value[-1] @@ -48,7 +48,7 @@ profile cpupower @{exec_path} { profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -60,5 +60,5 @@ profile cpupower @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/crda b/apparmor.d/crda index ce72d7b0..86c16a5a 100644 --- a/apparmor.d/crda +++ b/apparmor.d/crda @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/crda profile crda @{exec_path} { - #include + include # For "iw reg set PL" capability net_admin, @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/cron b/apparmor.d/cron index bb20a9fe..91679ca5 100644 --- a/apparmor.d/cron +++ b/apparmor.d/cron @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cron profile cron @{exec_path} { - #include - #include - #include - #include + include + include + include + include capability setuid, capability setgid, @@ -26,6 +26,8 @@ profile cron @{exec_path} { capability audit_write, capability sys_resource, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -77,7 +79,7 @@ profile cron @{exec_path} { /etc/security/limits.d/ r, profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -121,8 +123,8 @@ profile cron @{exec_path} { # file_inherit owner /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } - #include if exists + include if exists } diff --git a/apparmor.d/cron-apt b/apparmor.d/cron-apt index bfbdc462..ac45526c 100644 --- a/apparmor.d/cron-apt 
+++ b/apparmor.d/cron-apt @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/cron-apt profile cron-apt @{exec_path} { - #include - #include + include + include # Needed? capability setgid, @@ -92,5 +92,5 @@ profile cron-apt @{exec_path} { # file_inherit owner /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/cron-apt-listbugs b/apparmor.d/cron-apt-listbugs index c26954d5..2d6885cc 100644 --- a/apparmor.d/cron-apt-listbugs +++ b/apparmor.d/cron-apt-listbugs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/apt-listbugs profile cron-apt-listbugs @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -26,7 +26,7 @@ profile cron-apt-listbugs @{exec_path} { profile prefclean { - #include + include /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr, @@ -41,5 +41,5 @@ profile cron-apt-listbugs @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/cron-apt-show-versions b/apparmor.d/cron-apt-show-versions index fda645e0..9fd7598b 100644 --- a/apparmor.d/cron-apt-show-versions +++ b/apparmor.d/cron-apt-show-versions @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/apt-show-versions profile cron-apt-show-versions @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -25,5 +25,5 @@ profile cron-apt-show-versions @{exec_path} { # For shell pwd / r, - #include if exists + include if exists } diff --git a/apparmor.d/cron-apt-xapian-index b/apparmor.d/cron-apt-xapian-index index 36fc40f1..9f2d3e2d 100644 --- a/apparmor.d/cron-apt-xapian-index +++ b/apparmor.d/cron-apt-xapian-index 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.weekly/apt-xapian-index profile cron-apt-xapian-index @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -33,5 +33,5 @@ profile cron-apt-xapian-index @{exec_path} { # For shell pwd / r, - #include if exists + include if exists } diff --git a/apparmor.d/cron-aptitude b/apparmor.d/cron-aptitude index 99734edd..a586ed37 100644 --- a/apparmor.d/cron-aptitude +++ b/apparmor.d/cron-aptitude @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/aptitude profile cron-aptitude @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -38,5 +38,5 @@ profile cron-aptitude @{exec_path} { /var/backups/ r, /var/backups/* rw, - #include if exists + include if exists } diff --git a/apparmor.d/cron-debsums b/apparmor.d/cron-debsums index 82a4c94e..42de1e9e 100644 --- a/apparmor.d/cron-debsums +++ b/apparmor.d/cron-debsums @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.{daily,weekly,monthly}/debsums profile cron-debsums @{exec_path} { - #include + include @{exec_path} mr, @@ -39,8 +39,8 @@ profile cron-debsums @{exec_path} { profile tee { - #include - #include + include + include # Needed to write to /proc/self/fd/3 capability dac_override, @@ -51,5 +51,5 @@ profile cron-debsums @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/cron-dlocate b/apparmor.d/cron-dlocate index b8d94786..d7d72ee2 100644 --- a/apparmor.d/cron-dlocate +++ b/apparmor.d/cron-dlocate 
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/dlocate profile cron-dlocate @{exec_path} { - #include + include @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/update-dlocatedb rPx, - #include if exists + include if exists } diff --git a/apparmor.d/cron-ipset-autoban-save b/apparmor.d/cron-ipset-autoban-save index 5d68ce1c..fe46a497 100644 --- a/apparmor.d/cron-ipset-autoban-save +++ b/apparmor.d/cron-ipset-autoban-save @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.hourly/ipset_autoban_save profile cron-ipset-autoban-save @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -25,5 +25,5 @@ profile cron-ipset-autoban-save @{exec_path} { /etc/peerblock/autoban rw, - #include if exists + include if exists } diff --git a/apparmor.d/cron-logrotate b/apparmor.d/cron-logrotate index 6123ef48..149a8223 100644 --- a/apparmor.d/cron-logrotate +++ b/apparmor.d/cron-logrotate @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/logrotate profile cron-logrotate @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -27,5 +27,5 @@ profile cron-logrotate @{exec_path} { # For shell pwd / r, - #include if exists + include if exists } diff --git a/apparmor.d/cron-mlocate b/apparmor.d/cron-mlocate index f34cb78c..bac4455b 100644 --- a/apparmor.d/cron-mlocate +++ b/apparmor.d/cron-mlocate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/mlocate profile cron-mlocate @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, 
@@ -33,5 +33,5 @@ profile cron-mlocate @{exec_path} { @{run}/mlocate.daily.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/cron-popularity-contest b/apparmor.d/cron-popularity-contest index a108f6e1..ec02d612 100644 --- a/apparmor.d/cron-popularity-contest +++ b/apparmor.d/cron-popularity-contest @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/cron.daily/popularity-contest profile cron-popularity-contest @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -66,7 +66,7 @@ profile cron-popularity-contest @{exec_path} { profile savelog { - #include + include /{usr/,}bin/savelog mr, @@ -92,10 +92,10 @@ profile cron-popularity-contest @{exec_path} { } profile runuser { - #include - #include - #include - #include + include + include + include + include /{usr/,}sbin/runuser mr, @@ -116,8 +116,8 @@ profile cron-popularity-contest @{exec_path} { } profile gpg { - #include - #include + include + include /{usr/,}bin/gpg mr, @@ -134,9 +134,9 @@ profile cron-popularity-contest @{exec_path} { } profile popcon-upload { - #include - #include - #include + include + include + include /usr/share/popularity-contest/popcon-upload r, /{usr/,}bin/perl r, @@ -151,5 +151,5 @@ profile cron-popularity-contest @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/crontab b/apparmor.d/crontab index b62c26b6..20956a82 100644 --- a/apparmor.d/crontab +++ b/apparmor.d/crontab @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/crontab profile crontab @{exec_path} { - #include - #include - #include + include + include + include capability setgid, capability setuid, @@ -38,8 +38,8 @@ profile crontab @{exec_path} { profile editor { - #include - #include + include + include capability fsetid, 
@@ -62,5 +62,5 @@ profile crontab @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/curl b/apparmor.d/curl index ecd4b535..18de592f 100644 --- a/apparmor.d/curl +++ b/apparmor.d/curl @@ -9,18 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/curl profile curl @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} mr, @@ -34,5 +39,5 @@ profile curl @{exec_path} { @{PROC}/uptime r, @{PROC}/loadavg r, - #include if exists + include if exists } diff --git a/apparmor.d/dbus-daemon b/apparmor.d/dbus-daemon index 4a126d20..66572400 100644 --- a/apparmor.d/dbus-daemon +++ b/apparmor.d/dbus-daemon @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dbus-daemon profile dbus-daemon @{exec_path} { - #include - #include + include + include capability setgid, capability setuid, @@ -24,6 +24,8 @@ profile dbus-daemon @{exec_path} { signal (receive) set=(term, kill), + network netlink raw, + @{exec_path} mr, /usr/libexec/* rPUx, @@ -40,6 +42,8 @@ profile dbus-daemon @{exec_path} { /usr/share/defaults/**.conf r, + @{sys}/module/apparmor/parameters/enabled r, + @{run}/systemd/users/[0-9]* r, owner @{run}/user/[0-9]*/dbus-1/ rw, owner @{run}/user/[0-9]*/dbus-1/services/ rw, @@ -47,5 +51,5 @@ profile dbus-daemon @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/dconf-editor b/apparmor.d/dconf-editor index 7f83c13d..038c773c 100644 --- a/apparmor.d/dconf-editor +++ b/apparmor.d/dconf-editor 
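Review bot: The new `@{sys}/module/apparmor/parameters/enabled r,` in dbus-daemon (hunk `@@ -40,6 +42,8 @@`) has no comment explaining why the daemon needs it, and its neighbours are D-Bus configuration paths, so it reads as unrelated. It presumably lets dbus-daemon detect whether AppArmor is enabled before applying its own AppArmor-aware bus policy, but that is an inference; a one-line comment such as `# dbus-daemon checks whether AppArmor is enabled before using AppArmor-aware bus policy` would anchor it. The enclosing profile continues outside the hunk.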
@@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dconf-editor profile dconf-editor @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include @{exec_path} mr, @@ -41,5 +41,5 @@ profile dconf-editor @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/dconf-service b/apparmor.d/dconf-service index 29a49a91..54b0b1f6 100644 --- a/apparmor.d/dconf-service +++ b/apparmor.d/dconf-service @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/dconf/dconf-service /usr/libexec/dconf-service profile dconf-service @{exec_path} { - #include + include # Needed? deny capability sys_nice, @@ -34,5 +34,5 @@ profile dconf-service @{exec_path} { @{PROC}/cmdline r, - #include if exists + include if exists } diff --git a/apparmor.d/ddclient b/apparmor.d/ddclient index d9e98a90..04f5fcb8 100644 --- a/apparmor.d/ddclient +++ b/apparmor.d/ddclient @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ddclient profile ddclient @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -35,5 +35,5 @@ profile ddclient @{exec_path} { / r, - #include if exists + include if exists } diff --git a/apparmor.d/debconf-apt-progress b/apparmor.d/debconf-apt-progress index 31b2ffe9..6cfbb1a5 100644 --- a/apparmor.d/debconf-apt-progress +++ b/apparmor.d/debconf-apt-progress 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -29,10 +29,10 @@ profile debconf-apt-progress @{exec_path} flags=(complain) { profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, @@ -54,5 +54,5 @@ profile debconf-apt-progress @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/debconf-show b/apparmor.d/debconf-show index 9ce4281d..1c8e2941 100644 --- a/apparmor.d/debconf-show +++ b/apparmor.d/debconf-show @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/debconf-show profile debconf-show @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -30,5 +30,5 @@ profile debconf-show @{exec_path} { /etc/shadow r, - #include if exists + include if exists } diff --git a/apparmor.d/deborphan b/apparmor.d/deborphan index 9867f070..16006b33 100644 --- a/apparmor.d/deborphan +++ b/apparmor.d/deborphan @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/deborphan profile deborphan @{exec_path} { - #include + include @{exec_path} mr, @@ -27,7 +27,7 @@ profile deborphan @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.synaptic/selections.{update,proceed} w, - #include if exists + include if exists } diff --git a/apparmor.d/debsecan b/apparmor.d/debsecan index f497e94f..fca62406 100644 --- a/apparmor.d/debsecan +++ b/apparmor.d/debsecan 
@@ -9,18 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/debsecan profile debsecan @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -48,5 +53,5 @@ profile debsecan @{exec_path} { # file_inherit /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/debsign b/apparmor.d/debsign index 58cf7d68..b57a96ba 100644 --- a/apparmor.d/debsign +++ b/apparmor.d/debsign @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/debsign profile debsign @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -55,7 +55,7 @@ profile debsign @{exec_path} { /{usr/,}bin/gpg rCx -> gpg, profile gpg { - #include + include /{usr/,}bin/gpg mr, @@ -67,5 +67,5 @@ profile debsign @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/debsums b/apparmor.d/debsums index 068583a0..6eaaeef0 100644 --- a/apparmor.d/debsums +++ b/apparmor.d/debsums @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/debsums profile debsums @{exec_path} { - #include - #include + include + include # Needed to read files owned by other users than root. capability dac_read_search, @@ -39,6 +39,7 @@ profile debsums @{exec_path} { # For shell pwd / r, + /root/ r, # Scanning files /{usr/,}bin/{,*} r, @@ -49,5 +50,5 @@ profile debsums @{exec_path} { /opt/{,**} r, /boot/{,**} r, - #include if exists + include if exists } 
diff --git a/apparmor.d/debtags b/apparmor.d/debtags index 5b2dcb3c..b73cba2e 100644 --- a/apparmor.d/debtags +++ b/apparmor.d/debtags @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/debtags profile debtags @{exec_path} { - #include - #include - #include - #include + include + include + include + include #capability sys_tty_config, @@ -41,5 +41,5 @@ profile debtags @{exec_path} { # file_inherit /var/log/cron-apt/temp w , - #include if exists + include if exists } diff --git a/apparmor.d/deluser b/apparmor.d/deluser index c5e3e08a..52e071ff 100644 --- a/apparmor.d/deluser +++ b/apparmor.d/deluser @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/del{user,group} profile deluser @{exec_path} { - #include - #include - #include - #include + include + include + include + include # The deluser command is issued as root and its task is to delete regular user accounts. It # optionally can remove user files (via --remove-home or --remove-all-files) or create a backup. @@ -53,7 +53,7 @@ profile deluser @{exec_path} { profile mount { - #include + include /{usr/,}bin/mount mr, @@ -63,5 +63,5 @@ profile deluser @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/df b/apparmor.d/df index e0fb0983..7e7256fa 100644 --- a/apparmor.d/df +++ b/apparmor.d/df @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/df profile df @{exec_path} { - #include + include capability dac_read_search, @@ -27,5 +27,5 @@ profile df @{exec_path} { / r, /**/ r, - #include if exists + include if exists } diff --git a/apparmor.d/dfc b/apparmor.d/dfc index 130797a0..e52e0999 100644 --- a/apparmor.d/dfc +++ b/apparmor.d/dfc 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dfc profile dfc @{exec_path} { - #include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile dfc @{exec_path} { owner @{HOME}/.config/dfc/dfcrc r, owner @{HOME}/.dfcrc r, - #include if exists + include if exists } diff --git a/apparmor.d/dhclient b/apparmor.d/dhclient index 462b3814..421667c6 100644 --- a/apparmor.d/dhclient +++ b/apparmor.d/dhclient @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dhclient profile dhclient @{exec_path} { - #include - #include - #include + include + include + include # To remove the following errors: # dhclient[]: Open a socket for LPF: Operation not permitted @@ -31,6 +31,11 @@ profile dhclient @{exec_path} { #capability net_admin, audit deny capability sys_module, + network inet dgram, + network inet6 dgram, + network netlink raw, + network packet raw, + @{exec_path} mr, # To run dhclient scripts @@ -45,5 +50,5 @@ profile dhclient @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, - #include if exists + include if exists } diff --git a/apparmor.d/dhclient-script b/apparmor.d/dhclient-script index 6781ccce..3e69842b 100644 --- a/apparmor.d/dhclient-script +++ b/apparmor.d/dhclient-script @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dhclient-script profile dhclient-script @{exec_path} { - #include - #include - #include - #include + include + include + include + include # Needed? audit deny capability sys_module, @@ -94,7 +94,7 @@ profile dhclient-script @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -105,5 +105,5 @@ profile dhclient-script @{exec_path} { } - #include if exists + include if exists } 
diff --git a/apparmor.d/dig b/apparmor.d/dig index 9f96c499..85c84bfb 100644 --- a/apparmor.d/dig +++ b/apparmor.d/dig @@ -9,15 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dig profile dig @{exec_path} { - #include - #include - #include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} mr, @@ -25,5 +31,5 @@ profile dig @{exec_path} { owner @{HOME}/.digrc r, - #include if exists + include if exists } diff --git a/apparmor.d/dirmngr b/apparmor.d/dirmngr index b125fe6e..000504a8 100644 --- a/apparmor.d/dirmngr +++ b/apparmor.d/dirmngr @@ -9,15 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dirmngr profile dirmngr @{exec_path} { - #include - #include - #include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} mr, @@ -34,5 +39,5 @@ profile dirmngr @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, - #include if exists + include if exists } diff --git a/apparmor.d/discord b/apparmor.d/discord index c1722280..83790ded 100644 --- a/apparmor.d/discord +++ b/apparmor.d/discord @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{DISCORD_LIBDIR} = /usr/share/discord @{DISCORD_HOMEDIR} = @{HOME}/.config/discord 
@@ -19,19 +19,19 @@ @{exec_path} = @{DISCORD_LIBDIR}/Discord /{usr/,}bin/discord profile discord @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) set=(kill, term) peer=@{profile_name}//lsb_release, @@ -39,6 +39,12 @@ profile discord @{exec_path} { deny capability sys_ptrace, deny ptrace (read), + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, # The following rules are needed only when the kernel.unprivileged_userns_clone option is set @@ -138,8 +144,8 @@ profile discord @{exec_path} { profile xdg-mime { - #include - #include + include + include /{usr/,}bin/xdg-mime mr, @@ -160,9 +166,9 @@ profile discord @{exec_path} { } profile lsb_release { - #include - #include - #include + include + include + include signal (receive) set=(kill, term) peer=discord, @@ -188,8 +194,8 @@ profile discord @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -205,5 +211,5 @@ profile discord @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/discord-chrome-sandbox b/apparmor.d/discord-chrome-sandbox index b839c189..5a3cb972 100644 --- a/apparmor.d/discord-chrome-sandbox +++ b/apparmor.d/discord-chrome-sandbox @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{DISCORD_LIBDIR} = /usr/share/discord @{DISCORD_HOMEDIR} = @{HOME}/.config/discord @@ -20,8 +20,8 @@ @{exec_path} = @{DISCORD_LIBDIR}/chrome-sandbox profile discord-chrome-sandbox @{exec_path} { - #include - #include + include + include # For kernel unprivileged user namespaces capability sys_admin, 
@@ -43,5 +43,5 @@ profile discord-chrome-sandbox @{exec_path} { @{PROC}/@{pids}/ r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - #include if exists + include if exists } diff --git a/apparmor.d/dkms b/apparmor.d/dkms index d5733489..6a70947d 100644 --- a/apparmor.d/dkms +++ b/apparmor.d/dkms @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dkms profile dkms @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -93,8 +93,8 @@ profile dkms @{exec_path} { profile kmod { - #include - #include + include + include /{usr/,}bin/kmod mr, @@ -107,5 +107,5 @@ profile dkms @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/dkms-autoinstaller b/apparmor.d/dkms-autoinstaller index fd4288aa..a65dbbd9 100644 --- a/apparmor.d/dkms-autoinstaller +++ b/apparmor.d/dkms-autoinstaller @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/dkms/dkms_autoinstaller profile dkms-autoinstaller @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -34,12 +34,12 @@ profile dkms-autoinstaller @{exec_path} { profile run-parts { - #include - #include + include + include /{usr/,}bin/run-parts mr, } - #include if exists + include if exists } diff --git a/apparmor.d/dlocate b/apparmor.d/dlocate index c36987db..4f5fbe9c 100644 --- a/apparmor.d/dlocate +++ b/apparmor.d/dlocate @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dlocate profile dlocate @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} rix, /{usr/,}bin/{,ba,da}sh rix, 
@@ -58,7 +58,7 @@ profile dlocate @{exec_path} { profile md5sum { - #include + include /{usr/,}bin/md5sum mr, @@ -68,5 +68,5 @@ profile dlocate @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/dmcrypt-get-device b/apparmor.d/dmcrypt-get-device index dca3663e..ce86e8fb 100644 --- a/apparmor.d/dmcrypt-get-device +++ b/apparmor.d/dmcrypt-get-device @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/eject/dmcrypt-get-device profile dmcrypt-get-device @{exec_path} flags=(complain) { - #include + include capability sys_admin, capability setgid, @@ -28,5 +28,5 @@ profile dmcrypt-get-device @{exec_path} flags=(complain) { /dev/mapper/control rw, - #include if exists + include if exists } diff --git a/apparmor.d/dmesg b/apparmor.d/dmesg index 130ffb36..d36b5d77 100644 --- a/apparmor.d/dmesg +++ b/apparmor.d/dmesg @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dmesg profile dmesg @{exec_path} { - #include + include capability syslog, @@ -23,5 +23,5 @@ profile dmesg @{exec_path} { /dev/kmsg r, - #include if exists + include if exists } diff --git a/apparmor.d/dmidecode b/apparmor.d/dmidecode index 03a34fab..9833adb2 100644 --- a/apparmor.d/dmidecode +++ b/apparmor.d/dmidecode @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dmidecode profile dmidecode @{exec_path} { - #include + include @{exec_path} mr, @@ -30,5 +30,5 @@ profile dmidecode @{exec_path} { # For dumping the output to a file owner /tmp/dump.bin rw, - #include if exists + include if exists } diff --git a/apparmor.d/dnscrypt-proxy b/apparmor.d/dnscrypt-proxy index 770b2c20..56b95e82 100644 --- a/apparmor.d/dnscrypt-proxy +++ b/apparmor.d/dnscrypt-proxy 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dnscrypt-proxy profile dnscrypt-proxy @{exec_path} { - #include - #include - #include + include + include + include # To bind to the 53 tcp/udp port (when systemd's sockets aren't used). capability net_bind_service, @@ -26,6 +26,14 @@ profile dnscrypt-proxy @{exec_path} { capability setgid, capability setuid, + # Needed? + capability net_admin, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + @{exec_path} mrix, # dnscrypt-proxy config files @@ -70,5 +78,5 @@ profile dnscrypt-proxy @{exec_path} { # Needed? deny /etc/ssl/certs/java/ r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg b/apparmor.d/dpkg index f52e3b83..ee55b789 100644 --- a/apparmor.d/dpkg +++ b/apparmor.d/dpkg @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg profile dpkg @{exec_path} { - #include - #include + include + include # To set proper ownership/permissions of installed files. capability chown, @@ -116,8 +116,8 @@ profile dpkg @{exec_path} { profile diff { - #include - #include + include + include /{usr/,}bin/ r, /{usr/,}bin/pager mr, @@ -136,7 +136,7 @@ profile dpkg @{exec_path} { } profile scripts { - #include + include /var/lib/dpkg/info/*.config r, /var/lib/dpkg/info/*.{preinst,postinst} r, @@ -152,5 +152,5 @@ profile dpkg @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-architecture b/apparmor.d/dpkg-architecture index b72e69f2..2a193622 100644 --- a/apparmor.d/dpkg-architecture +++ b/apparmor.d/dpkg-architecture 
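Review bot: The new `capability net_admin,` in the dnscrypt-proxy hunk is justified only by `# Needed?`, yet it is the broadest privilege the profile grants: CAP_NET_ADMIN covers interface, routing and firewall configuration, none of which binding port 53 or answering queries requires (the surrounding `net_bind_service`, `setgid`, `setuid` already cover the daemon's known needs). For an internet-facing resolver, speculative capabilities should stay commented until an audit denial proves them necessary, matching how the other profiles in this commit treat uncertain rules, so I would keep it as `#capability net_admin,` and record the denial that motivates it when it appears. The four `network inet/inet6 stream/dgram` grants look correct for a DNS proxy. The profile body continues outside this hunk.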
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-architecture profile dpkg-architecture @{exec_path} { - #include - #include + include + include @{exec_path} r, /usr/bin/perl r, @@ -33,7 +33,7 @@ profile dpkg-architecture @{exec_path} { profile ccache { - #include + include /{usr/,}bin/ccache mr, @@ -43,5 +43,5 @@ profile dpkg-architecture @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-buildflags b/apparmor.d/dpkg-buildflags index d6b657e6..0d0c5656 100644 --- a/apparmor.d/dpkg-buildflags +++ b/apparmor.d/dpkg-buildflags @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-buildflags profile dpkg-buildflags @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -28,5 +28,5 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { owner @{HOME}/.config/dpkg/buildflags.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-checkbuilddeps b/apparmor.d/dpkg-checkbuilddeps index 19458871..b7dbf390 100644 --- a/apparmor.d/dpkg-checkbuilddeps +++ b/apparmor.d/dpkg-checkbuilddeps @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -33,5 +33,5 @@ profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { # For package building owner @{BUILD_DIR}/**/debian/control r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-deb b/apparmor.d/dpkg-deb index 01fed462..b89baef5 100644 --- a/apparmor.d/dpkg-deb +++ b/apparmor.d/dpkg-deb 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dpkg-deb profile dpkg-deb @{exec_path} { - #include - #include - #include + include + include + include #capability sys_tty_config, @@ -45,5 +45,5 @@ profile dpkg-deb @{exec_path} { # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-divert b/apparmor.d/dpkg-divert index fb055b86..714c6ca6 100644 --- a/apparmor.d/dpkg-divert +++ b/apparmor.d/dpkg-divert @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-divert profile dpkg-divert @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -28,5 +28,5 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-genbuildinfo b/apparmor.d/dpkg-genbuildinfo index 9ebccdd2..67a2959c 100644 --- a/apparmor.d/dpkg-genbuildinfo +++ b/apparmor.d/dpkg-genbuildinfo @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dpkg-genbuildinfo profile dpkg-genbuildinfo @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -42,5 +42,5 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) { /usr/local/include/ r, /usr/local/etc/ r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-genchanges b/apparmor.d/dpkg-genchanges index beb3e079..a96c4971 100644 --- a/apparmor.d/dpkg-genchanges +++ b/apparmor.d/dpkg-genchanges 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dpkg-genchanges profile dpkg-genchanges @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -31,5 +31,5 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { # For package building owner @{BUILD_DIR}/** r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-preconfigure b/apparmor.d/dpkg-preconfigure index 914c0e61..35686aeb 100644 --- a/apparmor.d/dpkg-preconfigure +++ b/apparmor.d/dpkg-preconfigure @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/dpkg-preconfigure profile dpkg-preconfigure @{exec_path} { - #include - #include - #include - #include + include + include + include + include #capability sys_tty_config, @@ -44,10 +44,10 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -56,5 +56,5 @@ profile dpkg-preconfigure @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-query b/apparmor.d/dpkg-query index 1e13965a..8b77827b 100644 --- a/apparmor.d/dpkg-query +++ b/apparmor.d/dpkg-query @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-query profile dpkg-query @{exec_path} { - #include - #include + include + include @{exec_path} mr, 
@@ -31,5 +31,5 @@ profile dpkg-query @{exec_path} { # file_inherit /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-split b/apparmor.d/dpkg-split index 39fad099..539672b3 100644 --- a/apparmor.d/dpkg-split +++ b/apparmor.d/dpkg-split @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dpkg-split profile dpkg-split @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -32,5 +32,5 @@ profile dpkg-split @{exec_path} { # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-trigger b/apparmor.d/dpkg-trigger index 71fece4c..ce4de753 100644 --- a/apparmor.d/dpkg-trigger +++ b/apparmor.d/dpkg-trigger @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-trigger profile dpkg-trigger @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -25,5 +25,5 @@ profile dpkg-trigger @{exec_path} { /var/lib/dpkg/triggers/ r, /var/lib/dpkg/triggers/Unincorp{,.new} rw, - #include if exists + include if exists } diff --git a/apparmor.d/dpkg-vendor b/apparmor.d/dpkg-vendor index 439c9ee7..5060d6f5 100644 --- a/apparmor.d/dpkg-vendor +++ b/apparmor.d/dpkg-vendor @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dpkg-vendor profile dpkg-vendor @{exec_path} { - #include - #include + include + include @{exec_path} r, /usr/bin/perl r, /etc/dpkg/origins/* r, - #include if exists + include if exists } diff --git a/apparmor.d/dropbox b/apparmor.d/dropbox index 5a40b872..95e1f55b 100644 --- a/apparmor.d/dropbox +++ b/apparmor.d/dropbox 
@@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{DROPBOX_DEMON_DIR}=@{HOME}/.dropbox-dist/ @{DROPBOX_HOME_DIR}=@{HOME}/.dropbox/ @@ -19,18 +19,18 @@ @{exec_path} = /{usr/,}bin/dropbox profile dropbox @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include ptrace peer=@{profile_name}, @@ -130,8 +130,8 @@ profile dropbox @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -147,5 +147,5 @@ profile dropbox @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/dumpcap b/apparmor.d/dumpcap index 2eddf5f0..86fcd69b 100644 --- a/apparmor.d/dumpcap +++ b/apparmor.d/dumpcap @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dumpcap profile dumpcap @{exec_path} { - #include + include # To capture packekts capability net_raw, @@ -23,6 +23,13 @@ profile dumpcap @{exec_path} { signal (receive) peer=wireshark, + network inet dgram, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + network bluetooth raw, + @{exec_path} mr, @{sys}/class/net/ r, @@ -36,7 +43,7 @@ profile dumpcap @{exec_path} { /dev/ r, # Traffic log files - owner /tmp/wireshark_*_[0-9]*_*.pcapng rw, + owner /tmp/wireshark_*.pcapng rw, owner /tmp/*.pcap rw, # file_inherit @@ -44,5 +51,5 @@ profile dumpcap @{exec_path} { /usr/share/GeoIP/* r, /dev/dri/card[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/dumpe2fs b/apparmor.d/dumpe2fs index 0abb92a0..91cc5c63 100644 --- a/apparmor.d/dumpe2fs +++ b/apparmor.d/dumpe2fs 
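Review bot: The dropbox profile is moved to the new abi in this hunk but, unlike the sibling profiles in this commit (debsecan, dig, dirmngr, discord), receives no `network` rules, so if the new abi enables network mediation and none of the included abstractions grants sockets, the client's outbound connections will be denied once the policy is enforced. The include targets are not legible in this rendering, so this may already be covered; please confirm by loading the profile and checking for `family="inet"` denials, and add `network inet stream,` / `network inet6 stream,` with a short comment if they appear. The profile body continues outside this hunk.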
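Review bot: The `network bluetooth raw,` grant in the dumpcap hunk is unexplained and, together with the existing `capability net_raw`, lets dumpcap open Bluetooth HCI sockets in addition to Ethernet packet sockets; if it was added only from an audit entry produced when Wireshark enumerated interfaces, it should be stated, and if Bluetooth capture is not a goal it should be dropped. A comment such as `# Needed only for Bluetooth HCI capture; drop if unused` would make the decision reviewable. The other additions (`packet dgram/raw`, `netlink raw`, `inet/inet6 dgram`) are consistent with a libpcap capture helper. Note also that in the following hunk `owner /tmp/wireshark_*_[0-9]*_*.pcapng rw,` is relaxed to `owner /tmp/wireshark_*.pcapng rw,`; `owner` still bounds it, and `*` does not cross `/`, so the widening is limited, but a one-line reason would help.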
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{dumpe2fs,e2mmpstatus} profile dumpe2fs @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -28,5 +28,5 @@ profile dumpe2fs @{exec_path} { @{HOME}/** r, /media/*/** r, - #include if exists + include if exists } diff --git a/apparmor.d/e2fsck b/apparmor.d/e2fsck index 11005abb..5e713e50 100644 --- a/apparmor.d/e2fsck +++ b/apparmor.d/e2fsck @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{e2fsck,fsck.ext2,fsck.ext3,fsck.ext4} profile e2fsck @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -39,5 +39,5 @@ profile e2fsck @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/e2image b/apparmor.d/e2image index ceaf29be..55684bc6 100644 --- a/apparmor.d/e2image +++ b/apparmor.d/e2image @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/e2image profile e2image @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -30,5 +30,5 @@ profile e2image @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/edid-decode b/apparmor.d/edid-decode index 31074dad..02a75aab 100644 --- a/apparmor.d/edid-decode +++ b/apparmor.d/edid-decode 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/edid-decode profile edid-decode @{exec_path} { - #include + include @{exec_path} mr, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/*/edid r, - #include if exists + include if exists } diff --git a/apparmor.d/eject b/apparmor.d/eject index 424d1dce..15259941 100644 --- a/apparmor.d/eject +++ b/apparmor.d/eject @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/eject profile eject @{exec_path} { - #include - #include + include + include capability sys_rawio, @@ -31,5 +31,5 @@ profile eject @{exec_path} { /etc/fstab r, - #include if exists + include if exists } diff --git a/apparmor.d/engrampa b/apparmor.d/engrampa index 5c6fd20b..7650fa95 100644 --- a/apparmor.d/engrampa +++ b/apparmor.d/engrampa @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/engrampa profile engrampa @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -90,8 +90,8 @@ profile engrampa @{exec_path} { profile open { - #include - #include + include + include /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, /{usr/,}bin/xdg-open mr, @@ -111,5 +111,5 @@ profile engrampa @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/execute-dcut b/apparmor.d/execute-dcut index 28af931a..8596db4d 100644 --- a/apparmor.d/execute-dcut +++ b/apparmor.d/execute-dcut 
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/dcut /usr/share/dput/execute-dcut profile execute-dcut @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - #include if exists + include if exists } diff --git a/apparmor.d/execute-dput b/apparmor.d/execute-dput index c3614651..d65c5a17 100644 --- a/apparmor.d/execute-dput +++ b/apparmor.d/execute-dput @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/dput /usr/share/dput/execute-dput profile execute-dput @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -48,7 +48,7 @@ profile execute-dput @{exec_path} flags=(complain) { profile gpg { - #include + include /{usr/,}bin/gpgconf mr, /{usr/,}bin/gpg mr, @@ -59,5 +59,5 @@ profile execute-dput @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/exim4 b/apparmor.d/exim4 index c68ebf3e..17477a37 100644 --- a/apparmor.d/exim4 +++ b/apparmor.d/exim4 @@ -9,15 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/exim4 profile exim4 @{exec_path} { - #include - #include - #include + include + include + include + + network inet, + network inet6, + network netlink raw, @{exec_path} mrix, @@ -60,5 +64,5 @@ profile exim4 @{exec_path} { /var/lib/dpkg/status r, /var/log/cron-apt/lastfullmessage r, - #include if exists + include if exists } diff --git a/apparmor.d/exo-compose-mail b/apparmor.d/exo-compose-mail index b23968b8..fde8fc5e 100644 --- a/apparmor.d/exo-compose-mail +++ b/apparmor.d/exo-compose-mail 
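Review bot: In the exim4 hunk `network inet,` and `network inet6,` are unqualified, which also admits raw sockets, whereas every other profile in this commit enumerates `stream` and `dgram`; an MTA should need TCP for SMTP and UDP (plus TCP) for DNS, not raw sockets. I would replace the two lines with the qualified forms `network inet stream,` / `network inet dgram,` and the matching `network inet6 stream,` / `network inet6 dgram,`, and re-test delivery and lookups to confirm nothing else is denied. The `network netlink raw,` grant is in line with the sibling profiles. The profile body continues outside this hunk.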
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/xfce4/exo/exo-compose-mail profile exo-compose-mail @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -26,5 +26,5 @@ profile exo-compose-mail @{exec_path} { /{usr/,}lib/thunderbird/thunderbird rPx, /{usr/,}lib/thunderbird/thunderbird-bin rPx, - #include if exists + include if exists } diff --git a/apparmor.d/exo-helper b/apparmor.d/exo-helper index b755212f..cb5c3468 100644 --- a/apparmor.d/exo-helper +++ b/apparmor.d/exo-helper @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/exo-[0-9]/exo-helper-[0-9] profile exo-helper @{exec_path} { - #include - #include - #include + include + include + include # These are needed when there's no default application set in the ~/.config/xfce4/helpers.rc - #include - #include - #include - #include + include + include + include + include @{exec_path} mr, @@ -59,5 +59,5 @@ profile exo-helper @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/exo-open b/apparmor.d/exo-open index 78c1e063..13482a26 100644 --- a/apparmor.d/exo-open +++ b/apparmor.d/exo-open @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/exo-open profile exo-open @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include @{exec_path} mr, @@ -34,5 +34,5 @@ profile exo-open @{exec_path} { /** r, owner /** rw, - #include if exists + include if exists } diff --git a/apparmor.d/f3brew b/apparmor.d/f3brew index 24953544..db18ff2d 100644 --- a/apparmor.d/f3brew +++ b/apparmor.d/f3brew 
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/f3brew profile f3brew @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/f3fix b/apparmor.d/f3fix index e8a2a767..f07abc2e 100644 --- a/apparmor.d/f3fix +++ b/apparmor.d/f3fix @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/f3fix profile f3fix @{exec_path} { - #include - #include + include + include # To remove the following errors: # Error: Partition(s) * on /dev/sdb have been written, but we have been unable to inform the @@ -42,7 +42,7 @@ profile f3fix @{exec_path} { @{PROC}/swaps r, profile udevadm { - #include + include ptrace (read), @@ -65,6 +65,6 @@ profile f3fix @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/f3probe b/apparmor.d/f3probe index 06969769..c9f5d15e 100644 --- a/apparmor.d/f3probe +++ b/apparmor.d/f3probe @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/f3probe profile f3probe @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/f3read b/apparmor.d/f3read index 6d065cec..f135264a 100644 --- a/apparmor.d/f3read +++ b/apparmor.d/f3read @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/f3read profile f3read @{exec_path} { - #include + include @{exec_path} mr, @@ -27,6 +27,6 @@ profile f3read @{exec_path} { /media/*/[0-9]*.h2w r, /media/*/*/[0-9]*.h2w r, - #include if exists + include if exists } diff --git a/apparmor.d/f3write b/apparmor.d/f3write index 276adb7e..0ca7c0dd 100644 
--- a/apparmor.d/f3write +++ b/apparmor.d/f3write @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/f3write profile f3write @{exec_path} { - #include + include # The f3write doesn't have to be started as root, but when it's started as root, the following # CAP is needed in order to write to the user owned USB drives (e.g. mounted via udisks). @@ -31,6 +31,6 @@ profile f3write @{exec_path} { owner /media/*/[0-9]*.h2w w, owner /media/*/*/[0-9]*.h2w w, - #include if exists + include if exists } diff --git a/apparmor.d/fatlabel b/apparmor.d/fatlabel index 65d4108b..7ae626c7 100644 --- a/apparmor.d/fatlabel +++ b/apparmor.d/fatlabel @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/fatlabel profile fatlabel @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/fatresize b/apparmor.d/fatresize index 28c5e643..c9a5fa37 100644 --- a/apparmor.d/fatresize +++ b/apparmor.d/fatresize @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/fatresize profile fatresize @{exec_path} { - #include - #include + include + include # Needed to inform the system of newly created/removed partitions # ioctl(3, BLKFLSBUF) = -1 EACCES (Permission denied) @@ -41,7 +41,7 @@ profile fatresize @{exec_path} { profile udevadm { - #include + include ptrace (read), @@ -64,5 +64,5 @@ profile fatresize @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/fc-list b/apparmor.d/fc-list index 59831ccf..b710467b 100644 --- a/apparmor.d/fc-list +++ b/apparmor.d/fc-list 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fc-list profile fc-list @{exec_path} { - #include - #include - #include + include + include + include /{usr/,}bin/fc-list mr, - #include if exists + include if exists } diff --git a/apparmor.d/fdisk b/apparmor.d/fdisk index b21b465c..e8bcad45 100644 --- a/apparmor.d/fdisk +++ b/apparmor.d/fdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/fdisk profile fdisk @{exec_path} { - #include - #include + include + include # Needed to inform the system of newly created/removed partitions # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) @@ -42,5 +42,5 @@ profile fdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/ffmpeg b/apparmor.d/ffmpeg index 6a74fc06..1f714b0d 100644 --- a/apparmor.d/ffmpeg +++ b/apparmor.d/ffmpeg @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -51,13 +51,13 @@ @{exec_path} = /{usr/,}bin/ffmpeg profile ffmpeg @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include @{exec_path} mr, @@ -85,5 +85,5 @@ profile ffmpeg @{exec_path} { # TMP files for apps using ffmpeg owner /tmp/vidcutter/** rw, - #include if exists + include if exists } diff --git a/apparmor.d/ffplay b/apparmor.d/ffplay index 9857e994..4dfb053a 100644 --- a/apparmor.d/ffplay +++ b/apparmor.d/ffplay 
@@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -46,11 +46,11 @@ @{exec_path} = /{usr/,}bin/ffplay profile ffplay @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include @{exec_path} mr, @@ -69,5 +69,5 @@ profile ffplay @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]/meminfo r, - #include if exists + include if exists } diff --git a/apparmor.d/ffprobe b/apparmor.d/ffprobe index fb3cbbaa..3194bb25 100644 --- a/apparmor.d/ffprobe +++ b/apparmor.d/ffprobe @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -46,9 +46,9 @@ @{exec_path} = /{usr/,}bin/ffprobe profile ffprobe @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -64,5 +64,5 @@ profile ffprobe @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]/meminfo r, - #include if exists + include if exists } diff --git a/apparmor.d/filecap b/apparmor.d/filecap index f36c4f5c..e452321c 100644 --- a/apparmor.d/filecap +++ b/apparmor.d/filecap @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/filecap profile filecap @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -35,5 +35,5 @@ profile filecap @{exec_path} { #/ r, #/** r, - #include if exists + include if exists } diff --git a/apparmor.d/filezilla b/apparmor.d/filezilla index 1ac8643a..a86b89cf 100644 --- a/apparmor.d/filezilla +++ b/apparmor.d/filezilla 
@@ -9,20 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/filezilla profile filezilla @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=fzsftp, @@ -75,5 +75,5 @@ profile filezilla @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/firefox b/apparmor.d/firefox index 46d790a6..27f482be 100644 --- a/apparmor.d/firefox +++ b/apparmor.d/firefox @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} @{MOZ_HOMEDIR} = @{HOME}/.mozilla @@ -19,28 +19,33 @@ @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr} profile firefox @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include ##include - ptrace peer=@{profile_name}, signal (send) set=(term, kill) peer=keepassxc-proxy, signal (send) set=(term, kill) peer=firefox-*, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, # The following rules are needed only when the kernel.unprivileged_userns_clone option is set @@ -184,8 +189,8 @@ profile firefox @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}bin/exo-open mr, @@ -215,5 +220,5 @@ profile firefox @{exec_path} { } - #include if exists + include if exists } 
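Review bot: Dropping `ptrace peer=@{profile_name},` in the `@@ -19,28 +19,33 @@` hunk of apparmor.d/firefox is the only non-mechanical removal in this file and nothing in the commit message or a comment explains it; if the rule is obsolete under abi 3.0 a one-line comment saying so would help, otherwise it should be restored next to the `signal (send)` rules. The five `network` rules added in the same hunk also carry no comment on why they became necessary (presumably because the new `abi` line enables network mediation), and the same applies to the network additions in flameshot, fping, freetube, gajim, ganyremote, git and google-chrome-chrome; a short remark such as `# network mediation is enforced under abi 3.0` at each block, or once in the repository README, would document the change.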
diff --git a/apparmor.d/firefox-crashreporter b/apparmor.d/firefox-crashreporter index 8ab31288..ae02c44e 100644 --- a/apparmor.d/firefox-crashreporter +++ b/apparmor.d/firefox-crashreporter @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{MOZ_LIBDIR} = /{usr/,}lib/firefox @{MOZ_HOMEDIR} = @{HOME}/.mozilla @@ -19,12 +19,12 @@ @{exec_path} = @{MOZ_LIBDIR}/crashreporter profile firefox-crashreporter @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include signal (receive) set=(term, kill) peer=firefox, @@ -60,5 +60,5 @@ profile firefox-crashreporter @{exec_path} { owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/firefox-minidump-analyzer b/apparmor.d/firefox-minidump-analyzer index 51adaa16..b1b16516 100644 --- a/apparmor.d/firefox-minidump-analyzer +++ b/apparmor.d/firefox-minidump-analyzer @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{MOZ_LIBDIR} = /{usr/,}lib/firefox @{MOZ_HOMEDIR} = @{HOME}/.mozilla @@ -19,8 +19,8 @@ @{exec_path} = /{usr/,}lib/firefox/minidump-analyzer profile firefox-minidump-analyzer @{exec_path} { - #include - #include + include + include signal (receive) set=(term, kill) peer=firefox, @@ -43,5 +43,5 @@ profile firefox-minidump-analyzer @{exec_path} { owner @{HOME}/.xsession-errors w, owner @{HOME}/.mozilla/firefox/m-oyw579q8.default/extensions/*.xpi r, - #include if exists + include if exists } diff --git a/apparmor.d/firefox-pingsender b/apparmor.d/firefox-pingsender index 3250d4a0..84fab49e 100644 --- a/apparmor.d/firefox-pingsender +++ b/apparmor.d/firefox-pingsender 
@@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{MOZ_LIBDIR} = /{usr/,}lib/firefox @{MOZ_HOMEDIR} = @{HOME}/.mozilla @@ -19,11 +19,11 @@ @{exec_path} = @{MOZ_LIBDIR}/pingsender profile firefox-pingsender @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include signal (receive) set=(term, kill) peer=firefox, @@ -34,5 +34,5 @@ profile firefox-pingsender @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/firefox-plugin-container b/apparmor.d/firefox-plugin-container index f4d375ce..2b256b14 100644 --- a/apparmor.d/firefox-plugin-container +++ b/apparmor.d/firefox-plugin-container @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} @{MOZ_HOMEDIR} = @{HOME}/.mozilla @@ -19,11 +19,11 @@ @{exec_path} = @{MOZ_LIBDIR}/plugin-container profile firefox-plugin-container @{exec_path} { - #include + include signal (receive) set=(term, kill) peer=firefox, @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/firejail-default b/apparmor.d/firejail-default index e396ae7d..aaf72597 100644 --- a/apparmor.d/firejail-default +++ b/apparmor.d/firejail-default @@ -4,7 +4,7 @@ # AppArmor 3.0 uses the @{run} variable in # and . -#include +include ########## # A simple PID declaration based on Ubuntu's @{pid} 
@@ -14,14 +14,14 @@ ########## @{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]} -profile firejail-default flags=(attach_disconnected,mediate_deleted) { +profile firejail-default flags=(attach_disconnected, complain, mediate_deleted) { ########## # Allow D-Bus access. It may negatively affect security. Comment those lines or # use 'nodbus' option in profile if you don't need D-Bus functionality. ########## -#include -#include +include +include dbus, # Add rule in order to avoid dbus-*=filter breakage (#3432) owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w, @@ -161,5 +161,5 @@ capability setfcap, #capability mac_admin, # Site-specific additions and overrides. See local/README for details. -#include +include } diff --git a/apparmor.d/flameshot b/apparmor.d/flameshot index 8e823bf4..f9f1daf8 100644 --- a/apparmor.d/flameshot +++ b/apparmor.d/flameshot @@ -9,28 +9,35 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/flameshot profile flameshot @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + network netlink dgram, @{exec_path} mr, @@ -72,8 +79,8 @@ profile flameshot @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -88,5 +95,5 @@ profile flameshot @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/fping b/apparmor.d/fping index 9d6bdffd..3250d284 100644 --- a/apparmor.d/fping 
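Review bot: Adding `complain` to the profile flags in the `@@ -14,14 +14,14 @@` hunk of apparmor.d/firejail-default, `profile firejail-default flags=(attach_disconnected, complain, mediate_deleted) {`, switches the whole firejail confinement to log-only mode, so every application sandboxed through this profile loses AppArmor enforcement while the rest of the commit is a mechanical `#include` to `include` conversion. If this was a debugging aid it should not ship in a commit described as "update profiles for apparmor3"; drop the flag, or if it is deliberate state the reason and the intended duration in a comment directly above the profile line.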
+++ b/apparmor.d/fping @@ -9,21 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fping{,6} profile fping @{exec_path} { - #include - #include + include + include # This CAP can be blocked when the net.ipv4.ping_group_range sysctl parametr is set. Otherwise it # will return the following error: # fping: can't create socket (must run as root?) deny capability net_raw, + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/freetube b/apparmor.d/freetube index 95519c28..e134c2a7 100644 --- a/apparmor.d/freetube +++ b/apparmor.d/freetube @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{FT_LIBDIR} = /{usr/,}lib/freetube @{FT_LIBDIR} += /{usr/,}lib/freetube-vue @@ -20,20 +20,20 @@ @{exec_path} = @{FT_LIBDIR}/freetube{,-vue} profile freetube @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". @@ -43,6 +43,12 @@ profile freetube @{exec_path} { owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/uid_map w, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, @{FT_LIBDIR}/ r, 
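Review bot: `network inet raw,` and `network inet6 raw,` added directly under `deny capability net_raw,` in the `@@ -9,21 +9,26 @@` hunk of apparmor.d/fping look contradictory: a raw socket cannot be created without CAP_NET_RAW, so the two new rules either never take effect or only matter if the deny is later removed. If the intent is to let the raw-socket attempt reach the quietly denied capability check so fping falls back to ICMP datagram sockets without a logged network denial, that deserves a comment next to the rules, e.g. `# raw sockets are attempted first; the quiet net_raw deny makes fping fall back to dgram ICMP`; otherwise drop the two raw rules.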
@@ -61,7 +67,7 @@ profile freetube @{exec_path} { owner /tmp/.org.chromium.Chromium.*/ rw, owner /tmp/.org.chromium.Chromium.*/SingletonCookie w, owner /tmp/.org.chromium.Chromium.*/SS w, - owner /tmp/.org.chromium.Chromium.* w, + owner /tmp/.org.chromium.Chromium.* rw, owner /tmp/net-export/ rw, /dev/shm/ r, @@ -106,6 +112,8 @@ profile freetube @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + owner @{run}/user/[0-9]*/ r, + # no new privs /{usr/,}bin/xdg-settings rPx, @@ -119,8 +127,8 @@ profile freetube @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -136,5 +144,5 @@ profile freetube @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/freetube-chrome-sandbox b/apparmor.d/freetube-chrome-sandbox index eefd5fdb..abd3704d 100644 --- a/apparmor.d/freetube-chrome-sandbox +++ b/apparmor.d/freetube-chrome-sandbox @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{FT_LIBDIR} = /{usr/,}lib/freetube @{FT_LIBDIR} += /{usr/,}lib/freetube-vue @@ -20,9 +20,9 @@ @{exec_path} = @{FT_LIBDIR}/chrome-sandbox profile freetube-chrome-sandbox @{exec_path} { - #include - #include - #include + include + include + include capability sys_admin, capability setgid, @@ -38,5 +38,5 @@ profile freetube-chrome-sandbox @{exec_path} { owner @{PROC}/@{pid}/oom_{,score_}adj r, deny owner @{PROC}/@{pid}/oom_{,score_}adj w, - #include if exists + include if exists } diff --git a/apparmor.d/frontend b/apparmor.d/frontend index 8a8ef23d..d845967d 100644 --- a/apparmor.d/frontend +++ b/apparmor.d/frontend @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/debconf/frontend profile frontend @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include #capability sys_tty_config, 
@@ -70,10 +70,10 @@ profile frontend @{exec_path} flags=(complain) { /etc/shadow r, # The following is needed when debconf uses GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -86,8 +86,8 @@ profile frontend @{exec_path} flags=(complain) { profile scripts flags=(complain) { - #include - #include + include + include # What's this for? (#FIXME#) capability dac_read_search, @@ -126,5 +126,5 @@ profile frontend @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/fsck b/apparmor.d/fsck index 97b6a11a..4d283713 100644 --- a/apparmor.d/fsck +++ b/apparmor.d/fsck @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/fsck profile fsck @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -39,5 +39,5 @@ profile fsck @{exec_path} { owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - #include if exists + include if exists } diff --git a/apparmor.d/fsck-btrfs b/apparmor.d/fsck-btrfs index 0a1e7abf..1802923d 100644 --- a/apparmor.d/fsck-btrfs +++ b/apparmor.d/fsck-btrfs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/fsck.btrfs profile fsck-btrfs @{exec_path} { - #include + include @{exec_path} r, @@ -23,5 +23,5 @@ profile fsck-btrfs @{exec_path} { /etc/fstab r, - #include if exists + include if exists } diff --git a/apparmor.d/fsck-fat b/apparmor.d/fsck-fat index a3b23d99..53b55246 100644 --- a/apparmor.d/fsck-fat +++ b/apparmor.d/fsck-fat 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{fsck.fat,fsck.msdos,fsck.vfat,dosfsck} profile fsck-fat @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile fsck-fat @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/fuseiso b/apparmor.d/fuseiso index 974525c1..12abbed1 100644 --- a/apparmor.d/fuseiso +++ b/apparmor.d/fuseiso @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fuseiso profile fuseiso @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -41,5 +41,5 @@ profile fuseiso @{exec_path} { /dev/fuse rw, - #include if exists + include if exists } diff --git a/apparmor.d/fusermount b/apparmor.d/fusermount index 79aafa25..457a89f7 100644 --- a/apparmor.d/fusermount +++ b/apparmor.d/fusermount @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fusermount{,3} profile fusermount @{exec_path} { - #include - #include + include + include # To mount anything: # fusermount: mount failed: Operation not permitted @@ -59,5 +59,5 @@ profile fusermount @{exec_path} { @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/fwupd b/apparmor.d/fwupd index 8286a096..758309f3 100644 --- a/apparmor.d/fwupd +++ b/apparmor.d/fwupd 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd profile fwupd @{exec_path} flags=(complain,attach_disconnected) { - #include - #include + include + include # This is needed in order to read/write from/to the /dev/tpm0 , device which is owned by tss:tss capability dac_override, @@ -69,7 +69,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { profile gpg { - #include + include /{usr/,}bin/gpg mr, /{usr/,}bin/gpgconf mr, @@ -80,5 +80,5 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { } - #include if exists + include if exists } diff --git a/apparmor.d/fwupdmgr b/apparmor.d/fwupdmgr index 0ad1aaaa..7d261661 100644 --- a/apparmor.d/fwupdmgr +++ b/apparmor.d/fwupdmgr @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fwupdmgr profile fwupdmgr @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include @{exec_path} mr, @@ -40,8 +40,8 @@ profile fwupdmgr @{exec_path} flags=(complain) { profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, @@ -49,5 +49,5 @@ profile fwupdmgr @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/fzsftp b/apparmor.d/fzsftp index 9c982ed1..2277cdeb 100644 --- a/apparmor.d/fzsftp +++ b/apparmor.d/fzsftp @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/fzsftp profile fzsftp @{exec_path} { - #include - #include - #include + include + include + include signal (receive) set=(term, kill) peer=filezilla, @@ -45,5 +45,5 @@ profile fzsftp @{exec_path} { # file_inherit #deny @{HOME}/.cache/filezilla/** rw, - #include if exists + include if exists } 
diff --git a/apparmor.d/gajim b/apparmor.d/gajim index 1113581f..3f73f6fb 100644 --- a/apparmor.d/gajim +++ b/apparmor.d/gajim @@ -9,26 +9,34 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gajim profile gajim @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} r, @@ -80,8 +88,8 @@ profile gajim @{exec_path} { profile audio { - #include - #include + include + include /{usr/,}bin/aplay mr, /{usr/,}bin/pacat mr, @@ -94,7 +102,7 @@ profile gajim @{exec_path} { } profile gpg { - #include + include /{usr/,}bin/gpg mr, @@ -103,5 +111,5 @@ profile gajim @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/games-wesnoth b/apparmor.d/games-wesnoth index ad930cb5..88a035a0 100644 --- a/apparmor.d/games-wesnoth +++ b/apparmor.d/games-wesnoth @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/games/wesnoth{,-[0-9]*} profile games-wesnoth @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mrix, @@ -39,5 +39,5 @@ profile games-wesnoth @{exec_path} { owner @{HOME}/.icons/default/index.theme r, /usr/share/icons/*/index.theme r, - #include if exists + include if exists } diff --git a/apparmor.d/games-wesnoth-sh b/apparmor.d/games-wesnoth-sh index 06b9644b..5028d0d4 100644 --- a/apparmor.d/games-wesnoth-sh 
+++ b/apparmor.d/games-wesnoth-sh @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/games/wesnoth-[0-9]*{-nolog,-smalgui,_editor} /usr/games/wesnoth-nolog profile games-wesnoth-sh @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -30,5 +30,5 @@ profile games-wesnoth-sh @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/ganyremote b/apparmor.d/ganyremote index 0354b9e5..83899487 100644 --- a/apparmor.d/ganyremote +++ b/apparmor.d/ganyremote @@ -9,23 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ganyremote profile ganyremote @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + + network inet stream, + network inet6 stream, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -77,8 +80,8 @@ profile ganyremote @{exec_path} { profile killall { - #include - #include + include + include capability sys_ptrace, @@ -96,8 +99,8 @@ profile ganyremote @{exec_path} { } profile pgrep { - #include - #include + include + include /{usr/,}bin/pgrep mr, @@ -110,5 +113,5 @@ profile ganyremote @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/gconfd b/apparmor.d/gconfd index 032c43ff..23e7a3ed 100644 --- a/apparmor.d/gconfd +++ b/apparmor.d/gconfd @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/gconf/gconfd-[0-9] profile gconfd @{exec_path} { - #include - #include + include + include @{exec_path} mr, 
@@ -26,5 +26,5 @@ profile gconfd @{exec_path} { owner @{HOME}/.gconf/ rw, owner @{HOME}/.gconf/.testing.writeability rw, - #include if exists + include if exists } diff --git a/apparmor.d/gdisk b/apparmor.d/gdisk index 3301ae35..8e01c4d9 100644 --- a/apparmor.d/gdisk +++ b/apparmor.d/gdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/gdisk profile gdisk @{exec_path} { - #include - #include + include + include # Needed to inform the system of newly created/removed partitions # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) @@ -39,5 +39,5 @@ profile gdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/geany b/apparmor.d/geany index ccc461c4..bbbe36f7 100644 --- a/apparmor.d/geany +++ b/apparmor.d/geany @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/geany profile geany @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include # To edit system files as root. capability dac_read_search, @@ -104,8 +104,8 @@ profile geany @{exec_path} { profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -117,5 +117,5 @@ profile geany @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/gio-launch-desktop b/apparmor.d/gio-launch-desktop index 40e31baf..f68025b8 100644 --- a/apparmor.d/gio-launch-desktop +++ b/apparmor.d/gio-launch-desktop 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gio @{exec_path} += /{usr/,}bin/gio-launch-desktop @{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop profile gio-launch-desktop @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -37,5 +37,5 @@ profile gio-launch-desktop @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/git b/apparmor.d/git index 38140691..6ce418c4 100644 --- a/apparmor.d/git +++ b/apparmor.d/git @@ -9,18 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/git profile git @{exec_path} { - #include - #include - #include - #include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + @{exec_path} mr, @@ -92,8 +98,8 @@ profile git @{exec_path} { profile gpg { - #include - #include + include + include /{usr/,}bin/gpg mr, @@ -105,9 +111,9 @@ profile git @{exec_path} { } profile ssh { - #include - #include - #include + include + include + include /{usr/,}bin/ssh mr, @@ -124,15 +130,15 @@ profile git @{exec_path} { } profile exec { - #include + include owner @{BUILD_DIR}/**/bin/* mr, } - profile editor flags=(complain) { - #include - #include + profile editor { + include + include /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim.* mrix, @@ -154,5 +160,5 @@ profile git @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/globaltime b/apparmor.d/globaltime index bf4a9a47..49a57626 100644 --- a/apparmor.d/globaltime +++ b/apparmor.d/globaltime 
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/globaltime profile globaltime @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include @{exec_path} mr, @@ -30,5 +30,5 @@ profile globaltime @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/glxgears b/apparmor.d/glxgears index 4cefc138..16172760 100644 --- a/apparmor.d/glxgears +++ b/apparmor.d/glxgears @@ -9,18 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/glxgears profile glxgears @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include capability sys_admin, @@ -33,5 +32,5 @@ profile glxgears @{exec_path} { owner @{HOME}/.Xauthority r, - #include if exists + include if exists } diff --git a/apparmor.d/glxinfo b/apparmor.d/glxinfo index b65d7433..9aa0ca31 100644 --- a/apparmor.d/glxinfo +++ b/apparmor.d/glxinfo @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/glxinfo profile glxinfo @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include capability sys_admin, # Needed? @@ -34,5 +34,5 @@ profile glxinfo @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/gnome-keyring-daemon b/apparmor.d/gnome-keyring-daemon index 6c282383..569cb8bd 100644 --- a/apparmor.d/gnome-keyring-daemon +++ b/apparmor.d/gnome-keyring-daemon 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} { - #include - #include + include + include # Remove the following error: # gnome-keyring-daemon: insufficient process capabilities, unsecure memory might get used @@ -35,5 +35,5 @@ profile gnome-keyring-daemon @{exec_path} { owner @{run}/user/[0-9]*/keyring/ rw, owner @{run}/user/[0-9]*/keyring/* rw, - #include if exists + include if exists } diff --git a/apparmor.d/google-chrome-chrome b/apparmor.d/google-chrome-chrome index bea27718..ec12aa18 100644 --- a/apparmor.d/google-chrome-chrome +++ b/apparmor.d/google-chrome-chrome @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable} @{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable} @@ -19,19 +19,19 @@ @{exec_path} = @{CHROME_INSTALLDIR}/chrome{,-beta,-unstable} profile google-chrome-chrome @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". @@ -45,6 +45,12 @@ profile google-chrome-chrome @{exec_path} { signal (send) set=(term, kill) peer=keepassxc-proxy, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, @{CHROME_INSTALLDIR}/{,**} r, @@ -181,8 +187,8 @@ profile google-chrome-chrome @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, 
@@ -197,5 +203,5 @@ profile google-chrome-chrome @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/google-chrome-chrome-sandbox b/apparmor.d/google-chrome-chrome-sandbox index 6aab4588..f6c21681 100644 --- a/apparmor.d/google-chrome-chrome-sandbox +++ b/apparmor.d/google-chrome-chrome-sandbox @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable} @{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable} @@ -19,8 +19,8 @@ @{exec_path} = @{CHROME_INSTALLDIR}/chrome-sandbox profile google-chrome-chrome-sandbox @{exec_path} { - #include - #include + include + include # For kernel unprivileged user namespaces capability sys_admin, @@ -42,5 +42,5 @@ profile google-chrome-chrome-sandbox @{exec_path} { owner @{PROC}/@{pid}/fd/ r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - #include if exists + include if exists } diff --git a/apparmor.d/google-chrome-google-chrome b/apparmor.d/google-chrome-google-chrome index fbedbab4..5d09959e 100644 --- a/apparmor.d/google-chrome-google-chrome +++ b/apparmor.d/google-chrome-google-chrome @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{CHROME_INSTALLDIR} = /opt/google/chrome{,-beta,-unstable} @{CHROME_HOMEDIR} = @{HOME}/.config/google-chrome{,-beta,-unstable} @@ -19,9 +19,9 @@ @{exec_path} = @{CHROME_INSTALLDIR}/google-chrome{,-beta,-unstable} profile google-chrome-google-chrome @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -39,5 +39,5 @@ profile google-chrome-google-chrome @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/gpa b/apparmor.d/gpa index 8902b764..e0adc9fe 100644 --- a/apparmor.d/gpa +++ b/apparmor.d/gpa 
@@ -9,20 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpa profile gpa @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -58,5 +58,5 @@ profile gpa @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/gparted b/apparmor.d/gparted index cc583ee3..cddf907e 100644 --- a/apparmor.d/gparted +++ b/apparmor.d/gparted @@ -9,17 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/gparted profile gparted @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}sbin/ r, + /{usr/,}sbin/gpartedbin rPx, + + /{usr/,}bin/ r, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/cut rix, /{usr/,}bin/id rix, @@ -33,19 +37,26 @@ profile gparted @{exec_path} { @{run}/udev/rules.d/90-udisks-inhibit.rules rw, /{usr/,}bin/udevadm rCx -> udevadm, + /{usr/,}sbin/killall5 rCx -> killall, - /{usr/,}sbin/gpartedbin rPx, /{usr/,}bin/ps rPx, /{usr/,}bin/xhost rPx, /{usr/,}bin/pkexec rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, + # For shell pwd + / r, + /root/ r, + + /usr/local/bin/ r, + /usr/local/sbin/ r, + # file_inherit owner /dev/tty[0-9]* rw, profile udevadm { - #include + include ptrace (read), @@ -67,5 +78,25 @@ profile gparted @{exec_path} { } - #include if exists + profile killall flags=(attach_disconnected) { + include + include + + capability sys_ptrace, + + signal (send) set=(int, term, kill), + + ptrace (read), + + /{usr/,}sbin/killall5 mr, + + # The /proc/ dir is needed to avoid the following error: + # /proc: Permission denied + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, + + } + + include if exists } 
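Review bot: The new `killall` child profile grants `signal (send) set=(int, term, kill)` with no `peer=` restriction plus `capability sys_ptrace`, and neither line nor the `flags=(attach_disconnected)` qualifier carries the why-comment this file gives its other grants (`# For shell pwd`, the `@{PROC}/ r` note). Signalling every process is presumably what killall5 needs, so the rule probably cannot be narrowed, but the reason should be recorded, e.g. `# killall5 signals every process on the system, so no peer= restriction is possible` above the signal line. `attach_disconnected` deserves a note naming the disconnected path that triggered it, or should be left out until one is observed.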
diff --git a/apparmor.d/gpartedbin b/apparmor.d/gpartedbin index 49ad27e1..9b29c0d2 100644 --- a/apparmor.d/gpartedbin +++ b/apparmor.d/gpartedbin @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/gpartedbin profile gpartedbin @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include # Needed to inform the system of newly created/removed partitions. # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) @@ -144,7 +144,7 @@ profile gpartedbin @{exec_path} { profile mount { - #include + include capability sys_admin, @@ -167,7 +167,7 @@ profile gpartedbin @{exec_path} { } profile umount { - #include + include capability sys_admin, @@ -188,7 +188,7 @@ profile gpartedbin @{exec_path} { } profile udevadm { - #include + include ptrace (read), @@ -205,14 +205,14 @@ profile gpartedbin @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, # file_inherit - #include # lots of files in this abstraction get inherited + include # lots of files in this abstraction get inherited /dev/mapper/control rw, } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @@ -228,5 +228,5 @@ profile gpartedbin @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/gpasswd b/apparmor.d/gpasswd index e28a9128..106e0f58 100644 --- a/apparmor.d/gpasswd +++ b/apparmor.d/gpasswd @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpasswd profile gpasswd @{exec_path} { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, 
@@ -29,6 +29,8 @@ profile gpasswd @{exec_path} { # gpasswd is a SETUID binary capability setuid, + network netlink raw, + @{exec_path} mr, owner @{PROC}/@{pid}/loginuid r, @@ -46,5 +48,5 @@ profile gpasswd @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/gpg b/apparmor.d/gpg index f48156df..642dc3a2 100644 --- a/apparmor.d/gpg +++ b/apparmor.d/gpg @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpg profile gpg @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} mrix, @@ -82,5 +82,5 @@ profile gpg @{exec_path} { # file_inherit /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/gpg-agent b/apparmor.d/gpg-agent index a2448f02..8dc0d2b6 100644 --- a/apparmor.d/gpg-agent +++ b/apparmor.d/gpg-agent @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpg-agent profile gpg-agent @{exec_path} { - #include - #include + include + include signal (receive) peer=pinentry-*, @@ -56,5 +56,5 @@ profile gpg-agent @{exec_path} { # Silencer deny /{usr/,}bin/.gnupg/ w, - #include if exists + include if exists } diff --git a/apparmor.d/gpg-connect-agent b/apparmor.d/gpg-connect-agent index 00bcc281..cf1da8f2 100644 --- a/apparmor.d/gpg-connect-agent +++ b/apparmor.d/gpg-connect-agent @@ -9,15 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpg-connect-agent profile gpg-connect-agent @{exec_path} { - #include + include + include @{exec_path} mr, - #include if exists + /etc/inputrc r, + + include if exists } diff --git a/apparmor.d/gpgconf b/apparmor.d/gpgconf index 592ca620..d1393f9e 100644 
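Review bot: `network netlink raw,` is added to the gpasswd profile without the why-comment that the adjacent `capability audit_write` line has, and the same unexplained rule is added to groupadd, groupdel and groupmod in this commit. If it exists so that libaudit can open its audit netlink socket, say so next to the rule — `# Netlink is needed by libaudit to send the audit records (see audit_write above)` — so a later reader does not take it for a general socket grant on a setuid binary. If the rule was only observed in complain mode, `audit network netlink raw,` would confirm it is actually hit.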
--- a/apparmor.d/gpgconf +++ b/apparmor.d/gpgconf @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpgconf profile gpgconf @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mrix, @@ -41,5 +41,5 @@ profile gpgconf @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/gpgsm b/apparmor.d/gpgsm index 2e5851fa..1ab2716f 100644 --- a/apparmor.d/gpgsm +++ b/apparmor.d/gpgsm @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpgsm profile gpgsm @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile gpgsm @{exec_path} { owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, - #include if exists + include if exists } diff --git a/apparmor.d/gpo b/apparmor.d/gpo index 7bd4f54c..fe9d1fc0 100644 --- a/apparmor.d/gpo +++ b/apparmor.d/gpo @@ -9,20 +9,25 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpo profile gpo @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -45,5 +50,5 @@ profile gpo @{exec_path} { owner /var/tmp/etilqs_[0-9a-f]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/gpodder b/apparmor.d/gpodder index 73fbd70d..7622d444 100644 --- a/apparmor.d/gpodder +++ b/apparmor.d/gpodder 
@@ -9,23 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpodder profile gpodder @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -72,8 +78,8 @@ profile gpodder @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @@ -90,5 +96,5 @@ profile gpodder @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/gpodder-migrate2tres b/apparmor.d/gpodder-migrate2tres index 4d111e14..b134396e 100644 --- a/apparmor.d/gpodder-migrate2tres +++ b/apparmor.d/gpodder-migrate2tres @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gpodder-migrate2tres profile gpodder-migrate2tres @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -31,5 +31,5 @@ profile gpodder-migrate2tres @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/groupadd b/apparmor.d/groupadd index df41be2b..bed46fb8 100644 --- a/apparmor.d/groupadd +++ b/apparmor.d/groupadd 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/groupadd profile groupadd @{exec_path} { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -26,6 +26,8 @@ profile groupadd @{exec_path} { capability chown, capability fsetid, + network netlink raw, + @{exec_path} mr, /etc/login.defs r, @@ -41,5 +43,5 @@ profile groupadd @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/groupdel b/apparmor.d/groupdel index 1e92d1d0..88578b6e 100644 --- a/apparmor.d/groupdel +++ b/apparmor.d/groupdel @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/groupdel profile groupdel @{exec_path} { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -26,6 +26,8 @@ profile groupdel @{exec_path} { capability chown, capability fsetid, + network netlink raw, + @{exec_path} mr, /etc/login.defs r, @@ -41,5 +43,5 @@ profile groupdel @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/groupmod b/apparmor.d/groupmod index 71eac769..10c7e77b 100644 --- a/apparmor.d/groupmod +++ b/apparmor.d/groupmod @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/groupmod profile groupmod @{exec_path} { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, 
@@ -26,6 +26,8 @@ profile groupmod @{exec_path} { capability chown, capability fsetid, + network netlink raw, + @{exec_path} mr, /etc/login.defs r, @@ -43,5 +45,5 @@ profile groupmod @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/groups b/apparmor.d/groups index 150f4502..2be493cd 100644 --- a/apparmor.d/groups +++ b/apparmor.d/groups @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/groups profile groups @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/grpck b/apparmor.d/grpck index 6c1442b1..1a65eb92 100644 --- a/apparmor.d/grpck +++ b/apparmor.d/grpck @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/grpck profile grpck @{exec_path} { - #include - #include + include + include # To set the right permission to the files in the /etc/ dir. capability chown, @@ -38,5 +38,5 @@ profile grpck @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/gsmartcontrol b/apparmor.d/gsmartcontrol index ddba75b8..822174ff 100644 --- a/apparmor.d/gsmartcontrol +++ b/apparmor.d/gsmartcontrol @@ -9,18 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/gsmartcontrol profile gsmartcontrol @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include capability dac_read_search, 
@@ -30,6 +31,7 @@ profile gsmartcontrol @{exec_path} { @{exec_path} mr, /{usr/,}sbin/smartctl rPx, + /{usr/,}bin/xterm rCx -> terminal, # When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: @@ -73,8 +75,8 @@ profile gsmartcontrol @{exec_path} { profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -86,5 +88,33 @@ profile gsmartcontrol @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + profile terminal { + include + include + include + include + + capability setuid, + capability setgid, + capability fsetid, + + /{usr/,}bin/xterm mr, + + /usr/sbin/update-smart-drivedb rPx, + + owner @{HOME}/.Xauthority r, + + /etc/shells r, + + /etc/X11/app-defaults/XTerm-color r, + /etc/X11/app-defaults/XTerm r, + /etc/X11/cursors/*.theme r, + + /usr/include/X11/bitmaps/vlines2 r, + + /dev/ptmx rw, + + } + + include if exists } diff --git a/apparmor.d/gsmartcontrol-root b/apparmor.d/gsmartcontrol-root index e05197e8..9ef8cc9c 100644 --- a/apparmor.d/gsmartcontrol-root +++ b/apparmor.d/gsmartcontrol-root @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gsmartcontrol-root profile gsmartcontrol-root @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -25,5 +25,5 @@ profile gsmartcontrol-root @{exec_path} { /{usr/,}bin/pkexec rPx, - #include if exists + include if exists } diff --git a/apparmor.d/gtk-update-icon-cache b/apparmor.d/gtk-update-icon-cache index 1b5b0135..938edbac 100644 --- a/apparmor.d/gtk-update-icon-cache +++ b/apparmor.d/gtk-update-icon-cache 
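Review bot: The new `terminal` child profile grants `capability setuid,`, `capability setgid,` and `capability fsetid,` with no comment saying what xterm needs them for, whereas the other privileged lines in this file are justified (`# When gsmartcontrol is run as root, …`). On Debian xterm is, I believe, installed setgid utmp, which would explain `setgid`, but `setuid` and `fsetid` need a stated trigger or an `audit` qualifier until one is seen. Separately, `/usr/sbin/update-smart-drivedb rPx,` is the only path in the file written without the `/{usr/,}` alternation; `/{usr/,}sbin/update-smart-drivedb rPx,` matches the convention, and `rPx` requires a profile of that name to exist or the exec will be denied.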
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gtk-update-icon-cache profile gtk-update-icon-cache @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile gtk-update-icon-cache @{exec_path} { /usr/share/icons/**/.icon-theme.cache rw, /usr/share/icons/**/icon-theme.cache rw, - #include if exists + include if exists } diff --git a/apparmor.d/gtk-youtube-viewer b/apparmor.d/gtk-youtube-viewer index f8a6fbae..77c82ef1 100644 --- a/apparmor.d/gtk-youtube-viewer +++ b/apparmor.d/gtk-youtube-viewer @@ -9,22 +9,28 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/gtk{,2,3}-youtube-viewer profile gtk-youtube-viewer @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/perl r, @@ -55,14 +61,14 @@ profile gtk-youtube-viewer @{exec_path} { profile xterm { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include signal (send) set=(hup, winch) peer=youtube-viewer, signal (send) set=(hup, winch) peer=youtube-viewer//wget, @@ -96,8 +102,8 @@ profile gtk-youtube-viewer @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @@ -114,5 +120,5 @@ profile gtk-youtube-viewer @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/hardinfo b/apparmor.d/hardinfo index 465055f7..5d471aba 100644 
--- a/apparmor.d/hardinfo +++ b/apparmor.d/hardinfo @@ -9,20 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/hardinfo profile hardinfo @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include # This is needed to display some content of devices -> resources capability sys_admin, @@ -30,12 +31,18 @@ profile hardinfo @{exec_path} { # This is for benchmarks capability sys_nice, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/locale rix, /{usr/,}bin/ldd rix, /{usr/,}bin/tr rix, + /{usr/,}bin/python2.[0-9]* rix, /{usr/,}bin/python3.[0-9]* rix, /{usr/,}bin/perl rix, /{usr/,}bin/ruby2.[0-9]* rix, @@ -98,6 +105,12 @@ profile hardinfo @{exec_path} { /etc/fstab r, /etc/exports r, + /etc/samba/smb.conf r, + + /etc/gdb/gdbinit.d/ r, + + /usr/share/gdb/python/ r, + /usr/share/gdb/python/** r, /var/log/wtmp r, @@ -108,12 +121,16 @@ profile hardinfo @{exec_path} { # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, + # Silencer + deny /usr/share/gdb/python/** w, + deny /usr/lib/python3/** w, + # file_inherit owner /dev/tty[0-9]* rw, profile ccache { - #include + include /{usr/,}bin/ccache mr, 
@@ -124,19 +141,22 @@ profile hardinfo @{exec_path} { } profile javac { - #include - #include + include + include - /{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/javac mr, + /{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, - /etc/java-[0-9]*-openjdk/jvm-amd64.cfg r, + /{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, + + /etc/java-[0-9]*-openjdk/** r, /usr/share/java/*.jar r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/coredump_filter rw, - /sys/fs/cgroup/** r, + @{sys}/fs/cgroup/** r, owner /tmp/hsperfdata_*/ rw, owner /tmp/hsperfdata_*/@{pid} rw, @@ -144,8 +164,8 @@ profile hardinfo @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -162,15 +182,17 @@ profile hardinfo @{exec_path} { } profile kmod { - #include + include /{usr/,}bin/kmod mr, + @{sys}/module/** r, + @{PROC}/cmdline r, @{PROC}/modules r, @{PROC}/ioports r, } - #include if exists + include if exists } diff --git a/apparmor.d/hciconfig b/apparmor.d/hciconfig index 168a7668..e88af380 100644 --- a/apparmor.d/hciconfig +++ b/apparmor.d/hciconfig @@ -9,19 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/hciconfig profile hciconfig @{exec_path} flags=(complain) { - #include + include capability net_raw, capability net_admin, + network bluetooth raw, + @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/hddtemp b/apparmor.d/hddtemp index cf1541d6..65d49489 100644 --- a/apparmor.d/hddtemp +++ b/apparmor.d/hddtemp @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/hddtemp profile hddtemp @{exec_path} { - #include + include # To remove the following errors: # /dev/sda: Permission denied 
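Review bot: `/{usr/,}lib/jvm/java-[0-9]*-openjdk-amd64/bin/* mr,` widens the javac child profile from one executable to every binary in the JDK `bin/` directory, and `/etc/java-[0-9]*-openjdk/** r,` likewise replaces a single config file, with no reason given in the hunk. If the javac launcher re-executes other JDK tools this is the right shape, but the glob now also admits `java`, `jshell` and friends under a profile named `javac`, so a one-line comment such as `# the javac launcher execs other JDK tools from the same bin/ dir — TODO confirm which` would keep the widening deliberate. The `profile javac {` opening line is outside the hunk.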
@@ -28,6 +28,9 @@ profile hddtemp @{exec_path} { # It looks like hddtemp works just fine without it. deny capability sys_admin, + network inet stream, + network inet6 stream, + @{exec_path} mr, # Monitored hard drives @@ -39,5 +42,5 @@ profile hddtemp @{exec_path} { # Needed when the hddtemp daemon is started in the TCP/IP mode /etc/gai.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/hdparm b/apparmor.d/hdparm index b05a4c28..5cf7e42a 100644 --- a/apparmor.d/hdparm +++ b/apparmor.d/hdparm @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/hdparm profile hdparm @{exec_path} flags=(complain) { - #include - #include + include + include # To remove the following errors: # re-writing sector *: BLKFLSBUF failed: Permission denied @@ -37,5 +37,5 @@ profile hdparm @{exec_path} flags=(complain) { @{HOME}/** r, /media/*/** r, - #include if exists + include if exists } diff --git a/apparmor.d/hexchat b/apparmor.d/hexchat index 862ab317..26e0f0ab 100644 --- a/apparmor.d/hexchat +++ b/apparmor.d/hexchat @@ -9,26 +9,32 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/hexchat profile hexchat @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include # For python/perl plugins - #include - #include - #include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} mr, @@ -52,5 +58,5 @@ profile hexchat @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/hostname b/apparmor.d/hostname index 0b4c1978..2f56d302 100644 --- a/apparmor.d/hostname 
+++ b/apparmor.d/hostname @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname} profile hostname @{exec_path} { - #include - #include - #include + include + include + include capability sys_admin, @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/htop b/apparmor.d/htop index 5557c073..b6e1dfd2 100644 --- a/apparmor.d/htop +++ b/apparmor.d/htop @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/htop profile htop @{exec_path} { - #include - #include + include + include # To be able to read the /proc/ files of all processes in the system. capability dac_read_search, @@ -29,9 +29,14 @@ profile htop @{exec_path} { capability sys_ptrace, + # Needed? + capability net_admin, + signal (send), ptrace (read), + network netlink raw, + @{exec_path} mr, @{PROC}/ r, @@ -50,6 +55,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/wchan r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @@ -62,9 +68,13 @@ profile htop @{exec_path} { @{PROC}/@{pids}/task/@{tid}/wchan r, @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/@{pids}/task/@{tid}/io r, + @{PROC}/@{pids}/task/@{tid}/comm r, owner @{PROC}/@{pid}/smaps_rollup r, + @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, + owner @{HOME}/.config/htop/ rw, owner @{HOME}/.config/htop/htoprc rw, @@ -75,5 +85,5 @@ profile htop @{exec_path} { # htop[]: Oh, oh, it's an error! possibly I die! /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/hugeadm b/apparmor.d/hugeadm index f5234127..7af2a321 100644 --- a/apparmor.d/hugeadm +++ b/apparmor.d/hugeadm 
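Review bot: `capability net_admin,` is granted to htop with only `# Needed?` above it; net_admin is among the broadest capabilities and the commit itself is unsure it is required. The ifconfig and ifup profiles in this same commit handle the same doubt with `audit deny capability sys_module,`, so the consistent form here is `# Needed?` followed by `audit deny capability net_admin,`, switching to `audit capability net_admin,` only once a logged denial shows htop really uses it (possibly together with the `network netlink raw,` rule added just below).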
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/hugeadm profile hugeadm @{exec_path} { - #include - #include + include + include # To mount anything under /var/lib/hugetlbfs/** . capability sys_admin, @@ -63,5 +63,5 @@ profile hugeadm @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/* r, owner @{sys}/kernel/mm/transparent_hugepage/* rw, - #include if exists + include if exists } diff --git a/apparmor.d/hugo b/apparmor.d/hugo index 85065668..07812f0e 100644 --- a/apparmor.d/hugo +++ b/apparmor.d/hugo @@ -9,15 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{HUGO_DIR} = /media/debuilder/hugo @{exec_path} = /{usr/,}bin/hugo profile hugo @{exec_path} { - #include + include + + network inet stream, + network inet6 stream, @{exec_path} mr, @@ -40,5 +43,5 @@ profile hugo @{exec_path} { /etc/mime.types r, - #include if exists + include if exists } diff --git a/apparmor.d/hw-probe b/apparmor.d/hw-probe index 2142e01c..36c4c42d 100644 --- a/apparmor.d/hw-probe +++ b/apparmor.d/hw-probe @@ -9,17 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/hw-probe profile hw-probe @{exec_path} { - #include - #include + include + include capability sys_admin, + network inet dgram, + network inet6 dgram, + @{exec_path} r, /{usr/,}bin/perl r, @@ -32,6 +35,7 @@ profile hw-probe @{exec_path} { /{usr/,}bin/uname rix, /{usr/,}bin/dd rix, + /{usr/,}bin/tar rix, /{usr/,}bin/efivar rix, /{usr/,}bin/efibootmgr rix, @@ -85,6 +89,7 @@ profile hw-probe @{exec_path} { /{usr/,}sbin/ifconfig rCx -> netconfig, /{usr/,}sbin/iwconfig rCx -> netconfig, /{usr/,}sbin/ethtool rCx -> netconfig, + /{usr/,}bin/curl rCx -> curl, owner /root/HW_PROBE/{,**} rw, 
@@ -114,8 +119,8 @@ profile hw-probe @{exec_path} { profile find { - #include - #include + include + include capability dac_read_search, @@ -123,10 +128,12 @@ profile hw-probe @{exec_path} { /dev/{,**} r, + /root/ r, + } profile journalctl { - #include + include /{usr/,}bin/journalctl mr, @@ -145,7 +152,7 @@ profile hw-probe @{exec_path} { } profile systemd-analyze { - #include + include /{usr/,}bin/systemd-analyze mr, @@ -154,7 +161,7 @@ profile hw-probe @{exec_path} { } profile killall { - #include + include capability sys_ptrace, @@ -172,7 +179,7 @@ profile hw-probe @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, @@ -194,7 +201,7 @@ profile hw-probe @{exec_path} { } profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -208,12 +215,19 @@ profile hw-probe @{exec_path} { } profile netconfig { - #include + include # Not needed deny capability net_admin, deny capability net_raw, + network inet dgram, + network inet6 dgram, + network ipx dgram, + network ax25 dgram, + network appletalk dgram, + network netlink raw, + /{usr/,}sbin/iw mr, /{usr/,}sbin/ifconfig mr, /{usr/,}sbin/iwconfig mr, @@ -224,5 +238,16 @@ profile hw-probe @{exec_path} { } - #include if exists + profile curl { + include + include + include + include + + /{usr/,}bin/curl mr, + + } + + + include if exists } diff --git a/apparmor.d/hwinfo b/apparmor.d/hwinfo index ad0927d8..e27b4e39 100644 --- a/apparmor.d/hwinfo +++ b/apparmor.d/hwinfo @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/hwinfo profile hwinfo @{exec_path} { - #include - #include + include + include # Without the sys_admin CAP, some information, for instance the reserved I/O port address range # in the /proc/ioports, will be hidden. 
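Review bot: The `netconfig` child profile now allows `ipx`, `ax25` and `appletalk` datagram sockets with no comment; these look like ifconfig probing every address family it was built with rather than anything hw-probe needs, and the same profile already documents its `deny capability net_admin` with `# Not needed`. A comment in that style — `# ifconfig opens a socket per supported address family when listing interfaces — TODO confirm` — or an `audit` qualifier on the three legacy families would record why a hardware-probing tool is allowed those protocol sockets at all.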
@@ -32,6 +32,10 @@ profile hwinfo @{exec_path} { # Needed when passed disk related options (--block, --partition, --floppy) capability sys_rawio, + network inet dgram, + network inet6 dgram, + network packet raw, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -78,7 +82,7 @@ profile hwinfo @{exec_path} { profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -95,7 +99,7 @@ profile hwinfo @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, @@ -115,5 +119,5 @@ profile hwinfo @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/i2cdetect b/apparmor.d/i2cdetect index 8f21883e..2a8c051e 100644 --- a/apparmor.d/i2cdetect +++ b/apparmor.d/i2cdetect @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/i2cdetect profile i2cdetect @{exec_path} { - #include + include @{exec_path} mr, owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/i3lock b/apparmor.d/i3lock index 6e54160b..65fdda5a 100644 --- a/apparmor.d/i3lock +++ b/apparmor.d/i3lock @@ -9,18 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/i3lock profile i3lock @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network netlink raw, @{exec_path} mr, @@ -38,5 +40,5 @@ profile i3lock @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/i3lock-fancy b/apparmor.d/i3lock-fancy index 02d024c4..bc44fa3e 100644 --- a/apparmor.d/i3lock-fancy +++ b/apparmor.d/i3lock-fancy 
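Review bot: `network packet raw,` is added to hwinfo without a why-comment, although every capability in this profile is explained (`# Needed when passed disk related options …`). An AF_PACKET raw socket sees all link-layer traffic on an interface, a much larger grant than the inet/inet6 dgram rules beside it, so the reason should be stated — e.g. `# Needed? (AF_PACKET raw socket, seen when probing network interfaces)` — and `audit network packet raw,` would confirm the rule is actually exercised before it is kept as a plain allow.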
@@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/i3lock-fancy profile i3lock-fancy @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -49,9 +49,9 @@ profile i3lock-fancy @{exec_path} { profile imagemagic { - #include - #include - #include + include + include + include /{usr/,}bin/convert-im6.q16 mr, /{usr/,}bin/import-im6.q16 mr, @@ -72,8 +72,7 @@ profile i3lock-fancy @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - } - #include if exists + include if exists } diff --git a/apparmor.d/ifconfig b/apparmor.d/ifconfig index 00fa8a7f..ed0f727a 100644 --- a/apparmor.d/ifconfig +++ b/apparmor.d/ifconfig @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ifconfig profile ifconfig @{exec_path} { - #include - #include + include + include # To be able to manage network interfaces. capability net_admin, @@ -24,6 +24,9 @@ profile ifconfig @{exec_path} { # Needed? audit deny capability sys_module, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, @{PROC}/net/dev r, @@ -33,5 +36,5 @@ profile ifconfig @{exec_path} { /etc/networks r, - #include if exists + include if exists } diff --git a/apparmor.d/ifup b/apparmor.d/ifup index d8839ada..60df93c2 100644 --- a/apparmor.d/ifup +++ b/apparmor.d/ifup @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{ifup,ifdown,ifquery} profile ifup @{exec_path} { - #include + include # To be able to manage network interfaces. capability net_admin, @@ -23,6 +23,8 @@ profile ifup @{exec_path} { # Needed? audit deny capability sys_module, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, 
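Review bot: The `@@ -72,8 +72,7 @@` hunk of i3lock-fancy removes the `}` that closed `profile imagemagic` and nothing in the diff adds a brace back, so the `include if exists` line now sits inside the child profile and the outer `profile i3lock-fancy` is left unclosed, which apparmor_parser will reject unless a brace is added somewhere not shown. Keep the closing brace: `owner /dev/tty[0-9]* rw,` then `}`, then the `include if exists …` line and the final `}`. The other hunks of this file only rename `#include` to `include`.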
@@ -46,7 +48,7 @@ profile ifup @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -85,5 +87,5 @@ profile ifup @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/initd-kexec b/apparmor.d/initd-kexec index 5cd40472..5e0ec791 100644 --- a/apparmor.d/initd-kexec +++ b/apparmor.d/initd-kexec @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/init.d/kexec profile initd-kexec @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -35,7 +35,7 @@ profile initd-kexec @{exec_path} { @{sys}/kernel/kexec_loaded r, profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -44,7 +44,7 @@ profile initd-kexec @{exec_path} { } profile systemctl { - #include + include capability sys_resource, @@ -68,5 +68,5 @@ profile initd-kexec @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/initd-kexec-load b/apparmor.d/initd-kexec-load index 196d91da..6ffc56e8 100644 --- a/apparmor.d/initd-kexec-load +++ b/apparmor.d/initd-kexec-load @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/init.d/kexec-load profile initd-kexec-load @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -49,7 +49,7 @@ profile initd-kexec-load @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -58,8 +58,8 @@ profile initd-kexec-load @{exec_path} { } profile systemctl { - #include - #include + include + include capability sys_resource, @@ -83,5 +83,5 @@ profile initd-kexec-load @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/initd-kmod b/apparmor.d/initd-kmod index a74e5d00..db2ddefa 100644 --- a/apparmor.d/initd-kmod +++ b/apparmor.d/initd-kmod 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/init.d/kmod profile initd-kmod @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -36,7 +36,7 @@ profile initd-kmod @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -45,7 +45,7 @@ profile initd-kmod @{exec_path} { } profile systemctl { - #include + include capability sys_resource, @@ -63,5 +63,5 @@ profile initd-kmod @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/install-printerdriver b/apparmor.d/install-printerdriver index b520d540..5d8f8e1a 100644 --- a/apparmor.d/install-printerdriver +++ b/apparmor.d/install-printerdriver @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/install-printerdriver @{exec_path} += /usr/share/system-config-printer/install-printerdriver.py profile install-printerdriver @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} mrix, @@ -26,5 +26,5 @@ profile install-printerdriver @{exec_path} flags=(complain) { /usr/share/system-config-printer/{,**} r, - #include if exists + include if exists } diff --git a/apparmor.d/inxi b/apparmor.d/inxi index 702e7514..e6da6f4b 100644 --- a/apparmor.d/inxi +++ b/apparmor.d/inxi @@ -9,16 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/inxi profile inxi @{exec_path} { - #include - #include - #include - #include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/perl r, 
@@ -77,6 +83,9 @@ profile inxi @{exec_path} { @{HOME}/.local/share/xorg/ r, @{HOME}/.local/share/xorg/Xorg.[0-9]*.log r, + # For shell pwd + /root/ r, + @{run}/ r, @{PROC}/asound/ r, @@ -103,10 +112,13 @@ profile inxi @{exec_path} { @{sys}/bus/usb/devices/ r, @{sys}/devices/{,**} r, @{sys}/module/*/version r, + @{sys}/power/wakeup_count r, profile ip { - #include + include + + network netlink raw, /{usr/,}bin/ip mr, @@ -117,7 +129,7 @@ profile inxi @{exec_path} { } profile systemd { - #include + include /{usr/,}lib/systemd/systemd mr, @@ -131,7 +143,7 @@ profile inxi @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, @@ -149,7 +161,7 @@ profile inxi @{exec_path} { } profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -158,5 +170,5 @@ profile inxi @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/ioping b/apparmor.d/ioping index c1baca1e..64db88c0 100644 --- a/apparmor.d/ioping +++ b/apparmor.d/ioping @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ioping profile ioping @{exec_path} { - #include - #include + include + include # For pinging other users files as root. capability dac_read_search, @@ -51,5 +51,5 @@ profile ioping @{exec_path} { # This was created when ioping was used on an external SD card. /**/ioping.tmp.* w, - #include if exists + include if exists } diff --git a/apparmor.d/iotop b/apparmor.d/iotop index 921aa07c..1f57e362 100644 --- a/apparmor.d/iotop +++ b/apparmor.d/iotop @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/iotop profile iotop @{exec_path} { - #include - #include - #include + include + include + include capability net_admin, @@ -42,5 +42,5 @@ profile iotop @{exec_path} { # For file /etc/magic r, - #include if exists + include if exists } 
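Review bot: The `/root/ r,` rule added under `# For shell pwd` in the inxi hunk `@@ -77,6 +83,9 @@` grants directory read on root's home to the whole profile, while the comment says the only need is the shell resolving its working directory. If that is the whole story, `owner /root/ r,` expresses it more precisely — the rule then matches only when the confined process runs as root, which is the only case where `/root` can be its cwd — and it follows the profile's existing habit of scoping home-directory rules with `owner`. The same rule and comment are added to kvm-ok (`@@ -32,9 +32,12 @@`) and linssid (`@@ -76,16 +76,21 @@`) later in the patch, so the same scoping applies there. If a non-root run ever produced a denial for this path, the unscoped form was needed and a one-line comment saying so would preempt this question.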
diff --git a/apparmor.d/ip b/apparmor.d/ip index 3432e14c..2e9e4a73 100644 --- a/apparmor.d/ip +++ b/apparmor.d/ip @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # When "ip netns" is issued, the following error will be printed: # "Failed name lookup - disconnected path" error=-13 profile="ip" name="". @{exec_path} = /{usr/,}bin/ip profile ip @{exec_path} flags=(attach_disconnected) { - #include + include # To be able to manage network interfaces. capability net_admin, @@ -27,6 +27,8 @@ profile ip @{exec_path} flags=(attach_disconnected) { # Needed? audit deny capability sys_module, + network netlink raw, + @{exec_path} mrix, mount options=(rw, rshared) -> /{var/,}run/netns/, @@ -50,5 +52,5 @@ profile ip @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/igmp{,6} r, owner @{PROC}/sys/net/ipv{4,6}/route/flush w, - #include if exists + include if exists } diff --git a/apparmor.d/ipcalc b/apparmor.d/ipcalc index 529d3b49..84d0311b 100644 --- a/apparmor.d/ipcalc +++ b/apparmor.d/ipcalc @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ipcalc profile ipcalc @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, - #include if exists + include if exists } diff --git a/apparmor.d/iw b/apparmor.d/iw index c171ccb4..2442d34c 100644 --- a/apparmor.d/iw +++ b/apparmor.d/iw @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/iw profile iw @{exec_path} { - #include + include # To be able to manage network interfaces. capability net_admin, @@ -23,10 +23,12 @@ profile iw @{exec_path} { # Needed? audit deny capability sys_module, + network netlink raw, + @{exec_path} mr, # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } 
diff --git a/apparmor.d/iwconfig b/apparmor.d/iwconfig index 2afb5627..049f98b2 100644 --- a/apparmor.d/iwconfig +++ b/apparmor.d/iwconfig @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/iwconfig profile iwconfig @{exec_path} { - #include + include # To be able to manage network interfaces. capability net_admin, @@ -23,11 +23,14 @@ profile iwconfig @{exec_path} { # Needed? audit deny capability sys_module, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, @{PROC}/net/wireless r, owner @{PROC}/@{pid}/net/wireless r, owner @{PROC}/@{pid}/net/dev r, - #include if exists + include if exists } diff --git a/apparmor.d/iwlist b/apparmor.d/iwlist index 0b847465..c9c919b5 100644 --- a/apparmor.d/iwlist +++ b/apparmor.d/iwlist @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/iwlist profile iwlist @{exec_path} { - #include + include # To be able to manage network interfaces. capability net_admin, @@ -25,5 +25,5 @@ profile iwlist @{exec_path} { @{PROC}/net/wireless r, owner @{PROC}/@{pid}/net/dev r, - #include if exists + include if exists } diff --git a/apparmor.d/jdownloader b/apparmor.d/jdownloader index 87b9cac6..ed7ccc50 100644 --- a/apparmor.d/jdownloader +++ b/apparmor.d/jdownloader @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{JD_INSTALLDIR} = /home/*/jd2 @{exec_path} = @{JD_INSTALLDIR}/*JDownloader* profile jdownloader @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include @{exec_path} rix, 
@@ -106,8 +106,8 @@ profile jdownloader @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @@ -124,5 +124,5 @@ profile jdownloader @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/jdownloader-install b/apparmor.d/jdownloader-install index 6bbf2187..7428013d 100644 --- a/apparmor.d/jdownloader-install +++ b/apparmor.d/jdownloader-install @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{JD_INSTALLDIR} = /home/*/jd2 @{JD_SH_PATH} = /home/*/[dD]ownload{,s} @@ -19,12 +19,12 @@ @{exec_path} = @{JD_SH_PATH}/JD2Setup_{x86,x64}.sh profile jdownloader-install @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -107,5 +107,5 @@ profile jdownloader-install @{exec_path} { deny owner @{JD_INSTALLDIR}/jre/lib/*/*.so m, deny owner @{JD_INSTALLDIR}/JDownloader2 rx, - #include if exists + include if exists } diff --git a/apparmor.d/jekyll b/apparmor.d/jekyll index ce212606..ad0d2adf 100644 --- a/apparmor.d/jekyll +++ b/apparmor.d/jekyll @@ -11,16 +11,16 @@ @{JEKYLL_DIR}=@{HOME}/morfikov.github.io -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/jekyll profile jekyll @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/ruby2.[0-9]* r, @@ -36,5 +36,5 @@ profile jekyll @{exec_path} { @{PROC}/version r, - #include if exists + include if exists } diff --git a/apparmor.d/jgmenu b/apparmor.d/jgmenu index 8bff2daa..7193043b 100644 --- a/apparmor.d/jgmenu +++ b/apparmor.d/jgmenu 
@@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/jgmenu{,_run} profile jgmenu @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mrix, @@ -39,7 +39,7 @@ profile jgmenu @{exec_path} { owner @{HOME}/ r, owner @{HOME}/.jgmenu-lockfile rwk, - owner @{HOME}/.config/tint2/tint2rc r, + owner @{HOME}/.config/tint2/* r, owner @{HOME}/.config/jgmenu/ rw, owner @{HOME}/.config/jgmenu/** rw, @@ -62,5 +62,5 @@ profile jgmenu @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/kanyremote b/apparmor.d/kanyremote index 7b044e10..35599cd0 100644 --- a/apparmor.d/kanyremote +++ b/apparmor.d/kanyremote @@ -9,27 +9,30 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kanyremote profile kanyremote @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet stream, + network inet6 stream, @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -87,8 +90,8 @@ profile kanyremote @{exec_path} { profile killall { - #include - #include + include + include capability sys_ptrace, @@ -106,8 +109,8 @@ profile kanyremote @{exec_path} { } profile pgrep { - #include - #include + include + include /{usr/,}bin/pgrep mr, @@ -120,5 +123,5 @@ profile kanyremote @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/kcheckpass b/apparmor.d/kcheckpass index e3acc174..0c70cfe5 100644 
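Review bot: In the jgmenu hunk `@@ -39,7 +39,7 @@` the read rule widens from `owner @{HOME}/.config/tint2/tint2rc` to `owner @{HOME}/.config/tint2/*`, and nothing in the hunk records which additional files jgmenu now reads. If the motivation is tint2 supporting alternative rc files in that directory, a narrower glob such as `owner @{HOME}/.config/tint2/*rc r,` plus a one-line why-comment keeps the least-privilege shape of the original rule; if jgmenu genuinely needs every file there, the comment alone is enough to justify the wildcard.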
--- a/apparmor.d/kcheckpass +++ b/apparmor.d/kcheckpass @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kcheckpass profile kcheckpass @{exec_path} { - #include - #include - #include - #include + include + include + include + include signal (receive) peer=kscreenlocker-greet, @@ -29,5 +29,5 @@ profile kcheckpass @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/kconfig-hardened-check b/apparmor.d/kconfig-hardened-check index b5d0f055..9f417de9 100644 --- a/apparmor.d/kconfig-hardened-check +++ b/apparmor.d/kconfig-hardened-check @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kconfig-hardened-check profile kconfig-hardened-check @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -31,5 +31,5 @@ profile kconfig-hardened-check @{exec_path} { # This is for kernels, which are built manually /**/.config r, - #include if exists + include if exists } diff --git a/apparmor.d/keepassxc b/apparmor.d/keepassxc index 89b3c829..9a5d852d 100644 --- a/apparmor.d/keepassxc +++ b/apparmor.d/keepassxc 
@@ -9,29 +9,36 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{KP_DB} = @{HOME}/keepass-baza @{exec_path} = /{usr/,}bin/keepassxc profile keepassxc @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, @{exec_path} mrix, @@ -121,8 +128,8 @@ profile keepassxc @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -139,5 +146,5 @@ profile keepassxc @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/keepassxc-cli b/apparmor.d/keepassxc-cli index 8ec49ddd..76d4c81c 100644 --- a/apparmor.d/keepassxc-cli +++ b/apparmor.d/keepassxc-cli @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/keepassxc-cli profile keepassxc-cli @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/keepassxc-proxy b/apparmor.d/keepassxc-proxy index a729a170..729e7a7d 100644 --- a/apparmor.d/keepassxc-proxy +++ b/apparmor.d/keepassxc-proxy @@ -9,18 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/keepassxc-proxy profile keepassxc-proxy @{exec_path} { - #include - #include - #include + include + include + include signal (receive) set=(term, kill), + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # file_inherit 
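Review bot: The six `network` rules added to the keepassxc profile (`@@ -9,29 +9,36 @@`) carry no comment on which feature needs which socket family, and `network netlink raw,` next to `network netlink dgram,` is wider than a password manager obviously requires. With the abi/3.0 migration these rules become enforced, so this is the moment to record why each group exists — for example `# inet/inet6 stream: browser integration and update check` and `# netlink: network-interface enumeration by the toolkit`, where that matches the audit denials that motivated them — and to drop any family no denial justifies. The keepassxc-proxy hunk on this line (`@@ -9,18 +9,22 @@`) likewise adds `network inet stream,` and `network inet6 stream,` to a component that, as far as the profile shows, only relays native messaging; if it never opens an inet socket those two rules can go, leaving `network netlink raw,` with its own why-comment.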
@@ -40,5 +44,5 @@ profile keepassxc-proxy @{exec_path} { # owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/kernel-install b/apparmor.d/kernel-install index e40fafb2..8751059a 100644 --- a/apparmor.d/kernel-install +++ b/apparmor.d/kernel-install @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kernel-install profile kernel-install @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -63,7 +63,7 @@ profile kernel-install @{exec_path} flags=(complain) { profile kmod flags=(complain) { - #include + include /{usr/,}bin/kmod mr, @@ -72,5 +72,5 @@ profile kernel-install @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/kerneloops b/apparmor.d/kerneloops index e27aa18e..1952e019 100644 --- a/apparmor.d/kerneloops +++ b/apparmor.d/kerneloops @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/kerneloops profile kerneloops @{exec_path} { - #include - #include + include + include capability syslog, @@ -31,5 +31,5 @@ profile kerneloops @{exec_path} { # When found a kernel OOPS make a tmp file and fill it with the OOPS message /tmp/kerneloops.* rw, - #include if exists + include if exists } diff --git a/apparmor.d/kerneloops-applet b/apparmor.d/kerneloops-applet index b6dc61a2..cb5f6dd3 100644 --- a/apparmor.d/kerneloops-applet +++ b/apparmor.d/kerneloops-applet 
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kerneloops-applet profile kerneloops-applet @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include @{exec_path} mr, @@ -37,5 +37,5 @@ profile kerneloops-applet @{exec_path} { # Fonts /usr/share/poppler/cMap/Adobe-Japan2/ r, - #include if exists + include if exists } diff --git a/apparmor.d/kexec b/apparmor.d/kexec index 01c19b26..38ea385a 100644 --- a/apparmor.d/kexec +++ b/apparmor.d/kexec @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/kexec profile kexec @{exec_path} flags=(complain) { - #include + include capability sys_boot, @@ -32,5 +32,5 @@ profile kexec @{exec_path} flags=(complain) { /dev/fb[0-9] r, - #include if exists + include if exists } diff --git a/apparmor.d/kmod b/apparmor.d/kmod index e8111378..cc137c40 100644 --- a/apparmor.d/kmod +++ b/apparmor.d/kmod @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/{kmod,lsmod} @{exec_path} += /{usr/,}sbin/{depmod,insmod,lsmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} { - #include - #include + include + include # To load/unload kernel modules # modprobe: ERROR: could not insert '*': Operation not permitted @@ -60,5 +60,5 @@ profile kmod @{exec_path} { owner @{BUILD_DIR}/**/debian/*/lib/modules/*/kernel/{,**/} r, owner @{BUILD_DIR}/**/debian/*/lib/modules/*/kernel/**/*.ko r, - #include if exists + include if exists } diff --git a/apparmor.d/kodi b/apparmor.d/kodi index 8492c7fd..24b5f215 100644 --- a/apparmor.d/kodi +++ b/apparmor.d/kodi 
@@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kodi /{usr/,}lib/@{multiarch}/kodi/kodi.bin profile kodi @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -93,7 +93,7 @@ profile kodi @{exec_path} { /etc/machine-id r, profile df { - #include + include /{usr/,}bin/df mr, @@ -107,5 +107,5 @@ profile kodi @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/kodi-xrandr b/apparmor.d/kodi-xrandr index 5f817b21..bfbcb4a0 100644 --- a/apparmor.d/kodi-xrandr +++ b/apparmor.d/kodi-xrandr @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr profile kodi-xrandr @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile kodi-xrandr @{exec_path} { @{sys}/devices/system/cpu/cpufreq/policy0/scaling_cur_freq r, owner @{HOME}/.kodi/temp/kodi.log w, - #include if exists + include if exists } diff --git a/apparmor.d/kscreenlocker-greet b/apparmor.d/kscreenlocker-greet index 41994693..76cf6917 100644 --- a/apparmor.d/kscreenlocker-greet +++ b/apparmor.d/kscreenlocker-greet @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/libexec/kscreenlocker_greet profile kscreenlocker-greet @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include signal (send) peer=kcheckpass, 
@@ -79,5 +79,5 @@ profile kscreenlocker-greet @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/kvm-ok b/apparmor.d/kvm-ok index 21a34a01..e89edc84 100644 --- a/apparmor.d/kvm-ok +++ b/apparmor.d/kvm-ok @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/kvm-ok profile kvm-ok @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -32,9 +32,12 @@ profile kvm-ok @{exec_path} { #/dev/kvm r, #/dev/cpu/[0-9]*/msr r, + # For shell pwd + /root/ r, + profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -47,5 +50,5 @@ profile kvm-ok @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/kwalletd5 b/apparmor.d/kwalletd5 index 8d9024e3..c62ea6e5 100644 --- a/apparmor.d/kwalletd5 +++ b/apparmor.d/kwalletd5 @@ -9,26 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kwalletd5 profile kwalletd5 @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -70,7 +70,7 @@ profile kwalletd5 @{exec_path} { profile gpg { - #include + include /{usr/,}bin/gpgconf mr, /{usr/,}bin/gpg mr, @@ -81,6 +81,6 @@ profile kwalletd5 @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/kwalletmanager5 b/apparmor.d/kwalletmanager5 index bc3c1e9a..0ec301c3 100644 --- a/apparmor.d/kwalletmanager5 +++ b/apparmor.d/kwalletmanager5 
@@ -9,27 +9,27 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/kwalletmanager5 profile kwalletmanager5 @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -78,5 +78,5 @@ profile kwalletmanager5 @{exec_path} { owner /tmp/xauth-[0-9]*-_[0-9] r, - #include if exists + include if exists } diff --git a/apparmor.d/libvirt/TEMPLATE.lxc b/apparmor.d/libvirt/TEMPLATE.lxc index f1005dc5..6894aa6b 100644 --- a/apparmor.d/libvirt/TEMPLATE.lxc +++ b/apparmor.d/libvirt/TEMPLATE.lxc @@ -2,10 +2,10 @@ # This profile is for the domain whose UUID matches this file. # -#include +include profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { - #include + include # Globally allows everything to run under this profile # These can be narrowed depending on the container's use. diff --git a/apparmor.d/libvirt/TEMPLATE.qemu b/apparmor.d/libvirt/TEMPLATE.qemu index a327315d..b242a775 100644 --- a/apparmor.d/libvirt/TEMPLATE.qemu +++ b/apparmor.d/libvirt/TEMPLATE.qemu @@ -2,8 +2,8 @@ # This profile is for the domain whose UUID matches this file. # -#include +include profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { - #include + include } diff --git a/apparmor.d/light b/apparmor.d/light index 1da36f74..916339ee 100644 --- a/apparmor.d/light +++ b/apparmor.d/light @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/light profile light @{exec_path} { - #include - #include + include + include @{exec_path} mr, 
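Review bot: The two libvirt template hunks (`TEMPLATE.lxc` `@@ -2,10 +2,10 @@` and `TEMPLATE.qemu` `@@ -2,8 +2,8 @@`) switch to the `include` keyword but, unlike every other profile in this commit, get no `abi ,` line; the same holds for `lightdm-guest-session` later in the patch (`@@ -1,14 +1,14 @@`). As far as the parser's abi handling goes, a profile without an abi declaration is compiled against the parser's default or configured policy-feature set rather than the 3.0 set, so these three would be evaluated under different mediation rules (network in particular) from the rest of the tree. If leaving the line out is deliberate because libvirt and the lightdm package own and regenerate these files, a comment such as `# no abi line on purpose: file is managed by the shipping package` above the include would save the next reader the question; otherwise they should get the same abi line as the other profiles.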
@@ -41,5 +41,5 @@ profile light @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/light-locker b/apparmor.d/light-locker index 108996fa..c197b7a1 100644 --- a/apparmor.d/light-locker +++ b/apparmor.d/light-locker @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/light-locker profile light-locker @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -41,7 +41,7 @@ profile light-locker @{exec_path} { ##include #owner @{run}/user/[0-9]*/dconf/ w, #owner @{run}/user/[0-9]*/dconf/user rw, - #include + include @{sys}/devices/pci[0-9]*/**/uevent r, @{sys}/devices/pci[0-9]*/**/vendor r, @@ -52,5 +52,5 @@ profile light-locker @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/light-locker-command b/apparmor.d/light-locker-command index 3470393a..9cb6c7ee 100644 --- a/apparmor.d/light-locker-command +++ b/apparmor.d/light-locker-command @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/light-locker-command profile light-locker-command @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/lightdm b/apparmor.d/lightdm index 325c6f2a..070fbc8f 100644 --- a/apparmor.d/lightdm +++ b/apparmor.d/lightdm 
@@ -9,20 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/lightdm profile lightdm @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include # To remove the following errors: # lightdm[]: Could not chown user data directory /var/lib/lightdm/data/lightdm: Error setting @@ -126,5 +126,5 @@ profile lightdm @{exec_path} { /{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx, /usr/libexec/at-spi-bus-launcher rPUx, - #include if exists + include if exists } diff --git a/apparmor.d/lightdm-gtk-greeter b/apparmor.d/lightdm-gtk-greeter index 2390c9cb..dd8c16e9 100644 --- a/apparmor.d/lightdm-gtk-greeter +++ b/apparmor.d/lightdm-gtk-greeter @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/lightdm-gtk-greeter profile lightdm-gtk-greeter @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include signal (receive) set=(term, kill) peer=lightdm, @@ -62,7 +62,7 @@ profile lightdm-gtk-greeter @{exec_path} { profile systemd { - #include + include /{usr/,}lib/systemd/systemd mr, @@ -81,5 +81,5 @@ profile lightdm-gtk-greeter @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/lightdm-guest-session b/apparmor.d/lightdm-guest-session index f666cf75..0e80dde2 100644 --- a/apparmor.d/lightdm-guest-session +++ b/apparmor.d/lightdm-guest-session 
@@ -1,14 +1,14 @@ # vim:syntax=apparmor # Profile for restricting lightdm guest session -#include +include /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session { # Most applications are confined via the main abstraction - #include + include # chromium-browser needs special confinement due to its sandboxing - #include + include # fcitx and friends needs special treatment due to C/S design /usr/bin/fcitx ix, diff --git a/apparmor.d/lightworks b/apparmor.d/lightworks index 23212dc7..7582c4e3 100644 --- a/apparmor.d/lightworks +++ b/apparmor.d/lightworks @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lightworks profile lightworks @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -31,5 +31,5 @@ profile lightworks @{exec_path} { owner @{HOME}/Lightworks/Projects/DefNetDrive.txt w, owner @{HOME}/Lightworks/machine.num w, - #include if exists + include if exists } diff --git a/apparmor.d/lightworks-ntcardvt b/apparmor.d/lightworks-ntcardvt index fdc9c142..b6ea584d 100644 --- a/apparmor.d/lightworks-ntcardvt +++ b/apparmor.d/lightworks-ntcardvt @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/lightworks/ntcardvt profile lightworks-ntcardvt @{exec_path} { - #include - #include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/linssid b/apparmor.d/linssid index 531a785d..3b65f31c 100644 --- a/apparmor.d/linssid +++ b/apparmor.d/linssid 
@@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/linssid /{usr/,}bin/linssid-pkexec profile linssid @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include # For reading/saving config/log files when linssid is started via pkexec #capability dac_read_search, @@ -76,16 +76,21 @@ profile linssid @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + # For shell pwd + /root/ r, + # file_inherit owner /dev/tty[0-9]* rw, profile iw { - #include + include capability net_admin, deny capability sys_module, + network netlink raw, + /{usr/,}sbin/iw mr, # file_inherit @@ -97,8 +102,8 @@ profile linssid @{exec_path} { } profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -110,5 +115,5 @@ profile linssid @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/linux-check-removal b/apparmor.d/linux-check-removal index 0595f00c..7650b92f 100644 --- a/apparmor.d/linux-check-removal +++ b/apparmor.d/linux-check-removal @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/linux-check-removal profile linux-check-removal @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -28,10 +28,10 @@ profile linux-check-removal @{exec_path} flags=(complain) { profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, @@ -54,5 +54,5 @@ profile linux-check-removal @{exec_path} flags=(complain) { } - #include if exists + include if exists } 
diff --git a/apparmor.d/linux-version b/apparmor.d/linux-version index 49ba413b..fc5827a8 100644 --- a/apparmor.d/linux-version +++ b/apparmor.d/linux-version @@ -9,20 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/linux-version profile linux-version @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/perl r, /boot/ r, - #include if exists + include if exists } diff --git a/apparmor.d/localepurge b/apparmor.d/localepurge index 4ac3c114..e78df247 100644 --- a/apparmor.d/localepurge +++ b/apparmor.d/localepurge @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/localepurge profile localepurge @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -62,5 +62,5 @@ profile localepurge @{exec_path} { /tmp/ r, - #include if exists + include if exists } diff --git a/apparmor.d/logrotate b/apparmor.d/logrotate index 885d1907..070763de 100644 --- a/apparmor.d/logrotate +++ b/apparmor.d/logrotate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/logrotate -profile logrotate @{exec_path} flags=(attach_disconnected,complain) { - #include - #include +profile logrotate @{exec_path} flags=(attach_disconnected, complain) { + include + include # Needed for logfiles owned by other users than root, for instance exim. capability dac_read_search, @@ -43,7 +43,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected,complain) { #/{usr/,}bin/systemctl rCx -> systemctl, /{usr/,}bin/systemctl rix, /{usr/,}sbin/runlevel rix, - #include + include ptrace (read), capability sys_ptrace, owner @{PROC}/@{pid}/stat r, 
@@ -70,8 +70,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected,complain) { profile systemctl flags=(attach_disconnected, complain) { - #include - #include + include + include capability sys_ptrace, ptrace (read), @@ -88,5 +88,5 @@ profile logrotate @{exec_path} flags=(attach_disconnected,complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/lsb_release b/apparmor.d/lsb_release index 5cc6890b..56e4adea 100644 --- a/apparmor.d/lsb_release +++ b/apparmor.d/lsb_release @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lsb_release profile lsb_release @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -36,5 +36,5 @@ profile lsb_release @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/lsblk b/apparmor.d/lsblk index 3a1be948..9fb89a27 100644 --- a/apparmor.d/lsblk +++ b/apparmor.d/lsblk @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lsblk profile lsblk @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile lsblk @{exec_path} { @{run}/mount/utab r, - #include if exists + include if exists } diff --git a/apparmor.d/lscpu b/apparmor.d/lscpu index b728125a..0b73db40 100644 --- a/apparmor.d/lscpu +++ b/apparmor.d/lscpu @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lscpu profile lscpu @{exec_path} { - #include + include @{exec_path} mr, @@ -31,5 +31,5 @@ profile lscpu @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/cpumap r, - #include if exists + include if exists } 
diff --git a/apparmor.d/lsinitramfs b/apparmor.d/lsinitramfs index e95b9c90..1dbe085c 100644 --- a/apparmor.d/lsinitramfs +++ b/apparmor.d/lsinitramfs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lsinitramfs profile lsinitramfs @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -25,5 +25,5 @@ profile lsinitramfs @{exec_path} { /{usr/,}bin/unmkinitramfs rPx, - #include if exists + include if exists } diff --git a/apparmor.d/lspci b/apparmor.d/lspci index 94537984..f93032c3 100644 --- a/apparmor.d/lspci +++ b/apparmor.d/lspci @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lspci profile lspci @{exec_path} { - #include - #include + include + include # Needed when run as root capability sys_admin, @@ -42,5 +42,5 @@ profile lspci @{exec_path} { # file_inherit @{PROC}/ioports r, - #include if exists + include if exists } diff --git a/apparmor.d/lsusb b/apparmor.d/lsusb index 0f4a4efa..9aaba704 100644 --- a/apparmor.d/lsusb +++ b/apparmor.d/lsusb @@ -9,13 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lsusb profile lsusb @{exec_path} { - #include + include + + network netlink raw, @{exec_path} mr, @@ -33,5 +35,5 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, - #include if exists + include if exists } diff --git a/apparmor.d/lxappearance b/apparmor.d/lxappearance index 8a8a67c2..f580d2a5 100644 --- a/apparmor.d/lxappearance +++ b/apparmor.d/lxappearance 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lxappearance profile lxappearance @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include @{exec_path} mr, @@ -58,8 +58,8 @@ profile lxappearance @{exec_path} { profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -71,5 +71,5 @@ profile lxappearance @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/lxc-containers b/apparmor.d/lxc-containers index 0644cf2d..4e94d77e 100644 --- a/apparmor.d/lxc-containers +++ b/apparmor.d/lxc-containers @@ -2,6 +2,6 @@ # listed under /etc/apparmor.d/lxc get loaded at boot. Please do # not edit this file. -#include +include -#include +include diff --git a/apparmor.d/lxc/lxc-default b/apparmor.d/lxc/lxc-default index 9a96a2e5..266edc19 100644 --- a/apparmor.d/lxc/lxc-default +++ b/apparmor.d/lxc/lxc-default @@ -2,7 +2,7 @@ # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default flags=(attach_disconnected,mediate_deleted) { - #include + include # the container may never be allowed to mount devpts. If it does, it # will remount the host's devpts. We could allow it to do it with diff --git a/apparmor.d/lxc/lxc-default-cgns b/apparmor.d/lxc/lxc-default-cgns index f69eb994..d582a407 100644 --- a/apparmor.d/lxc/lxc-default-cgns +++ b/apparmor.d/lxc/lxc-default-cgns @@ -2,7 +2,7 @@ # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) { - #include + include # the container may never be allowed to mount devpts. If it does, it # will remount the host's devpts. We could allow it to do it with 
diff --git a/apparmor.d/lxc/lxc-default-with-mounting b/apparmor.d/lxc/lxc-default-with-mounting index 8a9a6b71..7b5db2ca 100644 --- a/apparmor.d/lxc/lxc-default-with-mounting +++ b/apparmor.d/lxc/lxc-default-with-mounting @@ -2,7 +2,7 @@ # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) { - #include + include # allow standard blockdevtypes. # The concern here is in-kernel superblock parsers bringing down the diff --git a/apparmor.d/lxc/lxc-default-with-nesting b/apparmor.d/lxc/lxc-default-with-nesting index cd198beb..25e3feff 100644 --- a/apparmor.d/lxc/lxc-default-with-nesting +++ b/apparmor.d/lxc/lxc-default-with-nesting @@ -2,8 +2,8 @@ # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) { - #include - #include + include + include deny /dev/.lxc/proc/** rw, deny /dev/.lxc/sys/** rw, diff --git a/apparmor.d/lynx b/apparmor.d/lynx index d0427652..0c88208a 100644 --- a/apparmor.d/lynx +++ b/apparmor.d/lynx @@ -9,18 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/lynx profile lynx @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} mr, @@ -36,5 +41,7 @@ profile lynx @{exec_path} { owner /tmp/lynxXXXX*/ rw, owner /tmp/lynxXXXX*/*TMP.html{,.gz} rw, - #include if exists + owner @{HOME}/ r, + + include if exists } diff --git a/apparmor.d/macchanger b/apparmor.d/macchanger index 3cafe709..d58383dc 100644 --- a/apparmor.d/macchanger +++ b/apparmor.d/macchanger 
@@ -9,21 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/macchanger profile macchanger @{exec_path} { - #include + include capability net_admin, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /usr/share/macchanger/*.list r, /dev/hwrng r, - #include if exists + include if exists } diff --git a/apparmor.d/mediainfo b/apparmor.d/mediainfo index 6824b910..1109abde 100644 --- a/apparmor.d/mediainfo +++ b/apparmor.d/mediainfo @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -40,8 +40,8 @@ @{exec_path} = /{usr/,}bin/mediainfo profile mediainfo @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -54,5 +54,5 @@ profile mediainfo @{exec_path} { owner /media/**/ r, owner /{home,media}/**.@{mediainfo_ext} r, - #include if exists + include if exists } diff --git a/apparmor.d/megasync b/apparmor.d/megasync index d9ec33f1..7700b59c 100644 --- a/apparmor.d/megasync +++ b/apparmor.d/megasync @@ -9,30 +9,36 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{SYNC_FOLDER}=/media/*/cloud_storage @{exec_path} = /{usr/,}bin/megasync profile megasync @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, @{exec_path} mrix, 
@@ -91,8 +97,8 @@ profile megasync @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -111,5 +117,5 @@ profile megasync @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/memtester b/apparmor.d/memtester index 04adc6e7..913a079f 100644 --- a/apparmor.d/memtester +++ b/apparmor.d/memtester @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/memtester profile memtester @{exec_path} { - #include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/mimetype b/apparmor.d/mimetype index 491715c5..1a1f1ee9 100644 --- a/apparmor.d/mimetype +++ b/apparmor.d/mimetype @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mimetype profile mimetype @{exec_path} { - #include - #include + include + include @{exec_path} r, /usr/bin/perl r, @@ -34,5 +34,5 @@ profile mimetype @{exec_path} { # To read files /** r, - #include if exists + include if exists } diff --git a/apparmor.d/minitube b/apparmor.d/minitube index 558b7c07..8a0cf7af 100644 --- a/apparmor.d/minitube +++ b/apparmor.d/minitube @@ -9,28 +9,35 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/minitube profile minitube @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, @{exec_path} mr, 
@@ -100,8 +107,8 @@ profile minitube @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -117,5 +124,5 @@ profile minitube @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/mke2fs b/apparmor.d/mke2fs index 5b90f208..6d6b8457 100644 --- a/apparmor.d/mke2fs +++ b/apparmor.d/mke2fs @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{mke2fs,mkfs.ext2,mkfs.ext3,mkfs.ext4} profile mke2fs @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -42,5 +42,5 @@ profile mke2fs @{exec_path} { # For virt-resize owner /var/tmp/.guestfs-[0-9]*/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/mkfs-btrfs b/apparmor.d/mkfs-btrfs index ef181017..03d6c356 100644 --- a/apparmor.d/mkfs-btrfs +++ b/apparmor.d/mkfs-btrfs @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/mkfs.btrfs profile mkfs-btrfs @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -33,5 +33,5 @@ profile mkfs-btrfs @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/mkfs-fat b/apparmor.d/mkfs-fat index dc82306e..b0c20d7a 100644 --- a/apparmor.d/mkfs-fat +++ b/apparmor.d/mkfs-fat @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{mkfs.fat,mkfs.msdos,mkfs.vfat,mkdosfs} profile mkfs-fat @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, 
@@ -29,5 +29,5 @@ profile mkfs-fat @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/mkinitramfs b/apparmor.d/mkinitramfs index 304d51a8..b640d4dc 100644 --- a/apparmor.d/mkinitramfs +++ b/apparmor.d/mkinitramfs @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/mkinitramfs profile mkinitramfs @{exec_path} { - #include - #include + include + include capability syslog, capability chown, @@ -97,8 +97,8 @@ profile mkinitramfs @{exec_path} { profile ldd { - #include - #include + include + include /{usr/,}bin/ldd mr, @@ -111,8 +111,8 @@ profile mkinitramfs @{exec_path} { } profile ldconfig { - #include - #include + include + include capability sys_chroot, @@ -134,8 +134,8 @@ profile mkinitramfs @{exec_path} { } profile find { - #include - #include + include + include /{usr/,}bin/find mr, @@ -152,8 +152,8 @@ profile mkinitramfs @{exec_path} { } profile kmod { - #include - #include + include + include /{usr/,}bin/kmod mr, @@ -169,5 +169,5 @@ profile mkinitramfs @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/mkntfs b/apparmor.d/mkntfs index 4fb30284..00690f35 100644 --- a/apparmor.d/mkntfs +++ b/apparmor.d/mkntfs @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{mkntfs,mkfs.ntfs} profile mkntfs @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile mkntfs @{exec_path} { owner @{PROC}/@{pids}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/mkswap b/apparmor.d/mkswap index 5a11d895..0ee6b2f1 100644 --- a/apparmor.d/mkswap +++ b/apparmor.d/mkswap 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/mkswap profile mkswap @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile mkswap @{exec_path} { # SWAP file common locations owner /swapfile rw, - #include if exists + include if exists } diff --git a/apparmor.d/mkvmerge b/apparmor.d/mkvmerge index 30463322..428f3ca2 100644 --- a/apparmor.d/mkvmerge +++ b/apparmor.d/mkvmerge @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -46,9 +46,9 @@ @{exec_path} = /{usr/,}bin/mkvmerge profile mkvmerge @{exec_path} { - #include - #include - #include + include + include + include signal (receive) set=(term, kill) peer=mkvtoolnix-gui, @@ -69,5 +69,5 @@ profile mkvmerge @{exec_path} { # file_inherit /dev/dri/card[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/mkvtoolnix-gui b/apparmor.d/mkvtoolnix-gui index bdaad7b0..58757817 100644 --- a/apparmor.d/mkvtoolnix-gui +++ b/apparmor.d/mkvtoolnix-gui @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -46,21 +46,21 @@ @{exec_path} = /{usr/,}bin/mkvtoolnix-gui profile mkvtoolnix-gui @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=mkvmerge, 
@@ -113,5 +113,5 @@ profile mkvtoolnix-gui @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/mlocate b/apparmor.d/mlocate index 335985aa..6517b562 100644 --- a/apparmor.d/mlocate +++ b/apparmor.d/mlocate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mlocate profile mlocate @{exec_path} { - #include - #include + include + include # When run as root capability dac_read_search, @@ -25,5 +25,5 @@ profile mlocate @{exec_path} { /var/lib/mlocate/mlocate.db r, - #include if exists + include if exists } diff --git a/apparmor.d/mount b/apparmor.d/mount index 13f00521..7c320556 100644 --- a/apparmor.d/mount +++ b/apparmor.d/mount @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mount profile mount @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include # To be able to mount anything # mount("/dev/sdb1", "/mnt", "ext4", 0, NULL) = -1 EPERM (Operation not permitted) @@ -60,5 +60,5 @@ profile mount @{exec_path} flags=(complain) { owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab.lock wk, - #include if exists + include if exists } diff --git a/apparmor.d/mount.cifs b/apparmor.d/mount.cifs index eb04aaa1..e5699158 100644 --- a/apparmor.d/mount.cifs +++ b/apparmor.d/mount.cifs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/mount.cifs profile mount.cifs @{exec_path} flags=(complain) { - #include + include # To mount anything. capability sys_admin, @@ -23,6 +23,10 @@ profile mount.cifs @{exec_path} flags=(complain) { # (#FIXME#) capability setpcap, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, /etc/fstab r, 
@@ -37,5 +41,5 @@ profile mount.cifs @{exec_path} flags=(complain) { mount fstype=cifs -> /media/*/, mount fstype=cifs -> /media/*/*/, - #include if exists + include if exists } diff --git a/apparmor.d/mpsyt b/apparmor.d/mpsyt index 9dd9c0ed..171bb30c 100644 --- a/apparmor.d/mpsyt +++ b/apparmor.d/mpsyt @@ -9,22 +9,28 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mpsyt profile mpsyt @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=mpv, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -62,5 +68,8 @@ profile mpsyt @{exec_path} { owner /tmp/mpsyt-input* rw, owner /tmp/mpsyt-mpv*.sock rw, - #include if exists + # Silencer + /usr/lib/python3/** w, + + include if exists } diff --git a/apparmor.d/mpv b/apparmor.d/mpv index 02dce804..0021e57b 100644 --- a/apparmor.d/mpv +++ b/apparmor.d/mpv @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, 
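Review bot: The `# Silencer` rule added at the end of the mpsyt hunk does not silence anything, it grants the access: `/usr/lib/python3/** w,` gives a program that parses untrusted network content write permission on the system-wide Python module tree, so a compromised mpsyt would be allowed by the profile to modify code that every other Python process on the host imports. On a stock install DAC still blocks those writes for an unprivileged user, but the profile should not be the weaker of the two layers. AppArmor suppresses the audit messages for an explicit deny, so the intended effect is achieved with `deny /usr/lib/python3/** w,` without widening the allowed set. It would also help to state in the comment what triggers the attempt (presumably a bytecode-cache write, which I cannot confirm from the hunk) so the rule can later be narrowed to that path.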
@@ -62,25 +62,31 @@ @{exec_path} = /{usr/,}bin/mpv profile mpv @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (receive) set=(term, kill), signal (send) set=(term, kill) peer=youtube-dl, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # MPV config files @@ -151,5 +157,5 @@ profile mpv @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/mtools b/apparmor.d/mtools index 6d440249..59b838e8 100644 --- a/apparmor.d/mtools +++ b/apparmor.d/mtools @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/{mtools,mattrib,mbadblocks,mcat,mcd,mclasserase,mcopy,mdel,mdeltree,mdir,mdu,mformat,minfo,mlabel,mmd,mmount,mmove,mpartition,mrd,mren,mshortname,mshowfat,mtoolstest,mtype,mzip} profile mtools @{exec_path} { - #include - #include - #include - #include + include + include + include + include capability setuid, capability setgid, @@ -36,5 +36,5 @@ profile mtools @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/mumble b/apparmor.d/mumble index d03c9d63..e9689280 100644 --- a/apparmor.d/mumble +++ b/apparmor.d/mumble 
@@ -9,29 +9,36 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mumble profile mumble @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, @{exec_path} mrix, @@ -79,8 +86,8 @@ profile mumble @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -96,5 +103,5 @@ profile mumble @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/mumble-overlay b/apparmor.d/mumble-overlay index 747eee91..d8dcd69c 100644 --- a/apparmor.d/mumble-overlay +++ b/apparmor.d/mumble-overlay @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/mumble-overlay profile mumble-overlay @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -29,5 +29,5 @@ profile mumble-overlay @{exec_path} { /etc/magic r, - #include if exists + include if exists } diff --git a/apparmor.d/netcap b/apparmor.d/netcap index 1242bbdf..908819fa 100644 --- a/apparmor.d/netcap +++ b/apparmor.d/netcap @@ -9,14 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/netcap profile netcap @{exec_path} { - #include - #include + include + include + include capability sys_ptrace, 
@@ -28,14 +29,14 @@ profile netcap @{exec_path} { @{exec_path} mr, - @{PROC}/ r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pid}/net/tcp{,6} r, - owner @{PROC}/@{pid}/net/udp{,6} r, - owner @{PROC}/@{pid}/net/raw{,6} r, - owner @{PROC}/@{pid}/net/packet r, - owner @{PROC}/@{pid}/net/dev r, + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pid}/net/tcp{,6} r, + @{PROC}/@{pid}/net/udp{,6} r, + @{PROC}/@{pid}/net/raw{,6} r, + @{PROC}/@{pid}/net/packet r, + @{PROC}/@{pid}/net/dev r, - #include if exists + include if exists } diff --git a/apparmor.d/nethogs b/apparmor.d/nethogs index a839e999..1d4b80ea 100644 --- a/apparmor.d/nethogs +++ b/apparmor.d/nethogs @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/nethogs profile nethogs @{exec_path} { - #include - #include + include + include capability syslog, capability net_raw, @@ -25,6 +25,9 @@ profile nethogs @{exec_path} { ptrace (read), + network netlink raw, + network packet raw, + @{exec_path} mr, @{PROC}/ r, @@ -32,5 +35,5 @@ profile nethogs @{exec_path} { @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/net/tcp{,6} r, - #include if exists + include if exists } diff --git a/apparmor.d/networkctl b/apparmor.d/networkctl index 6f2221f2..48c967a4 100644 --- a/apparmor.d/networkctl +++ b/apparmor.d/networkctl @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/networkctl profile networkctl @{exec_path} flags=(complain) { - #include + include # To be able to manage network interfaces, capability net_admin, @@ -26,6 +26,10 @@ profile networkctl @{exec_path} flags=(complain) { signal send peer=child-pager, + network inet dgram, + network inet6 dgram, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/pager rPx -> child-pager, 
@@ -37,6 +41,7 @@ profile networkctl @{exec_path} flags=(complain) { @{run}/systemd/netif/links/[0-9]* r, @{run}/systemd/netif/state r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/random/boot_id r, @@ -53,5 +58,5 @@ profile networkctl @{exec_path} flags=(complain) { /var/lib/dbus/machine-id r, /etc/machine-id r, - #include if exists + include if exists } diff --git a/apparmor.d/newgrp b/apparmor.d/newgrp index 2ff834ec..b0f3cec8 100644 --- a/apparmor.d/newgrp +++ b/apparmor.d/newgrp @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/newgrp profile newgrp @{exec_path} { - #include - #include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -29,6 +29,8 @@ profile newgrp @{exec_path} { # newgrp is a SETUID binary capability setuid, + network netlink raw, + @{exec_path} mr, # Shells to use @@ -41,5 +43,5 @@ profile newgrp @{exec_path} { owner @{PROC}/@{pid}/loginuid r, - #include if exists + include if exists } diff --git a/apparmor.d/nft b/apparmor.d/nft index 0f01a16a..8148d791 100644 --- a/apparmor.d/nft +++ b/apparmor.d/nft @@ -9,22 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/nft profile nft @{exec_path} { - #include - #include + include + include capability net_admin, + network netlink raw, + @{exec_path} mr, owner /etc/iproute2/** r, owner /etc/nftables/**.nft r, - #include if exists + include if exists } diff --git a/apparmor.d/nmap b/apparmor.d/nmap index 24671812..a69f30f0 100644 --- a/apparmor.d/nmap +++ b/apparmor.d/nmap 
@@ -9,22 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/nmap profile nmap @{exec_path} { - #include - #include - #include - #include + include + include + include + include capability net_raw, capability net_bind_service, signal (receive) set=(term, kill) peer=zenmap, + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network netlink raw, + network packet raw, + @{exec_path} r, owner @{PROC}/@{pid}/net/dev r, @@ -35,5 +42,5 @@ profile nmap @{exec_path} { owner /tmp/zenmap-stdout-* rw, owner /tmp/zenmap-*.xml rw, - #include if exists + include if exists } diff --git a/apparmor.d/ntfs-3g b/apparmor.d/ntfs-3g index c1cc9dc3..b9670b3b 100644 --- a/apparmor.d/ntfs-3g +++ b/apparmor.d/ntfs-3g @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/{low,}ntfs{,-3g} @{exec_path} += /{usr/,}sbin/mount.{low,}ntfs{,-3g} profile ntfs-3g @{exec_path} { - #include - #include + include + include # When UserMapping is placed under /.NTFS-3G/UserMapping on the NTFS volume - #include + include # Needed in order to mount ntfs disks capability setgid, @@ -50,5 +50,5 @@ profile ntfs-3g @{exec_path} { # kmod is used to load the fuse kernel module /{usr/,}bin/kmod rPx, - #include if exists + include if exists } diff --git a/apparmor.d/ntfs-3g-probe b/apparmor.d/ntfs-3g-probe index 2723ea84..01efa8fd 100644 --- a/apparmor.d/ntfs-3g-probe +++ b/apparmor.d/ntfs-3g-probe @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfs-3g.probe profile ntfs-3g-probe @{exec_path} { - #include - #include + include + include capability sys_admin, @{exec_path} mr, - #include if exists + include if exists } 
diff --git a/apparmor.d/ntfscat b/apparmor.d/ntfscat index a9cf08e9..20064e02 100644 --- a/apparmor.d/ntfscat +++ b/apparmor.d/ntfscat @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfscat profile ntfscat @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfscat @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsclone b/apparmor.d/ntfsclone index a0380751..65718aa0 100644 --- a/apparmor.d/ntfsclone +++ b/apparmor.d/ntfsclone @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ntfsclone profile ntfsclone @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -28,5 +28,5 @@ profile ntfsclone @{exec_path} { @{HOME}/** rwk, /media/*/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/ntfscluster b/apparmor.d/ntfscluster index ab863d6f..53a7fe92 100644 --- a/apparmor.d/ntfscluster +++ b/apparmor.d/ntfscluster @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfscluster profile ntfscluster @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfscluster @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfscmp b/apparmor.d/ntfscmp index 0fe0870b..f7178f28 100644 --- a/apparmor.d/ntfscmp +++ b/apparmor.d/ntfscmp @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfscmp profile ntfscmp @{exec_path} { - #include - #include + include + include capability sys_admin, 
@@ -24,5 +24,5 @@ profile ntfscmp @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfscp b/apparmor.d/ntfscp index a88f021f..f8eb3825 100644 --- a/apparmor.d/ntfscp +++ b/apparmor.d/ntfscp @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ntfscp profile ntfscp @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -31,5 +31,5 @@ profile ntfscp @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsdecrypt b/apparmor.d/ntfsdecrypt index 1909dbd9..286bb16a 100644 --- a/apparmor.d/ntfsdecrypt +++ b/apparmor.d/ntfsdecrypt @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsdecrypt profile ntfsdecrypt @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -26,5 +26,5 @@ profile ntfsdecrypt @{exec_path} { owner /tmp/*.key r, owner @{HOME}/*.key r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsfallocate b/apparmor.d/ntfsfallocate index 04c6a767..236aeba3 100644 --- a/apparmor.d/ntfsfallocate +++ b/apparmor.d/ntfsfallocate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsfallocate profile ntfsfallocate @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsfallocate @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsfix b/apparmor.d/ntfsfix index 0bb2e87b..e01deb50 100644 --- a/apparmor.d/ntfsfix +++ b/apparmor.d/ntfsfix 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsfix profile ntfsfix @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsfix @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsinfo b/apparmor.d/ntfsinfo index 0d310537..39fe58d6 100644 --- a/apparmor.d/ntfsinfo +++ b/apparmor.d/ntfsinfo @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsinfo profile ntfsinfo @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsinfo @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfslabel b/apparmor.d/ntfslabel index d830a4e8..f086ce41 100644 --- a/apparmor.d/ntfslabel +++ b/apparmor.d/ntfslabel @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ntfslabel profile ntfslabel @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfslabel @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsls b/apparmor.d/ntfsls index 9614213b..93487fc5 100644 --- a/apparmor.d/ntfsls +++ b/apparmor.d/ntfsls @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsls profile ntfsls @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsls @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } 
diff --git a/apparmor.d/ntfsmove b/apparmor.d/ntfsmove index d990cce6..68a73af4 100644 --- a/apparmor.d/ntfsmove +++ b/apparmor.d/ntfsmove @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsmove profile ntfsmove @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsmove @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsrecover b/apparmor.d/ntfsrecover index 61ff6c18..73ba2548 100644 --- a/apparmor.d/ntfsrecover +++ b/apparmor.d/ntfsrecover @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsrecover profile ntfsrecover @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsrecover @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsresize b/apparmor.d/ntfsresize index 20a41002..3f7194c5 100644 --- a/apparmor.d/ntfsresize +++ b/apparmor.d/ntfsresize @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ntfsresize profile ntfsresize @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfsresize @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfssecaudit b/apparmor.d/ntfssecaudit index 0ff4e42c..30a8c637 100644 --- a/apparmor.d/ntfssecaudit +++ b/apparmor.d/ntfssecaudit 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfssecaudit profile ntfssecaudit @{exec_path} { - #include - #include - #include + include + include + include capability sys_admin, @@ -25,5 +25,5 @@ profile ntfssecaudit @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfstruncate b/apparmor.d/ntfstruncate index 77695d6a..083bfd2e 100644 --- a/apparmor.d/ntfstruncate +++ b/apparmor.d/ntfstruncate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfstruncate profile ntfstruncate @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfstruncate @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsundelete b/apparmor.d/ntfsundelete index 26d50ead..d3a8ad88 100644 --- a/apparmor.d/ntfsundelete +++ b/apparmor.d/ntfsundelete @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/ntfsundelete profile ntfsundelete @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -28,5 +28,5 @@ profile ntfsundelete @{exec_path} { owner /tmp/ntfs-recovery/ r, owner /tmp/ntfs-recovery/* rw, - #include if exists + include if exists } diff --git a/apparmor.d/ntfsusermap b/apparmor.d/ntfsusermap index 26111eb8..f638e647 100644 --- a/apparmor.d/ntfsusermap +++ b/apparmor.d/ntfsusermap @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfsusermap profile ntfsusermap @{exec_path} { - #include - #include - #include + include + include + include capability sys_admin, 
@@ -29,5 +29,5 @@ profile ntfsusermap @{exec_path} { owner /root/UserMapping w, owner /tmp/UserMapping w, - #include if exists + include if exists } diff --git a/apparmor.d/ntfswipe b/apparmor.d/ntfswipe index 0e0ad9c1..c2679826 100644 --- a/apparmor.d/ntfswipe +++ b/apparmor.d/ntfswipe @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ntfswipe profile ntfswipe @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -24,5 +24,5 @@ profile ntfswipe @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/numlockx b/apparmor.d/numlockx index e6261432..f2066203 100644 --- a/apparmor.d/numlockx +++ b/apparmor.d/numlockx @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/numlockx profile numlockx @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile numlockx @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/nvidia_modprobe b/apparmor.d/nvidia_modprobe index 2c29b997..2502c49d 100644 --- a/apparmor.d/nvidia_modprobe +++ b/apparmor.d/nvidia_modprobe @@ -1,9 +1,11 @@ # vim:syntax=apparmor -#include +abi , + +include profile nvidia_modprobe { - #include + include # Capabilities @@ -35,7 +37,7 @@ profile nvidia_modprobe { # Child profiles profile kmod { - #include + include # Capabilities @@ -60,6 +62,6 @@ profile nvidia_modprobe { } # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/obamenu b/apparmor.d/obamenu index 4c8567f0..de90ad41 100644 --- a/apparmor.d/obamenu +++ b/apparmor.d/obamenu 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/obamenu profile obamenu @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* rix, @@ -29,5 +29,5 @@ profile obamenu @{exec_path} { /usr/share/pixmaps/ r, /usr/share/*/*.desktop r, - #include if exists + include if exists } diff --git a/apparmor.d/obconf b/apparmor.d/obconf index 030130b3..b1452d39 100644 --- a/apparmor.d/obconf +++ b/apparmor.d/obconf @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/obconf profile obconf @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -45,5 +45,5 @@ profile obconf @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/obxprop b/apparmor.d/obxprop index 9d50727b..f1497232 100644 --- a/apparmor.d/obxprop +++ b/apparmor.d/obxprop @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/obxprop profile obxprop @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -25,5 +25,5 @@ profile obxprop @{exec_path} { owner @{HOME}/.icons/default/index.theme r, /usr/share/icons/*/cursors/crosshair r, - #include if exists + include if exists } diff --git a/apparmor.d/okular b/apparmor.d/okular index 0737ef28..aec594de 100644 --- a/apparmor.d/okular +++ b/apparmor.d/okular 
@@ -9,29 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{okular_ext} = [pP][dD][fF] @{exec_path} = /{usr/,}bin/okular profile okular @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -104,8 +104,8 @@ profile okular @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -121,5 +121,5 @@ profile okular @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/on-ac-power b/apparmor.d/on-ac-power index 0d70d401..7a42dee5 100644 --- a/apparmor.d/on-ac-power +++ b/apparmor.d/on-ac-power @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/on_ac_power /{usr/,}bin/on_ac_power profile on-ac-power @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -29,7 +29,9 @@ profile on-ac-power @{exec_path} { @{PROC}/pmu/info r, @{PROC}/apm r, + # For shell pwd / r, + owner @{HOME}/ r, - #include if exists + include if exists } diff --git a/apparmor.d/openbox b/apparmor.d/openbox index 66bbb6c6..b6a46dc6 100644 --- a/apparmor.d/openbox +++ b/apparmor.d/openbox @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/openbox profile openbox @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include signal (send) set=(term, kill), 
@@ -56,7 +56,7 @@ profile openbox @{exec_path} { profile autostart { - #include + include /{usr/,}lib/@{multiarch}/openbox-autostart mr, /{usr/,}lib/@{multiarch}/openbox-xdg-autostart rix, @@ -82,8 +82,8 @@ profile openbox @{exec_path} { owner @{HOME}/.xsession-errors w, owner /dev/tty[0-9]* rw, - #include if exists + include if exists } - #include if exists + include if exists } diff --git a/apparmor.d/openbox-session b/apparmor.d/openbox-session index 64d6c63b..a1a169a4 100644 --- a/apparmor.d/openbox-session +++ b/apparmor.d/openbox-session @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/openbox-session profile openbox-session @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -31,5 +31,5 @@ profile openbox-session @{exec_path} { owner @{HOME}/.xsession-errors w, owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/openvpn b/apparmor.d/openvpn index 4bbcdc9d..c45a6304 100644 --- a/apparmor.d/openvpn +++ b/apparmor.d/openvpn @@ -19,21 +19,25 @@ # DNS/resolver script is stored in: /etc/openvpn/update-resolv-conf{,.sh} # If a user wants to type user/pass interactively, systemd-ask-password is invoked for that. -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/openvpn profile openvpn @{exec_path} { - #include - #include - #include + include + include + include capability net_admin, # These are needed when user/group are set in a OpenVPN config file capability setuid, capability setgid, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # OpenVPN config @@ -56,8 +60,8 @@ profile openvpn @{exec_path} { profile systemd-ask-password { - #include - #include + include + include /{usr/,}bin/systemd-ask-password mr, 
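Review bot: The network rules added to the main openvpn profile permit only `stream` sockets, yet OpenVPN's default transport is `proto udp`, so any config that does not set `proto tcp` would have its socket denied once this profile is enforced. If UDP tunnels are expected to work, add `network inet dgram,` and `network inet6 dgram,` beside the stream rules; if TCP-only is intentional, a one-line comment saying so would keep the next reader from "fixing" it. The `network netlink raw,` rule carries no why-comment (presumably route/interface configuration after the tunnel comes up), and since an AppArmor netlink rule cannot, as far as I know, be narrowed to one netlink family, a comment is the only record of the intended scope. The same undocumented netlink rule is added in the force-user-traffic-via-vpn child profile in the next hunk.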
@@ -67,9 +71,9 @@ profile openvpn @{exec_path} { } profile update-resolv { - #include - #include - #include + include + include + include capability net_admin, @@ -87,12 +91,14 @@ profile openvpn @{exec_path} { } profile force-user-traffic-via-vpn { - #include - #include - #include + include + include + include capability net_admin, + network netlink raw, + /etc/openvpn/ r, /etc/openvpn/force-user-traffic-via-vpn.sh r, @@ -114,5 +120,5 @@ profile openvpn @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/opera b/apparmor.d/opera index 03b86d94..1e8e6e0d 100644 --- a/apparmor.d/opera +++ b/apparmor.d/opera @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer} @{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer} @@ -19,21 +19,21 @@ @{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer} profile opera @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". @@ -48,6 +48,12 @@ profile opera @{exec_path} { signal (send) set=(term, kill) peer=opera-sandbox, signal (send) set=(term, kill) peer=keepassxc-proxy, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, /{usr/,}bin/which rix, @@ -178,8 +184,8 @@ profile opera @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -194,5 +200,5 @@ profile opera @{exec_path} { } - #include if exists + include if exists } 
diff --git a/apparmor.d/opera-crashreporter b/apparmor.d/opera-crashreporter index 9f688a89..2cd96ca8 100644 --- a/apparmor.d/opera-crashreporter +++ b/apparmor.d/opera-crashreporter @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer} @{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer} @@ -19,14 +19,14 @@ @{exec_path} = @{OPERA_INSTALLDIR}/opera_crashreporter profile opera-crashreporter @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include ptrace (trace, read) peer=opera, @@ -42,5 +42,5 @@ profile opera-crashreporter @{exec_path} { deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, - #include if exists + include if exists } diff --git a/apparmor.d/opera-sandbox b/apparmor.d/opera-sandbox index 6319676c..e80e0c79 100644 --- a/apparmor.d/opera-sandbox +++ b/apparmor.d/opera-sandbox @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{OPERA_INSTALLDIR} = /{usr/,}lib/@{multiarch}/opera{,-beta,-developer} @{OPERA_HOMEDIR} = @{HOME}/.config/opera{,-beta,-developer} @@ -19,10 +19,10 @@ @{exec_path} = @{OPERA_INSTALLDIR}/opera_sandbox profile opera-sandbox @{exec_path} { - #include - #include - #include - #include + include + include + include + include # For kernel unprivileged user namespaces capability sys_admin, @@ -42,5 +42,5 @@ profile opera-sandbox @{exec_path} { @{PROC}/@{pids}/ r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - #include if exists + include if exists } diff --git a/apparmor.d/orage b/apparmor.d/orage index 4c0eeb86..fb1cd2d7 100644 --- a/apparmor.d/orage +++ b/apparmor.d/orage 
@@ -9,20 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/orage profile orage @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -53,8 +53,8 @@ profile orage @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -70,5 +70,5 @@ profile orage @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/pacmd b/apparmor.d/pacmd index f903af48..9ea3b9e3 100644 --- a/apparmor.d/pacmd +++ b/apparmor.d/pacmd @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/pacmd profile pacmd @{exec_path} { - #include - #include - #include - #include + include + include + include + include #capability sys_ptrace, ptrace peer=pulseaudio, @@ -29,5 +29,5 @@ profile pacmd @{exec_path} { owner @{PROC}/@{pids}/stat r, - #include if exists + include if exists } diff --git a/apparmor.d/pactl b/apparmor.d/pactl index 0e45b194..c504ff60 100644 --- a/apparmor.d/pactl +++ b/apparmor.d/pactl @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/pactl profile pactl @{exec_path} { - #include - #include - #include - #include + include + include + include + include /{usr/,}bin/pactl mr, @@ -33,5 +33,5 @@ profile pactl @{exec_path} { owner @{HOME}/.xsession-errors w, owner @{HOME}/.anyRemote/anyremote.stdout w, - #include if exists + include if exists } diff --git a/apparmor.d/pagesize b/apparmor.d/pagesize index 33861dc2..caa6fe49 100644 --- a/apparmor.d/pagesize +++ b/apparmor.d/pagesize 
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/pagesize profile pagesize @{exec_path} { - #include + include @{exec_path} mr, # For HugePages @{sys}/kernel/mm/hugepages/ r, - #include if exists + include if exists } diff --git a/apparmor.d/pam-auth-update b/apparmor.d/pam-auth-update index 2c9f606c..104bf601 100644 --- a/apparmor.d/pam-auth-update +++ b/apparmor.d/pam-auth-update @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include @{exec_path} mr, /{usr/,}bin/perl r, @@ -34,10 +34,10 @@ profile pam-auth-update @{exec_path} flags=(complain) { profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, @@ -53,10 +53,10 @@ profile pam-auth-update @{exec_path} flags=(complain) { /usr/share/debconf/templates/adequate.templates r, # The following is needed when debconf uses GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -67,5 +67,5 @@ profile pam-auth-update @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/pam/mappings b/apparmor.d/pam/mappings index 9ce90c0b..99a47320 100644 --- a/apparmor.d/pam/mappings +++ b/apparmor.d/pam/mappings @@ -20,8 +20,8 @@ # necessary to transition to the user's login shell. All other permissions have # been moved into the default_user profile. ^DEFAULT { - #include - #include + include + include capability dac_override, capability setgid, capability setuid, 
@@ -36,8 +36,8 @@ # to transition to gray's login shell. All other permissions have been # moved into the confined_user profile. ^morfik { - #include - #include + include + include capability dac_override, capability audit_write, @@ -57,9 +57,9 @@ # confined. Systems without this special primary group may want to define an # unconfined 'root' hat in this manner (depending on site policy). ^root { - #include - #include - #include + include + include + include capability dac_override, capability audit_write, diff --git a/apparmor.d/pam_roles b/apparmor.d/pam_roles index 5ac7a703..7d82ce70 100644 --- a/apparmor.d/pam_roles +++ b/apparmor.d/pam_roles @@ -15,18 +15,18 @@ # This file contains the roles as referenced by pam/mappings # -#abi , +abi , -#include +include # By default, allow users to read, lock and link to their own files anywhere, # but only write to files in their home directory. Only allow limited execution # of files. profile default_user flags=(complain) { - #include - #include - #include - #include + include + include + include + include deny capability sys_ptrace, @@ -43,10 +43,10 @@ profile default_user flags=(complain) { # Allow confined_users to read, write, lock and link to their own files # anywhere, and execute from some places. profile confined_user flags=(complain) { - #include - #include - #include - #include + include + include + include + include deny capability sys_ptrace, diff --git a/apparmor.d/parted b/apparmor.d/parted index 919fc7e2..0eadca5b 100644 --- a/apparmor.d/parted +++ b/apparmor.d/parted @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/parted profile parted @{exec_path} { - #include - #include + include + include # Needed to inform the system of newly created/removed partitions # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) 
@@ -57,7 +57,7 @@ profile parted @{exec_path} { profile udevadm { - #include + include ptrace (read), @@ -75,7 +75,7 @@ profile parted @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, # file_inherit - #include # lots of files in this abstraction get inherited + include # lots of files in this abstraction get inherited owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk, owner /media/*/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, @@ -83,5 +83,5 @@ profile parted @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/partprobe b/apparmor.d/partprobe index c75080c6..8380fd28 100644 --- a/apparmor.d/partprobe +++ b/apparmor.d/partprobe @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/partprobe profile partprobe @{exec_path} { - #include - #include + include + include # To remove the following errors: # device-mapper: version ioctl on failed: Permission denied @@ -48,7 +48,7 @@ profile partprobe @{exec_path} { profile udevadm { - #include + include ptrace (read), @@ -66,10 +66,10 @@ profile partprobe @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, # file_inherit - #include # lots of files in this abstraction get inherited + include # lots of files in this abstraction get inherited /dev/mapper/control rw, } - #include if exists + include if exists } diff --git a/apparmor.d/passwd b/apparmor.d/passwd index f3fa1a93..b8bcb055 100644 --- a/apparmor.d/passwd +++ b/apparmor.d/passwd @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/passwd profile passwd @{exec_path} { - #include - #include - #include - #include + include + include + include + include # To write records to the kernel auditing log. capability audit_write, 
@@ -33,6 +33,8 @@ profile passwd @{exec_path} { # passwd is a SETUID binary, but it looks like it doesn't want this CAP. #capability setuid, + network netlink raw, + @{exec_path} mr, owner @{PROC}/@{pid}/loginuid r, @@ -44,5 +46,5 @@ profile passwd @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - #include if exists + include if exists } diff --git a/apparmor.d/pavucontrol b/apparmor.d/pavucontrol index 9ef1f82c..e3f67730 100644 --- a/apparmor.d/pavucontrol +++ b/apparmor.d/pavucontrol @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/pavucontrol profile pavucontrol @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include @{exec_path} mr, @@ -43,5 +43,5 @@ profile pavucontrol @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/php-fpm b/apparmor.d/php-fpm new file mode 100644 index 00000000..32a78640 --- /dev/null +++ b/apparmor.d/php-fpm 
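Review bot: `network netlink raw,` is added to passwd without a why-comment, although every other permission in this profile is justified inline (`# To write records to the kernel auditing log.` sits just above). Because AppArmor network rules cannot, as far as I know, restrict netlink by protocol family, this grants the setuid binary every netlink family, so the intent should be recorded, e.g. `# libaudit presumably writes its records over NETLINK_AUDIT; AppArmor cannot limit netlink to one family, so this allows all of them — verify from the audit log`. The same uncommented rule is added to pkexec and polkit-agent-helper further down in this patch; the same comment fits there.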
@@ -0,0 +1,60 @@ +# vim: ft=apparmor + +abi , + +include + +profile php-fpm /usr/sbin/php-fpm* flags=(complain,attach_disconnected) { + # load common libraries and their support files + include + # resolve hostnames/usernames + include + # common php files and support files that php needs + include + # read openssl configuration + include + # read the system certificates + include + + /etc/php{,5,7}/** r, + + capability net_admin, + # change user/group of a pool + capability setuid, + capability setgid, + # change ownership of the socket so that we can launch with a different user/group as the socket will be owned by + capability chown, + # we want to be able to kill our child processes + capability kill, + # to provide sockets with acls different than root + capability dac_override, + + # we need write access here to move it into a different apparmor sub profile + @{PROC}/@{pid}/attr/{apparmor/,}current rw, + + # the main log file + /var/log/php*-fpm.log rw, + + # we need to be able to create all sockets + @{run}/php{,-fpm}/php*-fpm.pid rw, + @{run}/php{,-fpm}/php*-fpm.sock rwlk, + + # to reload + /usr/sbin/php-fpm* rix, + + # no idea why php tries to open / read/write + deny / rw, + + # allow sending signals to our subprocesses + signal (send) peer=php-fpm//*, + + # allow switching processes to those subprofiles + change_profile -> php-fpm//*, + + # load all files from this directory + # store your configurations per pool in this dir + include if exists + + # Site-specific additions and overrides. See local/README for details. + include if exists +} diff --git a/apparmor.d/pinentry-gtk-2 b/apparmor.d/pinentry-gtk-2 index e011bd10..374d89f3 100644 --- a/apparmor.d/pinentry-gtk-2 +++ b/apparmor.d/pinentry-gtk-2 
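Review bot: `capability net_admin,` in the new php-fpm profile is the only capability in the block without a why-comment, and it is far broader than a FastCGI process manager normally needs (it covers interface, routing and firewall configuration). Either record what triggered it, e.g. `# TODO(review): net_admin was presumably taken from an audit denial — identify the operation and drop the capability if it is not needed`, or remove it and re-test; the profile is declared `flags=(complain,...)`, so the question can be settled from the log before switching to enforce. As a point of style, the attachment `/usr/sbin/php-fpm*` and the `/usr/sbin/php-fpm* rix,` re-exec rule hard-code the path, whereas every other profile in this patch goes through `@{exec_path} = /{usr/,}sbin/...` and then `@{exec_path} mr,`; following that convention here would keep the tree uniform.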
@@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/pinentry-gtk-2 profile pinentry-gtk-2 @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/pinentry-kwallet b/apparmor.d/pinentry-kwallet index 949df6da..f5cc1198 100644 --- a/apparmor.d/pinentry-kwallet +++ b/apparmor.d/pinentry-kwallet @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/pinentry-kwallet profile pinentry-kwallet @{exec_path} { - #include - #include - #include - #include + include + include + include + include signal (send) set=(term, kill) peer=gpg-agent, @@ -41,7 +41,7 @@ profile pinentry-kwallet @{exec_path} { profile kwalletcli { - #include + include /{usr/,}bin/kwalletcli mr, @@ -56,5 +56,5 @@ profile pinentry-kwallet @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/pinentry-qt b/apparmor.d/pinentry-qt index a86b3edd..219a094e 100644 --- a/apparmor.d/pinentry-qt +++ b/apparmor.d/pinentry-qt @@ -9,23 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/pinentry-qt profile pinentry-qt @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -44,5 +44,5 @@ profile pinentry-qt @{exec_path} { /usr/share/hwdata/pnp.ids r, - #include if exists + include if exists } diff --git a/apparmor.d/pkexec b/apparmor.d/pkexec index 58678198..82b2f4a4 100644 --- a/apparmor.d/pkexec +++ b/apparmor.d/pkexec 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/pkexec profile pkexec @{exec_path} flags=(complain) { - #include - #include - #include - #include - #include + include + include + include + include + include signal (send) set=(term, kill) peer=polkit-agent-helper, @@ -36,6 +36,8 @@ profile pkexec @{exec_path} flags=(complain) { ptrace (read), + network netlink raw, + @{exec_path} mr, /etc/shells r, @@ -56,5 +58,5 @@ profile pkexec @{exec_path} flags=(complain) { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/polipo b/apparmor.d/polipo index 672b8be1..1edc884b 100644 --- a/apparmor.d/polipo +++ b/apparmor.d/polipo @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/polipo profile polipo @{exec_path} { - #include + include @{exec_path} mr, @@ -31,5 +31,5 @@ profile polipo @{exec_path} { # Nameservice /etc/resolv.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/polkit-agent-helper b/apparmor.d/polkit-agent-helper index 0dd3fe98..9c6955a3 100644 --- a/apparmor.d/polkit-agent-helper +++ b/apparmor.d/polkit-agent-helper @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] profile polkit-agent-helper @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include signal (receive) set=(term, kill) peer=polkit-*-authentication-agent, signal (receive) set=(term, kill) peer=pkexec, 
@@ -32,11 +32,13 @@ profile polkit-agent-helper @{exec_path} { # Needed? deny capability sys_nice, + network netlink raw, + @{exec_path} mr, # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/polkit-kde-authentication-agent b/apparmor.d/polkit-kde-authentication-agent index f68b79dc..1d264b39 100644 --- a/apparmor.d/polkit-kde-authentication-agent +++ b/apparmor.d/polkit-kde-authentication-agent @@ -9,25 +9,25 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/libexec/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=polkit-agent-helper, @@ -58,5 +58,5 @@ profile polkit-kde-authentication-agent @{exec_path} { owner /tmp/#[0-9]*[0-9] rw, owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#[0-9]*[0-9], - #include if exists + include if exists } diff --git a/apparmor.d/polkit-mate-authentication-agent b/apparmor.d/polkit-mate-authentication-agent index 1e1064bb..279b1654 100644 --- a/apparmor.d/polkit-mate-authentication-agent +++ b/apparmor.d/polkit-mate-authentication-agent 
@@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9] profile polkit-mate-authentication-agent @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=polkit-agent-helper, @@ -44,5 +44,5 @@ profile polkit-mate-authentication-agent @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/polkitd b/apparmor.d/polkitd index 44e85cb8..3410265a 100644 --- a/apparmor.d/polkitd +++ b/apparmor.d/polkitd @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/polkit-1/polkitd profile polkitd @{exec_path} { - #include - #include + include + include # Tu run as polkitd:nogroup capability setuid, @@ -46,5 +46,5 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/[0-9]* r, - #include if exists + include if exists } diff --git a/apparmor.d/popcon-largest-unused b/apparmor.d/popcon-largest-unused index 10842b5f..a4a195d9 100644 --- a/apparmor.d/popcon-largest-unused +++ b/apparmor.d/popcon-largest-unused @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/popcon-largest-unused profile popcon-largest-unused @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -33,5 +33,8 @@ profile popcon-largest-unused @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - #include if exists + # For shell pwd + /root/ r, + + include if exists } 
diff --git a/apparmor.d/popularity-contest b/apparmor.d/popularity-contest index 8689cfb1..456d6d35 100644 --- a/apparmor.d/popularity-contest +++ b/apparmor.d/popularity-contest @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/popularity-contest profile popularity-contest @{exec_path} { - #include - #include - #include + include + include + include # For popularity-contest --su-nobody capability setuid, @@ -59,5 +59,5 @@ profile popularity-contest @{exec_path} { # file_inherit /tmp/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/ps b/apparmor.d/ps index 049acd22..d9ab3d20 100644 --- a/apparmor.d/ps +++ b/apparmor.d/ps @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # When any of the "*ns" parameters is used, the following error will be printed: # "Failed name lookup - disconnected path" error=-13 profile="ps" name="". @{exec_path} = /{usr/,}bin/ps profile ps @{exec_path} flags=(attach_disconnected) { - #include - #include - #include + include + include + include # To be able to read the /proc/ files of all processes in the system. capability dac_read_search, @@ -67,5 +67,5 @@ profile ps @{exec_path} flags=(attach_disconnected) { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/ps-mem b/apparmor.d/ps-mem index b1d86c7b..418f3a19 100644 --- a/apparmor.d/ps-mem +++ b/apparmor.d/ps-mem @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ps_mem profile ps-mem @{exec_path} { - #include - #include + include + include capability sys_ptrace, @@ -35,5 +35,5 @@ profile ps-mem @{exec_path} { # For the "--swap" flag @{PROC}/@{pid}/smaps r, - #include if exists + include if exists } 
diff --git a/apparmor.d/pscap b/apparmor.d/pscap index 608e3394..c4b2f383 100644 --- a/apparmor.d/pscap +++ b/apparmor.d/pscap @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/pscap profile pscap @{exec_path} { - #include - #include - #include + include + include + include capability sys_ptrace, @@ -28,5 +28,5 @@ profile pscap @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/stat r, - #include if exists + include if exists } diff --git a/apparmor.d/psi-plus b/apparmor.d/psi-plus index 38a27f33..08a6d593 100644 --- a/apparmor.d/psi-plus +++ b/apparmor.d/psi-plus @@ -9,33 +9,39 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/psi-plus profile psi-plus @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=child-lsb_release, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + @{exec_path} mr, /{usr/,}bin/lsb_release rPx -> child-lsb_release, @@ -104,8 +110,8 @@ profile psi-plus @{exec_path} { profile aplay { - #include - #include + include + include /{usr/,}bin/aplay mr, #/{usr/,}bin/pulseaudio rPUx, @@ -123,7 +129,7 @@ profile psi-plus @{exec_path} { } profile gpg { - #include + include /{usr/,}bin/gpg mr, @@ -136,8 +142,8 @@ profile psi-plus @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -153,5 +159,5 @@ profile psi-plus @{exec_path} { } - #include if exists + include if exists } 
diff --git a/apparmor.d/pulseaudio b/apparmor.d/pulseaudio index 0f54a353..aa07d128 100644 --- a/apparmor.d/pulseaudio +++ b/apparmor.d/pulseaudio @@ -9,22 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/pulseaudio profile pulseaudio @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include ptrace (trace) peer=@{profile_name}, signal (receive) peer=pacmd, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, @@ -83,5 +87,5 @@ profile pulseaudio @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/qbittorrent b/apparmor.d/qbittorrent index a89c29b9..702101ee 100644 --- a/apparmor.d/qbittorrent +++ b/apparmor.d/qbittorrent @@ -9,34 +9,41 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{TORRENT_DIR} = /media/*/torrent @{exec_path} = /{usr/,}bin/qbittorrent profile qbittorrent @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=qbittorrent//python3, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + @{exec_path} mr, # For "search engine" 
@@ -113,14 +120,18 @@ profile qbittorrent @{exec_path} { profile python3 { - #include - #include - #include - #include - #include + include + include + include + include + include signal (receive) set=(term, kill) peer=qbittorrent, + network inet dgram, + network inet6 dgram, + network netlink raw, + /{usr/,}bin/python3.[0-9]* r, owner @{HOME}/.local/share/data/qBittorrent/nova[0-9]/{,**} rw, @@ -140,8 +151,8 @@ profile qbittorrent @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -171,5 +182,5 @@ profile qbittorrent @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/qbittorrent-nox b/apparmor.d/qbittorrent-nox index cc7f11ab..7eea7886 100644 --- a/apparmor.d/qbittorrent-nox +++ b/apparmor.d/qbittorrent-nox @@ -9,19 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{TORRENT_DIR} = /media/*/torrent @{exec_path} = /{usr/,}bin/qbittorrent-nox profile qbittorrent-nox @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, @{exec_path} mr, @@ -68,5 +75,5 @@ profile qbittorrent-nox @{exec_path} { owner /tmp/mozilla_*/*.torrent rw, owner /tmp/.*/{,s} rw, - #include if exists + include if exists } diff --git a/apparmor.d/qnapi b/apparmor.d/qnapi index 2a1361be..de3e4db1 100644 --- a/apparmor.d/qnapi +++ b/apparmor.d/qnapi @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, 
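Review bot: The python3 child profile of qbittorrent only gains `network inet dgram,`, `network inet6 dgram,` and `network netlink raw,`, while the parent profile in the previous hunk also gets the stream variants. If the nova search plugins this child runs fetch results over HTTP, they need a TCP socket, which these rules do not allow; worth confirming against the audit log before relying on the change, since a child profile does not inherit the parent's network rules. The child profile continues past the end of this hunk.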
@@ -46,24 +46,31 @@ @{exec_path} = /{usr/,}bin/qnapi profile qnapi @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include # Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the # action (stop qnapi), the apps send the term/kill signal to qnapi. signal (receive) set=(kill, term), + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + network netlink dgram, + @{exec_path} mr, /{usr/,}bin/7z rix, @@ -124,8 +131,8 @@ profile qnapi @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -141,5 +148,5 @@ profile qnapi @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/qpdfview b/apparmor.d/qpdfview index 73d6b2a7..e533ec20 100644 --- a/apparmor.d/qpdfview +++ b/apparmor.d/qpdfview @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Ebooks extensions # pdf, epub, djvu @@ -21,20 +21,20 @@ @{exec_path} = /{usr/,}bin/qpdfview profile qpdfview @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -104,8 +104,8 @@ profile qpdfview @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -121,7 +121,7 @@ profile qpdfview @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/qt5ct b/apparmor.d/qt5ct index 88cd43ef..392539de 100644 --- a/apparmor.d/qt5ct 
+++ b/apparmor.d/qt5ct @@ -9,23 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/qt5ct profile qt5ct @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -57,5 +57,5 @@ profile qt5ct @{exec_path} { /dev/shm/#[0-9]*[0-9] rw, - #include if exists + include if exists } diff --git a/apparmor.d/qtchooser b/apparmor.d/qtchooser index 690f6435..5d8971d8 100644 --- a/apparmor.d/qtchooser +++ b/apparmor.d/qtchooser @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/qtchooser profile qtchooser @{exec_path} flags=(complain) { - #include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile qtchooser @{exec_path} flags=(complain) { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/querybts b/apparmor.d/querybts index c7bfd0f1..e5e634b0 100644 --- a/apparmor.d/querybts +++ b/apparmor.d/querybts @@ -9,23 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/querybts profile querybts @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -59,8 +65,8 @@ profile querybts @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, 
@@ -76,5 +82,5 @@ profile querybts @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/quiterss b/apparmor.d/quiterss index e73f0eb6..689f4a0c 100644 --- a/apparmor.d/quiterss +++ b/apparmor.d/quiterss @@ -9,31 +9,38 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/quiterss profile quiterss @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include # This one is needed when you want to receive sound notifications - ##include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + network netlink dgram, @{exec_path} mr, @@ -90,8 +97,8 @@ profile quiterss @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -107,5 +114,5 @@ profile quiterss @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/rdmsr b/apparmor.d/rdmsr index 85a57cb3..8fa61858 100644 --- a/apparmor.d/rdmsr +++ b/apparmor.d/rdmsr @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/rdmsr profile rdmsr @{exec_path} { - #include + include # To access /dev/cpu/*/msr . capability sys_rawio, @@ -24,5 +24,5 @@ profile rdmsr @{exec_path} { owner /dev/cpu/[0-9]*/msr r, - #include if exists + include if exists } diff --git a/apparmor.d/redshift b/apparmor.d/redshift index 02542bd8..26b4ca8d 100644 --- a/apparmor.d/redshift +++ b/apparmor.d/redshift 
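Review bot: In the quiterss hunk, `##include` becomes `include`, which turns a previously commented-out abstraction into an active one, yet the comment above it still reads as an opt-in ("needed when you want to receive sound notifications"). If enabling it by default is intended, the comment should say so, e.g. `# Needed for sound notifications`; if not, keep it disabled with a regular `# `-prefixed comment rather than `#include`, which AppArmor 3 still honours as the legacy include form. Either way this is a behaviour change hidden inside an otherwise mechanical syntax conversion.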
@@ -10,14 +10,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/redshift profile redshift @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -39,5 +39,5 @@ profile redshift @{exec_path} { owner @{HOME}/.Xauthority r, owner /tmp/xauth-[0-9]*-_[0-9] r, - #include if exists + include if exists } diff --git a/apparmor.d/repo b/apparmor.d/repo index 62536305..7ff5112a 100644 --- a/apparmor.d/repo +++ b/apparmor.d/repo @@ -9,18 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/repo -profile repo @{exec_path} flags=(complain) { - #include - #include - #include - #include - #include - #include +profile repo @{exec_path} { + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} r, /{usr/,}bin/python3.[0-9]* rix, @@ -59,24 +64,26 @@ profile repo @{exec_path} flags=(complain) { owner /dev/shm/sem.mp* rwl -> /dev/shm/*, - profile curl flags=(complain) { - #include - #include - #include - #include + profile curl { + include + include + include + include /{usr/,}bin/curl mr, } - profile gpg flags=(complain) { - #include + profile gpg { + include /{usr/,}bin/gpg mr, owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**, + owner /tmp/.git_vtag_tmp* r, + } - #include if exists + include if exists } diff --git a/apparmor.d/reportbug b/apparmor.d/reportbug index c2abcbf0..cf544f1b 100644 --- a/apparmor.d/reportbug +++ b/apparmor.d/reportbug 
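Review bot: The repo hunk drops `flags=(complain)` from the main profile, and the second repo hunk on this page does the same for the curl and gpg child profiles, moving all three to enforce mode in a commit described as a syntax update for AppArmor 3; that behaviour change deserves a mention in the commit message or its own commit. The network rules added here apply only to the main profile, since child profiles do not inherit them, so if curl performs the fetches it needs its own `network inet stream,` / `network inet6 stream,` (or an abstraction that grants them; the include targets are not visible here) before it is enforced. The new `owner /tmp/.git_vtag_tmp* r,` in the gpg child looks fine as a read-only, owner-restricted rule.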
@@ -9,23 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/reportbug profile reportbug @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -89,14 +95,14 @@ profile reportbug @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, } profile gpg { - #include + include /{usr/,}bin/gpg mr, @@ -108,8 +114,8 @@ profile reportbug @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -125,5 +131,5 @@ profile reportbug @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/reprepro b/apparmor.d/reprepro index 5ff17efc..09216692 100644 --- a/apparmor.d/reprepro +++ b/apparmor.d/reprepro @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{REPO_DIR} = /media/debuilder/repo @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/reprepro profile reprepro @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -63,7 +63,7 @@ profile reprepro @{exec_path} { owner @{BUILD_DIR}/pbuilder/result/*.tar.* r, profile gpg { - #include + include /{usr/,}bin/gpgconf mr, /{usr/,}bin/gpg mr, @@ -74,5 +74,5 @@ profile reprepro @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/resize2fs b/apparmor.d/resize2fs index e2714f96..718c9808 100644 --- a/apparmor.d/resize2fs +++ b/apparmor.d/resize2fs 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/resize2fs profile resize2fs @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -30,5 +30,5 @@ profile resize2fs @{exec_path} { owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/rfkill b/apparmor.d/rfkill index 144371f4..75154b1f 100644 --- a/apparmor.d/rfkill +++ b/apparmor.d/rfkill @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/rfkill profile rfkill @{exec_path} { - #include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile rfkill @{exec_path} { @{sys}/devices/pci[0-9]*/**/rfkill[0-9]/{name,type} r, @{sys}/devices/platform/**/rfkill/rfkill[0-9]/{name,type} r, - #include if exists + include if exists } diff --git a/apparmor.d/rpi-imager b/apparmor.d/rpi-imager index 944ad368..bbfd3a1a 100644 --- a/apparmor.d/rpi-imager +++ b/apparmor.d/rpi-imager @@ -9,29 +9,36 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/rpi-imager profile rpi-imager @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include #capability sys_admin, deny capability sys_nice, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + @{exec_path} mr, /usr/bin/lsblk rCx -> lsblk, 
@@ -85,9 +92,9 @@ profile rpi-imager @{exec_path} { profile lsblk { - #include - #include - #include + include + include + include /usr/bin/lsblk mr, @@ -99,5 +106,5 @@ profile rpi-imager @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/rredtool b/apparmor.d/rredtool index c8842289..f1688539 100644 --- a/apparmor.d/rredtool +++ b/apparmor.d/rredtool @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/rredtool profile rredtool @{exec_path} flags=(complain) { - #include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/rsyslogd b/apparmor.d/rsyslogd index ff37cc8b..6affe0c3 100644 --- a/apparmor.d/rsyslogd +++ b/apparmor.d/rsyslogd @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Debugging the syslogger can be difficult if it can't write to the file # that the kernel is logging denials to. In these cases, you can do the @@ -20,8 +20,8 @@ @{exec_path} = /{usr/,}sbin/rsyslogd profile rsyslogd @{exec_path} { - #include - #include + include + include capability syslog, @@ -55,5 +55,5 @@ profile rsyslogd @{exec_path} { /etc/CA/*.crt r, /etc/CA/*.key r, - #include if exists + include if exists } diff --git a/apparmor.d/rtkit-daemon b/apparmor.d/rtkit-daemon index 02fb286d..eac84366 100644 --- a/apparmor.d/rtkit-daemon +++ b/apparmor.d/rtkit-daemon @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/libexec/rtkit-daemon profile rtkit-daemon @{exec_path} { - #include - #include + include + include # To raise process nice and set scheduling policies (real-time) and priorities capability sys_nice, 
@@ -40,5 +40,5 @@ profile rtkit-daemon @{exec_path} { @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/@{pids}/limits r, - #include if exists + include if exists } diff --git a/apparmor.d/rtkitctl b/apparmor.d/rtkitctl index ed3bcc14..3014abae 100644 --- a/apparmor.d/rtkitctl +++ b/apparmor.d/rtkitctl @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/rtkitctl profile rtkitctl @{exec_path} { - #include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/run-parts b/apparmor.d/run-parts index 2fbf74f3..21130cc9 100644 --- a/apparmor.d/run-parts +++ b/apparmor.d/run-parts @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/run-parts profile run-parts @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -48,7 +48,7 @@ profile run-parts @{exec_path} { profile motd { - #include + include / r, /etc/update-motd.d/[0-9]*-[a-z]* r, @@ -60,8 +60,8 @@ profile run-parts @{exec_path} { } profile kernel-pre-post { - #include - #include + include + include /etc/kernel/header_postinst.d/* r, /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, @@ -115,5 +115,5 @@ profile run-parts @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/runuser b/apparmor.d/runuser index e817b2fd..77f300fa 100644 --- a/apparmor.d/runuser +++ b/apparmor.d/runuser @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/runuser profile runuser @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include # To remove the following errors: # runuser: cannot set user id: Operation not permitted 
@@ -51,5 +51,5 @@ profile runuser @{exec_path} { # file_inherit owner /tmp/debian-security-support.postinst.*/output w, - #include if exists + include if exists } diff --git a/apparmor.d/sbin.klogd b/apparmor.d/sbin.klogd index 8f4b22d3..b44c4da0 100644 --- a/apparmor.d/sbin.klogd +++ b/apparmor.d/sbin.klogd @@ -9,10 +9,12 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile klogd /{usr/,}{bin,sbin}/klogd flags=(complain) { - #include + include capability sys_admin, # for backward compatibility with kernel <= 2.6.37 capability syslog, @@ -26,10 +28,10 @@ profile klogd /{usr/,}{bin,sbin}/klogd flags=(complain) { /{usr/,}{bin,sbin}/klogd rmix, /var/log/boot.msg rwl, - /{,var/}run/klogd.pid krwl, - /{,var/}run/klogd/klogd.pid krwl, - /{,var/}run/klogd/kmsg r, + @{run}/klogd.pid krwl, + @{run}/klogd/klogd.pid krwl, + @{run}/klogd/kmsg r, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/sbin.syslog-ng b/apparmor.d/sbin.syslog-ng index b03af238..1f0d229e 100644 --- a/apparmor.d/sbin.syslog-ng +++ b/apparmor.d/sbin.syslog-ng @@ -10,18 +10,21 @@ # # ------------------------------------------------------------------ -#include +abi , + +include #define this to be where syslog-ng is chrooted @{CHROOT_BASE}="" profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng flags=(complain) { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include capability chown, capability dac_override, @@ -45,8 +48,6 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng flags=(complain) { /etc/syslog-ng/conf.d/ r, /etc/syslog-ng/conf.d/* r, @{PROC}/kmsg r, - /etc/hosts.deny r, - /etc/hosts.allow r, /{usr/,}{bin,sbin}/syslog-ng mr, @{sys}/devices/system/cpu/online r, /usr/share/syslog-ng/** r, 
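Review bot: The syslog-ng hunks remove `/etc/hosts.deny r,` and `/etc/hosts.allow r,` while adding a seventh include to the profile, but nothing records that the new abstraction is what replaces those two rules. A short comment next to the new include, e.g. `# covers /etc/hosts.{allow,deny} for tcp-wrappers`, or a line in the commit message would make the substitution checkable; if the abstraction does not grant those reads and syslog-ng is built with tcp-wrapper support, the lookups would start failing once the profile leaves complain mode. The rest of the conversion to `@{run}` matches the other profiles.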
@@ -55,14 +56,14 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng flags=(complain) { @{CHROOT_BASE}/var/lib/*/dev/log w, @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw, @{CHROOT_BASE}/var/log/** w, - @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw, - @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw, + @{CHROOT_BASE}/@{run}/syslog-ng.pid krw, + @{CHROOT_BASE}/@{run}/syslog-ng.ctl rw, /{var,var/run,run}/log/journal/ r, /{var,var/run,run}/log/journal/*/ r, /{var,var/run,run}/log/journal/*/*.journal r, - /{var/,}run/syslog-ng.ctl a, - /{var/,}run/syslog-ng/additional-log-sockets.conf r, + @{run}/syslog-ng.ctl a, + @{run}/syslog-ng/additional-log-sockets.conf r, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/sbin.syslogd b/apparmor.d/sbin.syslogd index 1b54029d..bcd632aa 100644 --- a/apparmor.d/sbin.syslogd +++ b/apparmor.d/sbin.syslogd @@ -9,12 +9,14 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile syslogd /{usr/,}{bin,sbin}/syslogd flags=(complain) { - #include - #include - #include + include + include + include capability sys_tty_config, capability dac_override, @@ -34,10 +36,10 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd flags=(complain) { /etc/syslog.conf r, /{usr/,}{bin,sbin}/syslogd rmix, /var/log/** rw, - /{,var/}run/syslogd.pid krwl, - /{,var/}run/utmp rw, + @{run}/syslogd.pid krwl, + @{run}/utmp rw, /var/spool/compaq/nic/messages_fifo rw, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/scdaemon b/apparmor.d/scdaemon index c73c96f3..ea03bfcc 100644 --- a/apparmor.d/scdaemon +++ b/apparmor.d/scdaemon 
@@ -9,13 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/gnupg/scdaemon profile scdaemon @{exec_path} { - #include + include + + network netlink raw, @{exec_path} mr, @@ -34,5 +36,5 @@ profile scdaemon @{exec_path} { @{sys}/class/ r, @{sys}/devices/pci[0-9]*/**/{busnum,devnum,descriptors,speed,uevent,bConfigurationValue} r, - #include if exists + include if exists } diff --git a/apparmor.d/scrot b/apparmor.d/scrot index 86c8c842..9ce34a17 100644 --- a/apparmor.d/scrot +++ b/apparmor.d/scrot @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/scrot profile scrot @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -39,5 +39,5 @@ profile scrot @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/sddm b/apparmor.d/sddm index 73c34971..46b09715 100644 --- a/apparmor.d/sddm +++ b/apparmor.d/sddm @@ -9,20 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/sddm profile sddm @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include # To remove the following errors: # chown("/tmp/sddm-:0-YPUOCV", 123, 132) = -1 EPERM (Operation not permitted) @@ -169,9 +169,9 @@ profile sddm @{exec_path} { profile sddm-scripts { - #include - #include - #include + include + include + include /usr/share/sddm/scripts/Xsetup r, /usr/share/sddm/scripts/Xstop r, @@ -192,7 +192,7 @@ profile sddm @{exec_path} { } profile xauth { - #include + include /{usr/,}bin/xauth mr, @@ -208,5 +208,5 @@ profile sddm @{exec_path} { } - #include if exists + include if exists } 
diff --git a/apparmor.d/sddm-greeter b/apparmor.d/sddm-greeter index 53f020a7..6530b76f 100644 --- a/apparmor.d/sddm-greeter +++ b/apparmor.d/sddm-greeter @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/sddm-greeter profile sddm-greeter @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include @{exec_path} mr, @@ -83,7 +83,7 @@ profile sddm-greeter @{exec_path} { owner @{HOME}/.cache/plasma_theme_*.kcache rw, owner @{HOME}/.cache/plasma-svgelements-* rw, - #include + include owner @{PROC}/@{pid}/cmdline r, #------------------------------------------------------------------ @@ -105,5 +105,5 @@ profile sddm-greeter @{exec_path} { # file_inherit #/dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/sddm-xsession b/apparmor.d/sddm-xsession index a24295d3..147ef66a 100644 --- a/apparmor.d/sddm-xsession +++ b/apparmor.d/sddm-xsession @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/sddm/Xsession profile sddm-xsession @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -79,7 +79,7 @@ profile sddm-xsession @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -92,7 +92,7 @@ profile sddm-xsession @{exec_path} { } profile dbus { - #include + include /{usr/,}bin/dbus-update-activation-environment mr, @@ -102,7 +102,7 @@ profile sddm-xsession @{exec_path} { } profile gpg { - #include + include /{usr/,}bin/gpgconf mr, @@ -116,7 +116,7 @@ profile sddm-xsession @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, 
@@ -139,5 +139,5 @@ profile sddm-xsession @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/sensors b/apparmor.d/sensors index 4bf1e69d..335ab2ef 100644 --- a/apparmor.d/sensors +++ b/apparmor.d/sensors @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/sensors profile sensors @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -46,5 +46,5 @@ profile sensors @{exec_path} { deny @{PROC}/loadavg r, deny @{PROC}/@{pid}/io r, - #include if exists + include if exists } diff --git a/apparmor.d/sensors-detect b/apparmor.d/sensors-detect index 678b983b..9bb179cd 100644 --- a/apparmor.d/sensors-detect +++ b/apparmor.d/sensors-detect @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/sensors-detect profile sensors-detect @{exec_path} { - #include - #include + include + include capability syslog, @@ -48,7 +48,7 @@ profile sensors-detect @{exec_path} { profile udevadm { - #include + include capability sys_ptrace, @@ -66,7 +66,7 @@ profile sensors-detect @{exec_path} { } profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -79,5 +79,5 @@ profile sensors-detect @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/setpci b/apparmor.d/setpci index fb3fbc39..49e864b7 100644 --- a/apparmor.d/setpci +++ b/apparmor.d/setpci @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/setpci profile setpci @{exec_path} flags=(complain) { - #include + include @{exec_path} mr, @{sys}/bus/pci/devices/ r, @{sys}/devices/pci[0-9]*/** r, - #include if exists + include if exists } diff --git a/apparmor.d/setpriv b/apparmor.d/setpriv index 7e515485..3f3b3c0c 100644 --- a/apparmor.d/setpriv +++ b/apparmor.d/setpriv 
@@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/setpriv profile setpriv @{exec_path} { - #include - #include + include + include @{exec_path} mr, /{usr/,}bin/[a-z0-9]* rPUx, /{usr/,}sbin/[a-z0-9]* rPUx, - #include if exists + include if exists } diff --git a/apparmor.d/sfdisk b/apparmor.d/sfdisk index bbe7f39f..bf0dad47 100644 --- a/apparmor.d/sfdisk +++ b/apparmor.d/sfdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/sfdisk profile sfdisk @{exec_path} { - #include - #include + include + include # Needed to avoid the following error: # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) @@ -39,5 +39,5 @@ profile sfdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/sgdisk b/apparmor.d/sgdisk index 12969551..37e976fb 100644 --- a/apparmor.d/sgdisk +++ b/apparmor.d/sgdisk @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/sgdisk profile sgdisk @{exec_path} { - #include - #include + include + include # Needed to inform the system of newly created/removed partitions # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) @@ -39,5 +39,5 @@ profile sgdisk @{exec_path} { owner @{HOME}/**.{bak,back} rwk, owner /media/*/**.{bak,back} rwk, - #include if exists + include if exists } diff --git a/apparmor.d/signal-desktop b/apparmor.d/signal-desktop index c796a715..c7e1f91d 100644 --- a/apparmor.d/signal-desktop +++ b/apparmor.d/signal-desktop 
@@ -8,26 +8,26 @@ # License published by the Free Software Foundation. # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}" @{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}" @{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} profile signal-desktop @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -75,5 +75,5 @@ profile signal-desktop @{exec_path} { /{usr/,}bin/getconf rix, - #include if exists + include if exists } diff --git a/apparmor.d/signal-desktop-chrome-sandbox b/apparmor.d/signal-desktop-chrome-sandbox index 1379816c..60470716 100644 --- a/apparmor.d/signal-desktop-chrome-sandbox +++ b/apparmor.d/signal-desktop-chrome-sandbox @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}" @{SIGNAL_HOMEDIR} = "@{HOME}/.config/Signal{, Beta}" @{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} profile signal-desktop-chrome-sandbox @{exec_path} { - #include - #include + include + include @{exec_path} mr, @{SIGNAL_INSTALLDIR}/signal-desktop rPx, - #include if exists + include if exists } diff --git a/apparmor.d/smartctl b/apparmor.d/smartctl index fef20c00..74a2154a 100644 --- a/apparmor.d/smartctl +++ b/apparmor.d/smartctl @@ -9,14 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/smartctl profile smartctl @{exec_path} { - #include - #include + include + include + include # To remove the following errors: # Probable ATA device behind a SAT layer 
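Review bot: The signal-desktop profile gains `abi <abi/3.0>,` but, unlike smtube, strawberry or syncthing in this same commit, no `network` rules, and none of the visible lines grant socket access. Once the 3.0 abi is declared, socket mediation is enforced on kernels that support it, so unless one of the included abstractions (their targets are not visible here) provides it, the client will be denied its connections; the spotify hunk further down has the same shape. If the access is intended, adding the explicit rules the other desktop profiles received (`network inet stream,` / `network inet6 stream,` plus the dgram variants where needed) keeps the grant reviewable in the profile itself rather than hidden in an abstraction.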
@@ -27,5 +28,5 @@ profile smartctl @{exec_path} { /var/lib/smartmontools/** r, - #include if exists + include if exists } diff --git a/apparmor.d/smartd b/apparmor.d/smartd index f2761caa..41f34453 100644 --- a/apparmor.d/smartd +++ b/apparmor.d/smartd @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/smartd profile smartd @{exec_path} { - #include - #include + include + include # To remove the following errors: # Device: /dev/disk/by-id/ata-*, IE (SMART) not enabled, skip device @@ -45,5 +45,5 @@ profile smartd @{exec_path} { /dev/ r, @{PROC}/devices r, - #include if exists + include if exists } diff --git a/apparmor.d/smplayer b/apparmor.d/smplayer index 7f579aae..a13203ac 100644 --- a/apparmor.d/smplayer +++ b/apparmor.d/smplayer @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -59,26 +59,25 @@ # For Qbittorrent !qB extension @{smplayer_ext} += "!qB" - @{exec_path} = /{usr/,}bin/smplayer profile smplayer @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include # Needed for hardware decoding ##include @@ -86,6 +85,12 @@ profile smplayer @{exec_path} { signal (send) set=(term, kill), signal (receive) set=(term, kill), + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + @{exec_path} mrix, # Which media files SMPlayer should be able to open 
@@ -146,6 +151,6 @@ profile smplayer @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.anyRemote/anyremote.stdout w, - #include if exists + include if exists } diff --git a/apparmor.d/smtube b/apparmor.d/smtube index 85a421f9..85df3f23 100644 --- a/apparmor.d/smtube +++ b/apparmor.d/smtube @@ -9,25 +9,32 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/smtube profile smtube @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, @{exec_path} mr, @@ -86,8 +93,8 @@ profile smtube @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -103,5 +110,5 @@ profile smtube @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/spacefm b/apparmor.d/spacefm index 36f71bdf..83a9d0ae 100644 --- a/apparmor.d/spacefm +++ b/apparmor.d/spacefm @@ -9,26 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/spacefm profile spacefm @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include # This should be tightened when the "profile has merged rule with conflicting x modifiers" error # will be fixed. (#FIXME#) - #include - #include + include + include # For root window deny capability dac_read_search, 
@@ -40,6 +40,10 @@ profile spacefm @{exec_path} { # SpaceFM needs this for killing/terminating processes it initiates. signal (send) set=(term, kill), + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, owner @{PROC}/@{pid}/mountinfo r, @@ -97,5 +101,5 @@ profile spacefm @{exec_path} { /var/** r, owner /var/** rw, - #include if exists + include if exists } diff --git a/apparmor.d/spacefm-auth b/apparmor.d/spacefm-auth index cfa28057..9a061833 100644 --- a/apparmor.d/spacefm-auth +++ b/apparmor.d/spacefm-auth @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/spacefm-auth profile spacefm-auth @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - #include if exists + include if exists } diff --git a/apparmor.d/spectre-meltdown-checker b/apparmor.d/spectre-meltdown-checker index 6033900b..3569d84f 100644 --- a/apparmor.d/spectre-meltdown-checker +++ b/apparmor.d/spectre-meltdown-checker @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/spectre-meltdown-checker profile spectre-meltdown-checker @{exec_path} { - #include + include # Needed to read the /dev/cpu/[0-9]*/msr device capability sys_rawio, @@ -26,6 +26,7 @@ profile spectre-meltdown-checker @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ r, /{usr/,}bin/dirname rix, /{usr/,}bin/uname rix, /{usr/,}bin/cut rix, @@ -38,6 +39,9 @@ profile spectre-meltdown-checker @{exec_path} { /{usr/,}bin/id rix, /{usr/,}bin/gunzip rix, /{usr/,}bin/gzip rix, + /{usr/,}bin/zstd rix, + /{usr/,}bin/bunzip2 rix, + /{usr/,}bin/lzop rix, /{usr/,}bin/mktemp rix, /{usr/,}bin/tr rix, /{usr/,}bin/stat rix, 
@@ -56,6 +60,7 @@ profile spectre-meltdown-checker @{exec_path} { /{usr/,}bin/{,@{multiarch}-}objdump rix, /{usr/,}sbin/iucode_tool rix, /{usr/,}bin/dmesg rix, + /{usr/,}bin/mount rix, /{usr/,}bin/pgrep rCx -> pgrep, /{usr/,}bin/ccache rCx -> ccache, @@ -74,15 +79,18 @@ profile spectre-meltdown-checker @{exec_path} { owner @{HOME}/.mcedb rw, owner /{usr/,}bin/spectre-meltdown-checker w, + /tmp/ r, owner /tmp/{config,kernel}-* rw, owner /dev/cpu/[0-9]*/cpuid r, owner /dev/cpu/[0-9]*/msr rw, owner /dev/kmsg r, + /boot/ r, /boot/{config,vmlinuz,System.map}-* r, @{sys}/devices/system/cpu/vulnerabilities/* r, + @{sys}/module/kvm_intel/parameters/ept r, @{PROC}/ r, @{PROC}/config.gz r, @@ -93,9 +101,13 @@ profile spectre-meltdown-checker @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + # For shell pwd + /root/ r, + /etc/ r, + profile ccache { - #include + include /{usr/,}bin/ccache mr, @@ -106,7 +118,7 @@ profile spectre-meltdown-checker @{exec_path} { } profile pgrep { - #include + include /{usr/,}bin/pgrep mr, @@ -118,11 +130,11 @@ profile spectre-meltdown-checker @{exec_path} { } profile mcedb { - #include - #include - #include - #include - #include + include + include + include + include + include /{usr/,}bin/wget mr, /{usr/,}bin/sqlite3 mr, @@ -139,7 +151,7 @@ profile spectre-meltdown-checker @{exec_path} { } profile kmod { - #include + include /{usr/,}bin/kmod mr, @@ -150,5 +162,5 @@ profile spectre-meltdown-checker @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/speedtest b/apparmor.d/speedtest index 5daeb310..c95013a7 100644 --- a/apparmor.d/speedtest +++ b/apparmor.d/speedtest 
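Review bot: `/{usr/,}bin/mount rix` runs mount inside this profile, where it inherits `capability sys_rawio` and the rw access to the MSR devices granted earlier in the file, while no `mount` rule is added in the same change, so on a mediating kernel actual mount operations would presumably still be denied. If the script only calls mount to list existing mounts, a comment next to the rule, e.g. `# mount is only run to list mounts; no mount rule is needed`, would stop a later reader from "fixing" the missing rule; otherwise a confined child profile (`rCx`, as already done for pgrep and ccache) would be the tighter option. The enclosing profile block continues outside the hunk.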
@@ -9,17 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/speedtest{,-cli} profile speedtest @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -34,5 +40,5 @@ profile speedtest @{exec_path} { /etc/magic r, - #include if exists + include if exists } diff --git a/apparmor.d/spflashtool b/apparmor.d/spflashtool index d28562a9..a4f680ee 100644 --- a/apparmor.d/spflashtool +++ b/apparmor.d/spflashtool @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /opt/SPFlashTool/flash_tool{,.sh} profile spflashtool @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} mrix, @@ -69,5 +69,5 @@ profile spflashtool @{exec_path} { # Silence the noise /opt/SPFlashTool/** w, - #include if exists + include if exists } diff --git a/apparmor.d/spotify b/apparmor.d/spotify index ca2338d9..904e58b4 100644 --- a/apparmor.d/spotify +++ b/apparmor.d/spotify @@ -9,26 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/spotify /usr/share/spotify/spotify profile spotify @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mrix, 
@@ -90,5 +90,5 @@ profile spotify @{exec_path} { deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - #include if exists + include if exists } diff --git a/apparmor.d/ssh-agent b/apparmor.d/ssh-agent index c56f93fc..6f8ed02b 100644 --- a/apparmor.d/ssh-agent +++ b/apparmor.d/ssh-agent @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ssh-agent profile ssh-agent @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -41,5 +41,5 @@ profile ssh-agent @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/startx b/apparmor.d/startx index 8f7ffaf6..a8e44df2 100644 --- a/apparmor.d/startx +++ b/apparmor.d/startx @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/startx profile startx @{exec_path} { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -49,5 +49,5 @@ profile startx @{exec_path} { /dev/ r, owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry index 45390291..0bfcef51 100644 --- a/apparmor.d/strawberry +++ b/apparmor.d/strawberry 
@@ -9,33 +9,40 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/strawberry profile strawberry @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=strawberry-tagreader, signal (receive) set=(term, kill) peer=anyremote//*, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/strawberry-tagreader rPx, @@ -117,8 +124,8 @@ profile strawberry @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -134,5 +141,5 @@ profile strawberry @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/strawberry-tagreader b/apparmor.d/strawberry-tagreader index 0eb6cd19..c7d19457 100644 --- a/apparmor.d/strawberry-tagreader +++ b/apparmor.d/strawberry-tagreader @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/strawberry-tagreader profile strawberry-tagreader @{exec_path} { - #include - #include - #include - #include - #include + include + include + include + include + include signal (receive) set=(term, kill) peer=strawberry, signal (receive) set=(term, kill) peer=anyremote//*, @@ -35,5 +35,5 @@ profile strawberry-tagreader @{exec_path} { owner @{HOME}/.anyRemote/anyremote.stdout w, owner @{HOME}/.cache/gstreamer-*/registry.x86_64.bin.tmp* rw, - #include if exists + include if exists } diff --git a/apparmor.d/su b/apparmor.d/su index 479ab961..fff527ad 100644 --- a/apparmor.d/su 
+++ b/apparmor.d/su @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/su profile su @{exec_path} { - #include - #include - #include - #include - #include -# #include + include + include + include + include + include +# include # To remove the following errors: # su: cannot set groups: Operation not permitted @@ -39,6 +39,8 @@ profile su @{exec_path} { signal (send) set=(term,kill), signal (receive) set=(int,quit,term), + network netlink raw, + @{exec_path} mr, # Shells to use @@ -64,5 +66,5 @@ profile su @{exec_path} { @{PROC}/cmdline r, @{sys}/devices/virtual/tty/console/active r, - #include if exists + include if exists } diff --git a/apparmor.d/sudo b/apparmor.d/sudo index a0032884..b8cd2a68 100644 --- a/apparmor.d/sudo +++ b/apparmor.d/sudo @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/sudo profile sudo @{exec_path} { - #include - #include - #include - #include - #include -# #include + include + include + include + include + include +# include # To remove the following errors: # sudo: unable to change to root gid: Operation not permitted @@ -68,5 +68,5 @@ profile sudo @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/suid3num b/apparmor.d/suid3num index 2963f933..6761e4f6 100644 --- a/apparmor.d/suid3num +++ b/apparmor.d/suid3num @@ -9,16 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/suid3num @{exec_path} += /{usr/,}bin/suid3num.py profile suid3num @{exec_path} { - #include - #include + include + include + capability dac_read_search, capability sys_ptrace, ptrace (read), 
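Review bot: `network netlink raw,` is added to a setuid, PAM-driven program without a comment saying which consumer needs it; su itself presumably does not open netlink sockets, so the likely candidate is audit logging from PAM/libaudit, which is worth confirming from the denial log and recording, e.g. `# libaudit (via PAM) reports session events over an audit netlink socket`. Note that the sudo hunk in this commit, which goes through the same PAM stack, receives no such rule, so either su is over-granted or sudo is still missing it.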
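Review bot: `capability dac_read_search,` is added to suid3num without a why-comment, and the profile already holds `capability sys_ptrace,` and `ptrace (read),`, so the combination lets the tool read any file and inspect any process regardless of DAC; that is a lot of privilege for a profile whose purpose is enumerating setuid binaries. A comment such as `# Needed to traverse directories not readable by the invoking user while scanning for SUID files`, if that is the reason, makes the grant auditable and keeps it from being copied into other profiles by analogy. The profile block continues outside the hunk.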
@@ -37,5 +38,5 @@ profile suid3num @{exec_path} { deny /media/ r, deny /media/**/ r, - #include if exists + include if exists } diff --git a/apparmor.d/swaplabel b/apparmor.d/swaplabel index e3daf144..98bdad2c 100644 --- a/apparmor.d/swaplabel +++ b/apparmor.d/swaplabel @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/swaplabel profile swaplabel @{exec_path} { - #include - #include + include + include @{exec_path} mr, # SWAP file common locations owner /swapfile rw, - #include if exists + include if exists } diff --git a/apparmor.d/swapoff b/apparmor.d/swapoff index b68632db..7ea8882b 100644 --- a/apparmor.d/swapoff +++ b/apparmor.d/swapoff @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/swapoff profile swapoff @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -29,6 +29,6 @@ profile swapoff @{exec_path} { # SWAP file common locations owner /swapfile rw, - #include if exists + include if exists } diff --git a/apparmor.d/swapon b/apparmor.d/swapon index ebbbb911..659e4aab 100644 --- a/apparmor.d/swapon +++ b/apparmor.d/swapon @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/swapon profile swapon @{exec_path} { - #include - #include + include + include capability sys_admin, @@ -29,5 +29,5 @@ profile swapon @{exec_path} { # SWAP file common locations owner /swapfile rw, - #include if exists + include if exists } diff --git a/apparmor.d/synaptic b/apparmor.d/synaptic index 39867492..33275668 100644 --- a/apparmor.d/synaptic +++ b/apparmor.d/synaptic 
@@ -9,23 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , @{BUILD_DIR} = /media/debuilder/ -#include +include @{exec_path} = /{usr/,}sbin/synaptic /{usr/,}bin/synaptic-pkexec profile synaptic @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory @@ -166,8 +166,8 @@ profile synaptic @{exec_path} { profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -179,5 +179,5 @@ profile synaptic @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/syncthing b/apparmor.d/syncthing index d3d6a3ce..a548125f 100644 --- a/apparmor.d/syncthing +++ b/apparmor.d/syncthing @@ -9,16 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/syncthing profile syncthing @{exec_path} { - #include - #include - #include - #include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} mrix, @@ -44,8 +50,8 @@ profile syncthing @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -61,5 +67,5 @@ profile syncthing @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/system-config-printer b/apparmor.d/system-config-printer index 65ef0ef7..a2781cae 100644 --- a/apparmor.d/system-config-printer +++ b/apparmor.d/system-config-printer 
@@ -9,22 +9,25 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/system-config-printer /usr/share/system-config-printer/system-config-printer.py profile system-config-printer @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + + network inet stream, + network inet6 stream, @{exec_path} mrix, @@ -33,6 +36,7 @@ profile system-config-printer @{exec_path} { /usr/share/system-config-printer/{,**} r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, @@ -48,5 +52,5 @@ profile system-config-printer @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/system-config-printer-applet b/apparmor.d/system-config-printer-applet index 22f0e2cd..a50db5b4 100644 --- a/apparmor.d/system-config-printer-applet +++ b/apparmor.d/system-config-printer-applet @@ -9,16 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/system-config-printer-applet /usr/share/system-config-printer/applet.py profile system-config-printer-applet @{exec_path} { - #include - #include - #include - #include + include + include + include + include + + network inet stream, + network inet6 stream, @{exec_path} mrix, @@ -29,5 +32,5 @@ profile system-config-printer-applet @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/system_tor b/apparmor.d/system_tor index dfaa967c..5e927f2f 100644 --- a/apparmor.d/system_tor +++ b/apparmor.d/system_tor 
@@ -1,9 +1,9 @@ # vim:syntax=apparmor -#include +include profile system_tor flags=(attach_disconnected) { - #include - #include + include + include owner /var/lib/tor/** rwk, owner /var/lib/tor/ r, @@ -22,5 +22,5 @@ profile system_tor flags=(attach_disconnected) { /{,var/}run/systemd/notify w, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/systemd-analyze b/apparmor.d/systemd-analyze index 73e5e91c..724eaf36 100644 --- a/apparmor.d/systemd-analyze +++ b/apparmor.d/systemd-analyze @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/systemd-analyze profile systemd-analyze @{exec_path} { - #include - #include + include + include # Needed for the prctl's PR_SET_MM option: # prctl(PR_SET_MM, PR_SET_MM_ARG_START, 0x721691edc000, 0, 0) = -1 EPERM (Operation not permitted) @@ -58,5 +58,5 @@ profile systemd-analyze @{exec_path} { /etc/default/locale r, - #include if exists + include if exists } diff --git a/apparmor.d/systemd-fsck b/apparmor.d/systemd-fsck index ac59ec6a..57571dd1 100644 --- a/apparmor.d/systemd-fsck +++ b/apparmor.d/systemd-fsck @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/systemd/systemd-fsck profile systemd-fsck @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include capability net_admin, capability sys_resource, @@ -30,5 +30,5 @@ profile systemd-fsck @{exec_path} flags=(complain) { owner @{run}/systemd/quotacheck w, - #include if exists + include if exists } diff --git a/apparmor.d/systemd-fsckd b/apparmor.d/systemd-fsckd index fc799f97..2facf213 100644 --- a/apparmor.d/systemd-fsckd +++ b/apparmor.d/systemd-fsckd 
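Review bot: system_tor is the only profile in the commit that switches to `include` without also gaining an `abi <abi/3.0>,` declaration, so apparmor_parser 3.x will compile it under the pre-3.0 feature set (and, as far as I recall, warn about the missing abi rule), and it will not get the socket mediation the other profiles are being converted to. Before adding `abi <abi/3.0>,` at the top, tor's socket use has to be declared explicitly — the visible hunks contain no `network` rules, so the abi line alone would cut the daemon off; the pattern used for syncthing and speedtest here (`network inet stream,`, `network inet6 stream,` and the dgram variants that turn out to be needed) is the starting point.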
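Review bot: The site-local include at the end of system_tor is converted to a plain `include` whereas every other profile in this commit ends with `include if exists`; with the unconditional form the profile fails to load when the local override file is absent, which takes tor's confinement down with it. Changing the last rule to `include if exists` with the same target as in the hunk matches the rest of the set. The profile block is closed on the hunk's last line.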
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/systemd/systemd-fsckd profile systemd-fsckd @{exec_path} flags=(complain) { - #include - #include - #include + include + include + include capability net_admin, capability sys_tty_config, @@ -26,5 +26,5 @@ profile systemd-fsckd @{exec_path} flags=(complain) { owner @{run}/systemd/fsck.progress w, - #include if exists + include if exists } diff --git a/apparmor.d/systemd-journalctl b/apparmor.d/systemd-journalctl index 06995c9a..48522feb 100644 --- a/apparmor.d/systemd-journalctl +++ b/apparmor.d/systemd-journalctl @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/journalctl profile systemd-journalctl @{exec_path} { - #include - #include - #include + include + include + include capability sys_resource, @@ -46,5 +46,7 @@ profile systemd-journalctl @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - #include if exists + owner @{PROC}/@{pid}/cgroup r, + + include if exists } diff --git a/apparmor.d/systemd-journald b/apparmor.d/systemd-journald index 30a303bc..71931f46 100644 --- a/apparmor.d/systemd-journald +++ b/apparmor.d/systemd-journald @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/systemd/systemd-journald profile systemd-journald @{exec_path} { - #include - #include - #include + include + include + include capability syslog, capability sys_ptrace, @@ -52,6 +52,7 @@ profile systemd-journald @{exec_path} { @{sys}/devices/**/uevent r, @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r, + @{sys}/module/printk/parameters/time r, @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/cmdline r, 
@@ -64,9 +65,8 @@ profile systemd-journald @{exec_path} { /dev/kmsg rw, - /var/lib/dbus/machine-id r, /etc/machine-id r, - #include if exists + include if exists } diff --git a/apparmor.d/systemd-modules-load b/apparmor.d/systemd-modules-load index 96b55bbe..7010869c 100644 --- a/apparmor.d/systemd-modules-load +++ b/apparmor.d/systemd-modules-load @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/systemd/systemd-modules-load profile systemd-modules-load @{exec_path} { - #include - #include + include + include # To load kernel modules capability sys_module, @@ -33,5 +33,5 @@ profile systemd-modules-load @{exec_path} { /etc/modules-load.d/ r, /etc/modules-load.d/*.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/systemd-networkd b/apparmor.d/systemd-networkd index 7e70e252..d4a4145d 100644 --- a/apparmor.d/systemd-networkd +++ b/apparmor.d/systemd-networkd @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/systemd/systemd-networkd profile systemd-networkd @{exec_path} flags=(complain) { - #include - #include + include + include capability net_admin, capability net_raw, @@ -49,5 +49,5 @@ profile systemd-networkd @{exec_path} flags=(complain) { /var/lib/dbus/machine-id r, /etc/machine-id r, - #include if exists + include if exists } diff --git a/apparmor.d/systemd-networkd-wait-online b/apparmor.d/systemd-networkd-wait-online index 7ab4c7aa..4bf673cb 100644 --- a/apparmor.d/systemd-networkd-wait-online +++ b/apparmor.d/systemd-networkd-wait-online 
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/systemd/systemd-networkd-wait-online profile systemd-networkd-wait-online @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} mr, @{run}/systemd/netif/links/[0-9]* r, - #include if exists + include if exists } diff --git a/apparmor.d/systemd-rfkill b/apparmor.d/systemd-rfkill index c27e7ca2..8010e594 100644 --- a/apparmor.d/systemd-rfkill +++ b/apparmor.d/systemd-rfkill @@ -9,17 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/systemd/systemd-rfkill profile systemd-rfkill @{exec_path} { - #include - #include + include + include capability net_admin, + network netlink raw, + @{exec_path} mr, /dev/rfkill rw, @@ -32,5 +34,5 @@ profile systemd-rfkill @{exec_path} { @{run}/udev/data/+rfkill:* r, - #include if exists + include if exists } diff --git a/apparmor.d/systemd-shutdown b/apparmor.d/systemd-shutdown index 98e5c014..81fcdfef 100644 --- a/apparmor.d/systemd-shutdown +++ b/apparmor.d/systemd-shutdown @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/systemd/systemd-shutdown profile systemd-shutdown @{exec_path} flags=(complain) { - #include - #include + include + include capability sys_resource, capability sys_boot, @@ -34,5 +34,5 @@ profile systemd-shutdown @{exec_path} flags=(complain) { owner @{PROC}/sys/kernel/core_pattern w, owner @{PROC}/sys/kernel/printk rw, - #include if exists + include if exists } diff --git a/apparmor.d/systemd-sysctl b/apparmor.d/systemd-sysctl index c634f401..8879c6e6 100644 --- a/apparmor.d/systemd-sysctl +++ b/apparmor.d/systemd-sysctl 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/systemd/systemd-sysctl profile systemd-sysctl @{exec_path} { - #include - #include + include + include # Are these needed? deny capability sys_ptrace, @@ -33,5 +33,5 @@ profile systemd-sysctl @{exec_path} { /etc/sysctl.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/systemd-timedated b/apparmor.d/systemd-timedated index 6363e5ce..22c08d5b 100644 --- a/apparmor.d/systemd-timedated +++ b/apparmor.d/systemd-timedated @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/systemd/systemd-timedated profile systemd-timedated @{exec_path} { - #include - #include + include + include capability sys_time, @@ -33,5 +33,5 @@ profile systemd-timedated @{exec_path} { /etc/.#timezone* rw, /etc/timezone rw, - #include if exists + include if exists } diff --git a/apparmor.d/systemd-timesyncd b/apparmor.d/systemd-timesyncd index a9af280c..2a7cfeed 100644 --- a/apparmor.d/systemd-timesyncd +++ b/apparmor.d/systemd-timesyncd @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd profile systemd-timesyncd @{exec_path} { - #include - #include - #include + include + include + include capability sys_time, @@ -30,5 +30,5 @@ profile systemd-timesyncd @{exec_path} { owner @{run}/systemd/timesync/synchronized rw, @{run}/systemd/netif/state r, - #include if exists + include if exists } diff --git a/apparmor.d/tasksel b/apparmor.d/tasksel index 890e721a..458480ac 100644 --- a/apparmor.d/tasksel +++ b/apparmor.d/tasksel 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/tasksel profile tasksel @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/perl r, @@ -44,7 +44,7 @@ profile tasksel @{exec_path} flags=(complain) { profile tasksel-tests flags=(complain) { - #include + include /{usr/,}lib/tasksel/tests/* r, /{usr/,}bin/{,ba,da}sh rix, @@ -52,10 +52,10 @@ profile tasksel @{exec_path} flags=(complain) { } profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, @@ -80,5 +80,5 @@ profile tasksel @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/telegram-desktop b/apparmor.d/telegram-desktop index a8d0ffcf..9c3fa1b3 100644 --- a/apparmor.d/telegram-desktop +++ b/apparmor.d/telegram-desktop @@ -9,32 +9,39 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{TELEGRAM_WORK_DIR} = /media/Kabi/telegram @{exec_path} = /{usr/,}bin/telegram-desktop profile telegram-desktop @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, @{exec_path} mr, @@ -85,8 +92,8 @@ profile telegram-desktop @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, 
@@ -107,5 +114,5 @@ profile telegram-desktop @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/tftp b/apparmor.d/tftp index dc137b27..0aa03ab5 100644 --- a/apparmor.d/tftp +++ b/apparmor.d/tftp @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/tftp profile tftp @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/thinkfan b/apparmor.d/thinkfan index fe22079b..8a1a0a7d 100644 --- a/apparmor.d/thinkfan +++ b/apparmor.d/thinkfan @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/thinkfan profile thinkfan @{exec_path} { - #include + include @{exec_path} mr, @@ -30,6 +30,6 @@ profile thinkfan @{exec_path} { owner @{run}/thinkfan.pid rw, - #include if exists + include if exists } diff --git a/apparmor.d/thunderbird b/apparmor.d/thunderbird index a516ed3a..e03a3a77 100644 --- a/apparmor.d/thunderbird +++ b/apparmor.d/thunderbird @@ -12,9 +12,9 @@ # http://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird # -#abi , +abi , -#include +include @{MOZ_LIBDIR} = /{usr/,}lib/thunderbird @{MOZ_HOMEDIR} = @{HOME}/.thunderbird 
@@ -23,25 +23,31 @@ @{exec_path} = @{MOZ_LIBDIR}/thunderbird{,-bin} @{exec_path} += /{usr/,}bin/thunderbird profile thunderbird @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include ptrace peer=@{profile_name}, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + # The following rules are needed only when the kernel.unprivileged_userns_clone option is set # to "1". capability sys_admin, @@ -192,8 +198,12 @@ profile thunderbird @{exec_path} { profile gpg { - #include - #include + include + include + + network inet stream, + network inet6 stream, + network netlink raw, /{usr/,}bin/gpgconf mr, /{usr/,}bin/gpg mr, @@ -237,8 +247,8 @@ profile thunderbird @{exec_path} { } profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}bin/exo-open mr, @@ -260,5 +270,5 @@ profile thunderbird @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/tint2 b/apparmor.d/tint2 index d374565c..ad1ef41a 100644 --- a/apparmor.d/tint2 +++ b/apparmor.d/tint2 @@ -9,18 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/tint2 profile tint2 @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network netlink dgram, @{exec_path} mr, @@ -65,5 +67,5 @@ profile tint2 @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/tint2conf b/apparmor.d/tint2conf index 79a76d7c..6c05ec13 100644 --- a/apparmor.d/tint2conf 
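Review bot: The `gpg` child profile of thunderbird now gets `network inet stream,` and `network inet6 stream,` with no comment, which lets the gpg invocation open outbound TCP to any host, whereas the removed lines show it previously declared no network rules at all. If this is for keyserver or WKD lookups via dirmngr, say so above the rules, e.g. `# keyserver / WKD lookups (dirmngr)`; if it is not, the two inet rules should be dropped and only `network netlink raw,` kept. The enclosing `profile gpg { … }` block continues outside the hunk.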
+++ b/apparmor.d/tint2conf @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/tint2conf profile tint2conf @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include @{exec_path} mr, @@ -46,5 +46,5 @@ profile tint2conf @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/top b/apparmor.d/top index e73d2f79..3c159049 100644 --- a/apparmor.d/top +++ b/apparmor.d/top @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # When any of the "ns*" fields is displayed, the following error will be printed: # "Failed name lookup - disconnected path" error=-13 profile="top" name="". @{exec_path} = /{usr/,}bin/top profile top @{exec_path} flags=(attach_disconnected) { - #include - #include - #include + include + include + include # To be able to read the /proc/ files of all processes in the system. capability dac_read_search, @@ -76,5 +76,5 @@ profile top @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.config/procps/ rw, owner @{HOME}/.config/procps/toprc rw, - #include if exists + include if exists } diff --git a/apparmor.d/torbrowser.Browser.firefox b/apparmor.d/torbrowser.Browser.firefox index 57c03594..c8236f6b 100644 --- a/apparmor.d/torbrowser.Browser.firefox +++ b/apparmor.d/torbrowser.Browser.firefox @@ -1,15 +1,15 @@ -#include -#include +include +include @{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real profile torbrowser_firefox @{torbrowser_firefox_executable} { - #include - #include + include + include # Uncomment the following lines if you want to give the Tor Browser read-write # access to most of your personal files. - # #include + # include # @{HOME}/ r, # Audio support 
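Review bot: The torbrowser.Browser.firefox hunk (and the torbrowser.Browser.plugin-container and torbrowser.Tor.tor hunks that follow) only rewrite `#include` to `include` and, unlike every other profile in this commit, gain no `abi` line. Those three profiles will therefore be compiled under whatever abi the parser defaults to rather than the one the rest of the policy pins, which can change which rule classes are actually enforced for Tor Browser. If that is deliberate because the files track an upstream source, a comment such as `# No abi rule on purpose: kept in sync with the upstream torbrowser-launcher profiles` at the top would keep it from being "fixed" later; otherwise they should get the same abi line as the other profiles.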
@@ -148,5 +148,5 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} { # Yubikey NEO also needs this: /sys/devices/**/hidraw/hidraw*/uevent r, - #include + include } diff --git a/apparmor.d/torbrowser.Browser.plugin-container b/apparmor.d/torbrowser.Browser.plugin-container index fdf5fda1..b96dcb51 100644 --- a/apparmor.d/torbrowser.Browser.plugin-container +++ b/apparmor.d/torbrowser.Browser.plugin-container @@ -1,10 +1,10 @@ -#include -#include +include +include @{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real profile torbrowser_plugin_container { - #include + include # Uncomment the following lines if you want Tor Browser # to have direct access to your sound hardware. You will also @@ -12,7 +12,7 @@ profile torbrowser_plugin_container { # - the "deny" word in the machine-id lines # - the rules that deny reading /etc/pulse/client.conf # and executing /usr/bin/pulseaudio - # #include + # include # /etc/asound.conf r, # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw, @@ -100,5 +100,5 @@ profile torbrowser_plugin_container { deny /etc/pulse/client.conf r, deny /usr/bin/pulseaudio x, - #include + include } diff --git a/apparmor.d/torbrowser.Tor.tor b/apparmor.d/torbrowser.Tor.tor index f5b81779..cb15d6c8 100644 --- a/apparmor.d/torbrowser.Tor.tor +++ b/apparmor.d/torbrowser.Tor.tor @@ -1,10 +1,10 @@ -#include -#include +include +include @{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor profile torbrowser_tor @{torbrowser_tor_executable} { - #include + include network netlink raw, network tcp, 
@@ -24,7 +24,7 @@ profile torbrowser_tor @{torbrowser_tor_executable} { # Support some of the included pluggable transports owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix, @{PROC}/sys/net/core/somaxconn r, - #include + include # Silence file_inherit logs deny @{torbrowser_home_dir}/{browser/,}omni.ja r, @@ -42,5 +42,5 @@ profile torbrowser_tor @{torbrowser_tor_executable} { # OnionShare compatibility /tmp/onionshare/** rw, - #include + include } diff --git a/apparmor.d/torify b/apparmor.d/torify index 279db423..d1558377 100644 --- a/apparmor.d/torify +++ b/apparmor.d/torify @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/torify profile torify @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - #include if exists + include if exists } diff --git a/apparmor.d/torsocks b/apparmor.d/torsocks index cb1a5db3..e5119281 100644 --- a/apparmor.d/torsocks +++ b/apparmor.d/torsocks @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/torsocks profile torsocks @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - #include if exists + include if exists } diff --git a/apparmor.d/tpacpi-bat b/apparmor.d/tpacpi-bat index 74296698..ca4cc9d8 100644 --- a/apparmor.d/tpacpi-bat +++ b/apparmor.d/tpacpi-bat @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/tpacpi-bat profile tpacpi-bat @{exec_path} { - #include - #include + include + include @{exec_path} mr, /{usr/,}bin/perl r, @@ -32,5 +32,5 @@ profile tpacpi-bat @{exec_path} { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/**/path r, - #include if exists + include if exists } 
diff --git a/apparmor.d/tunables/apparmorfs b/apparmor.d/tunables/apparmorfs index 8df86759..2028097f 100644 --- a/apparmor.d/tunables/apparmorfs +++ b/apparmor.d/tunables/apparmorfs @@ -6,6 +6,6 @@ # # ------------------------------------------------------------------ -#include +include @{apparmorfs}=@{securityfs}/apparmor/ diff --git a/apparmor.d/tunables/etc b/apparmor.d/tunables/etc new file mode 100644 index 00000000..c144621d --- /dev/null +++ b/apparmor.d/tunables/etc @@ -0,0 +1,25 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +# @{etc_ro} contains a space-separated list of the system configuration directories. +# Traditionally this means /etc/, but when using a read-only / filesystem and/or +# with the goal of having only user-modified config files in /etc/, directories +# like /usr/etc/ get introduced for storing the default config. + +# @{etc_ro} contains read-only directories with configuration files. +# Do not use @{etc_ro} in rules that allow write access. +@{etc_ro}=/etc/ /usr/etc/ + +# @{etc_rw} contains directories where writing to configuration files is allowed. +@{etc_rw}=/etc/ + +# Also, include files in tunables/etc.d/ for site-specific adjustments to +# @{etc_ro} and @{etc_rw}. +include if exists diff --git a/apparmor.d/tunables/global b/apparmor.d/tunables/global index 3b6f99cc..3dd4bfdb 100644 --- a/apparmor.d/tunables/global +++ b/apparmor.d/tunables/global 
@@ -12,11 +12,12 @@ # All the tunables definitions that should be available to every profile # should be included here -#include -#include -#include -#include -#include -#include -#include -#include +include +include +include +include +include +include +include +include +include diff --git a/apparmor.d/tunables/home b/apparmor.d/tunables/home index 550ccd5d..4df34b55 100644 --- a/apparmor.d/tunables/home +++ b/apparmor.d/tunables/home @@ -22,4 +22,4 @@ # Also, include files in tunables/home.d for site-specific adjustments to # @{HOMEDIRS}. -#include +include diff --git a/apparmor.d/tunables/multiarch b/apparmor.d/tunables/multiarch index c54082e0..32fd1aa1 100644 --- a/apparmor.d/tunables/multiarch +++ b/apparmor.d/tunables/multiarch @@ -14,4 +14,4 @@ # Also, include files in tunables/multiarch.d for site and packaging # specific adjustments to @{multiarch}. -#include +include diff --git a/apparmor.d/tunables/xdg-user-dirs b/apparmor.d/tunables/xdg-user-dirs index fcaf8d40..9488f96a 100644 --- a/apparmor.d/tunables/xdg-user-dirs +++ b/apparmor.d/tunables/xdg-user-dirs @@ -21,4 +21,4 @@ # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments # to the various XDG directories -#include +include diff --git a/apparmor.d/tune2fs b/apparmor.d/tune2fs index 9646466a..33333e07 100644 --- a/apparmor.d/tune2fs +++ b/apparmor.d/tune2fs @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/{tune2fs,e2label} profile tune2fs @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -33,5 +33,5 @@ profile tune2fs @{exec_path} { @{HOME}/** rw, /media/*/** rw, - #include if exists + include if exists } diff --git a/apparmor.d/ucf b/apparmor.d/ucf index 13a2a14d..3b90c5db 100644 --- a/apparmor.d/ucf +++ b/apparmor.d/ucf 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/ucf profile ucf @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -73,8 +73,8 @@ profile ucf @{exec_path} flags=(complain) { profile pager flags=(complain) { - #include - #include + include + include /{usr/,}bin/ r, /{usr/,}bin/sensible-pager mr, @@ -85,10 +85,10 @@ profile ucf @{exec_path} flags=(complain) { } profile frontend flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, @@ -103,10 +103,10 @@ profile ucf @{exec_path} flags=(complain) { owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, # The following is needed when debconf uses GUI frontends. - #include - #include - #include - #include + include + include + include + include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rPx, @@ -115,5 +115,5 @@ profile ucf @{exec_path} flags=(complain) { } - #include if exists + include if exists } diff --git a/apparmor.d/udevadm b/apparmor.d/udevadm index 2c9bbf72..18f48320 100644 --- a/apparmor.d/udevadm +++ b/apparmor.d/udevadm @@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udevadm @{exec_path} += /{usr/,}lib/systemd/systemd-udevd profile udevadm @{exec_path} flags=(complain,attach_disconnected) { - #include - #include - #include - #include + include + include + include + include # (##FIXME##) capability sys_admin, @@ -34,6 +34,10 @@ profile udevadm @{exec_path} flags=(complain,attach_disconnected) { ptrace (read), + network inet dgram, + network inet6 dgram, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/chgrp rix, 
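Review bot: `network inet dgram,` and `network inet6 dgram,` are added to udevadm with no explanation, in a profile that is still flags=(complain), so the rules silence log lines rather than restrict anything and the reason is easy to lose. If the denials came from the interface-rename/ethtool ioctl path, which opens an AF_INET datagram socket only as an ioctl handle, record that: `# AF_INET/AF_INET6 dgram sockets are opened only as ioctl handles for net interface setup`. `network netlink raw,` is the expected uevent channel and needs no further note; the `# (##FIXME##) capability sys_admin,` a few lines above is still unresolved by this change.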
@@ -83,5 +87,5 @@ profile udevadm @{exec_path} flags=(complain,attach_disconnected) { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/udiskie b/apparmor.d/udiskie index 0f450829..e1c0d092 100644 --- a/apparmor.d/udiskie +++ b/apparmor.d/udiskie @@ -9,25 +9,25 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udiskie profile udiskie @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9] r, @@ -54,8 +54,8 @@ profile udiskie @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -71,5 +71,5 @@ profile udiskie @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/udiskie-info b/apparmor.d/udiskie-info index 7bdfaa1c..afb06a45 100644 --- a/apparmor.d/udiskie-info +++ b/apparmor.d/udiskie-info @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udiskie-info profile udiskie-info @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9] r, @@ -28,5 +28,5 @@ profile udiskie-info @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/udiskie-mount b/apparmor.d/udiskie-mount index 7bdf8770..eee23302 100644 --- a/apparmor.d/udiskie-mount +++ b/apparmor.d/udiskie-mount 
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udiskie-mount profile udiskie-mount @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9] r, @@ -28,5 +28,5 @@ profile udiskie-mount @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/udiskie-umount b/apparmor.d/udiskie-umount index 8e21a083..ffe1affe 100644 --- a/apparmor.d/udiskie-umount +++ b/apparmor.d/udiskie-umount @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udiskie-umount profile udiskie-umount @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9] r, @@ -28,5 +28,5 @@ profile udiskie-umount @{exec_path} { owner @{PROC}/@{pid}/mounts r, - #include if exists + include if exists } diff --git a/apparmor.d/udisksctl b/apparmor.d/udisksctl index 8d2d62ab..d96df14d 100644 --- a/apparmor.d/udisksctl +++ b/apparmor.d/udisksctl @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/udisksctl profile udisksctl @{exec_path} { - #include + include @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/udisksd b/apparmor.d/udisksd index 6e472617..25d609bd 100644 --- a/apparmor.d/udisksd +++ b/apparmor.d/udisksd @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/udisks2/udisksd @{exec_path} += /usr/libexec/udisks2/udisksd profile udisksd @{exec_path} { - #include - #include - #include + include + include + include # To remove the following errors: # udisksd[]: Error probing device: Error sending ATA command IDENTIFY DEVICE to '/dev/sda': 
@@ -33,6 +33,8 @@ profile udisksd @{exec_path} { # Needed? deny capability sys_nice, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -131,7 +133,7 @@ profile udisksd @{exec_path} { profile systemd-escape { - #include + include ptrace (read), @@ -149,5 +151,5 @@ profile udisksd @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/umount b/apparmor.d/umount index b55a082c..f72b0166 100644 --- a/apparmor.d/umount +++ b/apparmor.d/umount @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/umount profile umount @{exec_path} flags=(complain) { - #include + include # To be able to umount anything # umount2("/mnt", 0) = -1 EPERM (Operation not permitted) @@ -28,6 +28,9 @@ profile umount @{exec_path} flags=(complain) { umount, + network inet stream, + network inet6 stream, + @{exec_path} mr, # Mount points @@ -48,5 +51,5 @@ profile umount @{exec_path} flags=(complain) { owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab.lock wk, - #include if exists + include if exists } diff --git a/apparmor.d/uname b/apparmor.d/uname index 2cfc9405..edadf223 100644 --- a/apparmor.d/uname +++ b/apparmor.d/uname @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/uname profile uname @{exec_path} { - #include - #include + include + include @{exec_path} mr, # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/unhide-linux b/apparmor.d/unhide-linux index 9f48f3b9..89548433 100644 --- a/apparmor.d/unhide-linux +++ b/apparmor.d/unhide-linux 
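Review bot: The umount hunk adds `network inet stream,` and `network inet6 stream,` without a comment, and nothing visible in the profile points at a code path that needs TCP. umount itself does not talk to the network; a network-filesystem unmount is delegated to a helper such as umount.nfs, so the denial was probably raised by a helper executing under this profile. Record the origin, e.g. `# network filesystem unmount helpers (umount.nfs and friends)`, or give the helper its own child profile instead of widening umount. The profile is flags=(complain), so until that flag is dropped these rules only stop the logging.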
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/unhide{,-linux} profile unhide-linux @{exec_path} { - #include + include capability kill, capability sys_ptrace, @@ -40,5 +40,5 @@ profile unhide-linux @{exec_path} { @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/osrelease r, - #include if exists + include if exists } diff --git a/apparmor.d/unhide-posix b/apparmor.d/unhide-posix index 550a55cb..07eaf0a3 100644 --- a/apparmor.d/unhide-posix +++ b/apparmor.d/unhide-posix @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/unhide-posix profile unhide-posix @{exec_path} { - #include - #include + include + include capability sys_ptrace, @@ -43,5 +43,5 @@ profile unhide-posix @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/tty/drivers r, - #include if exists + include if exists } diff --git a/apparmor.d/unhide-rb b/apparmor.d/unhide-rb index 8ca7c545..984a1b97 100644 --- a/apparmor.d/unhide-rb +++ b/apparmor.d/unhide-rb @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/unhide_rb profile unhide-rb @{exec_path} { - #include + include capability sys_ptrace, @@ -27,5 +27,5 @@ profile unhide-rb @{exec_path} { @{PROC}/@{pids}/task/ r, - #include if exists + include if exists } diff --git a/apparmor.d/unhide-tcp b/apparmor.d/unhide-tcp index 48917e27..457744cf 100644 --- a/apparmor.d/unhide-tcp +++ b/apparmor.d/unhide-tcp @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/unhide-tcp profile unhide-tcp @{exec_path} { - #include + include capability net_bind_service, capability syslog, 
@@ -38,5 +38,5 @@ profile unhide-tcp @{exec_path} { # For logs /**/unhide-tcp_[0-9]*-[0-9]*-[0-9]*.log w, - #include if exists + include if exists } diff --git a/apparmor.d/unix-chkpwd b/apparmor.d/unix-chkpwd index 5e2542c9..57bf62c9 100644 --- a/apparmor.d/unix-chkpwd +++ b/apparmor.d/unix-chkpwd @@ -9,18 +9,20 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/unix_chkpwd profile unix-chkpwd @{exec_path} { - #include - #include + include + include # To write records to the kernel auditing log. capability audit_write, + network netlink raw, + @{exec_path} mr, /etc/shadow r, @@ -28,5 +30,5 @@ profile unix-chkpwd @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/unmkinitramfs b/apparmor.d/unmkinitramfs index a6330fde..4af9bd70 100644 --- a/apparmor.d/unmkinitramfs +++ b/apparmor.d/unmkinitramfs @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/unmkinitramfs profile unmkinitramfs @{exec_path} { - #include + include # To avoid the following error: # cpio: etc/console-setup/null: Cannot mknod: Operation not permitted @@ -49,5 +49,5 @@ profile unmkinitramfs @{exec_path} { /var/tmp/ r, owner /var/tmp/unmkinitramfs_* rw, - #include if exists + include if exists } diff --git a/apparmor.d/update-alternatives b/apparmor.d/update-alternatives index 3c4d3568..f1db00ce 100644 --- a/apparmor.d/update-alternatives +++ b/apparmor.d/update-alternatives @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/update-alternatives profile update-alternatives @{exec_path} { - #include - #include + include + include @{exec_path} mr, 
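Review bot: In the unix-chkpwd hunk `network netlink raw,` is inserted after a blank line, detached from the `# To write records to the kernel auditing log.` comment and `capability audit_write,` it belongs with: audit records are sent over a NETLINK_AUDIT socket, so the capability alone is not sufficient once network rules are enforced. Move the rule up under that comment and extend it, e.g. `# To write records to the kernel auditing log (CAP_AUDIT_WRITE + NETLINK_AUDIT socket).`, so the pairing is obvious to the next reader.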
@@ -35,5 +35,5 @@ profile update-alternatives @{exec_path} { /usr/** rw, - #include if exists + include if exists } diff --git a/apparmor.d/update-apt-xapian-index b/apparmor.d/update-apt-xapian-index index 3dbec032..65ec6a8f 100644 --- a/apparmor.d/update-apt-xapian-index +++ b/apparmor.d/update-apt-xapian-index @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -43,6 +43,6 @@ profile update-apt-xapian-index @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/update-ca-certificates b/apparmor.d/update-ca-certificates index 18682176..8acedd0b 100644 --- a/apparmor.d/update-ca-certificates +++ b/apparmor.d/update-ca-certificates @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-ca-certificates profile update-ca-certificates @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -38,9 +38,11 @@ profile update-ca-certificates @{exec_path} { /{usr/,}bin/openssl rix, + /etc/ca-certificates/update.d/ r, /etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore, /{usr/,}bin/run-parts rCx -> run-parts, + /etc/ r, /etc/ca-certificates.conf r, /etc/ssl/certs/ca-certificates.crt rw, /etc/ssl/certs/*.pem rw, @@ -48,13 +50,19 @@ profile update-ca-certificates @{exec_path} { /{usr/,}lib/locale/locale-archive r, + /tmp/ r, owner /tmp/ca-certificates{,.crt}.tmp.* rw, + # For shell pwd + /root/ r, + + /usr/local/share/ r, + @{PROC}/filesystems r, profile run-parts { - #include + include /{usr/,}bin/run-parts mr, 
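Review bot: `/root/ r,` under `# For shell pwd` in the update-ca-certificates hunk only covers a run started from root's home directory; the directory the shell reads is whatever the caller's cwd is, so an invocation from `/`, from a package maintainer script or from cron will raise a fresh denial. Either document that the rule is cwd-dependent, `# For shell pwd (cwd of the caller; extend if run from elsewhere)`, or grant the read to the small set of directories the tool is actually launched from. The same `/root/ r,` for pwd is added in the update-smart-drivedb hunk and replaces `/ r,` in the update-dlocatedb hunk, which narrows that profile for the same reason.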
@@ -66,13 +74,16 @@ profile update-ca-certificates @{exec_path} { } profile jks-keystore { - #include - #include - #include + include + include + include /etc/ca-certificates/update.d/jks-keystore mr, + /{usr/,}lib/ r, /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix, + /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix, + /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/sed rix, @@ -89,6 +100,8 @@ profile update-ca-certificates @{exec_path} { /etc/java-[0-9]*-openjdk/{,**} r, + owner @{PROC}/@{pid}/coredump_filter rw, + owner @{PROC}/@{pid}/coredump rw, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, @{sys}/fs/cgroup/** r, @@ -101,5 +114,5 @@ profile update-ca-certificates @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/update-command-not-found b/apparmor.d/update-command-not-found index c01b1533..116262f9 100644 --- a/apparmor.d/update-command-not-found +++ b/apparmor.d/update-command-not-found @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /usr/share/command-not-found/cnf-update-db @{exec_path} += /{usr/,}sbin/update-command-not-found profile update-command-not-found @{exec_path} { - #include - #include - #include + include + include + include #capability sys_tty_config, @@ -48,5 +48,5 @@ profile update-command-not-found @{exec_path} { # file_inherit /var/log/cron-apt/temp w, - #include if exists + include if exists } diff --git a/apparmor.d/update-desktop-database b/apparmor.d/update-desktop-database index 1e21e7ca..bfa10b1f 100644 --- a/apparmor.d/update-desktop-database +++ b/apparmor.d/update-desktop-database 
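Review bot: `owner @{PROC}/@{pid}/coredump rw,` in the jks-keystore sub-profile looks like a path that does not exist: procfs has the per-process `coredump_filter` named on the line above, but as far as I know no `coredump` entry on the kernel generation this commit's abi files target, so the rule is dead and reads as if it grants something. If it was added by analogy rather than from a logged denial, drop it; if a denial exists, cite its path in a comment. The `profile jks-keystore { … }` block continues outside the hunk.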
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/update-desktop-database profile update-desktop-database @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile update-desktop-database @{exec_path} { /usr/share/*/*.desktop r, - #include if exists + include if exists } diff --git a/apparmor.d/update-dlocatedb b/apparmor.d/update-dlocatedb index d1bfddb0..c1d500f2 100644 --- a/apparmor.d/update-dlocatedb +++ b/apparmor.d/update-dlocatedb @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-dlocatedb profile update-dlocatedb @{exec_path} { - #include - #include + include + include @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, @@ -37,12 +37,12 @@ profile update-dlocatedb @{exec_path} { /var/lib/dlocate/dpkg-list w, # For shell pwd - / r, + /root/ r, profile updatedb { - #include - #include + include + include /usr/share/dlocate/updatedb r, /{usr/,}bin/perl r, @@ -66,5 +66,5 @@ profile update-dlocatedb @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/update-initramfs b/apparmor.d/update-initramfs index e8793583..bcb5727f 100644 --- a/apparmor.d/update-initramfs +++ b/apparmor.d/update-initramfs @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-initramfs profile update-initramfs @{exec_path} { - #include - #include + include + include @{exec_path} rix, /{usr/,}bin/{,ba,da}sh rix, @@ -55,5 +55,5 @@ profile update-initramfs @{exec_path} { owner /boot/initrd.img-* rw, owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, - #include if exists + include if exists } diff --git a/apparmor.d/update-pciids b/apparmor.d/update-pciids index d29747f9..d10b5889 100644 
--- a/apparmor.d/update-pciids +++ b/apparmor.d/update-pciids @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-pciids profile update-pciids @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -49,10 +49,15 @@ profile update-pciids @{exec_path} { profile browse { - #include - #include - #include - #include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, /{usr/,}bin/wget mr, /{usr/,}bin/curl mr, @@ -66,5 +71,5 @@ profile update-pciids @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/update-smart-drivedb b/apparmor.d/update-smart-drivedb index c9d2afdd..5e743930 100644 --- a/apparmor.d/update-smart-drivedb +++ b/apparmor.d/update-smart-drivedb @@ -9,13 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/update-smart-drivedb profile update-smart-drivedb @{exec_path} { - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -32,6 +33,7 @@ profile update-smart-drivedb @{exec_path} { /{usr/,}bin/mv rix, /{usr/,}bin/cmp rix, + /{usr/,}sbin/ r, /{usr/,}sbin/smartctl rPx, /{usr/,}bin/gpg rCx -> gpg, @@ -43,9 +45,13 @@ profile update-smart-drivedb @{exec_path} { owner /var/lib/smartmontools/drivedb/.gnupg.[0-9]*.tmp/{,**} rw, + # For shell pwd + /root/ r, + profile gpg { - #include + include + include /{usr/,}bin/gpg mr, @@ -61,10 +67,16 @@ profile update-smart-drivedb @{exec_path} { } profile browse { - #include - #include - #include - #include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, /{usr/,}bin/wget mr, /{usr/,}bin/curl mr, 
@@ -85,5 +97,5 @@ profile update-smart-drivedb @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/updatedb-mlocate b/apparmor.d/updatedb-mlocate index 064e13a1..d50d1965 100644 --- a/apparmor.d/updatedb-mlocate +++ b/apparmor.d/updatedb-mlocate @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/updatedb.mlocate profile updatedb-mlocate @{exec_path} { - #include - #include + include + include capability dac_read_search, capability fowner, @@ -68,5 +68,5 @@ profile updatedb-mlocate @{exec_path} { /etc/updatedb.conf r, - #include if exists + include if exists } diff --git a/apparmor.d/upower b/apparmor.d/upower index eb77816e..ddc2a564 100644 --- a/apparmor.d/upower +++ b/apparmor.d/upower @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/upower profile upower @{exec_path} { - #include + include # Needed? deny capability sys_nice, @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/upowerd b/apparmor.d/upowerd index 68688aed..33808aac 100644 --- a/apparmor.d/upowerd +++ b/apparmor.d/upowerd @@ -9,13 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/upower/upowerd /usr/libexec/upowerd profile upowerd @{exec_path} { - #include + include + + network netlink raw, @{exec_path} mr, @@ -58,5 +60,5 @@ profile upowerd @{exec_path} { @{run}/systemd/inhibit/[0-9]*.ref rw, - #include if exists + include if exists } diff --git a/apparmor.d/uptime b/apparmor.d/uptime index 59bcd59a..4fb083a9 100644 --- a/apparmor.d/uptime +++ b/apparmor.d/uptime 
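Review bot: The new `network netlink raw,` in the upowerd profile carries no comment saying which netlink protocol the daemon needs, and an AppArmor network rule cannot narrow it, so this grants every netlink family (route, audit, kobject-uevent, ...). Presumably it is the udev uevent socket used for device hot-plug notification — confirm from the denial that motivated it — and record that next to the rule, e.g. `# udev uevent socket (NETLINK_KOBJECT_UEVENT) for device hotplug`. That keeps the rule easy to tighten if the policy language ever gains a protocol qualifier.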
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/uptime profile uptime @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile uptime @{exec_path} { @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, - #include if exists + include if exists } diff --git a/apparmor.d/usb-devices b/apparmor.d/usb-devices index 1e836722..6117a9ae 100644 --- a/apparmor.d/usb-devices +++ b/apparmor.d/usb-devices @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/usb-devices profile usb-devices @{exec_path} { - #include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -31,5 +31,8 @@ profile usb-devices @{exec_path} { @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**} r, - #include if exists + # For shell pwd + /root/ r, + + include if exists } diff --git a/apparmor.d/usbguard b/apparmor.d/usbguard index ca3126c6..1010d723 100644 --- a/apparmor.d/usbguard +++ b/apparmor.d/usbguard @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/usbguard profile usbguard @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -33,5 +33,5 @@ profile usbguard @{exec_path} { @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,product,idProduct,idVendor,serial} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/connect_type r, - #include if exists + include if exists } diff --git a/apparmor.d/usbguard-applet-qt b/apparmor.d/usbguard-applet-qt index bfc0a709..c8ecc9f6 100644 --- a/apparmor.d/usbguard-applet-qt +++ b/apparmor.d/usbguard-applet-qt 
@@ -9,23 +9,23 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/usbguard-applet-qt profile usbguard-applet-qt @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include # Needed? ptrace (read), @@ -54,5 +54,5 @@ profile usbguard-applet-qt @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - #include if exists + include if exists } diff --git a/apparmor.d/usbguard-daemon b/apparmor.d/usbguard-daemon index 67554cde..282113b1 100644 --- a/apparmor.d/usbguard-daemon +++ b/apparmor.d/usbguard-daemon @@ -9,19 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/usbguard-daemon profile usbguard-daemon @{exec_path} { - #include - #include + include + include # Needed? (##FIXME##) #capability chown, #capability fowner, + network netlink dgram, + @{exec_path} mr, /etc/usbguard/*.conf rw, @@ -42,5 +44,5 @@ profile usbguard-daemon @{exec_path} { @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,product,idProduct,idVendor,serial} r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/connect_type r, - #include if exists + include if exists } diff --git a/apparmor.d/usbguard-dbus b/apparmor.d/usbguard-dbus index 8fd8fb74..ebcd36b3 100644 --- a/apparmor.d/usbguard-dbus +++ b/apparmor.d/usbguard-dbus @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/usbguard-dbus profile usbguard-dbus @{exec_path} { - #include + include # Needed? deny capability sys_nice, 
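Review bot: `network netlink dgram,` in usbguard-daemon is inserted directly under the `# Needed? (##FIXME##)` block of commented-out capabilities, so it reads as part of that unresolved question rather than as a settled rule. Move it below with its own one-line reason, e.g. `# netlink uevent socket for USB device enumeration (libudev) — confirm protocol`, since the rule grants all netlink families and the comment is the only record of why it is there. The rest of this profile's rules are outside the hunk.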
@@ -24,5 +24,5 @@ profile usbguard-dbus @{exec_path} { /dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw, /dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw, - #include if exists + include if exists } diff --git a/apparmor.d/uscan b/apparmor.d/uscan index d937d677..3d8be013 100644 --- a/apparmor.d/uscan +++ b/apparmor.d/uscan @@ -9,20 +9,26 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/uscan profile uscan @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/perl r, @@ -58,7 +64,7 @@ profile uscan @{exec_path} { owner /tmp/*/trustedkeys.gpg w, profile gpg { - #include + include /{usr/,}bin/gpg mr, /{usr/,}bin/gpgv mr, @@ -73,5 +79,5 @@ profile uscan @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/useradd b/apparmor.d/useradd index e2142898..bde29be8 100644 --- a/apparmor.d/useradd +++ b/apparmor.d/useradd @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/useradd profile useradd @{exec_path} { - #include - #include - #include + include + include + include # To create a user home dir and give it proper permissions: # mkdir("/home/user", 000) = 0 @@ -39,6 +39,8 @@ profile useradd @{exec_path} { # To write records to the kernel auditing log. capability audit_write, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/usermod rPx, @@ -77,9 +79,9 @@ profile useradd @{exec_path} { profile pam_tally2 { - #include - #include - #include + include + include + include capability audit_write, 
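Review bot: In the useradd hunk the added `network netlink raw,` is separated by a blank line from the `capability audit_write,` rule although the two very likely belong together: the existing comment `# To write records to the kernel auditing log.` describes records that libaudit sends over a NETLINK_AUDIT socket, which is presumably what this rule satisfies (inferred from the pairing — confirm against the logged denial). Put the network rule directly under that comment, `# To write records to the kernel auditing log (libaudit uses a NETLINK_AUDIT socket).` followed by the capability and network lines, so the reason is not lost and nobody later removes one without the other.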
@@ -89,5 +91,5 @@ profile useradd @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/userdel b/apparmor.d/userdel index bcad77df..2a610f1f 100644 --- a/apparmor.d/userdel +++ b/apparmor.d/userdel @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/userdel profile userdel @{exec_path} flags=(attach_disconnected) { - #include - #include - #include + include + include + include # The userdel command is issued as root and its task is to delete regular user accounts. It # optionally can remove user files (via --remove). Because of that, the userdel command needs the @@ -36,6 +36,8 @@ profile userdel @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, ptrace (read), + network netlink raw, + @{exec_path} mr, /etc/login.defs r, @@ -66,5 +68,5 @@ profile userdel @{exec_path} flags=(attach_disconnected) { # To remove user mail /var/mail/* w, - #include if exists + include if exists } diff --git a/apparmor.d/usermod b/apparmor.d/usermod index 36398914..29ef512c 100644 --- a/apparmor.d/usermod +++ b/apparmor.d/usermod @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/usermod profile usermod @{exec_path} flags=(attach_disconnected) { - #include - #include - #include + include + include + include # To write records to the kernel auditing log. capability audit_write, @@ -64,5 +64,5 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{HOME}/{,**} rw, /var/{,**} rw, - #include if exists + include if exists } diff --git a/apparmor.d/usr.bin.irssi b/apparmor.d/usr.bin.irssi index 9ba8e1c0..149c2e5f 100644 --- a/apparmor.d/usr.bin.irssi +++ b/apparmor.d/usr.bin.irssi 
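Review bot: The userdel hunk adds `network netlink raw,` after `ptrace (read),` with no comment, while the usermod hunk on the same patch keeps `# To write records to the kernel auditing log. capability audit_write,` but gains no netlink rule, even though the three shadow utilities presumably log through the same libaudit path. Either usermod hits the same denial and needs the rule too, or userdel does not and the rule here is speculative; the patch should settle that and say so, e.g. `# libaudit sends audit records over a NETLINK_AUDIT socket` above the rule. Both profile bodies extend beyond the hunks shown.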
@@ -1,12 +1,12 @@ # Author: Jamie Strandboge # For use with irssi within screen -#include +include /usr/bin/irssi flags=(complain) { - #include - #include - #include - #include + include + include + include + include /usr/share/irssi/themes/*.theme r, /usr/share/irssi/help/* r, @@ -17,7 +17,7 @@ /{usr/,}bin/dash ix, # for screen_away - #include + include /usr/bin/screen ix, owner /{,var/}run/screen/** r, owner /{,var/}run/screen/S-[a-zA-Z0-9]*/[0-9]* w, @@ -50,5 +50,5 @@ owner @{HOME}/.irssi/fnotify rwk, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.bin.lxc-start b/apparmor.d/usr.bin.lxc-start index 2f289627..e9fdd43b 100644 --- a/apparmor.d/usr.bin.lxc-start +++ b/apparmor.d/usr.bin.lxc-start @@ -1,5 +1,5 @@ -#include +include profile lxc-start /usr/bin/lxc-start flags=(attach_disconnected) { - #include + include } diff --git a/apparmor.d/usr.bin.man b/apparmor.d/usr.bin.man index 2d2ca199..4b87c63b 100644 --- a/apparmor.d/usr.bin.man +++ b/apparmor.d/usr.bin.man @@ -1,9 +1,9 @@ # vim:syntax=apparmor -#include +include /usr/bin/man { - #include + include # Use a special profile when man calls anything groff-related. We only # include the programs that actually parse input data in a non-trivial @@ -50,15 +50,15 @@ signal peer=/usr/bin/man//&man_filter, # Site-specific additions and overrides. See local/README for details. - #include + include } profile man_groff { - #include + include # Recent kernels revalidate open FDs, and there are often some still # open on TTYs. This is temporary until man learns to close irrelevant # open FDs before execve. - #include + include # man always runs its groff pipeline with the input file open on stdin, # so we can skip . 
@@ -88,11 +88,11 @@ profile man_groff { } profile man_filter { - #include + include # Recent kernels revalidate open FDs, and there are often some still # open on TTYs. This is temporary until man learns to close irrelevant # open FDs before execve. - #include + include /{,usr/}bin/bzip2 rm, /{,usr/}bin/gzip rm, diff --git a/apparmor.d/usr.bin.pidgin b/apparmor.d/usr.bin.pidgin index 5e187020..1f6eee54 100644 --- a/apparmor.d/usr.bin.pidgin +++ b/apparmor.d/usr.bin.pidgin @@ -1,24 +1,24 @@ # vim:syntax=apparmor -#include +include /usr/bin/pidgin { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include dbus receive bus=system @@ -83,5 +83,5 @@ owner @{PROC}/@{pid}/fd/ r, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.bin.totem b/apparmor.d/usr.bin.totem index 1176965e..8701b89e 100644 --- a/apparmor.d/usr.bin.totem +++ b/apparmor.d/usr.bin.totem @@ -1,17 +1,17 @@ # vim:syntax=apparmor # Author: Jamie Strandboge -#include +include /usr/bin/totem { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include signal (send) set=("kill") peer=unconfined, @@ -38,7 +38,7 @@ # Allow read and write on almost anything in @{HOME}. Lenient, but # private-files-strict is in effect. - #include + include owner @{HOME}/[^.]* rw, owner @{HOME}/[^.]*/** rw, @@ -53,5 +53,5 @@ /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r, # Site-specific additions and overrides. See local/README for details. - #include + include } 
diff --git a/apparmor.d/usr.bin.totem-previewers b/apparmor.d/usr.bin.totem-previewers index 7b861d0a..76204b23 100644 --- a/apparmor.d/usr.bin.totem-previewers +++ b/apparmor.d/usr.bin.totem-previewers @@ -1,10 +1,10 @@ # vim:syntax=apparmor # Author: Jamie Strandboge -#include +include /usr/bin/totem-video-thumbnailer flags=(attach_disconnected) { - #include + include # Probably needed due to this program being run with bwrap @{HOMEDIRS} w, @@ -12,7 +12,7 @@ # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in # effect. - #include + include owner @{HOME}/[^.]* rw, owner @{HOME}/[^.]*/** rw, @@ -23,19 +23,19 @@ /usr/bin/totem-video-thumbnailer rm, # Site-specific additions and overrides. See local/README for details. - #include + include } /usr/bin/totem-audio-preview flags=(attach_disconnected) { - #include - #include + include + include # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in # effect. - #include + include owner @{HOME}/[^.]* rw, owner @{HOME}/[^.]*/** rw, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.lib.libreoffice.program.oosplash b/apparmor.d/usr.lib.libreoffice.program.oosplash index 565cb03c..f5b055a1 100644 --- a/apparmor.d/usr.lib.libreoffice.program.oosplash +++ b/apparmor.d/usr.lib.libreoffice.program.oosplash @@ -12,11 +12,11 @@ # # ------------------------------------------------------------------ -#include +include profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash flags=(complain) { - #include - #include + include + include /etc/libreoffice/ r, /etc/libreoffice/** r, diff --git a/apparmor.d/usr.lib.libreoffice.program.senddoc b/apparmor.d/usr.lib.libreoffice.program.senddoc index 75ae73fe..12724fd6 100644 --- a/apparmor.d/usr.lib.libreoffice.program.senddoc +++ b/apparmor.d/usr.lib.libreoffice.program.senddoc 
@@ -12,12 +12,12 @@ # # ------------------------------------------------------------------ -#include +include -profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc { - #include +profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc flags=(complain) { + include - #include + include /{usr/,}bin/sh rmix, /{usr/,}bin/bash rmix, diff --git a/apparmor.d/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/usr.lib.libreoffice.program.soffice.bin index 5b33af2a..57dd9c99 100644 --- a/apparmor.d/usr.lib.libreoffice.program.soffice.bin +++ b/apparmor.d/usr.lib.libreoffice.program.soffice.bin @@ -73,32 +73,32 @@ @{libo_user_dirs} = @{HOME} /mnt /media -#include +include profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) { - #include + include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include # GnuPG1 only... -# #include - #include - #include +# include + include + include - #include + include - #include - #include - #include + include + include + include #List directories for file browser / r, @@ -214,8 +214,8 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp owner @{HOME}/.local/share/user-places.xbel r, # there is abstractions/gnupg but that's just for gpg1... - profile gpg { - #include + profile gpg flags=(complain) { + include /usr/bin/gpgconf rm, /usr/bin/gpg rm, diff --git a/apparmor.d/usr.lib.libreoffice.program.xpdfimport b/apparmor.d/usr.lib.libreoffice.program.xpdfimport index bdfc5572..04c469e6 100644 --- a/apparmor.d/usr.lib.libreoffice.program.xpdfimport +++ b/apparmor.d/usr.lib.libreoffice.program.xpdfimport 
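Review bot: `flags=(complain)` on the libreoffice-senddoc profile header switches the helper from enforcement to logging, and the commit title ("update profiles for apparmor3") gives no reason for relaxing it. The soffice.bin profile on the same patch was already complain before this change (its header is a context line), so this is new exposure for senddoc only. If this is a stop-gap while apparmor 3 abstractions are being sorted out, say so in the profile, e.g. `# TODO: complain mode until the remaining denials under apparmor 3 are resolved`, so it is revisited rather than silently left permissive.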
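Review bot: `profile gpg flags=(complain) {` inside libreoffice-soffice removes enforcement from the GnuPG child profile without stating why. If the intent is to align the child with its parent (which is already in complain mode; child profiles do not, to my knowledge, inherit the parent's flags), a one-line comment makes that explicit and ties the two together for the eventual revert: `# complain to match the parent profile; switch both back to enforce together`. The child profile's remaining rules are outside this hunk.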
@@ -12,12 +12,12 @@ # # ------------------------------------------------------------------ -#include +include -profile libreoffice-xpdfimport /usr/lib/libreoffice/program/xpdfimport { - #include +profile libreoffice-xpdfimport /usr/lib/libreoffice/program/xpdfimport flags=(complain) { + include - #include + include /usr/share/poppler/** r, /usr/share/libreoffice/share/config/* r, diff --git a/apparmor.d/usr.lib.libvirt.virt-aa-helper b/apparmor.d/usr.lib.libvirt.virt-aa-helper index 3eebc207..867c7295 100644 --- a/apparmor.d/usr.lib.libvirt.virt-aa-helper +++ b/apparmor.d/usr.lib.libvirt.virt-aa-helper @@ -1,7 +1,7 @@ -#include +include profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper { - #include + include # needed for searching directories capability dac_override, @@ -70,5 +70,5 @@ profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper { /**/disk{,.*} r, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.sbin.apt-cacher-ng b/apparmor.d/usr.sbin.apt-cacher-ng index 8a5e854e..571f58be 100644 --- a/apparmor.d/usr.sbin.apt-cacher-ng +++ b/apparmor.d/usr.sbin.apt-cacher-ng @@ -2,13 +2,13 @@ @{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng -#include +include -profile apt-cacher-ng /usr/sbin/apt-cacher-ng { - #include - #include - #include - #include +profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) { + include + include + include + include /etc/apt-cacher-ng/ r, /etc/apt-cacher-ng/** r, @@ -31,5 +31,5 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng { /usr/lib/apt-cacher-ng/acngtool ixr, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.sbin.avahi-daemon b/apparmor.d/usr.sbin.avahi-daemon index 62f56df7..7de07d3e 100644 --- a/apparmor.d/usr.sbin.avahi-daemon +++ b/apparmor.d/usr.sbin.avahi-daemon 
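Review bot: `flags=(complain)` on libreoffice-xpdfimport turns a profile that parses untrusted PDF input into a logging-only profile, which is the opposite of what you want for a format parser, and no rationale is given. If specific denials forced this, list them in a comment above the header, `# complain: TODO resolve denials on <paths>`, so the relaxation has an owner and an exit condition rather than becoming permanent. The remainder of the profile is outside the hunk.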
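Review bot: The apt-cacher-ng profile header gains `flags=(complain)`, so a service that (by its role, not visible here) accepts connections from other hosts is no longer confined, only audited. That is the profile where enforcement matters most; unless there is a known set of denials under apparmor 3, prefer to keep enforce and add the missing rules, or at minimum document the reason inline, e.g. `# TODO: complain mode pending apparmor 3 rule cleanup — re-enable enforce`. The profile's body continues outside this hunk.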
@@ -1,9 +1,11 @@ -#include +abi , + +include profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(complain) { - #include - #include - #include - #include + include + include + include + include capability chown, capability dac_override, @@ -23,11 +25,11 @@ profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(complain) { /usr/{bin,sbin}/avahi-daemon mr, /usr/share/avahi/introspection/*.introspect r, /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r, - /{,var/}run/avahi-daemon/ w, - /{,var/}run/avahi-daemon/pid krw, - /{,var/}run/avahi-daemon/socket w, - /{,var/}run/systemd/notify w, + @{run}/avahi-daemon/ w, + @{run}/avahi-daemon/pid krw, + @{run}/avahi-daemon/socket w, + @{run}/systemd/notify w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.cupsd b/apparmor.d/usr.sbin.cupsd index 9b8d0668..f30cba71 100644 --- a/apparmor.d/usr.sbin.cupsd +++ b/apparmor.d/usr.sbin.cupsd @@ -2,17 +2,17 @@ # Last Modified: Thu Aug 2 12:54:46 2007 # Author: Martin Pitt -#include +include /usr/sbin/cupsd flags=(attach_disconnected) { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include capability chown, capability fowner, @@ -169,15 +169,15 @@ } # Site-specific additions and overrides. See local/README for details. - #include + include } # separate profile since this needs to write into /home /usr/lib/cups/backend/cups-pdf { - #include - #include - #include - #include + include + include + include + include capability chown, capability fowner, @@ -211,7 +211,7 @@ # allow read and write on almost anything in @{HOME} (lenient, but # private-files-strict is in effect), to support customized "Out" # setting in cups-pdf.conf (Debian#940578) - #include + include @{HOME}/[^.]*/{,**/} rw, @{HOME}/[^.]*/** rw, } 
diff --git a/apparmor.d/usr.sbin.dnsmasq b/apparmor.d/usr.sbin.dnsmasq index 88f09913..d911b60d 100644 --- a/apparmor.d/usr.sbin.dnsmasq +++ b/apparmor.d/usr.sbin.dnsmasq @@ -9,19 +9,15 @@ # # ------------------------------------------------------------------ -@{TFTP_DIR}=/var/tftp /srv/tftpboot +abi , -#include +@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot -# This profile has the name "/usr/sbin/dnsmasq", but attaches to both /usr/bin/dnsmasq and /usr/sbin/dnsmasq. -# We are sorry for the confusion ;-) but this trick is needed to support distributions with merged bin and sbin -# while not breaking the libvirtd profile that has rules with peer=/usr/sbin/dnsmasq -# Future versions of AppArmor (> 2.13.x) will have "dnsmasq" as profile name. - -profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { - #include - #include - #include +include +profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { + include + include + include capability chown, capability net_bind_service, @@ -34,10 +30,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { network inet6 raw, signal (receive) peer=/usr/{bin,sbin}/libvirtd, - signal (receive) peer=/usr/sbin/libvirtd, signal (receive) peer=libvirtd, ptrace (readby) peer=/usr/{bin,sbin}/libvirtd, - ptrace (readby) peer=/usr/sbin/libvirtd, ptrace (readby) peer=libvirtd, owner /dev/tty rw, @@ -54,6 +48,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /etc/NetworkManager/dnsmasq.d/* r, /etc/NetworkManager/dnsmasq-shared.d/ r, /etc/NetworkManager/dnsmasq-shared.d/* r, + /etc/dnsmasq-conf.conf r, + /etc/dnsmasq-resolv.conf r, /usr/{bin,sbin}/dnsmasq mr, 
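Review bot: Renaming the profile from `/usr/sbin/dnsmasq` to `dnsmasq` removes the compatibility trick the deleted comment itself describes: libvirtd's profile has rules with `peer=/usr/sbin/dnsmasq`, and peer matching is on the profile name, so after this rename those libvirtd rules will stop matching and libvirt's signals/ptrace toward its dnsmasq instances will be denied. The usr.sbin.libvirtd diff in this same patch only rewrites `include` lines and does not touch any peer rule, so unless that file already uses `peer=dnsmasq` (not visible here) this needs a matching change there. Keep a note at the rename, e.g. `# profile name changed to "dnsmasq" (apparmor 3); libvirtd peer= rules must use the same name`, and the receive side here is fine since `peer=libvirtd` is still accepted.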
@@ -62,10 +58,10 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /usr/share/dnsmasq{-base,}/ r, /usr/share/dnsmasq{-base,}/* r, - /{,var/}run/*dnsmasq*.pid w, - /{,var/}run/dnsmasq-forwarders.conf r, - /{,var/}run/dnsmasq/ r, - /{,var/}run/dnsmasq/* rw, + @{run}/*dnsmasq*.pid w, + @{run}/dnsmasq-forwarders.conf r, + @{run}/dnsmasq/ r, + @{run}/dnsmasq/* rw, /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage @@ -74,6 +70,8 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { # access to iface mtu needed for Router Advertisement messages in IPv6 # Neighbor Discovery protocol (RFC 2461) @{PROC}/sys/net/ipv6/conf/*/mtu r, + # closing superfluous file descriptors scans /proc/self/fd/ to find open ones + @{PROC}/@{pid}/fd/ r, # for the read-only TFTP server @{TFTP_DIR}/ r, @@ -84,19 +82,19 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /var/lib/libvirt/dnsmasq/* r, # libvirt pid files for dnsmasq - /{,var/}run/libvirt/network/ r, - /{,var/}run/libvirt/network/*.pid rw, + @{run}/libvirt/network/ r, + @{run}/libvirt/network/*.pid rw, # libvirt lease helper /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper, /usr/libexec/libvirt_leaseshelper Cx -> libvirt_leaseshelper, # lxc-net pid and lease files - /{,var/}run/lxc/dnsmasq.pid rw, + @{run}/lxc/dnsmasq.pid rw, /var/lib/misc/dnsmasq.*.leases rw, # lxd-bridge pid and lease files - /{,var/}run/lxd-bridge/dnsmasq.pid rw, + @{run}/lxd-bridge/dnsmasq.pid rw, /var/lib/lxd-bridge/dnsmasq.*.leases rw, /var/lib/lxd/networks/*/dnsmasq.* r, /var/lib/lxd/networks/*/dnsmasq.leases rw, 
@@ -104,15 +102,15 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { # NetworkManager integration /var/lib/NetworkManager/dnsmasq-*.leases rw, - /{,var/}run/nm-dns-dnsmasq.conf r, - /{,var/}run/nm-dnsmasq-*.pid rw, - /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w, - /{,var/}run/NetworkManager/dnsmasq.conf r, - /{,var/}run/NetworkManager/dnsmasq.pid w, - /{,var/}run/NetworkManager/NetworkManager.pid w, + @{run}/nm-dns-dnsmasq.conf r, + @{run}/nm-dnsmasq-*.pid rw, + @{run}/sendsigs.omit.d/*dnsmasq.pid w, + @{run}/NetworkManager/dnsmasq.conf r, + @{run}/NetworkManager/dnsmasq.pid w, + @{run}/NetworkManager/NetworkManager.pid w, profile libvirt_leaseshelper { - #include + include /etc/libnl-3/classid r, @@ -130,9 +128,9 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /var/lib/libvirt/dnsmasq/*.leases rw, /var/lib/libvirt/dnsmasq/*.status* rw, - /{,var/}run/leaseshelper.pid rwk, + @{run}/leaseshelper.pid rwk, } # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.fwknopd b/apparmor.d/usr.sbin.fwknopd index e70b3cae..46117423 100644 --- a/apparmor.d/usr.sbin.fwknopd +++ b/apparmor.d/usr.sbin.fwknopd @@ -1,10 +1,10 @@ # Last Modified: Sun Aug 18 22:54:57 2013 # Assumes fwknopd was built with: # './configure --prefix=/usr --sysconfdir=/etc --localstatedir=/run' -#include +include -/usr/sbin/fwknopd { - #include +/usr/sbin/fwknopd flags=(complain) { + include capability ipc_lock, capability net_admin, diff --git a/apparmor.d/usr.sbin.identd b/apparmor.d/usr.sbin.identd index 08d751e9..09c478e7 100644 --- a/apparmor.d/usr.sbin.identd +++ b/apparmor.d/usr.sbin.identd 
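Review bot: `/usr/sbin/fwknopd flags=(complain) {` drops enforcement on a network-listening daemon that the visible context grants `capability ipc_lock` and `capability net_admin`, i.e. precisely the kind of privileged listener a profile should confine, and the commit gives no reason. If the switch is temporary, record the trigger in the profile (`# complain: TODO resolve apparmor 3 denials, then re-enable enforce`) so the exposure is tracked rather than forgotten. The remaining rules of the profile are outside the hunk.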
@@ -9,11 +9,13 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile identd /usr/{bin,sbin}/identd flags=(complain) { - #include - #include + include + include capability net_bind_service, capability setgid, capability setuid, @@ -24,10 +26,10 @@ profile identd /usr/{bin,sbin}/identd flags=(complain) { /usr/{bin,sbin}/identd rmix, @{PROC}/net/tcp r, @{PROC}/net/tcp6 r, - /{,var/}run/identd.pid w, - /{,var/}run/identd/ w, - /{,var/}run/identd/identd.pid w, + @{run}/identd.pid w, + @{run}/identd/ w, + @{run}/identd/identd.pid w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.libvirtd b/apparmor.d/usr.sbin.libvirtd index 60829ee0..1badcca2 100644 --- a/apparmor.d/usr.sbin.libvirtd +++ b/apparmor.d/usr.sbin.libvirtd @@ -1,9 +1,9 @@ -#include +include @{LIBVIRT}="libvirt" profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { - #include - #include + include + include capability kill, capability net_admin, @@ -115,7 +115,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process profile qemu_bridge_helper { - #include + include capability setuid, capability setgid, @@ -137,5 +137,5 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { } # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.sbin.mdnsd b/apparmor.d/usr.sbin.mdnsd index 82b4088e..9852fbf3 100644 --- a/apparmor.d/usr.sbin.mdnsd +++ b/apparmor.d/usr.sbin.mdnsd @@ -9,12 +9,14 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile mdnsd /usr/{bin,sbin}/mdnsd flags=(complain) { - #include - #include - #include + include + include + include capability net_bind_service, capability setgid, 
@@ -28,9 +30,9 @@ profile mdnsd /usr/{bin,sbin}/mdnsd flags=(complain) { @{PROC}/net/ r, @{PROC}/net/unix r, - /{,var/}run/mdnsd lw, - /{,var/}run/mdnsd.pid w, + @{run}/mdnsd lw, + @{run}/mdnsd.pid w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.nmbd b/apparmor.d/usr.sbin.nmbd index e0e9cd0c..a796d242 100644 --- a/apparmor.d/usr.sbin.nmbd +++ b/apparmor.d/usr.sbin.nmbd @@ -1,9 +1,11 @@ -#include +abi , + +include profile nmbd /usr/{bin,sbin}/nmbd flags=(complain) { - #include - #include - #include + include + include + include capability net_bind_service, @@ -24,12 +26,11 @@ profile nmbd /usr/{bin,sbin}/nmbd flags=(complain) { /var/{cache,lib}/samba/unexpected rw, /var/cache/samba/msg/ rw, /var/cache/samba/msg/* w, - /var/cache/samba/msg.lock/{,*} rwk, - /{,var/}run/nmbd.pid rwk, - /{,var/}run/samba/** rwk, - /{,var/}run/systemd/notify w, + @{run}/nmbd.pid rwk, + @{run}/samba/** rwk, + @{run}/systemd/notify w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.nscd b/apparmor.d/usr.sbin.nscd index b1b1b953..0d2c4d14 100644 --- a/apparmor.d/usr.sbin.nscd +++ b/apparmor.d/usr.sbin.nscd @@ -9,12 +9,14 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile nscd /usr/{bin,sbin}/nscd flags=(complain) { - #include - #include - #include - #include + include + include + include + include deny capability block_suspend, capability net_bind_service, 
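Review bot: The nmbd hunk deletes `/var/cache/samba/msg.lock/{,*} rwk,` without a replacement; the surviving `@{run}/samba/** rwk` covers only the run directory, not `/var/cache/samba`, so a build of Samba that still keeps its message locks there (evidently the case when the rule was written) will be denied. The profile is in complain mode, which means the regression would show up only as audit noise now and as a real denial later when enforce is restored. If the lock directory has genuinely moved to `/run/samba` on this system, say so where the rule used to be, e.g. `# msg.lock moved under @{run}/samba/, covered above`; otherwise keep the rule.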
@@ -24,12 +26,12 @@ profile nscd /usr/{bin,sbin}/nscd flags=(complain) { /etc/netgroup r, /etc/nscd.conf r, /usr/{bin,sbin}/nscd rmix, - /{,var/}run/.nscd_socket wl, - /{,var/}run/nscd/ rw, - /{,var/}run/nscd/db* rwl, - /{,var/}run/nscd/socket wl, + @{run}/.nscd_socket wl, + @{run}/nscd/ rw, + @{run}/nscd/db* rwl, + @{run}/nscd/socket wl, /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw, - /{,var/}run/{nscd/,}nscd.pid rwl, + @{run}/{nscd/,}nscd.pid rwl, /var/lib/libvirt/dnsmasq/ r, /var/lib/libvirt/dnsmasq/*.status r, /var/log/nscd.log rw, @@ -39,5 +41,5 @@ profile nscd /usr/{bin,sbin}/nscd flags=(complain) { @{PROC}/@{pid}/mounts r, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.ntpd b/apparmor.d/usr.sbin.ntpd index e8225d7d..b54a35e1 100644 --- a/apparmor.d/usr.sbin.ntpd +++ b/apparmor.d/usr.sbin.ntpd @@ -11,13 +11,13 @@ # # ------------------------------------------------------------------ -#include -#include +include +include /usr/sbin/ntpd flags=(attach_disconnected) { - #include - #include - #include - #include + include + include + include + include capability ipc_lock, capability net_admin, @@ -87,5 +87,5 @@ # capability ipc_owner, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.sbin.smbd b/apparmor.d/usr.sbin.smbd index 7d8b68a9..aed862ac 100644 --- a/apparmor.d/usr.sbin.smbd +++ b/apparmor.d/usr.sbin.smbd @@ -1,14 +1,16 @@ -#include +abi , + +include profile smbd /usr/{bin,sbin}/smbd flags=(complain) { - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include capability audit_write, capability dac_override, 
@@ -43,22 +45,21 @@ profile smbd /usr/{bin,sbin}/smbd flags=(complain) { /var/{cache,lib}/samba/printing/printers.tdb mrw, /var/lib/samba/** rwk, /var/lib/sss/pubconf/kdcinfo.* r, - /{,var/}run/dbus/system_bus_socket rw, - /{,var/}run/smbd.pid rwk, - /{,var/}run/samba/** rk, - /{,var/}run/samba/ncalrpc/ rw, - /{,var/}run/samba/ncalrpc/** rw, - /{,var/}run/samba/smbd.pid rw, - /{,var/}run/samba/msg.lock/ rw, - /{,var/}run/samba/msg.lock/[0-9]* rwk, + @{run}/dbus/system_bus_socket rw, + @{run}/smbd.pid rwk, + @{run}/samba/** rk, + @{run}/samba/ncalrpc/ rw, + @{run}/samba/ncalrpc/** rw, + @{run}/samba/smbd.pid rw, /var/spool/samba/** rw, @{HOMEDIRS}/** lrwk, + /var/lib/samba/usershares/{,**} lrwk, # Permissions for all configured shares (file autogenerated by # update-apparmor-samba-profile on service startup. - #include if exists + include if exists # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/usr.sbin.smbldap-useradd b/apparmor.d/usr.sbin.smbldap-useradd index d52307a7..d1f75740 100644 --- a/apparmor.d/usr.sbin.smbldap-useradd +++ b/apparmor.d/usr.sbin.smbldap-useradd @@ -1,11 +1,14 @@ # Last Modified: Tue Jan 3 00:17:40 2012 -#include + +abi , + +include profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd flags=(complain) { - #include - #include - #include - #include + include + include + include + include /dev/tty rw, /{,usr/}bin/bash ix, @@ -18,11 +21,11 @@ profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd flags=(complain) { /var/log/samba/log.smbd w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists profile /etc/init.d/nscd flags=(complain) { - #include - #include + include + include capability sys_ptrace, diff --git a/apparmor.d/usr.sbin.tcpdump b/apparmor.d/usr.sbin.tcpdump index c3b91896..ae69e145 100644 --- a/apparmor.d/usr.sbin.tcpdump +++ b/apparmor.d/usr.sbin.tcpdump 
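Review bot: The new `/var/lib/samba/usershares/{,**} lrwk,` grants smbd write and link rights over the usershare definition files, although smbd only needs to read them (they are written by `net usershare` running as the sharing user); if the denials that prompted this were reads, `/var/lib/samba/usershares/{,**} rk,` is enough. The `l` bit additionally lets smbd hard-link anything it has matching access to, such as `@{HOMEDIRS}/**` with `lrwk` two lines above, into the usershares directory. Separately, this hunk removes both `msg.lock` rules while the surviving `@{run}/samba/** rk,` carries no `w`; if this Samba build still keeps msg.lock under the run directory, lock-file creation will be denied once the profile leaves complain mode.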
@@ -1,10 +1,10 @@ # vim:syntax=apparmor -#include +include profile tcpdump /usr/sbin/tcpdump { - #include - #include - #include + include + include + include capability net_raw, capability setuid, @@ -61,5 +61,5 @@ profile tcpdump /usr/sbin/tcpdump { /usr/sbin/tcpdump mr, # Site-specific additions and overrides. See local/README for details. - #include + include } diff --git a/apparmor.d/usr.sbin.traceroute b/apparmor.d/usr.sbin.traceroute index 2c08027f..926ccdaf 100644 --- a/apparmor.d/usr.sbin.traceroute +++ b/apparmor.d/usr.sbin.traceroute @@ -9,11 +9,13 @@ # # ------------------------------------------------------------------ -#include +abi , + +include profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} { - #include - #include - #include + include + include + include deny capability net_admin, # noisy setsockopt() calls capability net_raw, @@ -26,5 +28,5 @@ profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/tracerou @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/apparmor.d/uupdate b/apparmor.d/uupdate index 579cc5cd..bafdbede 100644 --- a/apparmor.d/uupdate +++ b/apparmor.d/uupdate @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{BUILD_DIR} = /media/debuilder/ @{exec_path} = /{usr/,}bin/uupdate profile uupdate @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -58,5 +58,5 @@ profile uupdate @{exec_path} flags=(complain) { # For package building owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - #include if exists + include if exists } diff --git a/apparmor.d/vcsi b/apparmor.d/vcsi index ff9cda23..c82ae6b8 100644 --- a/apparmor.d/vcsi +++ b/apparmor.d/vcsi 
@@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/vcsi profile vcsi @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -37,5 +37,5 @@ profile vcsi @{exec_path} { owner /tmp/* rw, - #include if exists + include if exists } diff --git a/apparmor.d/vidcutter b/apparmor.d/vidcutter index db9da1cb..8c19b886 100644 --- a/apparmor.d/vidcutter +++ b/apparmor.d/vidcutter @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -40,24 +40,24 @@ @{exec_path} = /{usr/,}bin/vidcutter profile vidcutter @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -139,8 +139,8 @@ profile vidcutter @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @@ -157,5 +157,5 @@ profile vidcutter @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/vipw-vigr b/apparmor.d/vipw-vigr index a3a6b9a7..c89532d5 100644 --- a/apparmor.d/vipw-vigr +++ b/apparmor.d/vipw-vigr 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/vi{pw,gr} profile vipw-vigr @{exec_path} { - #include + include capability chown, @@ -45,8 +45,8 @@ profile vipw-vigr @{exec_path} { profile editor { - #include - #include + include + include capability fsetid, @@ -68,5 +68,5 @@ profile vipw-vigr @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/virt-manager b/apparmor.d/virt-manager index 0e44dc55..68edd4e2 100644 --- a/apparmor.d/virt-manager +++ b/apparmor.d/virt-manager @@ -9,29 +9,33 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/virt-manager @{exec_path} += /usr/share/virt-manager/virt-manager -profile virt-manager @{exec_path} flags=(complain) { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include +profile virt-manager @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} rix, /{usr/,}bin/{,ba,da}sh rix, @@ -84,6 +88,7 @@ profile virt-manager @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/net/route r, /dev/ r, @@ -126,5 +131,5 @@ profile virt-manager @{exec_path} flags=(complain) { # Silecne the noise deny /usr/share/virt-manager/{,**} w, - #include if exists + include if exists } diff --git a/apparmor.d/vlc b/apparmor.d/vlc index 4a9cfa14..4277eece 100644 --- a/apparmor.d/vlc +++ b/apparmor.d/vlc 
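Review bot: Removing `flags=(complain)` from `profile virt-manager @{exec_path}` turns this into an enforcing profile inside a commit described only as an ABI migration; that mode flip deserves its own mention, since any rule still missing will now break the tool rather than log. The three `network` rules added with it carry no comment, and `network netlink raw,` in particular cannot be limited to a netlink family in AppArmor rule syntax as far as I know, so it admits NETLINK_ROUTE, NETLINK_AUDIT, NETLINK_KOBJECT_UEVENT and the rest alike. A comment stating what each is for, e.g. `# remote libvirt transports (tcp/tls); netlink presumably for getaddrinfo()/interface enumeration -- confirm from the denials`, would let the next reviewer check the need.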
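Review bot: The added `@{PROC}/@{pid}/net/route r,` lacks the `owner` qualifier that every neighbouring `@{PROC}/@{pid}/...` rule in this hunk carries (`mountinfo`, `mounts`, `fd/`), so it also permits reading other processes' `/proc/<pid>/net/route`. Unless a different process is the reader, which nothing here suggests, `owner @{PROC}/@{pid}/net/route r,` keeps the block consistent. The enclosing virt-manager profile body continues outside the hunk.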
@@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -58,27 +58,33 @@ @{exec_path} = /{usr/,}bin/{c,}vlc profile vlc @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (receive) set=(term, kill) peer=anyremote//*, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mrix, # Which media files VLC should be able to open @@ -154,5 +160,5 @@ profile vlc @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.anyRemote/anyremote.stdout w, - #include if exists + include if exists } diff --git a/apparmor.d/vnstat b/apparmor.d/vnstat index 51933602..805237fc 100644 --- a/apparmor.d/vnstat +++ b/apparmor.d/vnstat @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/vnstat profile vnstat @{exec_path} { - #include - #include - #include + include + include + include # The following rules are needed when adding a new interface to the vnstat database. Usually this # action is performed as root, but the vnstatd daemon is run as vnstat (user/group), and all the @@ -71,5 +71,5 @@ profile vnstat @{exec_path} { deny @{sys}/devices/**/hwmon/**/temp*_input r, owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/vnstatd b/apparmor.d/vnstatd index 43c60fd6..57166e15 100644 --- a/apparmor.d/vnstatd +++ b/apparmor.d/vnstatd 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/vnstatd profile vnstatd @{exec_path} { - #include + include @{exec_path} mr, @@ -34,5 +34,5 @@ profile vnstatd @{exec_path} { owner /var/lib/vnstat/vnstat.db rwk, owner /var/lib/vnstat/vnstat.db-journal rw, - #include if exists + include if exists } diff --git a/apparmor.d/volumeicon b/apparmor.d/volumeicon index fff723c2..9a68a6a6 100644 --- a/apparmor.d/volumeicon +++ b/apparmor.d/volumeicon @@ -9,24 +9,24 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/volumeicon profile volumeicon @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -49,5 +49,5 @@ profile volumeicon @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/vsftpd b/apparmor.d/vsftpd index 97735c2f..3a994aeb 100644 --- a/apparmor.d/vsftpd +++ b/apparmor.d/vsftpd @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/vsftpd profile vsftpd @{exec_path} { - #include - #include - #include - #include + include + include + include + include # Only for local users authentication - #include + include # To be able to listen on ports < 1024 capability net_bind_service, @@ -48,7 +48,7 @@ profile vsftpd @{exec_path} { capability net_admin, capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp - #include + include # To validate allowed users shells /etc/shells r, 
@@ -79,5 +79,5 @@ profile vsftpd @{exec_path} { /media/ftp/ r, /media/ftp/** rwk, - #include if exists + include if exists } diff --git a/apparmor.d/wavemon b/apparmor.d/wavemon index 43630aeb..bc07f682 100644 --- a/apparmor.d/wavemon +++ b/apparmor.d/wavemon @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/wavemon profile wavemon @{exec_path} { - #include + include # To scan WiFi networks capability net_admin, @@ -28,5 +28,5 @@ profile wavemon @{exec_path} { @{PROC}/@{pid}/net/dev r, - #include if exists + include if exists } diff --git a/apparmor.d/wget b/apparmor.d/wget index 1c171cef..257f7b5e 100644 --- a/apparmor.d/wget +++ b/apparmor.d/wget @@ -9,23 +9,29 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/wget profile wget @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include # For downloading files as root to user owned dirs capability dac_read_search, capability dac_override, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, /etc/wgetrc r, @@ -38,5 +44,5 @@ profile wget @{exec_path} { owner /var/cache/google-android-build-tools-*-installer/build-tools_*-linux.zip w, owner /var/cache/google-android-platform-*-installer/platform-*.zip w, - #include if exists + include if exists } diff --git a/apparmor.d/whdd b/apparmor.d/whdd index c18aac1c..d45ea8d9 100644 --- a/apparmor.d/whdd +++ b/apparmor.d/whdd @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/whdd profile whdd @{exec_path} { - #include + include capability sys_rawio, capability sys_admin, 
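Review bot: The five `network` rules added to the wget profile come without a comment, and `network netlink raw,` is the broad one: AppArmor's rule syntax has no netlink-family qualifier as far as I know, so it grants NETLINK_AUDIT and NETLINK_ROUTE alike, which is more than a downloader needs if the real reason is glibc's getaddrinfo() interface enumeration. The include targets are not visible in this rendering, so if the profile already pulls in the nameservice abstraction, check whether the 3.0 abstraction supplies these rules and drop the duplicates. Otherwise a short `# HTTP(S)/FTP transfers; netlink for getaddrinfo() interface enumeration` next to them documents the intent.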
@@ -38,5 +38,5 @@ profile whdd @{exec_path} { /dev/sd[a-z] rw, - #include if exists + include if exists } diff --git a/apparmor.d/whiptail b/apparmor.d/whiptail index 6d7d8f8b..c947bb02 100644 --- a/apparmor.d/whiptail +++ b/apparmor.d/whiptail @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/whiptail profile whiptail @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} mr, owner /tmp/gpm* w, - #include if exists + include if exists } diff --git a/apparmor.d/who b/apparmor.d/who index e4ac4f6f..adfe1ac9 100644 --- a/apparmor.d/who +++ b/apparmor.d/who @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/who profile who @{exec_path} { - #include - #include - #include + include + include + include capability kill, @{exec_path} mr, - #include if exists + include if exists } diff --git a/apparmor.d/wireshark b/apparmor.d/wireshark index 2a905e31..9999baa5 100644 --- a/apparmor.d/wireshark +++ b/apparmor.d/wireshark @@ -10,28 +10,28 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # pcap pcapng @{wireshark_ext} = [pP][cC][aA][pP]{,[nN][gG]} @{exec_path} = /{usr/,}bin/wireshark profile wireshark @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include + include signal (send) peer=dumpcap, @@ -95,8 +95,8 @@ profile wireshark @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -112,5 +112,5 @@ profile wireshark @{exec_path} { } - #include if exists + include if exists } 
diff --git a/apparmor.d/wmctrl b/apparmor.d/wmctrl index b6e301db..58da5bc1 100644 --- a/apparmor.d/wmctrl +++ b/apparmor.d/wmctrl @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/wmctrl profile wmctrl @{exec_path} { - #include - #include + include + include @{exec_path} mr, owner @{HOME}/.Xauthority r, - #include if exists + include if exists } diff --git a/apparmor.d/wpa-gui b/apparmor.d/wpa-gui index b7662a8a..fa2641f3 100644 --- a/apparmor.d/wpa-gui +++ b/apparmor.d/wpa-gui @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/wpa_gui profile wpa-gui @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -45,5 +45,5 @@ profile wpa-gui @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/wpa-supplicant b/apparmor.d/wpa-supplicant index 37cec03f..06cd2331 100644 --- a/apparmor.d/wpa-supplicant +++ b/apparmor.d/wpa-supplicant @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/wpa_supplicant profile wpa-supplicant @{exec_path} { - #include - #include - #include + include + include + include # To remove the following errors: # wpa_supplicant[]: wlan0: Failed to initialize driver interface @@ -35,6 +35,9 @@ profile wpa-supplicant @{exec_path} { capability fsetid, audit deny capability sys_module, + network packet raw, + network packet dgram, + @{exec_path} mr, owner @{run}/wpa_supplicant/ rw, 
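Review bot: `network packet raw,` and `network packet dgram,` are added to wpa-supplicant without a comment; AF_PACKET gives the process raw access to every frame on the interface, the same primitive a sniffer uses, so a one-line justification such as `# EAPOL (802.1X) frames are exchanged over AF_PACKET` would tell the next reader why a supplicant needs it and that it is not leftover debugging. The profile's other network rules lie outside this hunk, so I cannot tell whether `network netlink raw,` for nl80211 is already present.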
@@ -54,5 +57,5 @@ profile wpa-supplicant @{exec_path} { #/etc/wpa_supplicant/wpa_supplicant.conf w, #/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw, - #include if exists + include if exists } diff --git a/apparmor.d/wpa_cli b/apparmor.d/wpa_cli index a9fadcfb..8f03fda0 100644 --- a/apparmor.d/wpa_cli +++ b/apparmor.d/wpa_cli @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/wpa_cli profile wpa_cli @{exec_path} { - #include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile wpa_cli @{exec_path} { owner @{HOME}/.wpa_cli_history rw, owner @{HOME}/.wpa_cli_history-[0-9]*.tmp rw, - #include if exists + include if exists } diff --git a/apparmor.d/wrmsr b/apparmor.d/wrmsr index c2112242..302e1db9 100644 --- a/apparmor.d/wrmsr +++ b/apparmor.d/wrmsr @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}sbin/wrmsr profile wrmsr @{exec_path} flags=(complain) { - #include + include # To access /dev/cpu/*/msr . capability sys_rawio, @@ -24,5 +24,5 @@ profile wrmsr @{exec_path} flags=(complain) { owner /dev/cpu/[0-9]*/msr w, - #include if exists + include if exists } diff --git a/apparmor.d/x11-xsession b/apparmor.d/x11-xsession index 80c3f97f..37efad08 100644 --- a/apparmor.d/x11-xsession +++ b/apparmor.d/x11-xsession @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /etc/X11/Xsession profile x11-xsession @{exec_path} { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, @@ -66,7 +66,7 @@ profile x11-xsession @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -81,7 +81,7 @@ profile x11-xsession @{exec_path} { } profile dbus { - #include + include /{usr/,}bin/dbus-update-activation-environment mr, 
@@ -91,7 +91,7 @@ profile x11-xsession @{exec_path} { } profile gpg { - #include + include /{usr/,}bin/gpgconf mr, @@ -105,7 +105,7 @@ profile x11-xsession @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, @@ -128,5 +128,5 @@ profile x11-xsession @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/xarchiver b/apparmor.d/xarchiver index 9b369e08..0d41058d 100644 --- a/apparmor.d/xarchiver +++ b/apparmor.d/xarchiver @@ -9,21 +9,21 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xarchiver profile xarchiver @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include @{exec_path} mrix, @@ -81,8 +81,8 @@ profile xarchiver @{exec_path} { profile open { - #include - #include + include + include /{usr/,}bin/xdg-open mr, @@ -102,5 +102,5 @@ profile xarchiver @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/xauth b/apparmor.d/xauth index 914e3afb..00193783 100644 --- a/apparmor.d/xauth +++ b/apparmor.d/xauth @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xauth profile xauth @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -31,5 +31,5 @@ profile xauth @{exec_path} { owner /tmp/serverauth.*-n rw, owner /tmp/serverauth.* rwl -> /tmp/serverauth.*-n, - #include if exists + include if exists } diff --git a/apparmor.d/xautolock b/apparmor.d/xautolock index aa0d2178..9ccb2d96 100644 --- a/apparmor.d/xautolock +++ b/apparmor.d/xautolock 
@@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xautolock profile xautolock @{exec_path} { - #include + include @{exec_path} mr, @@ -34,5 +34,5 @@ profile xautolock @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/xbacklight b/apparmor.d/xbacklight index 0545df97..973e2b97 100644 --- a/apparmor.d/xbacklight +++ b/apparmor.d/xbacklight @@ -9,18 +9,18 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xbacklight profile xbacklight @{exec_path} { - #include - #include + include + include @{exec_path} mr, owner @{HOME}/.Xauthority r, - #include if exists + include if exists } diff --git a/apparmor.d/xdg-desktop-menu b/apparmor.d/xdg-desktop-menu index 87fdce01..68a5c3a5 100644 --- a/apparmor.d/xdg-desktop-menu +++ b/apparmor.d/xdg-desktop-menu @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-desktop-menu profile xdg-desktop-menu @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, @@ -49,5 +49,5 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) { /usr/share/applications/defaults.list r, /usr/share/applications/defaults.list.new w, - #include if exists + include if exists } diff --git a/apparmor.d/xdg-email b/apparmor.d/xdg-email index ec88d475..76cfcd81 100644 --- a/apparmor.d/xdg-email +++ b/apparmor.d/xdg-email 
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-email profile xdg-email @{exec_path} flags=(complain) { - #include - #include + include + include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - #include if exists + include if exists } diff --git a/apparmor.d/xdg-icon-resource b/apparmor.d/xdg-icon-resource index 72016d29..03270d2a 100644 --- a/apparmor.d/xdg-icon-resource +++ b/apparmor.d/xdg-icon-resource @@ -9,16 +9,16 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-icon-resource profile xdg-icon-resource @{exec_path} flags=(complain) { - #include - #include - #include - #include + include + include + include + include @{exec_path} r, @@ -46,5 +46,5 @@ profile xdg-icon-resource @{exec_path} flags=(complain) { owner @{HOME}/.local/share/icons/**/.xdg-icon-resource-dummy rw, /opt/**/*.png r, - #include if exists + include if exists } diff --git a/apparmor.d/xdg-mime b/apparmor.d/xdg-mime index 227b68ca..677ab6d4 100644 --- a/apparmor.d/xdg-mime +++ b/apparmor.d/xdg-mime @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-mime profile xdg-mime @{exec_path} { - #include - #include + include + include @{exec_path} r, @@ -53,13 +53,16 @@ profile xdg-mime @{exec_path} { owner @{run}/user/[0-9]*/ r, + # For shell pwd + owner @{HOME}/ r, + # file_inherit /media/** rw, - profile dbus { - #include - #include + profile dbus flags=(complain) { + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -71,5 +74,5 @@ profile xdg-mime @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/xdg-open b/apparmor.d/xdg-open index 01995998..36f94000 100644 --- a/apparmor.d/xdg-open +++ b/apparmor.d/xdg-open 
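Review bot: `profile dbus flags=(complain)` demotes the xdg-mime child profile that wraps `dbus-launch`/`dbus-send` to complain mode, so its rules now only log while the parent `xdg-mime` profile stays enforcing, and the commit message does not say why. If this is to collect missing rules, mark it as temporary, e.g. `# TODO: complain while collecting dbus-launch/dbus-send denials; re-enforce once the rules are complete`; if it is meant to stay, the reason belongs in a comment, because an unenforced child is an easy gap to overlook later.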
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-open profile xdg-open @{exec_path} { - #include - #include + include + include @{exec_path} r, @@ -59,8 +59,8 @@ profile xdg-open @{exec_path} { profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -72,5 +72,5 @@ profile xdg-open @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/xdg-screensaver b/apparmor.d/xdg-screensaver index 05384ade..327fb2d1 100644 --- a/apparmor.d/xdg-screensaver +++ b/apparmor.d/xdg-screensaver @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-screensaver profile xdg-screensaver @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} r, @@ -53,8 +53,8 @@ profile xdg-screensaver @{exec_path} { profile xautolock { - #include - #include + include + include /{usr/,}bin/xautolock mr, @@ -66,8 +66,8 @@ profile xdg-screensaver @{exec_path} { } profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-send mr, @@ -76,5 +76,5 @@ profile xdg-screensaver @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/xdg-settings b/apparmor.d/xdg-settings index 1c2e2cd0..7e008bff 100644 --- a/apparmor.d/xdg-settings +++ b/apparmor.d/xdg-settings @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdg-settings profile xdg-settings @{exec_path} { - #include - #include + include + include @{exec_path} r, @@ -48,7 +48,6 @@ profile xdg-settings @{exec_path} { /{usr/,}bin/xprop rPx, /{usr/,}bin/xdg-mime rPx, - owner @{PROC}/@{pid}/fd/ r, /etc/xdg/xfce4/helpers.rc r, 
@@ -59,10 +58,15 @@ profile xdg-settings @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + # For shell pwd + owner @{HOME}/ r, + + @{run}/user/[0-9]*/ r, + profile dbus { - #include - #include + include + include /{usr/,}bin/dbus-launch mr, /{usr/,}bin/dbus-send mr, @@ -74,5 +78,5 @@ profile xdg-settings @{exec_path} { @{HOME}/.Xauthority r, } - #include if exists + include if exists } diff --git a/apparmor.d/xdpyinfo b/apparmor.d/xdpyinfo index 30adae51..b38cf415 100644 --- a/apparmor.d/xdpyinfo +++ b/apparmor.d/xdpyinfo @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xdpyinfo profile xdpyinfo @{exec_path} { - #include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile xdpyinfo @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xfce4-notifyd b/apparmor.d/xfce4-notifyd index cf9d4ba9..974a25b8 100644 --- a/apparmor.d/xfce4-notifyd +++ b/apparmor.d/xfce4-notifyd @@ -9,22 +9,22 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/xfce4/notifyd/xfce4-notifyd profile xfce4-notifyd @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include @{exec_path} mr, @@ -38,5 +38,5 @@ profile xfce4-notifyd @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/xfconfd b/apparmor.d/xfconfd index 21a1f02c..96a73c71 100644 --- a/apparmor.d/xfconfd +++ b/apparmor.d/xfconfd 
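Review bot: The added `@{run}/user/[0-9]*/ r,` has no `owner` qualifier, whereas the equivalent rule in the xdg-mime profile in this same patch is `owner @{run}/user/[0-9]*/ r,` and the `owner @{HOME}/ r,` added two lines above is owner-restricted; as written it lets xdg-settings list any user's XDG runtime directory. `owner @{run}/user/[0-9]*/ r,` matches the sibling profile and is all a process needs for its own session. The xdg-settings profile body continues outside this hunk.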
@@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd profile xfconfd @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -26,5 +26,5 @@ profile xfconfd @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xhost b/apparmor.d/xhost index 5cbcee52..4e234d0e 100644 --- a/apparmor.d/xhost +++ b/apparmor.d/xhost @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xhost profile xhost @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -27,5 +27,5 @@ profile xhost @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xinit b/apparmor.d/xinit index c5fcc2e1..a0cbdb73 100644 --- a/apparmor.d/xinit +++ b/apparmor.d/xinit @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xinit profile xinit @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -79,7 +79,7 @@ profile xinit @{exec_path} { profile run-parts { - #include + include /{usr/,}bin/run-parts mr, @@ -93,7 +93,7 @@ profile xinit @{exec_path} { } profile gpg { - #include + include /{usr/,}bin/gpgconf mr, @@ -111,7 +111,7 @@ profile xinit @{exec_path} { } profile udevadm { - #include + include /{usr/,}bin/udevadm mr, @@ -138,5 +138,5 @@ profile xinit @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/xinput b/apparmor.d/xinput index 81231e0d..a634bc82 100644 --- a/apparmor.d/xinput +++ b/apparmor.d/xinput 
@@ -9,18 +9,17 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xinput profile xinput @{exec_path} { - #include - #include + include @{exec_path} mr, owner @{HOME}/.Xauthority r, - #include if exists + include if exists } diff --git a/apparmor.d/xkbcomp b/apparmor.d/xkbcomp index cbbeb17c..a2a95c4e 100644 --- a/apparmor.d/xkbcomp +++ b/apparmor.d/xkbcomp @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xkbcomp profile xkbcomp @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -38,5 +38,5 @@ profile xkbcomp @{exec_path} { owner /var/log/lightdm/x-[0-9]*.log w, /dev/dri/card[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/xorg b/apparmor.d/xorg index 928535da..41b47597 100644 --- a/apparmor.d/xorg +++ b/apparmor.d/xorg @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # The attach_disconnected flag is needed when xserver is started via startx, or the mouse/keyboard # won't work. @@ -23,13 +23,13 @@ @{exec_path} += /{usr/,}bin/Xorg @{exec_path} += /{usr/,}lib/xorg/Xorg profile xorg @{exec_path} flags=(attach_disconnected) { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include ##include # When the Xserver is started via startx as a regular user, there's no need for any of the @@ -65,6 +65,8 @@ profile xorg @{exec_path} flags=(attach_disconnected) { signal (receive) peer=sddm, signal (receive) peer=xinit, + network netlink raw, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, 
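Review bot: In the xinput hunk two `#include` lines are replaced by a single `include` (old count 18, new 17), so one abstraction is dropped from the profile rather than converted, and neither the hunk nor the commit subject ("update profiles for apparmor3") explains the removal. If the dropped abstraction was redundant with the remaining one, a one-line comment such as `# dropped <ABSTRACTION-NAME>: <REASON>` above the include would record that; otherwise the removal belongs in its own commit so that any new denials for xinput can be traced to it. The include targets are not visible in this rendering, so I cannot tell which abstraction went away.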
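Review bot: The new `network netlink raw,` in the xorg hunk (`@@ -65,6 +65,8 @@`) carries no comment saying which component needs a raw netlink socket, unlike the `signal (receive)` rules beside it that name their peers. The usual consumer in an X server is libudev's uevent monitor for input-device hotplug, but that is an inference from the code base, not from this hunk; a comment such as `# netlink raw: udev device monitor (libudev uevents) — confirm` would let the next maintainer tighten or drop the rule. The xorg profile body continues outside this hunk.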
@@ -157,5 +159,5 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /usr/share/glvnd/egl_vendor.d/ r, /usr/share/glvnd/egl_vendor.d/[0-9][0-9]_*.json r, - #include if exists + include if exists } diff --git a/apparmor.d/xprop b/apparmor.d/xprop index 32ce6044..7ff5fcd9 100644 --- a/apparmor.d/xprop +++ b/apparmor.d/xprop @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xprop profile xprop @{exec_path} { - #include + include @{exec_path} mr, @@ -28,5 +28,5 @@ profile xprop @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xrandr b/apparmor.d/xrandr index a4bc6352..24952b6b 100644 --- a/apparmor.d/xrandr +++ b/apparmor.d/xrandr @@ -9,13 +9,13 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xrandr profile xrandr @{exec_path} { - #include + include @{exec_path} mr, @@ -24,5 +24,5 @@ profile xrandr @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/xrdb b/apparmor.d/xrdb index 8e558219..1437614a 100644 --- a/apparmor.d/xrdb +++ b/apparmor.d/xrdb @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xrdb profile xrdb @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -43,6 +43,6 @@ profile xrdb @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xsel b/apparmor.d/xsel index 1e3d91d4..ead35e00 100644 --- a/apparmor.d/xsel +++ b/apparmor.d/xsel 
@@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xsel profile xsel @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -32,5 +32,5 @@ profile xsel @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/xset b/apparmor.d/xset index c394a82a..abd0ee04 100644 --- a/apparmor.d/xset +++ b/apparmor.d/xset @@ -9,15 +9,15 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xset profile xset @{exec_path} { - #include - #include - #include + include + include + include @{exec_path} mr, @@ -28,5 +28,5 @@ profile xset @{exec_path} { owner @{HOME}/.xsession-errors w, deny /dev/dri/card[0-9]* rw, - #include if exists + include if exists } diff --git a/apparmor.d/xsetroot b/apparmor.d/xsetroot index 2cfb417a..2d226a3a 100644 --- a/apparmor.d/xsetroot +++ b/apparmor.d/xsetroot @@ -9,14 +9,14 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/xsetroot profile xsetroot @{exec_path} { - #include - #include + include + include @{exec_path} mr, @@ -29,5 +29,5 @@ profile xsetroot @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - #include if exists + include if exists } diff --git a/apparmor.d/youtube-dl b/apparmor.d/youtube-dl index 9bfa857a..0bfbe2d9 100644 --- a/apparmor.d/youtube-dl +++ b/apparmor.d/youtube-dl @@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, 
@@ -47,21 +47,27 @@ @{exec_path} = /{usr/,}bin/youtube-dl profile youtube-dl @{exec_path} { - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include + include + include + include + include + include signal (receive) set=(term, kill) peer=mpv, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -92,5 +98,5 @@ profile youtube-dl @{exec_path} { /{usr/,}bin/ffmpeg rPUx, /{usr/,}bin/ffprobe rPUx, - #include if exists + include if exists } diff --git a/apparmor.d/youtube-viewer b/apparmor.d/youtube-viewer index 78501f64..aab58fc6 100644 --- a/apparmor.d/youtube-viewer +++ b/apparmor.d/youtube-viewer @@ -9,22 +9,28 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/youtube-viewer profile youtube-viewer @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include signal (receive) set=(hup, winch) peer=gtk-youtube-viewer//xterm, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} r, /{usr/,}bin/perl r, @@ -49,11 +55,11 @@ profile youtube-viewer @{exec_path} { profile wget { - #include - #include - #include - #include - #include + include + include + include + include + include signal (receive) set=(hup, winch) peer=gtk-youtube-viewer//xterm, @@ -66,5 +72,5 @@ profile youtube-viewer @{exec_path} { } - #include if exists + include if exists } diff --git a/apparmor.d/ytdl b/apparmor.d/ytdl index 19de628e..fdd9d91e 100644 --- a/apparmor.d/ytdl +++ b/apparmor.d/ytdl 
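Review bot: The five `network` rules added to the youtube-dl profile have no comment explaining why each family is needed, and the same undocumented block is repeated verbatim in the youtube-viewer hunk below and in the ytdl hunk on the next line; inet/inet6 stream and dgram are self-explanatory for HTTPS and DNS, but `network netlink raw,` is not. In glibc, getaddrinfo() opens a raw NETLINK_ROUTE socket to learn which address families are configured, which is presumably what triggers the denial here; a comment like `# netlink raw: getaddrinfo() interface lookup` above each block would record that. The youtube-viewer `wget` child profile receives no network rules in this commit, so whether the download it performs is covered depends on its included abstractions, which are not shown here — worth confirming. All three enclosing profiles continue outside their hunks.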
@@ -9,9 +9,9 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include # Video/audio extensions: # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, @@ -47,12 +47,18 @@ @{exec_path} = /{usr/,}bin/ytdl profile ytdl @{exec_path} { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -75,5 +81,5 @@ profile ytdl @{exec_path} { # Needed when displaying info on available formats owner @{HOME}/.cache/youtube-dl/youtube-sigfuncs/js*.json r, - #include if exists + include if exists } diff --git a/apparmor.d/zenmap b/apparmor.d/zenmap index d7f07bd3..69c6ac58 100644 --- a/apparmor.d/zenmap +++ b/apparmor.d/zenmap @@ -9,19 +9,19 @@ # # ------------------------------------------------------------------ -#abi , +abi , -#include +include @{exec_path} = /{usr/,}bin/{zenmap,nmapfe} profile zenmap @{exec_path} { - #include - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include + include signal (send) set=(term, kill) peer=nmap, @@ -46,5 +46,5 @@ profile zenmap @{exec_path} { owner /tmp/* rw, owner /tmp/zenmap-stdout-* rw, - #include if exists + include if exists }