diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open
index 7f0b7cad..c6aa55f4 100644
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@@ -18,6 +18,7 @@
 @{bin}/nautilus rPx,
 # Browsers
+ @{bin}/chromium rPx,
 @{brave_path} rPx,
 @{chrome_path} rPx,
 @{chromium_path} rPx,
diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home
index 389c0236..1f034c5b 100644
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
@@ -9,7 +9,7 @@
 # should be authorized. Meaning, you should not allow everything (or a large area)
 # and blacklist some sub area.
-# Use in this project: file browser and search engine
+# The only legitimate use in this project is for file browser and search engine.
 deny @{HOME}/.*.bak mrwkl,
 deny @{HOME}/.*.swp mrwkl,
diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict
index 1dae338c..cf9ba380 100644
--- a/apparmor.d/abstractions/nvidia-strict
+++ b/apparmor.d/abstractions/nvidia-strict
@@ -31,4 +31,6 @@
 /dev/nvidia@{int} rw,
 /dev/nvidiactl rw,
+ deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r,
+
 include if exists
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 1af82d41..670f2a52 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
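Review bot: `@{bin}/chromium rPx` is added right next to `@{chromium_path} rPx`, which presumably already names the real chromium binary, and nothing says why both are needed. A `Px` transition only succeeds when a profile is attached to that exact path, so if `@{bin}/chromium` is a distribution wrapper script the exec is refused unless the chromium profile also attaches there. Worth a comment on the new line saying which profile handles it, e.g. `@{bin}/chromium rPx, # wrapper script, attached by the chromium profile` — confirm against that profile's attachment paths.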
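Review bot: The new `deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r` in nvidia-strict carries no comment on why a gvfs-metadata tree appears under `~/.nv`; it looks like some NVIDIA component points `HOME` there, but that is inferred from the path alone. Because a `deny` in an abstraction overrides allow rules in every profile that includes it, the reason belongs inline, e.g. `deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, # noise: nvidia tools look up gvfs metadata under ~/.nv`, and it is worth confirming no including profile legitimately reads that path.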
@@ -166,31 +166,31 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 /tmp/ r,
 /var/tmp/ r,
- owner /tmp/user/@{uid}/ rw,
- owner /tmp/user/@{uid}/* rwk,
- owner /tmp/user/@{uid}/Temp-@{uuid}/ rw,
- owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,
- owner /tmp/user/@{uid}/@{name}/ rw,
- owner /tmp/user/@{uid}/@{name}/* rwk,
+ owner /tmp/.xfsm-ICE-@{rand6} rw,
 owner /tmp/@{name}/ rw,
 owner /tmp/@{name}/* rwk,
 owner /tmp/@{rand6}.tmp r,
+ owner /tmp/@{rand8}.txt w,
+ owner /tmp/* w, # file downloads (to anywhere)
 owner /tmp/firefox_*/ rw,
 owner /tmp/firefox_*/* rwk,
 owner /tmp/mozilla_*/ rw,
 owner /tmp/mozilla_*/* rw,
- owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw,
- owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k,
- owner /tmp/Mozillato-be-removed-cachePurge-??????????????? rwk,
+ owner /tmp/mozilla-temp-@{int} rw,
 owner /tmp/Mozilla@{uuid}-cachePurge-??????????????? rwk,
 owner /tmp/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk,
+ owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k,
+ owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw,
+ owner /tmp/Mozillato-be-removed-cachePurge-??????????????? rwk,
 owner /tmp/Temp-@{uuid}/{**,} rw,
- owner /tmp/mozilla-temp-@{int} rw,
- owner /tmp/@{rand8}.txt w,
 owner /tmp/tmp-???.xpi rw,
- owner /tmp/.xfsm-ICE-@{rand6} rw,
 owner /tmp/tmpaddon r,
- owner /tmp/* w, # file downloads (to anywhere)
+ owner /tmp/user/@{uid}/ rw,
+ owner /tmp/user/@{uid}/@{name}/ rw,
+ owner /tmp/user/@{uid}/@{name}/* rwk,
+ owner /tmp/user/@{uid}/* rwk,
+ owner /tmp/user/@{uid}/Temp-@{uuid}/ rw,
+ owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index a2bc2278..fc190487 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -22,6 +22,7 @@ profile pulseaudio @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 5fe4ad86..6ea00c5e 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -81,6 +81,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{bin}/startplasma-wayland rPx,
 @{bin}/startplasma-x11 rPx,
 @{bin}/systemctl rPx -> child-systemctl,
+ @{bin}/unix_chkpwd rPx,
 @{bin}/xrdb rPx,
 @{bin}/xset rPx,
 @{etc_ro}/X11/xdm/Xsession rPx,
diff --git a/apparmor.d/groups/kde/utempter b/apparmor.d/groups/kde/utempter
index a0d2b381..0f0e6055 100644
--- a/apparmor.d/groups/kde/utempter
+++ b/apparmor.d/groups/kde/utempter
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/utempter/utempter
-profile utempter @{exec_path} {
+profile utempter @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index 2600cf4c..b40ee538 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@@ -16,6 +16,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
 include
 include
+ capability net_admin,
+
 network qipcrtr dgram,
 network netlink raw,
diff --git a/apparmor.d/groups/service/init-exim4 b/apparmor.d/groups/service/init-exim4
index 1ffc8e34..99e8b8be 100644
--- a/apparmor.d/groups/service/init-exim4
+++ b/apparmor.d/groups/service/init-exim4
@@ -15,7 +15,13 @@ profile init-exim4 @{exec_path} {
 capability dac_read_search,
 capability fowner,
 capability fsetid,
+ capability kill,
 capability net_admin,
+ capability sys_ptrace,
+
+ signal (send) peer=exim4,
+
+ ptrace (read) peer=@{systemd},
 @{exec_path} mr,
@@ -45,7 +51,7 @@ profile init-exim4 @{exec_path} {
 /var/lib/exim4/* rw,
- owner @{run}/exim4/{,**} rw,
+ @{run}/exim4/{,**} rw,
 include if exists
 }
\ No newline at end of file
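Review bot: `flags=(attach_disconnected)` is added to the utempter profile line without recording which disconnected object triggered it; the flag makes paths outside the current namespace match file rules as if they were rooted at `/`, so broad rules in the profile can start matching objects they were not written for. Put the reason on the profile line so the flag can be re-evaluated later, e.g. `profile utempter @{exec_path} flags=(attach_disconnected) { # attach_disconnected: <path from the audit denial>` with the actual path filled in from the log.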
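Review bot: `signal (send) peer=exim4` grants every signal, and `capability sys_ptrace` together with `ptrace (read) peer=@{systemd}` grants read-mode ptrace on what is presumably PID 1 — the widest of the new rules, with no comment on what needs them. If the init script only stops and reloads the daemon, narrow the signal rule to the set it actually sends, e.g. `signal (send) set=(term hup) peer=exim4,` — confirm the signals from the script. For the ptrace pair, note which `/proc` read under the systemd process requires it (likely an init-system detection) so that `sys_ptrace` can be dropped if a narrower file rule turns out to be enough.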
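Review bot: Dropping `owner` from `@{run}/exim4/{,**} rw` lets the init script write every file under the run directory regardless of which user created it, and the hunk does not say what denial motivated it. If the cause is that exim4 drops to its service user and so the pid file is no longer root-owned, keep `owner @{run}/exim4/{,**} rw,` and add a second non-owner rule for just that file's path taken from the denial, with a comment naming the owner mismatch. Unrelated to the rule itself, the file still ends without a trailing newline (`\ No newline at end of file`), which this commit could have fixed while touching the last line.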
diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer
index 94d3169c..46d4552a 100644
--- a/apparmor.d/profiles-a-f/evince-thumbnailer
+++ b/apparmor.d/profiles-a-f/evince-thumbnailer
@@ -7,10 +7,16 @@ abi ,
 include
 @{exec_path} = @{bin}/evince-thumbnailer
-profile evince-thumbnailer @{exec_path} {
+profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) {
 include
 @{exec_path} mr,
+ /usr/share/mime/mime.cache r,
+ /usr/share/poppler/{,**} r,
+
+ owner /tmp/gnome-desktop-file-to-thumbnail.pdf r,
+ owner /tmp/gnome-desktop-thumbnailer.png w,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4
index 96f970fd..f558212a 100644
--- a/apparmor.d/profiles-a-f/exim4
+++ b/apparmor.d/profiles-a-f/exim4
@@ -30,6 +30,8 @@ profile exim4 @{exec_path} {
 network inet6 stream,
 network netlink raw,
+ signal (receive) peer=init-exim4,
+
 @{exec_path} mrix,
 /etc/email-addresses r,
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop
index e5430e96..87851156 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@@ -36,7 +36,7 @@ profile htop @{exec_path} {
 owner @{user_config_dirs}/ rw,
 owner @{user_config_dirs}/htop/ rw,
- owner @{user_config_dirs}/htop/htoprc rw,
+ owner @{user_config_dirs}/htop/* rw,
 owner @{PROC}/@{pid}/smaps_rollup r,
diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui
index 53a57767..4bcd4bb4 100644
--- a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui
+++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui
@@ -6,11 +6,13 @@ abi ,
 include
-@{exec_path} = @{lib}/snapd/snapd-aa-prompt-ui
+@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}
+
+@{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui
 profile snapd-aa-prompt-ui @{exec_path} {
 include
- @{exec_path} mr,
+ @{exec_path} mrix,
 /snap/snapd/@{int}@{lib}/snapd/info r,
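Review bot: The fixed names `/tmp/gnome-desktop-file-to-thumbnail.pdf` and `/tmp/gnome-desktop-thumbnailer.png`, together with the new `attach_disconnected` flag, look like the private `/tmp` of gnome-desktop's bwrap thumbnailer sandbox rather than the host's shared `/tmp`, but the hunk does not say so. On a shared `/tmp` a predictable name is exactly what `owner` is there to defend, and a thumbnailer is fed untrusted documents, so a reader will ask why a fixed path is allowed; a one-line comment above the two rules, such as `# Paths inside gnome-desktop's bwrap sandbox, where /tmp is a private tmpfs`, settles it — confirm that this is how the thumbnailer is launched. The same comment can name the disconnected path that motivated the flag, and the file still ends without a trailing newline.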
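Review bot: `signal (receive) peer=init-exim4` accepts every signal from the init script's profile, which is wider than a stop or reload needs. If the sending side is restricted to the signals the script actually uses, mirror the same set here, e.g. `signal (receive) set=(term hup) peer=init-exim4,` — confirm the exact signals from the script before narrowing.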
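Review bot: `owner @{user_config_dirs}/htop/* rw` replaces the single `htoprc` entry with every file in the directory but does not say which additional file htop writes. If it is a temporary file written and then renamed over `htoprc`, either list that name explicitly from the denial log or keep the glob with a justification, e.g. `owner @{user_config_dirs}/htop/* rw, # htoprc and the temporary copy written before rename` — confirm the file name rather than guessing. `*` does not descend into subdirectories, so the widening is bounded, but the reason should still be on record.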