diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index a2582c01..00befd61 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -68,6 +68,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   /var/lib/gdm/.local/share/icc/ r,
   /var/lib/gdm/.local/share/icc/edid-*.icc r,
+  # Extra rules for Flatpak
+  /var/lib/flatpak/exports/share/dbus-1/{,**} r,
+  /var/lib/flatpak/app/**/export/share/dbus-1/services/{,**} r,
+
   /dev/dri/card[0-9]* rw,
   /dev/input/event[0-9]* rw,
diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher
index 7a053f81..65df3e06 100644
--- a/apparmor.d/groups/desktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/desktop/at-spi-bus-launcher
@@ -26,7 +26,8 @@ profile at-spi-bus-launcher @{exec_path} {
   @{exec_path} mr,
-  /{usr/,}bin/dbus-daemon rPx,
+  /{usr/,}bin/dbus-daemon rPx,
+  /{usr/,}bin/dbus-broker-launch rPUx,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/groups/desktop/colord b/apparmor.d/groups/desktop/colord
index 2ec714e3..90a0b9a7 100644
--- a/apparmor.d/groups/desktop/colord
+++ b/apparmor.d/groups/desktop/colord
@@ -18,17 +18,25 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
   /{usr/,}lib/colord/colord-sane rPx,
-  @{libexec}/colord-sane rPx,
+  @{libexec}/colord-sane rPx,
+
+  /etc/machine-id r,
+  /etc/udev/hwdb.bin r,
+
+  /usr/share/mime/mime.cache r,
+  /usr/share/color/icc/{,**} r,
   owner /var/lib/colord/** r,
   owner /var/lib/colord/.cache/ rw,
   owner /var/lib/colord/.cache/** rw,
   owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
+
+  /var/lib/flatpak/exports/share/mime/mime.cache r,
   /var/lib/gdm/.local/share/icc/edid-*.icc r,
-  /etc/udev/hwdb.bin r,
+  @{user_share_dirs}/icc/edid-*.icc r,
-  /usr/share/color/icc/{,**} r,
+  @{run}/systemd/sessions/[0-9]* r,
   @{sys}/class/drm/ r,
   @{sys}/class/video4linux/ r,
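Review bot: `/{usr/,}bin/dbus-broker-launch rPUx,` falls back to running the bus launcher unconfined whenever no dbus-broker-launch profile is loaded, while the dbus-daemon line right next to it uses `rPx` and would be denied rather than escape confinement. If this tree ships (or will ship) a dbus-broker-launch profile, `rPx` keeps both bus implementations on the same footing; if the unconfined fallback is deliberate, a comment on the line saying so would stop a later reader from tightening it blindly. The profile body continues outside the hunk.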
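Review bot: The `/etc/machine-id r,` grant added here is repeated verbatim in thirteen other profiles of this commit (gdm-wayland-session, gnome-system-monitor, gsd-print-notifications, gvfs-udisks2-volume-monitor, gvfsd-fuse, systemd-user-runtime-dir, fusermount, id, pipewire, pipewire-pulse, polkitd, wireplumber, xdg-desktop-portal) and would be easier to audit from one shared abstraction than from per-profile copies. Upstream AppArmor's dbus-strict and dbus-session-strict abstractions already grant this read, so any of these profiles that include them get a redundant rule; the include arguments are not visible in this diff, so that part is unverified. The rest of this hunk mostly moves existing rules, and the `@{libexec}/colord-sane` remove/add pair appears to be a whitespace-only change.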
@@ -39,11 +47,5 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   @{PROC}/@{pids}/cgroup r,
   @{PROC}/@{pids}/cmdline r,
-  /usr/share/mime/mime.cache r,
-
-  @{user_share_dirs}/icc/edid-*.icc r,
-
-  @{run}/systemd/sessions/[0-9]* r,
-
   include if exists
 }
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index a5a4f1a7..99feeacf 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -24,7 +24,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
-  /{usr/,}lib/gdm-session-worker rPx,
+  /{usr/,}bin/plymouth rPUx,
+  /{usr/,}lib/gdm-session-worker rPx,
   /usr/share/gdm/gdm.schemas r,
   /usr/share/wayland-sessions/*.desktop r,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index c3001161..6f569f54 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -22,6 +22,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   capability setgid,
   capability setuid,
   capability sys_nice,
+  capability sys_resource,
   capability sys_tty_config,
   signal (receive) set=term peer=gdm,
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index e8a316e5..76ead06c 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -33,8 +33,9 @@ profile gdm-wayland-session @{exec_path} {
   /{usr/,}bin/flatpak rPUx,
   /{usr/,}lib/gnome-session-binary rPx,
-  /etc/shells r,
   /etc/gdm/custom.conf r,
+  /etc/machine-id r,
+  /etc/shells r,
   /usr/share/gdm/gdm.schemas r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
index 185c67be..9cdf799c 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
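Review bot: `/{usr/,}bin/plymouth rPUx,` lets gdm, which runs as root, start plymouth unconfined whenever no plymouth profile is loaded, whereas the gdm-session-worker transition beside it uses `rPx`. If a plymouth profile exists in this tree, `rPx` is the safer choice; if it does not yet, a comment such as `# no plymouth profile yet, falls back to unconfined` would record why the weaker transition was chosen. The profile body continues beyond the hunk.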
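Review bot: `capability sys_resource,` is a broad grant (resource-limit and quota overrides, among other things) and nothing in the hunk says which operation needed it. A comment on the line naming the trigger — presumably pam_limits applying login ulimits, which is a guess from the surrounding setuid/setgid rules and should be confirmed against the logged denial — would let a later reviewer judge whether a narrower rule could cover it. The capability block starts before the hunk.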
@@ -25,6 +25,9 @@ profile gnome-control-center-print-renderer @{exec_path} {
   /usr/share/pixmaps/{,**} r,
   /usr/share/X11/xkb/** r,
+  /var/lib/flatpak/exports/share/icons/{,**} r,
+  /var/lib/flatpak/exports/share/mime/mime.cache r,
+
   owner @{user_cache_dirs}/mesa_shader_cache/index rw,
   owner @{user_share_dirs}/icons/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 2d5e59e4..8e9859bb 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -34,15 +34,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/aa-notify rPx,
   /{usr/,}bin/blueman-applet rPx,
+  /{usr/,}bin/firewall-applet rPUx,
   /{usr/,}bin/gnome-keyring-daemon rPx,
   /{usr/,}bin/gnome-shell rPx,
+  /{usr/,}bin/pkcs11-register rPx,
+  /{usr/,}bin/start-pulseaudio-x11 rPx,
   /{usr/,}bin/xbrlapi rPx,
   /{usr/,}lib/evolution-data-server/evolution-alarm-notify rPx,
   /{usr/,}lib/gsd-* rPx,
-  /{usr/,}bin/pkcs11-register rPx,
-  /{usr/,}bin/start-pulseaudio-x11 rPx,
-
   /usr/share/applications/org.gnome.Shell.desktop r,
   /usr/share/gdm/greeter-dconf-defaults r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 94c1e98a..2276d3c6 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -68,7 +68,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
   /var/lib/gdm/.config/pulse/ r,
   /var/lib/gdm/.config/pulse/client.conf r,
-  /var/lib/gdm/.config/pulse/cookie rw,
+  /var/lib/gdm/.config/pulse/cookie rwk,
   /var/lib/gdm/.local/share/applications/{,**} r,
   /var/lib/gdm/.local/share/gnome-shell/ rw,
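Review bot: `/{usr/,}bin/firewall-applet rPUx,` is the only `rPUx` entry in a list of `rPx` transitions, so a missing firewall-applet profile silently yields an unconfined child of the session manager instead of a denied exec. If that fallback is intended because no profile exists yet, a comment saying so would help; otherwise `rPx` matches the surrounding lines. The rest of this hunk only reorders existing transitions.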
@@ -106,6 +106,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+  /var/lib/flatpak/app/**/gnome-shell/{,**} r,
+  /var/lib/flatpak/exports/share/gnome-shell/{,**} r,
+
   @{run}/systemd/users/@{uid} r,
   @{run}/systemd/seats/seat[0-9]* r,
   @{run}/systemd/sessions/ r,
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index 77569d2f..53cb3202 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@@ -30,6 +30,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   /usr/share/gnome-system-monitor/{,**} r,
   /usr/share/pixmaps/{,**} r,
+  /etc/machine-id r,
+
   owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   include
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index d923d5c2..ac69f23e 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -25,6 +25,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
   /var/lib/gdm/.local/share/icc/ rw,
   /var/lib/gdm/.local/share/icc/edid-*.icc rw,
+  /var/lib/flatpak/exports/share/mime/mime.cache r,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index e47020be..4ef365b4 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -20,6 +20,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
   /{usr/,}lib/gsd-printer rPx,
+  /etc/machine-id r,
+
   owner @{PROC}/@{pid}/fd/ r,
   owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 455aad95..ba6a7975 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -35,6 +35,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
   @{run}/systemd/sessions/[0-9]* r,
   /etc/fstab r,
+  /etc/machine-id r,
   # Mount points
   @{MOUNTS}/*/ r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse
index b9309905..62248a59 100644
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@@ -37,6 +37,7 @@ profile gvfsd-fuse @{exec_path} {
   umount @{run}/user/@{uid}/**/,
   /etc/fuse.conf r,
+  /etc/machine-id r,
   /dev/fuse rw,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 409ae4cc..1f053f31 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -10,8 +10,8 @@ include
 profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   include
   include
-  include
   include
+  include
   network inet stream,
   network inet6 stream,
@@ -35,17 +35,18 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
-  /{usr/,}lib/nm-dhcp-helper rPx,
-  /{usr/,}lib/nm-dispatcher rPx,
-  /{usr/,}lib/nm-iface-helper rPx,
-  /{usr/,}lib/nm-initrd-generator rPx,
-  /{usr/,}lib/nm-openvpn-auth-dialog rPx,
-  /{usr/,}lib/nm-openvpn-service rPx,
-  /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
-
-  /{usr/,}bin/systemctl rPx -> child-systemctl,
   /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/resolvconf rPx,
+  /{usr/,}bin/systemctl rPx -> child-systemctl,
+  /{usr/,}lib/nm-dhcp-helper rPx,
+  /{usr/,}lib/nm-dispatcher rPx,
+  /{usr/,}lib/nm-iface-helper rPx,
+  /{usr/,}lib/nm-initrd-generator rPx,
+  /{usr/,}lib/nm-openvpn-auth-dialog rPx,
+  /{usr/,}lib/nm-openvpn-service rPx,
+  /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
+
   /dev/rfkill rw,
   / r,
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index cf283239..660ed2d2 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
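Review bot: `/{usr/,}bin/resolvconf rPx,` transitions into a resolvconf profile that this same commit keeps in complain mode: the debian.flags hunk drops `resolvconf complain` and the main.flags hunk re-adds it, so resolvconf is now complain-mode on every distribution rather than only on Debian. That is reasonable as a staging step, but it means denials inside resolvconf when it is invoked from NetworkManager are logged, not enforced; a comment in the resolvconf profile header stating when it is expected to move to enforce mode would make the intent visible. The rest of this hunk only reorders the existing nm-* transitions.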
@@ -34,8 +34,10 @@ profile bootctl @{exec_path} {
   /etc/machine-id r,
+  @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
   @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
+  @{sys}/firmware/dmi/entries/*/raw r,
   @{sys}/firmware/efi/efivars/ r,
   @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
   @{sys}/firmware/efi/efivars/BootOrder-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index ea82e314..6336eb9d 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -32,6 +32,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
   /var/lib/systemd/coredump/ r,
   /var/lib/systemd/coredump/** rwl,
+  /var/lib/systemd/coredump/#[0-9]* rwl,
   owner @{PROC}/@{pid}/setgroups r,
   @{PROC}/@{pids}/comm r,
diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs
index d069ae8e..01962a1d 100644
--- a/apparmor.d/groups/systemd/systemd-makefs
+++ b/apparmor.d/groups/systemd/systemd-makefs
@@ -16,6 +16,7 @@ profile systemd-makefs @{exec_path} {
   @{exec_path} mr,
   /{usr/,}{s,}bin/mkswap rPx,
+  /{usr/,}bin/mkfs.* rPx,
   @{sys}/devices/virtual/block/zram[0-9]*/ r,
   @{sys}/devices/virtual/block/zram[0-9]*/** r,
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 4fdd147a..f4578f7a 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/systemd/systemd-oomd
 profile systemd-oomd @{exec_path} {
   include
+  include
   capability dac_override,
   capability kill,
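Review bot: `/var/lib/systemd/coredump/#[0-9]* rwl,` appears to be already covered by the preceding `/var/lib/systemd/coredump/** rwl,`, since AppArmor's `**` matches any characters and has no special case for names starting with `#`. If the line was added for a specific logged denial (for example a path carrying a ` (deleted)` suffix), a comment quoting that denial would justify keeping both; otherwise the new line can be dropped.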
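Review bot: `/{usr/,}bin/mkfs.* rPx,` omits the `{s,}bin` alternation that the `mkswap` line directly above uses, so on systems where the filesystem-specific mkfs helpers live in /sbin or /usr/sbin the exec will not match this rule. `/{usr/,}{s,}bin/mkfs.* rPx,` keeps the two lines consistent. Note also that `rPx` needs a profile for every mkfs.* binary that can be reached, since a missing profile denies the exec rather than falling back.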
@@ -17,11 +18,9 @@ profile systemd-oomd @{exec_path} {
   /etc/systemd/oomd.conf r,
-  @{PROC}/1/cgroup r,
-  @{PROC}/cmdline r,
+  @{sys}/fs/cgroup/cgroup.controllers r,
+  @{PROC}/pressure/{cpu,io,memory} r,
-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/sys/kernel/random/boot_id r,
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir
index 3be09dd3..ed4f35c5 100644
--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@@ -24,6 +24,8 @@ profile systemd-user-runtime-dir @{exec_path} {
   @{exec_path} mr,
+  /etc/machine-id r,
+
   @{run}/user/@{uid}/{,**} rw,
   @{PROC}/1/environ r,
diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator
index ea8cba12..8ca0cfc3 100644
--- a/apparmor.d/groups/systemd/zram-generator
+++ b/apparmor.d/groups/systemd/zram-generator
@@ -18,12 +18,15 @@ profile zram-generator @{exec_path} {
   /etc/systemd/zram-generator.conf r,
-  @{sys}/devices/virtual/block/zram[0-9]*/{disksize,reset} rw,
+  @{sys}/devices/virtual/block/zram[0-9]*/{disksize,reset,comp_algorithm} rw,
   @{sys}/block/zram[0-9]*/{disksize,reset} rw,
-  owner @{run}/systemd/generator/systemd-zram-setup@zram[0-9]*.service.d/{,*.conf} rw,
+  owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw,
   owner @{run}/systemd/generator/dev-zram[0-9]*.swap rw,
   owner @{run}/systemd/generator/swap.target.wants/{,dev-zram[0-9]*.swap} rw,
+  owner @{run}/systemd/generator/systemd-zram-setup@zram[0-9]*.service.d/{,*.conf} rw,
+
+  @{PROC}/crypto r,
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index 3ca1d49e..46e6ae2d 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
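Review bot: `owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw,` hard-codes one machine's mount-point name; zram-generator writes a `.mount` unit for whatever `mount-point=` a user configures, so this rule only fits a `/var/cache/makepkg` setup and every other configuration will hit a denial on its own generated unit. A pattern such as `owner @{run}/systemd/generator/{,*/}*.mount rw,` covers the generated units generically, and a comment noting that zram-generator emits these units would explain the write access. The hunk also shows the file still ends without a trailing newline, which this change could have fixed while touching the end of the profile.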
@@ -18,6 +18,8 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
   /etc/apparmor.d/{,**} r,
   /etc/apparmor.d/cache.d/{,**} rw,
+  /usr/share/apparmor/{,**} r,
+
   owner /var/cache/apparmor/{,**} rw,
   owner /var/lib/docker/tmp/docker-default[0-9]* r,
diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg
index f29127dc..55963c46 100644
--- a/apparmor.d/profiles-a-f/firecfg
+++ b/apparmor.d/profiles-a-f/firecfg
@@ -32,7 +32,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
   /usr/share/applications/*.desktop r,
   @{user_share_dirs}/applications/ r,
-  @{user_share_dirs}/applications/*.desktop r,
+  @{user_share_dirs}/applications/*.desktop rw,
   /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount
index d4089889..bf04ed85 100644
--- a/apparmor.d/profiles-a-f/fusermount
+++ b/apparmor.d/profiles-a-f/fusermount
@@ -41,6 +41,7 @@ profile fusermount @{exec_path} {
   umount @{run}/user/@{uid}/gvfs/,
   /etc/fuse.conf r,
+  /etc/machine-id r,
   /dev/fuse rw,
diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id
index a829805f..0132cae1 100644
--- a/apparmor.d/profiles-g-l/id
+++ b/apparmor.d/profiles-g-l/id
@@ -14,5 +14,7 @@ profile id @{exec_path} {
   @{exec_path} mr,
+  /etc/machine-id r,
+
   include if exists
 }
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index 214f5e9f..50d515df 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -29,7 +29,10 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
   unix (receive) type=stream,
-  @{exec_path} mr,
+  @{exec_path} mrix,
+
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/sysctl rPx,
   /{usr/,}lib/modprobe.d/{,*.conf} r,
   /etc/modprobe.d/{,*.conf} r,
diff --git a/apparmor.d/profiles-m-r/pipewire b/apparmor.d/profiles-m-r/pipewire
index 31a96761..3fef3593 100644
--- a/apparmor.d/profiles-m-r/pipewire
+++ b/apparmor.d/profiles-m-r/pipewire
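Review bot: `/{usr/,}bin/{,ba,da}sh rix,` puts a shell inside the kmod profile with inherited permissions, and nothing in the hunk says why. If this is for `install`/`softdep` commands from modprobe.d — an inference from the modprobe.d rules that follow, not something the diff states — a comment such as `# modprobe.d install/softdep commands are run through sh` would make the intent clear, and it is worth remembering that everything the shell then executes must itself be listed in this profile (only `sysctl` is so far). `@{exec_path} mrix,` likewise deserves a note on why kmod re-executes itself. The profile body continues outside the hunk.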
@@ -19,8 +19,9 @@ profile pipewire @{exec_path} {
   /usr/share/pipewire/pipewire.conf r,
-  /etc/pipewire/pipewire.conf r,
+  /etc/machine-id r,
   /etc/pipewire/client.conf r,
+  /etc/pipewire/pipewire.conf r,
   owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
diff --git a/apparmor.d/profiles-m-r/pipewire-pulse b/apparmor.d/profiles-m-r/pipewire-pulse
index d0eacad3..b646f457 100644
--- a/apparmor.d/profiles-m-r/pipewire-pulse
+++ b/apparmor.d/profiles-m-r/pipewire-pulse
@@ -18,6 +18,8 @@ profile pipewire-pulse @{exec_path} {
   @{exec_path} mr,
+  /etc/machine-id r,
+
   /etc/pipewire/client.conf r,
   /etc/pipewire/pipewire-pulse.conf r,
   /usr/share/pipewire/client.conf r,
diff --git a/apparmor.d/profiles-m-r/polkitd b/apparmor.d/profiles-m-r/polkitd
index 0431f84f..41b9fa36 100644
--- a/apparmor.d/profiles-m-r/polkitd
+++ b/apparmor.d/profiles-m-r/polkitd
@@ -29,6 +29,8 @@ profile polkitd @{exec_path} {
   @{PROC}/1/environ r,
   @{PROC}/cmdline r,
+  /etc/machine-id r,
+
   # System rules
   /etc/polkit-1/rules.d/ r,
   /etc/polkit-1/rules.d/[0-9][0-9]-*.rules r,
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index 0059da5f..0cd2fe02 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -24,7 +24,7 @@ profile power-profiles-daemon @{exec_path} {
   @{sys}/class/ r,
   @{sys}/class/power_supply/ r,
   @{sys}/devices/**/power_supply/*/uevent r,
-  @{sys}/devices/system/cpu/*_pstate/no_turbo r,
+  @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r,
   @{sys}/devices/system/cpu/cpufreq/ r,
   @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/energy_performance_preference rw,
diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf
index 1c37a957..f53da15f 100644
--- a/apparmor.d/profiles-m-r/resolvconf
+++ b/apparmor.d/profiles-m-r/resolvconf
@@ -9,17 +9,22 @@ include
 @{exec_path} = /{usr/,}sbin/resolvconf
 profile resolvconf @{exec_path} {
   include
+  include
   @{exec_path} mr,
   /{usr/,}bin/{,ba,da}sh rix,
   /{usr/,}bin/cat rix,
   /{usr/,}bin/flock rix,
+  /{usr/,}bin/mkdir rix,
   /{usr/,}bin/mv rix,
   /{usr/,}bin/rm rix,
   /{usr/,}bin/run-parts rix,
   /{usr/,}bin/sed rix,
+  /usr/lib/resolvconf/{,**} r,
+
+  /etc/resolv.conf rw,
   /etc/resolvconf/update.d/libc mr,
   owner @{run}/resolvconf/{,**} rw,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index bbb42281..8033eaf9 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -20,10 +20,14 @@ profile wireplumber @{exec_path} {
   @{exec_path} mr,
+  /etc/machine-id r,
+
   /usr/share/alsa-card-profile/{,**} r,
   /usr/share/spa-*/bluez[0-9]*/{,*} r,
   /usr/share/wireplumber/{,**} r,
+  /var/lib/gdm/.local/state/wireplumber/{,**} r,
+
   owner @{HOME}/.local/state/ w,
   owner @{HOME}/.local/state/wireplumber/{,**} rw,
diff --git a/apparmor.d/profiles-s-z/xdg-dbus-proxy b/apparmor.d/profiles-s-z/xdg-dbus-proxy
index 46318030..bd89e3f9 100644
--- a/apparmor.d/profiles-s-z/xdg-dbus-proxy
+++ b/apparmor.d/profiles-s-z/xdg-dbus-proxy
@@ -16,6 +16,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) {
   owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
   owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,
+  owner @{run}/user/@{uid}/.dbus-proxy/{session,a11y}-bus-proxy-[0-9A-Z]* rw,
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal b/apparmor.d/profiles-s-z/xdg-desktop-portal
index 8861047c..aee450df 100644
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal
@@ -11,18 +11,27 @@ profile xdg-desktop-portal @{exec_path} {
   include
   include
+  capability sys_ptrace,
+
   network netlink raw,
   ptrace (read),
   @{exec_path} mr,
+  /{usr/,}lib/x r,
+
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/mime/mime.cache r,
   /usr/share/pipewire/client.conf r,
   /usr/share/xdg-desktop-portal/portals/{,*.portal} r,
+  /etc/machine-id r,
+
+  /var/lib/flatpak/exports/share/mime/mime.cache r,
+
   owner @{user_config_dirs}/user-dirs.dirs r,
+  owner @{run}/user/@{uid}/.flatpak/*/* r,
   include
   owner @{run}/user/@{uid}/dconf/ rw,
diff --git a/apparmor.d/profiles-s-z/xdg-document-portal b/apparmor.d/profiles-s-z/xdg-document-portal
index 538befb5..f125b350 100644
--- a/apparmor.d/profiles-s-z/xdg-document-portal
+++ b/apparmor.d/profiles-s-z/xdg-document-portal
@@ -14,6 +14,7 @@ profile xdg-document-portal @{exec_path} {
   /{usr/,}bin/fusermount rPx,
+  owner @{user_share_dirs}/flatpak/db/documents r,
   owner @{run}/user/@{uid}/doc/ rw,
   /dev/fuse rw,
diff --git a/apparmor.d/profiles-s-z/xdg-permission-store b/apparmor.d/profiles-s-z/xdg-permission-store
index 235b5e37..76335028 100644
--- a/apparmor.d/profiles-s-z/xdg-permission-store
+++ b/apparmor.d/profiles-s-z/xdg-permission-store
@@ -16,6 +16,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
   @{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,
+  @{user_share_dirs}/flatpak/db/background r,
   /dev/tty[0-9]* rw,
diff --git a/dists/flags/debian.flags b/dists/flags/debian.flags
index ced63b18..095eda15 100644
--- a/dists/flags/debian.flags
+++ b/dists/flags/debian.flags
@@ -16,7 +16,6 @@ dpkg-trigger complain
 dpkg-vendor complain
 ifup complain
 macchanger complain
-resolvconf complain
 run-parts complain
 unattended-upgrade complain
 unattended-upgrade-shutdown attach_disconnected,complain
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index ab29cbd5..fca2ab9e 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
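Review bot: `/{usr/,}lib/x r,` looks like a truncated path — a single-character entry directly under lib is unlike any other rule in this tree, and the rendering of this diff may have dropped part of the line — so it should be checked against the intended rule before merging. `capability sys_ptrace,` is also new and unexplained: the profile already carries `ptrace (read),`, and a comment stating which operation needed the capability (reading other processes' /proc entries is a plausible reason given the existing ptrace line, but that is an inference to confirm against the denial) would help a later audit. The profile body continues outside the hunk.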
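Review bot: `@{user_share_dirs}/flatpak/db/background r,` spells the flatpak db directory differently from the `@{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,` line directly above it, although the two variables appear to resolve to the same location; picking one spelling (`@{user_share_dirs}` is what the rest of this commit uses) and adding `owner` to both would keep the rules consistent and scoped to the user's own files. It is also worth confirming that the permission store only ever reads `background`, since the sibling `gnome` db is `rw` and a write to `background` will surface as a denial later.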
@@ -102,6 +102,7 @@ pass complain
 pass-import complain
 pinentry-gtk-2 complain
 podman attach_disconnected,complain
+resolvconf complain
 run-parts complain
 runuser complain
 s3fs complain