diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
index bf2eb41d..2f64f26c 100644
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -10,27 +10,45 @@ include <tunables/global>
 profile apport-gtk @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dconf-write>
+  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+  include <abstractions/python>
 
   capability sys_ptrace,
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/killall5  rix,
-  /{usr/,}bin/{,ba,da}sh    rix,
-  /{usr/,}bin/apt-cache     rPx,
-  /{usr/,}bin/cut           rix,
-  /{usr/,}bin/dpkg          rPx,
-  /{usr/,}bin/gdb           rCx -> gdb,
-  /{usr/,}bin/grep          rix,
-  /{usr/,}bin/gsettings     rPx,
-  /{usr/,}bin/journalctl    rPx,
-  /{usr/,}bin/kmod          rPx,
-  /{usr/,}bin/ldd           rix,
-  /{usr/,}bin/lsb_release   rPx -> lsb_release,
-  /{usr/,}bin/md5sum        rix,
+  /{usr/,}{s,}bin/killall5          rix,
+  /{usr/,}bin/{,ba,da}sh            rix,
+  /{usr/,}bin/{f,}grep              rix,
+  /{usr/,}bin/cut                   rix,
+  /{usr/,}bin/ischroot              rix,
+  /{usr/,}bin/ldd                   rix,
+  /{usr/,}bin/md5sum                rix,
+  /{usr/,}bin/which{,.debianutils}  rix,
+  /{usr/,}lib/@{multiarch}/ld*.so*  rix,
+  /{usr/,}bin/dpkg-query            rpx,
+  /{usr/,}bin/pkexec                rPx, # TODO: rCx or something
+  /{usr/,}bin/apt-cache             rPx,
+  /{usr/,}bin/dpkg                  rPx,
+  /{usr/,}bin/dpkg-divert           rPx,
+  /{usr/,}bin/gdb                   rCx -> gdb,
+  /{usr/,}bin/gsettings             rPx,
+  /{usr/,}bin/journalctl            rPx,
+  /{usr/,}bin/kmod                  rPx,
+  /{usr/,}bin/lsb_release           rPx -> lsb_release,
+  /{usr/,}bin/systemctl             rPx -> child-systemctl,
 
+  /usr/share/alsa/{,**} r,
+  /usr/share/apport/{,**} r,
   /usr/share/apport/general-hooks/*.py r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/themes/{,**} r,
+  /usr/share/X11/xkb/{,**} r,
 
   /etc/apport/blacklist.d/apport r,
   /etc/apport/blacklist.d/README.blacklist r,
@@ -40,19 +58,45 @@ profile apport-gtk @{exec_path} {
   /etc/default/apport r,
   /etc/init.d/apport r,
   /etc/logrotate.d/apport r,
+  /etc/xdg/autostart/*.desktop r,
 
+  /var/crash/{,*.@{uid}.crash} r,
+  /var/lib/dpkg/info/ r,
   /var/lib/dpkg/info/*.md5sums r,
   /var/log/installer/media-info r,
 
+  owner @{run}/user/@{uid}/wayland-[0-9] rw,
+
+  /tmp/[a-z0-9]* rw,
+  /tmp/apport_core_* rw,
+  /tmp/launchpadlib.cache.[a-z0-9]*/ w,
+  /tmp/tmp[a-z0-9]*/{,**} rw,
+
   owner @{PROC}/@{pid}/cgroup r,
         @{PROC}/ r,
-        @{PROC}/@{pids}/fd/  r,
         @{PROC}/@{pids}/cmdline r,
+        @{PROC}/@{pids}/fd/  r,
         @{PROC}/@{pids}/stat r,
+        @{PROC}/modules r,
+        @{PROC}/version_signature r,
 
   profile gdb {
     include <abstractions/base>
+    include <abstractions/python>
+    include <abstractions/fonts>
+
     /{usr/,}bin/gdb mr,
+  
+    /{usr/,}bin/iconv rix,
+    /{usr/,}{s,}bin/* r,
+
+    /usr/share/gdb/{,**} r,
+
+    /etc/gdb/{,**} r,
+
+    /tmp/apport_core_* r,
+
+    @{PROC}/@{pids}/fd/ r,
 
   }
 
diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked
index 705eb72d..5ad67ae7 100644
--- a/apparmor.d/groups/ubuntu/package-system-locked
+++ b/apparmor.d/groups/ubuntu/package-system-locked
@@ -26,6 +26,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
 
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/net/unix r,
+  owner @{PROC}/@{pid}/stat r,
         @{PROC}/ r,
         @{PROC}/@{pids}/fd/ r,
         @{PROC}/@{pids}/maps r,
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 869866f3..3a947ef9 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -7,14 +7,44 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/update-manager
-profile update-manager @{exec_path} {
+profile update-manager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/apt-common>
+  include <abstractions/consoles>
+  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-strict>
+  include <abstractions/dconf-write>
   include <abstractions/fonts>
-  include <abstractions/ssl_certs>
   include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
   include <abstractions/python>
-  include <abstractions/dconf>
+  include <abstractions/ssl_certs>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+
+  dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*}
+       interface={org.debian{,.apt},org.freedesktop.DBus.{Introspectable,Properties}}
+       member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll},
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=StartServiceByName,
+
+  dbus send bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect,
+
+  dbus send bus=system path=/org/freedesktop/UPower
+       interface=org.freedesktop.DBus.Properties
+       member=Get,
+
+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=Inhibit,
 
   @{exec_path} mr,
 
@@ -28,7 +58,9 @@ profile update-manager @{exec_path} {
 
   /usr/share/applications/{,**} r,
   /usr/share/distro-info/{,**} r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/icons/{,**} r,
+  /usr/share/pixmaps/{,*} r,
   /usr/share/ubuntu-release-upgrader/{,**} r,
   /usr/share/update-manager/{,**} r,
   /usr/share/X11/{,**} r,
@@ -36,12 +68,19 @@ profile update-manager @{exec_path} {
   /etc/machine-id r,
   /etc/update-manager/{,**} r,
 
+  /boot/ r,
+
+  /var/lib/dpkg/info/*.list r,
+  /var/lib/dpkg/updates/ r,
+  /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
+  /var/lib/snapd/desktop/icons/{,*} r,
   /var/lib/update-manager/{,**} rw,
 
   owner @{user_cache_dirs}/update-manager-core/{,**} rw,
 
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
+
+  @{run}/systemd/inhibit/*.ref w,
 
   owner @{PROC}/@{pid}/fd/ r,