From 8730c09b96620e60e14e5554ea5094974ef0c65b Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 1 Oct 2024 17:43:54 +0100 Subject: [PATCH] feat(profile): general update. --- apparmor.d/groups/browsers/firefox-glxtest | 2 + apparmor.d/groups/browsers/firefox-vaapitest | 1 + apparmor.d/groups/bus/ibus-portal | 1 + apparmor.d/groups/bus/ibus-x11 | 1 + apparmor.d/groups/children/child-open-strict | 4 +- apparmor.d/groups/children/child-pager | 2 +- apparmor.d/groups/freedesktop/cpupower | 1 - .../freedesktop/xdg-desktop-portal-gnome | 1 + apparmor.d/groups/freedesktop/xorg | 9 ++++- apparmor.d/groups/gnome/gdm-generate-config | 9 +---- apparmor.d/groups/gnome/gio-launch-desktop | 2 + apparmor.d/groups/gnome/gnome-clocks | 2 + apparmor.d/groups/gnome/gnome-shell | 10 +++-- apparmor.d/groups/gnome/yelp | 1 + apparmor.d/groups/pacman/makepkg | 9 +++-- .../pacman/pacman-hook-gtk4-querymodules | 1 + apparmor.d/groups/pacman/pacman-key | 5 ++- apparmor.d/groups/pacman/reflector | 3 +- apparmor.d/groups/ssh/ssh-agent | 4 +- apparmor.d/groups/systemd/systemd-sleep | 1 - .../groups/virt/cockpit-certificate-helper | 18 ++++----- apparmor.d/groups/virt/containerd | 5 +-- apparmor.d/groups/virt/dockerd | 37 +++++++++++-------- apparmor.d/profiles-a-f/aa-enforce | 2 +- apparmor.d/profiles-a-f/aa-log | 2 + apparmor.d/profiles-a-f/aa-notify | 10 +++-- apparmor.d/profiles-a-f/chronyd | 3 +- apparmor.d/profiles-a-f/discord | 11 ++++-- apparmor.d/profiles-a-f/element-desktop | 4 +- apparmor.d/profiles-a-f/file-roller | 2 + apparmor.d/profiles-a-f/flatpak | 2 +- .../profiles-a-f/flatpak-session-helper | 2 + apparmor.d/profiles-a-f/foliate | 3 ++ apparmor.d/profiles-g-l/gajim | 14 ++++--- apparmor.d/profiles-g-l/gio-querymodules | 1 + apparmor.d/profiles-g-l/keepassxc | 3 +- apparmor.d/profiles-m-r/ntfs-3g | 19 +++++----- apparmor.d/profiles-m-r/pass | 8 ++-- apparmor.d/profiles-m-r/passwd | 2 +- apparmor.d/profiles-m-r/protonmail | 3 +- apparmor.d/profiles-m-r/rpi-imager | 22 +++-------- .../signal-desktop-chrome-sandbox | 1 - 
apparmor.d/profiles-s-z/snapd | 2 + apparmor.d/profiles-s-z/steam | 12 ++---- apparmor.d/profiles-s-z/steam-game-proton | 1 + apparmor.d/profiles-s-z/steam-runtime | 4 +- .../profiles-s-z/steam-runtime-steam-remote | 2 +- 47 files changed, 146 insertions(+), 118 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 02bbb92a..7a63d82e 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -29,6 +29,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, + include if exists } diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 785a7f54..603b7a5d 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -25,6 +25,7 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) { deny @{config_dirs}/firefox/*/.parentlock rw, deny @{config_dirs}/firefox/*/startupCache/** r, deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 9c779eb7..ea3d7a7a 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -28,6 +28,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 066adc05..fbb92496 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 
@@ -33,6 +33,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index cea3dc5e..f5d0d8ca 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -15,8 +15,8 @@ profile child-open-strict { include include - @{browsers_path} rPx, - @{file_explorers_path} rPx, + @{browsers_path} Px, + @{file_explorers_path} Px, include if exists include if exists diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index 45ac2516..504a3fb0 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -14,7 +14,7 @@ abi , include @{exec_path} = @{bin}/pager @{bin}/less @{bin}/more -profile child-pager { +profile child-pager flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower index 58d4f0e8..2022a208 100644 --- a/apparmor.d/groups/freedesktop/cpupower +++ b/apparmor.d/groups/freedesktop/cpupower @@ -40,7 +40,6 @@ profile cpupower @{exec_path} { /dev/cpu/@{int}/msr r, - profile kmod { include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 02cf99b0..8184ffbd 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -11,6 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 5797f27b..6be9e212 100644 
--- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -49,7 +49,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/xkbcomp rPx, - @{bin}/pkexec rPx, + @{bin}/pkexec rCx -> pkexec, @{lib}/xorg/ r, @{lib}/xorg/modules/ r, @@ -136,6 +136,13 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, /dev/vga_arbiter rw, # Graphic card modules + profile pkexec { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index db1c43d8..d9e121c4 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -23,7 +23,7 @@ profile gdm-generate-config @{exec_path} { @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rCx -> pgrep, + @{bin}/pgrep rix, @{bin}/pkill rix, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -46,13 +46,6 @@ profile gdm-generate-config @{exec_path} { @{PROC}/@{pid}/stat r, @{PROC}/uptime r, - profile pgrep { - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 639b7a14..4e953996 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -23,6 +23,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 5ebd08e5..d8f77070 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -13,6 +13,8 @@ profile gnome-clocks @{exec_path} { include include include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 04f90e33..0fd0d1e8 100644 
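Review bot: The new `profile pkexec { ... }` child in the second xorg hunk consists only of include lines whose targets did not survive this rendering, so the patch does not show which rules the setuid-root pkexec helper gets now that `@{bin}/pkexec` no longer transitions to the standalone pkexec profile via `rPx`. A one-line comment above `profile pkexec {` saying why xorg needs a private child profile instead of the system one, and which abstraction supplies the access pkexec requires, would make that reviewable, e.g. `# pkexec confined in a child scoped to what xorg invokes; see included abstractions`. The `rCx` transition keeps the exec environment scrubbed, so the remaining question is only whether the child is broad or narrow enough, which cannot be judged from this hunk.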
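Review bot: Changing `@{bin}/pgrep` from `rCx -> pgrep` to `rix` in the first gdm-generate-config hunk, together with deleting the `profile pgrep` child in the second, runs pgrep with the full permissions of gdm-generate-config instead of a dedicated narrower set, which is a widening. A short comment on the new line would tell the next reader why the child profile was dropped, e.g. `@{bin}/pgrep rix, # inherits: only needs the @{PROC} reads this profile already grants`, if that is indeed the reason. The enclosing profile body continues outside both hunks.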
--- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -163,6 +163,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=Introspect peer=(name=org.freedesktop.DBus, label=dbus-session), + dbus send bus=session path=/org/gnome/*/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + peer=(name=@{busname}), + @{exec_path} mr, @{bin}/unzip rix, @@ -280,7 +284,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} r, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, /tmp/.X@{int}-lock rw, @@ -343,6 +347,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, @{PROC}/ r, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/net/* r, @{PROC}/1/cgroup r, @@ -350,8 +356,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, @{PROC}/vmstat r, - owner @{PROC}/@{pid}/attr/current r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index fe9123e5..e10c0cc2 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/yelp @{bin}/gnome-help profile yelp @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 4ccb1088..2c72da3b 100644 --- a/apparmor.d/groups/pacman/makepkg 
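Review bot: In the third and fourth gnome-shell hunks `@{PROC}/@{pid}/attr/current r` and `@{PROC}/@{pid}/cgroup r` lose their `owner` qualifier, so gnome-shell may now read the confinement label and cgroup of any process, not only its own. If that is intended (presumably to identify windows of other confined applications — verify), a comment on the new lines such as `# label/cgroup of other processes, needed to match app windows` would record it; otherwise `owner` should stay. The `/dev/shm/.org.chromium.Chromium.@{rand6}` change from `r` to `rw` in the second hunk is a similar widening that deserves a word.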
+++ b/apparmor.d/groups/pacman/makepkg @@ -11,15 +11,15 @@ profile makepkg @{exec_path} { include include - signal send set=winch peer=pacman, - signal send set=winch peer=pacman//systemctl, - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + signal send set=winch peer=pacman, + signal send set=winch peer=pacman//systemctl, + file, @{bin}/gpg{,2} Cx -> gpg, @@ -74,6 +74,9 @@ profile makepkg @{exec_path} { ptrace read, + signal send set=winch peer=pacman, + signal send set=winch peer=pacman//systemctl, + @{bin}/pacman Px, include if exists diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules index aae81662..54a00250 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules +++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/gtk4-querymodules profile pacman-hook-gtk4-querymodules @{exec_path} { include + include capability dac_read_search, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 0375c786..a8fb360c 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -65,9 +65,10 @@ profile pacman-key @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw, - /dev/pts/@{int} rw, - /dev/tty@{int} rw, + /dev/pts/@{int} rw, + /dev/tty@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/groups/pacman/reflector b/apparmor.d/groups/pacman/reflector index 7b277fb3..135a5bdf 100644 --- a/apparmor.d/groups/pacman/reflector +++ b/apparmor.d/groups/pacman/reflector 
@@ -29,9 +29,10 @@ profile reflector @{exec_path} flags=(attach_disconnected) { /etc/xdg/reflector/reflector.conf r, /etc/pacman.d/mirrorlist rw, - owner @{user_cache_dirs}/mirrorstatus.json rw, /var/cache/reflector/mirrorstatus.json rw, + owner @{user_cache_dirs}/mirrorstatus.json r, + @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index d6dc9044..174efb5a 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -25,8 +25,8 @@ profile ssh-agent @{exec_path} { owner @{HOME}/.xsession-errors w, owner @{user_projects_dirs}/**/ssh/{,*} r, - owner @{tmp}/ssh-*/ rw, - owner @{tmp}/ssh-*/agent.* rw, + owner @{tmp}/ssh-@{rand12}/ rw, + owner @{tmp}/ssh-@{rand12}/agent.@{int} rw, owner @{run}/user/@{uid}/keyring/.ssh rw, owner @{run}/user/@{uid}/openssh_agent rw, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index a17c1363..a683e3a7 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -31,7 +31,6 @@ profile systemd-sleep @{exec_path} { @{sys}/power/state rw, - include if exists } diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index 042c9cda..01d23171 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -13,15 +13,15 @@ profile cockpit-certificate-helper @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/chmod rix, - @{bin}/id rix, - @{bin}/mkdir rix, - @{bin}/mv rix, - @{bin}/openssl rix, - @{bin}/rm rix, - @{bin}/sscg rix, - @{bin}/tr rix, + @{sh_path} rix, + @{bin}/chmod rix, + @{bin}/id rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/openssl rix, + @{bin}/rm rix, + @{bin}/sscg rix, + @{bin}/tr rix, /etc/machine-id r, /etc/cockpit/ws-certs.d/* w, 
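Review bot: `@{PROC}/1/environ r` grants reflector read access to PID 1's environment, a sensitive file that can carry secrets on some systems, and nothing in the hunk says what reflector needs from it. A comment on that line giving the reason (presumably an init-system detection in reflector or a Python dependency — verify) would let a reviewer judge whether a narrower path would serve instead. The `owner @{user_cache_dirs}/mirrorstatus.json` change from `rw` to `r` reads as a deliberate tightening and is fine.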
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 9ae6596e..18224022 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -47,7 +47,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/apparmor_parser rPx, - @{bin}/containerd-shim-runc-v2 rPUx, + @{bin}/containerd-shim-runc-v2 rPx, @{bin}/kmod rPx, @{bin}/unpigz rPUx, /{usr/,}{local/,}{s,}bin/zfs rPx, @@ -71,8 +71,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl, /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl, - /var/lib/containerd/{,**} rwk, - /var/lib/containerd/tmpmounts/containerd-mount@{int}/** l, + /var/lib/containerd/{,**} rwlk, /var/lib/docker/containerd/{,**} rwk, /var/lib/kubelet/seccomp/{,**} r, /var/lib/security-profiles-operator/{,**} r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 9e17f678..def1d76b 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd 
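Review bot: The second containerd hunk folds `/var/lib/containerd/tmpmounts/containerd-mount@{int}/** l` into `/var/lib/containerd/{,**} rwlk`, which extends link permission from the temporary mount directories to the whole containerd state tree. If the wider `l` is needed (for instance if a snapshotter hard-links elsewhere under that tree), a comment naming the directories that require it would justify the change; otherwise keeping the narrow `l` rule next to the `rwk` rule preserves the previous scope. The `rPUx` to `rPx` change for `containerd-shim-runc-v2` is a tightening that depends on the shim profile being present, which this patch does not show.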
@@ -27,19 +27,22 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, network inet dgram, - network inet6 dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, - mount /tmp/containerd-mount@{int}/, - mount /var/lib/docker/buildkit/**/, - mount /var/lib/docker/overlay2/**/, - mount /var/lib/docker/tmp/buildkit-mount@{int}/, - mount options=(rw, bind) -> /run/docker/netns/*, - mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, - mount options=(rw, rprivate) -> /.pivot_root@{int}/, - mount options=(rw, rslave) -> /, + mount /tmp/containerd-mount@{int}/, + mount /var/lib/docker/buildkit/**/, + mount /var/lib/docker/overlay2/**/, + mount /var/lib/docker/tmp/buildkit-mount@{int}/, + mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/, + mount options=(rw bind) -> /run/docker/netns/*, + mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, + mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/, + mount options=(rw rprivate) -> /.pivot_root@{int}/, + mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/, + mount options=(rw rslave) -> /, remount /tmp/containerd-mount@{int10}/, remount /var/lib/docker/tmp/buildkit-mount@{int10}/, 
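Review bot: The new `mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/` rule uses `**/` for the rootfs destination, while the sibling overlay mount, the `rprivate` rule and the new `pivot_root` rule in the following hunk all pin the rootfs directory to `/var/lib/docker/rootfs/overlayfs/@{hex64}/`. Using the same prefix here, `mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/@{hex64}/**/,`, and in the `umount /var/lib/docker/rootfs/**/` line of the next hunk, would keep the rootfs rules equally tight and consistent. The trailing `-` in the `volumes/**/-` source also looks unusual next to the other paths and may be a rendering artefact of this page; worth confirming against the file.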
@@ -48,18 +51,20 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { umount /run/docker/netns/*, umount /tmp/containerd-mount@{int}/, umount /var/lib/docker/buildkit/**/, + umount /var/lib/docker/rootfs/**/, umount /var/lib/docker/overlay*/**/, umount /var/lib/docker/tmp/buildkit-mount@{int}/, - pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, - pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, + pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, + pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/, + pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, - ptrace (read) peer=docker-*, - ptrace (read) peer=unconfined, + ptrace read peer=docker-*, + ptrace read peer=unconfined, - signal (send) set=int peer=docker-proxy, - signal (send) set=kill peer=docker-*, - signal (send) set=term peer=containerd, + signal send set=int peer=docker-proxy, + signal send set=kill peer=docker-*, + signal send set=term peer=containerd, @{exec_path} mrix, diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index 30c03508..5f00f838 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -33,7 +33,7 @@ profile aa-enforce @{exec_path} { owner @{tmp}/@{rand8} rw, owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, - @{PROC}/@{pid}/fd r, + @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index bfd0b457..8ad4d1a2 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -27,6 +27,8 @@ profile aa-log @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/{,*} r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /dev/tty@{int} rw, include if exists 
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index f2ff96df..95d24c9e 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -18,17 +18,19 @@ profile aa-notify @{exec_path} { capability setuid, capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @{bin}/ r, - /etc/apparmor/*.conf r, - /etc/inputrc r, - /usr/etc/inputrc.keys r, /usr/share/terminfo/** r, + @{etc_ro}/inputrc r, + @{etc_ro}/inputrc.keys r, + /etc/apparmor.d/{,**} r, + /etc/apparmor/*.conf r, + /var/log/audit/audit.log r, owner @{HOME}/.inputrc r, diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index a7d265e2..79fbf8d8 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -36,7 +36,8 @@ profile chronyd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /etc/adjtime r, - /etc/chrony.* r, + /etc/chrony.conf r, + /etc/chrony.keys r, /etc/chrony.d/{,*} r, /etc/chrony/{,**} r, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index fc2aadd1..3ff222b4 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -38,14 +38,17 @@ profile discord @{exec_path} { @{open_path} rPx -> child-open-strict, + /etc/lsb-release r, + owner @{user_videos_dirs}/{,**} rwl, owner @{user_pictures_dirs}/{,**} rwl, - owner @{tmp}/net-export/ rw, - owner @{tmp}/discord.sock rw, - owner "@{tmp}/Discord Crashes/" rw, + owner @{config_dirs}/@{version}/modules/** m, - audit owner @{config_dirs}/*/modules/** rm, + owner "@{tmp}/Discord Crashes/" rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, + owner @{tmp}/discord.sock rw, + owner @{tmp}/net-export/ rw, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index b3cd7e34..e7d46f1f 100644 --- a/apparmor.d/profiles-a-f/element-desktop 
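Review bot: The replacement for `audit owner @{config_dirs}/*/modules/** rm` in the discord hunk grants only `m` on `owner @{config_dirs}/@{version}/modules/**`, dropping `r`; opening a module file for mapping normally also needs read, so unless another rule outside the hunk grants it this can surface as a new denial. If the intent was to turn the audit rule into a permanent allow, `owner @{config_dirs}/@{version}/modules/** rm,` matches the prior behaviour. I cannot confirm from the patch that `@{version}` is a declared tunable in this repository; verify it exists.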
+++ b/apparmor.d/profiles-a-f/element-desktop @@ -32,7 +32,9 @@ profile element-desktop @{exec_path} { @{sh_path} r, @{open_path} rPx -> child-open-strict, - @{bin}/xdg-settings rPx, + + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index e82f0d37..8f81ad52 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -38,6 +38,8 @@ profile file-roller @{exec_path} { @{bin}/zstd rix, @{lib}/p7zip/7z rix, + / r, + @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index f6187940..d89f8c52 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -95,7 +95,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /dev/tty rw, /dev/tty@{int} rw, - deny @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, profile gpg { include diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index 5f02a2fa..1706f4b2 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -39,6 +39,8 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app, /var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app, + owner @{user_config_dirs}/mimeapps.list w, + owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw, owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index 8498285d..3592893e 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate 
@@ -24,11 +24,14 @@ profile foliate @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=com.github.johnfactotum.Foliate + @{exec_path} mr, @{bin}/bwrap rix, @{bin}/gjs-console rix, @{bin}/xdg-dbus-proxy rix, + @{bin}/speech-dispatcher rPx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 5888743e..033f082f 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -100,15 +100,16 @@ profile gajim @{exec_path} { @{bin}/{,@{multiarch}-}ld.bfd rix, @{lib}/gcc/@{multiarch}/@{int}/collect2 rix, - owner @{tmp}/cc* rw, - owner @{tmp}/tmp* rw, + /etc/debian_version r, /media/ccache/*/** rw, + owner @{tmp}/cc* rw, + owner @{tmp}/tmp* rw, + owner @{run}/user/@{uid}/ccache-tmp/ rw, - /etc/debian_version r, - + include if exists } profile gpg { @@ -121,8 +122,8 @@ profile gajim @{exec_path} { @{bin}/gpg-agent rix, @{lib}/{,gnupg/}scdaemon rix, - owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.extra,.browser,.ssh} w, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -134,6 +135,7 @@ profile gajim @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules index 3520ec06..3f4ef7fe 100644 --- a/apparmor.d/profiles-g-l/gio-querymodules +++ b/apparmor.d/profiles-g-l/gio-querymodules 
@@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gio-querymodules profile gio-querymodules @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, capability mknod, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 96c9b6d2..c494e16d 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -18,7 +18,6 @@ profile keepassxc @{exec_path} { include include include - include include include include @@ -93,7 +92,7 @@ profile keepassxc @{exec_path} { /dev/shm/#@{int} rw, /dev/tty rw, - /dev/urandom rw, + /dev/urandom w, owner /dev/tty@{int} rw, # Silencer diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g index a7a580c4..bc2cb7ef 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/profiles-m-r/ntfs-3g @@ -22,15 +22,6 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_admin, - @{exec_path} mr, - - @{bin}/kmod rPx, # To load the fuse kernel module - - # Mount points - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/*/ r, - # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS}, mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, @@ -47,12 +38,22 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, + @{exec_path} mr, + + @{bin}/kmod rPx, # To load the fuse kernel module + + # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, /dev/fuse rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index b3c963dd..a5a46ac4 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass 
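Review bot: `/dev/urandom` goes from `rw` to `w` in the second keepassxc hunk, leaving no explicit read on a device a password manager depends on; presumably read is supplied by an included abstraction (the base abstraction usually grants it), but the include removed in the first hunk is unnamed on this rendering, so that cannot be checked here. A brief comment would stop a later cleanup from removing the read path by accident, e.g. `/dev/urandom w, # read is granted by abstractions/base`, once confirmed. Writing to `/dev/urandom` is ordinary entropy seeding and looks fine.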
@@ -60,7 +60,7 @@ profile pass @{exec_path} { /usr/share/terminfo/** r, owner @{user_password_store_dirs}/{,**} rw, - owner /dev/shm/pass.*/{,*} rw, + owner /dev/shm/pass.@{rand}/{,*} rw, @{sys}/devices/system/node/ r, @@ -90,7 +90,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/{,**/} r, - owner /dev/shm/pass.*/{,*} rw, + owner /dev/shm/pass.@{rand}/{,*} rw, deny owner @{HOME}/ r, @@ -124,7 +124,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature - owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw, + owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw, include if exists } @@ -144,7 +144,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/ rw, owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, - owner /dev/shm/pass.*/{,*} rw, + owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index f37f5651..b0e326b2 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -21,7 +21,7 @@ profile passwd @{exec_path} { capability net_admin, capability setuid, - signal (receive) set=(term, kill) peer=gnome-control-center, + signal receive set=(term kill) peer=gnome-control-center, network netlink raw, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index f6bc7e4b..e34722fb 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 curiosityseeker # SPDX-License-Identifier: GPL-2.0-only 
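Review bot: The fourth pass hunk changes `owner /dev/shm/pass.*/{,*} rw` to `owner /dev/shm/pass.@{rand}/* rw`, dropping the directory itself from the rule, while the first and second hunks keep `{,*}` for the same path. If that sub-profile never needs to create or list `pass.@{rand}/` this is fine, but a comment should say so; otherwise `owner /dev/shm/pass.@{rand}/{,*} rw,` keeps the four rules consistent. The `pass.*` to `pass.@{rand}` narrowing itself is a welcome tightening; each hunk's enclosing (sub)profile starts outside the hunk.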
@@ -28,7 +29,7 @@ profile protonmail @{exec_path} flags=(complain) { @{exec_path} mrix, @{bin}/xdg-settings Px, - @{open_path} rpx -> child-open, + @{open_path} Px -> child-open, owner @{user_config_dirs}/ibus/bus/ r, diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager index 641217f5..b341bb73 100644 --- a/apparmor.d/profiles-m-r/rpi-imager +++ b/apparmor.d/profiles-m-r/rpi-imager @@ -8,24 +8,17 @@ abi , include @{exec_path} = @{bin}/rpi-imager -profile rpi-imager @{exec_path} { +profile rpi-imager @{exec_path} flags=(complain) { include include + include include - include - include include - include - include - include - include + include include - include - include include include include - include #capability sys_admin, # deny capability sys_nice, @@ -42,18 +35,15 @@ profile rpi-imager @{exec_path} { @{bin}/lsblk rPx, /etc/fstab r, - /etc/X11/cursors/*.theme r, - /usr/share/hwdata/pnp.ids r, - /usr/share/X11/xkb/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, owner "@{user_cache_dirs}/Raspberry Pi/" rw, owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**", - owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/QtProject.conf r, + + owner "@{user_config_dirs}/Raspberry Pi/" rw, + owner "@{user_config_dirs}/Raspberry Pi/**" rwlk -> "@{user_config_dirs}/Raspberry Pi/**", owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox index 0dc19e1a..10e1de4b 100644 --- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox +++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox @@ -30,5 +30,4 @@ profile signal-desktop-chrome-sandbox @{exec_path} { include if exists } - # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 672ae2f7..ae061b03 100644 
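Review bot: The first rpi-imager hunk adds `flags=(complain)` to the profile header, so every rule removed in the same patch (the dropped includes, the `/etc/X11`, `hwdata` and `xkb` reads, `owner @{user_cache_dirs}/ rw`) is from now on logged rather than enforced, which makes the rest of the reshuffle hard to judge as tightening or loosening. A one-line comment above the `profile rpi-imager` line giving the reason and the condition for returning to enforce mode would help, e.g. `# complain: profile under rework, re-enforce once logs are clean`. The rule list continues past the end of the second hunk.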
--- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -28,6 +28,7 @@ profile snapd @{exec_path} { capability dac_read_search, capability fowner, capability fsetid, + capability mac_admin, capability net_admin, capability setgid, capability setuid, @@ -153,6 +154,7 @@ profile snapd @{exec_path} { @{sys}/fs/cgroup/user.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, @{sys}/kernel/kexec_loaded r, + @{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 447ef9f1..b1dd8347 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -247,6 +247,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -254,6 +255,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability dac_override, capability dac_read_search, capability sys_chroot, @@ -304,12 +306,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner /var/cache/ldconfig/aux-cache* rw, owner /var/pressure-vessel/ldso/* rw, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{lib_dirs}/.cef-* wk, owner @{share_dirs}/{,**} r, 
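Review bot: `capability mac_admin` in the first snapd hunk lets the snapd process itself change MAC policy, a high-privilege grant given that profile loading elsewhere in this patch goes through `@{bin}/apparmor_parser rPx` under its own profile; the companion `@{sys}/kernel/security/apparmor/.notify r` in the second hunk suggests the notification interface is the reason, but the patch does not say. A comment on the capability line recording the use case, e.g. `capability mac_admin, # apparmor notification interface (.notify) — TODO confirm`, would make the grant auditable.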
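Review bot: `capability dac_override` is added in the second steam hunk, and again in steam-game-proton, with no comment; it bypasses DAC file permission checks entirely, which makes it one of the broadest grants in these profiles. If it is needed for the pressure-vessel setup the surrounding rules refer to, say so on the line, e.g. `capability dac_override, # pressure-vessel runtime setup — TODO record which access needs it`, so it can be revisited once the exact path is known. From the hunk header alone I cannot tell whether line 255 sits in the main steam profile or in a child profile.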
@@ -320,14 +316,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{tmp}/ r, owner @{tmp}/#@{int} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, @@ -389,7 +383,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{share_dirs}/ r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, include if exists } diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index 8f1939bd..0facb49a 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -19,6 +19,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, capability dac_read_search, network inet dgram, diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime index e0c6b146..b1fca8df 100644 --- a/apparmor.d/profiles-s-z/steam-runtime +++ b/apparmor.d/profiles-s-z/steam-runtime 
@@ -41,9 +41,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{app_dirs}/@{runtime}/*entry-point rmix, @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-* rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton, @{app_dirs}/@{runtime}/run rix, @{bin}/bwrap rpx -> steam-game-proton, diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/profiles-s-z/steam-runtime-steam-remote index 1a6dd406..c962f61e 100644 --- a/apparmor.d/profiles-s-z/steam-runtime-steam-remote +++ b/apparmor.d/profiles-s-z/steam-runtime-steam-remote @@ -18,7 +18,7 @@ profile steam-runtime-steam-remote @{exec_path} flags=(complain) { @{exec_path} mr, - @{runtime_dirs}/** rm, + @{runtime_dirs}/** mr, owner @{HOME}/.steam/steam.pipe rw,
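Review bot: Collapsing the three explicit `steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs`, `-detect-*` and `-inspect-library` rules into `@{multiarch}-* rix` lets any current or future tool in that directory run with the steam-runtime profile's permissions. If the tool set is open-ended that is a reasonable trade, but a comment such as `# all per-arch steam-runtime-tools helpers run inherited` on the new line would record that the widening is deliberate rather than a convenience.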