diff --git a/apparmor.d/abstractions/bwrap-app b/apparmor.d/abstractions/bwrap-app
index d8cb1739..2ee1bc2c 100644
--- a/apparmor.d/abstractions/bwrap-app
+++ b/apparmor.d/abstractions/bwrap-app
@@ -17,6 +17,7 @@
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
   include <abstractions/gnome-strict>
+  include <abstractions/gstreamer>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
   include <abstractions/opencl-intel>
diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email
index d30b4fe5..b4074eec 100644
--- a/apparmor.d/groups/freedesktop/xdg-email
+++ b/apparmor.d/groups/freedesktop/xdg-email
@@ -23,6 +23,8 @@ profile xdg-email @{exec_path} flags=(complain) {
   @{bin}/which       rix,
   @{bin}/xdg-mime    rPx,
 
+  @{thunderbird_path} rPx,
+
   owner /dev/tty@{int} rw,
 
   include if exists <local/xdg-email>
diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider
index bdaeaad5..cd4dad7c 100644
--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
@@ -36,6 +36,9 @@ profile epiphany-search-provider @{exec_path} {
   owner @{user_cache_dirs}/epiphany/{,**} rwk,
   owner @{user_share_dirs}/epiphany/{,**} rwk,
 
+  owner /tmp/ContentRuleList@{rand6} rw,
+  owner /tmp/Serialized* rw, 
+
   @{sys}/devices/virtual/dmi/id/chassis_type r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
 
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index 61864255..43655f24 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -65,8 +65,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   @{run}/gdm{3,}/gdm.pid rw,
   @{run}/gdm{3,}/greeter/ rw,
   @{run}/systemd/seats/seat@{int} r,
-  @{run}/systemd/sessions/*     r,
-  @{run}/systemd/sessions/*.ref r,
+  @{run}/systemd/sessions/* r,
   @{run}/systemd/users/@{uid} r,
 
   @{run}/udev/data/+drm:card[0-9]-* r,    # for screen outputs
diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config
index 7c677974..d4adac0c 100644
--- a/apparmor.d/groups/gnome/gdm-generate-config
+++ b/apparmor.d/groups/gnome/gdm-generate-config
@@ -31,6 +31,9 @@ profile gdm-generate-config @{exec_path} {
   /var/lib/ r,
   /var/lib/gdm{3,}/{,**} r,
 
+  /var/lib/gdm{3,}/greeter-dconf-defaults rw,
+  /var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w,
+
   @{PROC}/ r,
   @{PROC}/@{pid}/cgroup  r,
   @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts
index c4758b1e..34bc3731 100644
--- a/apparmor.d/groups/gnome/gnome-contacts
+++ b/apparmor.d/groups/gnome/gnome-contacts
@@ -9,6 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/gnome-contacts
 profile gnome-contacts @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/dconf-write>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
@@ -23,9 +27,12 @@ profile gnome-contacts @{exec_path} {
 
   network netlink raw,
 
-  @{exec_path} mr,
+  # dbus: own bus=session name=org.gnome.Contacts
 
-  /usr/share/applications/{,*.desktop} r,
+  # dbus: talk bus=session name=org.gnome.evolution.dataserver.AddressBookFactory label=evolution-addressbook-factory
+  # dbus: talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry
+
+  @{exec_path} mr,
 
   owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
   owner @{user_config_dirs}/gnome-contacts/{,**} rw,
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index 9bc85d0a..b3b2c1a2 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -9,8 +9,9 @@ include <tunables/global>
 @{exec_path} = @{bin}/bootctl
 profile bootctl @{exec_path} {
   include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/consoles>
   include <abstractions/disks-read>
+  include <abstractions/systemd-common>
 
   capability mknod,
   capability net_admin,
@@ -42,7 +43,7 @@ profile bootctl @{exec_path} {
 
   @{run}/host/container-manager r,
 
-  @{sys}//class/tpmrm/ r,
+  @{sys}/class/tpmrm/ r,
 
   @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
   @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
@@ -68,8 +69,8 @@ profile bootctl @{exec_path} {
   @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
   @{sys}/firmware/efi/fw_platform_size r,
 
- owner @{PROC}/@{pid}/cgroup r,
        @{PROC}/sys/kernel/random/poolsize r,
+ owner @{PROC}/@{pid}/cgroup r,
 
   # Inherit silencer
   deny network inet6 stream,
diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked
index 00a47e23..d356dc4b 100644
--- a/apparmor.d/groups/ubuntu/package-system-locked
+++ b/apparmor.d/groups/ubuntu/package-system-locked
@@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
   network inet dgram,
   network inet6 dgram,
 
-  # mqueue read type=posix /,
+  # mqueue r type=posix /,
 
   ptrace (read),
 
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 1aba1ca8..1511c568 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -40,6 +40,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  @{bin}/{,ba,da}sh               rix,
   @{bin}/dpkg                     rPx -> child-dpkg,
   @{bin}/hwe-support-status       rPx,
   @{bin}/ischroot                 rix,
@@ -56,6 +57,8 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
   /usr/share/X11/{,**} r,
 
   /etc/gtk-3.0/settings.ini r,
+  /etc/pulse/client.conf r,
+  /etc/pulse/client.conf.d/{,**} r,
   /etc/update-manager/{,**} r,
 
   /boot/ r,
@@ -68,6 +71,11 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 
   owner @{user_cache_dirs}/update-manager-core/{,**} rw,
 
+  owner @{user_config_dirs}/pulse/cookie rk,
+
+  owner @{run}/user/@{uid}/pulse/ r,
+  owner @{run}/user/@{uid}/pulse/native rw,
+
   @{run}/systemd/inhibit/*.ref w,
 
   owner @{PROC}/@{pid}/fd/ r,
@@ -75,6 +83,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
         @{PROC}/@{pids}/mountinfo r,
 
   /dev/ptmx rw,
+  /dev/shm/ r,
 
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus
index 6acfa4e3..a6848b7d 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/profiles-a-f/cups-notifier-dbus
@@ -10,6 +10,7 @@ include <tunables/global>
 profile cups-notifier-dbus @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
+  include <abstractions/nameservice-strict>
 
   signal (receive) set=(term) peer=cupsd,
 
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 8216ccbc..f61edf84 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -20,7 +20,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   capability setgid,
   capability setuid,
 
-  unix (receive) type=stream,
+  deny unix (receive) type=stream,
 
   @{exec_path} rm,
 
@@ -56,7 +56,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   @{bin}/{,g,m}awk  rix,
   @{bin}/update-secureboot-policy rPUx,
 
-  @{lib}/gcc/@{multiarch}/@{int}*/*             rix,
+  @{lib}/gcc/@{multiarch}/@{int}*/*            rix,
   @{lib}/linux-kbuild-*/scripts/**             rix,
   @{lib}/linux-kbuild-*/tools/objtool/objtool  rix,
   @{lib}/llvm-[0-9]*/bin/clang                 rix,
@@ -81,28 +81,28 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   /etc/dkms/{,**} r,
 
   # For building module in /usr/src/ subdirs
+  /usr/include/**.h r,
   /usr/src/ r,
   /usr/src/** rw,
-  /usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr,
   /usr/src/linux-headers-*/scripts/**              rix,
+  /usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr,
   /usr/src/linux-headers-*/tools/**                rix,
-  /usr/include/**.h r,
 
   # For autosign modules
-  owner /etc/kernel_key/sign-kernel.sh rix,
-  owner /etc/kernel_key/*.key r,
   owner /etc/kernel_key/*.crt r,
+  owner /etc/kernel_key/*.key r,
+  owner /etc/kernel_key/sign-kernel.sh rix,
 
   owner @{HOME}/ r,
 
+  owner /tmp/* rw,
   owner /tmp/cc* rw,
   owner /tmp/dkms.*/ rw,
-  owner /tmp/tmp.* rw,
   owner /tmp/sh-thd.* rw,
-  owner /tmp/* rw,
+  owner /tmp/tmp.* rw,
 
-  owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/sys/kernel/osrelease r,
+  owner @{PROC}/@{pid}/fd/ r,
 
   # Inherit silencer
   deny /apparmor/.null rw,
@@ -125,7 +125,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 
     owner /tmp/tmp.* r,
 
-    # Inherit silencer
     deny /apparmor/.null rw,
 
     include if exists <local/dkms_kmod>
diff --git a/apparmor.d/profiles-a-f/fzsftp b/apparmor.d/profiles-a-f/fzsftp
deleted file mode 100644
index 8d66f6c8..00000000
--- a/apparmor.d/profiles-a-f/fzsftp
+++ /dev/null
@@ -1,42 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/fzsftp
-profile fzsftp @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/consoles>
-  include <abstractions/nameservice>
-
-  signal (receive) set=(term, kill) peer=filezilla,
-
-  # Needed?
-  deny ptrace (trace),
-
-  @{exec_path} mr,
-
-  @{bin}/{,ba,da}sh mrix,
-  @{bin}/ps          rix,
-  @{bin}/ls          rix,
-
-       @{PROC}/ r,
-       @{PROC}/uptime r,
-       @{PROC}/sys/kernel/osrelease r,
-       @{PROC}/sys/kernel/pid_max r,
-       @{PROC}/tty/drivers r,
-  deny @{PROC}/@{pids}/stat r,
-  deny @{PROC}/@{pids}/cmdline r,
-
-  /tmp/ r,
-
-  owner @{HOME}/.putty/randomseed rw,
-
-  # file_inherit
-  #deny @{user_cache_dirs}/filezilla/** rw,
-
-  include if exists <local/fzsftp>
-}
diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop
index f5f461f2..7c60a23a 100644
--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@@ -35,7 +35,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
   @{sys}/bus/ r,
   @{sys}/class/ r,
   @{sys}/class/drm/ r,
-  @{sys}/devices/@{pci}/drm/card@{int}/gt_cur_freq_mhz r,
+  @{sys}/devices/@{pci}/drm/card@{int}/gt_*_freq_mhz r,
   @{sys}/devices/@{pci}/enable r,
   @{sys}/devices/system/node/node@{int}/cpumap r,
 
@@ -51,7 +51,8 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
   /dev/char/@{dynamic}:@{int} w,  # For dynamic assignment range 234 to 254, 384 to 511
 
   /dev/dri/ r,
-  /dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,
+  /dev/nvidia-caps/ rw,
+  /dev/nvidia-caps/nvidia-cap@{int} rw,
 
   include if exists <local/nvtop>
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index d4491ca8..449c6913 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/pass
 profile pass @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
@@ -69,8 +70,9 @@ profile pass @{exec_path} {
 
   profile editor {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
+    include <abstractions/consoles>
     include <abstractions/fzf>
+    include <abstractions/nameservice-strict>
 
     @{bin}/vim{,.*} mrix,
 
@@ -95,6 +97,7 @@ profile pass @{exec_path} {
 
   profile git {
     include <abstractions/base>
+    include <abstractions/consoles>
     include <abstractions/nameservice-strict>
     include <abstractions/openssl>
     include <abstractions/ssl_certs>
@@ -129,6 +132,7 @@ profile pass @{exec_path} {
 
   profile gpg {
     include <abstractions/base>
+    include <abstractions/consoles>
     include <abstractions/nameservice-strict>
 
     capability dac_read_search,
diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec
index 4f2d95c2..c4d0e962 100644
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@@ -12,7 +12,6 @@ profile pkexec @{exec_path} {
   include <abstractions/base>
   include <abstractions/authentication>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.PolicyKit1>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
@@ -32,20 +31,7 @@ profile pkexec @{exec_path} {
 
   ptrace (read),
 
-  dbus (send) bus=system path=/org/freedesktop/PolicyKit1/Authority
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*),
-
-  dbus (receive) bus=system path=/org/freedesktop/PolicyKit1*/Authority
-       interface=org.freedesktop.PolicyKit1*.Authority
-       member=Changed
-       peer=(name=:*),
-
-  dbus (receive) bus=system path=/org/freedesktop/PolicyKit1*/AuthenticationAgent
-       interface=org.freedesktop.PolicyKit1*.AuthenticationAgent
-       member=BeginAuthentication
-       peer=(name=:*),
+  # dbus: talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index 44771760..b909d6a5 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -82,7 +82,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
   @{bin}/xdg-user-dir           rix,
   @{bin}/xz                     rix,
   @{bin}/zenity                 rix,
-  @{lib}/ld-linux.so*    rix,
+  @{lib}/ld-linux.so*           rix,
 
   @{lib_dirs}/*.so*  mr,
   @{lib_dirs}/*driverquery rix,
diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths
index 00da3c8d..f93b11c3 100644
--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
@@ -2,7 +2,7 @@
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-# Define some paths for some program commonly used
+# Define some paths for some commonly used programs
 
 # Browsers
 
@@ -26,3 +26,8 @@
 @{opera_lib_dirs} = @{lib}/@{multiarch}/@{opera_name}
 @{opera_path} =  @{opera_lib_dirs}/@{opera_name}
 
+# Emails
+
+@{thunderbird_name} = thunderbird{,-bin}
+@{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name}
+@{thunderbird_path} = @{bin}/@{thunderbird_name} @{thunderbird_lib_dirs}/@{thunderbird_name}