diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app
index 9a7d2557..1561e82c 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@@ -12,9 +12,10 @@
 # some applications, flatpak needs write access to the sandbox content. This is
 # done through bwrap and therefore in this profile.
 #
-# 1. All of this will have to be improved. However, as of today, it is the only way
-# to not break some (major) flatpak app.
-# 2. It is not a big deal as flatpak is responsible for the sandbox anyway. This this only defence in depth.
+# 1. All of this will have to be improved. However, as of today, it is the only
+# way to not break some (major) flatpak app.
+# 2. It is not a big deal as flatpak is responsible for the sandbox anyway.
+# This this only defence in depth.
 # 3. The main purpose of this profile is to ensure all processes are confined.
 abi ,
@@ -29,8 +30,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 capability dac_override,
 capability dac_read_search,
- # When bwrap is setup with setuid privileges, it needs the setuid capability.
- capability setuid,
+ capability setuid, # Needed when bwrap is setup with setuid privileges.
 capability sys_resource,
 network inet dgram,
@@ -69,6 +69,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 /app/.ref k,
 /app/extra/** rw,
+ /app/lib/** rk,
 /bindfile@{rand6} rw,
 /var/lib/flatpak/app/{,**} r,
diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper
index 18db61d3..02dcab0f 100644
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
@@ -20,7 +20,10 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ @{sh_path} rix,
 @{bin}/dbus-monitor rPUx,
+ @{bin}/flatpak rPx,
+ @{bin}/ps rPx,
 @{bin}/p11-kit rix,
 @{bin}/pkexec rPx,
 @{lib}/p11-kit/p11-kit-remote rix,
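Review bot: The new `/app/lib/** rk,` rule carries no comment saying which application needed it, and a `k` (file lock) permission on a library tree is unusual enough that the reason should be recorded, e.g. `/app/lib/** rk, # Needed by <app name, TODO>`. If the sandboxed application itself runs under this profile rather than only bwrap, the shared objects under /app/lib also have to be mapped executable, which `r` alone does not allow; unless an existing rule outside this hunk already grants `m` on /app/**, the rule probably wants to be `/app/lib/** mrk,`. The enclosing profile starts outside the hunk.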
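Review bot: `@{sh_path} rix,` lets the helper run a shell that inherits this whole profile, so everything that shell launches is governed by the exec rules listed here rather than by a shell-specific profile; the rule should carry a comment naming the invocation that needs it, e.g. `@{sh_path} rix, # Runs <script, TODO> for <reason, TODO>`. The new `@{bin}/flatpak rPx,` and `@{bin}/ps rPx,` transitions only succeed if profiles named `flatpak` and `ps` are shipped and loaded (the exec is denied otherwise); neither file is part of this diff, so that is worth confirming. As a point of style, `@{bin}/ps` is inserted before `@{bin}/p11-kit` and `@{bin}/pkexec`, breaking the alphabetical order the surrounding rules follow. The enclosing profile starts outside the hunk.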
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index c29fe621..5bf664b8 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@@ -50,7 +50,7 @@ profile flatpak-system-helper @{exec_path} {
 @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
-
+
 profile gpg {
 include
 include
@@ -68,6 +68,7 @@ profile flatpak-system-helper @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-a-f/flatpak-validate-icon b/apparmor.d/profiles-a-f/flatpak-validate-icon
new file mode 100644
index 00000000..c5ca0488
--- /dev/null
+++ b/apparmor.d/profiles-a-f/flatpak-validate-icon
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+abi ,
+include
+@{exec_path} = @{lib}/flatpak-validate-icon
+profile flatpak-validate-icon @{exec_path} {
+ include
+ @{exec_path} mr,
+ include if exists
+}
\ No newline at end of file
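Review bot: The new flatpak-validate-icon profile grants only `@{exec_path} mr,` on top of the included abstractions, so the icon it is asked to validate can only be reached if flatpak hands it over as an inherited file descriptor; if the helper instead opens the icon by path, a read rule for that location is missing and the tool will be denied before it does any work, so the invocation should be checked and the result noted in a comment on the rule. The profile only takes effect if the caller transitions into it, which requires a `@{lib}/flatpak-validate-icon rPx,` rule in the flatpak profile; that file is not part of this diff and should be verified separately. The file also ends without a trailing newline (`\ No newline at end of file`); add one.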