diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 623b1779..818ecff8 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -120,7 +120,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   /.flatpak-info r,
 
   /usr/share/pipewire/client.conf r,
-  /usr/share/xdg-desktop-portal/portals/{,*.portal} r,
+  /usr/share/xdg-desktop-portal/** r,
 
   /etc/pipewire/client.conf.d/ r,
 
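Review bot: The replacement rule `/usr/share/xdg-desktop-portal/** r,` does not match the directory entry itself, because `**` needs at least one character after the slash; other profiles in this same change spell that case as `{,**}` (for example `/var/lib/passim/{,**} r,`). If the portal enumerates the directory before opening the `.portal` files, `/usr/share/xdg-desktop-portal/{,**} r,` is the consistent form. The widening from `portals/{,*.portal}` to the whole tree is read-only under /usr/share, so the risk is low, but a short comment naming what else is read there would help the next reviewer. The enclosing profile starts outside the hunk.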
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index 69b47afe..1cacb88a 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -17,6 +17,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   capability sys_admin,
   capability sys_chroot,
 
+  network unix stream,
+
   @{exec_path} rmix,
 
   @{bin}/{,ba}sh             rix,
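Review bot: `network unix stream,` on the added line grants every unix stream socket operation (create, bind, listen, connect, send, receive), which is broader than what the rule removed in the second hunk of this file, `deny unix (receive) type=stream,`, was silencing. If the observed denial was only on receive, a fine-grained rule such as `unix (receive) type=stream,` (or `unix (send, receive) type=stream,`) keeps the profile at the same scope without opening bind/listen. Either way a one-line comment stating which helper needs the socket would record the rationale. The profile header is outside the hunk.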
@@ -117,7 +119,6 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   deny /apparmor/.null rw,
   deny network inet stream,
   deny network inet6 stream,
-  deny unix (receive) type=stream,
 
   include if exists <local/mkinitcpio>
 }
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 3f86cd7e..958f3ad4 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -159,7 +159,6 @@ profile pacman @{exec_path} {
   # Silencer, 
   deny @{HOME}/ r,
   deny /tmp/ r,
-  deny unix (receive) type=stream,
 
   profile gpg {
     include <abstractions/base>
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index 7b03073d..b2beaae9 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -27,13 +27,10 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus.Properties
        member={Get,GetAll},
 
-  dbus bind bus=system 
-       name=org.freedesktop.timedate[0-9],
+  dbus bind bus=system name=org.freedesktop.timedate[0-9],
 
   @{exec_path} mr,
 
-  /dev/rtc[0-9] r,
-
   @{etc_rw}/.#adjtime* rw,
   @{etc_rw}/adjtime rw,
 
@@ -45,5 +42,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 
   @{run}/systemd/notify rw,
 
+  /dev/rtc@{int} r,
+
   include if exists <local/systemd-timedated>
 }
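Review bot: The re-added rule `/dev/rtc@{int} r,` only matches numbered nodes, while the chronyd profile in the same change uses `/dev/rtc{,@{int}} rw,`. Since path rules apply to the resolved target, a `/dev/rtc` symlink to `rtc0` is presumably still covered, but on a static /dev where `/dev/rtc` is a plain node the rule misses it; `/dev/rtc{,@{int}} r,` keeps the two profiles consistent. The profile's closing brace is visible but its header is outside the hunk.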
diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd
index dc2cc393..01e173e3 100644
--- a/apparmor.d/profiles-a-f/chronyd
+++ b/apparmor.d/profiles-a-f/chronyd
@@ -2,6 +2,8 @@
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Based on https://salsa.debian.org/debian/chrony/-/blob/debian/latest/debian/usr.sbin.chronyd
+
 abi <abi/3.0>,
 
 include <tunables/global>
@@ -11,11 +13,16 @@ profile chronyd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
+  capability chown,
   capability dac_override,
   capability dac_read_search,
+  capability net_admin,
   capability net_bind_service,
+  capability net_raw,
   capability setgid,
   capability setuid,
+  capability sys_nice,
+  capability sys_resource,
   capability sys_time,
 
   network inet dgram,
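Review bot: The five added capabilities (`chown`, `net_admin`, `net_raw`, `sys_nice`, `sys_resource`) carry no justification, and `net_admin`/`net_raw` in particular widen the profile noticeably for a time daemon. The first hunk says the profile is now based on Debian's; if these were copied wholesale, each should be tied to a chronyd feature the package actually enables (hardware timestamping, binding to an interface, real-time scheduling, resource limits, ownership of the socket directory are the likely candidates — TODO confirm) and any unused one dropped. A one-line comment per non-obvious capability, e.g. `# net_admin: hardware timestamping (hwtimestamp directive) — confirm`, would make the next audit cheaper. The profile header is outside the hunk.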
@@ -24,14 +31,33 @@ profile chronyd @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /etc/chrony.conf r,
+  /etc/adjtime r,
+  /etc/chrony.* r,
   /etc/chrony.d/{,*} r,
+  /etc/chrony/{,**} r,
 
-  /var/lib/chrony/drift* rw,
+  /var/lib/chrony/{,*} rw,
+  /var/log/chrony/{,*} rw,
 
-  @{run}/chrony-dhcp/ r,
-  @{run}/chrony/chronyd.pid rw,
-  @{run}/chrony/chronyd.sock rw,
+  # To sign replies to MS-SNTP clients by the smbd daemon
+  /var/lib/samba/ntp_signd/socket rw,
+
+  @{run}/chrony-dhcp/{,*} r,
+  @{run}/chrony.*.sock rw,
+  @{run}/chrony/{,*} rw,
+
+  # Allow reading the chronyd configuration file that timemaster(8) generates
+  @{run}/timemaster/chrony.conf r,
+
+  # Using the “tempcomp” directive gives chronyd the ability to improve
+  # the stability and accuracy of the clock by compensating the temperature
+  # changes measured by a sensor close to the oscillator.
+  @{sys}/class/hwmon/hwmon@{int}/temp@{int}_input r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp@{int}_input r,
+
+  /dev/pps@{int} rw,
+  /dev/ptp@{int} rw,
+  /dev/rtc{,@{int}} rw,
 
   include if exists <local/chronyd>
 }
\ No newline at end of file
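Review bot: The new `/var/lib/chrony/{,*} rw,` and `/var/log/chrony/{,*} rw,` rules have no `owner` qualifier, although the `setuid`/`setgid` capabilities in the previous hunk suggest chronyd drops privileges to its own user and those directories are normally owned by it; `owner /var/lib/chrony/{,*} rw,` and `owner /var/log/chrony/{,*} rw,` would limit writes to files the daemon itself owns — worth confirming against the package's directory ownership before tightening. The `\ No newline at end of file` marker shows the file still ends without a trailing newline; add one. The profile header is outside the hunk.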
diff --git a/apparmor.d/profiles-a-f/element b/apparmor.d/profiles-a-f/element
index e3589107..1fac85f9 100644
--- a/apparmor.d/profiles-a-f/element
+++ b/apparmor.d/profiles-a-f/element
@@ -84,6 +84,8 @@ profile element @{exec_path} {
   owner @{PROC}/@{pid}/task/ r,
   owner @{PROC}/@{pid}/task/@{tid}/status r,
 
+  /dev/tty rw,
+
   deny / r,
   deny @{HOME}/ r,
   deny @{user_share_dirs}/gvfs-metadata/* r,
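Review bot: `/dev/tty rw,` added in this hunk gives the client read as well as write access to the controlling terminal. If the denial that prompted it was only for writing diagnostics to the tty, `/dev/tty w,` is the narrower rule; a short comment naming the trigger would document the choice either way. The enclosing profile starts outside the hunk.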
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate
index 83b53d68..c9783723 100644
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@@ -35,6 +35,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
   @{bin}/invoke-rc.d            rix,
   @{bin}/kill                   rix,
   @{bin}/ls                     rix,
+  @{bin}/setfacl                rix,
   @{bin}/shred                  rix,
   @{bin}/xz                     rix,
   @{bin}/zstd                   rix,
diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop
index 56fdddab..5c270a5d 100644
--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@@ -50,6 +50,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
   @{PROC}/@{pids}/stat r,
   @{PROC}/driver/nvidia/capabilities/mig/{config,monitor}  r,
 
+  /dev/char/509:@{int} w,
   /dev/dri/ r,
   /dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,
 
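Review bot: `/dev/char/509:@{int} w,` hard-codes char major 509, which appears to be a dynamically assigned major, so the value can differ between kernels and driver versions and the rule would then silently stop matching. Pair it with a comment stating the assumption, e.g. `# nvidia-caps char device; major 509 is dynamically assigned — confirm on other hosts`, and check whether the existing `/dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,` line below already covers the access the log showed. The profile header is outside the hunk.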
diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd
index 40e4d0ed..e725ecfe 100644
--- a/apparmor.d/profiles-m-r/passimd
+++ b/apparmor.d/profiles-m-r/passimd
@@ -24,8 +24,12 @@ profile passimd @{exec_path} flags=(attach_disconnected) {
 
   /usr/share/dbus-1/interfaces/org.freedesktop.Passim.xml r,
 
+  /etc/passim.conf r,
+
   /var/lib/passim/{,**} r,
   /var/lib/passim/data/{,**} rw,
 
+  @{PROC}/@{pid}/cmdline r,
+
   include if exists <local/passimd>
 }
\ No newline at end of file
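Review bot: `@{PROC}/@{pid}/cmdline r,` on the added line is not restricted with `owner`, so it lets the daemon read the command line of any process (`@{pid}` is a numeric pattern, not the profile's own pid). If passimd only reads its own cmdline — presumably, verify against the denial — `owner @{PROC}/@{pid}/cmdline r,` is the tighter form and matches how proc entries are written elsewhere in this change (`owner @{PROC}/@{pid}/task/ r,` in the element profile). The `\ No newline at end of file` marker shows the file still lacks a trailing newline. The profile header is outside the hunk.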
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 8e2f2ae9..84d34247 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -39,8 +39,8 @@ profile snapd @{exec_path} {
   network inet6 dgram,
   network netlink raw,
 
-  mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/,
-  umount /tmp/syscheck-mountpoint-[0-9]*/,
+  mount fstype=squashfs /dev/loop@{int} -> /tmp/syscheck-mountpoint-@{int}/,
+  umount /tmp/syscheck-mountpoint-@{int}/,
   umount /snap/*/*/,
 
   ptrace (read) peer=snap,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 0280c78f..c34c8de7 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -37,7 +37,7 @@ profile sudo @{exec_path} {
 
   signal (send) peer=unconfined,
   signal (send) set=(cont,hup) peer=su,
-  signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot},
+  signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot,pacman},
   signal (send,receive) peer=cockpit-bridge,
 
   dbus send bus=system path=/org/freedesktop/login[0-9]
diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest
index e5c5f9e6..7739c01e 100644
--- a/apparmor.d/profiles-s-z/thunderbird-vaapitest
+++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest
@@ -9,6 +9,7 @@ include <tunables/global>
 @{name} = thunderbird{,-bin}
 @{lib_dirs} = @{lib}/@{name}
 @{config_dirs} = @{HOME}/.@{name}/
+@{cache_dirs} = @{user_cache_dirs}/@{name}/
 
 @{exec_path} = @{lib_dirs}/vaapitest
 profile thunderbird-vaapitest @{exec_path} {
@@ -29,6 +30,7 @@ profile thunderbird-vaapitest @{exec_path} {
 
   @{sys}/devices/@{pci}/{irq,resource,revision} r,
 
+  deny @{cache_dirs}/*/startupCache/** r,
   deny @{config_dirs}/*/.parentlock rw,
   deny @{config_dirs}/*/startupCache/** r,
 
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 334a45c7..ab62573b 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -123,6 +123,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   /var/lib/udisks2/mounted-fs{,*} rw,
 
   # Be able to create/delete dirs for removable media
+  @{MOUNTDIRS}/ rw,
   @{MOUNTS}/ rw,
   @{MOUNTS}/*/ rw,
 
diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel
index 7dd95453..182a770b 100644
--- a/apparmor.d/profiles-s-z/userdel
+++ b/apparmor.d/profiles-s-z/userdel
@@ -20,10 +20,10 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
   capability fsetid,
   capability sys_ptrace,
 
-  ptrace (read),
-
   network netlink raw,
 
+  ptrace (read),
+
   @{exec_path} mr,
 
   /etc/login.defs r,
diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/profiles-s-z/usermod
index 101e26a5..39211dbc 100644
--- a/apparmor.d/profiles-s-z/usermod
+++ b/apparmor.d/profiles-s-z/usermod
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -12,31 +13,23 @@ profile usermod @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
-  # To write records to the kernel auditing log.
   capability audit_write,
-
-  # To set the right permission to the files in the /etc/ dir.
   capability chown,
-  capability fsetid,
-
-  # To read user home files and change their user/group.
-  #  usermod: Failed to change ownership of the home directory
   capability dac_read_search,
-
-  # To move user home files to a new location.
   capability fowner,
-
-  # To prevent removing a user when it's used by some process.
+  capability fsetid,
   capability sys_ptrace,
-  ptrace (read),
 
   network netlink raw,
 
+  ptrace (read),
+
   @{exec_path} mr,
 
   @{bin}/nscd rix,
 
   /etc/login.defs r,
+  /etc/subuid r,
 
   /etc/{passwd,shadow,gshadow,group} rw,
   /etc/{passwd,shadow,gshadow,group}.@{pid} w,
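Review bot: This hunk drops the per-capability rationale comments (why `audit_write`, `chown`/`fsetid`, `dac_read_search`, `fowner` and `sys_ptrace` are needed, including the `usermod: Failed to change ownership of the home directory` failure they resolved) and keeps only the bare rules. That context is hard to rediscover when someone later asks whether `capability sys_ptrace` plus `ptrace (read),` can be removed; if the project style is to avoid long comments, a single line such as `# sys_ptrace/ptrace: detect a user still in use by a running process` above those rules would preserve the intent. The profile header is outside the hunk.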
@@ -52,16 +45,14 @@ profile usermod @{exec_path} flags=(attach_disconnected) {
   # modify the /etc/passwd or /etc/shadow password database.
   /etc/.pwd.lock rwk,
 
-  /etc/subuid r,
-
-  @{PROC}/ r,
-  @{PROC}/@{pids}/task/ r,
-
   # To create and move user dirs
   @{HOME}/{,**}    rw,
   /var/            r,
   /var/lib/        r,
   /var/lib/*/{,**} rw,
 
+  @{PROC}/ r,
+  @{PROC}/@{pids}/task/ r,
+
   include if exists <local/usermod>
 }
diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc
index 28840870..cdee0d5f 100644
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@@ -21,6 +21,7 @@ profile vlc @{exec_path} {
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
   include <abstractions/ibus>
+  include <abstractions/mesa>
   include <abstractions/nameservice-strict>
   include <abstractions/opencl>
   include <abstractions/ssl_certs>
diff --git a/apparmor.d/profiles-s-z/warzone2100 b/apparmor.d/profiles-s-z/warzone2100
deleted file mode 100644
index edaedf32..00000000
--- a/apparmor.d/profiles-s-z/warzone2100
+++ /dev/null
@@ -1,48 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/warzone2100
-profile warzone2100 @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/X>
-  include <abstractions/freedesktop.org>
-  include <abstractions/vulkan>
-  include <abstractions/mesa>
-  include <abstractions/dri-enumerate>
-  include <abstractions/nameservice-strict>
-  include <abstractions/audio>
-
-  network inet dgram,
-  network inet6 dgram,
-  network inet stream,
-  network inet6 stream,
-  network netlink raw,
-
-  deny ptrace (read),
-
-  @{exec_path} mr,
-
-  @{bin}/{,ba,da}sh   rix,
-  @{bin}/which{,.debianutils}        rix,
-
-  owner @{user_share_dirs}/warzone2100-*/ rw,
-  owner @{user_share_dirs}/warzone2100-*/** rw,
-
-  # What's this for?
-  deny owner @{user_share_dirs}/applications/*.desktop w,
-
-  /usr/share/warzone2100/{,**} r,
-
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
-  deny @{PROC}/@{pids}/cmdline r,
-       @{PROC}/@{pids}/stat r,
-
-  include if exists <local/warzone2100>
-}