diff --git a/apparmor.d/abstractions/chromium-common b/apparmor.d/abstractions/chromium-common
new file mode 100644
index 00000000..81047af0
--- /dev/null
+++ b/apparmor.d/abstractions/chromium-common
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
+ # to "1".
+ capability sys_admin,
+ capability sys_chroot,
+ capability setuid,
+ capability setgid,
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/uid_map w,
+
+ /var/tmp/ r,
+ /tmp/ r,
+ owner /tmp/.org.chromium.Chromium.*/ rw,
+ owner /tmp/.org.chromium.Chromium.*/SingletonCookie w,
+ owner /tmp/.org.chromium.Chromium.*/SingletonSocket w,
+ owner /tmp/.org.chromium.Chromium.*/SS w,
+ owner /tmp/.org.chromium.Chromium.* rw,
+ owner /tmp/scoped_dir*/ rw,
+ owner /tmp/scoped_dir*/SingletonCookie w,
+ owner /tmp/scoped_dir*/SingletonSocket w,
+ owner /tmp/scoped_dir*/SS w,
+
+ /dev/shm/ r,
+ owner /dev/shm/.org.chromium.Chromium.* rw,
+
+ owner @{HOME}/.local/share/.org.chromium.Chromium.* rw,
+
+ # Should this be read-only? (##FIXME##)
+ # To remove the following error:
+ # Error initializing NSS with a persistent database
+ owner @{HOME}/.pki/ rw,
+ owner @{HOME}/.pki/nssdb/ rw,
+ owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
+ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
+ owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
diff --git a/apparmor.d/abstractions/deny-dconf b/apparmor.d/abstractions/deny-dconf
deleted file mode 100644
index 75f2d825..00000000
--- a/apparmor.d/abstractions/deny-dconf
+++ /dev/null
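Review bot: The capability block at the top of the new abstraction (`capability sys_admin,` through `owner @{PROC}/@{pid}/uid_map w,`) is handed to every profile that includes it, although the comment right above says those rules are only needed when `kernel.unprivileged_userns_clone` is set to 1; `sys_admin` is the broadest capability in the set and an includer that never creates a user namespace still carries it. Consider splitting that block into its own abstraction so profiles opt in explicitly. The `##FIXME##` on the `.pki/nssdb` rules should be settled rather than shipped as shared policy: `rwk` on `{cert9,key4}.db` lets every includer modify the user's NSS trust store, so a safer starting point is `owner @{HOME}/.pki/nssdb/{cert9,key4}.db rk,` widened only for the file a logged denial actually names.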
@@ -1,23 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- deny /etc/dconf/{,**} r,
-
- # When this is blocked, expect lots of the following errors:
- # dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
- # dconf will not work properly.
- deny owner @{run}/user/@{uid}/dconf/{,**} rw,
-
- deny owner @{user_config_dirs}/dconf/{,**} rw,
- deny owner @{user_cache_dirs}/dconf/{,**} rw,
-
- # When GSETTINGS_BACKEND=keyfile
- deny owner @{user_config_dirs}/glib-2.0/ rw,
- deny owner @{user_config_dirs}/glib-2.0/settings/ rw,
- deny owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
- deny owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw,
-
- include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/deny-root-dir-access b/apparmor.d/abstractions/deny-root-dir-access
deleted file mode 100644
index c76eac7a..00000000
--- a/apparmor.d/abstractions/deny-root-dir-access
+++ /dev/null
@@ -1,18 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
- # The goal of this abstraction is preventing apps (GUI) to be run as the root user by restraining
- # access to the /root/ dir and its subdirectories. If you don't want to start an app as the super
- # user (possibly by mistake), just include this abstraction in the app's AppArmor profile.
- #
- # Note that some apps will work anyway when run as root even if all of the files in the /root/
- # are denied. Anyway, most of the apps refuse to start when they don't get the access to the
- # needed files in the user home dir.
-
- abi ,
-
- # Use audit for now to see whether some apps are trying to get access to the /root/ dir.
- audit deny /root/{,**} rwkmlx,
-
- include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/gtk b/apparmor.d/abstractions/gtk
index bf92d8ea..a5cccf3e 100644
--- a/apparmor.d/abstractions/gtk
+++ b/apparmor.d/abstractions/gtk
@@ -7,8 +7,10 @@
 /usr/share/themes/{,**} r,
- /usr/share/gtksourceview-[0-9]*/ r,
- /usr/share/gtksourceview-[0-9]*/** r,
+ /usr/share/gtksourceview-[0-9]*/{,**} r,
+
+ /usr/share/gtk-2.0/ r,
+ /usr/share/gtk-2.0/gtkrc r,
 /usr/share/gtk-{3,4}.0/ r,
 /usr/share/gtk-{3,4}.0/settings.ini r,
@@ -20,6 +22,9 @@
 /etc/gtk/gtkrc r,
+ owner @{HOME}/.themes/{,**} r,
+ owner @{HOME}/.local/share/themes/{,**} r,
+
 owner @{HOME}/.gtk r,
 owner @{HOME}/.gtkrc r,
 owner @{HOME}/.gtkrc-2.0 r,
@@ -43,4 +48,5 @@
 # Xsession errors file
 owner @{HOME}/.xsession-errors w,
- include if exists
\ No newline at end of file
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio
index e7fe3d21..1c246fcd 100644
--- a/apparmor.d/groups/apps/android-studio
+++ b/apparmor.d/groups/apps/android-studio
@@ -27,15 +27,7 @@ profile android-studio @{exec_path} {
 include
 include
 include
- include
-
- # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
- # to "1".
- capability sys_admin,
- capability sys_chroot,
- owner @{PROC}/@{pid}/setgroups w,
- owner @{PROC}/@{pid}/gid_map w,
- owner @{PROC}/@{pid}/uid_map w,
+ include
 capability sys_ptrace,
@@ -174,12 +166,6 @@ profile android-studio @{exec_path} {
 owner @{HOME}/.java/.userPrefs/ rw,
 owner @{HOME}/.java/.userPrefs/** rwk,
- owner @{HOME}/.pki/ rw,
- owner @{HOME}/.pki/nssdb/ rw,
- owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
- owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
- owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-
 owner @{HOME}/.emulator_console_auth_token rw,
 deny owner @{HOME}/Desktop/* rw,
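Review bot: Replacing the inline user-namespace block in android-studio with the single `include` (its target is stripped in this rendering; presumably the new chromium-common abstraction) widens the profile's capability set: the removed lines granted only `sys_admin` and `sys_chroot`, whereas the abstraction added in this commit also grants `capability setuid,` and `capability setgid,`. The same widening applies to the equivalent hunks in calibre, discord, freetube, signal-desktop and brave. If none of these apps needs setuid/setgid, keep those two capabilities out of the shared abstraction; otherwise a comment in the abstraction should say which app required them. The enclosing `profile android-studio` block starts and ends outside the hunk.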
@@ -206,8 +192,6 @@ profile android-studio @{exec_path} {
 @{sys}/fs/cgroup/{,**} r,
- /var/tmp/ r,
- /tmp/ r,
 owner /tmp/** rwk,
 owner /tmp/native-platform[0-9]*dir/*.so rwm,
@@ -220,8 +204,6 @@ profile android-studio @{exec_path} {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- owner /dev/shm/.org.chromium.Chromium.* rw,
-
 /dev/kvm rw,
 @{sys}/devices/virtual/block/**/rotational r,
diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom
index 3ec84074..13afe288 100644
--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@@ -16,6 +16,7 @@ profile atom @{exec_path} {
 include
 include
 include
+ include
 # The following doesn't seem to be needed
 ##include
 ##include
@@ -24,8 +25,6 @@ profile atom @{exec_path} {
 include
 ##include
 ##include
- include
- include
 ptrace (read) peer=lsb_release,
 ptrace (read) peer=xdg-settings,
@@ -93,16 +92,12 @@ profile atom @{exec_path} {
 owner @{user_config_dirs}/git/config r,
- # To remove the following error:
- # Error initializing NSS with a persistent database
- deny owner @{HOME}/.pki/ rw,
- deny owner @{HOME}/.pki/nssdb/ rw,
- deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
- deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
- deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-
 /etc/fstab r,
+ include
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 # Needed or atom gets crash with the following error:
@@ -125,9 +120,6 @@ profile atom @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
 deny owner @{PROC}/@{pid}/loginuid r,
- deny /dev/shm/ r,
- owner /dev/shm/.org.chromium.Chromium.* rw,
-
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
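Review bot: In atom's third hunk the removed lines explicitly denied `@{HOME}/.pki/` and `@{HOME}/.pki/nssdb/**`, and the `include` that replaces them (target not visible here; presumably chromium-common, which grants those same paths `rw`/`rwk`) turns that deny into an allow, which is a policy reversal rather than a refactor. The code, spotify and freetube hunks carry the same flip. If the deny was deliberate, keep an explicit `deny owner @{HOME}/.pki/{,**} rwk,` after the include, since a deny rule overrides an allow from an abstraction regardless of order; if it was not, a one-line comment saying the NSS database is now intentionally writable would stop the next reader from reverting it. The enclosing `profile atom` block starts and ends outside the hunk.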
@@ -140,9 +132,6 @@ profile atom @{exec_path} {
 # The irq file is needed to render pages.
 deny @{sys}/devices/pci[0-9]*/**/irq r,
- /var/tmp/ r,
- /tmp/ r,
- owner /tmp/.org.chromium.Chromium.* rw,
 owner /tmp/atom-[0-9a-f]*.sock rw,
 owner "/tmp/Atom Crashes/" rw,
 owner /tmp/github-[0-9]*-[0-9]*-*.*/ rw,
@@ -154,9 +143,6 @@ profile atom @{exec_path} {
 owner /tmp/apm-install-dir-[0-9]*-[0-9]*-*.*/** rw,
 owner /tmp/net-export/ rw,
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
 # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre
index aea80d21..daf63e0a 100644
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@@ -41,15 +41,7 @@ profile calibre @{exec_path} {
 include
 include
 include
- include
-
- # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
- # to "1".
- capability sys_admin,
- capability sys_chroot,
- owner @{PROC}/@{pid}/setgroups w,
- owner @{PROC}/@{pid}/gid_map w,
- owner @{PROC}/@{pid}/uid_map w,
+ include
 capability sys_ptrace,
@@ -142,9 +134,7 @@ profile calibre @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/irq r,
- /dev/shm/ r,
- /dev/shm/#[0-9]*[0-9] rw,
- owner /dev/shm/.org.chromium.Chromium.* rw,
+ /dev/shm/#[0-9]*[0-9] rw,
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
@@ -157,7 +147,6 @@ profile calibre @{exec_path} {
 # file_inherit
 owner /dev/tty[0-9]* rw,
- owner @{HOME}/.xsession-errors w,
 profile open {
diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code
index dec9e093..e2bd477c 100644
--- a/apparmor.d/groups/apps/code
+++ b/apparmor.d/groups/apps/code
@@ -16,14 +16,13 @@ profile code @{exec_path} {
 include
 include
 include
+ include
 # The following doesn't seem to be needed
 ##include
 ##include
 ##include
 ##include
 include
- include
- include
 ptrace (read) peer=lsb_release,
@@ -70,16 +69,12 @@ profile code @{exec_path} {
 owner @{MOUNTS}/*/code/ r,
 owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**,
- # To remove the following error:
- # Error initializing NSS with a persistent database
- deny owner @{HOME}/.pki/ rw,
- deny owner @{HOME}/.pki/nssdb/ rw,
- deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
- deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
- deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-
 /etc/fstab r,
+ include
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 # Needed or code gets crash with the following error:
@@ -106,9 +101,6 @@ profile code @{exec_path} {
 deny owner @{PROC}/@{pid}/net/if_inet6 r,
 deny owner @{PROC}/@{pids}/cmdline r,
- deny /dev/shm/ r,
- owner /dev/shm/.org.chromium.Chromium.* rw,
-
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
@@ -120,8 +112,6 @@ profile code @{exec_path} {
 # The irq file is needed to render pages.
 deny @{sys}/devices/pci[0-9]*/**/irq r,
- /var/tmp/ r,
- /tmp/ r,
 owner "/tmp/VSCode Crashes/" rw,
 owner /tmp/vscode-typescript[0-9]*/ rw,
@@ -132,9 +122,5 @@ profile code @{exec_path} {
 # For installing extensions
 owner /tmp/@{uuid} rw,
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
 include if exists
 }
-
diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord
index 8c55767e..ccfe78bf 100644
--- a/apparmor.d/groups/apps/discord
+++ b/apparmor.d/groups/apps/discord
@@ -6,11 +6,13 @@ abi ,
 include
-@{DISCORD_LIBDIR} = /usr/share/discord
-@{DISCORD_HOMEDIR} = @{user_config_dirs}/discord
-@{DISCORD_CACHEDIR} = @{user_cache_dirs}/discord
+@{DISCORD_LIBDIR} = /usr/share/discord
+@{DISCORD_LIBDIR} += /usr/share/discord-ptb
+@{DISCORD_HOMEDIR} = @{HOME}/.config/discord
+@{DISCORD_HOMEDIR} += @{HOME}/.config/discordptb
+@{DISCORD_CACHEDIR} = @{HOME}/.cache/discord
-@{exec_path} = @{DISCORD_LIBDIR}/Discord /{usr/,}bin/discord
+@{exec_path} = @{DISCORD_LIBDIR}/Discord{,PTB} /{usr/,}bin/discord{,-ptb}
 profile discord @{exec_path} {
 include
 include
@@ -24,7 +26,7 @@ profile discord @{exec_path} {
 include
 include
 include
- include
+ include
 signal (send) set=(kill, term) peer=@{profile_name}//lsb_release,
@@ -40,14 +42,6 @@ profile discord @{exec_path} {
 @{exec_path} mrix,
- # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
- # to "1".
- capability sys_admin,
- capability sys_chroot,
- owner @{PROC}/@{pid}/setgroups w,
- owner @{PROC}/@{pid}/gid_map w,
- owner @{PROC}/@{pid}/uid_map w,
-
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/xdg-open rCx -> open,
@@ -59,11 +53,8 @@ profile discord @{exec_path} {
 @{DISCORD_LIBDIR}/ r,
 @{DISCORD_LIBDIR}/** r,
 # @{DISCORD_LIBDIR}/**.so mr,
- # @{DISCORD_LIBDIR}/libEGL.so mr,
- # @{DISCORD_LIBDIR}/libGLESv2.so mr,
- # To remove the following error:
- # discord-canary: error while loading shared libraries: libffmpeg.so: cannot open shared object
- # file: No such file or directory
+ @{DISCORD_LIBDIR}/libEGL.so mr,
+ @{DISCORD_LIBDIR}/libGLESv2.so mr,
 @{DISCORD_LIBDIR}/libffmpeg.so mr,
 # @{DISCORD_LIBDIR}/swiftshader/libEGL.so mr,
 # @{DISCORD_LIBDIR}/swiftshader/libGLESv2.so mr,
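Review bot: `@{DISCORD_HOMEDIR}` and `@{DISCORD_CACHEDIR}` are now spelled with the literal `@{HOME}/.config` and `@{HOME}/.cache` prefixes instead of the `@{user_config_dirs}`/`@{user_cache_dirs}` tunables the removed lines used, while the rest of this file (and the other profiles in the commit, e.g. `@{user_config_dirs}/BraveSoftware/`) keeps using the tunables. That is inconsistent and drops whatever extra locations the tunables may cover (cannot confirm their definitions from here). Prefer `@{DISCORD_HOMEDIR} = @{user_config_dirs}/discord` with `@{DISCORD_HOMEDIR} += @{user_config_dirs}/discordptb`, and if a parser limitation forced the literal paths, say so in a comment above the variables.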
@@ -85,7 +76,11 @@ profile discord @{exec_path} {
 owner @{PROC}/@{pids}/task/ r,
 @{PROC}/@{pids}/task/@{tid}/status r,
 deny @{PROC}/@{pids}/stat r,
- deny owner @{PROC}/@{pids}/statm r,
+ # Needed to remove the following error:
+ # Error occurred in handler for 'DISCORD_PROCESS_UTILS_GET_MEMORY_INFO': [Error: Failed to
+ # create memory dump]
+ owner @{PROC}/@{pids}/statm r,
+
 # deny @{PROC}/@{pids}/cmdline r,
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
@@ -106,25 +101,11 @@ profile discord @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/irq r,
 deny /dev/ r,
- deny /dev/shm/ rw,
- owner /dev/shm/.org.chromium.Chromium.* rw,
- /var/tmp/ r,
- /tmp/ r,
 owner /tmp/net-export/ rw,
 owner /tmp/discord.sock rw,
- owner /tmp/.org.chromium.Chromium.*/ rw,
- owner /tmp/.org.chromium.Chromium.*/discord1_[0-9]*.png rw,
- owner /tmp/.org.chromium.Chromium.*/SingletonCookie rw,
- owner /tmp/.org.chromium.Chromium.*/SS rw,
 owner "/tmp/Discord Crashes/" rw,
- owner @{HOME}/.pki/ rw,
- owner @{HOME}/.pki/nssdb/ rw,
- owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
- owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
- owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-
 owner @{run}/user/@{uid}/discord-ipc-[0-9] rw,
 /var/lib/dbus/machine-id r,
diff --git a/apparmor.d/groups/apps/discord-chrome-sandbox b/apparmor.d/groups/apps/discord-chrome-sandbox
index df2c9e00..11bca3f9 100644
--- a/apparmor.d/groups/apps/discord-chrome-sandbox
+++ b/apparmor.d/groups/apps/discord-chrome-sandbox
@@ -14,7 +14,6 @@ include
 profile discord-chrome-sandbox @{exec_path} {
 include
- include
 # For kernel unprivileged user namespaces
 capability sys_admin,
diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox
index 6ef33f84..e199bfb8 100644
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/groups/apps/dropbox
@@ -23,7 +23,6 @@ profile dropbox @{exec_path} {
 include
 include
 include
- include
 ptrace peer=@{profile_name},
diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/groups/apps/filezilla
index bdcf2f38..85ea3cf7 100644
--- a/apparmor.d/groups/apps/filezilla
+++ b/apparmor.d/groups/apps/filezilla
@@ -15,7 +15,6 @@ profile filezilla @{exec_path} {
 include
 include
 include
- include
 signal (send) set=(term, kill) peer=fzsftp,
diff --git a/apparmor.d/groups/apps/flameshot b/apparmor.d/groups/apps/flameshot
index 7cb92e4b..99ba7358 100644
--- a/apparmor.d/groups/apps/flameshot
+++ b/apparmor.d/groups/apps/flameshot
@@ -23,7 +23,6 @@ profile flameshot @{exec_path} {
 include
 include
 include
- include
 network inet dgram,
 network inet6 dgram,
@@ -68,7 +67,6 @@ profile flameshot @{exec_path} {
 # file_inherit
 owner /dev/tty[0-9]* rw,
- owner @{HOME}/.xsession-errors w,
 profile open {
diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube
index 8088155b..2cafcf3f 100644
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/groups/apps/freetube
@@ -25,16 +25,7 @@ profile freetube @{exec_path} {
 include
 include
 include
- include
- include
-
- # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
- # to "1".
- capability sys_admin,
- capability sys_chroot,
- owner @{PROC}/@{pid}/setgroups w,
- owner @{PROC}/@{pid}/gid_map w,
- owner @{PROC}/@{pid}/uid_map w,
+ include
 network inet dgram,
 network inet6 dgram,
@@ -55,17 +46,6 @@ profile freetube @{exec_path} {
 owner @{user_config_dirs}/FreeTube/ rw,
 owner @{user_config_dirs}/FreeTube/** rwk,
- /var/tmp/ r,
- /tmp/ r,
- owner /tmp/.org.chromium.Chromium.*/ rw,
- owner /tmp/.org.chromium.Chromium.*/SingletonCookie w,
- owner /tmp/.org.chromium.Chromium.*/SS w,
- owner /tmp/.org.chromium.Chromium.* rw,
- owner /tmp/net-export/ rw,
-
- /dev/shm/ r,
- owner /dev/shm/.org.chromium.Chromium.* rw,
-
 # The /proc/ dir is needed to avoid the following error:
 # traps: freetube[] trap int3 ip:56499eca9d26 sp:7ffcab073060 error:0 in
 # freetube[56499b8a8000+531e000]
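Review bot: In freetube's second hunk `owner /tmp/net-export/ rw,` is removed together with the Chromium temp rules, but the chromium-common abstraction added in this commit contains no `/tmp/net-export/` rule, so freetube loses that access while discord and brave keep theirs as explicit profile rules. If the net-export page is expected to keep working, restore `owner /tmp/net-export/ rw,` in this profile or add it to the abstraction. The enclosing `profile freetube` block starts and ends outside the hunk.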
@@ -84,8 +64,13 @@ profile freetube @{exec_path} {
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 deny @{PROC}/vmstat r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
+ /etc/fstab r,
+ include
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 owner @{user_share_dirs} r,
@@ -97,10 +82,6 @@ profile freetube @{exec_path} {
 # The irq file is needed to render pages.
 deny @{sys}/devices/pci[0-9]*/**/irq r,
- # Needed?
- deny owner @{HOME}/.pki/ rw,
- deny owner @{HOME}/.pki/** rwk,
-
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/apps/freetube-chrome-sandbox b/apparmor.d/groups/apps/freetube-chrome-sandbox
index 144c19d0..1aff2ad8 100644
--- a/apparmor.d/groups/apps/freetube-chrome-sandbox
+++ b/apparmor.d/groups/apps/freetube-chrome-sandbox
@@ -15,7 +15,6 @@ include
 profile freetube-chrome-sandbox @{exec_path} {
 include
 include
- include
 capability sys_admin,
 capability setgid,
diff --git a/apparmor.d/groups/apps/okular b/apparmor.d/groups/apps/okular
index a37242f1..96abdb7e 100644
--- a/apparmor.d/groups/apps/okular
+++ b/apparmor.d/groups/apps/okular
@@ -25,7 +25,6 @@ profile okular @{exec_path} {
 include
 include
 include
- include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop
index c2d2f41f..de35eb22 100644
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
@@ -22,19 +22,11 @@ profile signal-desktop @{exec_path} {
 include
 include
 include
- include
+ include
 # Needed?
 deny capability sys_ptrace,
- # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
- # to "1".
- capability sys_admin,
- capability sys_chroot,
- owner @{PROC}/@{pid}/setgroups w,
- owner @{PROC}/@{pid}/gid_map w,
- owner @{PROC}/@{pid}/uid_map w,
-
 network inet dgram,
 network inet6 dgram,
 network inet stream,
@@ -59,18 +51,8 @@ profile signal-desktop @{exec_path} {
 @{SIGNAL_HOMEDIR}/ rw,
 @{SIGNAL_HOMEDIR}/** rwk,
- #owner @{HOME}/.pki/nssdb/pkcs11.txt r,
- #owner @{HOME}/.pki/nssdb/cert9.db rwk,
- #owner @{HOME}/.pki/nssdb/key4.db rwk,
-
 # Signal wants the /tmp/ dir to be mounted with the "exec" flag. If this is not acceptable in
 # your system, use the TMPDIR variable to set some other tmp dir.
- /tmp/ r,
- owner /tmp/.org.chromium.Chromium.*/ rw,
- owner /tmp/.org.chromium.Chromium.*/SingletonCookie w,
- owner /tmp/.org.chromium.Chromium.*/SS w,
- owner /tmp/.org.chromium.Chromium.* rw,
- /var/tmp/ r,
 owner @{SIGNAL_HOMEDIR}/tmp/.org.chromium.Chromium.* mrw,
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
@@ -90,9 +72,6 @@ profile signal-desktop @{exec_path} {
 @{PROC}/sys/fs/inotify/max_user_watches r,
 @{PROC}/vmstat r,
- deny /dev/shm/ r,
- /dev/shm/.org.chromium.Chromium.* rw,
-
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox b/apparmor.d/groups/apps/signal-desktop-chrome-sandbox
index 6ff5aebc..fa52abe5 100644
--- a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox
+++ b/apparmor.d/groups/apps/signal-desktop-chrome-sandbox
@@ -13,7 +13,6 @@ include
 @{exec_path} = "/opt/Signal{, Beta}/chrome-sandbox"
 profile signal-desktop-chrome-sandbox @{exec_path} {
 include
- include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/apps/spotify b/apparmor.d/groups/apps/spotify
index f17c3a9d..7ddec0ec 100644
--- a/apparmor.d/groups/apps/spotify
+++ b/apparmor.d/groups/apps/spotify
@@ -21,7 +21,7 @@ profile spotify @{exec_path} {
 include
 include
 include
- include
+ include
 @{exec_path} mrix,
@@ -57,8 +57,6 @@ profile spotify @{exec_path} {
 /etc/fstab r,
- owner /dev/shm/.org.chromium.Chromium.* rw,
-
 deny @{sys}/devices/virtual/tty/tty[0-9]*/active r,
 # To remove the following error:
 # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
@@ -69,19 +67,10 @@ profile spotify @{exec_path} {
 /usr/share/X11/XErrorDB r,
- /tmp/ r,
 owner /tmp/[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
 # What's this for?
 #owner /tmp/[0-9]*.[0-9]*.[0-9]*.[0-9]*-linux-*.zip rw,
- /var/tmp/ r,
-
- deny owner @{HOME}/.pki/ rw,
- deny owner @{HOME}/.pki/nssdb/ rw,
- deny owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
- deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
- deny owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-
 include if exists
 }
diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop
index feadd8a9..943b9811 100644
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
@@ -27,8 +27,6 @@ profile telegram-desktop @{exec_path} {
 include
 include
 include
- include
- include
 network inet dgram,
 network inet6 dgram,
@@ -76,6 +74,10 @@ profile telegram-desktop @{exec_path} {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
+ include
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
 # Needed when saving files as, or otherwise the app crashes
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird
index a712abeb..93e4ec2f 100644
--- a/apparmor.d/groups/apps/thunderbird
+++ b/apparmor.d/groups/apps/thunderbird
@@ -30,8 +30,6 @@ profile thunderbird @{exec_path} {
 include
 include
 include
- include
- include
 ptrace peer=@{profile_name},
@@ -93,6 +91,10 @@ profile thunderbird @{exec_path} {
 owner @{HOME}/Mail/ rw,
 owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**,
+ include
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
 # Fix error in libglib while saving files as
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
@@ -187,7 +189,6 @@ profile thunderbird @{exec_path} {
 # file_inherit
 owner /dev/tty[0-9]* rw,
- owner @{HOME}/.xsession-errors w,
 profile gpg {
diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
index 63721e65..6ba6c30a 100644
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
+++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
@@ -108,7 +108,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
 owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own
 owner @{libo_user_dirs}/**~lock.* rw, #lock file support
 owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts
- owner @{libo_user_dirs}/{,**/}lu???????????{,?}.tmp rwk, #Temporary file used when saving
+ owner @{libo_user_dirs}/{,**/}lu????????{,?,??,???,????}.tmp rwk, #Temporary file used when saving
 owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
 # Settings
diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc
index a3b39cba..eb065a9b 100644
--- a/apparmor.d/groups/apps/vlc
+++ b/apparmor.d/groups/apps/vlc
@@ -70,7 +70,6 @@ profile vlc @{exec_path} {
 include
 include
 include
- include
 signal (receive) set=(term, kill) peer=anyremote//*,
diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs
index 4908da8c..ae1c3750 100644
--- a/apparmor.d/groups/apt/apt-listbugs
+++ b/apparmor.d/groups/apt/apt-listbugs
@@ -23,21 +23,25 @@ profile apt-listbugs @{exec_path} {
 network netlink raw,
 @{exec_path} r,
- /{usr/,}bin/ruby2.[0-9]* rix,
+ /{usr/,}bin/ruby[0-9].[0-9]* rix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/logname rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/logname rix,
- /{usr/,}bin/apt-config rPx,
+ /{usr/,}bin/apt-config rPx,
 # Do not strip env to avoid errors like the following:
 # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
 # shared object file): ignored.
- /{usr/,}bin/dpkg-query rpx,
+ /{usr/,}bin/dpkg-query rpx,
 /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r,
 /usr/share/rubygems-integration/*/specifications/ r,
- /usr/share/rubygems-integration/*/specifications/* r,
+ /usr/share/rubygems-integration/*/specifications/*.gemspec rwk,
+
+ /{usr/,}lib/ruby/gems/*/specifications/ r,
+ /{usr/,}lib/ruby/gems/*/specifications/** r,
+ /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk,
 /etc/apt/listbugs/{,*} r,
diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins
index d8f5a179..fef665e7 100644
--- a/apparmor.d/groups/apt/apt-listbugs-migratepins
+++ b/apparmor.d/groups/apt/apt-listbugs-migratepins
@@ -13,10 +13,14 @@ profile apt-listbugs-migratepins @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/ruby2.[0-9]* rix,
+ /{usr/,}bin/ruby[0-9].[0-9]* rix,
 /usr/share/rubygems-integration/*/specifications/ r,
- /usr/share/rubygems-integration/*/specifications/* r,
+ /usr/share/rubygems-integration/*/specifications/*.gemspec rwk,
+
+ /{usr/,}lib/ruby/gems/*/specifications/ r,
+ /{usr/,}lib/ruby/gems/*/specifications/** r,
+ /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk,
 /etc/apt/preferences r,
diff --git a/apparmor.d/groups/apt/apt-listbugs-prefclean b/apparmor.d/groups/apt/apt-listbugs-prefclean
index 240b8b5c..b4afe3d1 100644
--- a/apparmor.d/groups/apt/apt-listbugs-prefclean
+++ b/apparmor.d/groups/apt/apt-listbugs-prefclean
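Review bot: `/usr/share/rubygems-integration/*/specifications/*.gemspec rwk,` and `/{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk,` grant write access to system-wide gem specifications to a tool that is typically run as root from an apt hook, where the previous rule was read-only. If the denial that prompted this was only for `k` (rubygems taking a lock on the spec file), `rk` is enough for a shared lock on a read-only descriptor; if rubygems genuinely writes these files, a comment quoting the denial would justify the `w`. The same applies to the apt-listbugs-migratepins hunk that follows. The enclosing `profile apt-listbugs` block starts and ends outside the hunk.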
@@ -13,7 +13,7 @@ profile apt-listbugs-prefclean @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/ruby2.[0-9]* rix,
+ /{usr/,}bin/ruby[0-9].[0-9]* rix,
 /{usr/,}bin/date rix,
 /{usr/,}bin/cat rix,
diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges
index 601b1959..6647ca09 100644
--- a/apparmor.d/groups/apt/apt-listchanges
+++ b/apparmor.d/groups/apt/apt-listchanges
@@ -79,6 +79,7 @@ profile apt-listchanges @{exec_path} {
 include
 include
+ capability dac_read_search,
 #capability sys_tty_config,
 /{usr/,}bin/sensible-pager mr,
diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts
index 83167f6c..8d73a320 100644
--- a/apparmor.d/groups/apt/querybts
+++ b/apparmor.d/groups/apt/querybts
@@ -18,7 +18,6 @@ profile querybts @{exec_path} {
 include
 include
 include
- include
 network inet dgram,
 network inet6 dgram,
diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug
index 1cdb4707..1a9b4e37 100644
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@@ -19,8 +19,6 @@ profile reportbug @{exec_path} {
 include
 include
 include
- include
- include
 network inet dgram,
 network inet6 dgram,
@@ -65,6 +63,10 @@ profile reportbug @{exec_path} {
 /{usr/,}bin/run-parts rCx -> run-parts,
 /{usr/,}bin/gpg rCx -> gpg,
+ include
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
 # For sending additional information
 /etc/** r,
diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic
index 65adc15d..42e20413 100644
--- a/apparmor.d/groups/apt/synaptic
+++ b/apparmor.d/groups/apt/synaptic
@@ -16,7 +16,6 @@ profile synaptic @{exec_path} {
 include
 include
 include
- include
 # To remove the following errors:
 # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index 6a7cf816..00541513 100644
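Review bot: `capability dac_read_search,` in apt-listchanges is added without a comment saying which access needs it; this capability bypasses read and search permission checks on every file, so it deserves the same justification the rest of this profile gives its rules (a quoted denial or the path involved). Suggest `# Needed to read <PATH-PLACEHOLDER> (denial: <MESSAGE-PLACEHOLDER>)` with the real values filled in, or, if the access is on a path the profile can name, a file rule instead of the capability. The enclosing `profile apt-listchanges` block starts and ends outside the hunk.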
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -24,19 +24,10 @@ profile brave @{exec_path} {
 include
 include
 include
- include
- include
+ include
 capability sys_ptrace,
- # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
- # to "1".
- capability sys_admin,
- capability sys_chroot,
- owner @{PROC}/@{pid}/setgroups w,
- owner @{PROC}/@{pid}/gid_map w,
- owner @{PROC}/@{pid}/uid_map w,
-
 ptrace (read),
 @{exec_path} mrix,
@@ -78,14 +69,6 @@ profile brave @{exec_path} {
 /usr/share/chromium/extensions/ r,
- # To remove the following error:
- # Error initializing NSS with a persistent database
- owner @{HOME}/.pki/ rw,
- owner @{HOME}/.pki/nssdb/ rw,
- owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
- owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
- owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-
 owner @{HOME}/ r,
 owner @{user_config_dirs}/BraveSoftware/ w,
 owner @{BRAVE_HOMEDIR}/ rw,
@@ -122,6 +105,10 @@ profile brave @{exec_path} {
 /etc/fstab r,
+ include
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 # Needed or Brave crash with the following error:
@@ -148,14 +135,10 @@ profile brave @{exec_path} {
 @{PROC}/sys/fs/inotify/max_user_watches r,
 deny @{PROC}filesystems r,
- owner /dev/shm/.org.chromium.Chromium.* rw,
 owner /dev/shm/org.chromium.Chromium.shmem.[A-F0-9]*._service_shmem rw,
 /dev/bus/usb/[0-9]*/[0-9]* rw,
- # For downloading files
- owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
-
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
@@ -179,22 +162,12 @@ profile brave @{exec_path} {
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
- /var/tmp/ r,
- /tmp/ r,
- owner /tmp/.org.chromium.Chromium.* rw,
- owner /tmp/.org.chromium.Chromium.*/{,**} rw,
- # For installing/updating/removing extensions
- owner /tmp/scoped_dir*/{,**} rw,
- owner /tmp/tmp.* rw,
 # For brave://net-export/
 owner /tmp/net-export/ rw,
 # Silencer
 deny @{BRAVE_INSTALLDIR}/** w,
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
 profile open {
 include
diff --git a/apparmor.d/groups/browsers/brave-browser b/apparmor.d/groups/browsers/brave-browser
index 106f8a6b..9e544d35 100644
--- a/apparmor.d/groups/browsers/brave-browser
+++ b/apparmor.d/groups/browsers/brave-browser
@@ -14,7 +14,6 @@ include
 profile brave-browser @{exec_path} {
 include
 include
- include
 @{exec_path} r,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/browsers/brave-sandbox b/apparmor.d/groups/browsers/brave-sandbox
index c91749d6..46574327 100644
--- a/apparmor.d/groups/browsers/brave-sandbox
+++ b/apparmor.d/groups/browsers/brave-sandbox
@@ -13,7 +13,6 @@ include
 @{exec_path} = @{BRAVE_INSTALLDIR}/{brave,chrome}-sandbox
 profile brave-sandbox @{exec_path} {
 include
- include
 # For kernel unprivileged user namespaces
 capability sys_admin,
diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium
index f49ede7a..23621a72 100644
--- a/apparmor.d/groups/browsers/chromium
+++ b/apparmor.d/groups/browsers/chromium
@@ -14,7 +14,6 @@ include
 profile chromium @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
 @{exec_path} r,
diff --git a/apparmor.d/groups/browsers/chromium-chrome-crashpad-handler b/apparmor.d/groups/browsers/chromium-chrome-crashpad-handler
new file mode 100644
index 00000000..a60ed295
--- /dev/null
+++ b/apparmor.d/groups/browsers/chromium-chrome-crashpad-handler
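Review bot: `owner /tmp/tmp.* rw,` (under the removed `# For installing/updating/removing extensions` comment) is dropped from brave along with the Chromium temp rules, but the chromium-common abstraction added in this commit only covers `/tmp/scoped_dir*` and `/tmp/.org.chromium.Chromium.*`, so brave loses access to `/tmp/tmp.*` with no replacement visible. If extension installation still touches that path, keep `owner /tmp/tmp.* rw,` together with its comment in this profile. The enclosing `profile brave` block starts and ends outside the hunk.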
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium
+@{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium
+@{CHROMIUM_CACHEDIR} = @{HOME}/.cache/chromium
+
+@{exec_path} = @{CHROMIUM_INSTALLDIR}/chrome_crashpad_handler
+profile chromium-chrome-crashpad-handler @{exec_path} flags=(complain) {
+ include
+
+ capability sys_ptrace,
+
+ ptrace peer=chromium-chromium,
+ signal (send) peer=chromium-chromium,
+
+ @{exec_path} mrix,
+
+ owner "@{HOME}/.config/chromium/Crash Reports/**" rwk,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pids}/mem r,
+ owner @{PROC}/@{pids}/stat r,
+ owner @{PROC}/@{pids}/task/ r,
+ @{PROC}/sys/kernel/yama/ptrace_scope r,
+
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_max_freq r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/browsers/chromium-chrome-sandbox b/apparmor.d/groups/browsers/chromium-chrome-sandbox
index 171556eb..9c85879c 100644
--- a/apparmor.d/groups/browsers/chromium-chrome-sandbox
+++ b/apparmor.d/groups/browsers/chromium-chrome-sandbox
@@ -14,7 +14,6 @@ include
 profile chromium-chrome-sandbox @{exec_path} {
 include
- include
 # For kernel unprivileged user namespaces
 capability sys_admin,
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index c9a50454..dc894765 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -28,7 +28,6 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 ptrace (read) peer=chrome-gnome-shell,
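Review bot: `owner "@{HOME}/.config/chromium/Crash Reports/**" rwk,` hardcodes the config path although `@{CHROMIUM_HOMEDIR}` is defined a few lines above as exactly that directory, and `@{CHROMIUM_CACHEDIR}` is defined but never used; `owner "@{CHROMIUM_HOMEDIR}/Crash Reports/**" rwk,` keeps the rule in step with the variable. Since the profile is `flags=(complain)`, none of these rules is enforced yet; a short comment stating that it is a first cut pending log review would make that intent explicit. `owner @{PROC}/@{pids}/mem r,` covers every process the user owns, so it is worth a comment noting that the `ptrace peer=chromium-chromium,` rule is what should keep the handler's reads limited to chromium processes.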
@@ -46,6 +45,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=lsb_release, signal (send) set=(term, kill) peer=keepassxc-proxy, + signal (receive) peer=chromium-chrome-crashpad-handler, network inet dgram, network inet6 dgram, @@ -55,9 +55,9 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}bin/chrome-gnome-shell rPx, - @{CHROMIUM_INSTALLDIR}/chrome-sandbox rPx, - @{CHROMIUM_INSTALLDIR}/crashpad_handler rPx, + /{usr/,}bin/chrome-gnome-shell rPx, + @{CHROMIUM_INSTALLDIR}/chrome-sandbox rPx, + @{CHROMIUM_INSTALLDIR}/chrome_crashpad_handler rPx, # For storing passwords externally /{usr/,}bin/keepassxc-proxy rPUx, @@ -70,14 +70,6 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/xdg-desktop-menu rPx, /{usr/,}bin/xdg-icon-resource rPx, - # To remove the following error: - # Error initializing NSS with a persistent database - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - # Chromium files /usr/share/chromium/{,**} r, 
@@ -121,36 +113,39 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { /etc/fstab r, + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or chromium gets crash with the following error: # FATAL:sandbox_linux.cc(172)] Check failed: proc_fd_ >= 0 (-1 vs. 0) @{PROC}/ r, # - deny @{PROC}/vmstat r, + @{PROC}/vmstat r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/@{pid}/fd/ r, - deny @{PROC}/@{pids}/stat r, - deny @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, # To remove the following error: # Failed to adjust OOM score of renderer with pid : Permission denied - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, # deny @{PROC}/@{pids}/cmdline r, - deny owner @{PROC}/@{pids}/environ r, + owner @{PROC}/@{pids}/environ r, owner @{PROC}/@{pids}/task/ r, - deny @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/@{pids}/task/@{tid}/status r, - deny owner @{PROC}/@{pid}/limits r, - deny owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/limits r, + owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, # To remove the following error: # file_path_watcher_linux.cc(71)] Failed to read /proc/sys/fs/inotify/max_user_watches @{PROC}/sys/fs/inotify/max_user_watches r, - - deny /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.* rw, + # + owner @{PROC}/@{pids}/clear_refs w, /var/lib/dbus/machine-id r, /etc/machine-id r, 
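Review bot: The hunk flips eight `deny` rules on @{PROC} into allows, but the empty `#` comment above `@{PROC}/vmstat r,` and the one above `owner @{PROC}/@{pids}/clear_refs w,` say nothing about why, and the unowned `@{PROC}/@{pids}/stat r,`, `@{PROC}/@{pids}/statm r,` and `@{PROC}/@{pids}/task/@{tid}/stat r,` now let the browser read status of every process on the system while `environ`, `limits` and `mem` stay `owner`. Unless cross-user reads are actually required, prefix those three with `owner` as well, and fill in the two empty comments with the feature that triggered the change (presumably the task manager or memory reporting — confirm from the audit log). The dconf trio `include` / `owner @{run}/user/@{uid}/dconf/ rw,` / `owner @{run}/user/@{uid}/dconf/user rw,` is pasted verbatim here and again in firefox-crashreporter, opera and atril; if that include is the dconf abstraction, the two `owner` rules belong inside it rather than next to every call site.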
@@ -174,19 +169,10 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - /var/tmp/ r, - /tmp/ r, - owner /tmp/.org.chromium.Chromium.* rw, - owner /tmp/.org.chromium.Chromium.*/{,**} rw, - # For the temp profile owner /tmp/tmp.*/ rw, owner /tmp/tmp.*/** rwk, - # For installing/updating extensions - owner /tmp/scoped_dir*/ rw, - owner /tmp/scoped_dir*/** rw, - # Silencer deny @{CHROMIUM_INSTALLDIR}/** w, diff --git a/apparmor.d/groups/browsers/chromium-crashpad-handler b/apparmor.d/groups/browsers/chromium-crashpad-handler index dd2326de..09cdbf1a 100644 --- a/apparmor.d/groups/browsers/chromium-crashpad-handler +++ b/apparmor.d/groups/browsers/chromium-crashpad-handler @@ -14,7 +14,6 @@ include profile chromium-crashpad_handler @{exec_path} flags=(complain) { include - include @{exec_path} mrix, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 5bc83a7c..fef15987 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -17,7 +17,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 3f57d1d3..115c6336 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -20,8 +20,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { include include include - include - include signal (receive) set=(term, kill) peer=firefox, @@ -55,6 +53,10 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r, + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/** r, 
@@ -62,8 +64,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { # file_inherit owner @{MOZ_CACHEDIR}/firefox/*.*/** r, owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r, - owner @{MOZ_HOMEDIR}/firefox/*.*/.parentlock rw, - owner @{HOME}/.xsession-errors w, /dev/dri/renderD128 rw, /dev/dri/card[0-9]* rw, diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index a34727fd..af60b617 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -13,7 +13,6 @@ include @{exec_path} = /{usr/,}lib/firefox/minidump-analyzer profile firefox-minidump-analyzer @{exec_path} { include - include signal (receive) set=(term, kill) peer=firefox, diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 53dc072e..38dccd40 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender @@ -16,7 +16,6 @@ profile firefox-pingsender @{exec_path} { include include include - include signal (receive) set=(term, kill) peer=firefox, diff --git a/apparmor.d/groups/browsers/google-chrome-chrome b/apparmor.d/groups/browsers/google-chrome-chrome index cda308c4..5fde3923 100644 --- a/apparmor.d/groups/browsers/google-chrome-chrome +++ b/apparmor.d/groups/browsers/google-chrome-chrome @@ -24,15 +24,7 @@ profile google-chrome-chrome @{exec_path} { include include include - include - - # The following rules are needed only when the kernel.unprivileged_userns_clone option is set - # to "1". - capability sys_admin, - capability sys_chroot, - owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/uid_map w, + include ptrace (trace) peer=@{profile_name}, 
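Review bot: Replacing the explicit user-namespace block in google-chrome-chrome with `include` changes the capability set: the removed lines granted only `capability sys_admin,` and `capability sys_chroot,`, while the same substitution in appimage-beyond-all-reason also removes `capability setuid,` and `capability setgid,`, which suggests the shared abstraction carries all four. If so, google-chrome-chrome, opera and deltachat-desktop (which receive the identical edit) gain setuid/setgid without the commit saying so; either confirm the browser process itself needs them and note it, or keep the narrower explicit rules in these three profiles. A one-line comment at the include, e.g. `# Chromium sandbox/userns setup; see the abstraction for the capability list`, would make the widening visible to the next reviewer.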
@@ -69,20 +61,10 @@ profile google-chrome-chrome @{exec_path} { /{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xdg-settings rPx, - # To remove the following error: - # Error initializing NSS with a persistent database - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - # Google Chrome home files owner @{HOME}/ r, owner @{CHROME_HOMEDIR}/ rw, owner @{CHROME_HOMEDIR}/** rwk, - # Flashplayer - owner @{CHROME_HOMEDIR}/PepperFlash/**/libpepflashplayer.so mr, owner @{user_share_dirs}/.com.google.Chrome.* rw, @@ -141,8 +123,6 @@ profile google-chrome-chrome @{exec_path} { owner @{PROC}/@{pid}/mounts r, deny @{PROC}/diskstats r, - owner /dev/shm/.com.google.Chrome.* rw, - # To play DRM media (protected content) @{CHROME_INSTALLDIR}/libwidevinecdm.so mr, @{CHROME_INSTALLDIR}/libwidevinecdmadapter.so mr, @@ -168,13 +148,6 @@ profile google-chrome-chrome @{exec_path} { # The irq file is needed to render pages. @{sys}/devices/pci[0-9]*/**/irq r, - /var/tmp/ r, - /tmp/ r, - owner /tmp/.com.google.Chrome.* rw, - owner /tmp/.com.google.Chrome.*/{,**} rw, - # For installing/updating extensions - owner /tmp/scoped_dir*/{,**} rw, - # Silencer deny @{CHROME_INSTALLDIR}/** w, diff --git a/apparmor.d/groups/browsers/google-chrome-chrome-sandbox b/apparmor.d/groups/browsers/google-chrome-chrome-sandbox index 23e59bf9..5fb0db20 100644 --- a/apparmor.d/groups/browsers/google-chrome-chrome-sandbox +++ b/apparmor.d/groups/browsers/google-chrome-chrome-sandbox @@ -13,7 +13,6 @@ include @{exec_path} = @{CHROME_INSTALLDIR}/chrome-sandbox profile google-chrome-chrome-sandbox @{exec_path} { include - include # For kernel unprivileged user namespaces capability sys_admin, diff --git a/apparmor.d/groups/browsers/google-chrome-google-chrome b/apparmor.d/groups/browsers/google-chrome-google-chrome index 96183b3b..203673ec 100644 
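Review bot: The removed `owner /dev/shm/.com.google.Chrome.* rw,`, `owner /tmp/.com.google.Chrome.* rw,` and `owner /tmp/.com.google.Chrome.*/{,**} rw,` use Google Chrome's own singleton name, which differs from the `.org.chromium.Chromium.*` name the other Chromium-based profiles share (the context line `owner @{user_share_dirs}/.com.google.Chrome.* rw,` still uses it). Unless the abstraction that replaces these rules also matches `.com.google.Chrome.*`, Chrome loses its singleton and shared-memory file access and may fail to launch or to detect a running instance; verify the abstraction's patterns before dropping the explicit rules, or keep the three `.com.google.Chrome.*` lines in this profile.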
--- a/apparmor.d/groups/browsers/google-chrome-google-chrome +++ b/apparmor.d/groups/browsers/google-chrome-google-chrome @@ -14,7 +14,6 @@ include profile google-chrome-google-chrome @{exec_path} { include include - include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 07548eb1..9727e24c 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -25,16 +25,7 @@ profile opera @{exec_path} { include include include - include - include - - # The following rules are needed only when the kernel.unprivileged_userns_clone option is set - # to "1". - capability sys_admin, - capability sys_chroot, - owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/uid_map w, + include ptrace (trace) peer=@{profile_name}, @@ -62,21 +53,11 @@ profile opera @{exec_path} { /{usr/,}bin/xdg-desktop-menu rPx, /{usr/,}bin/xdg-icon-resource rPx, - # To remove the following error: - # Error initializing NSS with a persistent database - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - # Opera home files owner @{HOME}/ r, owner @{OPERA_HOMEDIR}/ rw, owner @{OPERA_HOMEDIR}/** rwk, - owner @{user_share_dirs}/.org.chromium.Chromium.* rw, - # Cache files owner @{user_cache_dirs}/ rw, owner @{OPERA_CACHEDIR}/{,**/} rw, 
@@ -100,13 +81,12 @@ profile opera @{exec_path} { owner @{user_config_dirs}/chromium/*/ r, owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, - # Flashplayer - owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/PepperFlash/**/manifest.json r, - owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/PepperFlash/latest-component-updated-flash r, - owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/PepperFlash/**/libpepflashplayer.so mr, - /etc/fstab r, + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + /usr/share/glib-2.0/schemas/gschemas.compiled r, # Needed or opera crashes with the following error: @@ -133,8 +113,6 @@ profile opera @{exec_path} { owner @{PROC}/@{pid}/mounts r, @{PROC}/sys/fs/inotify/max_user_watches r, - owner /dev/shm/.org.chromium.Chromium.* rw, - # To play DRM media (protected content) /opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr, /opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr, @@ -159,14 +137,6 @@ profile opera @{exec_path} { # The irq file is needed to render pages. @{sys}/devices/pci[0-9]*/**/irq r, - /var/tmp/ r, - /tmp/ r, - owner /tmp/.org.chromium.Chromium.* rw, - owner /tmp/.org.chromium.Chromium.*/{,*} rw, - - # For installing/updating extensions - owner /tmp/scoped_dir*/{,**} rw, - # For crashreporter owner /tmp/opera-crashlog-[0-9]*-[0-9]*.txt rw, diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 79e0074f..4f8ea915 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -19,7 +19,6 @@ profile opera-crashreporter @{exec_path} { include include include - include ptrace (trace, read) peer=opera, diff --git a/apparmor.d/groups/browsers/opera-sandbox b/apparmor.d/groups/browsers/opera-sandbox index 38b230e9..f9f364ca 100644 --- a/apparmor.d/groups/browsers/opera-sandbox 
+++ b/apparmor.d/groups/browsers/opera-sandbox @@ -15,7 +15,6 @@ profile opera-sandbox @{exec_path} { include include include - include # For kernel unprivileged user namespaces capability sys_admin, diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher index 65df3e06..1e53a5a7 100644 --- a/apparmor.d/groups/desktop/at-spi-bus-launcher +++ b/apparmor.d/groups/desktop/at-spi-bus-launcher @@ -12,7 +12,6 @@ include profile at-spi-bus-launcher @{exec_path} { include include - include # Needed? deny capability sys_nice, diff --git a/apparmor.d/groups/desktop/at-spi2-registryd b/apparmor.d/groups/desktop/at-spi2-registryd index 2be81ce0..939496d8 100644 --- a/apparmor.d/groups/desktop/at-spi2-registryd +++ b/apparmor.d/groups/desktop/at-spi2-registryd @@ -11,7 +11,6 @@ include profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include - include # Needed? deny capability sys_nice, diff --git a/apparmor.d/groups/desktop/dconf-editor b/apparmor.d/groups/desktop/dconf-editor index 7d646693..d219dc27 100644 --- a/apparmor.d/groups/desktop/dconf-editor +++ b/apparmor.d/groups/desktop/dconf-editor @@ -14,7 +14,6 @@ profile dconf-editor @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 0d511f54..f40b5d2c 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -11,10 +11,7 @@ include profile gnome-keyring-daemon @{exec_path} { include include - include - # Remove the following error: - # gnome-keyring-daemon: insufficient process capabilities, unsecure memory might get used capability ipc_lock, signal (send) set=(term) peer=ssh-agent, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 61899a4c..4032e4db 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg 
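Review bot: In gnome-keyring-daemon the two comment lines explaining `capability ipc_lock,` are removed while the rule stays, so the reason for a capability grant is lost from the profile. Keep the why-comment with the rule: `# Remove the following error:` / `# gnome-keyring-daemon: insufficient process capabilities, unsecure memory might get used`. If the intent was only to drop the include above it, the comment removal looks accidental.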
@@ -72,6 +72,9 @@ profile gpg @{exec_path} { /usr/share/keyrings/*.{gpg,asc} r, /etc/keyrings/*.{gpg,asc} r, + # APT repositories + /var/lib/apt/lists/*_InRelease r, + # Verify files owner @{HOME}/** r, owner @{MOUNTS}/*/** r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 6336eb9d..6798cded 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -19,6 +19,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) { capability setgid, capability setpcap, capability setuid, + capability sys_admin, capability sys_ptrace, @{exec_path} mr, @@ -27,12 +28,15 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) { /{usr/,}sbin/* r, @{libexec}/** r, /opt/** r, + / r, + + mount -> /, /etc/systemd/coredump.conf r, - /var/lib/systemd/coredump/ r, - /var/lib/systemd/coredump/** rwl, - /var/lib/systemd/coredump/#[0-9]* rwl, + /var/lib/systemd/coredump/ r, + owner /var/lib/systemd/coredump/#[0-9]* rw, + owner /var/lib/systemd/coredump/core.*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*, owner @{PROC}/@{pid}/setgroups r, @{PROC}/@{pids}/comm r, diff --git a/apparmor.d/profiles-a-f/amarok b/apparmor.d/profiles-a-f/amarok index 7d709a69..b562dcf5 100644 --- a/apparmor.d/profiles-a-f/amarok +++ b/apparmor.d/profiles-a-f/amarok @@ -46,7 +46,6 @@ profile amarok @{exec_path} { include include include - include ptrace (trace) peer=@{profile_name}, diff --git a/apparmor.d/profiles-a-f/anki b/apparmor.d/profiles-a-f/anki index bd2bf6f3..ad78d0a0 100644 --- a/apparmor.d/profiles-a-f/anki +++ b/apparmor.d/profiles-a-f/anki @@ -25,7 +25,6 @@ profile anki @{exec_path} { include include include - include signal (send) set=(term, kill) peer=anki//mpv, diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 959b513e..27e1945a 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote 
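Review bot: In systemd-coredump, `mount -> /,` together with the new `capability sys_admin,` allows any mount operation onto the root directory with no fstype or option restriction, and neither line carries a comment saying what the dumper needs it for. If this is about changing mount propagation before looking at the crashed process, restrict it to that, e.g. `mount options=(rw, rslave) -> /,` (confirm against the actual denial), and record the log line that motivated it. The rewritten dump rule `owner /var/lib/systemd/coredump/core.*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*,` only matches zstd output, so a coredump.conf with a different compressor or compression disabled will be denied the rename; widen the glob to `core.*{,.zst,.lz4,.xz}` or document that zstd is assumed.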
@@ -11,7 +11,6 @@ profile anyremote @{exec_path} { include include include - include signal (receive) set=(int, term, kill), signal (send) set=(term, kill), diff --git a/apparmor.d/profiles-a-f/appimage-beyond-all-reason b/apparmor.d/profiles-a-f/appimage-beyond-all-reason index 866eca0b..dd72bbee 100644 --- a/apparmor.d/profiles-a-f/appimage-beyond-all-reason +++ b/apparmor.d/profiles-a-f/appimage-beyond-all-reason @@ -22,18 +22,10 @@ profile appimage-beyond-all-reason @{exec_path} { include include include + include capability sys_ptrace, - # For kernel unprivileged user namespaces - capability sys_admin, - capability sys_chroot, - capability setuid, - capability setgid, - owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/uid_map w, - network netlink raw, network inet dgram, network inet6 dgram, @@ -51,20 +43,13 @@ profile appimage-beyond-all-reason @{exec_path} { mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/, - /var/tmp/ r, - /tmp/ r, - /tmp/.mount_Beyond*/ rw, - /tmp/.mount_Beyond*/beyond-all-reason rix, - /tmp/.mount_Beyond*/AppRun rix, - /tmp/.mount_Beyond*/bin/* rix, - /tmp/.mount_Beyond*/resources/app.asar.unpacked/node_modules/** rix, - /tmp/.mount_Beyond*/** r, - /tmp/.mount_Beyond*/**.so{,.[0-9]*} mr, - owner /tmp/.org.chromium.Chromium.*/ rw, - owner /tmp/.org.chromium.Chromium.*/SingletonCookie rw, - owner /tmp/.org.chromium.Chromium.*/SS rw, - owner /tmp/.org.chromium.Chromium.*/*.png rw, - owner /tmp/.org.chromium.Chromium.* rw, + /tmp/.mount_Beyond*/ rw, + /tmp/.mount_Beyond*/beyond-all-reason rix, + /tmp/.mount_Beyond*/AppRun rix, + /tmp/.mount_Beyond*/bin/* rix, + /tmp/.mount_Beyond*/resources/app.asar.unpacked/node_modules/** rix, + /tmp/.mount_Beyond*/** r, + /tmp/.mount_Beyond*/**.so{,.[0-9]*} mr, owner @{user_config_dirs}/Beyond-All-Reason/ rw, owner @{user_config_dirs}/Beyond-All-Reason/** rwk, 
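Review bot: The removed Chromium temp rules in appimage-beyond-all-reason include `owner /tmp/.org.chromium.Chromium.*/*.png rw,`, an Electron-style pattern that is not obviously part of a generic Chromium abstraction, and deltachat-desktop's hunk drops the same line. Unless the include that replaces the block covers `*.png` under the singleton directory, both apps lose it silently; verify, or keep the line in the profile with `# Electron tray/notification icons` (confirm what writes them). The `/tmp/.mount_Beyond*/` rules are removed and re-added with text that is identical in this view, presumably an indentation change; leaving them untouched would keep the hunk to the actual change.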
@@ -76,12 +61,6 @@ profile appimage-beyond-all-reason @{exec_path} { owner @{HOME}/.spring/ rw, owner @{HOME}/.spring/** rw, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - @{PROC}/ r, owner @{PROC}/@{pid}/fd/ r, deny owner @{PROC}/@{pid}/cmdline r, @@ -94,8 +73,6 @@ profile appimage-beyond-all-reason @{exec_path} { @{PROC}sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, - owner /dev/shm/.org.chromium.Chromium.* rw, - @{sys}/bus/pci/devices/ r, @{sys}/devices/pci[0-9]*/**/class r, @{sys}/devices/virtual/tty/tty0/active r, diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index 28f4dc78..495f45c2 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr @@ -16,7 +16,6 @@ profile arandr @{exec_path} { include include include - include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril new file mode 100644 index 00000000..a40ef1c3 --- /dev/null +++ b/apparmor.d/profiles-a-f/atril 
@@ -0,0 +1,96 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+# Ebooks extensions
+# pdf, epub, djvu
+@{atril_ext} = [pP][dD][fF]
+@{atril_ext} += [eE][pP][uU][bB]
+@{atril_ext} += [dD][jJ][vV][uU]
+
+# PNG preview
+@{atril_ext} += [pP][nN][gG]
+
+@{exec_path} = /{usr/,}bin/atril{,-*}
+profile atril @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess rix,
+ /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess rix,
+
+ # Which media files atril should be able to open
+ / r,
+ /home/ r,
+ owner @{HOME}/ r,
+ owner @{HOME}/**/ r,
+ @{MOUNTS}/ r,
+ owner @{MOUNTS}/**/ r,
+ /tmp/ r,
+ /tmp/mozilla_*/ r,
+ owner /{home,media,tmp}/**.@{atril_ext} rw,
+
+ /usr/share/atril/{,**} r,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ include
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/statm r,
+ deny owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/cgroup r,
+ @{PROC}/zoneinfo r,
+
+ /sys/firmware/acpi/pm_profile r,
+ /sys/devices/virtual/dmi/id/chassis_type r,
+ /sys/fs/cgroup/** r,
+
+ /etc/fstab r,
+
+ /usr/share/poppler/** r,
+
+ owner @{user_config_dirs}/atril/ rw,
+ owner @{user_config_dirs}/atril/* rw,
+
+ owner @{user_cache_dirs}/atril/ rw,
+ owner @{user_cache_dirs}/atril/** rw,
+
+ owner @{user_share_dirs}/gvfs-metadata/home r,
+ owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
+
+ owner /tmp/gtkprint_* rw,
+ owner /tmp/atril-@{pid}/ rw,
+ owner /tmp/atril-@{pid}/*/ rw,
+ owner /tmp/atril-@{pid}/*/mimetype rw,
+ owner /tmp/atril-@{pid}/*/META-INF/ rw,
+ owner /tmp/atril-@{pid}/*/META-INF/container.xml rw,
+ owner /tmp/atril-@{pid}/*/index_split_[0-9]*.html rw,
+ owner /tmp/atril-@{pid}/*/page_styles.css rw,
+ owner /tmp/atril-@{pid}/*/titlepage.xhtml rw,
+ owner /tmp/atril-@{pid}/*/stylesheet.css rw,
+ owner /tmp/atril-@{pid}/*/images/ rw,
+ owner /tmp/atril-@{pid}/*/images/*.jpg rw,
+ owner /tmp/atril-@{pid}/*/toc.ncx rw,
+ owner /tmp/atril-@{pid}/*/content.opf rw,
+ owner /tmp/atril-@{pid}/*/META-INF/calibre_bookmarks.txt rw,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-f/atrild b/apparmor.d/profiles-a-f/atrild
new file mode 100644
index 00000000..6240c486
--- /dev/null
+++ b/apparmor.d/profiles-a-f/atrild
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+# Ebooks extensions
+# pdf, epub, djvu
+@{qpdfview_ext} = [pP][dD][fF]
+@{qpdfview_ext} += [eE][pP][uU][bB]
+@{qpdfview_ext} += [dD][jJ][vV][uU]
+
+@{exec_path} = /{usr/,}lib/atril/atrild
+profile atrild @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray
index f6388c8f..e2a83cb3 100644
--- a/apparmor.d/profiles-a-f/birdtray
+++ b/apparmor.d/profiles-a-f/birdtray
@@ -20,7 +20,6 @@ profile birdtray @{exec_path} {
 include
 include
 include
- include
 network inet dgram,
 network inet6 dgram,
@@ -71,7 +70,6 @@ profile birdtray @{exec_path} {
 # file_inherit
 owner /dev/tty[0-9]* rw,
- owner @{HOME}/.xsession-errors w,
 profile open {
diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird
index fb3b060c..7bef336b 100644
--- a/apparmor.d/profiles-a-f/cawbird
+++ b/apparmor.d/profiles-a-f/cawbird
@@ -18,7 +18,6 @@ profile cawbird @{exec_path} {
 include
 include
 include
- include
 network inet dgram,
 network inet6 dgram,
diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail
index 9713bfbc..df4b007b 100644
--- a/apparmor.d/profiles-a-f/claws-mail
+++ b/apparmor.d/profiles-a-f/claws-mail
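Review bot: `/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess rix,` and the WebKitWebProcess line below it hard-code the multiarch triplet and run both helpers inside the atril profile, although the rest of the set writes such paths as `/{usr/,}lib/@{multiarch}/...` (see the gsmartcontrol hunk) and uses `@{sys}` rather than the literal `/sys/` found on `pm_profile`, `chassis_type` and `/sys/fs/cgroup/**`. With `rix` the WebKit web process that renders EPUB content inherits everything atril may do, including `owner /{home,media,tmp}/**.@{atril_ext} rw,`, which is write access to every pdf/epub/djvu/png under the user's home; if annotations are the only reason for `w`, say so in the `# Which media files` comment, otherwise `r` is enough for a viewer, and the WebKit processes are candidates for a child profile. `/sys/fs/cgroup/** r,` also has no comment explaining what reads it.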
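Review bot: In atrild, `@{qpdfview_ext}` is defined three times but never referenced by any rule, and its name points at a different profile, so this looks like a copy-paste leftover; drop the variable block together with its `# Ebooks extensions` / `# pdf, epub, djvu` comment, or rename it and use it in a rule. The body otherwise grants only `@{exec_path} mr,`, which may be too little for a daemon, but nothing in the hunk shows what atrild opens, so that is for the audit log to tell.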
@@ -19,7 +19,6 @@ profile claws-mail @{exec_path} flags=(complain) { include include include - include @{exec_path} mr, @@ -66,9 +65,6 @@ profile claws-mail @{exec_path} flags=(complain) { /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/publicsuffix/*.dafsa r, - # file_inherit - owner @{HOME}/.xsession-errors w, - profile gpg { include diff --git a/apparmor.d/profiles-a-f/compton b/apparmor.d/profiles-a-f/compton index 367fde50..f24d2710 100644 --- a/apparmor.d/profiles-a-f/compton +++ b/apparmor.d/profiles-a-f/compton @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/compton profile compton @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 3a08586c..eae5f2a6 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -16,7 +16,6 @@ profile conky @{exec_path} { include include include - include # To get the external IP address # For samba share mounts @@ -157,8 +156,11 @@ profile conky @{exec_path} { include include - network inet, - network inet6, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, /{usr/,}bin/wget mr, /{usr/,}bin/curl mr, diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index cd7041a6..47933cc8 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall @@ -19,7 +19,6 @@ profile convertall @{exec_path} { include include include - include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 46ac315f..ce8e9646 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop 
@@ -23,14 +23,7 @@ profile deltachat-desktop @{exec_path} { include include include - - # The following rules are needed only when the kernel.unprivileged_userns_clone option is set - # to "1". - capability sys_admin, - capability sys_chroot, - owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/uid_map w, + include network inet dgram, network inet6 dgram, @@ -59,13 +52,6 @@ profile deltachat-desktop @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - /var/tmp/ r, - /tmp/ r, - owner /tmp/.org.chromium.Chromium.*/ rw, - owner /tmp/.org.chromium.Chromium.*/SingletonCookie w, - owner /tmp/.org.chromium.Chromium.*/SS w, - owner /tmp/.org.chromium.Chromium.*/*.png rw, - owner /tmp/.org.chromium.Chromium.* rw, owner /tmp/[0-9a-f]*/ rw, owner /tmp/[0-9a-f]*/db.sqlite-blobs/ rw, owner /tmp/[0-9a-f]*/db.sqlite rwk, @@ -85,8 +71,6 @@ profile deltachat-desktop @{exec_path} { @{PROC}/sys/fs/inotify/max_user_watches r, /dev/ r, - /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.* rw, # (#FIXME#) deny @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 8c58edfe..4aaf87a9 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -57,8 +57,7 @@ profile dhclient-script @{exec_path} { /{usr/,}bin/ip rix, # For loadbalance - /etc/iproute2/rt_tables r, - /etc/iproute2/rt_tables.d/{,*} r, + /etc/iproute2/** r, owner @{PROC}/@{pid}/loginuid r, # For updating the /etc/resolv.conf file @@ -91,7 +90,7 @@ profile dhclient-script @{exec_path} { @{run}/chrony-dhcp/ rw, # file_inherit - /var/lib/dhcp/dhclient.leases r, + /var/lib/dhcp/*.leases r, profile run-parts { @@ -102,7 +101,7 @@ profile dhclient-script @{exec_path} { /etc/dhcp/dhclient-{enter,exit}-hooks.d/ r, # file_inherit - owner /var/lib/dhcp/dhclient.leases r, + /var/lib/dhcp/*.leases r, } 
diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 7dcd7de9..33acd41f 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -16,7 +16,6 @@ profile engrampa @{exec_path} { include include include - include @{exec_path} mr, @@ -75,6 +74,8 @@ profile engrampa @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/magic r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 4f2231b4..01509248 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -10,7 +10,6 @@ include profile evince @{exec_path} { include include - include include include include diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index f8c290af..9086451a 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -10,7 +10,6 @@ include profile execute-dcut @{exec_path} flags=(complain) { include include - include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 59904a4e..5748116e 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -11,7 +11,6 @@ profile execute-dput @{exec_path} flags=(complain) { include include include - include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 0f56dd2a..0d423f59 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -45,13 +45,13 @@ include @{exec_path} = /{usr/,}bin/ffmpeg profile ffmpeg @{exec_path} { include + include include include include include include include - include network inet dgram, network inet6 dgram, 
diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay
index 83aa889c..9305b255 100644
--- a/apparmor.d/profiles-a-f/ffplay
+++ b/apparmor.d/profiles-a-f/ffplay
@@ -45,7 +45,6 @@ profile ffplay @{exec_path} {
 include
 include
 include
- include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/ffprobe b/apparmor.d/profiles-a-f/ffprobe
index 1391d5b2..628a0225 100644
--- a/apparmor.d/profiles-a-f/ffprobe
+++ b/apparmor.d/profiles-a-f/ffprobe
@@ -40,10 +40,10 @@ include
 @{exec_path} = /{usr/,}bin/ffprobe
 profile ffprobe @{exec_path} {
 include
+ include
 include
 include
 include
- include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount
index bf04ed85..a0125f26 100644
--- a/apparmor.d/profiles-a-f/fusermount
+++ b/apparmor.d/profiles-a-f/fusermount
@@ -29,7 +29,7 @@ profile fusermount @{exec_path} {
 mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/,
 mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/,
 mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/,
- mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/doc/,
+ mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/,
 umount @{HOME}/*/,
 umount @{HOME}/*/*/,
@@ -37,8 +37,7 @@ profile fusermount @{exec_path} {
 umount @{MOUNTS}/*/,
 umount @{MOUNTS}/*/*/,
 umount /tmp/.mount_*/,
- umount @{run}/user/@{uid}/doc/,
- umount @{run}/user/@{uid}/gvfs/,
+ umount @{run}/user/@{uid}/*/,
 /etc/fuse.conf r,
 /etc/machine-id r,
diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim
index 94ea627c..1bca6d89 100644
--- a/apparmor.d/profiles-g-l/gajim
+++ b/apparmor.d/profiles-g-l/gajim
@@ -25,7 +25,6 @@ profile gajim @{exec_path} {
 include
 include
 include
- include
 network inet dgram,
 network inet6 dgram,
diff --git a/apparmor.d/profiles-g-l/games-wesnoth b/apparmor.d/profiles-g-l/games-wesnoth
index b548d4a0..d9af5f75 100644
--- a/apparmor.d/profiles-g-l/games-wesnoth
+++ b/apparmor.d/profiles-g-l/games-wesnoth
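Review bot: `mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/,` and `umount @{run}/user/@{uid}/*/,` replace the explicit `doc/` and `gvfs/` targets with a wildcard, so the setuid helper may now mount over any directory under the user's runtime dir. If a third mountpoint was the trigger, enumerate it instead, e.g. `mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/{doc,gvfs,<third-dir>}/,` (placeholder for the new target) with a comment naming the consumer; the removed explicit rules were the safer form, and the umount rule should mirror whichever list is chosen.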
@@ -16,7 +16,6 @@ profile games-wesnoth @{exec_path} { include include include - include @{exec_path} mrix, diff --git a/apparmor.d/profiles-g-l/games-wesnoth-sh b/apparmor.d/profiles-g-l/games-wesnoth-sh index e30b3636..167009b1 100644 --- a/apparmor.d/profiles-g-l/games-wesnoth-sh +++ b/apparmor.d/profiles-g-l/games-wesnoth-sh @@ -9,7 +9,6 @@ include @{exec_path} = /usr/games/wesnoth-[0-9]*{-nolog,-smalgui,_editor} /usr/games/wesnoth-nolog profile games-wesnoth-sh @{exec_path} { include - include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index 8eef2054..cc43f74d 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -18,7 +18,6 @@ profile ganyremote @{exec_path} { include include include - include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-g-l/globaltime b/apparmor.d/profiles-g-l/globaltime index 6914f7e1..6a43f7d0 100644 --- a/apparmor.d/profiles-g-l/globaltime +++ b/apparmor.d/profiles-g-l/globaltime @@ -13,7 +13,6 @@ profile globaltime @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa index 81550ddd..64a7b598 100644 --- a/apparmor.d/profiles-g-l/gpa +++ b/apparmor.d/profiles-g-l/gpa @@ -15,7 +15,6 @@ profile gpa @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 39244fb3..a8008aff 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -15,7 +15,6 @@ profile gpo @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 1cdd05c2..ccfad166 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder 
@@ -18,7 +18,6 @@ profile gpodder @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres index eaf445bc..27c43a4b 100644 --- a/apparmor.d/profiles-g-l/gpodder-migrate2tres +++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres @@ -10,7 +10,6 @@ include profile gpodder-migrate2tres @{exec_path} { include include - include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 9443d5dd..8adee824 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -14,7 +14,6 @@ profile gsmartcontrol @{exec_path} { include include include - include capability dac_read_search, @@ -67,9 +66,6 @@ profile gsmartcontrol @{exec_path} { # hence this behavior should be blocked. deny /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx, - # file_inherit - owner @{HOME}/.xsession-errors w, - profile dbus { include diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 2184266e..67e1baec 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -17,7 +17,6 @@ profile gtk-youtube-viewer @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index ea1b544c..50159643 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -38,7 +38,7 @@ profile hardinfo @{exec_path} { /{usr/,}bin/python2.[0-9]* rix, /{usr/,}bin/python3.[0-9]* rix, /{usr/,}bin/perl rix, - /{usr/,}bin/ruby2.[0-9]* rix, + /{usr/,}bin/ruby[0-9].[0-9]* rix, /{usr/,}bin/make rix, /{usr/,}bin/strace rix, /{usr/,}bin/gdb rix, 
diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat index 0f01e784..4cc7555e 100644 --- a/apparmor.d/profiles-g-l/hexchat +++ b/apparmor.d/profiles-g-l/hexchat @@ -21,7 +21,6 @@ profile hexchat @{exec_path} { # For python/perl plugins include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index 4ebb16de..5bc7cdfc 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -31,6 +31,7 @@ profile hypnotix @{exec_path} { include signal (send) set=(term, kill) peer=youtube-dl, + signal (send) set=(term, kill) peer=yt-dlp, network inet dgram, network inet6 dgram, @@ -48,7 +49,8 @@ profile hypnotix @{exec_path} { /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, - /{usr/,}bin/youtube-dl rPx, + /{usr/,}bin/youtube-dl rPUx, + /{usr/,}bin/yt-dlp rPUx, /{usr/,}lib/firefox/firefox rPx, # Which files hypnotix should be able to open diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 3c4283d9..33358331 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -23,14 +23,20 @@ profile ifup @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/ip rix, /{usr/,}bin/sleep rix, + /{usr/,}bin/seq rix, /{usr/,}{s,}bin/dhclient rPx, /{usr/,}bin/macchanger rPx, + /{usr/,}lib/ifupdown/*.sh rix, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}sbin/sysctl rCx -> sysctl, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, + /etc/iproute2/rt_scopes r, @{run}/network/ rw, @{run}/network/{.,}ifstate* rwk, 
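Review bot: Changing `youtube-dl` from `rPx` to `rPUx` and adding `yt-dlp rPUx` means both downloaders fall back to running unconfined whenever their profile is not loaded, silently losing the confinement the old `rPx` enforced (with `rPx` the exec fails instead). The signal rule added earlier in this file names `peer=yt-dlp`, so a yt-dlp profile is evidently expected to exist; if so, `rPx` is the stricter choice for both. If the unconfined fallback is deliberate, to keep hypnotix working where the downloader profiles are not installed, a comment stating that trade-off would make it clear, e.g. `# PUx: run unconfined if the youtube-dl/yt-dlp profile is not loaded`.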
@@ -82,5 +88,37 @@ profile ifup @{exec_path} { } + profile kmod { + include + + /{usr/,}bin/kmod mr, + + @{sys}/module/** r, + + @{PROC}/cmdline r, + @{PROC}/modules r, + + /etc/modprobe.d/ r, + /etc/modprobe.d/*.conf r, + + } + + profile sysctl { + include + +# capability mac_admin, +# capability sys_admin, +# capability sys_resource, + + /{usr/,}sbin/sysctl mr, + + @{PROC}/sys/ r, + @{PROC}/sys/** r, + + @{PROC}/sys/net/ipv6/conf/*/accept_ra rw, + @{PROC}/sys/net/ipv6/conf/*/autoconf rw, + + } + include if exists } diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader index cca16ade..54d512f4 100644 --- a/apparmor.d/profiles-g-l/jdownloader +++ b/apparmor.d/profiles-g-l/jdownloader @@ -17,7 +17,6 @@ profile jdownloader @{exec_path} { include include include - include @{exec_path} rix, diff --git a/apparmor.d/profiles-g-l/jdownloader-install b/apparmor.d/profiles-g-l/jdownloader-install index 78e166e7..e5223d19 100644 --- a/apparmor.d/profiles-g-l/jdownloader-install +++ b/apparmor.d/profiles-g-l/jdownloader-install @@ -17,7 +17,6 @@ profile jdownloader-install @{exec_path} { include include include - include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll index a357840b..c80ec1eb 100644 --- a/apparmor.d/profiles-g-l/jekyll +++ b/apparmor.d/profiles-g-l/jekyll @@ -13,12 +13,16 @@ profile jekyll @{exec_path} { include include include - include @{exec_path} r, - /{usr/,}bin/ruby2.[0-9]* r, + /{usr/,}bin/ruby[0-9].[0-9]* rix, - /usr/share/rubygems-integration/** r, + /usr/share/rubygems-integration/*/specifications/ r, + /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, + + /{usr/,}lib/ruby/gems/*/specifications/ r, + /{usr/,}lib/ruby/gems/*/specifications/** r, + /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk, /usr/share/ruby-addressable/unicode.data r, 
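Review bot: The new `kmod` child profile grants neither `capability sys_module` nor read access to the module tree under `/{usr/,}lib/modules/`, so as far as these rules show modprobe run from ifup can query `@{sys}/module/` and `/etc/modprobe.d/` but cannot actually load a module (unless an included abstraction outside the hunk supplies that). If loading modules from ifupdown hook scripts is intentionally disallowed, that is a sensible restriction and deserves a comment, e.g. `# query only: no sys_module, so modprobe cannot load modules from ifup`; if it is needed, the capability and the module-file reads have to be added. The `sysctl` child profile's commented-out `mac_admin`, `sys_admin` and `sys_resource` lines should likewise say whether they were seen in denials or are placeholders, since `sys_admin` in particular would be a large grant for a sysctl helper. The enclosing ifup profile starts outside the hunk.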
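Review bot: The two `*.gemspec rwk` rules give jekyll write access to the system-wide gem specifications under `/usr/share/rubygems-integration/` and `/{usr/,}lib/ruby/gems/`, which is the metadata RubyGems trusts when resolving and loading gems; a compromised jekyll plugin running with sufficient DAC rights (e.g. as root) could use that to change what gets loaded. RubyGems presumably only reads and locks these files, and a shared lock on a read-only open does not need `w`, so unless the logged denial was an actual write, `rk` may be enough: `/usr/share/rubygems-integration/*/specifications/*.gemspec rk,` and `/{usr/,}lib/ruby/gems/*/specifications/**.gemspec rk,`. If the write really is required, a comment naming the operation that writes a gemspec would justify the grant.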
diff --git a/apparmor.d/profiles-g-l/jgmenu b/apparmor.d/profiles-g-l/jgmenu index 867d363e..d639e482 100644 --- a/apparmor.d/profiles-g-l/jgmenu +++ b/apparmor.d/profiles-g-l/jgmenu @@ -15,7 +15,6 @@ profile jgmenu @{exec_path} { include include include - include include @{exec_path} mrix, diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 7a6a68c1..0b893ad6 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -22,7 +22,6 @@ profile kanyremote @{exec_path} { include include include - include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 0703dd80..fbd38420 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -25,7 +25,6 @@ profile keepassxc @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/keepassxc-cli b/apparmor.d/profiles-g-l/keepassxc-cli index 32251a02..555c6723 100644 --- a/apparmor.d/profiles-g-l/keepassxc-cli +++ b/apparmor.d/profiles-g-l/keepassxc-cli @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/keepassxc-cli profile keepassxc-cli @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy index 2ea5b7bc..ae24a13c 100644 --- a/apparmor.d/profiles-g-l/keepassxc-proxy +++ b/apparmor.d/profiles-g-l/keepassxc-proxy @@ -10,7 +10,6 @@ include profile keepassxc-proxy @{exec_path} { include include - include signal (receive) set=(term, kill), diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index a0500914..800e9732 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -13,7 +13,6 @@ profile kerneloops-applet @{exec_path} { include include include - include @{exec_path} mr, 
diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index b756d8e6..e0f54cd5 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -17,7 +17,6 @@ profile kodi @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/kodi-xrandr b/apparmor.d/profiles-g-l/kodi-xrandr index 01152adb..3ad826a6 100644 --- a/apparmor.d/profiles-g-l/kodi-xrandr +++ b/apparmor.d/profiles-g-l/kodi-xrandr @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr profile kodi-xrandr @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/kscreenlocker-greet b/apparmor.d/profiles-g-l/kscreenlocker-greet index acf2453f..f3195cdf 100644 --- a/apparmor.d/profiles-g-l/kscreenlocker-greet +++ b/apparmor.d/profiles-g-l/kscreenlocker-greet @@ -18,7 +18,6 @@ profile kscreenlocker-greet @{exec_path} { include include include - include signal (send) peer=kcheckpass, diff --git a/apparmor.d/profiles-g-l/kwalletd5 b/apparmor.d/profiles-g-l/kwalletd5 index b76bf6b7..906242de 100644 --- a/apparmor.d/profiles-g-l/kwalletd5 +++ b/apparmor.d/profiles-g-l/kwalletd5 @@ -21,7 +21,6 @@ profile kwalletd5 @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/kwalletmanager5 b/apparmor.d/profiles-g-l/kwalletmanager5 index a416f140..da18f3d1 100644 --- a/apparmor.d/profiles-g-l/kwalletmanager5 +++ b/apparmor.d/profiles-g-l/kwalletmanager5 @@ -22,7 +22,6 @@ profile kwalletmanager5 @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 50ab18f0..7790d273 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -20,7 +20,6 @@ profile labwc @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, 
diff --git a/apparmor.d/profiles-g-l/light b/apparmor.d/profiles-g-l/light index d3105f2d..479e817b 100644 --- a/apparmor.d/profiles-g-l/light +++ b/apparmor.d/profiles-g-l/light @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/light profile light @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 595fde49..ee14411a 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -16,7 +16,6 @@ profile light-locker @{exec_path} { include include include - include @{exec_path} mr, @@ -28,13 +27,9 @@ profile light-locker @{exec_path} { # when locking the screen and switching/closing sessions @{run}/systemd/sessions/[0-9]* r, - # To silecne the following error: - # dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied. - # dconf will not work properly. - ##include - #owner @{run}/user/@{uid}/dconf/ w, - #owner @{run}/user/@{uid}/dconf/user rw, - include + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, @{sys}/devices/pci[0-9]*/**/uevent r, @{sys}/devices/pci[0-9]*/**/vendor r, diff --git a/apparmor.d/profiles-g-l/light-locker-command b/apparmor.d/profiles-g-l/light-locker-command index 73508f94..a0fcba19 100644 --- a/apparmor.d/profiles-g-l/light-locker-command +++ b/apparmor.d/profiles-g-l/light-locker-command @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/light-locker-command profile light-locker-command @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/lightworks b/apparmor.d/profiles-g-l/lightworks index 12425b32..d27a3287 100644 --- a/apparmor.d/profiles-g-l/lightworks +++ b/apparmor.d/profiles-g-l/lightworks @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/lightworks profile lightworks @{exec_path} { include - include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, 
diff --git a/apparmor.d/profiles-g-l/lightworks-ntcardvt b/apparmor.d/profiles-g-l/lightworks-ntcardvt index 36542f8b..b5077ef4 100644 --- a/apparmor.d/profiles-g-l/lightworks-ntcardvt +++ b/apparmor.d/profiles-g-l/lightworks-ntcardvt @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}lib/lightworks/ntcardvt profile lightworks-ntcardvt @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 5f1cd693..29089244 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -23,11 +23,15 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { # Needed? audit deny capability net_admin, + signal (send) set=(hup), + @{exec_path} mr, /{usr/,}{s,}bin/ r, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/kill rix, /{usr/,}bin/ls rix, /{usr/,}bin/gzip rix, /{usr/,}bin/zstd rix, diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index 7dcf4baa..1a8ef8e8 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -13,7 +13,6 @@ profile lynx @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/mediainfo b/apparmor.d/profiles-m-r/mediainfo index 99ab4053..2dc46484 100644 --- a/apparmor.d/profiles-m-r/mediainfo +++ b/apparmor.d/profiles-m-r/mediainfo @@ -36,7 +36,6 @@ profile mediainfo @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 7f3c11d3..21f54328 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -40,7 +40,6 @@ profile mediainfo-gui @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index 401527eb..96e479d6 100644 --- a/apparmor.d/profiles-m-r/megasync 
+++ b/apparmor.d/profiles-m-r/megasync @@ -25,7 +25,6 @@ profile megasync @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 4f5b438b..2f19be1e 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -23,7 +23,6 @@ profile minitube @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge index 49bd5b84..6516468c 100644 --- a/apparmor.d/profiles-m-r/mkvmerge +++ b/apparmor.d/profiles-m-r/mkvmerge @@ -42,7 +42,6 @@ profile mkvmerge @{exec_path} { include include include - include signal (receive) set=(term, kill) peer=mkvtoolnix-gui, diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 3528448e..faae0775 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -54,7 +54,6 @@ profile mkvtoolnix-gui @{exec_path} { include include include - include signal (send) set=(term, kill) peer=mkvmerge, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix new file mode 100644 index 00000000..4475f4a2 --- /dev/null +++ b/apparmor.d/profiles-m-r/monitorix 
@@ -0,0 +1,106 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/monitorix +profile monitorix @{exec_path} { + include + include + include + include + include + + capability net_admin, + capability chown, + capability fowner, + capability setgid, + capability fsetid, + capability setuid, + capability dac_override, + capability kill, + + network netlink raw, + network inet stream, + network inet6 stream, + + ptrace (read), + + signal (receive) set=(hup) peer=logroate, + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/df rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/free rix, + /{usr/,}bin/ss rix, + /{usr/,}bin/who rix, + /{usr/,}sbin/lvm rix, + /{usr/,}sbin/xtables-nft-multi rix, + /{usr/,}bin/sensors rix, + /{usr/,}bin/getconf rix, + /{usr/,}bin/ps rix, + + /etc/monitorix/monitorix.conf r, + /etc/monitorix/conf.d/ r, + /etc/monitorix/conf.d/[0-9][0-9]-*.conf r, + + /var/log/monitorix w, + /var/log/monitorix-* w, + + owner @{run}/monitorix.pid w, + + /var/lib/monitorix/*.rrd* rwk, + /var/lib/monitorix/www/** rw, + /var/lib/monitorix/www/cgi/monitorix.cgi rwix, + + / r, + /tmp/ r, + /etc/shadow r, + + /dev/tty r, + + @{run}/utmp rk, + + @{PROC}/ r, + @{PROC}/swaps r, + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, + @{PROC}/interrupts r, + @{PROC}/sys/fs/dentry-state r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/inode-nr r, + @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/net/dev r, + owner @{PROC}/@{pid}/net/ip_tables_names r, + owner @{PROC}/@{pid}/net/ip6_tables_names r, + @{PROC}/@{pid}/net/udp{,6} r, + @{PROC}/@{pid}/net/tcp{,6} r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/@{pids}/stat r, + 
@{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/io r, + + @{sys}/class/i2c-adapter/ r, + @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r, + @{sys}/class/hwmon/ r, + @{sys}/devices/**/thermal*/{,**} r, + @{sys}/devices/**/hwmon*/{,**} r, + + /etc/sensors3.conf r, + /etc/sensors.d/ r, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index d1f2b9d6..5d3647f4 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -41,6 +41,10 @@ profile mount @{exec_path} flags=(complain) { /{usr/,}{s,}bin/mount.* rPx, # Mount points + @{HOME}/ r, + @{HOME}/*/ r, + @{HOME}/*/*/ r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, @{MOUNTS}/*/*/ r, /media/cdrom[0-9]/ r, diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index abb70193..3e72a474 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -14,7 +14,6 @@ profile mpsyt @{exec_path} { include include include - include signal (send) set=(term, kill) peer=mpv, diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 2fccf2f1..79c82891 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -70,11 +70,11 @@ profile mpv @{exec_path} { include include include - include signal (receive) set=(term, kill), signal (send) set=(term, kill) peer=youtube-dl, + signal (send) set=(term, kill) peer=yt-dlp, network inet dgram, network inet6 dgram, @@ -149,6 +149,7 @@ profile mpv @{exec_path} { # External apps /{usr/,}bin/youtube-dl rPUx, + /{usr/,}bin/yt-dlp rPUx, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index 72b25d1a..30bb31b3 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -24,7 +24,6 @@ profile mumble @{exec_path} { include include include - include network inet dgram, network inet6 dgram, 
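Review bot: `/etc/shadow r` gives a monitoring daemon with `network inet stream` access read access to every local password hash, and nothing else in the profile (no authentication-related abstraction) shows why it is needed; it should either be dropped or the specific collector that reads it named in a comment so the grant can be revisited. `/var/lib/monitorix/www/cgi/monitorix.cgi rwix` combines write and execute on the same script, so anything that can write the CGI can then run its own code under this profile; `rix` (the script is presumably installed by the package) plus a `/var/lib/monitorix/www/** rw` rule that excludes `cgi/` would remove that. Separately, `peer=logroate` is misspelled, so the HUP that logrotate sends will be denied; it should read `signal (receive) set=(hup) peer=logrotate,`.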
diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index 8f23dab3..bfc23918 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -10,7 +10,6 @@ include profile mumble-overlay @{exec_path} { include include - include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-m-r/numlockx b/apparmor.d/profiles-m-r/numlockx index a7eeadbe..7e9438c5 100644 --- a/apparmor.d/profiles-m-r/numlockx +++ b/apparmor.d/profiles-m-r/numlockx @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/numlockx profile numlockx @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index 5e965bcf..e8d1fb0b 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -10,7 +10,6 @@ include profile obamenu @{exec_path} { include include - include @{exec_path} r, /{usr/,}bin/python3.[0-9]* rix, diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 9da1201e..9ad55666 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -15,8 +15,6 @@ profile obconf @{exec_path} { include include include - include - include @{exec_path} mr, @@ -35,6 +33,10 @@ profile obconf @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-r/obxprop b/apparmor.d/profiles-m-r/obxprop index f79bf002..efe0e8ab 100644 --- a/apparmor.d/profiles-m-r/obxprop +++ b/apparmor.d/profiles-m-r/obxprop @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/obxprop profile obxprop @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index 18abf6b7..05a758b9 100644 --- a/apparmor.d/profiles-m-r/openbox 
+++ b/apparmor.d/profiles-m-r/openbox @@ -13,7 +13,6 @@ profile openbox @{exec_path} { include include include - include signal (send) set=(term, kill), diff --git a/apparmor.d/profiles-m-r/openbox-session b/apparmor.d/profiles-m-r/openbox-session index f901de07..3c2de698 100644 --- a/apparmor.d/profiles-m-r/openbox-session +++ b/apparmor.d/profiles-m-r/openbox-session @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/openbox-session profile openbox-session @{exec_path} { include - include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index 29f0b723..4d8eff76 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -15,7 +15,6 @@ profile orage @{exec_path} { include include include - include @{exec_path} mr, @@ -42,7 +41,6 @@ profile orage @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, - owner @{HOME}/.xsession-errors w, profile open { diff --git a/apparmor.d/profiles-m-r/pacmd b/apparmor.d/profiles-m-r/pacmd index 9a4732ad..5a8ab571 100644 --- a/apparmor.d/profiles-m-r/pacmd +++ b/apparmor.d/profiles-m-r/pacmd @@ -11,10 +11,10 @@ profile pacmd @{exec_path} { include include include - include #capability sys_ptrace, ptrace peer=pulseaudio, + ptrace (read) peer=pipewire, signal (send) peer=pulseaudio, diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl index ba5f7359..07538159 100644 --- a/apparmor.d/profiles-m-r/pactl +++ b/apparmor.d/profiles-m-r/pactl @@ -11,7 +11,6 @@ profile pactl @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pavucontrol b/apparmor.d/profiles-m-r/pavucontrol index cf1a08b5..1b2c8954 100644 --- a/apparmor.d/profiles-m-r/pavucontrol +++ b/apparmor.d/profiles-m-r/pavucontrol @@ -14,7 +14,6 @@ profile pavucontrol @{exec_path} { include include include - include @{exec_path} mr, 
diff --git a/apparmor.d/profiles-m-r/picom b/apparmor.d/profiles-m-r/picom index 51d01a10..de3be988 100644 --- a/apparmor.d/profiles-m-r/picom +++ b/apparmor.d/profiles-m-r/picom @@ -12,7 +12,6 @@ profile picom @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pipewire b/apparmor.d/profiles-m-r/pipewire index d602df82..a8f0fc53 100644 --- a/apparmor.d/profiles-m-r/pipewire +++ b/apparmor.d/profiles-m-r/pipewire @@ -13,7 +13,7 @@ profile pipewire @{exec_path} { include include - ptrace (read), + ptrace (read) peer=pipewire*, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pipewire-media-session b/apparmor.d/profiles-m-r/pipewire-media-session index 5f844d44..bf6e8873 100644 --- a/apparmor.d/profiles-m-r/pipewire-media-session +++ b/apparmor.d/profiles-m-r/pipewire-media-session @@ -22,10 +22,12 @@ profile pipewire-media-session @{exec_path} { /usr/share/alsa-card-profile/{,**} r, /usr/share/alsa/{,**} r, + /usr/share/pipewire/*.conf r, /usr/share/pipewire/media-session.d/{,**} r, /usr/share/spa-*/bluez[0-9]*/{,*} r, /etc/alsa/{,**} r, + /etc/pipewire/*.conf r, /etc/pipewire/media-session.d/*.conf r, /etc/pulse/{,**} r, diff --git a/apparmor.d/profiles-m-r/pipewire-pulse b/apparmor.d/profiles-m-r/pipewire-pulse index d5f03c45..942e51fe 100644 --- a/apparmor.d/profiles-m-r/pipewire-pulse +++ b/apparmor.d/profiles-m-r/pipewire-pulse @@ -15,7 +15,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, - ptrace (read), + ptrace (read) peer=pipewire*, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/polkit-agent-helper b/apparmor.d/profiles-m-r/polkit-agent-helper index 35812d4f..194209a5 100644 --- a/apparmor.d/profiles-m-r/polkit-agent-helper +++ b/apparmor.d/profiles-m-r/polkit-agent-helper 
@@ -13,7 +13,6 @@ profile polkit-agent-helper @{exec_path} { include include include - include signal (receive) set=(term, kill) peer=polkit-*-authentication-agent, signal (receive) set=(term, kill) peer=gnome-shell, diff --git a/apparmor.d/profiles-m-r/polkit-kde-authentication-agent b/apparmor.d/profiles-m-r/polkit-kde-authentication-agent index 6a3b12f2..76086eb1 100644 --- a/apparmor.d/profiles-m-r/polkit-kde-authentication-agent +++ b/apparmor.d/profiles-m-r/polkit-kde-authentication-agent @@ -20,7 +20,6 @@ profile polkit-kde-authentication-agent @{exec_path} { include include include - include signal (send) set=(term, kill) peer=polkit-agent-helper, diff --git a/apparmor.d/profiles-m-r/polkit-mate-authentication-agent b/apparmor.d/profiles-m-r/polkit-mate-authentication-agent index e2ac83e2..38ee6a3b 100644 --- a/apparmor.d/profiles-m-r/polkit-mate-authentication-agent +++ b/apparmor.d/profiles-m-r/polkit-mate-authentication-agent @@ -17,8 +17,6 @@ profile polkit-mate-authentication-agent @{exec_path} { include include include - include - include signal (send) set=(term, kill) peer=polkit-agent-helper, @@ -35,6 +33,10 @@ profile polkit-mate-authentication-agent @{exec_path} { owner @{HOME}/.Xauthority r, + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/X11/xkb/** r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 5b352657..372c5f83 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -25,7 +25,6 @@ profile psi @{exec_path} { include include include - include signal (send) set=(term, kill) peer=lsb_release, @@ -92,9 +91,6 @@ profile psi @{exec_path} { /usr/share/hwdata/pnp.ids r, - # file_inherit - owner @{HOME}/.xsession-errors w, - # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index b3187bcd..6834f197 100644 
--- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -25,7 +25,6 @@ profile psi-plus @{exec_path} { include include include - include signal (send) set=(term, kill) peer=lsb_release, @@ -92,9 +91,6 @@ profile psi-plus @{exec_path} { /usr/share/hwdata/pnp.ids r, - # file_inherit - owner @{HOME}/.xsession-errors w, - # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/profiles-m-r/pulseaudio b/apparmor.d/profiles-m-r/pulseaudio index 7f28d354..785c056f 100644 --- a/apparmor.d/profiles-m-r/pulseaudio +++ b/apparmor.d/profiles-m-r/pulseaudio @@ -15,7 +15,6 @@ profile pulseaudio @{exec_path} { include include include - include ptrace (trace) peer=@{profile_name}, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 184548ea..0ec27039 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -35,7 +35,6 @@ profile qbittorrent @{exec_path} { include include include - include include if exists include if exists diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index 53f31752..defec22b 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -14,7 +14,6 @@ profile qbittorrent-nox @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 64f56c00..e143633a 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -52,7 +52,6 @@ profile qnapi @{exec_path} { include include include - include # Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the # action (stop qnapi), the apps send the term/kill signal to qnapi. diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index 17a5eb58..451ae197 100644 --- a/apparmor.d/profiles-m-r/qpdfview 
+++ b/apparmor.d/profiles-m-r/qpdfview @@ -28,7 +28,6 @@ profile qpdfview @{exec_path} { include include include - include @{exec_path} mr, @@ -48,7 +47,7 @@ profile qpdfview @{exec_path} { owner @{MOUNTS}/**/ r, /tmp/ r, /tmp/mozilla_*/ r, - owner /{home,media,tmp,tmp/mozilla_*}/**.@{qpdfview_ext} rw, + owner /{home,media,tmp}/**.@{qpdfview_ext} rw, owner @{user_config_dirs}/qpdfview/ rw, owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#[0-9]*[0-9], diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index 0fa502bb..c988f712 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -21,7 +21,6 @@ profile qtox @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index f520731f..31b990b7 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -24,7 +24,6 @@ profile quiterss @{exec_path} { include include include - include # This one is needed when you want to receive sound notifications include @@ -68,13 +67,13 @@ profile quiterss @{exec_path} { owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]* rw, owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]*-lockfile rwk, + owner /var/tmp/etilqs_* rw, # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, # file_inherit owner /dev/tty[0-9]* rw, - owner @{HOME}/.xsession-errors w, profile open { diff --git a/apparmor.d/profiles-m-r/redshift b/apparmor.d/profiles-m-r/redshift index 8c6ef806..3e890b3e 100644 --- a/apparmor.d/profiles-m-r/redshift +++ b/apparmor.d/profiles-m-r/redshift @@ -12,7 +12,6 @@ profile redshift @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 89a30512..10026a4c 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo 
@@ -15,7 +15,6 @@ profile repo @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index 8150e83f..bd38ee85 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -11,7 +11,6 @@ include @{exec_path} = /{usr/,}bin/reprepro profile reprepro @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot index 09b68b6e..ff81a458 100644 --- a/apparmor.d/profiles-s-z/scrot +++ b/apparmor.d/profiles-s-z/scrot @@ -10,7 +10,6 @@ include profile scrot @{exec_path} { include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index fd4cc054..c156317f 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer @@ -71,7 +71,6 @@ profile smplayer @{exec_path} { include include include - include # Needed for hardware decoding ##include @@ -141,6 +140,7 @@ profile smplayer @{exec_path} { /{usr/,}bin/mpv rPUx, /{usr/,}bin/smtube rPUx, /{usr/,}bin/youtube-dl rPUx, + /{usr/,}bin/yt-dlp rPUx, # PulseAudio (to use "pacmd") /{usr/,}bin/pacmd rPUx, diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index bcc872c3..be2f3e8d 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube @@ -21,7 +21,6 @@ profile smtube @{exec_path} { include include include - include network inet dgram, network inet6 dgram, @@ -70,6 +69,7 @@ profile smtube @{exec_path} { /{usr/,}bin/vlc rPUx, /{usr/,}bin/cvlc rPUx, /{usr/,}bin/youtube-dl rPUx, + /{usr/,}bin/yt-dlp rPUx, /{usr/,}bin/xdg-open rCx -> open, diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index 732de55a..8208ddfd 100644 --- a/apparmor.d/profiles-s-z/speedtest +++ b/apparmor.d/profiles-s-z/speedtest 
@@ -12,7 +12,6 @@ profile speedtest @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/spflashtool b/apparmor.d/profiles-s-z/spflashtool index af188bae..e4d60642 100644 --- a/apparmor.d/profiles-s-z/spflashtool +++ b/apparmor.d/profiles-s-z/spflashtool @@ -13,7 +13,6 @@ profile spflashtool @{exec_path} { include include include - include @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx index 22afada1..df9e4ef0 100644 --- a/apparmor.d/profiles-s-z/startx +++ b/apparmor.d/profiles-s-z/startx @@ -11,7 +11,6 @@ profile startx @{exec_path} { include include include - include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index f9a96bf7..78d88b51 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -27,7 +27,6 @@ profile strawberry @{exec_path} { include include include - include signal (send) set=(term, kill) peer=strawberry-tagreader, diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index fc230f00..7e462e94 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -14,7 +14,6 @@ profile strawberry-tagreader @{exec_path} { include include include - include signal (receive) set=(term, kill) peer=strawberry, signal (receive) set=(term, kill) peer=anyremote//*, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index f7c9c868..682e55fc 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -10,7 +10,6 @@ include @{exec_path} = /{usr/,}bin/syncthing profile syncthing @{exec_path} { include - include include include diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 35127a40..dd433076 100644 
--- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -17,7 +17,6 @@ profile system-config-printer @{exec_path} flags=(complain) { include include include - include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index a8e20a63..a4ed8017 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -10,6 +10,8 @@ include profile thermald @{exec_path} { include + capability sys_boot, + @{exec_path} mr, owner @{run}/thermald/ rw, @@ -42,6 +44,7 @@ profile thermald @{exec_path} { @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw, @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r, + @{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r, @{sys}/devices/virtual/thermal/cooling_device[0-9]*/cur_state rw, @{sys}/devices/virtual/thermal/cooling_device[0-9]*/max_state r, @@ -49,6 +52,9 @@ profile thermald @{exec_path} { @{sys}/devices/virtual/powercap/intel-rapl/**/name r, @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/ r, @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/* r, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_time_window_us w, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_power_limit_uw w, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/enabled w, include if exists } diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index 14b81346..eff48ef0 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 @@ -12,7 +12,6 @@ profile tint2 @{exec_path} { include include include - include include network netlink dgram, diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf index fdd67445..ada94a64 100644 --- a/apparmor.d/profiles-s-z/tint2conf +++ b/apparmor.d/profiles-s-z/tint2conf 
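Review bot: `capability sys_boot,` is added to the thermald profile without any comment, and it is by far the broadest grant in the file: CAP_SYS_BOOT permits reboot(2) and kexec_load(2), so a compromised or misbehaving thermald could power off, reboot or kexec the host. Presumably it is there for thermald's emergency power-off when a zone crosses its critical trip point; if so, state it next to the rule, e.g. `# Needed for the emergency power-off (reboot(2)) when a thermal zone reaches its critical trip point`, so the capability is neither dropped by a later cleanup nor copied into other profiles by analogy. If the daemon instead shells out to a shutdown helper, an exec rule for that helper would be the narrower fix. The thermald profile's include list and remaining rules lie outside this hunk.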
@@ -13,7 +13,6 @@ profile tint2conf @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt index 6a749097..c2d4834c 100644 --- a/apparmor.d/profiles-s-z/transmission-qt +++ b/apparmor.d/profiles-s-z/transmission-qt @@ -25,7 +25,6 @@ profile transmission-qt @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index 1aa1a2ae..593d9923 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -19,8 +19,6 @@ profile udiskie @{exec_path} { include include include - include - include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, @@ -39,6 +37,10 @@ profile udiskie @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + # Allowed apps to open /{usr/,}bin/spacefm rPx, diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/profiles-s-z/usbguard-applet-qt index 3a075f7d..85177f65 100644 --- a/apparmor.d/profiles-s-z/usbguard-applet-qt +++ b/apparmor.d/profiles-s-z/usbguard-applet-qt @@ -18,7 +18,6 @@ profile usbguard-applet-qt @{exec_path} { include include include - include # Needed? ptrace (read), diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index 3e54d0e5..a758d8d0 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -17,7 +17,6 @@ profile utox @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index 3960329e..e3a17b8b 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -13,7 +13,6 @@ profile vcsi @{exec_path} { include include include - include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, 
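Review bot: In the udiskie hunk the new dconf abstraction `include` is dropped into the middle of the rule list, after the gschemas rule, whereas every profile in this tree (including udiskie's own first hunk) keeps its `include` lines together at the top of the profile block; moving it up keeps the profile greppable and avoids a second include section growing here. The two `owner @{run}/user/@{uid}/dconf/{,user} rw` lines are what actually lets dconf create its per-user file, so a short comment such as `# dconf needs to create @{run}/user/@{uid}/dconf/user (previously denied via deny-dconf)` would explain why a formerly denied path is now allowed. The udiskie profile continues beyond the hunk.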
diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index c835490d..7bc9bd7b 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -51,7 +51,6 @@ profile vidcutter @{exec_path} { include include include - include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat index 4cb815de..a9bdfe12 100644 --- a/apparmor.d/profiles-s-z/vnstat +++ b/apparmor.d/profiles-s-z/vnstat @@ -10,7 +10,6 @@ include profile vnstat @{exec_path} { include include - include # The following rules are needed when adding a new interface to the vnstat database. Usually this # action is performed as root, but the vnstatd daemon is run as vnstat (user/group), and all the diff --git a/apparmor.d/profiles-s-z/volumeicon b/apparmor.d/profiles-s-z/volumeicon index 3d703c97..7002765b 100644 --- a/apparmor.d/profiles-s-z/volumeicon +++ b/apparmor.d/profiles-s-z/volumeicon @@ -19,7 +19,6 @@ profile volumeicon @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index c127dc7d..d549f7bf 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -11,7 +11,6 @@ profile vsftpd @{exec_path} { include include include - include # Only for local users authentication include diff --git a/apparmor.d/profiles-s-z/warzone2100 b/apparmor.d/profiles-s-z/warzone2100 index 0ac5b1d7..8d182e86 100644 --- a/apparmor.d/profiles-s-z/warzone2100 +++ b/apparmor.d/profiles-s-z/warzone2100 @@ -16,7 +16,6 @@ profile warzone2100 @{exec_path} { include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/wmctrl b/apparmor.d/profiles-s-z/wmctrl index aef13ae0..49be4bfe 100644 --- a/apparmor.d/profiles-s-z/wmctrl +++ b/apparmor.d/profiles-s-z/wmctrl 
@@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/wmctrl profile wmctrl @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index 2521335f..0c6d5ff8 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -17,7 +17,6 @@ profile wpa-gui @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 58f6a771..64447750 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -16,7 +16,6 @@ profile xarchiver @{exec_path} { include include include - include @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index e6b8cba2..096d9d23 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -10,7 +10,6 @@ include profile xauth @{exec_path} { include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xbacklight b/apparmor.d/profiles-s-z/xbacklight index cbeccb4e..1e05fea4 100644 --- a/apparmor.d/profiles-s-z/xbacklight +++ b/apparmor.d/profiles-s-z/xbacklight @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/xbacklight profile xbacklight @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xdg-desktop-menu b/apparmor.d/profiles-s-z/xdg-desktop-menu index a4968b3b..463926a4 100644 --- a/apparmor.d/profiles-s-z/xdg-desktop-menu +++ b/apparmor.d/profiles-s-z/xdg-desktop-menu @@ -11,7 +11,6 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) { include include include - include @{exec_path} r, diff --git a/apparmor.d/profiles-s-z/xdg-email b/apparmor.d/profiles-s-z/xdg-email index e45cea99..ee313a64 100644 --- a/apparmor.d/profiles-s-z/xdg-email +++ b/apparmor.d/profiles-s-z/xdg-email 
@@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/xdg-email profile xdg-email @{exec_path} flags=(complain) { include - include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-s-z/xdg-icon-resource b/apparmor.d/profiles-s-z/xdg-icon-resource index f43ca2da..b5cdda39 100644 --- a/apparmor.d/profiles-s-z/xdg-icon-resource +++ b/apparmor.d/profiles-s-z/xdg-icon-resource @@ -11,7 +11,6 @@ profile xdg-icon-resource @{exec_path} flags=(complain) { include include include - include @{exec_path} r, diff --git a/apparmor.d/profiles-s-z/xdg-screensaver b/apparmor.d/profiles-s-z/xdg-screensaver index 8e7786a9..5a90a5bd 100644 --- a/apparmor.d/profiles-s-z/xdg-screensaver +++ b/apparmor.d/profiles-s-z/xdg-screensaver @@ -10,7 +10,6 @@ include profile xdg-screensaver @{exec_path} { include include - include @{exec_path} r, diff --git a/apparmor.d/profiles-s-z/xfce4-notifyd b/apparmor.d/profiles-s-z/xfce4-notifyd index d769a25a..70584efd 100644 --- a/apparmor.d/profiles-s-z/xfce4-notifyd +++ b/apparmor.d/profiles-s-z/xfce4-notifyd @@ -17,7 +17,6 @@ profile xfce4-notifyd @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xfconfd b/apparmor.d/profiles-s-z/xfconfd index 61c44110..40409f6e 100644 --- a/apparmor.d/profiles-s-z/xfconfd +++ b/apparmor.d/profiles-s-z/xfconfd @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd profile xfconfd @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xhost b/apparmor.d/profiles-s-z/xhost index 54aef47d..ca186264 100644 --- a/apparmor.d/profiles-s-z/xhost +++ b/apparmor.d/profiles-s-z/xhost @@ -10,7 +10,6 @@ include profile xhost @{exec_path} { include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 1710570f..4ee25604 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit 
@@ -10,7 +10,6 @@ include profile xinit @{exec_path} { include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xkbcomp b/apparmor.d/profiles-s-z/xkbcomp index d6eb0eb7..39bff6c6 100644 --- a/apparmor.d/profiles-s-z/xkbcomp +++ b/apparmor.d/profiles-s-z/xkbcomp @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xorg b/apparmor.d/profiles-s-z/xorg index 8949c39f..5777432f 100644 --- a/apparmor.d/profiles-s-z/xorg +++ b/apparmor.d/profiles-s-z/xorg @@ -24,7 +24,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { include include include - include # When the Xserver is started via startx as a regular user, there's no need for any of the # following CAPs. When some DM is used instead, some of the CAPs are needed. diff --git a/apparmor.d/profiles-s-z/xrdb b/apparmor.d/profiles-s-z/xrdb index 68b3a5eb..28751b5c 100644 --- a/apparmor.d/profiles-s-z/xrdb +++ b/apparmor.d/profiles-s-z/xrdb @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/xrdb profile xrdb @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel index fd04122c..2711a8e7 100644 --- a/apparmor.d/profiles-s-z/xsel +++ b/apparmor.d/profiles-s-z/xsel @@ -10,7 +10,6 @@ include profile xsel @{exec_path} { include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xset b/apparmor.d/profiles-s-z/xset index b03ad22c..6bf68d81 100644 --- a/apparmor.d/profiles-s-z/xset +++ b/apparmor.d/profiles-s-z/xset @@ -10,7 +10,6 @@ include profile xset @{exec_path} { include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xsetroot b/apparmor.d/profiles-s-z/xsetroot index 315dc70d..712384d1 100644 --- a/apparmor.d/profiles-s-z/xsetroot +++ b/apparmor.d/profiles-s-z/xsetroot 
@@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/xsetroot profile xsetroot @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 07c72c61..361df0c7 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -52,7 +52,6 @@ profile youtube-dl @{exec_path} { include include include - include signal (receive) set=(term, kill), diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer index b3be3343..8de23f04 100644 --- a/apparmor.d/profiles-s-z/youtube-viewer +++ b/apparmor.d/profiles-s-z/youtube-viewer @@ -14,7 +14,6 @@ profile youtube-viewer @{exec_path} { include include include - include signal (receive) set=(hup, winch) peer=gtk-youtube-viewer//xterm, diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index 2c510f2b..43e6294a 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -41,12 +41,12 @@ include @{exec_path} = /{usr/,}bin/yt-dlp profile yt-dlp @{exec_path} { include + include include include include include include - include network inet dgram, network inet6 dgram, @@ -58,16 +58,22 @@ profile yt-dlp @{exec_path} { /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/ r, - /{usr/,}bin/file rix, + /{usr/,}bin/file rix, + + /{usr/,}bin/ffmpeg rPx, + /{usr/,}bin/ffprobe rPx, # Which files yt-dlp should be able to open owner /media/**/ r, owner /media/**.@{ytdlp_ext} rw, + owner @{HOME}/.cache/ rw, + owner @{HOME}/.cache/yt-dlp/ rw, + owner @{HOME}/.cache/yt-dlp/** rw, + owner @{PROC}/@{pid}/fd/ r, /etc/magic r, - include if exists } diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 4943c19f..2e1b239b 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -46,7 +46,6 @@ profile ytdl @{exec_path} { include include include - include signal (receive) set=(term, kill),
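Review bot: The second yt-dlp hunk removes the trailing `include if exists` line (presumably `<local/yt-dlp>`, the path is not visible here) just before the closing `}`, which is the local-override hook every other profile in this tree keeps as its last rule (the thermald hunk shows it as context); unless it was moved somewhere outside these hunks, site-specific additions to the yt-dlp profile will silently stop being loaded. Please re-add it as the last line of the profile: `include if exists <local/yt-dlp>`. The rest of the hunk looks consistent: `ffmpeg`/`ffprobe` use `rPx`, and the cache grants are scoped with `owner` under `@{HOME}/.cache/yt-dlp/`. The profile's include list is cut by the first hunk and continues outside it.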