diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap
new file mode 100644
index 00000000..0efe0a6b
--- /dev/null
+++ b/apparmor.d/groups/_full/bwrap
@@ -0,0 +1,74 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Default profile for bwrap.
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/bwrap
+profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
+  include <abstractions/base>
+  include <abstractions/bwrap-app>
+  include <abstractions/dbus>
+  include <abstractions/fontconfig-cache-write>
+
+  capability dac_override,
+  capability dac_read_search,
+  capability net_admin,
+  capability setpcap,
+  capability sys_admin,
+  capability sys_ptrace,
+  capability sys_resource,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  mount,
+  umount,
+
+  pivot_root oldroot=/newroot/ -> /newroot/,
+  pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
+
+  ptrace peer=bwrap//&bwrap-app,
+
+  signal peer=bwrap//&bwrap-app,
+  signal (receive) set=(kill),
+
+  @{bin}/**                         rm,
+  @{lib}/**                         rm,
+  /opt/*/**                         rm,
+  /usr/share/*/*                    rm,
+
+  @{bin}/**                         Px -> bwrap//&bwrap-app,
+  @{bin}/xdg-dbus-proxy             Px -> bwrap//&xdg-dbus-proxy,
+  @{lib}/**                         Px -> bwrap//&bwrap-app,
+  /opt/*/**                         Px -> bwrap//&bwrap-app,
+  /usr/share/*/*                    Px -> bwrap//&bwrap-app,
+
+  /usr/.ref rk,
+
+  /bindfile@{rand6} rw,
+  /newroot/{,**} rw,
+  /tmp/newroot/ w,
+  /tmp/oldroot/ w,
+
+  owner /var/cache/ w,
+
+  owner @{run}/ld-so-cache-dir/* rw,
+
+        @{PROC}/sys/kernel/overflowgid r,
+        @{PROC}/sys/kernel/overflowuid r,
+        @{PROC}/sys/user/max_user_namespaces w,
+  owner @{PROC}/@{pid}/gid_map rw,
+  owner @{PROC}/@{pid}/setgroups rw,
+  owner @{PROC}/@{pid}/uid_map rw,
+
+  include if exists <usr/bwrap.d>
+  include if exists <local/bwrap>
+}
diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app
new file mode 100644
index 00000000..8895c894
--- /dev/null
+++ b/apparmor.d/groups/_full/bwrap-app
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Default profile for user sandboxed application
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile bwrap-app flags=(attach_disconnected,mediate_deleted) {
+  include <abstractions/base>
+  include <abstractions/bwrap-app>
+  include <abstractions/fontconfig-cache-write>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  ptrace peer=bwrap//&bwrap-app,
+
+  signal peer=bwrap//&bwrap-app,
+
+  @{bin}/**                       rmix,
+  @{lib}/**                       rmix,
+  /opt/*/**                       rmix,
+  /usr/share/*/*                  rmix,
+
+  owner /var/cache/ w,
+
+  include if exists <usr/bwrap-app.d>
+  include if exists <local/bwrap-app>
+}
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
index ec74ebab..027dc15f 100644
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@@ -16,15 +16,18 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/consoles>
   include <abstractions/dbus-session>
   include <abstractions/dconf-write>
-  include <abstractions/deny-sensitive-home>
+  include <abstractions/devices-usb>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
   include <abstractions/gnome>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
+  include <abstractions/opencl-intel>
+  include <abstractions/opencl-mesa>
+  include <abstractions/opencl-nvidia>
   include <abstractions/openssl>
+  include <abstractions/p11-kit>
+  include <abstractions/ssl_certs>
   include <abstractions/video>
   include <abstractions/vulkan>
   include <abstractions/zsh>
@@ -41,8 +44,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   signal (receive) set=(hup),
 
-  @{bin}/{,**} r,
-  @{bin}/bwrap           rPx -> default-bwrap,
+  @{bin}/bwrap           rPx -> bwrap,
   @{bin}/pipewire-pulse  rPx -> systemd//&pipewire-pulse,
   @{bin}/pulseaudio      rPx -> systemd//&pulseaudio,
   @{bin}/su              rPx -> default-sudo,
@@ -55,15 +57,19 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   @{bin}/exo-open        rPx -> child-open,
   @{bin}/xdg-open        rPx -> child-open,
+  @{lib}/gio-launch-desktop rPx -> child-open,
 
   audit @{bin}/**        Pix,
   audit @{lib}/**        Pix,
   audit /opt/*/**        Pix,
   audit /usr/share/*/*   Pix,
 
+  @{bin}/{,**} r,
+  @{lib}/{,**} r,
   /usr/share/** r,
 
   /etc/xdg/** r,
+  /etc/gnutls/config r,
 
   # Full access to user's data
   / r,
@@ -71,10 +77,10 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{MOUNTDIRS}/ r,
   @{MOUNTS}/ r,
   @{MOUNTS}/** rwl,
-  owner @{HOME}/{,**} rwl,
+  owner @{HOME}/{,**} rwlk,
   owner @{run}/user/@{uid}/{,**} rw,
-  owner @{user_config_dirs}/** rwkl -> @{user_config_dirs}/**,
-  owner @{user_share_dirs}/** rwkl -> @{user_share_dirs}/**,
+  owner @{user_config_dirs}/** rwkl,
+  owner @{user_share_dirs}/** rwkl,
   owner /tmp/{,**} rwk,
 
   owner @{run}/user/@{uid}/{,**} rw,
@@ -86,16 +92,22 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
 
+  @{sys}/ r,
   @{sys}/bus/ r,
+  @{sys}/bus/pci/devices/ r,
   @{sys}/class/ r,
+  @{sys}/class/drm/ r,
+  @{sys}/class/hidraw/ r,
   @{sys}/class/input/ r,
+  @{sys}/class/power_supply/ r,
+  @{sys}/devices/**/input@{int}/ r,
+  @{sys}/devices/**/input@{int}/capabilities/* r,
+  @{sys}/devices/**/input/input@{int}/ r,
+  @{sys}/devices/**/uevent r,
   @{sys}/devices/virtual/dmi/id/chassis_type r,
   @{sys}/firmware/acpi/pm_profile r,
-
-  @{sys}/devices/**/uevent r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
 
-        @{PROC}/@{pid}/loginuid r,
         @{PROC}/cmdline r,
         @{PROC}/sys/kernel/core_pattern r,
         @{PROC}/sys/kernel/random/boot_id r,
@@ -104,6 +116,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/gid_map w,
   owner @{PROC}/@{pid}/limits r,
+  owner @{PROC}/@{pid}/loginuid r,
   owner @{PROC}/@{pid}/mem r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/_full/default-app b/apparmor.d/groups/_full/default-app
deleted file mode 100644
index 9b195ea9..00000000
--- a/apparmor.d/groups/_full/default-app
+++ /dev/null
@@ -1,6 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Default profile for user sandboxed application
-
diff --git a/apparmor.d/groups/_full/default-bwrap b/apparmor.d/groups/_full/default-bwrap
deleted file mode 100644
index 0ecde79e..00000000
--- a/apparmor.d/groups/_full/default-bwrap
+++ /dev/null
@@ -1,5 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Default profile for bwrap
diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo
index 09a34319..84213813 100644
--- a/apparmor.d/groups/_full/default-sudo
+++ b/apparmor.d/groups/_full/default-sudo
@@ -31,6 +31,15 @@ profile default-sudo @{exec_path} {
 
   ptrace (read),
 
+  dbus send bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.logi1.Manager
+       member=CreateSession
+       peer=(name=org.freedesktop.login1),
+
+  dbus (send receive) bus=session path=/org/freedesktop/systemd1
+         interface=org.freedesktop.systemd.Manager
+         member={JobRemoved,StartTransientUnit},
+
   @{bin}/sudo     mr,
   @{bin}/su       mr,
   @{lib}/sudo/**  mr,
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 144c24dc..9cdc29ee 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -16,7 +16,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd
-profile systemd-user flags=(attach_disconnected) {
+profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 64518e80..71b18da3 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -1,12 +1,12 @@
 # Common profile flags definition for all distributions
 # One profile by line using the format: '<profile> <flags>'
 
+bwrap attach_disconnected,mediate_deleted,complain
+bwrap-app attach_disconnected,mediate_deleted,complain
 default attach_disconnected,mediate_deleted,complain
-default-app attach_disconnected,complain
-default-bwrap attach_disconnected,complain
 default-sudo complain
 systemd attach_disconnected,mediate_deleted,complain
-systemd-user attach_disconnected,complain
+systemd-user attach_disconnected,mediate_deleted,complain
 
 aa-load complain
 acpid attach_disconnected,complain