diff --git a/apparmor.d/abstractions/chromium-common b/apparmor.d/abstractions/chromium-common
index a9c26ac5..f37182d7 100644
--- a/apparmor.d/abstractions/chromium-common
+++ b/apparmor.d/abstractions/chromium-common
@@ -39,3 +39,5 @@
 owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
 owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
 owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+
+ include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read
index 5e8549ab..1399c2c4 100644
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@@ -7,12 +7,12 @@
 # The /sys/ entries probably should be tightened
 /dev/ r,
+ /dev/block/ r,
+ /dev/disk/*/ r,
 # Regular disk/partition devices
- /dev/block/ r,
 /dev/{s,v}d[a-z]* rk,
 /dev/{s,v}d[a-z]*[0-9]* rk,
- /dev/disk/*/ r,
 @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
 @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/** r,
 @{sys}/devices/pci[0-9]*/**/{usb,ata}[0-9]/** r,
diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http
index 7f27b7d8..6ed3835a 100644
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@@ -14,17 +14,15 @@ profile apt-methods-http @{exec_path} {
 include
 include
- # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
- # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
- # used by APT to download packages, package list, and other things using APT methods as an
- # unprivileged user/group (_apt/nogroup).
 capability setgid,
 capability setuid,
- signal (receive) peer=apt,
 signal (receive) peer=apt-get,
+ signal (receive) peer=apt,
 signal (receive) peer=aptitude,
 signal (receive) peer=synaptic,
+ signal (receive) peer=unattended-upgrade,
+ signal (receive) peer=update-manager,
 network inet dgram,
 network inet6 dgram,
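Review bot: The new `include if exists` line in chromium-common is written without a trailing newline: the `\ No newline at end of file` marker sits on the new side only, so the old file ended cleanly and this hunk regresses it. Add the newline so the next rule appended to the abstraction does not show up as a change to this line. The include target is stripped from this page, so I cannot check that it names the intended local file.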
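Review bot: Removing the `_apt` comment leaves `capability setgid,` and `capability setuid,` with no stated reason in the profile, and those are the two lines a reviewer most needs justified. Keep a one-line rationale above them, e.g. `# APT drops to the unprivileged _apt user (_apt/nogroup) to download packages and lists`, which is the substance of the deleted paragraph. The added `signal (receive) peer=unattended-upgrade,` and `signal (receive) peer=update-manager,` pair with the `signal (send) peer=apt-methods-http,` rules this diff adds to those two profiles, so that part is consistent. The profile body continues outside the hunk.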
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 14c4a8a2..fa80efa9 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/unattended-upgrade
 profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -27,10 +28,16 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ signal (send) peer=apt-methods-http,
+
 dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager member=Inhibit,
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
 dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member={PropertiesChanged,GetAll},
@@ -64,23 +71,17 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 /{usr/,}lib/update-notifier/update-motd-updates-available rPx,
 /usr/share/distro-info/* r,
- /usr/share/dpkg/*table r,
 /etc/apt/*.list r,
 /etc/apt/apt.conf.d/{,**} r,
- /etc/apt/preferences.d/{,**} r,
- /etc/apt/sources.list.d/{,**} r,
 /etc/machine-id r,
 /var/log/unattended-upgrades/*.log rw,
- /var/lib/apt/extended_states r,
- /var/lib/apt/lists/{,**} r,
 /var/lib/apt/periodic/unattended-upgrades-stamp w,
 /var/lib/dpkg/lock rwk,
 /var/lib/dpkg/lock-frontend rwk,
- /var/lib/dpkg/status r,
 /var/lib/dpkg/updates/ r,
 /var/cache/apt/{,**} rwk,
@@ -94,7 +95,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 @{run}/resolvconf/resolv.conf r,
- owner /tmp/#[0-9]* rw,
+ owner /tmp/apt-dpkg-install-*/{,*} rw,
 owner @{PROC}/@{pids}/fd/ r,
 @{PROC}/@{pids}/mountinfo r,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 352c5534..011272a2 100644
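Review bot: The added `dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll,` is fully covered by the existing rule directly below it, which has the same bus, path and interface and `member={PropertiesChanged,GetAll}`; the new rule is redundant and should be dropped. If a different access keyword (`send`) or a sub-path was intended, that is what needs changing rather than adding a duplicate. The profile body continues outside the hunk.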
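Review bot: This hunk deletes `/var/lib/dpkg/status r,`, `/var/lib/apt/lists/{,**} r,`, `/var/lib/apt/extended_states r,`, `/usr/share/dpkg/*table r,`, `/etc/apt/preferences.d/{,**} r,` and `/etc/apt/sources.list.d/{,**} r,` with no replacement in the file; presumably they now come from the include added in the first hunk, whose target is not visible on this page. Please confirm that abstraction grants at least read on the dpkg status file and the apt lists, since unattended-upgrade cannot evaluate upgrades without them, and name the abstraction in the commit message. The profile body continues outside the hunk.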
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -26,6 +26,8 @@ profile plymouthd @{exec_path} {
 /usr/share/plymouth/{,**} r,
 /etc/default/keyboard r,
+ /etc/plymouth/plymouthd.conf r,
+ /etc/vconsole.conf r,
 @{run}/udev/data/+drm:* r,
 @{run}/udev/data/c226:* r,
@@ -34,6 +36,7 @@ profile plymouthd @{exec_path} {
 @{sys}/class/ r,
 @{sys}/class/drm/ r,
 @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/uevent r,
+ @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/uevent r,
 @{sys}/devices/virtual/tty/console/active r,
 @{sys}/firmware/acpi/bgrt/{,*} r,
diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app
index 1a63d501..d4f5d0bc 100644
--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@@ -13,7 +13,7 @@ profile gnome-extensions-app @{exec_path} {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gjs-console rPx,
+ /{usr/,}bin/gjs-console rix,
 /usr/share/terminfo/x/xterm-256color r,
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index 98563afd..2cf18564 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -31,6 +31,10 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,ServiceBrowserNew},
+ dbus receive bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member=StateChanged,
+
 @{exec_path} mr,
 @{libexec}/gsd-printer rPx,
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index b35ae8f2..0919ba88 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
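Review bot: Switching `/{usr/,}bin/gjs-console` from `rPx` to `rix` runs the JavaScript interpreter under this profile instead of the profile attached to gjs-console, so everything gjs-console can reach is now whatever gnome-extensions-app is allowed, and the separation between the app and its interpreter is lost. If the change is only because the gjs-console profile lacked rules the app needs, adding them there keeps the transition; otherwise put the reason on the line, e.g. `# gjs-console: inherit, the app and its JS runtime share one confinement`. The profile continues outside the hunk.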
@@ -60,7 +60,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/**/uevent r,
 @{sys}/devices/pci[0-9]*/**/{vendor,device,revision} r,
- @{sys}/devices/virtual/net/lo/ r,
+ @{sys}/devices/virtual/net/*/ r,
 @{sys}/devices/virtual/tty/*/ r,
 include if exists
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 1637a5d7..c612f740 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -36,7 +36,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 network packet dgram,
 dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{,/**}
- interface=org.freedesktop.{DBus.Properties,NetworkManager*},
+ interface=org.freedesktop.{DBus.Properties,DBus.Introspectable,NetworkManager*},
 dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority
@@ -44,7 +44,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 dbus (send,receive) bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager
- member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown},
+ member={SessionRemoved,UserNew,SessionNew,Inhibit,PrepareForShutdown,UserRemoved},
 dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus
diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required
index 91fd3a8a..0ef30e5f 100644
--- a/apparmor.d/groups/ubuntu/notify-reboot-required
+++ b/apparmor.d/groups/ubuntu/notify-reboot-required
@@ -12,7 +12,8 @@ profile notify-reboot-required @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/gettext rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gettext rix,
 /usr/share/update-notifier/notify-reboot-required r,
diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd
index ffa188b9..ebdb316f 100644
--- a/apparmor.d/groups/ubuntu/packagekitd
+++ b/apparmor.d/groups/ubuntu/packagekitd
@@ -46,7 +46,7 @@ profile packagekitd @{exec_path} {
 dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager
- member={SessionNew,PrepareForShutdown},
+ member={SessionNew,PrepareForShutdown,SessionRemoved},
 dbus bind bus=system name=org.freedesktop.PackageKit,
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index 4953d5d1..1d5a0e58 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -10,7 +10,9 @@ include
 profile software-properties-gtk @{exec_path} {
 include
 include
- include
+ include
+ include
+ include
 include
 include
@@ -22,15 +24,25 @@ profile software-properties-gtk @{exec_path} {
 /{usr/,}bin/lsb_release rPx -> lsb_release,
 /{usr/,}bin/ubuntu-advantage rPx,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/icons/{,**} r,
+ /usr/share/mime/mime.cache r,
+ /usr/share/pixmaps/ r,
+ /usr/share/python-apt/{,**} r,
+ /usr/share/software-properties/{,**} r,
 /usr/share/ubuntu-drivers-common/detect/{,**} r,
+ /usr/share/X11/xkb/{,**} r,
+ /usr/share/xml/iso-codes/{,**} r,
 /etc/machine-id r,
-
- owner @{PROC}/@{pid}/fd/ r,
+ /etc/update-manager/release-upgrades r,
 @{sys}/devices/ r,
 @{sys}/devices/**/ r,
+ @{sys}/devices/**/modalias r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage
index 57338fed..204dc38c 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage
@@ -13,11 +13,22 @@ profile ubuntu-advantage @{exec_path} {
 include
 include
 include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
 @{exec_path} mr,
 /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /etc/ubuntu-advantage/uaclient.conf r,
+
+ owner /tmp/tmp[0-9a-z]*/apt.conf r,
+
 owner @{PROC}/@{pid}/fd/ r,
 include if exists
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index c2b43c28..3b173bc6 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -28,6 +28,8 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 network inet6 stream,
 network netlink raw,
+ signal (send) peer=apt-methods-http,
+
 dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*} interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}} member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll,UpdateCache},
@@ -36,13 +38,13 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.DBus member=StartServiceByName,
- dbus send bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect,
+ dbus send bus=system path=/org/freedesktop/NetworkManager{,/ActiveConnection/[0-9]*,/Devices/[0-9]*}
+ interface=org.freedesktop.DBus.{Properties,Introspectable}
+ member={Introspect,Get},
 dbus send bus=system path=/org/freedesktop/UPower
- interface=org.freedesktop.DBus.Properties
- member=Get,
+ interface=org.freedesktop.DBus.{Properties,Introspectable}
+ member={Get,Introspect},
 dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager
diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index 934e99f0..fbbb304a 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
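Review bot: Folding the NetworkManager and UPower rules into `interface=org.freedesktop.DBus.{Properties,Introspectable}` with `member={Introspect,Get}` and `member={Get,Introspect}` grants the cross product, including `Properties.Introspect` and `Introspectable.Get`, which do not exist on those interfaces; harmless in practice, but one rule per interface keeps the policy readable as exactly what update-manager calls. The widened path `{,/ActiveConnection/[0-9]*,/Devices/[0-9]*}` is consistent with reading connection and device properties. The profile continues outside the hunk.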
@@ -10,8 +10,10 @@ include
 profile cni-calico @{exec_path} {
 include
- network inet,
- network inet6,
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
 @{exec_path} mr,
 @{exec_path}-ipam rix,
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index ae8e492f..71f30ab2 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -12,22 +12,12 @@ include
 profile kmod @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
- # To load/unload kernel modules
- # modprobe: ERROR: could not insert '*': Operation not permitted
- #
- # modprobe: ERROR: ../libkmod/libkmod-module.c:799 kmod_module_remove_module() could not remove
- # '*': Operation not permitted
- capability sys_module,
-
- # For error logs to go through the syslog mechanism (as LOG_DAEMON with level LOG_NOTICE) rather
- # than to standard error.
- capability syslog,
-
- # Needed for static-nodes
 capability dac_override,
- capability mknod,
+ capability sys_module,
+ capability syslog,
 unix (receive) type=stream,
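Review bot: The rewrite drops the comments that justified `capability sys_module,`, `capability syslog,` and `capability dac_override,` (including `# Needed for static-nodes`) and removes `capability mknod,` with no visible replacement; capabilities are the lines in a profile that most need a stated reason, so keep at least a one-line comment above each, starting by restoring `# Needed for static-nodes` above `capability dac_override,`. If `mknod` is now supplied by the include added at the top of the hunk (its target is stripped on this page), say so in the commit message. The profile body continues outside the hunk.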
@@ -37,36 +27,36 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/sysctl rPx,
 /{usr/,}lib/modprobe.d/{,*.conf} r,
- /etc/modprobe.d/{,*.conf} r,
- /etc/depmod.d/{,**} r,
- /{usr/,}lib/modules/*/modules.* rw,
+ /etc/depmod.d/{,**} r,
+ /etc/modprobe.d/{,*.conf} r,
+ /tmp/**/*.ko{,.zst} r,
 /usr/src/*/*.ko r,
 /var/lib/dkms/**/module/*.ko r,
+ /var/lib/dpkg/triggers/* r,
 /var/tmp/dracut.*/{,**} rw,
+ owner /boot/System.map-* r,
+ owner /tmp/mkinitcpio.*/{,**} rw,
+
+ # For local kernel build
+ owner /tmp/depmod.*/lib/modules/*/ r,
+ owner /tmp/depmod.*/lib/modules/*/modules.* rw,
+ owner @{user_build_dirs}/**/System.map r,
+ owner @{user_build_dirs}/**/lib/modules/*/ r,
+ owner @{user_build_dirs}/**/lib/modules/*/modules.* rw,
+ owner @{user_build_dirs}/**/lib/modules/*/kernel/{,**/} r,
+ owner @{user_build_dirs}/**/lib/modules/*/kernel/**/*.ko r,
+
+ owner @{run}/tmpfiles.d/ w,
+ owner @{run}/tmpfiles.d/static-nodes.conf w,
 @{sys}/module/{,**} r,
 @{PROC}/cmdline r,
 @{PROC}/modules r,
- # Initframs
- owner /tmp/mkinitcpio.*/{,**} rw,
-
- owner @{run}/tmpfiles.d/ w,
- owner @{run}/tmpfiles.d/static-nodes.conf w,
-
- # For local kernel build
- owner /tmp/depmod.*/lib/modules/*/ r,
- owner /tmp/depmod.*/lib/modules/*/modules.* rw,
- owner @{user_build_dirs}/**/System.map r,
- owner @{user_build_dirs}/**/debian/*/lib/modules/*/ r,
- owner @{user_build_dirs}/**/debian/*/lib/modules/*/modules.* rw,
- owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/{,**/} r,
- owner @{user_build_dirs}/**/debian/*/lib/modules/*/kernel/**/*.ko r,
-
 deny /apparmor/.null rw,
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index f8115614..afbc6b00 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
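Review bot: `/tmp/**/*.ko{,.zst} r,` is the one `/tmp` rule in this hunk without `owner`, while the neighbouring `owner /tmp/mkinitcpio.*/{,**} rw,` and `owner /tmp/depmod.*/...` rules keep it; for a process holding `capability sys_module`, a read rule over a world-writable tree should be scoped the same way, `owner /tmp/**/*.ko{,.zst} r,`, unless a comment explains why other users' files must be readable. The hunk also removes `/{usr/,}lib/modules/*/modules.* rw,` without re-adding it, so unless the include added in the previous hunk covers it (not visible here), depmod's writes under `/lib/modules/*/` will be denied. Dropping `debian/*/` from the `@{user_build_dirs}` patterns widens them to any build tree, which looks intentional but deserves a word in the `# For local kernel build` comment. The profile body continues outside the hunk.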
@@ -88,6 +88,7 @@ profile mkinitramfs @{exec_path} {
 owner /var/tmp/mkinitramfs-* rw,
 owner @{PROC}/@{uid}/fd/ r,
+ @{PROC}/cmdline r,
 @{PROC}/modules r,
 profile ldd {
diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga
index c5072be2..9c2550a9 100644
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@@ -14,6 +14,8 @@ profile qemu-ga @{exec_path} {
 capability net_admin,
 capability sys_ptrace,
+ ptrace peer=unconfined,
+
 @{exec_path} mr,
 /{usr/,}bin/systemctl rix,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index b8671752..be940b18 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -187,7 +187,7 @@ profile run-parts @{exec_path} {
 /etc/modprobe.d/*.conf r,
 @{run}/reboot-required w,
- @{run}/reboot-required.pkgs w,
+ @{run}/reboot-required.pkgs rw,
 @{PROC}/devices r,
 @{PROC}/cmdline r,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index a39f81ad..8c090bdb 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -29,6 +29,8 @@ profile sudo @{exec_path} {
 capability sys_ptrace,
 capability sys_resource,
+ network inet dgram,
+ network inet6 dgram,
 network netlink raw,
 # PAM ptrace (read),
@@ -72,6 +74,7 @@ profile sudo @{exec_path} {
 @{run}/faillock/{,*} rwk,
 @{run}/resolvconf/resolv.conf r,
+ @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/fd/ r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/1/limits r,
diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/profiles-s-z/sulogin
index 05319928..dccd51f0 100644
--- a/apparmor.d/profiles-s-z/sulogin
+++ b/apparmor.d/profiles-s-z/sulogin
@@ -15,6 +15,8 @@ profile sulogin @{exec_path} {
 @{exec_path} mr,
+ /{usr/,}bin/{,ba,da}sh rux,
+
 /etc/shadow r,
 /dev/ r,
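Review bot: `ptrace peer=unconfined,` has no access list, so it grants every ptrace permission (read, trace, readby, tracedby) towards unconfined processes, on top of the `capability sys_ptrace,` just above it. If the agent only needs to inspect process state, narrow it to `ptrace (read) peer=unconfined,` and add a comment naming the guest command that needs it. The profile continues outside the hunk.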
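Review bot: `/{usr/,}bin/{,ba,da}sh rux,` starts sulogin's root shell unconfined without the environment scrubbing that the uppercase `rUx` form applies on the transition. An unconfined root shell is the purpose of sulogin, but the unscrubbed variant needs either a comment saying why the environment must pass through or a switch to `rUx`; a line such as `# sulogin exists to hand over an unconfined root shell` above the rule would make the intent clear either way. The profile continues outside the hunk.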