diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index 5769224c4ef3af9f585fccdedecb48d6c3960b34..23e5a82151b20f1ef345982bae91b4aed6692c4d 100644
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -19,13 +19,13 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   # #include <abstractions/user-download>
   # @{HOME}/ r,
 
-  # Allow access required in flatpak
-  owner /run/user/[0-9]*/doc/** rw,
-  owner /home/amnesia/.var/app/org.boum.tails.TorBrowser/** rwkl,
+  # Flatpak and XDG Desktop Portal support
   /.flatpak-info r,
-  /run/host/** r,
-  /run/user/[0-9]*/pulse/config r,
-
+  @{run}/flatpak/pulse/config r,
+  @{run}/host/** r,
+  owner @{HOME}/.var/app/org.boum.tails.TorBrowser/** rwkl,
+  owner @{run}/flatpak/doc/** rw,
+  owner @{run}/user/@{uid}/doc/by-app/org.boum.tails.TorBrowser/** rw,
 
   # Audio support
   /{,usr/}bin/pulseaudio Pixr,
@@ -114,7 +114,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   # The Wayland Proxy prevents certain types of Wayland issues from
   # crashing the client application. Details:
   # https://mastransky.wordpress.com/2023/12/22/wayland-proxy-load-balancer/
-  owner @{run}/user/[0-9]*/wayland-proxy-@{pid} rw,
+  owner @{run}/user/@{uid}/wayland-proxy-@{pid} rw,
 
   # Silence denial logs about permissions we don't need
   deny @{HOME}/.cache/fontconfig/ rw,
@@ -124,7 +124,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   deny @{PROC}/@{pid}/net/route r,
   deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
   deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
-  deny /run/user/[0-9]*/dconf/user rw,
+  deny @{run}/user/@{uid}/dconf/user rw,
   deny /usr/bin/lsb_release x,
 
   # Silence denial logs about PulseAudio
@@ -142,7 +142,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   /sys/class/ r,
   /sys/bus/ r,
   /sys/class/hidraw/ r,
-  /run/udev/data/c24{5,7,9}:* r,
+  @{run}/udev/data/c24{5,7,9}:* r,
   /dev/hidraw* rw,
   # Yubikey NEO also needs this:
   /sys/devices/**/hidraw/hidraw*/uevent r,
@@ -205,13 +205,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   # Silence denial logs about permissions we don't need (Tails-specific)
   deny /usr/local/lib/tor-browser/update.test/ rw,
 
-  # Deny access to global tmp directories, that's granted by the user-tmp
-  # abstraction, which is sourced by the gnome abstraction, that we include.
-  deny owner /var/tmp/**     rwklx,
-  deny /var/tmp/             rwklx,
-  deny owner /tmp/**         rwklx,
-  deny /tmp/                 rwklx,
-
   # Deny access to GVFS
   deny @{HOME}/.local/share/gvfs-metadata/home r,