diff --git a/profiles/abstractions/totem b/profiles/abstractions/totem
index 23eb217d49e4f836a16f82df6521ce672c274229..09cc8bb4b654626e5aac95db0e45fddce69d9ff6 100644
--- a/profiles/abstractions/totem
+++ b/profiles/abstractions/totem
@@ -30,13 +30,26 @@
   /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Cix -> gst_plugin_scanner,
-  owner @{HOME}/.cache/tracker/meta.db k,
-  owner @{HOME}/.cache/tracker/meta.db-shm k,
-  owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm} k,
+  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
+  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
+  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
+  owner @{HOME}/.cache/thumbnails/** rw,
+  owner @{HOME}/.cache/totem/** rwk,
+  owner @{HOME}/.cache/totem-* rwk,
+  owner @{HOME}/.cache/tracker/db-locale.txt r,
+  owner @{HOME}/.cache/tracker/meta.db{,-shm,-journal,-wal} rwk,
+  owner @{HOME}/.cache/tracker/ontologies.gvdb r,
+  owner @{HOME}/.config/totem/ rwk,
+  owner @{HOME}/.config/totem/** rwk,
+  owner @{HOME}/.local/share/grilo-plugins/ rwk,
+  owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
+  owner @{HOME}/.local/share/gvfs-metadata/** r,
+  owner @{HOME}/.local/share/totem/ rwk,
   owner @{PROC}/@{pid}/status r,
   /run/udev/data/c* r,
   /run/udev/data/+drm:card* r,
+  /run/udev/data/+usb* r,
   /sys/devices/system/node/*/meminfo r,
diff --git a/profiles/usr.bin.totem b/profiles/usr.bin.totem
index 1455256d579a4eba7e946da004deeaf3153bbb45..744d2fe11af7e94b1de2498bd8fda59b2094cba1 100644
--- a/profiles/usr.bin.totem
+++ b/profiles/usr.bin.totem
@@ -6,6 +6,7 @@
 /usr/bin/totem {
   #include <abstractions/audio>
   #include <abstractions/dconf>
+  #include <abstractions/ibus>
   #include <abstractions/python>
   #include <abstractions/totem>
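Review bot: The new `rwk` rules for `@{HOME}/.config/totem/`, `@{HOME}/.config/totem/**`, `@{HOME}/.cache/totem/**`, `@{HOME}/.cache/totem-*` and `@{HOME}/.local/share/totem/` are application state of the player, yet they land in the abstraction that the later hunks show is also included by `/usr/bin/totem-video-thumbnailer`, so the process that parses untrusted media gets write access to the player's configuration and data as well. Keeping the abstraction to what both consumers need (the gstreamer registry cache, thumbnails, tracker/grilo databases) and moving the totem-specific rules into usr.bin.totem would keep the thumbnailer at least privilege. The tracker `meta.db` rule also grows from `k` to `rwk` for both profiles; if sqlite only needs the lock plus `-shm`/`-wal` writes for reading, `owner @{HOME}/.cache/tracker/meta.db rk,` with `rwk` on the side files is presumably enough, but that should be confirmed against denials. The enclosing abstraction begins and ends outside this hunk.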
@@ -14,18 +15,24 @@
   /usr/bin/totem r,
   /usr/bin/totem-video-thumbnailer Pix,
+  /usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
   /dev/sr* r,
-  # Allow read and write on anything in @{HOME}. Lenient, but
+  # Quiet logs
+  deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,
+
+  # Allow read and write on almost anything in @{HOME}. Lenient, but
   # private-files-strict is in effect.
   #include <abstractions/private-files-strict>
-  owner @{HOME}/** rw,
+  owner @{HOME}/[^.]* rw,
+  owner @{HOME}/[^.]*/** rw,
   owner /{,var/}run/user/*/dconf/user w,
   owner /{,var/}run/user/*/at-spi2-*/ rw,
   owner /{,var/}run/user/*/at-spi2-*/** rw,
   /sys/devices/pci[0-9]*/**/config r,
+  /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.totem>
diff --git a/profiles/usr.bin.totem-previewers b/profiles/usr.bin.totem-previewers
index 71f759c5b8212ea809fc29462b89a1981f23a19c..b08af56f7466152308d37fe457e7f173e5194965 100644
--- a/profiles/usr.bin.totem-previewers
+++ b/profiles/usr.bin.totem-previewers
@@ -6,16 +6,17 @@
 /usr/bin/totem-video-thumbnailer {
   #include <abstractions/totem>
-  # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
+  # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
   # effect.
   #include <abstractions/private-files-strict>
-  owner @{HOME}/** r,
+  owner @{HOME}/[^.]* rw,
+  owner @{HOME}/[^.]*/** rw,
   # Not needed by nautilus, but maybe other applications
   owner /**.[pP][nN][gG] w,
   owner /**.[jJ][pP]{,[eE]}[gG] w,
-  /usr/bin/totem-video-thumbnailer r,
+  /usr/bin/totem-video-thumbnailer rm,
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.totem-previewers>
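Review bot: The `# Quiet logs` rule `deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,` silences only the attempt to create the `__pycache__` directory; where that directory already exists, the `.pyc` writes inside it are not covered by the deny and would presumably still be logged. `deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/{,**} w,` covers both cases. On the `@{HOME}` rules, `owner @{HOME}/[^.]*/** rw,` still reaches dot-directories nested below a non-hidden top-level directory, which the updated "almost anything" comment could state so that readers do not take it as excluding all hidden files. The `/usr/bin/totem {` profile this hunk belongs to starts outside the hunk.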
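Review bot: `owner @{HOME}/** r,` becomes `owner @{HOME}/[^.]* rw,` and `owner @{HOME}/[^.]*/** rw,` for `/usr/bin/totem-video-thumbnailer`, while the comment directly above still says "Allow read on almost anything in @{HOME}"; the thumbnailer parses untrusted media and the only output it needs is already granted by the `owner /**.[pP][nN][gG] w,` and `owner /**.[jJ][pP]{,[eE]}[gG] w,` rules below, so the added write bit widens what a compromised thumbnailer can modify without a visible reason. Unless a specific write target showed up in denials, `owner @{HOME}/[^.]* r,` and `owner @{HOME}/[^.]*/** r,` keep the narrowing of the glob without the widening of the mode; if there is such a target, a dedicated rule for it plus an updated comment would be preferable. The second profile in this file (hunk `@@ -28,7 +29,8 @@`) makes the same `r` to `rw` change under a comment that still reads "Allow read on anything in @{HOME}", so the comment there also needs updating. The profile `/usr/bin/totem-video-thumbnailer {` opens on the first line of this hunk and continues past it.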
@@ -28,7 +29,8 @@
   # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
   # effect.
   #include <abstractions/private-files-strict>
-  owner @{HOME}/** r,
+  owner @{HOME}/[^.]* rw,
+  owner @{HOME}/[^.]*/** rw,
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.totem-previewers>