diff --git a/interfaces/apparmor/template.go b/interfaces/apparmor/template.go
index 1489712ac1b..d5d0a0c855d 100644
--- a/interfaces/apparmor/template.go
+++ b/interfaces/apparmor/template.go
@@ -343,8 +343,8 @@ var defaultTemplate = []byte(`
 /{dev,run}/shm/sem.snap.@{SNAP_NAME}.* rwk,
 # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user
-owner /{dev,run}/user/[0-9]*/snap.@{SNAP_NAME}/ rw,
-owner /{dev,run}/user/[0-9]*/snap.@{SNAP_NAME}/** mrwklix,
+owner /run/user/[0-9]*/snap.@{SNAP_NAME}/ rw,
+owner /run/user/[0-9]*/snap.@{SNAP_NAME}/** mrwklix,
 # Allow apps from the same package to communicate with each other via an
 # abstract or anonymous socket
diff --git a/interfaces/builtin/firewall_control.go b/interfaces/builtin/firewall_control.go
index 7ddb3f52df3..81b172936fc 100644
--- a/interfaces/builtin/firewall_control.go
+++ b/interfaces/builtin/firewall_control.go
@@ -69,6 +69,10 @@ unix (bind) type=stream addr="@xtables",
 @{PROC}/sys/net/netfilter/** r,
 @{PROC}/sys/net/nf_conntrack_max r,
+# read netfilter module parameters
+/sys/module/nf_*/ r,
+/sys/module/nf_*/parameters/{,*} r,
+
 # various firewall related sysctl files
 @{PROC}/sys/net/ipv4/conf/*/rp_filter w,
 @{PROC}/sys/net/ipv{4,6}/conf/*/accept_source_route w,
diff --git a/interfaces/builtin/network_control.go b/interfaces/builtin/network_control.go
index 0463e4ecb47..17a4ed83405 100644
--- a/interfaces/builtin/network_control.go
+++ b/interfaces/builtin/network_control.go
@@ -61,6 +61,10 @@ network sna,
 @{PROC}/sys/net/netfilter/** rw,
 @{PROC}/sys/net/nf_conntrack_max rw,
+# read netfilter module parameters
+/sys/module/nf_*/ r,
+/sys/module/nf_*/parameters/{,*} r,
+
 # networking tools
 /{,usr/}{,s}bin/arp ixr,
 /{,usr/}{,s}bin/arpd ixr,
diff --git a/interfaces/builtin/unity7.go b/interfaces/builtin/unity7.go
index 4c4fc105d3f..b4cbc3ebb39 100644
--- a/interfaces/builtin/unity7.go
+++ b/interfaces/builtin/unity7.go
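Review bot: The new `/sys/module/nf_*/ r,` and `/sys/module/nf_*/parameters/{,*} r,` rules in firewall_control.go (and the identical pair added in the network_control.go hunk) grant read access to every loaded module whose name begins with `nf_`, not only the conntrack parameters that the neighbouring `@{PROC}/sys/net/nf_conntrack_max` rule suggests, and the directory read additionally lets a confined app enumerate which netfilter modules are loaded. This is read-only and a modest widening, but if one module's parameters are what the tools need, the narrower form `/sys/module/nf_conntrack/parameters/{,*} r,` would be preferable. Either way the comment should record what motivates the access, e.g. `# read netfilter module parameters (also allows listing loaded nf_* modules)`, so the glob is not widened further later without thought. Since the same snippet now lives in two interfaces, keeping its wording identical in both makes future policy diffs easier to audit.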
@@ -433,6 +433,20 @@ dbus (receive)
 member="{GetAll,GetLayout}"
 peer=(label=unconfined),
+# Allow requesting interest in receiving media key events. This tells Gnome
+# settings that our application should be notified when key events we are
+# interested in are pressed.
+dbus (send)
+ bus=session
+ interface=org.gnome.SettingsDaemon.MediaKeys
+ path=/org/gnome/SettingsDaemon/MediaKeys
+ peer=(label=unconfined),
+dbus (send)
+ bus=session
+ interface=org.freedesktop.DBus.Properties
+ path=/org/gnome/SettingsDaemon/MediaKeys
+ member="Get{,All}"
+ peer=(label=unconfined),
 # Lttng tracing is very noisy and should not be allowed by confined apps. Can
 # safely deny. LP: #1260491