diff --git a/salt/profile/matrix/config.sls b/salt/profile/matrix/config.sls
index 45cae55..2bb5a3e 100644
--- a/salt/profile/matrix/config.sls
+++ b/salt/profile/matrix/config.sls
@@ -20,6 +20,13 @@ synapse_conf_file:
     - watch_in:
       - module: synapse_restart
 
+synapse_apparmor_file:
+  file.managed:
+    - name: /etc/apparmor.d/matrix-synapse
+    - source: salt://profile/matrix/files/matrix-synapse.apparmor
+    - require_in:
+      - service: synapse_service
+
 synapse_appservice_discord_file:
   file.managed:
     - name: /etc/matrix-synapse/appservices/appservice-discord.yaml
diff --git a/salt/profile/matrix/files/matrix-synapse.apparmor b/salt/profile/matrix/files/matrix-synapse.apparmor
new file mode 100644
index 0000000..3e81ea5
--- /dev/null
+++ b/salt/profile/matrix/files/matrix-synapse.apparmor
@@ -0,0 +1,34 @@
+profile matrix-synapse {
+  include
+  include
+  include
+
+  network inet stream,
+  network inet6 stream,
+
+  /etc/gai.conf r,
+  /etc/host.conf r,
+  /etc/hosts r,
+  /etc/mime.types r,
+  /etc/nsswitch.conf r,
+  /etc/passwd r,
+  /etc/resolv.conf r,
+  /etc/ssl/openssl.cnf r,
+
+  owner @{PROC}/@{pid}/{fd/,limits,mounts,stat} r,
+
+  /etc/matrix-synapse/** r,
+  owner /var/lib/matrix-synapse/ r,
+  owner /var/{lib,log}/matrix-synapse/** rw,
+
+  /usr/sbin/ldconfig PUx,
+
+  /usr/bin/bash Cx -> bash,
+
+  profile bash {
+    include
+
+    /usr/bin/bash r,
+    /usr/bin/uname PUx,
+  }
+}
diff --git a/salt/profile/matrix/files/synapse.service b/salt/profile/matrix/files/synapse.service
index 6a1358b..6b4ecca 100644
--- a/salt/profile/matrix/files/synapse.service
+++ b/salt/profile/matrix/files/synapse.service
@@ -6,6 +6,7 @@
 Type=simple
 Restart=on-failure
 RestartSec=3
+AppArmorProfile=matrix-synapse
 User=synapse
 Group=synapse
 WorkingDirectory=/var/lib/matrix-synapse/
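Review bot: `synapse_apparmor_file` only writes the profile to /etc/apparmor.d and orders it before `synapse_service`; nothing in this state loads it into the kernel, so on a host where the profile is new or changed the service (whose unit now sets `AppArmorProfile=matrix-synapse` in the third hunk) will fail to start until AppArmor is reloaded. Add a `cmd.wait` state that runs `apparmor_parser -r /etc/apparmor.d/matrix-synapse`, triggered via `- watch_in:` from this file state and itself carrying `- require_in: - service: synapse_service`, so a changed profile is loaded before the service is (re)started. This assumes the apparmor service is not already managed elsewhere in the profile with a watch on /etc/apparmor.d; if it is, a `watch_in` on that service state is enough.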
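Review bot: The three `include` directives at the top of the profile and the one inside `profile bash` have no target as shown, which apparmor_parser rejects; the abstraction names (normally written in angle brackets) appear to have been stripped in rendering, so confirm the committed file still carries them. The profile also uses `@{PROC}` and `@{pid}` without a visible `include <tunables/global>` before the `profile` block, so those variables may be undefined unless one of the stripped includes pulls them in. Only `network inet stream` and `network inet6 stream` are granted, so UDP DNS lookups depend on one of the includes being the nameservice abstraction; otherwise resolution is denied. `ldconfig` and `uname` run with `PUx` (their own profile if one is loaded, otherwise unconfined), and `/etc/matrix-synapse/** r` exposes every file there, including signing keys, to the confined process; both deserve a header comment such as `# Named profile, applied via AppArmorProfile= in synapse.service; ldconfig/uname escape confinement (PUx) when no profile of their own is loaded`.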
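Review bot: `AppArmorProfile=matrix-synapse` is fail-closed — systemd refuses to start the unit when it cannot switch to the profile — which is the right default, but it makes the unit depend on the profile already being loaded at boot; if the host loads profiles through apparmor.service, add `After=apparmor.service` to the [Unit] section (outside this hunk). A comment on the new line would record that choice, e.g. `# Profile from /etc/apparmor.d/matrix-synapse must be loaded first; prefix with '-' only if best-effort confinement is acceptable`. The [Service] section containing this line begins before the hunk.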