diff --git a/pillar/role/matrix.sls b/pillar/role/matrix.sls
index f2ec648..58e3af8 100644
--- a/pillar/role/matrix.sls
+++ b/pillar/role/matrix.sls
@@ -16,3 +16,8 @@ sudoers:
 groups:
 matrix-admins:
 - 'ALL=(ALL) ALL'
+
+apparmor:
+ profiles:
+ matrix-synapse:
+ source: salt://profile/matrix/files/matrix-synapse.apparmor
diff --git a/salt/profile/matrix/files/matrix-synapse.apparmor b/salt/profile/matrix/files/matrix-synapse.apparmor
new file mode 100644
index 0000000..66ea768
--- /dev/null
+++ b/salt/profile/matrix/files/matrix-synapse.apparmor
@@ -0,0 +1,32 @@
+profile matrix-synapse {
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+
+ /etc/gai.conf r,
+ /etc/host.conf r,
+ /etc/hosts r,
+ /etc/mime.types r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /etc/resolv.conf r,
+
+ owner @{PROC}/@{pid}/{fd/,limits,mounts,stat} r,
+
+ /etc/matrix-synapse/** r,
+ owner /var/lib/matrix-synapse/ r,
+ owner /var/{lib,log}/matrix-synapse/** rw,
+
+ /usr/bin/bash Cx -> bash,
+
+ profile bash {
+ include
+
+ /usr/bin/bash r,
+ /usr/bin/uname PUx,
+ }
+}
diff --git a/salt/profile/matrix/files/synapse.service b/salt/profile/matrix/files/synapse.service
index 6a1358b..6b4ecca 100644
--- a/salt/profile/matrix/files/synapse.service
+++ b/salt/profile/matrix/files/synapse.service
@@ -6,6 +6,7 @@ Type=simple
 Restart=on-failure
 RestartSec=3
+AppArmorProfile=matrix-synapse
 User=synapse
 Group=synapse
 WorkingDirectory=/var/lib/matrix-synapse/
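Review bot: The child profile `bash` lets `/usr/bin/uname` run unconfined whenever no `uname` profile is loaded (`PUx` falls back to unconfined), which makes it the one exec transition in this file that can leave the sandbox; for a tool that only needs to read its libraries, `/usr/bin/uname ix,` keeps it under the child profile with no fallback. The four `include` lines in this rendering carry no target, so which abstractions (and therefore which library, Python and name-resolution rules) the profile actually pulls in cannot be checked from this view; if the angle-bracketed targets were dropped on extraction that is a page artifact, otherwise the profile will not parse. With only `network inet stream` and `network inet6 stream` spelled out, UDP DNS lookups depend on whatever the includes grant, which is worth confirming, as is whether the database, media and log writes under `/var/{lib,log}/matrix-synapse/**` need the `k` (lock) permission that the `rw` rule does not give.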
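Review bot: `AppArmorProfile=matrix-synapse` only takes effect if the profile is already loaded when the unit starts, and without the `-` prefix systemd fails the start otherwise — the safer default, but it makes unit ordering matter; the `[Unit]` section is outside this hunk, so whether an `After=apparmor.service` ordering is present cannot be seen here. The name matches the `profile matrix-synapse {` declaration in the new profile file, so the two halves line up. A short comment above the line, `# Confine synapse with the profile from matrix-synapse.apparmor; the unit refuses to start if it is not loaded`, would make that dependency visible to the next person editing the unit.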