diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl
new file mode 100644
index 000000000..b2fb30320
--- /dev/null
+++ b/apparmor.d/profiles-s-z/sysctl
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/sysctl
+profile sysctl @{exec_path} {
+  include <abstractions/base>
+
+  capability mac_admin,
+  capability net_admin,
+  capability sys_admin,
+  capability sys_resource,
+
+  @{exec_path} mr,
+
+  @{PROC}/sys/ r,
+  @{PROC}/sys/** rw,
+
+  # Inherit Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
+  include if exists <local/sysctl>
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index d65d6a2bc..16c07e072 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -114,6 +114,7 @@ sudo complain
 swaplabel complain
 swapoff complain
 swapon complain
+sysctl complain
 systemd-analyze complain
 systemd-ask-password complain
 systemd-binfmt complain