diff --git a/apparmor.d/groups/network/socat b/apparmor.d/groups/network/socat
new file mode 100644
index 000000000..e315441bf
--- /dev/null
+++ b/apparmor.d/groups/network/socat
@@ -0,0 +1,59 @@
+#------------------------------------------------------------------
+# Author: Nishit Majithia (nishitm)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+# SPDX-License-Identifier: GPL-2.0-only
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi ,
+
+include
+
+profile socat /usr/bin/socat {
+ include
+ include
+
+ capability dac_read_search,
+ capability dac_override,
+ capability net_raw,
+ capability net_admin,
+ capability sys_module,
+ capability sys_admin,
+ capability fsetid,
+ capability chown,
+ capability net_bind_service,
+ capability sys_resource,
+
+ # Allow creation of network sockets and `socat` uses dccp for some
+ # fuctionalities that is why it is necessary to allow whole `network`
+ network,
+
+ # Enale /dev/ptmx access for testsuite
+ # file rw /dev/ptmx,
+ # file rw /dev/pts/*,
+
+ # TUN/TAP device
+ file rw /dev/net/tun,
+
+ # Process-specific access
+ file rw @{PROC}/@{pid}/fd/*,
+ file r @{PROC}/@{pid}/stat,
+
+ # Allow reading from /dev/tty
+ file rw /dev/tty,
+
+ # Allow reading /dev/vsock
+ file r /dev/vsock,
+
+ # certs/keys can be are stored in:
+ # - /etc/ssl/certs/*.{key,crt}
+ # - $HOME/.cert/**/*.pem
+ file r /etc/ssl/certs/{,*.{key,crt}},
+ file r @{HOME}/.certs/{,**},
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
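Review bot: The capability block grants `capability sys_module,` and `capability sys_admin,` (alongside `dac_override`, `chown`, `fsetid` and `sys_resource`) to a socket relay, and none of them carries a comment saying which socat feature needs it; `sys_module` in particular lets the confined process load kernel modules, which removes most of the benefit of confining it at all. Each capability should be justified with a one-line comment naming the address type or option that requires it, and any that only exist to satisfy the test suite belong in the `local/` override rather than the shipped profile. The cert section is also internally inconsistent: the comment documents `$HOME/.cert/**/*.pem` while the rule reads `file r @{HOME}/.certs/{,**},`, so either the path (`.cert` vs `.certs`) or the glob (`**` instead of `**/*.pem`) should be corrected to match the stated intent. Minor wording fixes while here: `# functionalities, that is why it is necessary to allow the whole `network` rule`, `# Enable /dev/ptmx access for testsuite`, `# certs/keys can be stored in:`. The `abi ,` and `include` lines appear to have lost their `<...>` arguments in this rendering; if that is the case in the actual file, the profile will not parse, so it is worth confirming against the original patch.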