diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl
new file mode 100644
index 000000000..dcfd7c1e0
--- /dev/null
+++ b/apparmor.d/profiles-s-z/sbctl
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/sbctl
+profile sbctl @{exec_path} {
+  include <abstractions/base>
+
+  capability dac_read_search,
+  capability linux_immutable,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/lsblk  rPx,
+
+  /usr/share/secureboot/{,**} rw,
+
+  /{boot,efi}/{,**} r,
+  /{boot,efi}/EFI/{,**} rw,
+  /{usr/,}lib/fwupd/efi/{,**} rw,
+  /boot/vmlinuz-linux* rw,
+
+  @{sys}/firmware/efi/efivars/db-@{uuid} rw,
+  @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
+  @{sys}/firmware/efi/efivars/PK-@{uuid} rw,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
+  @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
+
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/sbctl>
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 68d66e12b..717b33b7b 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -130,6 +130,7 @@ resolvconf complain
 run-parts complain
 runuser complain
 s3fs complain
+sbctl complain
 scrcpy complain
 sftp-server complain
 slirp4netns attach_disconnected,complain