diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index bdbc10fe7..3b8e473fb 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
@@ -29,7 +30,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
 
   mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
-  mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+  mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
   mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
 
   umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2
new file mode 100644
index 000000000..d603f6464
--- /dev/null
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
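Review bot: Dropping `fstype=zfs` leaves `mount -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,` with no filesystem-type, source or option constraint, so beyond the snapshotter filesystems it now also permits bind-mounting any host path, or mounting any fstype (proc, sysfs, a device-backed filesystem), onto that directory. If the relaxation is there to cover a snapshotter other than zfs, enumerate the types the host actually uses instead, e.g. `mount fstype={zfs,overlay,btrfs,ext4} -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,` (the exact list depends on the snapshotters deployed and should be confirmed), and put a comment above the rule naming the snapshotter that needed it so the next maintainer does not widen it further. The hunk itself carries no rationale for going from one fstype to unrestricted; the commit message or that comment should state it. The `profile containerd` block continues outside the hunk.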
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/containerd-shim-runc-v2
+profile containerd-shim-runc-v2 @{exec_path} flags=(complain,attach_disconnected) {
+  include
+
+  capability dac_read_search,
+  capability dac_override,
+  capability net_admin,
+  capability sys_admin,
+  capability sys_resource,
+
+  mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/rootfs/,
+  umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/rootfs/,
+
+  @{exec_path} mrix,
+  /{usr/,}{s,}bin/runc rPUx,
+
+  /tmp/runc-process[0-9]* rw,
+
+  @{run}/containerd/containerd.sock.ttrpc rw,
+  @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-z]*/io/[0-9]*/[0-9a-z]*-stderr rw,
+  @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-z]*/io/[0-9]*/[0-9a-z]*-stdout rw,
+  @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/{,*} rw,
+  @{run}/containerd/s/[0-9a-z]* rw,
+  @{run}/secrets/kubernetes.io/serviceaccount/*/token w,
+
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  @{sys}/fs/cgroup/kubepods/{,**} rw,
+  @{sys}/fs/cgroup/{,**} rw,
+
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/oom_score_adj rw,
+  @{PROC}/sys/net/core/somaxconn r,
+
+  include if exists
+}
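Review bot: `/{usr/,}{s,}bin/runc rPUx,` lets the shim execute runc unconfined whenever no `runc` profile is loaded, and runc is the component that actually performs the namespace, mount and cgroup setup for the container, so the `sys_admin`/`dac_override`/`net_admin` grants this profile scopes to the shim end up exercised mostly by an unconfined child. If the profile set ships (or can ship) a runc profile, `rPx` is the fail-closed transition; if the unconfined fallback is deliberate, a comment above that line should say so. The `mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/rootfs/,` rule has no fstype or options constraint either; if the shim only mounts overlay snapshots and bind mounts there (to be confirmed against the snapshotter in use), two rules such as `mount fstype=overlay -> …/rootfs/,` and `mount options in (rw, bind) -> …/rootfs/,` would express that. `@{sys}/fs/cgroup/{,**} rw,` already subsumes the `kubepods/{,**} rw` line above it and grants write access to the whole cgroup hierarchy, including trees the shim presumably never manages; keeping `kubepods` at `rw` and reducing the general rule to `r` is worth trying once the profile leaves complain mode. The two mount/umount rules also spell `/run/containerd/...` while every other path in the profile uses `@{run}/containerd/...`; they should use the variable for consistency.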