diff --git a/apparmor.d/profiles-g-l/grc b/apparmor.d/profiles-g-l/grc
new file mode 100644
index 00000000..2040b132
--- /dev/null
+++ b/apparmor.d/profiles-g-l/grc
@@ -0,0 +1,62 @@
+# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{GRC_PATHS_RO} = /etc @{HOME} /srv /tmp /var /usr/share /usr/lib/systemd
+
+@{exec_path} = /{,usr/}bin/grc
+profile grc @{exec_path} {
+ @{exec_path} r,
+ include
+ include
+
+ # python-strict
+ /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/**.{egg,py,pth} r,
+ /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/{site,dist}-packages/ r,
+ /{,usr/}local/lib{,32,64}/python3.[0-9]{,[0-9]}/**.{egg,py,pth} r,
+ /{,usr/}local/lib{,32,64}/python3.[0-9]{,[0-9]}/{site,dist}-packages/ r,
+ /{,usr/}bin/python3.[0-9]{,[0-9]} r,
+
+ owner @{HOME}/.grc/** r,
+ /etc/grc.conf r,
+ /{,usr/}{,local/}share/grc/{,**} r,
+
+ /{,usr/}bin/grcat rix,
+ /{,usr/}bin/cat rix,
+ /{,usr/}bin/tail rix,
+ /{,usr/}bin/head rix,
+ /{,usr/}bin/{,g,m}awk rix,
+ /{,usr/}bin/{,e}grep rix,
+ /{,usr/}bin/sed rix,
+ /{,usr/}bin/less rix,
+
+ /{,usr/}bin/ping rPx,
+ /{,usr/}bin/traceroute rPx,
+ /{,usr/}bin/df rPx,
+ /{,usr/}bin/dfc rPx,
+ /{,usr/}bin/ss rPx,
+ /{,usr/}bin/ls rPx,
+ /{,usr/}bin/ps rPx,
+ /{,usr/}bin/ip rPx,
+ /{,usr/}bin/lsblk rPx,
+ /{,usr/}bin/diff rPx,
+ /{,usr/}sbin/blkid rPx,
+
+ @{GRC_PATHS_RO}/** r,
+ @{MOUNTS}/** r,
+
+ deny /var/log/{,**/}*.gz r,
+
+ # Extremely sensitive files
+ audit deny /etc/**.key mrwkl,
+ audit deny /etc/ssh/ssh_host_*_key mrwkl,
+
+ # Noise
+ deny /{,usr/}bin/ r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-g-l/ls b/apparmor.d/profiles-g-l/ls
new file mode 100644
index 00000000..26ce8724
--- /dev/null
+++ b/apparmor.d/profiles-g-l/ls
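Review bot: The `owner` qualifier on `owner @{HOME}/.grc/** r,` is ineffective, because `@{GRC_PATHS_RO}/** r,` further down expands to an unqualified `@{HOME}/** r,` (and likewise `/etc/**`, `/tmp/**`, `/var/**`), so grc may read any file under those trees that DAC allows, regardless of which user owns it. The two `audit deny` rules for `/etc/**.key` and the ssh host keys only carve two patterns out of that broad grant; other private material under `/etc` and `@{HOME}` (for example `~/.ssh`, `~/.gnupg`) stays readable, which is more than a colorizer of logs and command output needs. Dropping `@{HOME}` from `@{GRC_PATHS_RO}` and adding `owner @{HOME}/** r,` keeps the cross-user restriction the `.grc` rule intended, and the upstream `abstractions/private-files-strict` abstraction is a reasonable starting point for the usual sensitive dot-directories. The `include` and `abi` targets were lost in this rendering, so it is not visible whether one of the existing includes already supplies such deny rules.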
@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{,usr/}bin/ls
+profile ls @{exec_path} {
+ @{exec_path} r,
+ include
+ include
+
+ capability dac_read_search,
+
+ # Directory traverse
+ / r,
+ /**/ r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss
new file mode 100644
index 00000000..ff959b34
--- /dev/null
+++ b/apparmor.d/profiles-s-z/ss
@@ -0,0 +1,39 @@
+# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{,usr/}bin/ss
+profile ss @{exec_path} {
+ @{exec_path} r,
+ include
+ include
+
+ capability net_admin,
+ capability dac_read_search,
+ capability sys_ptrace,
+
+ ptrace (read),
+
+ /etc/iproute2/{,**} r,
+
+ @{PROC} r,
+ @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/attr/current r,
+ @{PROC}/@{pid}/net/sockstat r,
+ @{PROC}/@{pid}/net/snmp r,
+
+ owner /tmp/*.ss rw,
+ owner @{HOME}/*.ss rw,
+
+ # [e]xtended
+ @{PROC}/@{pid}/mounts r,
+ @{sys}/fs/cgroup/{,**/} r,
+
+ include if exists
+}
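Review bot: `capability dac_read_search,` is the only non-trivial grant in the ls profile and carries no comment saying why a directory lister needs a capability at all; presumably it is so that a confined root `ls` can still enter directories owned by other users, since AppArmor mediates capability use even for uid 0. A why-comment such as `# Let root list directories it does not own (AppArmor mediates the capability even for uid 0)` above the rule would save the next reviewer the same question. Noting alongside the `/**/ r,` traverse rules that the profile deliberately grants no regular-file reads would also make the intended scope explicit.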
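Review bot: No `network netlink raw,` rule is visible in the ss profile, yet ss queries socket state from the kernel over a NETLINK_SOCK_DIAG socket; unless one of the `include` targets (not rendered here) supplies it, that query is denied, and as far as I recall ss then falls back to parsing `/proc/net/*`, which this profile does not allow either (`@{PROC} r,` covers only the directory and the `@{PROC}/@{pid}/net/` rules list just `sockstat` and `snmp`), so the tool would report no sockets. Adding `network netlink raw,` next to the capability rules is the fix, subject to checking what the included abstractions already provide. The three capabilities and `ptrace (read)` also deserve a why-comment, e.g. `# -p: match sockets to their owning process via @{PROC}/@{pid}/fd/` on `capability sys_ptrace,`, and `net_admin` in particular is a strong grant whose purpose is not evident from the hunk — if it is only needed for socket destruction (`-K`), saying so would let a deployment that never uses that option drop it.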