diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect
new file mode 100644
index 00000000..61696e1f
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-dissect
@@ -0,0 +1,44 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/systemd-dissect
+profile systemd-dissect @{exec_path} {
+  include <abstractions/base>
+
+  capability dac_read_search,
+  capability sys_admin,
+  capability sys_resource,
+
+  mount options=(rw, rslave) -> /,
+  mount options=(rw, nodev) -> /mnt/*/,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/fsck  rPx,
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
+
+  # Location of file system OS images
+  @{user_build_dirs}/{,**} r,
+  @{user_pkg_dirs}/{,**} r,
+  @{user_projects_dirs}/{,**} r,
+  @{user_vm_dirs}/{,**} r,
+
+  owner /tmp/dissect-*/{,**} rw,
+
+  @{sys}/devices/virtual/block/loop[0-9]*/{,**} r,
+  @{sys}/kernel/uevent_seqnum r,
+
+  @{PROC}/@{pids}/cgroup r,
+
+  /dev/loop-control rwk,
+  /dev/loop*  rwk,
+
+  include if exists <local/systemd-dissect>
+}
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index d05d2282..58916ada 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -169,6 +169,7 @@ systemd-binfmt attach_disconnected,complain
 systemd-cgls complain
 systemd-cgtop complain
 systemd-coredump attach_disconnected,complain
+systemd-dissect complain
 systemd-environment-d-generator complain
 systemd-escape complain
 systemd-hostnamed attach_disconnected,complain