diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss
index b23a92cb..ee4c8dea 100644
--- a/apparmor.d/profiles-s-z/ss
+++ b/apparmor.d/profiles-s-z/ss
@@ -7,7 +7,6 @@ include
 @{exec_path} = /{,usr/}bin/ss
 profile ss @{exec_path} {
- @{exec_path} r,
 include
 include
@@ -15,32 +14,32 @@ profile ss @{exec_path} {
 capability dac_read_search,
 capability sys_ptrace,
- ptrace (read),
-
- signal (receive) set=(int) peer=grc,
-
- /etc/iproute2/{,**} r,
-
- @{PROC} r,
- @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/stat r,
- @{PROC}/@{pid}/attr/current r,
- owner @{PROC}/@{pid}/net/sockstat r,
- owner @{PROC}/@{pid}/net/snmp r,
- owner @{PROC}/@{pid}/net/unix r,
- owner @{PROC}/@{pid}/net/raw r,
- owner @{PROC}/@{pid}/net/tcp r,
- owner @{PROC}/@{pid}/net/udp r,
-
- # [e]xtended
- owner @{PROC}/@{pid}/mounts r,
- @{sys}/fs/cgroup/{,**/} r,
+ ptrace (read), # unconfined, TODO network netlink raw,
+ @{exec_path} r,
+
+ /etc/iproute2/{,**} r,
+ owner /tmp/*.ss rw, owner @{HOME}/*.ss rw,
+ @{PROC} r,
+ @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/attr/current r,
+ owner @{PROC}/@{pids}/net/sockstat r,
+ owner @{PROC}/@{pids}/net/snmp r,
+ owner @{PROC}/@{pids}/net/unix r,
+ owner @{PROC}/@{pids}/net/raw r,
+ owner @{PROC}/@{pids}/net/tcp r,
+ owner @{PROC}/@{pids}/net/udp r,
+
+ # [e]xtended
+ owner @{PROC}/@{pids}/mounts r,
+ @{sys}/fs/cgroup/{,**/} r,
+
 include if exists
 }
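Review bot: The `# unconfined, TODO` comment attached to `ptrace (read),` in the second hunk records neither why the rule has no `peer=` qualifier nor what the TODO is waiting on, and with `capability sys_ptrace` in the same profile that unqualified rule is what lets ss introspect every process on the host, so the reason deserves to be written down. I would replace it with `# ptrace (read) on any peer: 'ss -p' maps socket inodes to owning processes through @{PROC}/@{pids}/fd/; TODO narrow with peer= once the relevant peer profiles are known`. As rendered here `network netlink raw,` follows that `#` comment on the same physical line; if the committed file really has it there, the rule is part of the comment and is never granted, so it must sit on its own line (this may just be an artifact of the rendering). The `signal (receive) set=(int) peer=grc` rule is dropped without any mention; a one-line note in the commit description saying why it is no longer needed would help the next reader.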