diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index e935d98c..85ce02b6 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -22,7 +22,6 @@ profile acpid @{exec_path} flags=(attach_disconnected) { /etc/acpi/{,**} r, /etc/acpi/handler.sh rix, - /etc/acpi/powerbtn-acpi-support.sh rix, /dev/input/{,**} r, /dev/tty rw, @@ -33,12 +32,43 @@ profile acpid @{exec_path} flags=(attach_disconnected) { owner @{run}/acpid.socket rw, owner @{run}/acpid.pid rw, + /etc/acpi/powerbtn-acpi-support.sh rPx -> acpid//powerbtn-acpi-support.sh, + + include if exists +} + +profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { + /etc/acpi/powerbtn-acpi-support.sh r, + include + include + + capability sys_ptrace, + deny capability net_admin, # ?? + + ptrace (read), # unconfined, tighten later, TODO + + deny / r, + + @{PROC} r, + @{PROC}/uptime r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + /usr/share/acpi-support/** r, + + /{usr/,}bin/sed rix, + /{usr/,}bin/pgrep rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/pinky rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/dbus-send rix, + /{usr/,}bin/systemctl rix, + /{usr/,}sbin/killall5 rix, + /{usr/,}sbin/shutdown rix, + /etc/acpi/powerbtn.sh rix, - # powerbtn-acpi-support.sh - /{usr/,}bin/sed rix, - - /{usr/,}bin/ps rPx, + /{usr/,}bin/ps rPx, /{usr/,}bin/fgconsole rCx, profile fgconsole /usr/bin/fgconsole { @@ -51,5 +81,5 @@ profile acpid @{exec_path} flags=(attach_disconnected) { owner /dev/tty[0-9]* rw, } - include if exists + include if exists }
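Review bot: `capability sys_ptrace` and the peer-less `ptrace (read),` in the new `acpid//powerbtn-acpi-support.sh` profile are inherited by every helper the script runs with `rix`, including the shell, `dbus-send`, `systemctl` and `shutdown`. If pgrep is the only consumer (an assumption to confirm against the script), give it its own child profile, following the `fgconsole rCx` pattern already in this file, so process inspection stays with the one binary that needs it. The `deny capability net_admin, # ??` line also deserves a comment naming the helper that triggers it, because `deny` silences the audit record that would otherwise answer the question. The profile's closing brace lies outside this hunk.

```apparmor
  # … unchanged: script read rule, includes, deny rules, /usr/share/acpi-support …

  /{usr/,}bin/pgrep rCx,   # was rix; ptrace access moves into the child below

  profile pgrep /{usr/,}bin/pgrep {
    include <abstractions/base>

    capability sys_ptrace,
    ptrace (read),   # still any peer, but now limited to pgrep

    /{usr/,}bin/pgrep mr,

    # keep copies of these in the parent only if another helper reads them
    @{PROC} r,
    @{PROC}/uptime r,
    @{PROC}/sys/kernel/osrelease r,
    @{PROC}/@{pid}/stat r,
    @{PROC}/@{pid}/cmdline r,
  }

  # … unchanged: remaining rix helpers, ps rPx, fgconsole child profile …
```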