diff --git a/profiles/apparmor.d/lsb_release b/profiles/apparmor.d/lsb_release
new file mode 100644
index 000000000..5c05ba4db
--- /dev/null
+++ b/profiles/apparmor.d/lsb_release
@@ -0,0 +1,50 @@
+# Note: This profile does not specify an attachment path because it is
+# intended to be used only via "Px -> lsb_release" exec transitions from
+# other profiles. We want to confine the lsb_release(1) utility when it
+# is invoked from other confined applications, but not when it is used
+# in regular (unconfined) shell scripts or run directly by the user.
+
+#include <tunables/global>
+
+# Do not attach to /usr/bin/lsb_release by default
+profile lsb_release {
+  #include <abstractions/base>
+  #include <abstractions/python>
+
+  owner @{PROC}/@{pid}/fd/ r,
+
+  /dev/tty rw,
+
+  /usr/bin/lsb_release r,
+  /usr/bin/python3.[0-9] mr,
+
+  /etc/debian_version r,
+  /etc/default/apport r,
+  /etc/dpkg/origins/** r,
+  /etc/lsb-release r,
+  /etc/lsb-release.d/ r,
+
+  /{usr/,}bin/bash ixr,
+  /{usr/,}bin/dash ixr,
+  /usr/bin/basename ixr,
+  /usr/bin/dpkg-query ixr,
+  /usr/bin/getopt ixr,
+  /usr/bin/sed ixr,
+  /usr/bin/tr ixr,
+
+  # TODO - many more permissions needed for this to work
+  deny /usr/bin/apt-cache x,
+
+  /usr/bin/ r,
+  /usr/include/python*/pyconfig.h r,
+  /usr/share/distro-info/** r,
+  /usr/share/dpkg/** r,
+  /usr/share/terminfo/** r,
+  /var/lib/dpkg/** r,
+
+  # file_inherit
+  deny /tmp/gtalkplugin.log w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/lsb_release>
+}