=== modified file 'debian/control'
--- debian/control	2014-05-29 12:15:34 +0000
+++ debian/control	2014-06-24 22:22:27 +0000
@@ -12,7 +12,8 @@
                libudev-dev,
                udev,
                libbluetooth-dev (>= 4.30),
-               mobile-broadband-provider-info
+               mobile-broadband-provider-info,
+               dh-apparmor
 Standards-Version: 3.9.4
 Homepage: http://www.ofono.org/
 # If you aren't a member of ~phablet-team but need to upload

=== modified file 'debian/ofono.dirs'
--- debian/ofono.dirs	2013-10-02 15:34:41 +0000
+++ debian/ofono.dirs	2014-06-24 22:22:27 +0000
@@ -1,1 +1,2 @@
 /var/lib/ofono
+/etc/apparmor.d

=== modified file 'debian/ofono.install'
--- debian/ofono.install	2013-10-02 15:34:41 +0000
+++ debian/ofono.install	2014-06-24 22:22:27 +0000
@@ -4,3 +4,4 @@
 debian/tmp/etc/ofono
 debian/tmp/lib/udev/rules.d/*
 debian/tmp/usr/share/man
+debian/usr.sbin.ofonod etc/apparmor.d

=== modified file 'debian/ofono.upstart'
--- debian/ofono.upstart	2013-10-02 15:34:41 +0000
+++ debian/ofono.upstart	2014-06-24 22:22:27 +0000
@@ -6,4 +6,8 @@
 expect fork
 respawn
 
+pre-start script
+    /lib/init/apparmor-profile-load usr.sbin.ofonod
+end script
+
 exec ofonod -P ril
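Review bot: The new pre-start stanza depends on `/lib/init/apparmor-profile-load`, but nothing visible in this patch adds a runtime dependency on the package that ships that helper; `dh-apparmor` in debian/control appears to be a build dependency only. If the helper is missing or exits non-zero, the pre-start script fails and upstart will presumably not start ofonod at all, so the intended failure mode deserves a comment, e.g. `# Load the profile first: ofonod must not run without its D-Bus allowlist`. Because the profile attaches by path to `/usr/sbin/ofonod`, writing the unchanged last line as `exec /usr/sbin/ofonod -P ril` would make that attachment independent of the job's PATH.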

=== modified file 'debian/rules'
--- debian/rules	2013-12-23 18:38:54 +0000
+++ debian/rules	2014-06-24 22:22:27 +0000
@@ -23,3 +23,7 @@
 
 override_dh_strip:
 	dh_strip --dbg-package=ofono-dbg
+
+override_dh_installdeb:
+	dh_apparmor --profile-name=usr.sbin.ofonod -pofono
+	dh_installdeb

=== added file 'debian/usr.sbin.ofonod'
--- debian/usr.sbin.ofonod	1970-01-01 00:00:00 +0000
+++ debian/usr.sbin.ofonod	2014-06-24 22:22:27 +0000
@@ -0,0 +1,55 @@
+#include <tunables/global>
+
+# Permissive profile limit dbus access
+/usr/sbin/ofonod (attach_disconnected) {
+  capability,
+  mount,
+  remount,
+  umount,
+  network,
+
+  /   rwkl,
+  /** rwlkm,
+  /** pix,
+
+  # We can do anything on dbus
+  dbus (bind, send),
+
+  # Some methods are ok by anyone (ie, dbus-daemon itself)
+  dbus (receive)
+       bus=system
+       interface="org.freedesktop.DBus.Properties",
+
+  # Limit who can connect on DBus to these (LP: #1296415)
+  dbus (receive) peer=(label=/usr/lib/*/indicator-network/indicator-network-service),
+  dbus (receive) peer=(label=/usr/sbin/NetworkManager),
+  dbus (receive) peer=(label=/etc/NetworkManager/dispatcher.d/03mmsproxy),
+  dbus (receive) peer=(label=/usr/bin/nuntium),
+  dbus (receive) peer=(label=/usr/bin/ubuntu-download-manager),
+  dbus (receive) peer=(label=/usr/bin/powerd),
+  dbus (receive) peer=(label=/usr/bin/system-settings),
+  dbus (receive) peer=(label=/usr/lib/*/urfkill/urfkilld),
+  dbus (receive) peer=(label=/usr/lib/telepathy/telepathy-ofono),
+  dbus (receive) peer=(label=ofono_scripts),
+
+  # Allow some ptrace, but don't allow others to ptrace us
+  ptrace (read, readby, trace),
+
+  # We have to let all signals through, since 'init' is unconfined
+  signal,
+}
+
+profile ofono_scripts /usr/share/ofono/scripts/* (attach_disconnected) {
+  capability,
+  mount,
+  remount,
+  umount,
+  network,
+  dbus,
+  ptrace,
+  signal,
+
+  /   rwkl,
+  /** rwlkm,
+  /** pix,
+}
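Review bot: The only restriction this profile enforces is the `dbus (receive)` allowlist; `capability,`, `mount,`, `/** rwlkm,` and `/** pix,` leave ofonod otherwise unconfined, and the header comment should say so, e.g. `# Not a sandbox: everything is allowed except receiving D-Bus messages from unlisted peers (LP: #1296415)`. The unqualified `dbus (bind, send),` could be narrowed to something like `dbus (bind) bus=system name="org.ofono",` plus a `bus=system` send rule, and the peer rules could carry `bus=system` too, assuming ofonod only uses the system bus. The `org.freedesktop.DBus.Properties` receive rule has no `peer=` condition, so it admits any sender on the system bus, which is wider than the "dbus-daemon itself" case its comment gives as the example; confirm that is intended or add a peer condition. The allowlist matches on peer label, so it presumably only works if each listed service actually runs under a profile of that name; this is worth verifying, since an unconfined NetworkManager would carry the label `unconfined` and be rejected.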

