diff --git a/debian/control b/debian/control
index 03940deaba87a4befc2549c6eb4613f7f38fe92f..3f1b0191a16d35fcd536fb67a48a9506e7ea6f48 100644
--- a/debian/control
+++ b/debian/control
@@ -13,6 +13,7 @@ Vcs-Git: https://salsa.debian.org/systemd-team/systemd.git
 Vcs-Browser: https://salsa.debian.org/systemd-team/systemd
 Homepage: https://www.freedesktop.org/wiki/Software/systemd
 Build-Depends: debhelper (>= 10.4~),
+               dh-apparmor,
                pkg-config,
                xsltproc,
                docbook-xsl,
diff --git a/debian/lib.systemd.systemd-logind b/debian/lib.systemd.systemd-logind
new file mode 100644
index 0000000000000000000000000000000000000000..60425ad62bbf8bd463b0271a8a0269d8a475be60
--- /dev/null
+++ b/debian/lib.systemd.systemd-logind
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+#
+# Copyright (C) 2015-2017 Collabora Ltd.
+#
+# SPDX-License-Identifier: MPL-2.0
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# This profile is fairly permissive: systemd-logind is very much a trusted
+# process anyway (it has CAP_MAC_ADMIN and CAP_SYS_ADMIN) so there's
+# little point in trying to restrict it extensively: it's mainly here so
+# we can identify logind as a D-Bus peer in other profiles.
+#
+# We put it in enforcing mode so that we have a consistent story (saying
+# everything is enforcing is simpler than listing exceptions), and
+# it could potentially also mitigate attacks in which logind could be
+# tricked into reading and trusting files that it shouldn't.
+
+#include <tunables/global>
+
+/lib/systemd/systemd-logind {
+  #include <abstractions/base>
+  #include <abstractions/dbus-strict>
+  #include <abstractions/nameservice>
+
+  capability sys_admin,
+  capability mac_admin,
+  capability audit_control,
+  capability chown,
+  capability kill,
+  capability dac_read_search,
+  capability dac_override,
+  capability fowner,
+  capability sys_tty_config,
+
+  /lib/systemd/systemd-logind mr,
+
+  dbus bind bus=system name=org.freedesktop.login1,
+  dbus (send, receive) bus=system,
+
+  network netlink,
+
+  mount fstype=tmpfs -> /run/user/*/,
+
+  /dev/dri/* rw,
+  /dev/input/* rw,
+  /dev/tty* rw,
+  /etc/systemd/** r,
+  /etc/udev/** r,
+  /proc/** r,
+  /run/systemd/notify w,
+  /run/systemd/seats/{,*} rw,
+  /run/systemd/sessions/{,*} rw,
+  /run/systemd/users/{,*} rw,
+  /run/systemd/inhibit/{,*} rw,
+  /run/nologin rw,
+  "/run/.#nologin*" rw,
+  /run/utmp rwk,
+  /run/systemd/shutdown/scheduled rw,
+  "/run/systemd/shutdown/.#scheduled*" rw,
+  /run/udev/** r,
+  /run/user/*/ w,
+  /var/lib/systemd/linger/{,**} r,
+  /sys/** r,
+}
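Review bot: The profile grants `mount fstype=tmpfs -> /run/user/*/,` and `/run/user/*/ w,` but has no `umount` rule and no access below the runtime directory, even though its header says it runs in enforcing mode. If the packaged logind also unmounts and cleans up /run/user/UID at logout (not visible in this diff), those operations would be denied, and a rule such as `umount /run/user/*/,` may be needed. This is worth confirming by running a login/logout cycle and checking the audit log for `apparmor="DENIED"` entries naming this profile. Separately, `/dev/tty* rw,` also matches serial nodes such as /dev/ttyS0; if logind only needs virtual consoles, `/dev/tty[0-9]* rw,` is narrower.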
diff --git a/debian/rules b/debian/rules
index 29fb0c8b310ed3b7851aff07d92ff03dd9a01e2e..d7b678fcff9d2e8c5b2883ab30a4bc971e0af821 100755
--- a/debian/rules
+++ b/debian/rules
@@ -269,6 +269,8 @@ ifeq ($(DEB_VENDOR),Ubuntu)
 	install --mode=755 debian/extra/set-cpufreq debian/systemd/lib/systemd/
 endif
 
+	dh_apparmor -psystemd --profile-name=lib.systemd.systemd-logind
+
 override_dh_missing:
 	dh_missing --sourcedir debian/install/deb $(DH_MISSING)
 
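Review bot: The added `dh_apparmor` call has no comment explaining its ordering requirement, and the recipe it belongs to starts above this hunk. dh_apparmor expects the profile to already be present under debian/systemd/etc/apparmor.d/, so the call has to run after the step that processes debian/systemd.install. A comment such as `# must run after dh_install: the profile is installed via debian/systemd.install` would make that explicit. The generated maintainer-script snippet only loads the profile, so a logind that is already running presumably stays unconfined until it is next started; confinement may not take effect until a restart or reboot.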
diff --git a/debian/systemd.install b/debian/systemd.install
index 5ad451192bbb37838fc98113caf3722b790219a0..4f58408ca1db0a4833f95a35d5c4ade002ae4c18 100644
--- a/debian/systemd.install
+++ b/debian/systemd.install
@@ -66,3 +66,4 @@ var/lib
 ../../extra/units/* lib/systemd/system/
 ../../extra/dhclient-exit-hooks.d/ etc/dhcp/
 ../../extra/pam.d etc/
+../../lib.systemd.systemd-logind etc/apparmor.d/