diff --git a/profiles/apparmor.d/iotop-c b/profiles/apparmor.d/iotop-c
index f02fbc7a6..ce35fc081 100644
--- a/profiles/apparmor.d/iotop-c
+++ b/profiles/apparmor.d/iotop-c
@@ -8,7 +8,15 @@ profile iotop-c /usr/sbin/iotop-c {
  include
  capability net_admin,
- capability sys_admin,
+ # The ioprio_set syscall checks for sys_admin or sys_nice
+ # (with sys_admin checked first, with OR shortcut logic)
+ # when used to set a real-time scheduler, and later checks
+ # for sys_nice if the target uid is not equal to the caller's
+ # uid or euid (e.g the sys_nice check will not be exercised
+ # when changing euid via sudo). sys_nice covers the perms
+ # required for this syscall and is less broad than sys_admin,
+ # so silence a denial of sys_admin and force reliance on sys_nice.
+ deny capability sys_admin,
  capability sys_nice,
  network netlink raw,
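Review bot: The new `deny capability sys_admin,` rule relies on a kernel behaviour the comment block above it does not spell out: the sys_nice alternative in the real-time-class branch of ioprio_set was, if memory serves, only added in relatively recent kernels, so on an older kernel this rule does not merely quiet a spurious log line but makes setting an RT I/O priority fail with EPERM, and because `deny` rules are not audited by default the failure leaves no AppArmor record to explain it. I'd add one line to the comment, e.g. `# NOTE: on kernels whose RT-class check accepts only sys_admin this deny makes RT ioprio_set fail with EPERM, quietly, since deny rules are not audited`. Before committing the quiet form, running the profile once with `audit deny capability sys_admin,` would show whether any other iotop-c code path still exercises sys_admin, which the comment's ioprio_set analysis alone cannot rule out. The rest of the profile body continues outside the hunk.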