diff --git a/profiles/apparmor.d/unshare-userns-restrict b/profiles/apparmor.d/unshare-userns-restrict
new file mode 100644
index 000000000..217cb0ebb
--- /dev/null
+++ b/profiles/apparmor.d/unshare-userns-restrict
@@ -0,0 +1,29 @@
+# This profile allows almost everything and only exists to allow
+# unshare to work on a system with user namespace restrictions
+# being enforced.
+# unshare is allowed access to user namespaces and capabilities
+# within the user namespace, but its children do not have
+# capabilities, blocking unshare from being able to be used to
+# arbitrarily by-pass the user namespace restrictions.
+
+profile unshare /usr/bin/unshare flags=(attach_disconnected) {
+ allow capability,
+ allow file rwlkm /{**,},
+ allow network,
+ allow unix,
+ allow ptrace,
+ allow signal,
+ allow mqueue,
+ allow io_uring,
+ allow userns,
+ allow mount,
+ allow umount,
+ allow pivot_root,
+ allow dbus,
+ audit allow cx /** -> unpriv_unshare,
+
+ profile unpriv_unshare flags=(attach_disconnected) {
+ allow all,
+ deny capability,
+ }
+}
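Review bot: The profile declares no `abi` rule even though it relies on rule classes (`userns`, `mqueue`, `io_uring`, `allow all`) that older policy ABIs do not express; without one the parser appears to take the feature set from the running kernel, so whether the userns/capability split described in the header is actually enforced would vary by host instead of being pinned by the policy — adding `abi <abi/4.0>,` above the `profile unshare` line (plus `include <tunables/global>` if this is meant to sit alongside the other apparmor.d profiles) would make that explicit. In the `unpriv_unshare` child, `allow all,` followed by `deny capability,` only has the intended effect because AppArmor gives deny rules precedence over allow; a one-line comment there, `# deny wins over allow: children keep every other access but no capabilities`, would stop the next reader from taking it for a contradiction. Following the other profiles in this directory, an `include if exists <local/unshare-userns-restrict>` hook for site-specific overrides is also missing.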