diff --git a/.image-garden.mk b/.image-garden.mk
index bd12d1a4f..19cc2ded1 100644
--- a/.image-garden.mk
+++ b/.image-garden.mk
@@ -35,6 +35,7 @@ packages:
 - python3-tk
 - python3-ttkthemes
 - swig
+- tinyproxy
 - toybox
 endef
 
diff --git a/profiles/apparmor.d/tinyproxy b/profiles/apparmor.d/tinyproxy
new file mode 100644
index 000000000..22c8c9881
--- /dev/null
+++ b/profiles/apparmor.d/tinyproxy
@@ -0,0 +1,58 @@
+# -*- mode: apparmor; -*-
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile tinyproxy /usr/bin/tinyproxy {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  # allow to drop privileges
+  capability setuid,
+  capability setgid,
+
+  # to provide flexibility, when run as root tinyproxy may need to read files
+  # owned by other users
+  capability dac_override,
+  capability dac_read_search,
+  # also tinyproxy may be configured to bind to a privileged port so ensure we
+  # allow this as well
+  capability net_bind_service,
+
+  file mr /usr/bin/tinyproxy,
+
+  file r @{etc_ro}/tinyproxy/tinyproxy.conf,
+  # tinyproxy.conf allows to configure the locations of various files that will
+  # be written to by tinyproxy including ErrorFile, DefaultErrorFile, LogFile,
+  # and StatFile as well as PidFile. This profile allows tinyproxy to write to
+  # the default locations but if these are changed in the configuration file,
+  # additional rules should be added to the /etc/apparmor.d/local/tinyproxy file
+  # to allow this access
+  file rw /run/tinyproxy/tinyproxy.pid,  # PidFile
+  file rw /var/log/tinyproxy/tinyproxy.log, # LogFile
+
+  file r /usr/share/tinyproxy/*, #ErrorFile, DefaultErrorFile, StatFile etc
+
+  # for network access
+  network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
+
+  # for DNS resolution
+  network netlink raw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/tinyproxy>
+}
diff --git a/tests/profiles/tinyproxy/task.yaml b/tests/profiles/tinyproxy/task.yaml
new file mode 100644
index 000000000..056e55f07
--- /dev/null
+++ b/tests/profiles/tinyproxy/task.yaml
@@ -0,0 +1,14 @@
+summary: smoke test for the tinyproxy profile
+execute: |
+    # restart tinyproxy service as it may already be running
+    systemctl restart tinyproxy
+
+    # wait for it to be running
+    sleep 1
+
+    # check is running
+    systemctl is-active tinyproxy
+
+    # check tinyproxy system service is confined
+    cat /proc/$(pidof tinyproxy)/attr/apparmor/current | MATCH 'tinyproxy \(enforce\)'
+