diff --git a/profiles/apparmor/profiles/extras/sbin.rpc.statd b/profiles/apparmor/profiles/extras/sbin.rpc.statd
index 82298e466..7a602abc0 100644
--- a/profiles/apparmor/profiles/extras/sbin.rpc.statd
+++ b/profiles/apparmor/profiles/extras/sbin.rpc.statd
@@ -13,17 +13,38 @@
 profile rpc.statd /{usr/,}sbin/rpc.statd {
 #include
 #include
+
+ # needed to sanely drop privileges
+ capability setgid,
+ capability setuid,
+
+ # changes ownership of pidfile
+ capability chown,
+
+ # not sure why this is needed
+ capability setpcap,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/fs/lockd/nlm_end_grace w,
+ @{PROC}/sys/fs/nfs/** r,
+ @{PROC}/sys/fs/nfs/nsm_local_state w,
+
+ /etc/netconfig r,
 /etc/rpc r,
- /{usr/,}sbin/rpc.statd rmix,
- /sm rw,
- /sm.bak rw,
- /state rw,
+ /{usr/,}sbin/rpc.statd mrix,
+ /{usr/,}sbin/sm-notify mrix,
+ /var/lib/nfs/sm/ r,
 /var/lib/nfs/sm/* rw,
- /var/lib/nfs/statd rw,
- /var/lib/nfs/statd/sm r,
+ /var/lib/nfs/sm.bak/ r,
+ /var/lib/nfs/statd/ rw,
+ /var/lib/nfs/statd/sm/ r,
 /var/lib/nfs/statd/sm/* rwl,
 /var/lib/nfs/statd/state rw,
- /var/lib/nfs/statd/sm.bak r,
+ /var/lib/nfs/statd/sm.bak/ r,
 /var/lib/nfs/statd/sm.bak/* rwl,
- /{,var/}run/rpc.statd.pid w,
+ /var/lib/nfs/state rwk,
+ /var/lib/nfs/state.new rwl,
+ /{,var/}run/rpc.statd.pid w,
+ /{,var/}run/rpcbind.sock rw,
+ /{,var/}run/sm-notify.pid w,
 }
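Review bot: `capability setpcap,` is granted under the comment `# not sure why this is needed`, so the profile ships a capability that nobody has justified. It is probably needed because the daemon clears its capability bounding set while dropping privileges (prctl `PR_CAPBSET_DROP` requires CAP_SETPCAP). If a denial in the audit log confirms that, replace the comment with `# needed to clear the capability bounding set when dropping privileges`; otherwise drop the rule. Separately, `/{usr/,}sbin/sm-notify mrix,` runs sm-notify under this same profile, which appears to be why rpc.statd now also gets `/var/lib/nfs/state rwk,`, `/var/lib/nfs/state.new rwl,` and `/{,var/}run/sm-notify.pid w,`. A child profile entered with `Cx` would keep those write and lock permissions out of the long-running daemon.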