diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 227760da0..7a32bf898 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -1732,7 +1732,7 @@ def collapse_log(hashlog, ignore_null_profiles=True):
     return log_dict
 
 
-def read_profiles(ui_msg=False, skip_profiles=[]):
+def read_profiles(ui_msg=False, skip_profiles=()):
     # we'll read all profiles from disk, so reset the storage first (autodep() might have created/stored
     # a profile already, which would cause a 'Conflicting profile' error in attach_profile_data())
     #
@@ -1762,7 +1762,7 @@ def read_profiles(ui_msg=False, skip_profiles=[]):
                 read_profile(full_file, True)
 
 
-def read_inactive_profiles(skip_profiles=[]):
+def read_inactive_profiles(skip_profiles=()):
     # The skip_profiles parameter should only be specified by tests.
 
     if hasattr(read_inactive_profiles, 'already_read'):
diff --git a/utils/apparmor/sandbox.py b/utils/apparmor/sandbox.py
index fe04de781..e2453af26 100644
--- a/utils/apparmor/sandbox.py
+++ b/utils/apparmor/sandbox.py
@@ -117,7 +117,7 @@ def set_environ(env):
         os.environ[k] = env[k]
 
 
-def aa_exec(command, opt, environ={}, verify_rules=[]):
+def aa_exec(command, opt, environ=None, verify_rules=()):
     """Execute binary under specified policy"""
     if opt.profile is not None:
         policy_name = opt.profile
@@ -162,7 +162,8 @@ def aa_exec(command, opt, environ={}, verify_rules=[]):
             if not found:
                 raise AppArmorException("Could not find required rule: %s" % r)
 
-    set_environ(environ)
+    if environ:
+        set_environ(environ)
     args = ['aa-exec', '-p', policy_name, '--']
     args.extend(command)
     rc, report = cmd(args)