diff --git a/examples/security/apparmor/README.md b/examples/security/apparmor/README.md new file mode 100644 index 0000000..6413bb3 --- /dev/null +++ b/examples/security/apparmor/README.md @@ -0,0 +1,11 @@ +## Example AppArmor profile for Rspamd Docker container + +This is an example AppArmor profile for restricting the Rspamd Docker container. It might not be feature-complete: you should be prepared to deal with possible fallout by reviewing logs & making necessary changes. The profile is aimed merely at running Rspamd and doesn't support use-cases such as logging in to the container. + +### Usage + +``` +sudo cp rspamd-docker.profile /etc/apparmor.d/ +sudo systemctl reload apparmor +docker run -v rspamd_dbdir:/var/lib/rspamd --security-opt apparmor=rspamd-docker -ti rspamd/rspamd +``` diff --git a/examples/security/apparmor/rspamd-docker.profile b/examples/security/apparmor/rspamd-docker.profile new file mode 100644 index 0000000..8882a92 --- /dev/null +++ b/examples/security/apparmor/rspamd-docker.profile @@ -0,0 +1,18 @@ +#include + +profile rspamd-docker { + #include + #include + #include + #include + + owner /dev/shm/* rw, + /etc/magic r, + /etc/magic.mime r, + /etc/rspamd/** r, + /sys/kernel/mm/transparent_hugepage/enabled r, + /usr/bin/rspamd mr, + /usr/share/rspamd/** r, + /var/lib/rspamd/ r, + /var/lib/rspamd/** rwk, +}
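Review bot: the README (first hunk) tells readers to watch for fallout by "reviewing logs" but not where AppArmor denials appear or how to test without breaking mail flow; add a sentence that denials are logged in the kernel log (`dmesg` / `journalctl -k`, or `/var/log/audit/audit.log` when auditd runs) as `apparmor="DENIED"` events, and that the profile can first be loaded in complain mode with `aa-complain /etc/apparmor.d/rspamd-docker.profile` so missing rules are recorded rather than enforced. The `sudo systemctl reload apparmor` step also only works on distributions that ship an apparmor service unit; `sudo apparmor_parser -r /etc/apparmor.d/rspamd-docker.profile` loads this one profile on any AppArmor host. Minor: the usage fence has no language tag (```sh).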
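Review bot: every `#include` line in the profile hunk is empty, so `apparmor_parser` would reject the file exactly as shown; the angle-bracketed targets (the top-level tunables include and the `abstractions/...` includes inside the `profile rspamd-docker {` block) must be present in the committed file, and if they were stripped in rendering that should be confirmed before merge. Related: Rspamd listens on TCP sockets and performs DNS lookups, yet no `network` rule is visible; unless one of the (unreadable) included abstractions grants it, add explicit rules such as `network inet stream,` / `network inet6 stream,` / `network inet dgram,` / `network inet6 dgram,`, otherwise the worker sockets will be denied. Also consider `profile rspamd-docker flags=(attach_disconnected,mediate_deleted) {`, the flags Docker's own default container profile sets, so paths that are disconnected from the container's mount namespace are still matched by the rules instead of being denied outright.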