diff --git a/files/apparmor/usr.bin.ceph-osd b/files/apparmor/usr.bin.ceph-osd index 95846077..0d1b49d6 100644 --- a/files/apparmor/usr.bin.ceph-osd +++ b/files/apparmor/usr.bin.ceph-osd @@ -1,15 +1,20 @@ # vim:syntax=apparmor #include -/usr/bin/ceph-osd { +/usr/bin/ceph-osd flags=(attach_disconnected) { + #include #include #include #include /usr/bin/ceph-osd mr, + capability audit_write, capability setgid, capability setuid, + capability sys_admin, + capability sys_rawio, + capability sys_resource, capability dac_override, capability dac_read_search, @@ -21,10 +26,12 @@ owner @{PROC}/@{pids}/auxv r, owner @{PROC}/@{pids}/net/dev r, + owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/task/*/comm rw, @{PROC}/loadavg r, @{PROC}/1/cmdline r, + @{PROC}/1/limits r, @{PROC}/partitions r, @{PROC}/sys/kernel/random/uuid r, @@ -38,12 +45,28 @@ /dev/ r, /dev/** rwk, + /run/udev/data/* r, /sys/devices/** r, /run/blkid/blkid.tab r, /bin/dash rix, + /usr/bin/sudo rix, + /usr/libexec/sudo/* rm, + /etc/default/locale r, + /etc/environment r, + /etc/pam.d/* r, + /etc/security/limits.d/ r, + /etc/sudo.conf r, + /etc/sudoers r, + /etc/sudoers.d/ r, + /etc/sudoers.d/* r, + + /usr/sbin/smartctl rix, + /var/lib/smartmontools/** r, + /usr/sbin/nvme rix, + /usr/bin/lsb_release rix, /usr/share/distro-info/** r, /etc/lsb-release r,
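Review bot: `capability sys_admin,` in the new capability block grants the confined daemon a very broad privilege, and combined with the existing `capability dac_override,` and the `/dev/** rwk,` rule visible later in this diff it leaves the profile mediating little around block devices. None of the added capabilities carries a comment naming what needs it. If `sys_admin`, `sys_rawio` and `audit_write` are only required by the sudo, smartctl and nvme helpers added further down (an inference, the diff does not say), record that above them, e.g. `# sys_rawio, sys_admin: SMART/NVMe passthrough ioctls issued by smartctl and nvme`. `flags=(attach_disconnected)` on the profile header changes how disconnected paths are matched against the file rules and should get a one-line reason as well. The profile body continues outside the hunk.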
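Review bot: `/usr/bin/sudo rix,`, `/usr/sbin/smartctl rix,` and `/usr/sbin/nvme rix,` use inherit transitions, so these helpers run under the ceph-osd profile. Everything they need, including read access to `/etc/sudoers`, `/etc/sudoers.d/*` and `/etc/pam.d/*`, is therefore granted to the OSD daemon itself. A nested child profile would keep that out of the daemon: change the exec rule to something like `/usr/bin/sudo Cx -> health_helpers,` (the profile name is illustrative) and move the sudo, PAM, smartmontools and nvme rules, plus whichever capabilities only those tools need, into it. If `ix` is kept, add a comment stating that sudo is constrained only by this profile's exec rules and by the sudoers policy, which this diff does not show. The rule list continues outside the hunk.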