diff --git a/interfaces/prompting/constraints.go b/interfaces/prompting/constraints.go
index a90d12158ae..f2b70f8cdb2 100644
--- a/interfaces/prompting/constraints.go
+++ b/interfaces/prompting/constraints.go
@@ -137,8 +137,8 @@ var (
 // and if it does not, it should be interpreted as AA_MAY_READ.
 interfaceFilePermissionsMaps = map[string]map[string]notify.FilePermission{
 "home": {
- "read": notify.AA_MAY_READ,
- "write": notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
+ "read": notify.AA_MAY_READ | notify.AA_MAY_GETATTR,
+ "write": notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_SETATTR | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
 "execute": notify.AA_MAY_EXEC | notify.AA_EXEC_MMAP,
 },
 }
diff --git a/interfaces/prompting/constraints_test.go b/interfaces/prompting/constraints_test.go
index 39332a303b5..5b82b75aebe 100644
--- a/interfaces/prompting/constraints_test.go
+++ b/interfaces/prompting/constraints_test.go
@@ -465,7 +465,7 @@ func (s *constraintsSuite) TestAbstractPermissionsFromAppArmorPermissionsUnhappy
 },
 {
 "home",
- notify.AA_MAY_GETATTR | notify.AA_MAY_READ,
+ notify.AA_MAY_GETCRED | notify.AA_MAY_READ,
 "cannot map AppArmor permission to abstract permission for the home interface.*",
 },
 }
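Review bot: Folding AA_MAY_GETATTR into "read" and AA_MAY_SETATTR into "write" silently widens every home rule that already exists: a rule that granted only "read" now also satisfies metadata-only (stat-style) requests and a "write" rule now covers attribute changes, but nothing in the hunk records that the two kernel bits are merged deliberately rather than prompted for on their own. I would add a comment above the map, e.g. `// GETATTR is treated as part of "read" and SETATTR as part of "write", so a metadata-only request does not raise a separate prompt and is covered by an existing read/write rule.` The comment just above the map, which starts outside the hunk, describes the OPEN-without-other-bits fallback; it should also say whether OPEN|GETATTR alone is meant to land on "read", since it now does. If this map is also consulted when matching stored rules against incoming requests, it is worth confirming that widening previously granted rules is intended rather than requiring a fresh prompt for the new bits.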
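Review bot: Swapping AA_MAY_GETATTR for AA_MAY_GETCRED only keeps the unhappy case compiling; nothing in this hunk pins the new positive behaviour that a request carrying AA_MAY_GETATTR, with or without AA_MAY_READ, now maps to "read", nor that AA_MAY_SETATTR maps to "write". Unless the happy-path FromAppArmor table, which lies outside this hunk, already has such cases, I would add one with a bare `notify.AA_MAY_GETATTR` expecting `[]string{"read"}` and one with a bare `notify.AA_MAY_SETATTR` expecting `[]string{"write"}` in whatever row shape that table uses, since those are exactly the mappings constraints.go just gained. The test function's body continues outside the hunk.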
@@ -485,12 +485,12 @@ func (s *constraintsSuite) TestAbstractPermissionsToAppArmorPermissionsHappy(c *
 {
 "home",
 []string{"read"},
- notify.AA_MAY_OPEN | notify.AA_MAY_READ,
+ notify.AA_MAY_OPEN | notify.AA_MAY_READ | notify.AA_MAY_GETATTR,
 },
 {
 "home",
 []string{"write"},
- notify.AA_MAY_OPEN | notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
+ notify.AA_MAY_OPEN | notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_SETATTR | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
 },
 {
 "home",
@@ -500,12 +500,12 @@ func (s *constraintsSuite) TestAbstractPermissionsToAppArmorPermissionsHappy(c *
 {
 "home",
 []string{"read", "execute"},
- notify.AA_MAY_OPEN | notify.AA_MAY_READ | notify.AA_MAY_EXEC | notify.AA_EXEC_MMAP,
+ notify.AA_MAY_OPEN | notify.AA_MAY_READ | notify.AA_MAY_GETATTR | notify.AA_MAY_EXEC | notify.AA_EXEC_MMAP,
 },
 {
 "home",
 []string{"execute", "write", "read"},
- notify.AA_MAY_OPEN | notify.AA_MAY_READ | notify.AA_MAY_EXEC | notify.AA_EXEC_MMAP | notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
+ notify.AA_MAY_OPEN | notify.AA_MAY_READ | notify.AA_MAY_GETATTR | notify.AA_MAY_EXEC | notify.AA_EXEC_MMAP | notify.AA_MAY_WRITE | notify.AA_MAY_APPEND | notify.AA_MAY_CREATE | notify.AA_MAY_DELETE | notify.AA_MAY_RENAME | notify.AA_MAY_SETATTR | notify.AA_MAY_CHMOD | notify.AA_MAY_LOCK | notify.AA_MAY_LINK,
 },
 }
 for _, testCase := range cases {
diff --git a/sandbox/apparmor/notify/permission.go b/sandbox/apparmor/notify/permission.go
index ff1c0600450..d5b39be4825 100644
--- a/sandbox/apparmor/notify/permission.go
+++ b/sandbox/apparmor/notify/permission.go
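Review bot: The expected "write" mask is now spelled out in full in several independent cases of this function (here and in the following hunk), so the next bit added to the map has to be copied into each row by hand and a forgotten copy only surfaces as a failing test after the fact. I would hoist the expected values into locals at the top of the function, e.g. `homeRead := notify.AA_MAY_OPEN | notify.AA_MAY_READ | notify.AA_MAY_GETATTR` with matching `homeWrite` and `homeExec`, and express the combined cases as `homeRead | homeExec | homeWrite`, which reads as the same OR the implementation performs. The function starts before this hunk and continues after the range loop.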
@@ -32,9 +32,9 @@ const (
 AA_MAY_OPEN
 // AA_MAY_RENAME implies that a process may rename a file.
 AA_MAY_RENAME
- // AA_MAY_SETATTR is not checked by the kernel.
+ // AA_MAY_SETATTR implies that a process may modify file attributes.
 AA_MAY_SETATTR
- // AA_MAY_GETATTR is not checked by the kernel.
+ // AA_MAY_GETATTR implies that a process may read file attributes.
 AA_MAY_GETATTR
 // AA_MAY_SETCRED is not used in the kernel.
 AA_MAY_SETCRED
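Review bot: The rewritten comments on AA_MAY_SETATTR and AA_MAY_GETATTR drop the only statement about kernel behaviour without replacing it, so a reader no longer learns whether these bits actually appear in notifications or which operations produce them, even though the prompting layer now maps them onto "read" and "write". The comment should name the operations: if I recall the kernel side correctly, getattr is the stat()/inode-getattr check and setattr accompanies truncate-style attribute changes, but that should be confirmed against the kernel source before it is written down. Something like `// AA_MAY_GETATTR implies that a process may read a file's attributes (stat-style metadata); earlier revisions of this file assumed the kernel never reported it.` keeps the history visible for anyone debugging a kernel that does not send the bit. The enclosing const block starts before the hunk and continues after it.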