diff --git a/manager/app/src/main/cpp/ksu.cc b/manager/app/src/main/cpp/ksu.cc
index 76ab732d..e6c1d7c6 100644
--- a/manager/app/src/main/cpp/ksu.cc
+++ b/manager/app/src/main/cpp/ksu.cc
@@ -31,6 +31,9 @@
 #define CMD_ADD_DENY_LIST 16
 #define CMD_REMOVE_DENY_LIST 17
+#define CMD_GET_APP_PROFILE 18
+#define CMD_SET_APP_PROFILE 19
+
 static bool ksuctl(int cmd, void* arg1, void* arg2) {
 int32_t result = 0;
 prctl(KERNEL_SU_OPTION, cmd, arg1, arg2, &result);
@@ -75,6 +78,22 @@ bool is_safe_mode() {
 return ksuctl(CMD_CHECK_SAFEMODE, nullptr, nullptr);
 }
+bool set_app_profile(const app_profile *profile) {
+ return ksuctl(CMD_SET_APP_PROFILE, (void*) profile, nullptr);
+}
+
+bool get_app_profile(int32_t key, app_profile *profile) {
+ return ksuctl(CMD_GET_APP_PROFILE, (void*) profile, nullptr);
+}
+
+bool get_default_non_root_app_profile(app_profile *profile) {
+ return get_app_profile(DEFAULT_NON_ROOT_PROFILE_KEY, profile);
+}
+
+bool get_default_root_app_profile(app_profile *profile) {
+ return get_app_profile(DEFAULT_ROOT_PROFILE_KEY, profile);
+}
+
 bool is_allowlist_mode() {
 int32_t mode = -1;
 ksuctl(CMD_GET_WORK_MODE, &mode, nullptr);
diff --git a/manager/app/src/main/cpp/ksu.h b/manager/app/src/main/cpp/ksu.h
index a8b7b50b..b85e2684 100644
--- a/manager/app/src/main/cpp/ksu.h
+++ b/manager/app/src/main/cpp/ksu.h
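Review bot: In the `@@ -75,6 +78,22 @@` hunk of ksu.cc, `get_app_profile` never reads its `key` parameter, so `get_default_root_app_profile` and `get_default_non_root_app_profile` issue the same request and the lookup depends on whatever `profile->key` already contains, which may be uninitialized caller memory. Assuming the kernel takes the key from the struct (the handler is not part of this diff), set it before the call with `profile->key = key;`. These profiles carry the uid, capabilities, SELinux domain and `allow_su` for an app, so returning the wrong one means a privilege decision is displayed or edited from the wrong data. Separately, `(void*) profile` in `set_app_profile` silently drops `const`; `const_cast<app_profile *>(profile)` would make that explicit.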
@@ -33,4 +33,33 @@ bool add_to_deny_list(int uid);
 bool remove_from_deny_list(int uid);
+// NGROUPS_MAX for Linux is 65535 generally, but we only supports 32 groups.
+#define KSU_MAX_GROUPS 32
+#define KSU_SELINUX_DOMAIN 64
+
+#define DEFAULT_ROOT_PROFILE_KEY 0
+#define DEFAULT_NON_ROOT_PROFILE_KEY 9999 // This UID means NOBODY in Android
+
+struct app_profile {
+
+ int32_t key; // this is usually the uid of the app, but can be other value for special apps
+
+ int32_t uid;
+ int32_t gid;
+
+ int32_t groups[KSU_MAX_GROUPS];
+ int32_t groups_count;
+
+ // kernel_cap_t is u32[2]
+ uint64_t capabilities;
+ char selinux_domain[KSU_SELINUX_DOMAIN];
+
+ bool allow_su;
+ bool mount_module;
+};
+
+bool set_app_profile(const app_profile *profile);
+
+bool get_app_profile(int32_t key, app_profile *profile);
+
 #endif //KERNELSU_KSU_H
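Review bot: `struct app_profile` is handed to the kernel by pointer through `prctl`, but the definition does not state the invariants both sides have to hold. I would document on the fields that `groups_count` must satisfy `0 <= groups_count <= KSU_MAX_GROUPS` (it is signed, so a negative value needs rejecting too) and that `selinux_domain` must be NUL-terminated within `KSU_SELINUX_DOMAIN` bytes, and enforce both where the struct is filled and consumed; those sites are not in this diff. A `static_assert` on `sizeof(app_profile)` next to the definition, with the size taken from the kernel-side header, would catch layout drift from the `bool` members and any padding. `get_default_root_app_profile` and `get_default_non_root_app_profile` are defined in ksu.cc without `static` yet are not declared in this header.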