diff --git a/contrib/apparmor/docker b/contrib/apparmor/docker
index 4674ecf6e9c..7044545e871 100644
--- a/contrib/apparmor/docker
+++ b/contrib/apparmor/docker
@@ -23,3 +23,15 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
 }
+
+profile docker-unconfined flags=(attach_disconnected,mediate_deleted) {
+  #include
+
+  network,
+  capability,
+  file,
+  umount,
+  mount,
+  pivot_root,
+  change_profile -> *,
+}
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index 0f0a6a12dc4..c5e0cdee4a4 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -198,7 +198,7 @@ func (d *driver) setPrivileged(container *configs.Config) (err error) {
 	container.Devices = hostDevices
 	if apparmor.IsEnabled() {
-		container.AppArmorProfile = "unconfined"
+		container.AppArmorProfile = "docker-unconfined"
 	}
 	return nil
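Review bot: The `#include` line inside `docker-unconfined` has no target as it appears here; if the intended line is `#include <abstractions/base>` the angle-bracketed part was probably lost in rendering, but as written the profile will not parse and the daemon will fail to load it, so confirm against the real file. The profile also carries no comment saying what it is for, and its rules (`capability,`, `file,`, `mount,`, `change_profile -> *,`) grant everything AppArmor mediates, which only makes sense for `--privileged` containers; I would add above the `profile` line: `# Applied to --privileged containers: a loadable profile that grants everything AppArmor mediates, standing in for the special "unconfined" name.` Note in particular that `change_profile -> *,` lets a process under this profile transition into any loaded profile, including host ones, so it must never be attached to a non-privileged container. Hedged: if the target kernel also mediates ptrace or signal, this rule set is still narrower than true unconfined and would need rules for those too.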
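Review bot: `docker-unconfined` is a named profile that must be loaded into the kernel before a privileged container can start, unlike the special name `unconfined` it replaces, and nothing in this hunk checks that it is installed; if the daemon's profile installation does not also load it, `--privileged` containers will fail to start, or run under whatever the executor falls back to for an unknown profile. I would verify the profile is loaded before assigning it (hedged: the hunk shows only `apparmor.IsEnabled`, so whichever helper the `apparmor` package offers) and return an error from `setPrivileged` otherwise, rather than leaving the failure to the executor. A comment on the new line would also help the next reader: `// Named, loadable profile that grants everything; unlike the built-in "unconfined" it must be installed before use.` setPrivileged's body begins outside the hunk.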