From 87376c3add7dcd48830060652554e7ae43d11881 Mon Sep 17 00:00:00 2001
From: Eric Windisch
Date: Fri, 15 May 2015 14:35:48 -0400
Subject: [PATCH] Introduce a dedicated unconfined AA policy
By using the 'unconfined' policy for privileged containers, we have inherited the host's apparmor policies, which really make no sense in the context of the container's filesystem. For instance, policies written against the paths of binaries such as '/usr/sbin/tcpdump' can be easily circumvented by moving the binary within the container filesystem.
Fixes GH#5490
Signed-off-by: Eric Windisch
---
 contrib/apparmor/docker | 12 ++++++++++++
 daemon/execdriver/native/create.go | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/contrib/apparmor/docker b/contrib/apparmor/docker
index 4674ecf6e9..7044545e87 100644
--- a/contrib/apparmor/docker
+++ b/contrib/apparmor/docker
@@ -23,3 +23,15 @@ profile docker-default flags=(attach_disconnected,mediate_deleted) {
 deny /sys/firmware/efi/efivars/** rwklx,
 deny /sys/kernel/security/** rwklx,
 }
+
+profile docker-unconfined flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ network,
+ capability,
+ file,
+ umount,
+ mount,
+ pivot_root,
+ change_profile -> *,
 }
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index 0f0a6a12dc..c5e0cdee4a 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -198,7 +198,7 @@ func (d *driver) setPrivileged(container *configs.Config) (err error) {
 container.Devices = hostDevices
 if apparmor.IsEnabled() {
- container.AppArmorProfile = "unconfined"
+ container.AppArmorProfile = "docker-unconfined"
 }
 return nil
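Review bot: The new docker-unconfined profile lists only the classic rule classes (`file,`, `capability,`, `network,`, `mount,`, `umount,`, `pivot_root,`, `change_profile -> *,`) and says nothing about the mediation classes newer AppArmor parsers and kernels add — ptrace, signal, unix sockets, dbus — so where those are mediated a privileged container in this profile is denied cross-profile ptrace/signal and unix-socket operations that the old `unconfined` setting allowed, which is a behavioural regression for `--privileged`. If the target parser accepts them, add `ptrace,`, `signal,`, `unix,` and `dbus,` next to `network,` so the profile is genuinely unconfined rather than merely permissive in the classes it happens to name; a named profile always mediates, it never equals `unconfined`. The profile head deserves a comment stating the rationale the commit message gives, something like `# Privileged containers: a named, all-permissive profile so that exec stays here (file, implies ix) instead of transitioning into host profiles keyed on paths such as /usr/sbin/tcpdump`. Separately, the `#include` line as rendered here carries no target; if the committed file really lacks one (presumably `<abstractions/base>`), the parser rejects the whole file and privileged containers cannot start — worth confirming against the actual commit.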
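Review bot: `container.AppArmorProfile = "docker-unconfined"` hard-codes a profile name that nothing in this diff loads into the kernel: per the diffstat only the contrib profile text and this one line change, so on a host where the daemon itself generates and loads `docker-default` (not visible here, but the contrib file is not what the daemon installs) `docker-unconfined` exists only if a distro package ships contrib/apparmor/docker, and otherwise every `--privileged` container fails when the profile is applied. Since setPrivileged already returns an error, I would fail closed and explicitly: check that the profile is loaded (the same way the daemon checks `docker-default`, e.g. by reading the loaded-profile list under /sys/kernel/security/apparmor) and `return fmt.Errorf("apparmor profile %q is not loaded", "docker-unconfined")` rather than silently falling back to `unconfined`, which would quietly reinstate the host-policy leakage this commit fixes. The profile-installation step of the daemon also needs to load docker-unconfined alongside docker-default, or the fix is only effective on packaged installs. setPrivileged begins before this hunk and its closing brace lies outside it.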