github.com/campoy/docker@v1.8.0-rc1/contrib/apparmor/docker (about)

     1  #include <tunables/global>
     2  # docker-default allows broadly, then denies specific /proc and /sys paths and all mounts; the deny list is the effective policy.
     3  profile docker-default flags=(attach_disconnected,mediate_deleted) {
     4    #include <abstractions/base>
     5    # Bare keywords grant the whole rule class: all networking, every capability, all file access, any umount.
     6    network,
     7    capability,
     8    file,
     9    umount,
    10    # /proc: deny rules take precedence over the allows above. Perms: r=read w=write k=lock l=link x=exec.
    11    deny @{PROC}/sys/fs/** wklx,  # read is not denied here, only modification and exec
    12    deny @{PROC}/sysrq-trigger rwklx,  # r is denied as well, so no access at all
    13    deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,  # looks meant to spare shm*, but each class tests one character position: names with 's' first, 'h' second or 'm' third, or shorter than three characters, are not matched. NOTE(review): check which sysctls that leaves writable
    14    deny @{PROC}/sys/kernel/*/** wklx,  # everything inside subdirectories of /proc/sys/kernel
    15    # Every mount operation is denied; the bare umount rule above is a separate rule type and stays allowed.
    16    deny mount,
    17    # /sys: the next five rules narrow one path prefix per rule, so only paths under /sys/fs/cgr*/ escape the write denial (prefix match, not the full name "cgroup").
    18    deny /sys/[^f]*/** wklx,  # top-level dirs not starting with 'f'
    19    deny /sys/f[^s]*/** wklx,  # dirs starting with 'f' whose second character is not 's'
    20    deny /sys/fs/[^c]*/** wklx,  # under /sys/fs: dirs not starting with 'c'
    21    deny /sys/fs/c[^g]*/** wklx,  # under /sys/fs: 'c' followed by anything but 'g'
    22    deny /sys/fs/cg[^r]*/** wklx,  # under /sys/fs: 'cg' followed by anything but 'r'
    23    deny /sys/firmware/efi/efivars/** rwklx,  # reads denied too; sibling paths under /sys/firmware are only write-denied by the [^f] rule's neighbours above
    24    deny /sys/kernel/security/** rwklx,  # reads denied too
    25  }