Index: docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go =================================================================== --- docker.orig/vendor/src/github.com/docker/libcontainer/apparmor/gen.go +++ docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go @@ -25,18 +25,6 @@ profile {{.Name}} flags=(attach_disconne network, capability, file, - umount, - - mount fstype=tmpfs, - mount fstype=mqueue, - mount fstype=fuse.*, - mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, - mount fstype=efivarfs -> /sys/firmware/efi/efivars/, - mount fstype=fusectl -> /sys/fs/fuse/connections/, - mount fstype=securityfs -> /sys/kernel/security/, - mount fstype=debugfs -> /sys/kernel/debug/, - mount fstype=proc -> /proc/, - mount fstype=sysfs -> /sys/, deny @{PROC}/sys/fs/** wklx, deny @{PROC}/sysrq-trigger rwklx, @@ -45,10 +33,6 @@ profile {{.Name}} flags=(attach_disconne deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx, deny @{PROC}/sys/kernel/*/** wklx, - deny mount options=(ro, remount) -> /, - deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, - deny mount fstype=devpts, - deny /sys/[^f]*/** wklx, deny /sys/f[^s]*/** wklx, deny /sys/fs/[^c]*/** wklx,
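Review bot: Nothing in this patch records why the mount rules are removed or on which hosts that is safe: the first hunk drops `umount,` and every `mount fstype=…` allow rule, and the second hunk (`@@ -45,10 +33,6 @@`) appears to drop the three `deny mount …` rules, including `deny mount options=(ro, remount) -> /,`. Presumably the target is an AppArmor parser or kernel without mount mediation, where these rules fail to load; if so, the generated profile no longer constrains mounts at all on that host, and that protection has to come from another layer. On a host that does mediate mounts, a profile with no mount rules would likely refuse the mounts the removed allow rules covered, so the patched template is only appropriate for the first case. I would keep a comment in the template at the removal site, e.g. `# mount/umount rules omitted: host AppArmor lacks mount mediation, so mounts are NOT confined by this profile`, or emit the rules conditionally on detected support instead of deleting them. The profile template starts and ends outside both hunks, so the remaining rules are not fully visible here.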