Merge pull request #17273 from stefanberger/apparmor_policy_1.9

More Rules for AppArmor

contrib/apparmor/template.go

@@ -14,6 +14,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
   mount -> /proc/**,
   mount -> /sys/**,
   mount -> /run/docker/netns/**,
+  mount -> /.pivot_root[0-9]*/,
+
+  / r,
 
   umount,
   pivot_root,
@@ -29,6 +32,7 @@ profile /usr/bin/docker (attach_disconnected, complain) {
   @{DOCKER_GRAPH_PATH}/** rwl,
   @{DOCKER_GRAPH_PATH}/linkgraph.db k,
   @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
+  @{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
 
   # For non-root client use:
   /dev/urandom r,