
Adjust docker-default profile when docker daemon is confined

Adjust the docker-default profile for when the docker daemon is running in
AppArmor confinement. To enable 'docker kill' we need to allow the container
to receive kill signals from the daemon.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Stefan Berger 9 years ago
parent
commit
5cd6b3eca2
1 changed file with 6 additions and 0 deletions:
  daemon/execdriver/native/apparmor.go (+6 -0)

+ 6 - 0
daemon/execdriver/native/apparmor.go

@@ -55,6 +55,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   deny /sys/fs/cg[^r]*/** wklx,
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
+
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+  # suppress ptrace denails when using 'docker ps'
+  ptrace (trace,read) peer=docker-default,
 }
 `
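Review bot: the new `signal (receive)` rule hard-codes the daemon's confinement label as `peer=/usr/bin/docker`, so it only takes effect when the daemon is confined under a profile with exactly that name; an installation whose daemon runs from another path or under a differently named profile will still see `docker kill` denied, so consider templating the peer (the profile already uses `{{.Name}}`) or documenting the assumed daemon profile name. On the `ptrace (trace,read) peer=docker-default` rule, `trace` is broader than what reading `/proc` entries for `docker ps` needs, and since every container runs under `docker-default` the peer matches processes in other containers as well; if `read` alone clears the denials, prefer the narrower permission. Finally, the two added comments carry typos, `explict` and `denails`.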