@{DOCKER_GRAPH_PATH}=/var/lib/docker

profile /usr/bin/docker (attach_disconnected) {
  # Prevent following links to these files during container setup.
  deny /etc/** mkl,
  deny /dev/** kl,
  deny /sys/** mkl,
  deny /proc/** mkl,

  mount -> @{DOCKER_GRAPH_PATH}/**,
  mount -> /,
  mount -> /proc/**,
  mount -> /sys/**,
  mount -> /run/docker/netns/**,

  umount,
  pivot_root,
  signal (receive) peer=@{profile_name},
  signal (receive) peer=unconfined,
  signal (send),
  ipc rw,
  network,
  capability,
  file,

  ptrace peer=@{profile_name},

  /usr/bin/docker pix,
  /sbin/xtables-multi rCix,
  /sbin/iptables rCx,
  /sbin/modprobe rCx,
  /sbin/auplink rCx,
  /usr/bin/xz rCx,

  # Transitions
  change_profile -> docker-*,
  change_profile -> unconfined,

  profile /sbin/iptables {
   signal (receive) peer=/usr/bin/docker,
   capability net_admin,
  }
  profile /sbin/auplink flags=(attach_disconnected) {
   signal (receive) peer=/usr/bin/docker,
   capability sys_admin,
   capability dac_override,

   @{DOCKER_GRAPH_PATH}/aufs/** rw,
   # For user namespaces:
   @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,

   # The following may be removed via delegates
   /sys/fs/aufs/** r,
   /lib/** r,
   /apparmor/.null r,
   /dev/null rw,
   /etc/ld.so.cache r,
   /sbin/auplink rm,
   /proc/fs/aufs/** rw,
   /proc/[0-9]*/mounts rw,
  }
  profile /sbin/modprobe {
   signal (receive) peer=/usr/bin/docker,
   capability sys_module,
   file,
  }
  # xz works via pipes, so we do not need access to the filesystem.
  profile /usr/bin/xz {
   signal (receive) peer=/usr/bin/docker,
  }
}