diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
index ee5b2743ba6db246598ea17ffc7449c9d5a56c85..30d49b37b34bb427394d8e89013f2081ec306725 100644
--- a/daemon/execdriver/native/apparmor.go
+++ b/daemon/execdriver/native/apparmor.go
@@ -59,21 +59,6 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
 }
-
-profile docker-unconfined flags=(attach_disconnected,mediate_deleted,complain) {
-  #include
-
-  network,
-  capability,
-  file,
-  umount,
-  mount,
-  pivot_root,
-  change_profile -> *,
-
-  ptrace,
-  signal,
-}
 `
 
 func generateProfile(out io.Writer) error {
diff --git a/daemon/execdriver/native/driver.go b/daemon/execdriver/native/driver.go
index 351f26794f76e4fa36d079c5f10887ac845a7a37..c5d4d964c3397466db8ac065ae258585279fed6e 100644
--- a/daemon/execdriver/native/driver.go
+++ b/daemon/execdriver/native/driver.go
@@ -54,11 +54,11 @@ func NewDriver(root, initPath string, options []string) (*driver, error) {
 
 	if apparmor.IsEnabled() {
 		if err := installAppArmorProfile(); err != nil {
-			apparmor_profiles := []string{"docker-default", "docker-unconfined"}
+			apparmorProfiles := []string{"docker-default"}
 
 			// Allow daemon to run if loading failed, but are active
 			// (possibly through another run, manually, or via system startup)
-			for _, policy := range apparmor_profiles {
+			for _, policy := range apparmorProfiles {
 				if err := hasAppArmorProfileLoaded(policy); err != nil {
 					return nil, fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", policy)
 				}
diff --git a/docs/security/apparmor.md b/docs/security/apparmor.md
index 7cd88d314bb74ba3bece9293e7c85d581bd38a6b..1e82200b6c2866a9d6b994656dd565350558c532 100644
--- a/docs/security/apparmor.md
+++ b/docs/security/apparmor.md
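Review bot: The `return nil, fmt.Errorf(...)` inside the `hasAppArmorProfileLoaded` loop discards both the error it just received and the outer `installAppArmorProfile` error, because each `err` shadows the previous one and neither is formatted into the message, so an operator whose daemon refuses to start learns only the profile name. Include at least the lookup error: `return nil, fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %v", policy, err)`, and consider binding the install error to a distinct name so it can be reported alongside it. The trailing period in the error string is also against Go convention and should be dropped. With the list reduced to the single `docker-default` entry the loop could become a direct call, though keeping the slice is harmless if more profiles are expected later. NewDriver's body continues past the end of the hunk.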
@@ -20,10 +20,6 @@ The `docker-default` profile the default for running containers. It is
 moderately protective while providing wide application compatability.
 
-The `docker-unconfined` profile is intended for
-privileged applications and is the default when runing
-a container with the *--privileged* flag.
-
 The system's standard `unconfined` profile inherits all
 system-wide policies, applying path-based policies
 intended for the host system inside of containers.