diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
index ee5b2743ba..30d49b37b3 100644
--- a/daemon/execdriver/native/apparmor.go
+++ b/daemon/execdriver/native/apparmor.go
@@ -59,21 +59,6 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 deny /sys/firmware/efi/efivars/** rwklx,
 deny /sys/kernel/security/** rwklx,
 }
-
-profile docker-unconfined flags=(attach_disconnected,mediate_deleted,complain) {
- #include
-
- network,
- capability,
- file,
- umount,
- mount,
- pivot_root,
- change_profile -> *,
-
- ptrace,
- signal,
-}
 `
 func generateProfile(out io.Writer) error {
diff --git a/daemon/execdriver/native/driver.go b/daemon/execdriver/native/driver.go
index 351f26794f..c5d4d964c3 100644
--- a/daemon/execdriver/native/driver.go
+++ b/daemon/execdriver/native/driver.go
@@ -54,11 +54,11 @@ func NewDriver(root, initPath string, options []string) (*driver, error) {
 if apparmor.IsEnabled() {
 if err := installAppArmorProfile(); err != nil {
- apparmor_profiles := []string{"docker-default", "docker-unconfined"}
+ apparmorProfiles := []string{"docker-default"}
 // Allow daemon to run if loading failed, but are active
 // (possibly through another run, manually, or via system startup)
- for _, policy := range apparmor_profiles {
+ for _, policy := range apparmorProfiles {
 if err := hasAppArmorProfileLoaded(policy); err != nil {
 return nil, fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", policy)
 }
diff --git a/docs/security/apparmor.md b/docs/security/apparmor.md
index 7cd88d314b..1e82200b6c 100644
--- a/docs/security/apparmor.md
+++ b/docs/security/apparmor.md
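Review bot: The error from installAppArmorProfile is still discarded on the fallback path around the renamed `apparmorProfiles` slice: the inner `if err := hasAppArmorProfileLoaded(policy); err != nil` shadows the outer `err`, and the returned message says only that the profile is not loaded, so an operator cannot see why installation failed in the first place. Rename the inner error and report both causes, e.g. `if lerr := hasAppArmorProfileLoaded(policy); lerr != nil {` followed by `return nil, fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: install: %v; load: %v", policy, err, lerr)`. The list of required profiles is now a single hard-coded entry here; presumably installAppArmorProfile has its own notion of which profiles it writes, and keeping the two in one place would stop them drifting apart the next time a profile is added or dropped. NewDriver's body continues outside the hunk.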
@@ -20,10 +20,6 @@ The `docker-default` profile the default for running containers. It is moderately protective while providing wide application compatability. -The `docker-unconfined` profile is intended for -privileged applications and is the default when runing -a container with the *--privileged* flag. - The system's standard `unconfined` profile inherits all system-wide policies, applying path-based policies intended for the host system inside of containers.