From 59f2aefefec719db143a2c14783d430c6f50674d Mon Sep 17 00:00:00 2001
From: Jessica Frazelle
Date: Thu, 6 Aug 2015 16:51:01 -0700
Subject: [PATCH] remove docker-unconfined profile

we were not using it and it breaks apparmor on wheezy

Signed-off-by: Jessica Frazelle
Upstream-commit: e542238f2a4ba9d77bf8ebc77e319dd6b321925f
Component: engine
---
 .../engine/daemon/execdriver/native/apparmor.go | 15 ---------------
 .../engine/daemon/execdriver/native/driver.go | 2 +-
 components/engine/docs/security/apparmor.md | 4 ----
 3 files changed, 1 insertion(+), 20 deletions(-)

diff --git a/components/engine/daemon/execdriver/native/apparmor.go b/components/engine/daemon/execdriver/native/apparmor.go
index ee5b2743ba..30d49b37b3 100644
--- a/components/engine/daemon/execdriver/native/apparmor.go
+++ b/components/engine/daemon/execdriver/native/apparmor.go
@@ -59,21 +59,6 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 deny /sys/firmware/efi/efivars/** rwklx,
 deny /sys/kernel/security/** rwklx,
 }
-
-profile docker-unconfined flags=(attach_disconnected,mediate_deleted,complain) {
- #include
-
- network,
- capability,
- file,
- umount,
- mount,
- pivot_root,
- change_profile -> *,
-
- ptrace,
- signal,
-}
 `
 func generateProfile(out io.Writer) error {
diff --git a/components/engine/daemon/execdriver/native/driver.go b/components/engine/daemon/execdriver/native/driver.go
index a6e0749ed6..b241bdbc50 100644
--- a/components/engine/daemon/execdriver/native/driver.go
+++ b/components/engine/daemon/execdriver/native/driver.go
@@ -58,7 +58,7 @@ func NewDriver(root, initPath string, options []string) (*Driver, error) {
 if apparmor.IsEnabled() {
 if err := installAppArmorProfile(); err != nil {
- apparmorProfiles := []string{"docker-default", "docker-unconfined"}
+ apparmorProfiles := []string{"docker-default"}
 // Allow daemon to run if loading failed, but are active
 // (possibly through another run, manually, or via system startup)
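Review bot: The fallback on the new side keeps the daemon running when `installAppArmorProfile()` fails as long as `docker-default` is already loaded, so the profile actually enforced may be one generated by an earlier release rather than the template this binary ships; if the install error is not already surfaced further down, it should be logged as a warning naming the profile so an operator can tell a stale profile from a fresh load. Since `apparmorProfiles` now holds a single entry, the code that consumes it could become a direct check, or the slice can stay with a one-line comment such as `// list form kept so additional profiles can be checked later`. Hosts where an earlier daemon already loaded `docker-unconfined` keep that profile in the kernel until it is unloaded or the host reboots, which is worth a sentence in the commit message. The body of `NewDriver`, including the check that consumes `apparmorProfiles`, continues outside the hunk, so the logging point is inferred from the surviving comment rather than verified against that code.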
diff --git a/components/engine/docs/security/apparmor.md b/components/engine/docs/security/apparmor.md
index 7cd88d314b..1e82200b6c 100644
--- a/components/engine/docs/security/apparmor.md
+++ b/components/engine/docs/security/apparmor.md
@@ -20,10 +20,6 @@ The `docker-default` profile
 the default for running containers. It is moderately protective while providing wide application compatability.
-The `docker-unconfined` profile is intended for privileged applications and is the default when runing a container with the *--privileged* flag.
-
 The system's standard `unconfined` profile inherits all system-wide policies, applying path-based policies intended for the host system inside of containers.