Add AppArmor policy for the engine

Wraps the engine itself with an AppArmor policy.

This restricts what may be done by applications
we call out to, such as 'xz'.

Significantly, this policy also restricts the policies
into which a container may be spawned. By default,
users will be able to transition to an unconfined
policy or any policy prefaced with 'docker-'.

Local operators may add new local policies prefaced
with 'docker-' without needing to modify this policy.
Operators choosing to disable privileged containers
will need to modify this policy to remove access
to change_policy to unconfined.

Signed-off-by: Eric Windisch <eric@windisch.us>
Upstream-commit: 39dae54a3f40035b1b7e5ca86c53d05dec832ed2
Component: engine
This commit is contained in:
Eric Windisch
2015-05-12 09:44:47 -04:00
parent b066063905
commit ae18180fac
3 changed files with 74 additions and 0 deletions
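The profile file this commit adds (contrib/apparmor/docker-engine) is not shown on this page. As an added illustration, not the project's own profile, the following hypothetical AppArmor profile shows the design the commit message describes: helpers such as xz run under the engine's confinement, and the engine may only request transitions into profiles prefaced with 'docker-' or into unconfined. The profile name, the xz path and the abstractions included are assumptions for this example.

```apparmor
#include <tunables/global>

# Hypothetical engine profile for illustration only; not the file added by this commit.
profile docker-engine flags=(attach_disconnected) {
  #include <abstractions/base>

  # Helpers the engine calls out to, such as xz, inherit this profile
  # (ix = inherit execute), so they stay under the same restrictions.
  /usr/bin/xz ix,

  # Domain transitions the engine may request when spawning a container:
  # any profile whose name starts with "docker-", or no confinement at all.
  # Operators disabling privileged containers remove the unconfined line.
  change_profile -> docker-*,
  change_profile -> unconfined,
}
```

Local operators add their own container profiles under names starting with 'docker-' (loaded with apparmor_parser, as the postinst does for the shipped profiles) and they are usable without editing the engine profile, because the glob above already covers them.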


@ -75,6 +75,7 @@ bundle_ubuntu() {
# Include contributed apparmor policy
mkdir -p "$DIR/etc/apparmor.d/"
cp contrib/apparmor/docker "$DIR/etc/apparmor.d/"
cp contrib/apparmor/docker-engine "$DIR/etc/apparmor.d/"
# Copy the binary
# This will fail if the binary bundle hasn't been built
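Review bot: the comment above the two cp lines still reads as though a single policy is packaged; update it to say both the container profile and the engine profile are installed to /etc/apparmor.d/ (e.g. `# Include contributed apparmor policies (container and engine)`). Also, the commit message says containers may transition to any profile prefaced with 'docker-', and this file is named docker-engine; confirm that the profile name declared inside the file does not itself match that prefix rule, otherwise a container could be started in the engine's own profile. A profile name outside the 'docker-' prefix, or a glob that excludes it, avoids that.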
@ -95,6 +96,7 @@ fi
if ( aa-status --enabled ); then
/sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker
/sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker-engine
fi
if ! { [ -x /sbin/initctl ] && /sbin/initctl version 2>/dev/null | grep -q upstart; }; then
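Review bot: `apparmor_parser -r` only loads the profile into the kernel; a daemon already running at upgrade time keeps its current domain until it is re-executed, so confinement of the engine takes effect only if the service restart handled below runs after this block. Worth stating in the postinst (or the commit message) that an upgrade restarts the daemon for this reason. Also decide whether a parse failure of the new profile on an older apparmor_parser should abort configuration: if this script runs with `set -e`, the added parser line will make the package fail to configure on such systems, which may be intended but should be deliberate.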