9f8e7b5fed
By using the 'unconfined' policy for privileged containers, we have inherited the host's apparmor policies, which really make no sense in the context of the container's filesystem. For instance, policies written against the paths of binaries such as '/usr/sbin/tcpdump' can be easily circumvented by moving the binary within the container filesystem. Fixes GH#5490 Signed-off-by: Eric Windisch <eric@windisch.us> Upstream-commit: 87376c3add7dcd48830060652554e7ae43d11881 Component: engine