@@ -5,6 +5,7 @@ import (

 	"github.com/docker/docker/daemon/caps"

 	"github.com/docker/docker/daemon/exec"

 	"github.com/docker/docker/libcontainerd"

+	"github.com/opencontainers/runc/libcontainer/apparmor"

 	"github.com/opencontainers/runtime-spec/specs-go"

 )

@@ -23,5 +24,27 @@ func execSetPlatformOpt(c *container.Container, ec *exec.Config, p *libcontainer

 	if ec.Privileged {

 		p.Capabilities = caps.GetAllCapabilities()

 	}

+	if apparmor.IsEnabled() {

+		var appArmorProfile string

+		if c.AppArmorProfile != "" {

+			appArmorProfile = c.AppArmorProfile

+		} else if c.HostConfig.Privileged {

+			appArmorProfile = "unconfined"

+		} else {

+			appArmorProfile = "docker-default"

+		}

+

+		if appArmorProfile == "docker-default" {

+			// Unattended upgrades and other fun services can unload AppArmor

+			// profiles inadvertently. Since we cannot store our profile in

+			// /etc/apparmor.d, nor can we practically add other ways of

+			// telling the system to keep our profile loaded, in order to make

+			// sure that we keep the default profile enabled we dynamically

+			// reload it if necessary.

+			if err := ensureDefaultAppArmorProfile(); err != nil {

+				return err

+			}

+		}

+	}

 	return nil

 }