@@ -59,21 +59,6 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {

   deny /sys/firmware/efi/efivars/** rwklx,

   deny /sys/kernel/security/** rwklx,

 }

-

-profile docker-unconfined flags=(attach_disconnected,mediate_deleted,complain) {

-  #include <abstractions/base>

-

-  network,

-  capability,

-  file,

-  umount,

-  mount,

-  pivot_root,

-  change_profile -> *,

-

-  ptrace,

-  signal,

-}

 `

 func generateProfile(out io.Writer) error {

@@ -58,7 +58,7 @@ func NewDriver(root, initPath string, options []string) (*Driver, error) {

 	if apparmor.IsEnabled() {

 		if err := installAppArmorProfile(); err != nil {

-			apparmorProfiles := []string{"docker-default", "docker-unconfined"}

+			apparmorProfiles := []string{"docker-default"}

 			// Allow daemon to run if loading failed, but are active

 			// (possibly through another run, manually, or via system startup)

@@ -20,10 +20,6 @@ The `docker-default` profile the default for running

 containers. It is moderately protective while

 providing wide application compatability.

-The `docker-unconfined` profile is intended for

-privileged applications and is the default when runing

-a container with the *--privileged* flag.

-

 The system's standard `unconfined` profile inherits all

 system-wide policies, applying path-based policies

 intended for the host system inside of containers.