====== apparmor profile ======
===== Issue =====
No network connectivity from the container. The journal shows AppArmor denying socket creation (address family ''inet'', datagram socket, IP protocol 17 = UDP):
<code>
audit: type=1400 audit(1634036792.582:254): apparmor="DENIED" operation="create" profile="docker-default" pid=32133 comm="ping" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
</code>
Reason: Docker attaches its default ''docker-default'' AppArmor profile to every container it starts. dockerd generates that profile from a built-in template and loads it straight into the kernel, so no matching file exists under ''/etc/apparmor.d/'' and the AppArmor tools (''aa-complain'', ''aa-disable'') have no file to operate on, which is why the profile cannot simply be disabled.
To work around this, create the file ''/etc/apparmor.d/docker-default'' with the following content (Docker's own docker-default template, with the ''#include'' targets that the wiki rendering had swallowed restored), so that the AppArmor tools have something to act on:
<code>
# /etc/apparmor.d/docker-default
#include <tunables/global>

profile docker-default flags=(attach_disconnected, mediate_deleted) {

  #include <abstractions/base>

  # a container may trace only processes under its own profile
  ptrace peer=@{profile_name},

  network,
  capability,
  file,
  umount,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/kcore rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,

  deny mount,

  # keep containers out of sysfs, except /sys/fs/cgroup
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
</code>
Then switch the profile to complain mode (''aa-complain docker-default'') or unload it (''aa-disable docker-default''), and confirm the result with ''aa-status'' (or ''cat /sys/kernel/security/apparmor/profiles'' as root), which lists every loaded profile with its mode. Two caveats: this weakens confinement for every container on the host, and dockerd loads ''docker-default'' again on restart if it finds the profile unloaded. For a single container the narrower fix is ''docker run --security-opt apparmor=unconfined ...'' (or a custom profile via ''--security-opt apparmor=NAME'').
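As an added example (not part of the original page and not Docker's or AppArmor's own tooling), the following POSIX shell script turns audit records like the one above into one summary line per denial, mapping the ''protocol='' number to its IANA name, and reads the profile listing to report whether ''docker-default'' is in enforce or complain mode after ''aa-complain''. The log lines and the profile listing are constructed samples; on a live host feed it ''journalctl -k'' or ''dmesg'' output and ''/sys/kernel/security/apparmor/profiles'' (root) instead.

```shell
#!/bin/sh
# Added example, not from the original page. Summarises AppArmor "DENIED" audit
# records (journal/dmesg) and checks the mode of a loaded profile.
# Uses only POSIX tools: grep, sed, read, printf.

# Constructed sample input modelled on the journal line quoted on the page
# (not captured from a real host). The ALLOWED line and the kernel line are
# noise the parser must ignore.
SAMPLE_LOG='audit: type=1400 audit(1634036792.582:254): apparmor="DENIED" operation="create" profile="docker-default" pid=32133 comm="ping" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1634036793.004:255): apparmor="DENIED" operation="open" profile="docker-default" name="/proc/sysrq-trigger" pid=32140 comm="sh" requested_mask="w" denied_mask="w"
audit: type=1400 audit(1634036794.010:256): apparmor="ALLOWED" operation="open" profile="docker-default" name="/etc/hosts" pid=32141 comm="cat" requested_mask="r" denied_mask="r"
kernel: eth0: link becomes ready'

# Constructed sample of /sys/kernel/security/apparmor/profiles
# (readable as root on a real host; one "name (mode)" line per loaded profile).
SAMPLE_PROFILES='/usr/sbin/tcpdump (enforce)
docker-default (enforce)
/usr/bin/man (complain)'

# field RECORD KEY: print the value of KEY=value or KEY="value" from one record.
# The leading [[:space:]] keeps denied_mask from matching inside requested_mask.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# IANA IP protocol number -> name, for the protocol= field of network denials.
proto_name() {
    case "$1" in
        1)  echo icmp ;;
        6)  echo tcp ;;
        17) echo udp ;;
        *)  echo "proto$1" ;;
    esac
}

# summarize_denials: read log text on stdin, print one line per DENIED record.
# Network denials show family/sock_type/protocol, file denials show the path.
summarize_denials() {
    grep 'apparmor="DENIED"' | while IFS= read -r rec; do
        prof=$(field "$rec" profile)
        comm=$(field "$rec" comm)
        op=$(field "$rec" operation)
        mask=$(field "$rec" denied_mask)
        fam=$(field "$rec" family)
        if [ -n "$fam" ]; then
            printf 'profile=%s comm=%s op=%s net=%s/%s/%s denied=%s\n' \
                "$prof" "$comm" "$op" "$fam" "$(field "$rec" sock_type)" \
                "$(proto_name "$(field "$rec" protocol)")" "$mask"
        else
            printf 'profile=%s comm=%s op=%s name=%s denied=%s\n' \
                "$prof" "$comm" "$op" "$(field "$rec" name)" "$mask"
        fi
    done
}

# profile_mode NAME: read the profiles listing on stdin and print the mode
# (enforce/complain) of NAME, or "unloaded" if the kernel does not list it.
profile_mode() {
    mode=$(grep "^$1 " | sed -n 's/.*(\(.*\))$/\1/p')
    printf '%s\n' "${mode:-unloaded}"
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | summarize_denials
printf '%s\n' "$SAMPLE_PROFILES" | profile_mode docker-default
```

For the sample above the first summary line reads ''profile=docker-default comm=ping op=create net=inet/dgram/udp denied=create'', which is the quickest way to see that it is socket creation, not a file rule, that the profile is blocking; after ''aa-complain docker-default'' the mode check should print ''complain'' instead of ''enforce'', and ''unloaded'' means dockerd has not (re)loaded the profile at all.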