I am trying to use this command - sudo docker run -it  --security-opt=no-new-privileges:true  ubuntu bash 
Also, I have tried sudo docker run -it  ubuntu bash

(I am using Debian 11 and Kernel - 5.10.113)

And I am getting this denial - Dec  6 06:07:03 microk8s-19 kernel: audit: type=1400 audit(1670306823.891:1173): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/containerd" name="/usr/bin/bash" pid=12032 comm="runc:[2:INIT]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="docker-default"

Also, there is nothing like - /usr/bin/bash that I have ever heard of so this looks quite strange to me.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This is what my container profile looks like:
# Last Modified: Tue Dec  6 05:54:42 2022
#include <tunables/global>

/usr/bin/containerd flags=(attach_disconnected, complain, mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/totem>

  capability dac_override,
  capability dac_read_search,
  capability mknod,
  capability net_admin,
  capability setgid,
  capability setpcap,
  capability setuid,
  capability sys_admin,
  capability sys_resource,

  mount options=(rw, bind) -> /run/docker/runtime-runc/**,
  mount options=(ro, remount, bind) -> /run/docker/runtime-runc/**,
  mount options=(rw, bind) -> /usr/bin/runc,
  mount options=(rw, rslave) -> /,
  mount options=(rw, rbind) -> /opt/docker/lib/**,
  mount options=(rw, nosuid, nodev, noexec) -> /opt/docker/lib/**,
  mount options=(rw, nosuid, strictatime) -> /opt/docker/lib/**,
  mount options=(rw, nosuid, noexec) -> /opt/docker/lib/**,
  mount options=(ro, nosuid, nodev, noexec) -> /opt/docker/lib/**,
  mount options=(ro, nosuid, nodev, noexec, remount, rbind) -> /opt/docker/lib/**,
  mount options=(rw, rprivate) -> /opt/docker/lib/**,
  mount options=(rw, bind) -> /dev/**,
  mount options=(rw, rbind) -> /proc/**,
  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/**,
  mount options=(ro) -> /proc/**,
  mount options=(rw, rbind) -> /dev/**,
  mount fstype=ext4,
  mount fstype=overlay,
  mount fstype=tmpfs,
  mount fstype=devpts,
  mount fstype=sysfs,
  mount options=(rw,bind) /[^spd]*{,/**},
  mount options=(rw,bind) /d[^e]*{,/**},
  mount options=(rw,bind) /de[^v]*{,/**},
  mount options=(rw,bind) /dev/.[^l]*{,/**},
  mount options=(rw,bind) /dev/.l[^x]*{,/**},
  mount options=(rw,bind) /dev/.lx[^c]*{,/**},
  mount options=(rw,bind) /dev/.lxc?*{,/**},
  mount options=(rw,bind) /dev/[^.]*{,/**},
  mount options=(rw,bind) /dev?*{,/**},
  mount options=(rw,bind) /p[^r]*{,/**},
  mount options=(rw,bind) /pr[^o]*{,/**},
  mount options=(rw,bind) /pro[^c]*{,/**},
  mount options=(rw,bind) /proc?*{,/**},
  mount options=(rw,bind) /s[^y]*{,/**},
  mount options=(rw,bind) /sy[^s]*{,/**},
  mount options=(rw,bind) /sys?*{,/**},
  umount options=(ro),
  umount options=(rw, bind),
  umount options=(rw, rprivate),
  umount options=(ro, nosuid, nodev, noexec, remount, rbind),
  umount options=(ro, nosuid, nodev, noexec),
  umount options=(rw, nosuid, noexec),
  umount options=(rw, nosuid, strictatime),
  umount options=(rw, rbind),
  umount options=(rw, bind, ro, remount),
  umount options=(rw, rslave),
  umount options=(rw, nosuid, nodev, noexec),

  ptrace read peer=unconfined,

  pivot_root /opt/docker/lib/**,

  / r,
  /bin/kmod mrix,
  /dev/** rw,
  /etc/containerd/config.toml r,
  /etc/ld.so.cache r,
  /etc/modprobe.d/* r,
  /lib/modprobe.d/* r,
  /lib/modules/* r,
  /lib/x86_64-linux-gnu/* mr,
  /opt/docker/lib/** w,
  /proc/** rw,
  /run/containerd/* mrix,
  /usr/bin/bash mrix,
  /usr/bin/containerd mr,
  /usr/bin/containerd-shim-runc-v2 mrix,
  /usr/bin/dockerd ix,
  /usr/bin/groups mrix,
  /usr/bin/runc mrix,
  /var/lib/containerd/* mrix,
  /usr/bin/bash ix,
  owner /**/ rw,
  owner /proc/*/cmdline r,
  owner /proc/*/mountinfo r,
  owner /proc/*/oom_score_adj r,
  owner /proc/*/oom_score_adj w,
  owner /proc/*/uid_map r,
  owner /root/.bash_history rw,
  owner /run/containerd/** r,
  owner /run/containerd/** w,
  owner /run/docker/containerd/** rw,
  owner /run/docker/runtime-runc/** rwk,
  owner /sys/fs/cgroup/** rw,
  owner /var/lib/containerd/** rwk,

  change_profile -> **,

  profile /usr/bin/bash (complain) {
      include <abstractions/base>
    }

}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Note - For now I have the profile in complain mode. 
Not able to get the apparmor rule which would fix this denial.

- Shaheena K