Comment 4 for bug 2039294

the docker-default profile is shipped with/part of docker. It is generated and loaded by docker, you can see the docker apparmor code here

https://github.com/moby/moby/tree/master/profiles/apparmor

and the docker-default profile in particular is in
https://github.com/moby/moby/blob/master/profiles/apparmor/template.go

the signal rule needs to be updated, or a new rule added to allow runc

  signal receive signal=usr1 peer="/usr/sbin/runc",