network,
  capability,
  file,

  # The following 3 entries are only supported by recent apparmor versions.
  # Comment them if the apparmor parser doesn't recognize them.
  dbus,
  signal,
  ptrace,

  # currently blocked by apparmor bug
  mount -> /usr/lib*/*/lxc/{**,},
  mount -> /usr/lib*/lxc/{**,},
  mount -> /usr/lib/x86_64-linux-gnu/lxc/{,**},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=bind /dev/pts/** -> /dev/**,
  mount options=(rw, make-slave) -> **,
  mount options=(rw, make-rslave) -> **,
  mount fstype=debugfs,
  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
  mount -> /var/lib/lxc/{**,},

  # required for some pre-mount hooks
  mount fstype=overlayfs,
  mount fstype=aufs,
  mount fstype=ecryptfs,

  # all umounts are under the original root's /mnt, but right now we
  # can't allow those umounts after pivot_root.  So allow all umounts
  # right now.  They'll be restricted for the container at least.
  umount,
  #umount /mnt/{**,},

  # This may look a bit redundant, however it appears we need all of
  # them if we want things to work properly on all combinations of kernel
  # and userspace parser...
  pivot_root /usr/lib*/lxc/,
  pivot_root /usr/lib*/*/lxc/,
  pivot_root /usr/lib*/lxc/**,
  pivot_root /usr/lib*/*/lxc/**,
  pivot_root /usr/lib/x86_64-linux-gnu/lxc/{,**},

  change_profile -> lxc-*,
  change_profile -> lxc-**,
  change_profile -> unconfined,
  change_profile -> :lxc-*:unconfined,