Docker's default container AppArmor profile contains a single "file" clause, without any additional information:
file,
What does this really mean? Does this clause grant full access to any file? I've checked AppArmor's apparmor.d(5) man page, but it does not mention this case explicitly, contrary to, say:
# Allow all PTrace access
ptrace,
Months later I finally stumbled upon an explanation, not from the AppArmor project itself, but from OpenSUSE, in their "Security and Hardening Guide", chapter "Profile Components and Syntax", heading "30.7.70 Optional allow and file Rules":
The following rule grants access to all files:
file,
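An added illustration, not part of the original post and not Docker's actual profile: a constructed AppArmor profile pair showing the bare `file,` rule next to path-qualified file rules. The profile names and paths are assumptions chosen for the example.

```apparmor
# Constructed example; profile names and paths are illustrative only.

profile example-broad {
  # Bare rule with no path and no permissions: grants access to all files.
  file,

  # deny rules take precedence over allow rules, so a profile that starts
  # from the blanket rule above can still carve out exceptions.
  deny /etc/shadow rwklx,
  deny /sys/firmware/** rwklx,
}

profile example-narrow {
  # The same keyword followed by a path and permissions is an ordinary
  # file rule limited to that path.
  file /etc/example/** r,

  # The "file" keyword is optional on path rules; this is also a file rule.
  /var/log/example/* w,

  # Nothing else is listed, so in enforce mode every other file access
  # is refused by default.
}
```

When auditing a profile, a bare `file,` means the effective file restrictions are whatever the accompanying `deny` rules spell out, so those are the lines to review.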