diff --git a/config/apparmor/Makefile.am b/config/apparmor/Makefile.am
index f02ac937f..887d16c5a 100644
--- a/config/apparmor/Makefile.am
+++ b/config/apparmor/Makefile.am
@@ -7,6 +7,7 @@ EXTRA_DIST = \
 lxc-containers \
 lxc-generate-aa-rules.py \
 profiles/lxc-default \
+ profiles/lxc-default-cgns \
 profiles/lxc-default-with-mounting \
 profiles/lxc-default-with-nesting \
 usr.bin.lxc-start
@@ -20,6 +21,7 @@ install-apparmor:
 $(INSTALL_DATA) abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
 $(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
 $(INSTALL_DATA) profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+ $(INSTALL_DATA) profiles/lxc-default-cgns $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
 $(INSTALL_DATA) profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
 $(INSTALL_DATA) profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
 $(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/
@@ -30,6 +32,7 @@ uninstall-apparmor:
 rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc-containers
 rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-nesting
 rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-mounting
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-cgns
 rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default
 rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/start-container
 rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/container-base
diff --git a/config/apparmor/profiles/lxc-default-cgns b/config/apparmor/profiles/lxc-default-cgns
new file mode 100644
index 000000000..ff599ef81
--- /dev/null
+++ b/config/apparmor/profiles/lxc-default-cgns
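Review bot: Adding one profile requires three coordinated edits — the EXTRA_DIST list, the install-apparmor recipe and the uninstall-apparmor recipe — and this commit touches all three in the first, second and third hunks, which is the kind of repetition that gets out of sync the next time a profile is added or removed. A single list such as `PROFILES = profiles/lxc-default profiles/lxc-default-cgns profiles/lxc-default-with-mounting profiles/lxc-default-with-nesting` could be referenced from EXTRA_DIST and drive both recipes with a portable shell loop, e.g. `for p in $(PROFILES); do $(INSTALL_DATA) $$p $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/; done`, so the three places agree by construction. The install-apparmor and uninstall-apparmor rule headers lie just above their hunks, outside the visible lines, so I have not checked whether the destination directories are created before the copies.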
@@ -0,0 +1,12 @@
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ # the container may never be allowed to mount devpts. If it does, it
+ # will remount the host's devpts. We could allow it to do it with
+ # the newinstance option (but, right now, we don't).
+ deny mount fstype=devpts,
+ mount fstype=cgroup -> /sys/fs/cgroup/**,
+}
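Review bot: The `#include` on the fifth line of the new profile has no argument as rendered here, so either the angle-bracketed path was lost in extraction or the profile inherits no base abstraction at all; please confirm the committed line reads `#include <abstractions/lxc/container-base>`, which is the abstraction the Makefile hunk installs next to these profiles. The header comment also gives no reason why this variant permits `mount fstype=cgroup -> /sys/fs/cgroup/**,` with no options restriction while documenting the devpts deny in detail; the `-cgns` suffix suggests it is intended for containers running in their own cgroup namespace, where a fresh cgroupfs mount exposes only the container's own subtree, but the file does not state that precondition. I would record it next to the rule, e.g. `# Only intended for containers in their own cgroup namespace; without cgns a cgroupfs mount exposes the host hierarchy.`, so the profile is not reused for a configuration it was not written for.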