diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index fe24ff32b..9452f6608 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -60,13 +60,6 @@
 mount fstype=fuse,
 mount fstype=fuse.*,
- # allow bind mount of /lib/init/fstab for lxcguest
- mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
-
- # allow bind mounts of /run/{,lock} to /var/run/{,lock}
- mount options=(rw, bind) /run/ -> /var/run/,
- mount options=(rw, bind) /run/lock/ -> /var/lock/,
-
 # deny access under /proc/bus to avoid e.g. messing with pci devices directly
 deny @{PROC}/bus/** wklx,
@@ -100,6 +93,37 @@
 # deny reads from debugfs
 deny /sys/kernel/debug/{,**} rwklx,
+ # allow paths to be made shared, rshared, private or rprivate
+ mount options=(rw,shared) -> /,
+ mount options=(rw,shared) -> /**,
+
+ mount options=(rw,rshared) -> /,
+ mount options=(rw,rshared) -> /**,
+
+ mount options=(rw,private) -> /,
+ mount options=(rw,private) -> /**,
+
+ mount options=(rw,rprivate) -> /,
+ mount options=(rw,rprivate) -> /**,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+ mount options=(rw,bind) /d[^e]*{,/**},
+ mount options=(rw,bind) /de[^v]*{,/**},
+ mount options=(rw,bind) /dev/.[^l]*{,/**},
+ mount options=(rw,bind) /dev/.l[^x]*{,/**},
+ mount options=(rw,bind) /dev/.lx[^c]*{,/**},
+ mount options=(rw,bind) /dev/.lxc?*{,/**},
+ mount options=(rw,bind) /dev/[^.]*{,/**},
+ mount options=(rw,bind) /dev?*{,/**},
+ mount options=(rw,bind) /p[^r]*{,/**},
+ mount options=(rw,bind) /pr[^o]*{,/**},
+ mount options=(rw,bind) /pro[^c]*{,/**},
+ mount options=(rw,bind) /proc?*{,/**},
+ mount options=(rw,bind) /s[^y]*{,/**},
+ mount options=(rw,bind) /sy[^s]*{,/**},
+ mount options=(rw,bind) /sys?*{,/**},
+
 # generated by: lxc-generate-aa-rules.py container-rules.base
 deny /proc/sys/[^kn]*{,/**} wklx,
 deny /proc/sys/k[^e]*{,/**} wklx,
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 550625c15..68db43db4 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
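Review bot: The comment `# allow bind-mounts of anything except /proc, /sys and /dev` overstates what the rules below it withhold: the `/dev/.[^l]*`, `/dev/.l[^x]*`, `/dev/.lx[^c]*`, `/dev/.lxc?*` and `/dev/[^.]*` rules permit bind-mounting everything beneath /dev except the /dev/.lxc subtree, so only the /dev directory itself and /dev/.lxc are actually excluded. Suggested wording: `# allow bind-mounts of anything except /proc, /sys, /dev itself and /dev/.lxc`. Note also that, unlike the removed `/run/ -> /var/run/` style rules in the first hunk, none of the new bind rules carry a `->` destination, so as far as I can see they constrain only the source and not where it may be mounted, including onto paths under /proc, /sys or /dev; if that is intended, a comment saying the exclusion applies to the source side only would spare the next reader the analysis. The same block is added to config/apparmor/abstractions/container-base.in in the following hunks and needs the same comment fix.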
@@ -60,13 +60,6 @@
 mount fstype=fuse,
 mount fstype=fuse.*,
- # allow bind mount of /lib/init/fstab for lxcguest
- mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
-
- # allow bind mounts of /run/{,lock} to /var/run/{,lock}
- mount options=(rw, bind) /run/ -> /var/run/,
- mount options=(rw, bind) /run/lock/ -> /var/lock/,
-
 # deny access under /proc/bus to avoid e.g. messing with pci devices directly
 deny @{PROC}/bus/** wklx,
@@ -100,3 +93,34 @@
 # deny reads from debugfs
 deny /sys/kernel/debug/{,**} rwklx,
+ # allow paths to be made shared, rshared, private or rprivate
+ mount options=(rw,shared) -> /,
+ mount options=(rw,shared) -> /**,
+
+ mount options=(rw,rshared) -> /,
+ mount options=(rw,rshared) -> /**,
+
+ mount options=(rw,private) -> /,
+ mount options=(rw,private) -> /**,
+
+ mount options=(rw,rprivate) -> /,
+ mount options=(rw,rprivate) -> /**,
+
+ # allow bind-mounts of anything except /proc, /sys and /dev
+ mount options=(rw,bind) /[^spd]*{,/**},
+ mount options=(rw,bind) /d[^e]*{,/**},
+ mount options=(rw,bind) /de[^v]*{,/**},
+ mount options=(rw,bind) /dev/.[^l]*{,/**},
+ mount options=(rw,bind) /dev/.l[^x]*{,/**},
+ mount options=(rw,bind) /dev/.lx[^c]*{,/**},
+ mount options=(rw,bind) /dev/.lxc?*{,/**},
+ mount options=(rw,bind) /dev/[^.]*{,/**},
+ mount options=(rw,bind) /dev?*{,/**},
+ mount options=(rw,bind) /p[^r]*{,/**},
+ mount options=(rw,bind) /pr[^o]*{,/**},
+ mount options=(rw,bind) /pro[^c]*{,/**},
+ mount options=(rw,bind) /proc?*{,/**},
+ mount options=(rw,bind) /s[^y]*{,/**},
+ mount options=(rw,bind) /sy[^s]*{,/**},
+ mount options=(rw,bind) /sys?*{,/**},
+