network,
  capability,
  file,

  # The following 3 entries are only supported by recent apparmor versions.
  # Comment them if the apparmor parser doesn't recognize them.
  dbus,
  signal,
  ptrace,

  # currently blocked by apparmor bug
  mount -> /usr/lib/*/lxc/{**,},
  mount -> /usr/lib/lxc/{**,},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=(rw, slave) -> /,
  mount fstype=debugfs,
  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
  mount -> /var/lib/lxc/{**,},

  # required for some pre-mount hooks (like the new lxc-start-ephemeral)
  mount fstype=overlayfs,
  mount fstype=aufs,
  mount fstype=ecryptfs,

  # all umounts are under the original root's /mnt, but right now we
  # can't allow those umounts after pivot_root.  So allow all umounts
  # right now.  They'll be restricted for the container at least.
  umount,
  #umount /mnt/{**,},

  # This may look a bit redundant, however it appears we need all of
  # them if we want things to work properly on all combinations of kernel
  # and userspace parser...
  pivot_root /usr/lib/lxc/,
  pivot_root /usr/lib/*/lxc/,
  pivot_root /usr/lib/lxc/**,
  pivot_root /usr/lib/*/lxc/**,

  change_profile -> lxc-*,
  change_profile -> unconfined,