The following issue takes place in Debian Jessie (under Vagrant):

The docker documentation claims that an apparmor profile is automatically placed in /etc/apparmor.d/docker, yet when I list the contents of this directory, it it is not to be found.

Contents of /etc/apparmor.d:

abstractions
cache
disable
force-complain
local
tunables

Docker version information

$ docker version
Client:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:        Thu Aug 18 05:02:53 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:        Thu Aug 18 05:02:53 2016
 OS/Arch:      linux/amd64

From this GitHub discussion I understand that the apparmor profile is not stored explicitly anymore since Docker v1.13:

Prior to Docker 1.13, it stored the AppArmor Profile in /etc/apparmor.d/docker-default (which was overwritten when Docker started, so users couldn't modify it. Docker devs added the --security-opt to let users specify a profile. After v1.13, Docker now generates docker-default in tmpfs, uses apparmor_parser to load it into kernel, then deletes the file. All of the AppArmor utils (aa-* on Ubuntu) expect a file parameter, and /sys/kernel/security/apparmor/policy/profiles/* only has cached binaries.

The nearest I can figure, newer versions of docker seem to require a container to have an apparmor security profile. This means most containers I pull from the internet don't run unless I add --security-opt apparmor=unconfined to the docker run command.