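# Mask /sys/kernel/security so dockerd's apparmor.HostSupports() returns false.
# Needed because this is an Incus container with restricted apparmor visibility.
#
# Security notes:
# - With AppArmor reported as unsupported, dockerd is expected to start its
#   containers without an AppArmor profile. Confinement then rests on what the
#   outer Incus container enforces, plus Docker's seccomp/capability defaults.
#   NOTE(review): confirm the Incus profile is acceptable for these workloads.
# - The mount is made with a plain `mount`, so unless this unit runs in a
#   private mount namespace it hides securityfs from every process in the
#   container, not only from dockerd.
# - A tmpfs defaults to mode 1777 (world-writable). mode=0755 keeps
#   unprivileged users from creating entries (e.g. a fake "apparmor" node)
#   under the mask; nosuid,nodev,noexec because nothing should run from here.
# - The step stays best-effort (always exits 0), but a failed mount is now
#   reported on stderr so it shows up in the journal instead of being dropped.
# - Re-running is harmless: once masked, the apparmor path no longer exists,
#   so the test fails and no second tmpfs is stacked.
[Service]
ExecStartPre=/bin/sh -c 'if test -e /sys/kernel/security/apparmor; then mount -t tmpfs -o size=1M,mode=0755,nosuid,nodev,noexec tmpfs /sys/kernel/security || echo "docker apparmor mask: could not mount tmpfs on /sys/kernel/security; dockerd will still detect AppArmor" >&2; fi; true'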