mirror of https://gitlab.com/apparmor/apparmor.git (synced 2025-03-04 08:24:42 +01:00)
Update docker
parent abf08a0871
commit e6c70a3f84
1 changed files with 2 additions and 0 deletions
@ -28,6 +28,8 @@ eg.
The flags `attach_disconnected` and `mediate_deleted` are present in Docker's default profile to help with, respectively, container-host shared resources and deleted files still being present in the overlay file system, so they should be present on custom profiles applied to Docker containers.
Apparmor profiles applied to a Docker container will not block commands launched via `docker exec` from running, even if the profile does not allow the specified binary to execute. However, further actions of the specified binary will be restricted according to the profile.
Profile transitioning inside a Docker container is still wonky, but transitioning to child profiles seems to work properly. TODO: needs more testing
Docker provides a different mechanism for limiting the Linux capabilities used by a container, described [here](https://docs.docker.com/engine/security/#linux-kernel-capabilities), so AppArmor profiles for Docker containers can include the line `capabilities,` for a container that needs them and let Docker handle the capabilities filtering. Alternatively, not allowing capabilities on a profile in complain mode can make it easier to identify the capabilities that a container needs.
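Review bot: the final paragraph of the hunk (the Docker capabilities text, which the `+28,8` count marks as the added lines) writes the rule as `capabilities,`, but the AppArmor rule keyword is `capability` (apparmor.d(5): `capability [ CAPABILITY LIST ] ,`); a bare `capability,` grants every capability, and that is also the spelling Docker's own docker-default template uses, so please correct it before readers paste it into a profile and hit a parser error. The complain-mode alternative in the same paragraph would be more actionable with the concrete steps: load the profile with `complain` added to its flags next to `attach_disconnected,mediate_deleted`, exercise the container's workload, then collect the `apparmor="ALLOWED"` audit entries with `operation="capable"` (or feed the log to `aa-logprof`), whose `capname=` fields give the exact `capability <name>,` rules the container needs; that turns "can make it easier to identify" into something a reader can do. Minor: the preceding paragraph still carries the "still wonky ... TODO: needs more testing" note; if the Docker testing behind this commit covered profile transitions, it would be worth resolving or dating that TODO in the same change.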