diff --git a/.docker/Makefile b/.docker/Makefile
index c481e10b..36acd69a 100644
--- a/.docker/Makefile
+++ b/.docker/Makefile
@@ -10,7 +10,7 @@ ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 NPROC:=$(shell nproc)
 COMMON_RUN_OPTS=-it --rm \
- --cap-add SYS_ADMIN --device /dev/fuse --privileged \
+ --cap-add SYS_ADMIN --device /dev/fuse \
 --mount type=bind,source="$(ROOT_DIR)"/..,target=/workspace,readonly \
 --mount type=bind,source="$(ROOT_DIR)"/../@docker-ccache,target=/ccache \
 --mount type=bind,source="$(ROOT_DIR)"/../@docker-home,target=/home/mhx \
diff --git a/.github/workflows/docker-run-build.yml b/.github/workflows/docker-run-build.yml
index 34fa2337..7b714259 100644
--- a/.github/workflows/docker-run-build.yml
+++ b/.github/workflows/docker-run-build.yml
@@ -64,8 +64,8 @@ jobs:
 - name: Run Build
 run: |
- docker run --rm \
- --cap-add SYS_ADMIN --device /dev/fuse --privileged \
+ docker run --rm --init \
+ --cap-add SYS_ADMIN --device /dev/fuse --security-opt apparmor:unconfined \
 --mount type=bind,source=${GITHUB_WORKSPACE},target=/workspace,readonly \
 --mount type=bind,source=${{ runner.temp }},target=/tmp-runner \
 --mount type=bind,source=${HOME}/github-ccache,target=/ccache \
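Review bot: `COMMON_RUN_OPTS` still grants `CAP_SYS_ADMIN`, and nothing in the hunk records why that capability stays while `--privileged` goes. A comment above the assignment would keep a later edit from restoring the flag, for example `# SYS_ADMIN + /dev/fuse: required for FUSE mounts in the container; do not add --privileged` (assuming FUSE mounting is the reason, as the `/dev/fuse` device suggests). The local options also now differ from the CI invocation in `.github/workflows/docker-run-build.yml`, which passes an AppArmor option as well. Whether local runs on AppArmor-enabled hosts can still mount under the default profile is not visible here and is worth confirming. The `COMMON_RUN_OPTS` definition continues past the end of the hunk.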
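Review bot: On the `docker run` line, `--security-opt apparmor:unconfined` removes the AppArmor profile entirely while `CAP_SYS_ADMIN` is still granted, so the default profile's mount restrictions no longer back up that capability for whatever code the build executes. If the runner can carry a custom profile, a narrower option is one that allows only the FUSE mount the build needs, referenced as `--security-opt apparmor=<fuse-build-profile>` (placeholder name, to be defined on the runner). If unconfined has to stay, a YAML comment above `run:` should say that it exists only for the FUSE mount. It is also better spelled with the documented `=` separator, `--security-opt apparmor=unconfined`, since the colon form is the legacy syntax. The `docker run` command continues past the end of the hunk.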