Painless Docker - 2nd Edition

A Comprehensive Guide to Mastering Docker and its Ecosystem

Docker Security Best Practices

Use AppArmor to Restrict Container Actions

AppArmor is a Linux kernel security module that allows you to restrict a container's capabilities by defining "profiles." While Docker applies a default profile to all containers, creating a custom profile allows for much tighter security.

To understand how to create and apply a custom AppArmor profile, follow the steps below.

Ensure the tools are present and the service is running:

# Remove AppArmor if it is installed
sudo apt-get purge \
  apparmor \
  apparmor-profiles \
  apparmor-utils

# install apparmor, profiles, and utils
sudo apt-get install \
  apparmor-utils \
  apparmor-profiles \
  apparmor-profiles-extra \
  vim-addon-manager

# reboot, then confirm the module is enabled and profiles are loaded with: sudo aa-status
sudo reboot

Note that we define the name as docker-nginx inside the profile file, so we must use that same name when running the container. This file should be saved as /etc/apparmor.d/docker-nginx.

#include 

profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
  #include 

  network inet tcp,
  network inet udp,
  network inet icmp,
  deny network raw,   # This blocks 'ping' which requires RAW sockets
  deny network packet,

  file,     # allow file access in general; the explicit deny rules below take precedence
  umount,

  # Deny write (w) and link (l) access to sensitive host directories
  deny /bin/** wl,
  deny /boot/** wl,
  deny /dev/** wl,
  deny /etc/** wl,
  deny /home/** wl,
  deny /root/** wl,
  deny /sys/** wl,

  # Allow Nginx to function
  /var/run/nginx.pid w,
  /usr/sbin/nginx ix,   # execute nginx and keep it confined by this same profile

  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,
}
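The profile above declares its name, and the container has to be started with exactly that name. The following script is an added example, not code from the book: it reads the name from the profile file, loads the profile into the kernel, starts nginx under it, and then probes the file denials from inside the container. It assumes the file was saved as /etc/apparmor.d/docker-nginx (override with PROFILE_FILE), that docker, apparmor_parser and aa-status are on the PATH, and that the container name apparmor-nginx is free.

```shell
#!/bin/sh
# Added example (not from Painless Docker): load the docker-nginx profile,
# start a container confined by it, and check that the denials hold.
# Assumptions: the profile is at /etc/apparmor.d/docker-nginx (override with
# PROFILE_FILE), docker/apparmor_parser/aa-status are on the PATH, and the
# container name "apparmor-nginx" is free.
set -eu

PROFILE_FILE="${PROFILE_FILE:-/etc/apparmor.d/docker-nginx}"
CONTAINER="apparmor-nginx"

# Read the name declared on the "profile <name> ..." line so that the name
# passed to docker comes from the file instead of being retyped.
profile_name() {
  sed -n 's/^profile[[:space:]][[:space:]]*\([^[:space:]{]*\).*/\1/p' "$1" | head -n 1
}

# Compile the profile into the kernel (-r replaces an already loaded profile
# of the same name, -W writes the cache) and confirm it is listed as loaded.
load_profile() {
  sudo apparmor_parser -r -W "$PROFILE_FILE"
  sudo aa-status | grep -q "$(profile_name "$PROFILE_FILE")"
}

# Start nginx under the profile. Docker records the applied profile in the
# container metadata, so check it is ours and not the default one.
run_confined() {
  name=$(profile_name "$PROFILE_FILE")
  docker run -d --name "$CONTAINER" --security-opt "apparmor=$name" -p 80:80 nginx
  [ "$(docker inspect --format '{{.AppArmorProfile}}' "$CONTAINER")" = "$name" ]
}

# Probe the file rules from inside the container: a write under /etc or /root
# must be refused, while a write under /tmp (no deny rule) must still succeed,
# which shows the container is confined but not broken.
verify_denials() {
  if docker exec "$CONTAINER" touch /etc/probe; then return 1; fi
  if docker exec "$CONTAINER" touch /root/probe; then return 1; fi
  docker exec "$CONTAINER" touch /tmp/probe
}

# Usage: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
  load_profile
  run_confined
  verify_denials
  echo "profile $(profile_name "$PROFILE_FILE") loaded, applied and enforced"
fi
```

Running the script with the `apply` argument performs all three steps; each function also works on its own, which is convenient when the profile is edited and only needs reloading (`load_profile`) before the container is restarted.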
