moby--moby/docs/security/apparmor.md

AppArmor security profiles for Docker
--------------------------------------

AppArmor (Application Armor) is a security module that allows a system
administrator to associate a security profile with each program. Docker
expects to find an AppArmor policy loaded and enforced.

Container profiles are loaded automatically by Docker. A profile
for the Docker Engine itself also exists and is installed
with the official *.deb* packages. Advanced users and package
managers may find the profile for */usr/bin/docker* underneath
[contrib/apparmor](https://github.com/docker/docker/tree/master/contrib/apparmor)
in the Docker Engine source repository.


Understand the policies
------------------------

The `docker-default` profile the default for running
containers. It is moderately protective while
providing wide application compatability.

The `docker-unconfined` profile is intended for
privileged applications and is the default when runing
a container with the *--privileged* flag.

The system's standard `unconfined` profile inherits all
system-wide policies, applying path-based policies
intended for the host system inside of containers.
This was the default for privileged containers
prior to Docker 1.8.


Overriding the profile for a container
---------------------------------------

Users may override the AppArmor profile using the
`security-opt` option (per-container).

For example, the following explicitly specifies the default policy:

```
$ docker run --rm -it --security-opt apparmor:docker-default hello-world
```
Restore AppArmor profile generation Will attempt to load profiles automatically. If loading fails but the profiles are already loaded, execution will continue. A hard failure will only occur if Docker cannot load the profiles and they have not already been loaded via some other means. Also introduces documentation for AppArmor. Signed-off-by: Eric Windisch <eric@windisch.us> 2015-07-28 14:48:18 -04:00			`AppArmor security profiles for Docker`
			`--------------------------------------`

			`AppArmor (Application Armor) is a security module that allows a system`
			`administrator to associate a security profile with each program. Docker`
			`expects to find an AppArmor policy loaded and enforced.`

			`Container profiles are loaded automatically by Docker. A profile`
			`for the Docker Engine itself also exists and is installed`
			`with the official .deb packages. Advanced users and package`
			`managers may find the profile for /usr/bin/docker underneath`
			`[contrib/apparmor](https://github.com/docker/docker/tree/master/contrib/apparmor)`
			`in the Docker Engine source repository.`


			`Understand the policies`
			`------------------------`

			The `docker-default` profile the default for running
			`containers. It is moderately protective while`
			`providing wide application compatability.`

			The `docker-unconfined` profile is intended for
			`privileged applications and is the default when runing`
			`a container with the --privileged flag.`

			The system's standard `unconfined` profile inherits all
			`system-wide policies, applying path-based policies`
			`intended for the host system inside of containers.`
			`This was the default for privileged containers`
			`prior to Docker 1.8.`


			`Overriding the profile for a container`
			`---------------------------------------`

			`Users may override the AppArmor profile using the`
			`security-opt` option (per-container).

			`For example, the following explicitly specifies the default policy:`

			```
			`$ docker run --rm -it --security-opt apparmor:docker-default hello-world`
			```