mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/docs/security/apparmor.md
Eric Windisch 3edc88f76d Restore AppArmor profile generation
Will attempt to load profiles automatically. If loading fails
but the profiles are already loaded, execution will continue.

A hard failure will only occur if Docker cannot load
the profiles *and* they have not already been loaded via
some other means.

Also introduces documentation for AppArmor.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-28 17:45:51 -04:00


AppArmor security profiles for Docker

AppArmor (Application Armor) is a security module that allows a system administrator to associate a security profile with each program. Docker expects to find an AppArmor policy loaded and enforced.

Container profiles are loaded automatically by Docker. A profile for the Docker Engine itself also exists and is installed with the official .deb packages. Advanced users and package managers may find the profile for /usr/bin/docker underneath contrib/apparmor in the Docker Engine source repository.

Understand the policies

The docker-default profile is the default for running containers. It is moderately protective while providing wide application compatibility.

The docker-unconfined profile is intended for privileged applications and is the default when running a container with the --privileged flag.

The system's standard unconfined profile inherits all system-wide policies, applying path-based policies intended for the host system inside of containers. This was the default for privileged containers prior to Docker 1.8.

Overriding the profile for a container

Users may override the AppArmor profile per container using the --security-opt option.

For example, the following explicitly specifies the default policy:

$ docker run --rm -it --security-opt apparmor:docker-default hello-world
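As an added check that is not part of the original docs: the engine expects the profile to be loaded and enforced, and a profile in complain mode only logs violations, so this POSIX shell script resolves the profile that a --security-opt apparmor:<name> value selects (docker-default when no apparmor option is given) and looks it up in the kernel's list of loaded profiles. The function names and the constructed sample profile list are assumptions; the --privileged case (docker-unconfined) is not modelled.

```shell
#!/bin/sh
# Added example (not from the Docker docs): confirm that the AppArmor profile a
# container will run under is loaded *and* in enforce mode before starting it.
# The kernel lists loaded profiles in /sys/kernel/security/apparmor/profiles, one
# "<profile name> (<mode>)" per line; complain mode only logs violations.

# security_opt_profile OPT -> profile named by an "apparmor:<name>" --security-opt
# value; any other value leaves the default, docker-default, in place.
security_opt_profile() {
    case $1 in
        apparmor:*) printf '%s\n' "${1#apparmor:}" ;;
        *)          printf '%s\n' docker-default ;;
    esac
}

# apparmor_mode NAME [FILE] -> "enforce", "complain", ... or "missing" if not loaded
apparmor_mode() {
    mode=$(awk -v n="$1" '$1 == n { gsub(/[()]/, "", $2); print $2; exit }' \
        "${2:-/sys/kernel/security/apparmor/profiles}")
    printf '%s\n' "${mode:-missing}"
}

# check_profile OPT [FILE] -> 0 if the profile OPT selects is enforced, 1 otherwise
check_profile() {
    p=$(security_opt_profile "$1")
    m=$(apparmor_mode "$p" "${2:-/sys/kernel/security/apparmor/profiles}")
    case $m in
        enforce) echo "ok:   $p is loaded and enforced"; return 0 ;;
        missing) echo "fail: $p is not loaded"; return 1 ;;
        *)       echo "warn: $p is in $m mode, violations are only logged"; return 1 ;;
    esac
}

# Constructed stand-in for the kernel file so the check runs on a host without AppArmor
# (hypothetical state: the engine profile enforced, docker-default only complaining).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
/usr/bin/docker (enforce)
docker-default (complain)
/usr/sbin/tcpdump (enforce)
EOF

check_profile apparmor:docker-default "$SAMPLE" || echo "containers would get weaker confinement than expected"
check_profile apparmor:/usr/bin/docker "$SAMPLE"
```

Drop the second argument to read the live kernel file on an AppArmor host; the exit status makes the check usable as a gate in a wrapper around docker run.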