
11.2.4.2 AppArmor Profile

A focused guide to AppArmor Profile, connecting core concepts with practical Docker and container operations.

An AppArmor profile confines a container's processes according to a policy that lists the files, network operations and capabilities they may use. It is mandatory access control enforced by the Linux kernel on hosts where the AppArmor security module is enabled, and it is distinct from and complementary to seccomp, which filters system calls rather than paths and resources.

Docker's Default AppArmor Profile

On hosts where AppArmor is enabled, the Docker daemon generates a profile named docker-default when it starts and applies it to every container that is not run with --privileged or given an explicit --security-opt apparmor=... setting, so containers get baseline restrictions with no configuration at all.

docker run myapp:1.0

On an AppArmor-enabled host, this container already runs under Docker's default AppArmor profile.

Applying a Custom AppArmor Profile

A custom profile, written for one application, is loaded into the kernel with apparmor_parser and then named on the docker run command line. The profile must already be loaded on the host when the container starts: Docker loads docker-default itself but does not read or load custom profile files.

# /etc/apparmor.d/custom-myapp-profile
#include <tunables/global>

profile custom-myapp-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  /app/** r,
  /app/logs/** rw,
  network inet tcp,
}

apparmor_parser -r -W /etc/apparmor.d/custom-myapp-profile
docker run --security-opt apparmor=custom-myapp-profile myapp:1.0

A profile like this restricts the container to reading its application directory, allows writes only under the logs subdirectory, and permits only IPv4 TCP networking. Everything not listed is denied, which is why the base abstraction is included: it grants the shared libraries, /proc entries and device nodes that almost any process needs. Note that /app/** r does not grant execute permission, so the application binary itself needs an exec rule (for example ix) before it can run under this profile. Denials are written to the kernel log (dmesg, journalctl -k, or the audit log when auditd is running) as apparmor="DENIED" entries, and docker inspect --format '{{ .AppArmorProfile }}' <container> confirms which profile a running container was started with.
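To see what the rules above actually permit, here is an added example (not from the original page, and not AppArmor's own parser): a small Python model of AppArmor file-rule matching. It implements the glob semantics that decide most surprises in practice, that * and ? never cross a / while ** does, and that allow rules accumulate across every rule matching a path. It covers allow rules only and ignores deny rules, owner rules, abstractions and exec transition modes, so it is a tool for reasoning about a profile, not a substitute for apparmor_parser. The profile text and the sample accesses are constructed for the example.

```python
"""Simplified model of how AppArmor matches file rules against paths.

Added example, not AppArmor code: it covers allow rules with the glob
characters *, ** and ?, and ignores deny rules, abstractions, owner
rules and exec transition modes (ix/px/ux), so treat it as a way to
reason about a profile, not as a substitute for the real parser.
"""
import re

# Constructed: the file rules from the custom-myapp-profile on this page.
PROFILE = """
profile custom-myapp-profile {
  /app/** r,
  /app/logs/** rw,
  network inet tcp,
}
"""

# A file rule is an absolute path glob followed by a permission string.
FILE_RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),\s*$")


def glob_to_regex(pattern: str):
    """Translate an AppArmor path glob into an anchored regular expression.

    AppArmor semantics: '*' and '?' never cross a '/', '**' does, and
    '{a,b}' is alternation. Everything else is literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            close = pattern.index("}", i)  # raises ValueError if unbalanced
            alternatives = pattern[i + 1:close].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alternatives) + ")")
            i = close
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_file_rules(profile_text: str):
    """Extract (compiled glob, permission set) pairs; other rule types are skipped."""
    rules = []
    for line in profile_text.splitlines():
        m = FILE_RULE_RE.match(line)
        if m:
            rules.append((glob_to_regex(m.group(1)), set(m.group(2))))
    return rules


def permissions_for(rules, path: str) -> set:
    """Allow rules accumulate: every matching rule contributes its permissions."""
    granted = set()
    for regex, perms in rules:
        if regex.match(path):
            granted |= perms
    return granted


def is_allowed(rules, path: str, mode: str) -> bool:
    """True when every requested permission letter is granted for the path."""
    return set(mode) <= permissions_for(rules, path)


def audit(rules, accesses):
    """Evaluate (path, mode) pairs; returns {"path mode": allowed}."""
    return {f"{path} {mode}": is_allowed(rules, path, mode) for path, mode in accesses}


if __name__ == "__main__":
    rules = parse_file_rules(PROFILE)
    # Constructed accesses a container running myapp might attempt.
    results = audit(rules, [
        ("/app/main.py", "r"),
        ("/app/logs/app.log", "rw"),
        ("/app/config.yaml", "w"),   # under /app, but only readable
        ("/app/bin/server", "x"),    # execute needs an exec rule (ix/px/...)
        ("/etc/passwd", "r"),        # nothing outside /app is listed
    ])
    for access, allowed in results.items():
        label = "ALLOW" if allowed else "DENY"
        print(f"{label:6}{access}")
```

Running it shows the shape of the policy: reads anywhere under /app pass, the write to /app/logs/app.log passes because both rules match and their permissions are combined, while the write to /app/config.yaml, the execute of /app/bin/server and the read of /etc/passwd are all denied. Swapping /app/** for /app/* in PROFILE makes /app/lib/util.py unreadable, which is the single-star trap that most often shows up as unexpected apparmor="DENIED" lines in the kernel log.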

Why AppArmor Restricts File and Network Access Specifically

Where seccomp decides by system call number and arguments, AppArmor decides by what a call touches: file paths, network families and protocols, capabilities, mounts and signals. The two overlap but answer different questions. Seccomp can forbid mount(2) outright, while AppArmor can allow a process to read /app but not /etc even though both are the same open(2) call. Because AppArmor rules are path based, the path the kernel sees matters: a file reached through a bind mount or a disconnected path is matched by that path, which is why Docker's own profiles set attach_disconnected.

docker run --security-opt apparmor=docker-default myapp:1.0

Naming docker-default explicitly makes the otherwise implicit protection visible in the run command and in docker inspect output. The opposite setting, --security-opt apparmor=unconfined, removes it entirely, and so does --privileged, which is easy to overlook when a container is "temporarily" run privileged for debugging.

Why AppArmor Availability Depends on the Host

AppArmor is a Linux kernel security module that ships enabled on Ubuntu, Debian and SUSE, but not on every distribution Docker runs on: the RHEL and Fedora family use SELinux instead, where AppArmor profiles cannot be loaded and the --security-opt apparmor=... option cannot be honoured.

aa-status

Running aa-status (as root) confirms whether the module is loaded and lists the profiles in enforce and complain mode; docker-default and any custom profile should appear under enforce mode before a container relies on them. Without root, cat /sys/module/apparmor/parameters/enabled prints Y when the module is enabled, and docker info lists apparmor under Security Options when the daemon is using it. Inside a running container, cat /proc/1/attr/current shows the profile and mode actually applied to the container's init process, for example docker-default (enforce), or unconfined if none was applied.
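The checks above are the kind of thing a deployment script should do once rather than assume. Here is an added example (not from the page and not part of AppArmor's own tools) that parses the text aa-status prints and the line a process reads from /proc/self/attr/current, so a script can refuse to proceed unless the module is loaded, the intended profile is in enforce mode, and the process is actually confined. The aa-status text is a constructed sample modelled on an Ubuntu host running Docker; its profile names and PIDs are invented for the example.

```python
"""Confirm AppArmor is available and the intended profile is enforced.

Added example, not part of the page or of the AppArmor tools. It parses
the text that `aa-status` prints and the line a process reads from
/proc/self/attr/current, so a deployment script can fail early instead
of assuming confinement that the host never applied.
"""
import os
import re
import subprocess

# Constructed sample of `aa-status` output on an Ubuntu host running Docker;
# profile names and PIDs are invented for the example.
SAMPLE_AA_STATUS = """\
apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/cupsd
   docker-default
   custom-myapp-profile
1 profiles are in complain mode.
   /usr/lib/snapd/snap-confine
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (812) 
   docker-default (4021) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
"""

SECTION_RE = re.compile(r"^\d+ (profiles|processes) are in (\w+) mode\.$")
UNCONFINED_RE = re.compile(r"^\d+ processes are unconfined but have a profile defined\.$")
PROCESS_RE = re.compile(r"^(\S+) \((\d+)\)$")


def parse_aa_status(text: str):
    """Return (module_loaded, {profile: mode}, [(profile, pid, mode)])."""
    module_loaded = False
    profiles = {}
    processes = []
    section = None  # (kind, mode) of the indented block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "apparmor module is loaded.":
            module_loaded = True
            continue
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1), m.group(2))
            continue
        if UNCONFINED_RE.match(line):
            section = ("processes", "unconfined")
            continue
        if not raw[0].isspace():
            section = None  # a summary line such as "N profiles are loaded."
            continue
        if section is None:
            continue
        kind, mode = section
        if kind == "profiles":
            profiles[line] = mode
        else:
            pm = PROCESS_RE.match(line)
            if pm:
                processes.append((pm.group(1), int(pm.group(2)), mode))
    return module_loaded, profiles, processes


def parse_attr_current(text: str):
    """Parse /proc/<pid>/attr/current: 'docker-default (enforce)' or 'unconfined'."""
    text = text.strip()
    m = re.match(r"^(.+) \((\w+)\)$", text)
    if m:
        return m.group(1), m.group(2)
    return text, None


def host_enforces(profile: str, aa_status_text: str) -> bool:
    """True only if the module is loaded and `profile` is in enforce mode."""
    loaded, profiles, _ = parse_aa_status(aa_status_text)
    return loaded and profiles.get(profile) == "enforce"


def aa_status_text() -> str:
    """Run aa-status on this host (needs root); on failure fall back to the sample."""
    try:
        return subprocess.run(["aa-status"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("aa-status unavailable here; using the constructed sample output")
        return SAMPLE_AA_STATUS


if __name__ == "__main__":
    status = aa_status_text()
    for name in ("docker-default", "custom-myapp-profile"):
        state = "enforced" if host_enforces(name, status) else "NOT enforced"
        print(f"{name}: {state}")
    attr = "/proc/self/attr/current"
    if os.path.exists(attr):
        with open(attr) as fh:
            print("this process is confined by:", parse_attr_current(fh.read()))
```

In a real pipeline the fallback to the sample would be removed and a failed host_enforces check would abort the deployment; the same parse_attr_current call run inside the container (docker exec <container> cat /proc/1/attr/current) is the check that proves the profile reached the workload rather than merely existing on the host.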

Why AppArmor Profiles Matter

AppArmor provides an important, complementary layer of mandatory access control focused on file and network access, valuable alongside seccomp's system call restrictions for building a more comprehensive container security posture on systems where it's available.