
11.2.4.4 Profile Customization

A focused guide to Profile Customization, connecting core concepts with practical Docker and container operations.

Profile customization is the practice of tailoring a seccomp, AppArmor, or SELinux profile to an individual application's actual, narrower needs rather than relying solely on Docker's general-purpose default profiles. For applications with particularly demanding security requirements, this achieves meaningfully tighter restriction than the defaults can.

Why a General-Purpose Default Leaves Room for Tightening

Docker's default profiles are designed to work reasonably well across a very broad range of applications, meaning they're necessarily less restrictive than a profile tailored to one specific application's actual, narrower behavior.

docker run --security-opt seccomp=default.json myapp:1.0
docker run --security-opt seccomp=myapp-custom.json myapp:1.0

The second, custom profile can restrict specifically to the system calls this one application actually uses, considerably narrower than the general-purpose default.

Determining an Application's Actual Behavior to Inform Customization

Observing an application's actual system call usage, file access patterns, or network behavior during normal operation provides the basis for building an accurately scoped custom profile.

Tracing the docker command itself records only the Docker CLI's system calls, because the container's processes are started by the container runtime rather than by the client. Run strace inside the container instead, wrapping the application's own start command (shown here as a placeholder, and assuming strace is installed in the image), with ptrace permitted and seccomp disabled for the profiling run only:

docker run --rm --cap-add SYS_PTRACE --security-opt seccomp=unconfined myapp:1.0 strace -c -f -o /tmp/syscalls.log <application command>

Reviewing this kind of trace reveals exactly which system calls the application genuinely uses, informing a custom seccomp profile that permits only those specific calls.

Testing a Custom Profile Thoroughly Before Relying on It

A custom profile that's too restrictive can break legitimate application functionality — thorough testing across the application's actual range of behavior is essential before deploying a custom profile in production.

docker run --rm --security-opt seccomp=myapp-custom.json myapp:1.0 npm test

Maintaining a Custom Profile as the Application Evolves

An application's behavior can change over time as it's updated — a custom profile needs to be revisited and potentially adjusted alongside significant application changes, rather than being treated as a one-time, permanent configuration.

docker run --rm --cap-add SYS_PTRACE --security-opt seccomp=unconfined myapp:2.0 strace -c -f -o /tmp/syscalls-updated.log <application command>

Comparing the new trace against the existing profile shows exactly which system calls the updated release needs that the profile does not yet allow.

Why Profile Customization Matters
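Turning a trace into a profile and re-checking it after an upgrade, as an added example that is not part of this page: a Python script (function and constant names are assumptions) that parses the summary printed by strace -c, emits a Docker seccomp profile allowing only the observed calls, and reports which calls a newer trace needs that the current profile does not allow. Both trace texts are constructed samples, and BASELINE is a conservative assumption about calls the runtime needs even if a short trace never shows them.

```python
import json

# Constructed sample of `strace -c` summary output for myapp:1.0 (not a real trace).
TRACE_V1 = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 50.00    0.000500          10        50           read
 30.00    0.000300          15        20         2 openat
 10.00    0.000100          10        10           write
  5.00    0.000050          50         1           execve
  5.00    0.000050          25         2           close
------ ----------- ----------- --------- --------- ----------------
100.00    0.001000                    83         2 total
"""

# Constructed trace of a later release that additionally uses getrandom.
TRACE_V2 = TRACE_V1 + "  0.00    0.000000           0         3           getrandom\n"

# Calls needed to start and stop the process (assumption, not from the page).
BASELINE = {"execve", "exit", "exit_group", "rt_sigreturn"}


def syscalls_from_strace_summary(text):
    """Return the set of syscall names listed in `strace -c` output."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the header row, separator rows and the total row.
        if not fields or fields[0].startswith(("%", "-")) or fields[-1] == "total":
            continue
        names.add(fields[-1])  # syscall name is always the last column
    return names


def build_profile(names):
    """Build a Docker seccomp profile that denies everything except `names`."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(names | BASELINE), "action": "SCMP_ACT_ALLOW"}],
    }


def newly_required(profile, new_trace):
    """Syscalls a newer trace uses that an existing profile does not allow."""
    allowed = set(profile["syscalls"][0]["names"])
    return sorted(syscalls_from_strace_summary(new_trace) - allowed)


if __name__ == "__main__":
    profile = build_profile(syscalls_from_strace_summary(TRACE_V1))
    with open("myapp-custom.json", "w") as f:  # pass via --security-opt seccomp=
        json.dump(profile, f, indent=2)
    print("myapp:2.0 additionally needs:", newly_required(profile, TRACE_V2))
```

A real strace -c summary may omit the errors column on some rows; the parser only relies on the syscall name being the last field, so that does not matter.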

For applications with genuinely demanding security requirements, investing in a custom, tightly scoped security profile provides meaningfully stronger restriction than Docker's general-purpose defaults alone, though this benefit comes with the ongoing maintenance cost of keeping the custom profile accurately aligned with the application's actual, evolving behavior.