11.2.4 Security Profiles
A focused guide to Security Profiles, connecting core concepts with practical Docker and container operations.
Security profiles are kernel-enforced policy mechanisms — seccomp, AppArmor, SELinux — that restrict what system calls, file accesses, or other operations a container's process is permitted to perform, providing an additional layer of mandatory access control beyond Docker's own capability and user-based restrictions.
Why Security Profiles Provide a Different Kind of Restriction
Where capabilities and non-root execution limit privilege in terms of traditional Unix permission concepts, security profiles operate at a lower, more granular level, restricting specific system calls or file paths regardless of the process's nominal privilege level.
docker run --security-opt seccomp=default.json myapp:1.0
This applies a seccomp profile restricting which system calls the container's process is permitted to make, a restriction operating independently of (and in addition to) capability-based controls.
Docker's Default Seccomp Profile
Docker applies a default seccomp profile automatically, blocking a substantial number of system calls not typically needed by ordinary containerized applications, without requiring any explicit configuration.
docker run myapp:1.0
This container already benefits from Docker's default seccomp profile, even without any explicit --security-opt flag.
Why Custom Profiles Provide Even Tighter Restriction
A custom seccomp or AppArmor profile, tailored to a specific application's actual needs, can restrict the container further than Docker's general-purpose default does.
docker run --security-opt seccomp=custom-profile.json myapp:1.0
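Before shipping a custom profile, it helps to check that it really is an allowlist and to see which sensitive system calls it lets through. The following is an added example, not code from the original guide or from Docker: the sample profile is constructed, the REVIEW set is an illustrative selection made for this example, and the function names are hypothetical.

```python
import json

# Constructed sample profile in Docker's seccomp JSON format (not from the guide).
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write", "close", "exit_group", "futex"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["mount"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]}
  ]
}
""")

# Illustrative review list chosen for this example (an assumption, not exhaustive).
REVIEW = {"ptrace", "mount", "bpf", "keyctl", "kexec_load", "init_module", "unshare", "setns"}
DENY = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
        "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}

def allowed(profile):
    """Return (unconditional, conditional) sets of syscall names the profile allows."""
    uncond, cond = set(), set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        # Older profiles use a singular "name" key instead of "names".
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        # A rule is conditional when it matches on arguments or on capabilities.
        gated = bool(rule.get("args") or rule.get("includes") or rule.get("excludes"))
        (cond if gated else uncond).update(names)
    return uncond, cond - uncond

def audit(profile):
    """List findings that make a custom profile looser than an allowlist should be."""
    findings = []
    if profile.get("defaultAction") not in DENY:
        findings.append("defaultAction is not a deny action: profile is a denylist")
    uncond, cond = allowed(profile)
    findings += [f"{n}: allowed unconditionally" for n in sorted(uncond & REVIEW)]
    findings += [f"{n}: allowed conditionally, check the gate" for n in sorted(cond & REVIEW)]
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_PROFILE):
        print(line)
```

To audit a real file, load it with json.load and pass the result to audit() before handing the file to --security-opt seccomp=.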
Why Security Profiles Complement Rather Than Replace Other Practices
Security profiles address a different layer of potential risk than capabilities or non-root execution — using them together provides more comprehensive, layered protection than relying on any single mechanism alone.
docker run --user 1000:1000 --cap-drop=ALL --security-opt seccomp=custom-profile.json myapp:1.0
Why Security Profiles Matter
These kernel-enforced mechanisms provide an important, additional layer of mandatory access control, restricting specific low-level operations in ways that complement Docker's higher-level capability and user-based security controls.