Docker ignores AppArmor

Not sure if that’s bad practice but this is kind of an X-post from this GitHub comment.

Recently I’ve discovered that Docker from the Docker package in stable seems to not make use of AppArmor at all. Regardless of whether I explicitly specify an AppArmor profile for a container or just start it with the default settings, the contained process always ends up with the unconfined profile.

Here’s a small reproducer:

$ sudo docker run --rm -it -d --name alp alpine sh
[...]
$ # Should output "docker-default":
$ cat /proc/$(sudo docker inspect alp -f "{{.State.Pid}}")/attr/apparmor/current
unconfined

Running aa-status shows that the “docker-default” profile is not loaded but the same also happens with already loaded AppArmor profiles.

$ # "myprofile" is an existing AppArmor profile.
$ sudo docker run --rm -it -d --name alp --security-opt apparmor=myprofile alpine sh
[...]
$ # Should output "myprofile":
$ cat /proc/$(sudo docker inspect alp -f "{{.State.Pid}}")/attr/apparmor/current
unconfined

I’ve tried building the Docker package with the apparmor flag and adding the AppArmor tools to the $PATH of the Docker service (see the GitHub comment), to no avail.

Does anyone have an idea what the problem here could be?
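The reproducer above checks one container by hand. The following script is an added example (not from the thread or from Docker itself) that turns that check into an audit over every running container: it reads the AppArmor label from /proc/<pid>/attr/apparmor/current (falling back to the older /proc/<pid>/attr/current), classifies it as enforce, complain, unconfined or unknown, and exits non-zero if any container is not actually confined. The function names and the sample labels in the comments are assumptions made for this example; the audit loop itself needs the same privileges as the docker commands in the post.

```shell
#!/usr/bin/env sh
# Added example: audit the AppArmor confinement of all running Docker containers.
# Usage: sh apparmor-audit.sh --audit   (needs access to the Docker socket and
# to /proc/<pid>/attr of root-owned processes, i.e. typically run via sudo).

# classify_apparmor_label LABEL
# LABEL is the raw content of attr/apparmor/current, e.g. "docker-default (enforce)",
# "myprofile (complain)" or "unconfined". Prints: enforce, complain, unconfined or unknown.
classify_apparmor_label() {
    case "$1" in
        unconfined)     echo unconfined ;;
        *"(enforce)")   echo enforce ;;
        *"(complain)")  echo complain ;;
        *)              echo unknown ;;   # empty or unrecognised label
    esac
}

# apparmor_profile_name LABEL
# Strips the " (mode)" suffix, so "docker-default (enforce)" -> "docker-default".
apparmor_profile_name() {
    printf '%s\n' "$1" | sed 's/ (.*)$//'
}

# process_apparmor_label PID
# Prints the raw AppArmor label of a process, or nothing if it cannot be read
# (no such pid, or insufficient privileges).
process_apparmor_label() {
    pid=$1
    if [ -r "/proc/$pid/attr/apparmor/current" ]; then
        cat "/proc/$pid/attr/apparmor/current"
    elif [ -r "/proc/$pid/attr/current" ]; then
        cat "/proc/$pid/attr/current"
    fi
    return 0
}

# audit_containers
# One line per running container; returns 1 if any container is not in enforce mode.
# Complain mode only logs violations and does not block them, so it is reported
# but does not count as confined.
audit_containers() {
    rc=0
    for id in $(docker ps -q); do
        name=$(docker inspect -f '{{.Name}}' "$id" | sed 's#^/##')
        pid=$(docker inspect -f '{{.State.Pid}}' "$id")
        label=$(process_apparmor_label "$pid")
        mode=$(classify_apparmor_label "$label")
        printf '%-24s pid=%-8s profile=%-24s mode=%s\n' \
            "$name" "$pid" "$(apparmor_profile_name "${label:-<none>}")" "$mode"
        [ "$mode" = enforce ] || rc=1
    done
    return $rc
}

# Only run the audit when explicitly asked, so the functions can be sourced/tested.
case "${1:-}" in
    --audit) audit_containers ;;
esac
```

On a correctly configured host every line ends in mode=enforce with the docker-default profile (or the profile given via --security-opt apparmor=...). The symptom described in this thread would show up as every container reporting profile=unconfined, which is also what makes the script exit 1, so it can sit in a cron job or a CI smoke test for the host configuration.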


Probably a dumb question, but just to make sure: Do you have apparmor enabled in the kernel? That is security.apparmor.enable = true;.

Not a dumb question, but yep, I have it enabled. modprobe apparmor also exits with 0.