Not sure if that’s bad practice but this is kind of an X-post from this GitHub comment.
Recently I’ve discovered that Docker from the Docker package in stable seems to not make use of AppArmor at all. Regardless of whether I explicitly specify an AppArmor profile for a container or just start it with the default settings, the contained process always ends up with the `unconfined` profile.
Here’s a small reproducer:
```console
$ sudo docker run --rm -it -d --name alp alpine sh
[...]
$ # Should output "docker-default":
$ cat /proc/$(sudo docker inspect alp -f "{{.State.Pid}}")/attr/apparmor/current
unconfined
```
Running `aa-status` shows that the “docker-default” profile is not loaded, but the same also happens with already loaded AppArmor profiles.
```console
$ # "myprofile" is an existing AppArmor profile.
$ sudo docker run --rm -it -d --name alp --security-opt apparmor=myprofile alpine sh
[...]
$ # Should output "myprofile":
$ cat /proc/$(sudo docker inspect alp -f "{{.State.Pid}}")/attr/apparmor/current
unconfined
```
I’ve tried building the Docker package with the `apparmor` flag and adding the AppArmor tools to the `$PATH` of the Docker service (see the GitHub comment), to no avail.
Does anyone have an idea what the problem here could be?
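As an added example that is not part of the original post, the check shown above can be turned into a small POSIX sh helper that reads a container's AppArmor label from `/proc/<pid>/attr/apparmor/current` and fails unless the expected profile is applied in enforce mode. The label parsing is split out so it can be exercised on constructed labels without Docker; the container wrapper assumes the Docker CLI is available via `sudo`, as in the reproducer. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a running container's
# init process is actually confined by the expected AppArmor profile.
# Assumes the Docker CLI is reachable via sudo and AppArmor exposes labels
# at /proc/<pid>/attr/apparmor/current (e.g. "docker-default (enforce)").

# Profile name from a raw label: "docker-default (enforce)" -> "docker-default",
# "unconfined" -> "unconfined".
apparmor_label_profile() {
    printf '%s\n' "$1" | sed 's/ (.*)$//'
}

# Mode from a raw label: "(enforce)"/"(complain)" suffix, or "-" if absent.
apparmor_label_mode() {
    case "$1" in
        *"("*")") printf '%s\n' "$1" | sed 's/^.*(\(.*\))$/\1/' ;;
        *) printf '%s\n' "-" ;;
    esac
}

# Return 0 only if the label names the expected profile in enforce mode.
# Usage: apparmor_check_label <label> <expected-profile>
apparmor_check_label() {
    label=$1
    expected=$2
    profile=$(apparmor_label_profile "$label")
    mode=$(apparmor_label_mode "$label")
    if [ "$profile" = "unconfined" ]; then
        echo "FAIL: process is unconfined (expected '$expected')"
        return 1
    fi
    if [ "$profile" != "$expected" ]; then
        echo "FAIL: profile '$profile' differs from expected '$expected'"
        return 1
    fi
    if [ "$mode" != "enforce" ]; then
        echo "WARN: profile '$profile' is in '$mode' mode, not enforce"
        return 1
    fi
    echo "OK: '$profile' ($mode)"
    return 0
}

# Look up a container's init PID and check its label.
# Usage: apparmor_check_container <container> [expected-profile]
# Returns 0 on match, 1 on mismatch, 2 if the container cannot be inspected.
apparmor_check_container() {
    container=$1
    expected=${2:-docker-default}
    pid=$(sudo docker inspect "$container" -f '{{.State.Pid}}') || return 2
    [ "$pid" -gt 0 ] 2>/dev/null || {
        echo "FAIL: container '$container' is not running"
        return 2
    }
    label=$(cat "/proc/$pid/attr/apparmor/current") || return 2
    apparmor_check_label "$label" "$expected"
}

# Example invocation against the reproducer's container name:
# apparmor_check_container alp docker-default
```

On the affected setup from the post, `apparmor_check_container alp` prints the `unconfined` failure and exits 1, which makes the regression easy to catch in a service health check rather than by reading `/proc` by hand.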