Difficulty: Beginner
Estimated Time: 10 minutes

In this scenario, you will learn how to install and apply AppArmor profiles.

In the second step of the scenario, you will learn how to create and customise your own AppArmor profile by using Bane, a tool created by Jess Frazelle.


Bane - AppArmor Profile Generator

Step 1 of 2

AppArmor

AppArmor Nginx Profile

cat docker-nginx

This is a profile designed for the nginx container.

Parse

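Use the parser to install the profile on the machine. The -r flag replaces any copy of the profile that is already loaded, and -W writes the compiled profile to the cache.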

sudo apparmor_parser -r -W docker-nginx

Run With Profile

Once installed, it can be assigned to a container.

docker run --security-opt apparmor=docker-nginx -d --name apparmor-nginx nginx

View Status

View the status of the AppArmor policies. Notice how nginx is in enforce mode.

aa-status
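
To confirm the result for this specific container rather than reading it off the full aa-status listing, the following added example (not part of the original scenario) reads the label the kernel applied to the container's main process from /proc/<pid>/attr/current. The function names are hypothetical and the sample labels in demo are constructed.

```shell
#!/bin/sh
# Added example: confirm a container process is confined by the expected
# AppArmor profile in enforce mode. Function names are hypothetical.

# classify_label EXPECTED LABEL
# LABEL is the text of /proc/<pid>/attr/current, e.g. "docker-nginx (enforce)".
# Prints a verdict; returns 0 only when EXPECTED is applied in enforce mode.
classify_label() {
    expected=$1
    label=$2
    case $label in
        unconfined)
            echo "FAIL: process is unconfined"; return 1 ;;
        "$expected (enforce)")
            echo "OK: $expected is enforcing"; return 0 ;;
        "$expected (complain)")
            # Complain mode logs violations but does not block them.
            echo "WARN: $expected only logs violations (complain mode)"; return 2 ;;
        *)
            echo "FAIL: confined by '$label', expected '$expected'"; return 1 ;;
    esac
}

# check_container NAME EXPECTED
# Run on the Docker host as root: resolves the container's main PID and reads
# the label the kernel actually applied to it.
check_container() {
    pid=$(docker inspect --format '{{.State.Pid}}' "$1") || return 1
    classify_label "$2" "$(cat "/proc/$pid/attr/current")"
}

# Constructed labels showing each outcome (not captured from a real host).
demo() {
    for label in "docker-nginx (enforce)" "docker-nginx (complain)" \
                 "docker-default (enforce)" "unconfined"; do
        classify_label docker-nginx "$label" || true
    done
}
demo
```

On the host from this scenario, the live check is check_container apparmor-nginx docker-nginx.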

Test

Execute into the container:

docker exec -it apparmor-nginx bash

Try the following commands:

touch ~/thing
touch /bin/ps
sh

These will fail because the profile blocks them.