In this scenario, you will learn how to install and apply AppArmor profiles.
In the second step of the scenario, you will learn how to create and customise your own AppArmor profile by using Bane, a tool created by Jess Frazelle.

Steps
Bane - AppArmor Profile Generator
AppArmor
Upgrade Docker
curl -fsSL https://get.docker.com | bash
AppArmor Nginx Profile
cat docker-nginx
This is a profile designed for the nginx Container.
Parse
Use the parser to install the profile on the machine.
sudo apparmor_parser -r -W docker-nginx
Run With Profile
Once installed, it can be assigned to a container.
docker run --security-opt apparmor=docker-nginx -d --name apparmor-nginx nginx
View Status
View the status of the AppArmor policies. Notice how nginx is in enforce mode.
aa-status
Test
Execute Into Container:
docker exec -it apparmor-nginx bash
Try the following commands:
touch ~/thing
touch /bin/ps
sh
The commands will fail because the profile blocks them.
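The View Status step can be checked by script rather than by eye. The following is an added example, not part of the original scenario: it parses aa-status text and reports whether a named profile is loaded in enforce mode and whether any process is actually confined by it. The sample text is constructed, and the two process-line layouts it handles are an assumption about how different aa-status versions print them.

```shell
#!/bin/sh
# Constructed sample of aa-status output (not captured from a real host).
# The two process lines show the layouts assumed here: "PROFILE (PID)" and "EXE (PID) PROFILE".
SAMPLE_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   docker-default
   docker-nginx
1 profiles are in complain mode.
   /usr/sbin/tcpdump
2 processes have profiles defined.
2 processes are in enforce mode.
   docker-nginx (4321)
   /usr/sbin/nginx (4355) docker-nginx
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# profile_mode NAME: aa-status text on stdin -> prints enforce, complain or not-loaded
profile_mode() {
    awk -v want="$1" '
        / profiles are in enforce mode/  { mode = "enforce";  next }
        / profiles are in complain mode/ { mode = "complain"; next }
        /^[0-9]+ / { mode = ""; next }   # any other counted header ends the profile lists
        mode != "" {
            name = $0
            sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name)
            if (name == want) { print mode; found = 1; exit }
        }
        END { if (!found) print "not-loaded" }'
}

# enforced_procs NAME: count processes listed as confined by NAME in enforce mode
enforced_procs() {
    awk -v want="$1" '
        / processes are in enforce mode/ { inproc = 1; next }
        /^[0-9]+ / { inproc = 0; next }
        inproc { for (i = 1; i <= NF; i++) if ($i == want) { n++; break } }
        END { print n + 0 }'
}

# check_profile NAME: succeeds only if NAME is enforced AND confines at least one process.
# Live use on the host: aa-status | check_profile docker-nginx
check_profile() {
    status=$(cat)
    mode=$(printf '%s\n' "$status" | profile_mode "$1")
    procs=$(printf '%s\n' "$status" | enforced_procs "$1")
    echo "$1: mode=$mode enforced_processes=$procs"
    [ "$mode" = enforce ] && [ "$procs" -gt 0 ]
}
```

A profile listed under enforce mode is only loaded; the process count is what shows that the container started with --security-opt apparmor=docker-nginx is actually running under it.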