Upgrade Docker
curl -fsSL get.docker.com | bash
AppArmor Nginx Profile
cat docker-nginx
This is a profile designed for the nginx Container.
Parse
Use the parser to install the profile on the machine
sudo apparmor_parser -r -W docker-nginx
Run With Profile
Once installed, it can be assigned to a container.
docker run --security-opt apparmor=docker-nginx -d --name apparmor-nginx nginx
View Status
View the status of the AppArmor policies. Notice how nginx is in enforce mode.
aa-status
Test
Execute Into Container:
docker exec -it apparmor-nginx bash
Try the following commands:
touch ~/thing touch /bin/ps sh
The commands will fail because the Profile blocks them.
