github.com/vincentwoo/docker@v0.7.3-0.20160116130405-82401a4b13c0/docs/security/apparmor.md

<!-- [metadata]>
+++
title = "AppArmor security profiles for Docker"
description = "Enabling AppArmor in Docker"
keywords = ["AppArmor, security, docker, documentation"]
[menu.main]
parent= "smn_secure_docker"
+++
<![end-metadata]-->

# AppArmor security profiles for Docker

AppArmor (Application Armor) is a Linux security module (LSM) that implements
mandatory access control. A system administrator associates an AppArmor
security profile with a program, and the kernel then restricts that program's
file access, capabilities, networking and mount operations to what the profile
allows, regardless of which user the program runs as. On hosts where the
module is enabled, Docker expects to find an AppArmor policy loaded and
enforced.

Docker automatically loads the profile it applies to containers. A separate
profile for the Docker Engine binary itself also exists and is installed by
the official *.deb* packages as `/etc/apparmor.d/docker`.


## Understand the policies

The `docker-default` profile is the default for running containers. It is
moderately protective while providing wide application compatibility: the
four broad allow rules (`network`, `capability`, `file`, `umount`) permit
almost everything, and the `deny` rules, which take precedence over allow
rules in AppArmor, carve out the parts of `/proc` and `/sys` through which
a container could tamper with the host kernel. Because `capability,` allows
every capability at the AppArmor layer, the set of capabilities a container
actually holds is bounded by the capability list Docker grants it, not by
this profile. In the permission strings, `r` is read, `w` write, `k` file
locking, `l` link and `x` execute. The profile is the following:

```
#include <tunables/global>


profile docker-default flags=(attach_disconnected,mediate_deleted) {

  #include <abstractions/base>


  # Broad allow rules: all networking, all capabilities the container was
  # started with, all file access, and unmount.
  network,
  capability,
  file,
  umount,

  # Deny rules win over allow rules. Block writes, locks and execution on
  # /proc entries that are not per-process directories (kernel tunables,
  # sysrq, raw memory).
  deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,

  deny mount,

  # Block writes under /sys except /sys/fs/cgroup, and all access to EFI
  # variables and the securityfs tree.
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
```

When you run a container, it is confined by the `docker-default` profile
unless you override it with the `--security-opt` option. For example, the
following explicitly specifies the default policy:

```bash
$ docker run --rm -it --security-opt apparmor:docker-default hello-world
```

Passing `apparmor:unconfined` instead runs the container with no AppArmor
profile at all, and `--privileged` containers also run unconfined. Either
removes the protection described above, so treat them as deliberate
exceptions rather than defaults. To confirm which profile a running
container is under, read `/proc/self/attr/current` from inside it; it
reports the profile name and the mode, for example `docker-default (enforce)`.

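The following is an added example, not part of the original page or of the Docker project: it writes a custom profile that starts from the `docker-default` rules above and tightens them (no networking, no `CAP_SYS_ADMIN`, no writes under `/etc` inside the container), loads it with `apparmor_parser`, pins a container to it with `--security-opt`, and verifies the confinement from inside the container. The profile name `docker-nonet` and the path under `/etc/apparmor.d/` are assumptions; the `apply` step needs root on an AppArmor-enabled host with the `busybox` image available.

```shell
#!/bin/sh
# Added example: build, load and verify a custom AppArmor profile for
# Docker containers. Profile name and install path are assumptions.
PROFILE_NAME="${PROFILE_NAME:-docker-nonet}"
PROFILE_PATH="/etc/apparmor.d/${PROFILE_NAME}"

# Emit the profile text. It keeps the broad allow rules of docker-default
# for files and capabilities, then uses deny rules, which take precedence
# over allow rules, to remove networking, CAP_SYS_ADMIN and writes to /etc.
profile_text() {
  name="$1"
  cat <<EOF
#include <tunables/global>

profile ${name} flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  file,
  capability,
  umount,

  # Tightened relative to docker-default.
  deny network,
  deny capability sys_admin,
  deny /etc/** wl,

  # Carried over from docker-default.
  deny mount,
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
EOF
}

# The docker command line that pins a container to a named profile.
run_cmd() {
  printf 'docker run --rm --security-opt apparmor:%s %s\n' "$1" "$2"
}

# Install and load the profile, then prove the container is confined.
# Requires root and an AppArmor-enabled kernel.
apply_profile() {
  profile_text "$PROFILE_NAME" > "$PROFILE_PATH"
  # -r replaces an already loaded profile of the same name, -W writes
  # the parser cache so the profile loads quickly on reboot.
  apparmor_parser -r -W "$PROFILE_PATH"
  # The profile must now appear in the kernel's list of loaded profiles.
  aa-status | grep -q "$PROFILE_NAME"
  # Prints "<name> (enforce)" when the container really runs under it.
  docker run --rm --security-opt "apparmor:$PROFILE_NAME" busybox \
    cat /proc/self/attr/current
  # Expected to fail: the profile denies all sockets, so even DNS is blocked.
  docker run --rm --security-opt "apparmor:$PROFILE_NAME" busybox \
    wget -q -O- http://example.com/ \
    || echo "network blocked by $PROFILE_NAME as intended"
  # Expected to fail: writes under /etc are denied by the profile.
  docker run --rm --security-opt "apparmor:$PROFILE_NAME" busybox \
    sh -c 'echo x >> /etc/passwd' \
    || echo "write to /etc blocked by $PROFILE_NAME as intended"
}

if [ "${1:-}" = "apply" ]; then
  apply_profile
fi
```

Run it as `sudo sh profile.sh apply`. Starting from the published `docker-default` text and adding deny rules, rather than rewriting the allow rules, keeps the container compatible with the same software as the default profile while removing only the specific operations you have decided it must never perform; if a deny rule is too aggressive, the kernel logs the denial (visible with `dmesg` or in the audit log), which is the first place to look when a confined container misbehaves.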
## Contributing to AppArmor code in Docker

Advanced users and packagers can find the profile for `/usr/bin/docker`
underneath
[contrib/apparmor](https://github.com/docker/docker/tree/master/contrib/apparmor)
in the Docker Engine source repository.