github.com/wulonghui/docker@v1.8.0-rc2/docs/security/apparmor.md (about)

AppArmor security profiles for Docker
--------------------------------------

AppArmor (Application Armor) is a security module that allows a system
administrator to associate a security profile with each program. Docker
expects to find an AppArmor policy loaded and enforced.

Container profiles are loaded automatically by Docker. A profile
for the Docker Engine itself also exists and is installed
with the official *.deb* packages. Advanced users and package
managers may find the profile for */usr/bin/docker* underneath
[contrib/apparmor](https://github.com/docker/docker/tree/master/contrib/apparmor)
in the Docker Engine source repository.


Understand the policies
------------------------

The `docker-default` profile is the default for running
containers. It is moderately protective while
providing wide application compatibility.

The `docker-unconfined` profile is intended for
privileged applications and is the default when running
a container with the *--privileged* flag.

The system's standard `unconfined` profile inherits all
system-wide policies, applying path-based policies
intended for the host system inside of containers.
This was the default for privileged containers
prior to Docker 1.8.


Overriding the profile for a container
---------------------------------------

Users may override the AppArmor profile using the
`security-opt` option (per-container).

For example, the following explicitly specifies the default policy:

```
$ docker run --rm -it --security-opt apparmor:docker-default hello-world
```
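Because the profile can be overridden per container, it is worth checking which profile a running container actually ended up with. The script below is an added example, not part of the Docker documentation or source: it classifies the AppArmor label of a container's init process against the three profiles named above. The function names, verdict strings, container names and sample labels are constructed for illustration, and it assumes the kernel's label format of `<profile> (<mode>)` or the bare word `unconfined`.

```shell
#!/bin/sh
# Added example: classify the AppArmor label of a container's init process.
# On a live host the label is the content of /proc/<pid>/attr/current, where
# <pid> comes from: docker inspect --format '{{.State.Pid}}' <container>
# Assumed label format: "<profile> (<mode>)", or the bare word "unconfined".

classify_label() {
    label=$1
    profile=${label%% (*}            # strip the " (mode)" suffix, if any
    case $label in
        *"("*")") mode=${label##*\(}; mode=${mode%\)} ;;
        *)        mode=none ;;
    esac
    case $profile in
        docker-default)
            if [ "$mode" = enforce ]; then echo ok-default
            else echo weak-default-not-enforced; fi ;;
        docker-unconfined) echo privileged-profile ;;
        unconfined)        echo host-unconfined ;;
        "")                echo unknown ;;
        *)                 echo custom-override ;;
    esac
}

# Read "name<TAB>label" lines on stdin, print one finding per container, and
# return non-zero if anything runs outside an enforced docker-default.
audit_labels() {
    rc=0
    while IFS="$(printf '\t')" read -r name label; do
        [ -n "$name" ] || continue
        verdict=$(classify_label "$label")
        printf '%s\t%s\t%s\n' "$name" "$label" "$verdict"
        [ "$verdict" = ok-default ] || rc=1
    done
    return $rc
}

# Constructed sample input (hypothetical containers, not from a real host).
sample_labels() {
    printf 'web\tdocker-default (enforce)\n'
    printf 'builder\tdocker-unconfined (complain)\n'
    printf 'legacy\tunconfined\n'
    printf 'db\tmy-db-profile (enforce)\n'
}

sample_labels | audit_labels || echo "review the non-default containers above"
```

A `host-unconfined` verdict corresponds to the pre-1.8 behaviour for privileged containers described above, where host path-based policies apply inside the container.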