Reputation: 31
I am playing with apparmor and docker on Ubuntu 16.04 and I can get it to run on a container... sometimes
Docker version 18.03.0-ce, build 0520e24
$ docker run -it ubuntu bash
Results in a docker container running ubuntu 16.04 as expected
$ sudo aa-status
shows that docker-default is active on a container
and running $ cat /proc/sysrq-trigger
inside the container via bash returns the predicted "permission denied" because it is blocked by the docker-default apparmor profile as per the following guide: https://cloud.google.com/container-optimized-os/docs/how-to/secure-apparmor#creating_a_custom_security_profile
Following that up with a
$ docker run -it --security-opt apparmor=unconfined ubuntu bash
returns expected results for $ sudo aa-status
and $ cat /proc/sysrq-trigger
returns
cat: /proc/sysrq-trigger: Input/output error
Everything is fine up to this point, but now if I run the container in detached mode, the apparmor profile stops working (ref: https://docs.docker.com/engine/security/apparmor/#resources-for-writing-profiles)
I am able to build the apparmor profile and see it running with aa-status, but when I exec into the container, nothing is blocked. It doesn't work for the nginx container, and I have tried with other containers. But it won't block anything if I run in a detached state $ docker run -d ubuntu tail -f /dev/null
regardless of how I apply --security-opt.
Can anyone explain how apparmor works with docker and why this is the case?
Thank you!
Upvotes: 1
Views: 2694
Reputation: 31
I found that apparmor works with docker 1.13.1 and there is a bug fix planned for the next release: docker 18.03.1
ref: https://github.com/moby/moby/pull/36466
Upvotes: 1