Securing Docker Containers with AppArmor and Seccomp

I've been working on hardening my Docker containers for a new project, and I keep seeing AppArmor and Seccomp mentioned as crucial security tools. Honestly, I'm a bit overwhelmed trying to figure out the best way to integrate them effectively. I'm looking for practical advice on how to actually implement these for real-world scenarios, not just theoretical explanations. Any tips or best practices for getting started would be super helpful!

1 Answer

✓ Best Answer
Securing Docker containers is crucial for protecting your applications and infrastructure. Two powerful tools for enhancing container security are AppArmor and Seccomp. Let's explore how to use them effectively.

πŸ›‘οΈ Understanding AppArmor

AppArmor (Application Armor) is a Linux kernel security module that allows you to restrict the capabilities of individual applications. It works by defining profiles that specify which system resources an application can access. For Docker containers, this means you can limit what a container can do, reducing the potential damage from a compromised container.

Creating an AppArmor Profile

First, you need to create an AppArmor profile for your container. Here's an example profile:

# /etc/apparmor.d/docker-nginx

profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
  #include 

  # AppArmor denies anything a profile does not allow, and an explicit
  # "deny" rule overrides any "allow" rule, so a blanket "deny /etc/** w,"
  # would also cancel the two exceptions below. Writes to /etc are therefore
  # left unlisted (denied by default) and only these two files are granted.
  /etc/nginx/nginx.conf w,
  /etc/ssl/openssl.cnf w,

  # allow read access to /var/www/html
  /var/www/html/** r,

  # allow network access
  network inet tcp,
  network inet udp,

  # deny ptrace
  deny ptrace,
}

This profile restricts the container to:
  • 🚫 Denying write access to most of /etc.
  • ✅ Allowing read access to /var/www/html.
  • 🌐 Allowing network access.
  • 🛑 Denying ptrace (process tracing).

Loading the AppArmor Profile

Load the profile using the following command:
sudo apparmor_parser -r /etc/apparmor.d/docker-nginx

Running a Container with AppArmor

When running your Docker container, specify the AppArmor profile:
docker run --security-opt "apparmor=docker-nginx" -d -p 80:80 nginx

🔒 Understanding Seccomp

Seccomp (secure computing mode) is another Linux kernel security feature that reduces the attack surface of a process by limiting the system calls it can make. Docker uses Seccomp profiles to restrict the syscalls a container can execute.

Using the Default Seccomp Profile

Docker has a default Seccomp profile that blocks many potentially dangerous syscalls. To use it, simply run your container without specifying any Seccomp options:
docker run -d -p 80:80 nginx
This automatically applies the default Seccomp profile.

Creating a Custom Seccomp Profile

For more granular control, you can create a custom Seccomp profile in JSON format. Here's an example:

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "read",
        "write",
        "openat",
        "close",
        "fstat",
        "lstat",
        "poll",
        "lseek",
        "mmap",
        "mprotect",
        "munmap",
        "brk",
        "rt_sigaction",
        "rt_sigprocmask",
        "rt_sigreturn",
        "ioctl",
        "pread64",
        "pwrite64",
        "readv",
        "writev",
        "access",
        "pipe",
        "dup",
        "dup2",
        "nanosleep",
        "exit",
        "exit_group",
        "getpid",
        "getppid",
        "time",
        "arch_prctl",
        "futex",
        "set_tid_address",
        "set_robust_list",
        "clock_gettime",
        "restart_syscall",
        "kill"
      ],
      "action": "SCMP_ACT_ALLOW",
      "args": []
    }
  ]
}

This profile defines the allowed syscalls. Any syscall not in this list will be blocked.

Running a Container with a Custom Seccomp Profile

To use your custom Seccomp profile, specify it when running the container:
docker run --security-opt "seccomp=profile.json" -d -p 80:80 nginx

💡 Best Practices

  • ✅ Least Privilege: Only grant the necessary permissions and syscalls.
  • 📝 Regularly Update: Keep your profiles updated with the latest security recommendations.
  • 🧪 Test Thoroughly: Ensure your profiles don't break the functionality of your applications.

By using AppArmor and Seccomp, you can significantly improve the security posture of your Docker containers, reducing the risk of exploitation and protecting your systems from potential threats. 🎉
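Added example, not part of the answer above: a small Python checker for the "test thoroughly" step. It reads a seccomp profile in the JSON layout shown above together with a strace-style capture of the workload and reports which observed syscalls the profile would refuse, so gaps show up before the container is started under the profile. The profile, the trace lines and the nginx-like workload are all constructed for the example; argument filters ("args") are ignored.

```python
import json
import re

# Constructed profile in the same layout as the custom profile above, deliberately short.
PROFILE_JSON = """{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [{"names": ["read", "write", "openat", "close", "mmap", "exit_group"],
                "action": "SCMP_ACT_ALLOW", "args": []}]
}"""

# Constructed strace-style lines standing in for a real `strace -f` capture of the workload.
STRACE_SAMPLE = """\
openat(AT_FDCWD, "/etc/nginx/nginx.conf", O_RDONLY) = 3
read(3, "user nginx;\\n", 4096) = 12
[pid  1234] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(80)}, 16) = 0
listen(4, 511) = 0
exit_group(0) = ?
"""

# Syscall name at the start of a trace line, with or without strace's "[pid N]" prefix.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z0-9_]+)\(")

def syscall_actions(profile_text):
    """Return (defaultAction, {syscall name: action}) from a Docker seccomp profile."""
    profile = json.loads(profile_text)
    actions = {}
    for rule in profile.get("syscalls", []):
        # Argument filters are ignored: a rule is taken to match unconditionally.
        for name in rule["names"]:
            actions.setdefault(name, rule["action"])  # first rule naming a syscall wins
    return profile["defaultAction"], actions

def observed_syscalls(trace_text):
    """Return the set of syscall names that appear in a strace-style capture."""
    names = set()
    for line in trace_text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names

def blocked_syscalls(profile_text, trace_text):
    """Sorted list of observed syscalls whose effective action is not SCMP_ACT_ALLOW."""
    default, actions = syscall_actions(profile_text)
    return sorted(n for n in observed_syscalls(trace_text)
                  if actions.get(n, default) != "SCMP_ACT_ALLOW")
```

Running `blocked_syscalls(PROFILE_JSON, STRACE_SAMPLE)` reports bind, listen and socket, which is exactly why a server would fail to start under the short allowlist; the same function works for a denylist-style profile whose defaultAction is SCMP_ACT_ALLOW.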
