Can I confine an executable inside a Docker container using a host apparmor profile?

I'm trying to containerize an application that currently uses apparmor to confine Python. This allows sandboxing of user-submitted code. How can I get docker and apparmor to play well together?

It's easy to use --security-opt apparmor=... to confine an entire Docker container, but that doesn't keep user code separate from trusted application code within the container. I can even target paths within the container's filesystem, but all of the executables in the container have the same confinement or lack thereof.

Is there a way to create an apparmor profile that says "/app/sandbox/python is only allowed to access /app/sandbox/data", with both of those paths relative to the container's filesystem?

is a duplicate

This question has been asked before and has already been answered. It should be marked as a duplicate.

Please enter the URL of the proposed duplicate in the details field below.

not constructive

This question cannot be answered in a way that is helpful to anyone. It's not possible to learn something from possible answers, except for the solution for the specific problem of the asker.

Communities

Can I confine an executable inside a Docker container using a host apparmor profile?

0 comment threads

0 answers