I'm trying to containerize an application that currently uses apparmor to confine Python. This allows sandboxing of user-submitted code. How can I get docker and apparmor to play well together?
Current non-containerized setup:
- Create a
- Create a Python virtualenv with its own copy of the
- Create and load an apparmor profile that only allows that python to access a couple of directories
- Run the user code as sandbox, using the confined
It's easy to use --security-opt apparmor=... to confine an entire Docker container, but that doesn't keep user code separate from trusted application code within the container. I can even target paths within the container's filesystem, but all of the executables in the container have the same confinement or lack thereof.
Is there a way to create an apparmor profile that says "/app/sandbox/python is only allowed to access /app/sandbox/data", with both of those paths relative to the container's filesystem?
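As an added illustration (not from the question or any project), here is the shape such a split could take: a container-level profile whose only special rule is an exec transition into a second, much tighter profile for the sandboxed interpreter. The profile names, the lib directory and the assumption that both profiles are loaded on the host with apparmor_parser and that file rules match paths as the confined process sees them inside the container are all mine.

```apparmor
#include <tunables/global>

# Container-wide profile (assumed name); selected with
#   docker run --security-opt apparmor=app-container ...
profile app-container flags=(attach_disconnected) {
  #include <abstractions/base>

  # Trusted application code keeps broad access (same spirit as docker-default)
  file,
  network,
  capability,

  # Executing the sandbox interpreter switches to the confined profile below.
  # px = transition to a named profile, with the environment scrubbed
  /app/sandbox/python px -> app-sandbox-python,
}

# Profile for the sandboxed interpreter only (assumed name). Anything not
# listed here is denied once the profile is in enforce mode, so no explicit
# deny rules are needed; a deny rule would also override any matching allow.
profile app-sandbox-python flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/python>

  /app/sandbox/python      mr,    # the interpreter itself
  /app/sandbox/lib/**      r,     # virtualenv site-packages (assumed path)
  /app/sandbox/data/       r,
  /app/sandbox/data/**     rw,    # the only writable location

  # No network and no capabilities for user-submitted code
  deny network,
  deny capability,

  # Log attempts to read the trusted application code (assumed path)
  audit deny /app/code/** rwx,
}
```

Loading both profiles on the host (apparmor_parser -r this-file) and checking `cat /proc/<pid>/attr/current` from inside the container after launching the sandboxed interpreter is the quickest way to confirm that the transition actually happened.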