Docker AppArmor Security Profiles - Nginx, PostgreSQL, and More
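# Docker AppArmor Security Profiles
# Custom restrictive profiles for common containers
#
# Both profiles are allow-lists: anything not granted below is denied.
# The explicit `deny` rules therefore add no restriction of their own; they
# make the intent visible and keep those denials out of the audit log.
# Validate any change in complain mode first (flags=(complain), or
# `aa-complain <profile-file>`), review the AppArmor audit log, then enforce.

# ========================================
# Nginx Container Profile (Highly Restrictive)
# ========================================
# /etc/apparmor.d/docker-nginx-restricted
#include <tunables/global>

profile docker-nginx-restricted flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  # read access to passwd/group/hosts/resolv.conf: nginx looks up its
  # worker user and resolves upstream names (no write access is granted)
  #include <abstractions/nameservice>

  # Network access (HTTP/HTTPS only)
  network inet stream,
  network inet6 stream,

  # Execution. The official image starts through an entrypoint script that
  # execs nginx; with no `x` rule the profile denies that exec and the
  # container never comes up. Paths follow the official image layout —
  # confirm against your image in complain mode and narrow the /bin rule
  # to the utilities the entrypoint actually needs.
  /docker-entrypoint.sh rix,
  /docker-entrypoint.d/ r,
  /docker-entrypoint.d/** rix,
  /usr/sbin/nginx rix,
  /{usr/,}bin/** rix,

  # Nginx configuration and logs
  /etc/nginx/** r,
  # NOTE(review): the official image symlinks the log files to /dev/stdout
  # and /dev/stderr; if logging is denied, add the rule the audit log asks for
  /var/log/nginx/** w,
  /var/cache/nginx/** rw,
  # /var/run is a symlink to /run on Debian-based images and AppArmor matches
  # the resolved path, so use the @{run} tunable rather than /var/run
  @{run}/nginx.pid rw,
  /usr/share/nginx/** r,

  # SSL certificates (read-only; key material must never be writable here)
  /etc/ssl/certs/** r,
  /etc/letsencrypt/** r,

  # Temporary files: read/write only, never exec
  /tmp/** rw,
  /var/tmp/** rw,

  # Deny critical system access
  deny /root/** rw,
  deny /home/** rw,
  deny /etc/shadow r,
  deny /etc/passwd w,
  deny /etc/sudoers r,
  deny /proc/sys/** w,
  deny /sys/** w,
  deny /boot/** rw,

  # Deny dangerous capabilities
  deny capability sys_admin,
  deny capability sys_module,
  deny capability sys_rawio,
  deny capability sys_ptrace,
  deny capability sys_boot,

  # Allow only necessary capabilities:
  #   setuid/setgid    - master process drops to the worker user
  #   net_bind_service - listen on 80/443 as a non-root worker
  #   dac_override     - bypasses file permission checks; keep only if the
  #                      audit log shows it is needed for your config/certs
  capability setuid,
  capability setgid,
  capability net_bind_service,
  capability dac_override,
}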
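# ========================================
# PostgreSQL Container Profile
# ========================================
# /etc/apparmor.d/docker-postgres-restricted
# Allow-list profile: anything not granted below is denied. Validate in
# complain mode (flags=(complain) or `aa-complain`) before enforcing.
#include <tunables/global>

profile docker-postgres-restricted flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  # read access to passwd/group for the postgres user lookup done by the
  # entrypoint (gosu) and initdb; no write access is granted
  #include <abstractions/nameservice>

  # Network access (PostgreSQL port)
  network inet stream,
  network inet6 stream,

  # Execution. The official image's entrypoint script execs gosu and then the
  # server binaries; with no `x` rule the profile denies those execs and the
  # container never starts. Paths follow the official image layout — confirm
  # in complain mode and narrow the /bin rule to what the entrypoint uses.
  /usr/local/bin/** rix,
  /usr/lib/postgresql/*/bin/* rix,
  /{usr/,}bin/** rix,
  # Server libraries, extensions and support files (timezone data, locale)
  /usr/lib/postgresql/*/lib/** mr,
  /usr/share/postgresql/** r,

  # PostgreSQL data and config
  /var/lib/postgresql/** rw,
  /etc/postgresql/** r,
  /var/log/postgresql/** w,
  # /var/run is a symlink to /run on Debian-based images and AppArmor matches
  # the resolved path; use @{run} so the socket/lock directory is reachable
  @{run}/postgresql/ rw,
  @{run}/postgresql/** rw,
  # NOTE(review): dynamic shared memory defaults to POSIX shm, i.e. files
  # under /dev/shm — confirm in the audit log and drop if unused
  owner /dev/shm/** rw,

  # Deny system access
  deny /proc/sys/** w,
  deny /sys/** w,
  deny /etc/shadow r,
  deny /etc/passwd w,

  # Capabilities
  deny capability sys_admin,
  deny capability sys_module,
  #   setuid/setgid  - gosu switches from root to the postgres user
  #   chown          - entrypoint fixes ownership of the data directory
  #   dac_override   - keep only if the audit log shows it is needed
  capability setuid,
  capability setgid,
  capability chown,
  capability dac_override,
}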
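# ========================================
# Deployment Commands
# ========================================
# Load profiles (-r replaces an already-loaded profile, -W writes the cache)
sudo apparmor_parser -r -W /etc/apparmor.d/docker-nginx-restricted
sudo apparmor_parser -r -W /etc/apparmor.d/docker-postgres-restricted

# First deployment: run the profile in complain mode, watch the audit log for
# denials the allow-list misses, then switch to enforce.
#   sudo aa-complain /etc/apparmor.d/docker-nginx-restricted
#   sudo aa-logprof            # or: journalctl -k | grep apparmor
#   sudo aa-enforce /etc/apparmor.d/docker-nginx-restricted

# Run containers with profiles.
# --cap-drop/--cap-add mirror each profile's capability allow-list so the
# kernel bounding set agrees with AppArmor (defense in depth: nothing the
# profile already permits is taken away). no-new-privileges blocks privilege
# gain on exec; neither image relies on setuid binaries.
# Pin images by digest instead of a floating tag: IMAGE:TAG@sha256:<digest>
docker run -d \
  --name nginx \
  --security-opt apparmor=docker-nginx-restricted \
  --security-opt no-new-privileges \
  --cap-drop ALL \
  --cap-add NET_BIND_SERVICE --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE \
  -p 80:80 \
  nginx:latest

# The database password comes from a file rather than -e: environment values
# show up in `docker inspect` and are readable by every process in the
# container. Mount the secret read-only (or use a Docker/Compose secret).
docker run -d \
  --name postgres \
  --security-opt apparmor=docker-postgres-restricted \
  --security-opt no-new-privileges \
  --cap-drop ALL \
  --cap-add CHOWN --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE \
  -e POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password \
  -v /path/to/postgres_password:/run/secrets/postgres_password:ro \
  -v pgdata:/var/lib/postgresql/data \
  postgres:16

# Verify the profile is loaded on the host and applied inside the container
# (an exec'd process inherits the container's profile, so `cat` reports it)
sudo aa-status | grep docker-
docker exec nginx cat /proc/self/attr/current
# Output: docker-nginx-restricted (enforce)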