[apparmor] How extensively does AppArmor lock down Docker containers?
Sam Ghods
sam at box.com
Sun Oct 23 23:26:01 UTC 2016
We are evaluating moving from CentOS/SELinux/Docker to
Ubuntu/AppArmor/Docker and had a question regarding AppArmor.
Docker's SELinux policy specifically uses Multi Category Security (MCS) to
enforce that each individual container on a system can only access the
files on the host labeled for that specific container (more details: article
<https://opensource.com/business/14/9/security-for-docker>, presentation
<https://www.youtube.com/watch?v=a9lE9Urr6AQ>). That is, if two Docker
containers A and B are spun up on a single host, the default SELinux
security policy that comes with Docker will actually enforce that in the
event of a breakout, the Linux process in container A will not be able to
access the files belonging to container B. Not only that, but the only way
files can be mounted into a container from the host is if the volumes are
suffixed with ":Z", thus telling Docker to make sure to add the relevant
MCS labels to the files on the host in that path so that the container can
access them.
On the contrary, I cannot find any references to a similar mechanism in
AppArmor. Instead, Docker's default AppArmor profile
<https://docs.docker.com/engine/security/apparmor/> seems to primarily be
about denying access to specific filesystem paths and host resources, not
about denying access between containers.
My question is, if we use Docker's default AppArmor profile, will we get
the same effective protection as using SELinux as described above? Will
AppArmor block access from one container to another container's files? If
yes, how does it accomplish it?
--
Sam
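The MCS behaviour the message describes can be modelled in a few lines. The following Python is an added illustration, not SELinux's real policy engine and not code from Docker, container-selinux, or this list: it parses SELinux contexts, reduces them to a type plus a category set, applies the MCS dominance rule (a process may touch a file only if the file's categories are a subset of the process's), and models what the ":Z" volume option does to a host path. The type names `svirt_lxc_net_t` and `svirt_sandbox_file_t` are the ones the referenced Docker-era policy used; the specific category numbers and the host file context are constructed sample values.

```python
"""Simplified model of SELinux MCS separation between Docker containers.

Constructed illustration only. Real SELinux evaluates full type-enforcement
rules and both ends of an MLS range; this keeps just the two checks that
decide the scenario in the message: the file's type and the category set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """An SELinux context reduced to the parts MCS separation depends on."""
    type_: str
    categories: frozenset[int]


# Type the referenced policy gave container processes.
CONTAINER_PROCESS_TYPE = "svirt_lxc_net_t"
# Type that ":Z" assigns to host files so containers may use them.
CONTAINER_FILE_TYPE = "svirt_sandbox_file_t"


def parse_label(ctx: str) -> Label:
    """Parse 'user:role:type:s0:c12,c34' into a Label.

    Ordinary host files carry no categories (e.g. 'system_u:object_r:etc_t:s0'),
    which parses to an empty category set.
    """
    parts = ctx.split(":")
    if len(parts) < 4:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    cats: frozenset[int] = frozenset()
    if len(parts) >= 5 and parts[4]:
        cats = frozenset(int(c.lstrip("c")) for c in parts[4].split(","))
    return Label(parts[2], cats)


def may_access(process: Label, file: Label) -> bool:
    """MCS decision used in the model.

    1. Only files of the container file type are reachable at all; this is
       what keeps a container that breaks out from reading arbitrary host files.
    2. The process's categories must dominate (be a superset of) the file's.
       Two containers get disjoint category pairs, so neither dominates the
       other's files.
    """
    if process.type_ != CONTAINER_PROCESS_TYPE:
        return False
    if file.type_ != CONTAINER_FILE_TYPE:
        return False
    return file.categories <= process.categories


def relabel_volume(container: Label, shared: bool = False) -> Label:
    """Model of the relabel Docker applies to a bind-mounted host path.

    ':Z' (shared=False) gives the path the container file type and exactly
    this container's categories. ':z' (shared=True) gives it the container
    file type with no categories, so every container can reach it.
    """
    cats = frozenset() if shared else container.categories
    return Label(CONTAINER_FILE_TYPE, cats)


def scenario() -> dict[str, bool]:
    """Two containers A and B on one host; A gets a ':Z' volume."""
    a = parse_label("system_u:system_r:svirt_lxc_net_t:s0:c12,c34")  # constructed
    b = parse_label("system_u:system_r:svirt_lxc_net_t:s0:c56,c78")  # constructed
    host_file = parse_label("system_u:object_r:etc_t:s0")            # constructed
    a_volume = relabel_volume(a)              # docker run -v /host/path:/data:Z
    shared_volume = relabel_volume(a, True)   # docker run -v /host/path:/data:z
    return {
        "a_reads_own_volume": may_access(a, a_volume),
        "b_reads_a_volume": may_access(b, a_volume),
        "a_reads_unlabeled_host_file": may_access(a, host_file),
        "b_reads_shared_volume": may_access(b, shared_volume),
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Run it and the output matches the message's description: A reads its own volume, B is denied A's volume, an unrelabeled host file is denied to both, and only the lowercase ":z" variant opens a path to every container. Whether an AppArmor profile reproduces the per-container category check is exactly the open question above; this model only shows what the SELinux side is enforcing.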