Public bug reported: docker supports loading custom apparmor profiles that can be different for each container [1] by using the option "--security-opt apparmor=<your_profile>".
However, this does not work with the docker snap because the docker snapd interface only allows sending signals to a profile named "docker-default" (the default profile for docker containers), so if the name of the profile is different, you cannot stop the container using the docker cli. You get denials when trying to send the kill signal to the container. Allowing the docker snap to handle custom apparmor profiles for the containers would allow further confinement of the payloads.

[1] https://docs.docker.com/engine/security/apparmor/

** Affects: docker (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: snapd (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: snapd (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1882894

Title:
  docker snap does not support custom apparmor profiles per container

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker/+bug/1882894/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
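As an added example (not part of the bug report, the docker snap or snapd), the following shell script reproduces the sequence the reporter describes and triages the result: it writes a custom container profile patterned on the docker-default template from the Docker AppArmor docs, loads it with apparmor_parser, starts a container under it with --security-opt apparmor=<profile>, tries docker kill, and extracts (signal, peer profile) pairs from AppArmor signal denials in kernel audit output. The profile name docker-custom, the container name, the dockerd profile label snap.docker.dockerd and the sample audit lines are all constructed for illustration and are assumptions, not values taken from the report. The denial extractor is general: it matches any AppArmor signal denial, not only those raised against dockerd.

```shell
#!/bin/sh
# Added example for triaging the scenario in the bug report above; it is not
# code from the report, the docker snap or snapd.  The profile name
# "docker-custom", the container name, the profile label "snap.docker.dockerd"
# and the sample audit lines are constructed for illustration.
set -e

PROFILE_NAME="docker-custom"

# Minimal container profile patterned on the docker-default template in the
# Docker AppArmor docs; for this bug only its name matters.
write_profile() {
    cat <<EOF
#include <tunables/global>

profile $PROFILE_NAME flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,
  umount,

  deny mount,
  deny /sys/firmware/** rwklx,
  deny /proc/sysrq-trigger rwklx,
}
EOF
}

# Load (or reload) the profile into the kernel.
load_profile() {
    tmp=$(mktemp)
    write_profile > "$tmp"
    sudo apparmor_parser -r -W "$tmp"
    rm -f "$tmp"
}

# Start a container under the custom profile and try to stop it: with the
# snap's docker-support interface this is where the denial shows up.
reproduce() {
    load_profile
    docker run -d --rm --name apparmor-test \
        --security-opt apparmor="$PROFILE_NAME" alpine sleep 300
    docker kill apparmor-test \
        || echo "docker kill failed; check denials with: dmesg | sh $0 --denials"
}

# Extract (signal, peer-profile) pairs from AppArmor signal denials on stdin.
# Output: one "signal peer" pair per line, e.g. "kill docker-custom".
signal_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="signal"' \
      | sed -n 's/.*signal=\([a-z0-9]*\).*peer="\([^"]*\)".*/\1 \2/p'
}

# Constructed audit lines in the kernel's AppArmor message format: two signal
# denials against the custom profile and one unrelated file denial inside it.
SAMPLE_LOG='audit: type=1400 audit(1591000000.000:100): apparmor="DENIED" operation="signal" profile="snap.docker.dockerd" pid=2345 comm="dockerd" requested_mask="send" denied_mask="send" signal=kill peer="docker-custom"
audit: type=1400 audit(1591000000.001:101): apparmor="DENIED" operation="open" profile="docker-custom" name="/proc/sysrq-trigger" pid=2400 comm="sh" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1591000000.002:102): apparmor="DENIED" operation="signal" profile="snap.docker.dockerd" pid=2345 comm="dockerd" requested_mask="send" denied_mask="send" signal=term peer="docker-custom"'

# Count how many signal denials in the sample log target the custom profile.
sample_denial_count() {
    printf '%s\n' "$SAMPLE_LOG" | signal_denials | grep -c " $PROFILE_NAME\$"
}

case "${1:-}" in
    --run)     reproduce ;;          # needs docker, sudo and apparmor_parser
    --denials) signal_denials ;;     # e.g.  dmesg | sh this.sh --denials
    *)         printf '%s\n' "$SAMPLE_LOG" | signal_denials ;;
esac
```

Run with no arguments to see the extractor applied to the constructed sample; `--run` performs the actual load/run/kill sequence on a host with docker, and `dmesg | sh this.sh --denials` (or the same pipe from `journalctl -k`) lists which signals were refused and against which container profile. A denial whose peer is the custom profile name while docker-default would have been allowed is exactly the symptom the report describes.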