Run Docker container with AppArmor profile

On systems hardened with AppArmor, Docker can enforce AppArmor profiles on containers.

By default, Docker generates a profile named docker-default, writes it to tmpfs and loads it into the kernel, then applies it to every container automatically.

However, this behavior can be overridden by specifying a custom profile (which must already be loaded in the kernel) with the --security-opt flag of the docker run command:

docker run --security-opt apparmor={{ profile }} {{ image }}

Profiles are applied to containers, not to the Docker Engine daemon.

Real example with a loaded profile named docker-nginx:
docker run --security-opt apparmor=docker-nginx -d nginx
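Because docker run fails when the named profile is not loaded, a small wrapper that checks the kernel's loaded-profile list first is useful in scripts. The following is an added example, not part of the original page or of Docker itself; the function names apparmor_profile_loaded and docker_run_confined, and the DOCKER and APPARMOR_PROFILES override variables, are assumptions made here for illustration. It reads /sys/kernel/security/apparmor/profiles (lines of the form "name (mode)", normally readable only as root) and only then invokes docker run with the --security-opt apparmor= flag from the page.

```shell
#!/bin/sh
# Added example: start a container only if the requested AppArmor profile
# is already loaded in the kernel. Helper names and override variables
# (DOCKER, APPARMOR_PROFILES) are assumptions made for this example.

# apparmor_profile_loaded PROFILE [PROFILES_FILE]
# Returns 0 if PROFILE appears in the kernel's loaded-profile list,
# 1 if it does not, 2 if the list cannot be read (AppArmor absent or no root).
apparmor_profile_loaded() {
    profile=$1
    list=${2:-${APPARMOR_PROFILES:-/sys/kernel/security/apparmor/profiles}}
    if [ ! -r "$list" ]; then
        echo "cannot read $list: is AppArmor enabled and are you root?" >&2
        return 2
    fi
    # Each line looks like "docker-default (enforce)"; compare the first field.
    awk -v p="$profile" '$1 == p { found = 1 } END { exit !found }' "$list"
}

# docker_run_confined PROFILE [docker run arguments...]
# Refuses to start the container if PROFILE is not loaded, otherwise runs
# docker with --security-opt apparmor=PROFILE prepended to the given arguments.
docker_run_confined() {
    profile=$1
    shift
    if ! apparmor_profile_loaded "$profile"; then
        echo "refusing to start: AppArmor profile '$profile' is not loaded" >&2
        return 1
    fi
    "${DOCKER:-docker}" run --security-opt "apparmor=$profile" "$@"
}

# Usage (mirrors the page's example):
#   docker_run_confined docker-nginx -d nginx
```

After the container is up, docker inspect --format '{{ .AppArmorProfile }}' CONTAINER prints the profile actually attached, which is the check to run when confirming that the custom profile, rather than docker-default, is in effect.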