Dev.to
6/17/2026
Stop Leaving Containers Exposed: Practical AppArmor Profiles for Podman and Docker on Linux
Short summary
AppArmor enforces mandatory access control at the application level, preventing compromised container processes from accessing the host even when running as root inside the container. The post walks through generating profiles with aa-genprof, testing in complain mode, debugging with aa-logprof, and enforcing in production. This provides practical, human-readable security controls that work with both Podman and Docker.
- •AppArmor provides Linux mandatory access control (MAC) for container host protection
- •aa-genprof and aa-logprof automate profile generation with audit logging
- •Combine with --cap-drop=ALL and seccomp profiles for defense-in-depth security
Generated with AI, which can make mistakes.
Is this a good recommendation for you?


