Back to feed
Dev.to
Dev.to
6/17/2026
Stop Leaving Containers Exposed: Practical AppArmor Profiles for Podman and Docker on Linux

Stop Leaving Containers Exposed: Practical AppArmor Profiles for Podman and Docker on Linux

Short summary

AppArmor enforces mandatory access control at the application level, preventing compromised container processes from accessing the host even when running as root inside the container. The post walks through generating profiles with aa-genprof, testing in complain mode, debugging with aa-logprof, and enforcing in production. This provides practical, human-readable security controls that work with both Podman and Docker.

  • AppArmor provides Linux mandatory access control (MAC) for container host protection
  • aa-genprof and aa-logprof automate profile generation with audit logging
  • Combine with --cap-drop=ALL and seccomp profiles for defense-in-depth security

Generated with AI, which can make mistakes.

Is this a good recommendation for you?

Explore more