by king_phil 2520 days ago
Funny thing about docker container security, bug that has not been fixed for ages: a custom AppArmor profile is only applied on the first container start, but for no later restart.

Yes, the container runs in the "unconfined" profile after a restart.

https://github.com/moby/moby/issues/38075


That’s disingenuous. In this issue, the maintainers clearly explain that running your container as privileged is supposed to disable all confinement by apparmor. The bug is that the custom apparmor profile is sometimes applied, when it should never be. This is not a security issue in any way since the container is already privileged.

But in a privileged container you could still take away capabilities and/or permissions with an apparmor profile. Sometimes that happens, sometimes it does not. And when it does not, you have no way of knowing.

> But in a privileged container you could still take away capabilities and/or permissions with an apparmor profile.

Right, what you want is “privileged except for XYZ”, which is not supported by Docker. That’s a missing feature which is not the same as a bug. Calling it a security bug is even more misleading.

> Sometimes that happens, sometimes it does not. And when it does not, you have no way of knowing.

Right, it should fail every time. That is a bug. But it’s not a security bug, and fixing that bug won’t give you the feature you want, it will just make it clearer that the feature is not supported.
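The thread's practical gap is the "no way of knowing" part: what `docker inspect` reports and what the kernel actually enforces can differ. Below is an added example (not code from the thread or from the moby project) that compares the profile requested via `--security-opt apparmor=NAME` against the label the kernel reports in `/proc/<pid>/attr/current` for the container's init process; the inspect JSON and `/proc` contents used here are constructed samples, and the field names are those of `docker inspect`.

```python
import json
from typing import Optional

# Constructed sample of `docker inspect <container>` output, trimmed to the
# fields this check reads. Not real output from the linked issue.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/web",
    "State": {"Pid": 4242, "Running": True},
    "HostConfig": {"Privileged": True,
                   "SecurityOpt": ["apparmor=docker-custom"]},
    "AppArmorProfile": "docker-custom",   # what Docker *claims* is applied
}])


def requested_profile(container: dict) -> Optional[str]:
    """Profile the user asked for with --security-opt apparmor=NAME, if any."""
    for opt in container.get("HostConfig", {}).get("SecurityOpt") or []:
        if opt.startswith("apparmor="):
            return opt.split("=", 1)[1]
    return None


def effective_profile(attr_current: str) -> str:
    """Parse the kernel's view, e.g. 'docker-custom (enforce)\\n' or 'unconfined\\n'.

    The label is the first token; the mode in parentheses is dropped.
    """
    return attr_current.strip().split(" ")[0]


def read_kernel_profile(pid: int) -> str:
    """Read the live label for a process (needs access to the host /proc)."""
    with open(f"/proc/{pid}/attr/current") as fh:
        return fh.read()


def check_container(inspect_json: str, attr_current: str) -> dict:
    """Return a finding; mismatch=True means the requested profile is not enforced."""
    c = json.loads(inspect_json)[0]
    wanted = requested_profile(c)
    actual = effective_profile(attr_current)
    return {
        "name": c["Name"],
        "pid": c["State"]["Pid"],
        "privileged": bool(c.get("HostConfig", {}).get("Privileged")),
        "requested": wanted,
        "reported_by_docker": c.get("AppArmorProfile"),
        "enforced_by_kernel": actual,
        "mismatch": wanted is not None and wanted != actual,
    }
```

For a running container, feed `read_kernel_profile(pid)` into `check_container` with the real `docker inspect` output; a `mismatch` on a privileged container is exactly the silent drop the thread describes.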