status-im / nimbus-eth2

Nim implementation of the Ethereum Beacon Chain
https://nimbus.guide

Supply docker AppArmor profile #1735

Open yorickdowne opened 3 years ago

yorickdowne commented 3 years ago

Please supply an AppArmor profile for Nimbus

You know your application best and what it requires from the OS. Being able to easily "lock it down" inside a container to those paths it needs would be a boon to security.

What is AppArmor?

See https://docs.docker.com/engine/security/apparmor/ . AppArmor security profiles define what can and cannot be done inside a container, specific to the application running within. The profile is loaded for the container by docker. AppArmor helps secure applications against threats.

For good

Containerization is more than a consistent build environment: Done right, it can be a security boon. Help me build secure-by-default containers by providing an AppArmor profile for your application.

Bonus credit

Do beacon, validator and slasher need different things from the OS? If so, custom AppArmor profiles for each one could even be a thing. But, start with one profile for all three.

stefantalpalaru commented 3 years ago

> The profile is loaded into the kernel that is inside the container by docker.

There is no kernel inside the container, which is why it's a container and not a full virtual machine - it runs on the host's kernel.

That said, if any AppArmor user wants to provide and maintain such a security profile, we'll happily accept it.

yorickdowne commented 3 years ago

I stand corrected :)
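
An added example, not part of this thread and not a profile written or tested by the Nimbus project, of the kind of per-application Docker AppArmor profile the issue asks for. The profile name, the binary path and the data directory are hypothetical placeholders; as noted in the thread, the profile is loaded into the host's kernel and then attached to the container.

```apparmor
# Constructed example. Every path and the profile name are placeholders,
# not values taken from Nimbus; replace them with what the client really uses.
#
# Load into the host kernel (containers share it), then attach per container:
#   sudo apparmor_parser -r -W ./docker-beacon-example
#   docker run --security-opt apparmor=docker-beacon-example <image>
#   docker inspect --format '{{.AppArmorProfile}}' <container>

#include <tunables/global>

profile docker-beacon-example flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Peer-to-peer and API traffic: TCP and UDP only, no raw or packet sockets.
  network inet tcp,
  network inet udp,
  network inet6 tcp,
  network inet6 udp,
  deny network raw,
  deny network packet,

  # Let "docker stop" / "docker kill" reach the process, and let processes
  # under this profile signal each other.
  signal (receive) peer=unconfined,
  signal (send,receive) peer=docker-beacon-example,

  # The client binary (hypothetical path): map, read, and execute it while
  # staying inside this profile (ix).
  /opt/example/bin/client mrix,

  # The data directory (hypothetical mount point): read, write, lock.
  owner /data/ r,
  owner /data/** rwk,

  # There is no blanket "file," rule and no capability rule, so any other
  # path and every capability is refused by default. The explicit denies
  # below also override any allow rule that is added later.
  deny /data/** x,
  deny mount,
  deny ptrace,
  deny @{PROC}/sys/** w,
  deny /sys/** w,
}
```

Running the container with the profile in complain mode first (`aa-complain`) and reading the resulting audit log entries shows which additional paths the application needs before the profile is switched to enforce mode.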