smack ( on host ) + apparmor ( on docker ) - possible ?

Casey Schaufler casey at
Thu Apr 25 15:52:00 UTC 2019

On 4/24/2019 9:37 PM, shrawan kumar wrote:
> Dear Casey ,
> For one of my embedded project ,?? the requirement is to run a set of 
> process under *Docker* and each process inside Docker needs to be 
> sandboxed using *AppArmour*. However, the host from where Docker is 
> launched is *Smack* enabled . We are using *smack* as default security 
> on host .
> Is the above combination possible ?

With the current upstream kernel, no. You can't run more
than one "major" security module at a time. As of 5.1 you
will have more flexibility, but still not enough for Smack
and AppArmor to coexist. Development is underway for the
next phase of module stacking, which will be proposed for
5.3 and can be found:


With this patch set you can run Smack and AppArmor together.
What I don't know is how you would configure AppArmor so that
you can sub-configure your containers. I've added John Johansen
to the thread. He is the AppArmor expert who has been working
on AppArmor namespaces.

To the best of my knowledge no one has done what you want,
but supporting your configuration is an explicit goal. We
would be more than happy to help you in your efforts.

> Thanks and Regards
> Shrawan

More information about the Linux-security-module-archive mailing list