path: root/pkg/apparmor/apparmor.go
author: Valentin Rothberg <rothberg@redhat.com> 2019-01-09 14:54:58 +0100
committer: Valentin Rothberg <rothberg@redhat.com> 2019-01-09 22:18:11 +0100
commit: edb285d17675061832aceaf72021b87aba149438 (patch)
tree: 332f020dfc754a2a2ecaa80bd2891392c81305f1 /pkg/apparmor/apparmor.go
parent: c37f73159609b203545ca6fe54c86b9deacfca21 (diff)
apparmor: apply default profile at container initialization
Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile version-independent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed.

The initial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data.

Fixes: #2107

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'pkg/apparmor/apparmor.go')

-rw-r--r-- pkg/apparmor/apparmor.go | 7
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkg/apparmor/apparmor.go b/pkg/apparmor/apparmor.go
index 8b9f99477..45c029c07 100644
--- a/pkg/apparmor/apparmor.go
+++ b/pkg/apparmor/apparmor.go
@@ -2,11 +2,16 @@ package apparmor
import (
"errors"
+ libpodVersion "github.com/containers/libpod/version"
)
var (
+ // DefaultLipodProfilePrefix is used for version-independent presence checks.
+ DefaultLipodProfilePrefix = "libpod-default" + "-"
// DefaultLibpodProfile is the name of default libpod AppArmor profile.
- DefaultLibpodProfile = "libpod-default"
+ DefaultLibpodProfile = DefaultLipodProfilePrefix + libpodVersion.Version
// ErrApparmorUnsupported indicates that AppArmor support is not supported.
ErrApparmorUnsupported = errors.New("AppArmor is not supported")
+ // ErrApparmorRootless indicates that AppArmor support is not supported in rootless mode.
+ ErrApparmorRootless = errors.New("AppArmor is not supported in rootless mode")
)
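Review bot: The new exported identifier `DefaultLipodProfilePrefix` (both the declaration and its use in `DefaultLibpodProfile`) misspells "Libpod" as "Lipod", which is inconsistent with the neighbouring `DefaultLibpodProfile` and, once exported, is awkward to rename later; suggest `DefaultLibpodProfilePrefix` before this lands. On the same line, `"libpod-default" + "-"` can simply be the literal `"libpod-default-"`, which also makes it obvious at a glance that the prefix ends in the dash the commit message says is checked for. Since `DefaultLibpodProfile` now carries the `libpodVersion.Version` suffix, its doc comment should say so (e.g. "... profile name, suffixed with the libpod version"), because callers that previously compared against the bare `"libpod-default"` string will no longer match and must use the prefix check instead.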