From 8569ed03056ce39e0dc163747089ed4b60b1b9b1 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg
Date: Sun, 22 Jul 2018 17:45:36 +0200
Subject: AppArmor: runtime check if it's enabled on the host
Check at runtime if AppArmor is enabled on the host.
Signed-off-by: Valentin Rothberg
Closes: #1128
Approved by: mheon
---
 cmd/podman/create.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'cmd')
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 6a70e3f43..f147081d4 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -196,7 +196,7 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
 }
 }
 
- if config.ApparmorProfile == "" {
+ if config.ApparmorProfile == "" && apparmor.IsEnabled() {
 // Unless specified otherwise, make sure that the default AppArmor
 // profile is installed. To avoid redundantly loading the profile
 // on each invocation, check if it's loaded before installing it.
@@ -231,7 +231,11 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
 logrus.Infof("Sucessfully loaded AppAmor profile '%s'", profile)
 config.ApparmorProfile = profile
 }
- } else {
+ } else if config.ApparmorProfile != "" {
+ if !apparmor.IsEnabled() {
+ return fmt.Errorf("profile specified but AppArmor is disabled on the host")
+ }
+
 isLoaded, err := apparmor.IsLoaded(config.ApparmorProfile)
 if err != nil {
 switch err {
--
cgit v1.2.3-54-g00ecf
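Review bot: In the `@@ -196,7 +196,7 @@` hunk, the added `&& apparmor.IsEnabled()` makes the no-profile case fall through silently when AppArmor is disabled, so the container is created without that confinement and nothing records it. Because the second hunk narrows the `else` to `else if config.ApparmorProfile != ""`, neither branch runs in that situation. A trailing `else { logrus.Debug("AppArmor is disabled on the host; no profile will be applied") }` would give operators a trace of the fail-open path. parseSecurityOpt starts before and continues past this hunk, so any handling elsewhere in the function is not visible here.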
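Review bot: The new `!apparmor.IsEnabled()` guard in the `@@ -231,7 +231,11 @@` hunk rejects every non-empty profile value, which would presumably include an explicit opt-out such as `unconfined` if parseSecurityOpt accepts one (the option parsing is outside the hunk). If it does, a command line that asks for no confinement would fail on hosts without AppArmor; consider exempting that value before returning the error. The message also omits the profile name; `return fmt.Errorf("AppArmor profile %q specified but AppArmor is disabled on the host", config.ApparmorProfile)` would make the failure easier to trace to the offending option. The body of this branch continues past the end of the hunk.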