Package: apparmor / 2.13.4-3

debian/Make-the-systemd-unit-a-no-op-in-containers-with-no-inter.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
From: intrigeri <intrigeri@boum.org>
Date: Tue, 30 Oct 2018 16:46:52 +0000
Subject: Make the systemd unit a no-op in containers with no internal policy.

---
 parser/apparmor.systemd | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/parser/apparmor.systemd b/parser/apparmor.systemd
index aa81ca8..09d5792 100644
--- a/parser/apparmor.systemd
+++ b/parser/apparmor.systemd
@@ -71,6 +71,13 @@ fi
 
 case "$1" in
 	start)
+		if [ -x /usr/bin/systemd-detect-virt ] && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			aa_log_daemon_msg "Not starting AppArmor in container"
+			aa_log_end_msg 0
+			exit 0
+		fi
 		apparmor_start
 		rc=$?
 		;;
@@ -79,6 +86,13 @@ case "$1" in
 		rc=$?
 		;;
 	restart|reload|force-reload)
+		if [ -x /usr/bin/systemd-detect-virt ] && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			aa_log_daemon_msg "Not starting AppArmor in container"
+			aa_log_end_msg 0
+			exit 0
+		fi
 		apparmor_restart
 		rc=$?
 		;;