Fix apparmor test not running

apostasie · apostasie · commit 2ecc39445615 · 2025-02-02T13:42:15.000-08:00
Signed-off-by: apostasie &lt;spam_blackhole@farcloser.world&gt;
diff --git a/Dockerfile.d/test-integration-rootless.sh b/Dockerfile.d/test-integration-rootless.sh
@@ -16,6 +16,10 @@
 
 set -eux -o pipefail
 if [[ "$(id -u)" = "0" ]]; then
+  # Ensure securityfs is mounted for apparmor to work
+  if ! mountpoint -q /sys/kernel/security; then
+    mount -tsecurityfs securityfs /sys/kernel/security
+  fi
 	if [ -e /sys/kernel/security/apparmor/profiles ]; then
 		# Load the "nerdctl-default" profile for TestRunApparmor
 		nerdctl apparmor load
diff --git a/hack/test-integration.sh b/hack/test-integration.sh
@@ -19,6 +19,13 @@ set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)"
 readonly root
 
+if [[ "$(id -u)" = "0" ]]; then
+  # Ensure securityfs is mounted for apparmor to work
+  if ! mountpoint -q /sys/kernel/security; then
+    mount -tsecurityfs securityfs /sys/kernel/security
+  fi
+fi
+
 readonly timeout="60m"
 readonly retries="2"
 readonly needsudo="${WITH_SUDO:-}"
diff --git a/pkg/apparmorutil/apparmorutil_linux.go b/pkg/apparmorutil/apparmorutil_linux.go
@@ -25,10 +25,26 @@ import (
 
 	"github.com/moby/sys/userns"
 
-	"github.com/containerd/containerd/v2/pkg/apparmor"
 	"github.com/containerd/log"
 )
 
+var (
+	appArmorSupported bool
+	checkAppArmor     sync.Once
+)
+
+// hostSupports returns true if apparmor is enabled for the host
+func hostSupports() bool {
+	checkAppArmor.Do(func() {
+		// see https://github.com/opencontainers/runc/blob/0d49470392206f40eaab3b2190a57fe7bb3df458/libcontainer/apparmor/apparmor_linux.go
+		if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil {
+			buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled")
+			appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
+		}
+	})
+	return appArmorSupported
+}
+
 // CanLoadNewProfile returns whether the current process can load a new AppArmor profile.
 //
 // CanLoadNewProfile needs root.
@@ -37,7 +53,7 @@ import (
 //
 // Related: https://gitlab.com/apparmor/apparmor/-/blob/v3.0.3/libraries/libapparmor/src/kernel.c#L311
 func CanLoadNewProfile() bool {
-	return !userns.RunningInUserNS() && os.Geteuid() == 0 && apparmor.HostSupports()
+	return !userns.RunningInUserNS() && os.Geteuid() == 0 && hostSupports()
 }
 
 var (
