Merge pull request #27420 from givensuman/T-27095-add-apparmor-quadlet-key

openshift-merge-bot[bot] · web-flow · commit 4609271590dd · 2025-11-06T11:23:35.000Z
Add AppArmor key to quadlet containers
diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
@@ -305,6 +305,7 @@ Valid options for `[Container]` are listed below:
 | AddDevice=/dev/foo                   | --device /dev/foo                                    |
 | AddHost=example\.com:192.168.10.11   | --add-host example.com:192.168.10.11                 |
 | Annotation="XYZ"                     | --annotation "XYZ"                                   |
+| AppArmor="alternate-profile"         | --security-opt apparmor=alternate-profile            |
 | AutoUpdate=registry                  | --label "io.containers.autoupdate=registry"          |
 | CgroupsMode=no-conmon                | --cgroups=no-conmon                                  |
 | ContainerName=name                   | --name name                                          |
@@ -428,6 +429,10 @@ similar to `Environment`.
 
 This key can be listed multiple times.
 
+### `AppArmor=`
+
+Sets the apparmor confinement profile for the container. A value of `unconfined` turns off apparmor confinement.
+
 ### `AutoUpdate=`
 
 Indicates whether the container will be auto-updated ([podman-auto-update(1)](podman-auto-update.1.md)). The following values are supported:
diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
@@ -62,6 +62,7 @@ const (
 	KeyAddHost               = "AddHost"
 	KeyAllTags               = "AllTags"
 	KeyAnnotation            = "Annotation"
+	KeyAppArmor              = "AppArmor"
 	KeyArch                  = "Arch"
 	KeyArtifact              = "Artifact"
 	KeyAuthFile              = "AuthFile"
@@ -248,6 +249,7 @@ var (
 				KeyAddDevice:             true,
 				KeyAddHost:               true,
 				KeyAnnotation:            true,
+				KeyAppArmor:              true,
 				KeyAutoUpdate:            true,
 				KeyCgroupsMode:           true,
 				KeyContainerName:         true,
@@ -775,6 +777,11 @@ func ConvertContainer(container *parser.UnitFile, unitsInfoMap map[string]*UnitI
 		podman.add("--security-opt", fmt.Sprintf("label=level:%s", securityLabelLevel))
 	}
 
+	apparmor, hasApparmor := container.Lookup(ContainerGroup, KeyAppArmor)
+	if hasApparmor && len(apparmor) > 0 {
+		podman.add("--security-opt", fmt.Sprintf("apparmor=%s", apparmor))
+	}
+
 	devices := container.LookupAllStrv(ContainerGroup, KeyAddDevice)
 	for _, device := range devices {
 		if device[0] == '-' {
diff --git a/test/e2e/quadlet/apparmor.container b/test/e2e/quadlet/apparmor.container
@@ -0,0 +1,6 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args "--security-opt" "apparmor=someprofilename"
+
+[Container]
+Image=localhost/imagename
+AppArmor=someprofilename
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
@@ -896,6 +896,7 @@ BOGUS=foo
 		runSuccessQuadletTestCase,
 		Entry("Basic container", "basic.container"),
 		Entry("annotation.container", "annotation.container"),
+		Entry("apparmor.container", "apparmor.container"),
 		Entry("autoupdate.container", "autoupdate.container"),
 		Entry("basepodman.container", "basepodman.container"),
 		Entry("capabilities.container", "capabilities.container"),
