Merge pull request moby#5373 from jarqvi/chore/apparmor

Return error when AppArmor is unsupported and profile specified

Author: tonistiigi

executor/oci/spec_linux.go

@@ -11,6 +11,7 @@ import (
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/oci"
+	"github.com/containerd/containerd/pkg/apparmor"
 	cdseccomp "github.com/containerd/containerd/pkg/seccomp"
 	"github.com/containerd/continuity/fs"
 	"github.com/docker/docker/pkg/idtools"
@@ -72,6 +73,11 @@ func generateSecurityOpts(mode pb.SecurityMode, apparmorProfile string, selinuxB
 			opts = append(opts, withDefaultProfile())
 		}
 		if apparmorProfile != "" {
+			// If AppArmor is not supported but a profile was specified, return an error
+			if !apparmor.HostSupports() {
+				return nil, errors.New("AppArmor is not supported on this host, but the profile '" + apparmorProfile + "' was specified")
+			}
+
 			opts = append(opts, oci.WithApparmorProfile(apparmorProfile))
 		}
 		opts = append(opts, func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {

vendor/github.com/containerd/containerd/pkg/apparmor/apparmor.go

@@ -286,6 +286,7 @@ github.com/containerd/containerd/metadata/boltutil
 github.com/containerd/containerd/mount
 github.com/containerd/containerd/namespaces
 github.com/containerd/containerd/oci
+github.com/containerd/containerd/pkg/apparmor
 github.com/containerd/containerd/pkg/cap
 github.com/containerd/containerd/pkg/cleanup
 github.com/containerd/containerd/pkg/deprecation