lxc: Only enable apparmor if the profile is currently loaded

author Alessandro Astone <ales.astone@gmail.com>

Fri, 18 Nov 2022 16:32:14 +0000 (17:32 +0100)

committer Alessandro Astone <ales.astone@gmail.com>

Fri, 18 Nov 2022 16:33:13 +0000 (17:33 +0100)
author Alessandro Astone <ales.astone@gmail.com>
Fri, 18 Nov 2022 16:32:14 +0000 (17:32 +0100)
committer Alessandro Astone <ales.astone@gmail.com>
Fri, 18 Nov 2022 16:33:13 +0000 (17:33 +0100)
diff --git a/tools/helpers/lxc.py b/tools/helpers/lxc.py

index e1a81e04ddb0396c41c75b002a8e9c5df58940f3..fdea1fdf601f0eaf16c7b0c62fe8e4568ffd77e3 100644 (file)
--- a/tools/helpers/lxc.py
+++ b/tools/helpers/lxc.py
@@ -134,7 +134,11 @@ def get_apparmor_status(args):
          enabled = (tools.helpers.run.user(args, ["aa-status", "--quiet"], check=False) == 0)
      if not enabled and shutil.which("systemctl"):
          enabled = (tools.helpers.run.user(args, ["systemctl", "is-active", "-q", "apparmor"], check=False) == 0)
-    enabled &= os.path.exists(os.path.join("/etc/apparmor.d/lxc", LXC_APPARMOR_PROFILE))
+    try:
+        with open("/sys/kernel/security/apparmor/profiles", "r") as f:
+            enabled &= (LXC_APPARMOR_PROFILE in f.read())
+    except:
+        enabled = False
      return enabled
  
  def set_lxc_config(args):
author	Alessandro Astone <ales.astone@gmail.com>
	Fri, 18 Nov 2022 16:32:14 +0000 (17:32 +0100)
committer	Alessandro Astone <ales.astone@gmail.com>
	Fri, 18 Nov 2022 16:33:13 +0000 (17:33 +0100)