Revert #1572

pkg/apparmor/apparmor.go

@@ -2,22 +2,21 @@ package apparmor
 
 import (
 	"errors"
+
+	"github.com/containers/common/version"
 )
 
 const (
 	// ProfilePrefix is used for version-independent presence checks.
 	ProfilePrefix = "containers-default-"
 
-	// Default AppArmor profile used by containers; by default this is set to unconfined.
-	// To override this, distros should supply their own profile and specify it in a default
-	// containers.conf.
-	// See the following issues for more information:
-	// - https://github.com/containers/common/issues/958
-	// - https://github.com/containers/podman/issues/15874
-	Profile = "unconfined"
+	// Profile default name
+	Profile = ProfilePrefix + version.Version
 )
 
 var (
 	// ErrApparmorUnsupported indicates that AppArmor support is not supported.
 	ErrApparmorUnsupported = errors.New("AppArmor is not supported")
+	// ErrApparmorRootless indicates that AppArmor support is not supported in rootless mode.
+	ErrApparmorRootless = errors.New("AppArmor is not supported in rootless mode")
 )

pkg/apparmor/apparmor_linux.go

@@ -17,6 +17,7 @@ import (
 	"text/template"
 
 	"github.com/containers/common/pkg/apparmor/internal/supported"
+	"github.com/containers/storage/pkg/unshare"
 	runcaa "github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/sirupsen/logrus"
 )
@@ -82,6 +83,10 @@ func macroExists(m string) bool {
 // InstallDefault generates a default profile and loads it into the kernel
 // using 'apparmor_parser'.
 func InstallDefault(name string) error {
+	if unshare.IsRootless() {
+		return ErrApparmorRootless
+	}
+
 	p := profileData{
 		Name: name,
 	}
@@ -142,9 +147,12 @@ func DefaultContent(name string) ([]byte, error) {
 }
 
 // IsLoaded checks if a profile with the given name has been loaded into the
-// kernel. This function checks for the existence of a profile by reading
-// /sys/kernel/security/apparmor/profiles, and hence requires root permissions.
+// kernel.
 func IsLoaded(name string) (bool, error) {
+	if name != "" && unshare.IsRootless() {
+		return false, fmt.Errorf("cannot load AppArmor profile %q: %w", name, ErrApparmorRootless)
+	}
+
 	file, err := os.Open("/sys/kernel/security/apparmor/profiles")
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
@@ -239,13 +247,24 @@ func parseAAParserVersion(output string) (int, error) {
 // CheckProfileAndLoadDefault checks if the specified profile is loaded and
 // loads the DefaultLibpodProfile if the specified on is prefixed by
 // DefaultLipodProfilePrefix.  This allows to always load and apply the latest
-// default AppArmor profile. If it's a default profile, return
-// DefaultLipodProfilePrefix, otherwise the specified one.
+// default AppArmor profile.  Note that AppArmor requires root.  If it's a
+// default profile, return DefaultLipodProfilePrefix, otherwise the specified
+// one.
 func CheckProfileAndLoadDefault(name string) (string, error) {
 	if name == "unconfined" {
 		return name, nil
 	}
 
+	// AppArmor is not supported in rootless mode as it requires root
+	// privileges.  Return an error in case a specific profile is specified.
+	if unshare.IsRootless() {
+		if name != "" {
+			return "", fmt.Errorf("cannot load AppArmor profile %q: %w", name, ErrApparmorRootless)
+		}
+		logrus.Debug("Skipping loading default AppArmor profile (rootless mode)")
+		return "", nil
+	}
+
 	// Check if AppArmor is disabled and error out if a profile is to be set.
 	if !runcaa.IsEnabled() {
 		if name == "" {
@@ -259,6 +278,13 @@ func CheckProfileAndLoadDefault(name string) (string, error) {
 	} else if !strings.HasPrefix(name, ProfilePrefix) {
 		// If the specified name is not a default one, ignore it and return the
 		// name.
+		isLoaded, err := IsLoaded(name)
+		if err != nil {
+			return "", fmt.Errorf("verify if profile %s is loaded: %w", name, err)
+		}
+		if !isLoaded {
+			return "", fmt.Errorf("AppArmor profile %q specified but not loaded", name)
+		}
 		return name, nil
 	}
 

pkg/apparmor/internal/supported/supported.go

@@ -41,6 +41,9 @@ func NewAppArmorVerifier() *ApparmorVerifier {
 // - AppArmor is disabled by the host system
 // - the `apparmor_parser` binary is not discoverable
 func (a *ApparmorVerifier) IsSupported() error {
+	if a.impl.UnshareIsRootless() {
+		return errors.New("AppAmor is not supported on rootless containers")
+	}
 	if !a.impl.RuncIsEnabled() {
 		return errors.New("AppArmor not supported by the host system")
 	}