pkg/apparmor: fix when AA is disabled

Do not try to load the default profile when AppArmor is disabled on the host. Fixes: containers#3331 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
vrothberg · Jun 14, 2019 · 63ee15d · 63ee15d
1 parent 1322b41
commit 63ee15d
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/pkg/apparmor/apparmor_linux.go b/pkg/apparmor/apparmor_linux.go
@@ -225,10 +225,16 @@ func CheckProfileAndLoadDefault(name string) (string, error) {
 		}
 	}
 
-	if name != "" && !runcaa.IsEnabled() {
-		return "", fmt.Errorf("profile %q specified but AppArmor is disabled on the host", name)
+	// Check if AppArmor is disabled and error out if a profile is to be set.
+	if !runcaa.IsEnabled() {
+		if name == "" {
+			return "", nil
+		} else {
+			return "", fmt.Errorf("profile %q specified but AppArmor is disabled on the host", name)
+		}
 	}
 
+
 	// If the specified name is not empty or is not a default libpod one,
 	// ignore it and return the name.
 	if name != "" && !strings.HasPrefix(name, DefaultLipodProfilePrefix) {