Previously, Podman would print an error if you tried to run a container
with an AppArmor profile as a non-root user, e.g.
$ podman run --security-opt apparmor=my-profile ...
Error: Apparmor profile "my-profile" specified, but Apparmor is not
enabled on this system
In fact, the only thing that Podman needs root privileges for is reading
/sys/kernel/security/apparmor/profiles to see if the profile is already
loaded, which isn't strictly necessary.
This commit removes the 'IsLoaded()' check that occurs when you try to
specify an AppArmor profile as a non-root user, as well as the other
checks in pkg/apparmor/ for whether the program is running as UID 0. The
check for whether the AppArmor profile is loaded should now be deferred
to the container runtime at the point where it writes to either
/proc/self/attr/exec or /proc/self/attr/apparmor/exec, since the write
should fail if the profile is not loaded.
Closes#958.
Signed-off-by: kernelmethod <17100608+kernelmethod@users.noreply.github.com>
6994271ca4