apparmor: move dlopen() into mac_apparmor_use() check (#39826 )

This mirrors what we do for mac_selinux_use(), which also loads libselinux.
virt: debug log when inode_same() fails
2026-03-30 11:44:49 +02:00 · 2025-11-20 20:10:44 +01:00 · 2025-11-20 20:02:06 +01:00 · 2025-11-20 18:46:14 +01:00 · 2025-11-20 14:21:56 +01:00 · 2025-11-20 14:19:56 +01:00
8 changed files with 28 additions and 26 deletions
--- a/mkosi/mkosi.tools.conf/mkosi.conf.d/debian-ubuntu.conf
+++ b/mkosi/mkosi.tools.conf/mkosi.conf.d/debian-ubuntu.conf
@ -12,7 +12,6 @@ PrepareScripts=%D/mkosi/mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.prep
 Packages=
        clang-tools
        gh
        iwyu
        lcov
        mypy
        shellcheck
--- a/mkosi/mkosi.tools.conf/mkosi.conf.d/fedora.conf
+++ b/mkosi/mkosi.tools.conf/mkosi.conf.d/fedora.conf
@ -5,7 +5,6 @@ Distribution=fedora
 [Content]
 Packages=
        iwyu
        lcov
        gh
        ruff
--- a/mkosi/mkosi.tools.conf/mkosi.conf.d/opensuse.conf
+++ b/mkosi/mkosi.tools.conf/mkosi.conf.d/opensuse.conf
@ -11,7 +11,6 @@ PrepareScripts=%D/mkosi/mkosi.images/build/mkosi.conf.d/opensuse/mkosi.prepare
 Packages=
        clang-tools
        gh
        include-what-you-use
        lcov
        mypy
        python3-ruff
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@ -830,7 +830,7 @@ int running_in_chroot(void) {
                        return -ENOSYS;
        }
        if (r < 0)
-                return r;
+                return log_debug_errno(r, "Failed to check if /proc/1/root and / are the same inode: %m");
        return r == 0;
 }
--- a/src/core/apparmor-setup.c
+++ b/src/core/apparmor-setup.c
@ -20,16 +20,10 @@ int mac_apparmor_setup(void) {
        int r;
        if (!mac_apparmor_use()) {
-                log_debug("Skipping AppArmor initialization: not supported by the kernel or disabled.");
+                log_debug("Skipping AppArmor initialization: not supported by the kernel, is disabled or libapparmor is not installed.");
                return 0;
        }
        r = dlopen_libapparmor();
        if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
                return 0;
        if (r < 0)
                return log_error_errno(r, "Failed to load libapparmor: %m");
        /* To honor LSM stacking, check per-LSM subdirectory first, and then the generic one as fallback. */
        FOREACH_STRING(current_file, "/proc/self/attr/apparmor/current", "/proc/self/attr/current") {
                r = read_one_line_file(current_file, &current_profile);
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@ -5751,12 +5751,7 @@ int exec_invoke(
                use_smack = mac_smack_use();
 #endif
 #if HAVE_APPARMOR
-                if (mac_apparmor_use()) {
+                use_apparmor = mac_apparmor_use();
                        r = dlopen_libapparmor();
                        if (r < 0 && !ERRNO_IS_NEG_NOT_SUPPORTED(r))
                                log_warning_errno(r, "Failed to load libapparmor, ignoring: %m");
                        use_apparmor = r >= 0;
                }
 #endif
        }
--- a/src/shared/apparmor-util.c
+++ b/src/shared/apparmor-util.c
@ -5,6 +5,7 @@
 #include "alloc-util.h"
 #include "apparmor-util.h"
 #include "fileio.h"
 #include "log.h"
 #include "parse-util.h"
 #if HAVE_APPARMOR
@ -38,18 +39,31 @@ int dlopen_libapparmor(void) {
                        DLSYM_ARG(aa_policy_cache_replace_all),
                        DLSYM_ARG(aa_policy_cache_unref));
 }
 #endif
 bool mac_apparmor_use(void) {
        static int cached_use = -1;
        int r;
-        if (cached_use < 0) {
+        if (cached_use >= 0)
-                _cleanup_free_ char *p = NULL;
+                return cached_use;
-                cached_use =
+        _cleanup_free_ char *p = NULL;
-                        read_one_line_file("/sys/module/apparmor/parameters/enabled", &p) >= 0 &&
+        r = read_one_line_file("/sys/module/apparmor/parameters/enabled", &p);
-                        parse_boolean(p) > 0;
+        if (r < 0) {
                if (r != -ENOENT)
                        log_debug_errno(r, "Failed to read /sys/module/apparmor/parameters/enabled, assuming AppArmor is not available: %m");
                return (cached_use = false);
        }
-        return cached_use;
+        r = parse_boolean(p);
        if (r < 0)
                log_debug_errno(r, "Failed to parse /sys/module/apparmor/parameters/enabled, assuming AppArmor is not available: %m");
        if (r <= 0)
                return (cached_use = false);
        if (dlopen_libapparmor() < 0)
                return (cached_use = false);
        return (cached_use = true);
 }
 #endif
--- a/src/shared/apparmor-util.h
+++ b/src/shared/apparmor-util.h
@ -21,10 +21,12 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_RENAME(aa_features*, sym_aa_features_unref, aa_
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_RENAME(aa_policy_cache*, sym_aa_policy_cache_unref, aa_policy_cache_unrefp, NULL);
 int dlopen_libapparmor(void);
 bool mac_apparmor_use(void);
 #else
 static inline int dlopen_libapparmor(void) {
        return -EOPNOTSUPP;
 }
 static inline bool mac_apparmor_use(void) {
        return false;
 }
 #endif
 bool mac_apparmor_use(void);
Author	SHA1	Message	Date
Zbigniew Jędrzejewski-Szmek	f295cfa1a7	apparmor: move dlopen() into mac_apparmor_use() check (#39826 ) This mirrors what we do for mac_selinux_use(), which also loads libselinux.	2025-11-20 20:10:44 +01:00
Luca Boccassi	4902a7f18d	virt: debug log when inode_same() fails If this fails with an error there's no log messages and tests typically don't log it either as they just check, so add a message to aid in debugging	2025-11-20 20:02:06 +01:00
Daan De Meyer	6629107404	mkosi: Drop IWYU We use clang-tidy's include checker, so let's stop installing IWYU.	2025-11-20 18:46:14 +01:00
Lennart Poettering	b5dbe7179b	apparmor-util: shortcut mac_apparmor_use() if compile-time disabled	2025-11-20 14:21:56 +01:00
Lennart Poettering	c3b3eea2e5	apparmor: move dlopen() into mac_apparmor_use() check This mirrors what we do for mac_selinux_use(), which also loads libselinux.	2025-11-20 14:19:56 +01:00