Skip to content

Commit 7fc7846

Browse files
fieshfiesh
authored
fix: Only update AppArmor profile if not chroot'ed (#8843)
1 parent e0c1a19 commit 7fc7846

File tree

3 files changed

+13
-2
lines changed

3 files changed

+13
-2
lines changed

.changeset/kind-items-clean.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
---
2+
"app-builder-lib": patch
3+
---
4+
5+
fix: Only update AppArmor profile if not chroot'ed

packages/app-builder-lib/templates/linux/after-install.tpl

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,10 @@ if test -d "/etc/apparmor.d"; then
4242
if apparmor_parser --skip-kernel-load --debug "$APPARMOR_PROFILE_SOURCE" > /dev/null 2>&1; then
4343
cp -f "$APPARMOR_PROFILE_SOURCE" "$APPARMOR_PROFILE_TARGET"
4444

45-
if hash apparmor_parser 2>/dev/null; then
45+
# Updating the current AppArmor profile is not possible and probably not meaningful in a chroot'ed environment.
46+
# Use cases are for example environments where images for clients are maintained.
47+
# There, AppArmor might correctly be installed, but live updating makes no sense.
48+
if ! { [ -x '/usr/bin/ischroot' ] && /usr/bin/ischroot; } && hash apparmor_parser 2>/dev/null; then
4649
# Extra flags taken from dh_apparmor:
4750
# > By using '-W -T' we ensure that any abstraction updates are also pulled in.
4851
# https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport

test/snapshots/linux/debTest.js.snap

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -568,7 +568,10 @@ if test -d "/etc/apparmor.d"; then
568568
if apparmor_parser --skip-kernel-load --debug "$APPARMOR_PROFILE_SOURCE" > /dev/null 2>&1; then
569569
cp -f "$APPARMOR_PROFILE_SOURCE" "$APPARMOR_PROFILE_TARGET"
570570
571-
if hash apparmor_parser 2>/dev/null; then
571+
# Updating the current AppArmor profile is not possible and probably not meaningful in a chroot'ed environment.
572+
# Use cases are for example environments where images for clients are maintained.
573+
# There, AppArmor might correctly be installed, but live updating makes no sense.
574+
if ! { [ -x '/usr/bin/ischroot' ] && /usr/bin/ischroot; } && hash apparmor_parser 2>/dev/null; then
572575
# Extra flags taken from dh_apparmor:
573576
# > By using '-W -T' we ensure that any abstraction updates are also pulled in.
574577
# https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport

0 commit comments

Comments
 (0)