apparmor: move dlopen() into mac_apparmor_use() check

This mirrors what we do for mac_selinux_use(), which also loads libselinux.
2026-04-14 16:37:19 +09:00 · 2025-11-20 14:09:15 +01:00
parent 8137c6bf2d
commit c3b3eea2e5
3 changed files with 23 additions and 19 deletions
--- a/src/core/apparmor-setup.c
+++ b/src/core/apparmor-setup.c
@@ -20,16 +20,10 @@ int mac_apparmor_setup(void) {
        int r;

        if (!mac_apparmor_use()) {
-                log_debug("Skipping AppArmor initialization: not supported by the kernel or disabled.");
+                log_debug("Skipping AppArmor initialization: not supported by the kernel, is disabled or libapparmor is not installed.");
                return 0;
        }

-        r = dlopen_libapparmor();
-        if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
-                return 0;
-        if (r < 0)
-                return log_error_errno(r, "Failed to load libapparmor: %m");
-
        /* To honor LSM stacking, check per-LSM subdirectory first, and then the generic one as fallback. */
        FOREACH_STRING(current_file, "/proc/self/attr/apparmor/current", "/proc/self/attr/current") {
                r = read_one_line_file(current_file, &current_profile);
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -5751,12 +5751,7 @@ int exec_invoke(
                use_smack = mac_smack_use();
 #endif
 #if HAVE_APPARMOR
-                if (mac_apparmor_use()) {
-                        r = dlopen_libapparmor();
-                        if (r < 0 && !ERRNO_IS_NEG_NOT_SUPPORTED(r))
-                                log_warning_errno(r, "Failed to load libapparmor, ignoring: %m");
-                        use_apparmor = r >= 0;
-                }
+                use_apparmor = mac_apparmor_use();
 #endif
        }

--- a/src/shared/apparmor-util.c
+++ b/src/shared/apparmor-util.c
@@ -5,6 +5,7 @@
 #include "alloc-util.h"
 #include "apparmor-util.h"
 #include "fileio.h"
+#include "log.h"
 #include "parse-util.h"

 #if HAVE_APPARMOR
@@ -42,14 +43,28 @@ int dlopen_libapparmor(void) {

 bool mac_apparmor_use(void) {
        static int cached_use = -1;
+        int r;

-        if (cached_use < 0) {
-                _cleanup_free_ char *p = NULL;
+        if (cached_use >= 0)
+                return cached_use;

-                cached_use =
-                        read_one_line_file("/sys/module/apparmor/parameters/enabled", &p) >= 0 &&
-                        parse_boolean(p) > 0;
+        _cleanup_free_ char *p = NULL;
+        r = read_one_line_file("/sys/module/apparmor/parameters/enabled", &p);
+        if (r < 0) {
+                if (r != -ENOENT)
+                        log_debug_errno(r, "Failed to read /sys/module/apparmor/parameters/enabled, assuming AppArmor is not available: %m");
+                return (cached_use = false);
        }

-        return cached_use;
+        r = parse_boolean(p);
+        if (r <= 0) {
+                if (r < 0)
+                        log_debug_errno(r, "Failed to parse /sys/module/apparmor/parameters/enabled, assuming AppArmor is not available: %m");
+                return (cached_use = false);
+        }
+
+        if (dlopen_libapparmor() < 0)
+                return (cached_use = false);
+
+        return (cached_use = true);
 }