diff --git a/src/core/apparmor-setup.c b/src/core/apparmor-setup.c
index c7bb9bf158..97ff70bffc 100644
--- a/src/core/apparmor-setup.c
+++ b/src/core/apparmor-setup.c
@@ -20,16 +20,10 @@ int mac_apparmor_setup(void) {
         int r;
         if (!mac_apparmor_use()) {
-                log_debug("Skipping AppArmor initialization: not supported by the kernel or disabled.");
+                log_debug("Skipping AppArmor initialization: not supported by the kernel, is disabled or libapparmor is not installed.");
                 return 0;
         }
-        r = dlopen_libapparmor();
-        if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
-                return 0;
-        if (r < 0)
-                return log_error_errno(r, "Failed to load libapparmor: %m");
-
         /* To honor LSM stacking, check per-LSM subdirectory first, and then the generic one as fallback. */
         FOREACH_STRING(current_file, "/proc/self/attr/apparmor/current", "/proc/self/attr/current") {
                 r = read_one_line_file(current_file, ¤t_profile);
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 7943fdf8b7..bebb2f45a0 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -5751,12 +5751,7 @@ int exec_invoke(
                 use_smack = mac_smack_use();
 #endif
 #if HAVE_APPARMOR
-                if (mac_apparmor_use()) {
-                        r = dlopen_libapparmor();
-                        if (r < 0 && !ERRNO_IS_NEG_NOT_SUPPORTED(r))
-                                log_warning_errno(r, "Failed to load libapparmor, ignoring: %m");
-                        use_apparmor = r >= 0;
-                }
+                use_apparmor = mac_apparmor_use();
 #endif
         }
diff --git a/src/shared/apparmor-util.c b/src/shared/apparmor-util.c
index 2878517fe9..74a03817bd 100644
--- a/src/shared/apparmor-util.c
+++ b/src/shared/apparmor-util.c
@@ -5,6 +5,7 @@
 #include "alloc-util.h"
 #include "apparmor-util.h"
 #include "fileio.h"
+#include "log.h"
 #include "parse-util.h"
 #if HAVE_APPARMOR
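Review bot: With the dlopen_libapparmor() call gone from mac_apparmor_setup(), a libapparmor that is present but fails to load no longer hits the removed log_error_errno()/return path; mac_apparmor_use() now folds that case into "not in use", so PID 1 skips profile-cache loading on a kernel with AppArmor enabled with at most a debug-level message (whatever dlopen_libapparmor() itself logs is not visible in this diff). The exec-invoke.c hunk has the same downgrade, from log_warning_errno() at the call site to nothing. If the quieter behaviour is intended, I would say so next to the check, e.g. `/* mac_apparmor_use() also covers the libapparmor dlopen; a load failure only surfaces at debug level there. */`; otherwise the setup path should keep telling "kernel disabled" apart from "library unloadable" so the latter stays visible at warning level. The context line `¤t_profile` looks like an extraction artifact of `&current_profile` and is not part of the change. Both mac_apparmor_setup() and exec_invoke() extend beyond their hunks.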
@@ -38,18 +39,31 @@ int dlopen_libapparmor(void) {
                         DLSYM_ARG(aa_policy_cache_replace_all),
                         DLSYM_ARG(aa_policy_cache_unref));
 }
-#endif
 bool mac_apparmor_use(void) {
         static int cached_use = -1;
+        int r;
-        if (cached_use < 0) {
-                _cleanup_free_ char *p = NULL;
+        if (cached_use >= 0)
+                return cached_use;
-                cached_use =
-                        read_one_line_file("/sys/module/apparmor/parameters/enabled", &p) >= 0 &&
-                        parse_boolean(p) > 0;
+        _cleanup_free_ char *p = NULL;
+        r = read_one_line_file("/sys/module/apparmor/parameters/enabled", &p);
+        if (r < 0) {
+                if (r != -ENOENT)
+                        log_debug_errno(r, "Failed to read /sys/module/apparmor/parameters/enabled, assuming AppArmor is not available: %m");
+                return (cached_use = false);
         }
-        return cached_use;
+        r = parse_boolean(p);
+        if (r < 0)
+                log_debug_errno(r, "Failed to parse /sys/module/apparmor/parameters/enabled, assuming AppArmor is not available: %m");
+        if (r <= 0)
+                return (cached_use = false);
+
+        if (dlopen_libapparmor() < 0)
+                return (cached_use = false);
+
+        return (cached_use = true);
 }
+#endif
diff --git a/src/shared/apparmor-util.h b/src/shared/apparmor-util.h
index c3f97ceaaf..06d6bf30e2 100644
--- a/src/shared/apparmor-util.h
+++ b/src/shared/apparmor-util.h
@@ -21,10 +21,12 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_RENAME(aa_features*, sym_aa_features_unref, aa_
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_RENAME(aa_policy_cache*, sym_aa_policy_cache_unref, aa_policy_cache_unrefp, NULL);
 int dlopen_libapparmor(void);
+bool mac_apparmor_use(void);
 #else
 static inline int dlopen_libapparmor(void) {
         return -EOPNOTSUPP;
 }
+static inline bool mac_apparmor_use(void) {
+        return false;
+}
 #endif
-
-bool mac_apparmor_use(void);
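Review bot: In the new mac_apparmor_use(), the dlopen_libapparmor() failure exit is the only one of the three "not available" paths without a diagnostic at this level, so an installed-but-unloadable libapparmor (wrong soname, missing symbol) becomes indistinguishable from a disabled LSM unless dlopen_libapparmor() logs on its own, which this diff does not show. For consistency with the read and parse branches I would keep the return code: replace `if (dlopen_libapparmor() < 0)` with `r = dlopen_libapparmor(); if (r < 0) { log_debug_errno(r, "Failed to load libapparmor, assuming AppArmor is not available: %m"); return (cached_use = false); }`. Since a negative probe is now sticky for the whole process, a comment on `static int cached_use = -1;` such as `/* -1 = not yet probed; a failed read, parse or library load is cached as false for the process lifetime */` would make that visible to the next reader. The DLSYM_ARG lines at the top belong to dlopen_libapparmor(), which starts outside the hunk; the apparmor-util.h hunk is the matching declaration move and needs nothing further.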