From: Lennart Poettering
Date: Thu, 20 Nov 2025 13:09:15 +0000 (+0100)
Subject: apparmor: move dlopen() into mac_apparmor_use() check
X-Git-Tag: v259-rc2~56^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3b3eea2e56d7904ace7dd72c8520933ebef843e;p=thirdparty%2Fsystemd.git
apparmor: move dlopen() into mac_apparmor_use() check
This mirrors what we do for mac_selinux_use(), which also loads libselinux.
---
diff --git a/src/core/apparmor-setup.c b/src/core/apparmor-setup.c
index c7bb9bf158a..97ff70bffcb 100644
--- a/src/core/apparmor-setup.c
+++ b/src/core/apparmor-setup.c
@@ -20,16 +20,10 @@ int mac_apparmor_setup(void) {
 int r;
 if (!mac_apparmor_use()) {
- log_debug("Skipping AppArmor initialization: not supported by the kernel or disabled.");
+ log_debug("Skipping AppArmor initialization: not supported by the kernel, is disabled or libapparmor is not installed.");
 return 0;
 }
- r = dlopen_libapparmor();
- if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
- return 0;
- if (r < 0)
- return log_error_errno(r, "Failed to load libapparmor: %m");
-
 /* To honor LSM stacking, check per-LSM subdirectory first, and then the generic one as fallback. */
 FOREACH_STRING(current_file, "/proc/self/attr/apparmor/current", "/proc/self/attr/current") {
 r = read_one_line_file(current_file, ¤t_profile);
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 7943fdf8b7f..bebb2f45a0f 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -5751,12 +5751,7 @@ int exec_invoke(
 use_smack = mac_smack_use();
 #endif
 #if HAVE_APPARMOR
- if (mac_apparmor_use()) {
- r = dlopen_libapparmor();
- if (r < 0 && !ERRNO_IS_NEG_NOT_SUPPORTED(r))
- log_warning_errno(r, "Failed to load libapparmor, ignoring: %m");
- use_apparmor = r >= 0;
- }
+ use_apparmor = mac_apparmor_use();
 #endif
 }
diff --git a/src/shared/apparmor-util.c b/src/shared/apparmor-util.c
index 2878517fe97..b29534c4716 100644
--- a/src/shared/apparmor-util.c
+++ b/src/shared/apparmor-util.c
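Review bot: Nothing at the call site in mac_apparmor_setup() (src/core/apparmor-setup.c) says that the code after the `if (!mac_apparmor_use())` guard now relies on that check having loaded libapparmor as a side effect. With the explicit `dlopen_libapparmor()` call gone, a reader of the function, whose body continues outside the hunk, cannot tell where the library gets loaded before any libapparmor calls that follow. I would add a comment after the guard such as `/* mac_apparmor_use() returned true, hence libapparmor is loaded and its symbols are usable from here on. */`. The same applies to `use_apparmor = mac_apparmor_use();` in the exec_invoke() hunk of src/core/exec-invoke.c, where the flag now also means "library loaded".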
@@ -5,6 +5,7 @@
 #include "alloc-util.h"
 #include "apparmor-util.h"
 #include "fileio.h"
+#include "log.h"
 #include "parse-util.h"
 #if HAVE_APPARMOR
@@ -42,14 +43,28 @@ int dlopen_libapparmor(void) {
 bool mac_apparmor_use(void) {
 static int cached_use = -1;
+ int r;
- if (cached_use < 0) {
- _cleanup_free_ char *p = NULL;
+ if (cached_use >= 0)
+ return cached_use;
- cached_use =
- read_one_line_file("/sys/module/apparmor/parameters/enabled", &p) >= 0 &&
- parse_boolean(p) > 0;
+ _cleanup_free_ char *p = NULL;
+ r = read_one_line_file("/sys/module/apparmor/parameters/enabled", &p);
+ if (r < 0) {
+ if (r != -ENOENT)
+ log_debug_errno(r, "Failed to read /sys/module/apparmor/parameters/enabled, assuming AppArmor is not available: %m");
+ return (cached_use = false);
 }
- return cached_use;
+ r = parse_boolean(p);
+ if (r <= 0) {
+ if (r < 0)
+ log_debug_errno(r, "Failed to parse /sys/module/apparmor/parameters/enabled, assuming AppArmor is not available: %m");
+ return (cached_use = false);
+ }
+
+ if (dlopen_libapparmor() < 0)
+ return (cached_use = false);
+
+ return (cached_use = true);
 }
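Review bot: The `if (dlopen_libapparmor() < 0)` branch in mac_apparmor_use() turns every load failure into "AppArmor not in use" and caches that for the life of the process, without logging anything at this site. The handling this commit removes told the cases apart: mac_apparmor_setup() returned `log_error_errno(...)` for anything other than a not-supported error, and exec_invoke() logged a warning. As far as these hunks show, a host whose kernel reports AppArmor enabled but whose libapparmor fails to load for a reason other than being absent would now skip AppArmor handling quietly, unless dlopen_libapparmor(), whose body is outside the hunk, logs by itself. I would keep the return value and warn on unexpected errors, as below; this assumes ERRNO_IS_NEG_NOT_SUPPORTED() is available in this file.

```c
        /* … unchanged: cache check, reading and parsing of /sys/module/apparmor/parameters/enabled … */

        r = dlopen_libapparmor();
        if (r < 0) {
                /* A missing library is expected on some systems; anything else deserves a visible message. */
                if (!ERRNO_IS_NEG_NOT_SUPPORTED(r))
                        log_warning_errno(r, "Failed to load libapparmor, assuming AppArmor is not available: %m");
                return (cached_use = false);
        }

        return (cached_use = true);
```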