apparmor: move dlopen() into mac_apparmor_use() check

This mirrors what we do for mac_selinux_use(), which also loads
libselinux.

diff --git a/src/core/apparmor-setup.c b/src/core/apparmor-setup.c
index c7bb9bf158ad253f980765576905417986cab00e..97ff70bffcb0b2d728c183176d64bd4b643ed961 100644 (file)
--- a/src/core/apparmor-setup.c
+++ b/src/core/apparmor-setup.c
@@ -20,16 +20,10 @@ int mac_apparmor_setup(void) {
         int r;
 
         if (!mac_apparmor_use()) {
-                log_debug("Skipping AppArmor initialization: not supported by the kernel or disabled.");
+                log_debug("Skipping AppArmor initialization: not supported by the kernel, is disabled or libapparmor is not installed.");
                 return 0;
         }
 
-        r = dlopen_libapparmor();
-        if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
-                return 0;
-        if (r < 0)
-                return log_error_errno(r, "Failed to load libapparmor: %m");
-
         /* To honor LSM stacking, check per-LSM subdirectory first, and then the generic one as fallback. */
         FOREACH_STRING(current_file, "/proc/self/attr/apparmor/current", "/proc/self/attr/current") {
                 r = read_one_line_file(current_file, &current_profile);

diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 7943fdf8b7f7c4319245ff294eb93093761b1a06..bebb2f45a0f43876bc4e437911ac86b5a37c5ff8 100644 (file)
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -5751,12 +5751,7 @@ int exec_invoke(
                 use_smack = mac_smack_use();
 #endif
 #if HAVE_APPARMOR
-                if (mac_apparmor_use()) {
-                        r = dlopen_libapparmor();
-                        if (r < 0 && !ERRNO_IS_NEG_NOT_SUPPORTED(r))
-                                log_warning_errno(r, "Failed to load libapparmor, ignoring: %m");
-                        use_apparmor = r >= 0;
-                }
+                use_apparmor = mac_apparmor_use();
 #endif
         }
 

diff --git a/src/shared/apparmor-util.c b/src/shared/apparmor-util.c
index 2878517fe971b07256c91f85d27ae2a6d3b59dca..b29534c47161f259b1d28b9b6d5eda8863b15849 100644 (file)
--- a/src/shared/apparmor-util.c
+++ b/src/shared/apparmor-util.c
@@ -5,6 +5,7 @@
 #include "alloc-util.h"
 #include "apparmor-util.h"
 #include "fileio.h"
+#include "log.h"
 #include "parse-util.h"
 
 #if HAVE_APPARMOR
@@ -42,14 +43,28 @@ int dlopen_libapparmor(void) {
 
 bool mac_apparmor_use(void) {
         static int cached_use = -1;
+        int r;
 
-        if (cached_use < 0) {
-                _cleanup_free_ char *p = NULL;
+        if (cached_use >= 0)
+                return cached_use;
 
-                cached_use =
-                        read_one_line_file("/sys/module/apparmor/parameters/enabled", &p) >= 0 &&
-                        parse_boolean(p) > 0;
+        _cleanup_free_ char *p = NULL;
+        r = read_one_line_file("/sys/module/apparmor/parameters/enabled", &p);
+        if (r < 0) {
+                if (r != -ENOENT)
+                        log_debug_errno(r, "Failed to read /sys/module/apparmor/parameters/enabled, assuming AppArmor is not available: %m");
+                return (cached_use = false);
         }
 
-        return cached_use;
+        r = parse_boolean(p);
+        if (r <= 0) {
+                if (r < 0)
+                        log_debug_errno(r, "Failed to parse /sys/module/apparmor/parameters/enabled, assuming AppArmor is not available: %m");
+                return (cached_use = false);
+        }
+
+        if (dlopen_libapparmor() < 0)
+                return (cached_use = false);
+
+        return (cached_use = true);
 }