Merge pull request #33250 from cyphar/apparmor-readonly-root-fix

apparmor: make pkg/aaparser work on read-only root

daemon/apparmor_default.go

@@ -28,7 +28,7 @@ func ensureDefaultAppArmorProfile() error {
 
 		// Load the profile.
 		if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
-			return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", defaultApparmorProfile)
+			return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err)
 		}
 	}
 

pkg/aaparser/aaparser.go

@@ -22,10 +22,11 @@ func GetVersion() (int, error) {
 	return parseVersion(output)
 }
 
-// LoadProfile runs `apparmor_parser -r` on a specified apparmor profile to
-// replace the profile.
+// LoadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to
+// replace the profile. The `-K` is necessary to make sure that apparmor_parser
+// doesn't try to write to a read-only filesystem.
 func LoadProfile(profilePath string) error {
-	_, err := cmd("", "-r", profilePath)
+	_, err := cmd("", "-Kr", profilePath)
 	return err
 }