
Apparmor status incorrectly detected on Arch/Manjaro #7545

Closed
rrichardson opened this issue Sep 5, 2020 · 4 comments · Fixed by #7553
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@rrichardson

/kind bug

Description

When running --security-opt apparmor=unconfined I get this error:
Error: Apparmor profile "unconfined" specified, but Apparmor is not enabled on this system

However, Apparmor is enabled on my system

apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.

So I'm guessing perhaps I am missing some flag that allows podman or the container to detect this?
This is the command I'm executing. Actually, it's kind 0.8.1 that is executing it.

I'm running Manjaro/Arch linux : Linux ricktop 5.4.60-2-MANJARO #1 SMP PREEMPT Sat Aug 22 14:35:41 UTC 2020 x86_64 GNU/Linux

Steps to reproduce the issue:

  1. Enable Apparmor

  2. Run podman run --security-opt apparmor=unconfined fedora-minimal cat /proc/self/uid_map

Describe the results you received:

Error: Apparmor profile "unconfined" specified, but Apparmor is not enabled on this system

Describe the results you expected:
Something else.

Additional information you deem important (e.g. issue happens only occasionally):

This happens whether I run with or without --privileged and with or without sudo
So it seems like it's a sanity check that occurs fairly early on.

Output of podman version:

➜ podman version
Version:      2.0.4
API Version:  1
Go Version:   go1.14.6
Git Commit:   cab27868766a3b01ac14ff46180af8644c41d1cd
Built:        Fri Jul 31 15:31:25 2020
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v1
  conmon:
    package: Unknown
    path: /usr/bin/conmon
    version: 'conmon version 2.0.20, commit: 13244db638cf987c415298a3c23393ae5abeb885'
  cpus: 12
  distribution:
    distribution: manjaro
    version: unknown
  eventLogger: file
  hostname: ricktop
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65536
  kernel: 5.4.60-2-MANJARO
  linkmode: dynamic
  memFree: 25732403200
  memTotal: 33511178240
  ociRuntime:
    name: runc
    package: Unknown
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc92
      commit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
      spec: 1.0.2-dev
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.4
      commit: b66ffa8e262507e37fca689822d23430f3357fe8
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
  swapFree: 17179865088
  swapTotal: 17179865088
  uptime: 35m 30.08s
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  configFile: /home/rick/.config/containers/storage.conf
  containerStore:
    number: 7
    paused: 0
    running: 0
    stopped: 7
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fusermount3 version: 3.9.3
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.9.3
        using FUSE kernel interface version 7.31
  graphRoot: /home/rick/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 2
  runRoot: /run/user/1000/containers
  volumePath: /home/rick/.local/share/containers/storage/volumes
version:
  APIVersion: 1
  Built: 1596234685
  BuiltTime: Fri Jul 31 15:31:25 2020
  GitCommit: cab27868766a3b01ac14ff46180af8644c41d1cd
  GoVersion: go1.14.6
  OsArch: linux/amd64
  Version: 2.0.4

Package info (e.g. output of rpm -q podman or apt list podman):

➜ pacman -Q --info podman
Name            : podman
Version         : 2.0.4-1
Description     : Tool and library for running OCI-based containers in pods
Architecture    : x86_64
URL             : https://github.com/containers/libpod
Licenses        : Apache
Groups          : None
Provides        : None
Depends On      : cni-plugins  conmon  device-mapper  iptables  libseccomp  runc  slirp4netns  libsystemd  fuse-overlayfs  skopeo
Optional Deps   : podman-docker: for Docker-compatible CLI
                  btrfs-progs: support btrfs backend devices [installed]
                  catatonit: --init flag support
                  crun: support for unified cgroupsv2
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 88.45 MiB
Packager        : Morten Linderud <[email protected]>
Build Date      : Fri 31 Jul 2020 03:31:25 PM PDT
Install Date    : Fri 04 Sep 2020 04:20:31 PM PDT
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

No

Here is the complete command being executed by kind v0.8.1:

podman run --hostname test-control-plane --name test-control-plane --label io.x-k8s.kind.role=control-plane --privileged --security-opt seccomp=unconfined --security-opt apparmor=unconfined --tmpfs /tmp --tmpfs /run --volume /var --volume /lib/modules:/lib/modules:ro --detach --tty --label io.x-k8s.kind.cluster=test --publish=127.0.0.1:37155:6443/TCP kindest/node@sha256:7b27a6d0f2517ff88ba444025beae41491b016bc6af573ba467b70c5e8e0d85f
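The report above hinges on a disagreement between what the host tool says (module loaded, profiles enforced) and what podman concludes. The following is an added example, not podman's code and not the fix that landed in #7553: it reads the two interfaces the kernel itself exposes for this question, `/sys/module/apparmor/parameters/enabled` (a single `Y` or `N`) and the active-LSM list in `/sys/kernel/security/lsm`, and reports each signal separately so a reporter can see which one a container engine might be reading. The combination rule in `Enabled()` (either signal counts) is my assumption, not a statement of how podman decides.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Kernel interfaces consulted below (these paths are the kernel's, not podman's).
const (
	apparmorEnabledParam = "/sys/module/apparmor/parameters/enabled"
	securityfsLSMList    = "/sys/kernel/security/lsm"
)

// parseEnabledParam interprets /sys/module/apparmor/parameters/enabled,
// which holds a single "Y" or "N" followed by a newline.
func parseEnabledParam(content string) bool {
	return strings.TrimSpace(content) == "Y"
}

// lsmListContains reports whether name is one of the comma-separated entries
// in /sys/kernel/security/lsm (e.g. "lockdown,capability,yama,apparmor").
func lsmListContains(list, name string) bool {
	for _, entry := range strings.Split(strings.TrimSpace(list), ",") {
		if entry == name {
			return true
		}
	}
	return false
}

// Status keeps the individual signals apart so a mismatch is visible.
type Status struct {
	ModuleParamPresent bool // parameter file readable (module built in or loaded)
	ModuleParamEnabled bool // parameter reads "Y"
	LSMListPresent     bool // securityfs lsm file readable
	InLSMList          bool // "apparmor" listed among active LSMs
}

// Enabled is this example's (assumed) combination rule: AppArmor counts as
// enabled when either the module parameter says so or the LSM list names it.
func (s Status) Enabled() bool {
	return s.ModuleParamEnabled || s.InLSMList
}

// evaluate turns raw file contents (or their read errors) into a Status.
// It is separated from file access so it can be exercised on constructed input.
func evaluate(param string, paramErr error, lsm string, lsmErr error) Status {
	var s Status
	if paramErr == nil {
		s.ModuleParamPresent = true
		s.ModuleParamEnabled = parseEnabledParam(param)
	}
	if lsmErr == nil {
		s.LSMListPresent = true
		s.InLSMList = lsmListContains(lsm, "apparmor")
	}
	return s
}

// probeHost reads the two kernel interfaces on the running system.
func probeHost() Status {
	param, paramErr := os.ReadFile(apparmorEnabledParam)
	lsm, lsmErr := os.ReadFile(securityfsLSMList)
	return evaluate(string(param), paramErr, string(lsm), lsmErr)
}

func main() {
	s := probeHost()
	fmt.Printf("%s: present=%t enabled=%t\n", apparmorEnabledParam, s.ModuleParamPresent, s.ModuleParamEnabled)
	fmt.Printf("%s: present=%t lists apparmor=%t\n", securityfsLSMList, s.LSMListPresent, s.InLSMList)
	fmt.Printf("AppArmor enabled according to the kernel: %t\n", s.Enabled())
}
```

Run it with `go run .` on the affected host; if both signals say AppArmor is active while the engine still refuses the `apparmor=unconfined` option, the engine's check is looking at something other than the kernel's own state, which is the distinction this issue turns on.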
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Sep 5, 2020
@rrichardson (Author)

Note I just tested with 2.0.6 and got the same result.

@vrothberg (Member)

Thanks for opening the issue, @rrichardson!

@saschagrunert, do you have cycles to look into this? I just got back from PTO and have around 1k more mails to go :^)

@saschagrunert (Member)

> Thanks for opening the issue, @rrichardson!
>
> @saschagrunert, do you have cycles to look into this? I just got back from PTO and have around 1k more mails to go :^)

Yes sure 👍

@saschagrunert (Member)

Fix is incoming in #7553

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023