From c44e93d856dabea18d2c17f8b169dac32a6467bb Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@boum.org>
Date: Tue, 30 Oct 2018 16:46:52 +0000
Subject: [PATCH] Make the systemd unit a no-op in containers with no internal
 policy

---
 parser/apparmor.systemd | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/parser/apparmor.systemd b/parser/apparmor.systemd
index aa81ca8bb..09d579245 100644
--- a/parser/apparmor.systemd
+++ b/parser/apparmor.systemd
@@ -71,6 +71,13 @@ fi
 
 case "$1" in
 	start)
+		if [ -x /usr/bin/systemd-detect-virt ] && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			aa_log_daemon_msg "Not starting AppArmor in container"
+			aa_log_end_msg 0
+			exit 0
+		fi
 		apparmor_start
 		rc=$?
 		;;
@@ -79,6 +86,13 @@ case "$1" in
 		rc=$?
 		;;
 	restart|reload|force-reload)
+		if [ -x /usr/bin/systemd-detect-virt ] && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			aa_log_daemon_msg "Not starting AppArmor in container"
+			aa_log_end_msg 0
+			exit 0
+		fi
 		apparmor_restart
 		rc=$?
 		;;