set SFS_MOUNTPOINT in is_container_with_internal_policy()
is_container_with_internal_policy() is called independently of apparmor_*() in the systemd unit and potentially other consumers of rc.apparmor.functions. When the unit and rc.apparmor.functions functions were rewritten, they were written so that SFS_MOUNTPOINT was only set in is_apparmor_loaded(), but this is only called in apparmor_start(), remove_profiles(), apparmor_kill(), apparmor_restart(), apparmor_try_restart() and apparmor_status() and not is_container_with_internal_policy().
While it is clear that is_container_with_internal_policy() is meant to be called before apparmor_start(), it is unclear why SFS_MOUNTPOINT is only defined in is_apparmor_loaded(). There are several ways to fix this:
1. update is_container_with_internal_policy() to call is_apparmor_loaded()
2. identify the callers of is_container_with_internal_policy() and have them call is_apparmor_loaded()
3. reorganize the code to remove duplicate calls and assignments
4. define SFS_MOUNTPOINT along with SECURITYFS and MODULE, at the top level
5. also define SFS_MOUNTPOINT in is_container_with_internal_policy()
'1' would result in redundant calls in many common cases since the systemd unit would call is_apparmor_loaded() both in is_container_with_internal_policy() and prior to other calls.
'2' would likely break consumers of rc.apparmor.functions, like Ubuntu's profile-load.
'3' is perhaps ok, but requires more effort and is regression-prone.
'4' seems the simplest, most correct fix.
'5' is what this patch implements, which is as simple as '4' but tries to maintain the original author's intent of when to set SFS_MOUNTPOINT.
Nominate for 2.13.
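The ordering problem described above, as an added example that is not part of the commit or of rc.apparmor.functions. The `demo_*` functions, the `demo_marker` file and the temporary directory standing in for securityfs are all constructed for illustration; only the variable names SFS_MOUNTPOINT, SECURITYFS and MODULE come from the message.

```shell
#!/bin/sh
# Constructed model of the bug; the real function bodies are not reproduced here.
# DEMO_ROOT stands in for the securityfs mount so this runs unprivileged.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
SECURITYFS="$DEMO_ROOT/security"
MODULE=apparmor
mkdir -p "$SECURITYFS/$MODULE"
echo yes > "$SECURITYFS/$MODULE/demo_marker"   # hypothetical file the check reads

# Before the patch: the only place SFS_MOUNTPOINT is assigned.
demo_is_apparmor_loaded() {
    SFS_MOUNTPOINT="$SECURITYFS/$MODULE"
    [ -d "$SFS_MOUNTPOINT" ]
}

# Before the patch: silently depends on someone else having set the variable.
# With it unset, the path collapses to "/demo_marker" and the check fails.
demo_container_check_before() {
    [ -f "${SFS_MOUNTPOINT}/demo_marker" ]
}

# Option 5: the function assigns SFS_MOUNTPOINT itself before using it.
demo_container_check_after() {
    SFS_MOUNTPOINT="$SECURITYFS/$MODULE"
    [ -f "${SFS_MOUNTPOINT}/demo_marker" ]
}

# Ordering that happened to work before: loaded check first, then container check.
demo_loaded_then_before() {
    demo_is_apparmor_loaded && demo_container_check_before
}

# Run a check in a subshell with SFS_MOUNTPOINT unset, the way an
# independent caller reaches it. Prints "detected" or "missed".
demo_run_fresh() {
    ( unset SFS_MOUNTPOINT; "$@" ) && echo detected || echo missed
}

echo "before, called independently:   $(demo_run_fresh demo_container_check_before)"
echo "before, after loaded check:     $(demo_run_fresh demo_loaded_then_before)"
echo "option 5, called independently: $(demo_run_fresh demo_container_check_after)"
```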