chore: return an error when AppArmor is unsupported and profile specifie

Signed-off-by: MohammadHasan Akbari <[email protected]>

executor/oci/spec_linux.go

@@ -12,6 +12,7 @@ import (
  "github.com/containerd/containerd/mount"
  "github.com/containerd/containerd/oci"
  cdseccomp "github.com/containerd/containerd/pkg/seccomp"
+ "github.com/containerd/containerd/pkg/apparmor"
  "github.com/containerd/continuity/fs"
  "github.com/docker/docker/pkg/idtools"
  "github.com/docker/docker/profiles/seccomp"
@@ -72,6 +73,11 @@ func generateSecurityOpts(mode pb.SecurityMode, apparmorProfile string, selinuxB
  opts = append(opts, withDefaultProfile())
  }
  if apparmorProfile != "" {
+ // If AppArmor is not supported but a profile was specified, return an error
+ if !apparmor.HostSupports() {
+ return nil, errors.New("AppArmor is not supported on this host, but the profile '" + apparmorProfile + "' was specified")
+ }
+
  opts = append(opts, oci.WithApparmorProfile(apparmorProfile))
  }
  opts = append(opts, func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {

vendor/modules.txt

@@ -286,6 +286,7 @@ github.com/containerd/containerd/metadata/boltutil
 github.com/containerd/containerd/mount
 github.com/containerd/containerd/namespaces
 github.com/containerd/containerd/oci
+github.com/containerd/containerd/pkg/apparmor
 github.com/containerd/containerd/pkg/cap
 github.com/containerd/containerd/pkg/cleanup
 github.com/containerd/containerd/pkg/deprecation