containerd
diff --git a/‎pkg/cri/server/apparmor.go‎
Lines changed: 48 additions & 0 deletions b/‎pkg/cri/server/apparmor.go‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎pkg/cri/server/apparmor_unsupported.go‎
Lines changed: 24 additions & 0 deletions b/‎pkg/cri/server/apparmor_unsupported.go‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎pkg/cri/server/helpers_linux.go‎
Lines changed: 6 additions & 2 deletions b/‎pkg/cri/server/helpers_linux.go‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go‎
Lines changed: 0 additions & 60 deletions b/‎vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go‎
Lines changed: 0 additions & 60 deletions
diff --git a/‎vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_disabled.go‎
Lines changed: 0 additions & 20 deletions b/‎vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_disabled.go‎
Lines changed: 0 additions & 20 deletions
diff --git a/‎vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go‎
Lines changed: 0 additions & 93 deletions b/‎vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go‎
Lines changed: 0 additions & 93 deletions
diff --git a/‎vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go‎
Lines changed: 0 additions & 112 deletions b/‎vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go‎
Lines changed: 0 additions & 112 deletions
@@ -0,0 +1,48 @@
+// +build apparmor,linux
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package server
+
+import (
+	"io/ioutil"
+	"os"
+	"sync"
+)
+
+var (
+	appArmorSupported bool
+	checkAppArmor     sync.Once
+)
+
+// hostSupportsAppArmor returns true if apparmor is enabled for the host, if
+// apparmor_parser is enabled, and if we are not running docker-in-docker.
+//
+// It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
+// check for apparmor_parser to be present, or if we're running docker-in-docker.
+func hostSupportsAppArmor() bool {
+	checkAppArmor.Do(func() {
+		// see https://github.com/docker/docker/commit/de191e86321f7d3136ff42ff75826b8107399497
+		if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
+			if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
+				buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
+				appArmorSupported = err == nil && len(buf) > 1 && buf[0] == 'Y'
+			}
+		}
+	})
+	return appArmorSupported
+}
@@ -0,0 +1,24 @@
+// +build !apparmor !linux
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package server
+
+//nolint: deadcode, unused
+func hostSupportsAppArmor() bool {
+	return false
+}
@@ -32,7 +32,6 @@ import (
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/pkg/seccomp"
 	"github.com/containerd/containerd/pkg/seutil"
-	runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
@@ -141,8 +140,13 @@ func checkSelinuxLevel(level string) error {
 	return nil
 }
 
+// apparmorEnabled returns true if apparmor is enabled, supported by the host,
+// if apparmor_parser is installed, and if we are not running docker-in-docker.
 func (c *criService) apparmorEnabled() bool {
-	return runcapparmor.IsEnabled() && !c.config.DisableApparmor
+	if c.config.DisableApparmor {
+		return false
+	}
+	return hostSupportsAppArmor()
 }
 
 func (c *criService) seccompEnabled() bool {