Fix apparmor host check to include aa-parser

[apostasie]

Fix #3945

[apostasie]

@AkihiroSuda this is minor/corner-case, as outlined by @dancavallaro, but it is still a regression.
Suggesting we have this for 2.0.4.

[apostasie]

@dancavallaro it should be noted that things will still be somewhat "weird", even with the patch.

In your specific circumstances (kernel enabled, no userland tool), nerdctl info will still happily report apparmor as a security option, and if the profile was loaded already, you may still run containers with it.

What the patch does is prevent (the problem you reported) loading profile for a container, which is the only place hostSupports (or aa-parser) is needed.

Finally, this patch will not prevent you from calling nerdctl apparmor load, which will loudly error complaining about aa_parser not being here (which is... fine).

I think this is fine (given this is indeed a corner case), but the whole thing is a bit shaky IMHO.

[apostasie]

@AkihiroSuda your suggestions integrated with latest push.

I do always have a mild panic attack whenever I fiddle with logic involving /sys/module.
Verified working of course locally, but wanted to make sure we are 100% comfortable with the new logic here.

(now going to grab coffee outside to cure my kernel anxiety)

[dancavallaro]

@apostasie I totally hear you. I'm already installing apparmor-utils as a workaround, and I've verified that explicitly setting apparmor=0 on the kernel command line resolves the real issue (since finally /sys/module/apparmor/parameters/enabled will say N).

Definitely agree that this is all pretty hairy, but thanks for the quick fix!

[apostasie]

Definitely agree that this is all pretty hairy, but thanks for the quick fix!

Well, I am operating under the assumption that @AkihiroSuda will tolerate me here as long as I live by the motto: "you broke it, you better fix it", so, better act fast to sweep my mistakes under the carpet. 🤣🤣🤣