From b3f15c09cd94f5a92544b7b8c7eb4e74ef8e76d3 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer@suse.com>
Date: Fri, 10 Jul 2020 17:47:22 +0200
Subject: [PATCH] Don't setup AppArmor provile for privileged pods

This is essentially db218e7162c2 forward-ported to specgen

Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
---
 cmd/podman/common/specgen.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go
index eca0da32b3..96aeb08f4b 100644
--- a/cmd/podman/common/specgen.go
+++ b/cmd/podman/common/specgen.go
@@ -525,8 +525,10 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 				s.ContainerSecurityConfig.SelinuxOpts = append(s.ContainerSecurityConfig.SelinuxOpts, con[1])
 				s.Annotations[define.InspectAnnotationLabel] = strings.Join(s.ContainerSecurityConfig.SelinuxOpts, ",label=")
 			case "apparmor":
-				s.ContainerSecurityConfig.ApparmorProfile = con[1]
-				s.Annotations[define.InspectAnnotationApparmor] = con[1]
+				if !c.Privileged {
+					s.ContainerSecurityConfig.ApparmorProfile = con[1]
+					s.Annotations[define.InspectAnnotationApparmor] = con[1]
+				}
 			case "seccomp":
 				s.SeccompProfilePath = con[1]
 				s.Annotations[define.InspectAnnotationSeccomp] = con[1]
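Review bot: In the `apparmor` case the new `if !c.Privileged` guard silently discards a profile the user passed explicitly. Neither `ApparmorProfile` nor the `InspectAnnotationApparmor` annotation is set, and nothing tells the operator that the option was ignored. Someone combining `--privileged` with `apparmor=<profile>` could reasonably assume the container is confined, and inspect output will show no trace of the request. I would add an `else` branch that either returns an error for the conflicting options or emits a warning through whatever logger this file already uses. A comment on the guard would also help, such as `// privileged containers get no AppArmor profile; an explicit apparmor= option is intentionally dropped`. The surrounding switch and the rest of `FillOutSpecGen` lie outside this hunk, so I cannot tell from here whether the `label` and `seccomp` cases need the same treatment.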