Add AppArmor key to quadlet .container files

Fixes: #27095 Signed-off-by: givensuman <givensuman@duck.com>
2025-11-28 17:18:58 +08:00 · 2025-10-30 21:02:20 -04:00
parent 23e6a89d36
commit e7b50c33df
4 changed files with 19 additions and 0 deletions
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@@ -305,6 +305,7 @@ Valid options for `[Container]` are listed below:
 | AddDevice=/dev/foo                   | --device /dev/foo                                    |
 | AddHost=example\.com:192.168.10.11   | --add-host example.com:192.168.10.11                 |
 | Annotation="XYZ"                     | --annotation "XYZ"                                   |
 | AppArmor="alternate-profile"         | --security-opt apparmor=alternate-profile            |
 | AutoUpdate=registry                  | --label "io.containers.autoupdate=registry"          |
 | CgroupsMode=no-conmon                | --cgroups=no-conmon                                  |
 | ContainerName=name                   | --name name                                          |
@@ -428,6 +429,10 @@ similar to `Environment`.
 This key can be listed multiple times.
 ### `AppArmor=`
 Sets the apparmor confinement profile for the container. A value of `unconfined` turns off apparmor confinement.
 ### `AutoUpdate=`
 Indicates whether the container will be auto-updated ([podman-auto-update(1)](podman-auto-update.1.md)). The following values are supported:
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@@ -62,6 +62,7 @@ const (
 	KeyAddHost               = "AddHost"
 	KeyAllTags               = "AllTags"
 	KeyAnnotation            = "Annotation"
 	KeyAppArmor              = "AppArmor"
 	KeyArch                  = "Arch"
 	KeyArtifact              = "Artifact"
 	KeyAuthFile              = "AuthFile"
@@ -248,6 +249,7 @@ var (
 				KeyAddDevice:             true,
 				KeyAddHost:               true,
 				KeyAnnotation:            true,
 				KeyAppArmor:              true,
 				KeyAutoUpdate:            true,
 				KeyCgroupsMode:           true,
 				KeyContainerName:         true,
@@ -775,6 +777,11 @@ func ConvertContainer(container *parser.UnitFile, unitsInfoMap map[string]*UnitI
 		podman.add("--security-opt", fmt.Sprintf("label=level:%s", securityLabelLevel))
 	}
 	apparmor, hasApparmor := container.Lookup(ContainerGroup, KeyAppArmor)
 	if hasApparmor && len(apparmor) > 0 {
 		podman.add("--security-opt", fmt.Sprintf("apparmor=%s", apparmor))
 	}
 	devices := container.LookupAllStrv(ContainerGroup, KeyAddDevice)
 	for _, device := range devices {
 		if device[0] == '-' {
--- a/test/e2e/quadlet/apparmor.container
+++ b/test/e2e/quadlet/apparmor.container
@@ -0,0 +1,6 @@
 ## assert-podman-final-args localhost/imagename
 ## assert-podman-args "--security-opt" "apparmor=someprofilename"
 [Container]
 Image=localhost/imagename
 AppArmor=someprofilename
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@@ -896,6 +896,7 @@ BOGUS=foo
 		runSuccessQuadletTestCase,
 		Entry("Basic container", "basic.container"),
 		Entry("annotation.container", "annotation.container"),
 		Entry("apparmor.container", "apparmor.container"),
 		Entry("autoupdate.container", "autoupdate.container"),
 		Entry("basepodman.container", "basepodman.container"),
 		Entry("capabilities.container", "capabilities.container"),