apparmor: don't load/set profile in privileged mode

Commit 27f9e23a0b9e already prevents setting the profile when creating
the spec but we also need to avoid loading and setting the profile when
creating the container.

Fixes: #3112
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

libpod/container_internal_linux.go

@@ -25,7 +25,7 @@ import (
 	"github.com/containers/libpod/pkg/lookup"
 	"github.com/containers/libpod/pkg/resolvconf"
 	"github.com/containers/libpod/pkg/rootless"
-	"github.com/cyphar/filepath-securejoin"
+	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/opencontainers/runc/libcontainer/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
@@ -188,11 +188,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	}
 
 	// Apply AppArmor checks and load the default profile if needed.
-	updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
+	if !c.config.Privileged {
-	if err != nil {
+		updatedProfile, err := apparmor.CheckProfileAndLoadDefault(c.config.Spec.Process.ApparmorProfile)
-		return nil, err
+		if err != nil {
+			return nil, err
+		}
+		g.SetProcessApparmorProfile(updatedProfile)
 	}
-	g.SetProcessApparmorProfile(updatedProfile)
 
 	if err := c.makeBindMounts(); err != nil {
 		return nil, err