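#!/bin/sh
# 35-apparmor.sh — Load AppArmor LSM profiles
#
# This file is sourced by the boot-stage runner (hence `return`, not `exit`)
# and relies on the caller for log, log_warn and log_ok. Every regular file at
# the top level of /etc/apparmor.d is loaded with `apparmor_parser -r`; entries
# the administrator disabled via /etc/apparmor.d/disable/ are skipped. The
# final status line is only reported as "ok" when at least one profile loaded
# and none failed, so a boot with no confinement in place is visible in the log.

# Opt-out boot parameter (the caller maps kubesolo.noapparmor on the kernel
# command line to KUBESOLO_NOAPPARMOR=1 — verify against the runner).
if [ "$KUBESOLO_NOAPPARMOR" = "1" ]; then
  log "AppArmor disabled via kubesolo.noapparmor boot parameter"
  return 0
fi

# securityfs carries the apparmor interface; mount it if nothing is there yet.
# A failing mount is deliberately not fatal — the directory check below decides
# whether AppArmor is usable.
if ! mountpoint -q /sys/kernel/security 2>/dev/null; then
  mount -t securityfs securityfs /sys/kernel/security 2>/dev/null || true
fi

# AppArmor compiled into / enabled in the kernel?
if [ ! -d /sys/kernel/security/apparmor ]; then
  log_warn "AppArmor not available in kernel — skipping profile loading"
  return 0
fi

# Userspace parser present?
if ! command -v apparmor_parser >/dev/null 2>&1; then
  log_warn "apparmor_parser not found — skipping profile loading"
  return 0
fi

PROFILE_DIR="/etc/apparmor.d"
if [ ! -d "$PROFILE_DIR" ]; then
  log_warn "No AppArmor profiles directory ($PROFILE_DIR) — skipping"
  return 0
fi

LOADED=0
FAILED=0
SKIPPED=0
for profile in "$PROFILE_DIR"/*; do
  # Subdirectories (abstractions/, tunables/, local/, disable/, ...) and the
  # literal pattern left by an unmatched glob are not profiles.
  [ -f "$profile" ] || continue
  profile_name=$(basename "$profile")

  # Honour the aa-disable convention: a link of the same name under disable/
  # means the administrator turned this profile off, so do not load it.
  if [ -e "$PROFILE_DIR/disable/$profile_name" ]; then
    SKIPPED=$((SKIPPED + 1))
    continue
  fi

  # Capture the parser's own diagnostic (stderr) instead of discarding it: a
  # profile that silently fails to load is a confinement gap, and the reason
  # is needed to fix it. stdout is still dropped as before.
  if parser_err=$(apparmor_parser -r "$profile" 2>&1 >/dev/null); then
    LOADED=$((LOADED + 1))
  else
    log_warn "Failed to load AppArmor profile: $profile_name${parser_err:+ ($parser_err)}"
    FAILED=$((FAILED + 1))
  fi
done

if [ "$SKIPPED" -gt 0 ]; then
  log "AppArmor: skipped $SKIPPED profiles disabled under $PROFILE_DIR/disable"
fi

# Report success only when confinement actually ended up in place; zero loaded
# profiles or any failure is a warning, not an "ok".
if [ "$FAILED" -gt 0 ] || [ "$LOADED" -eq 0 ]; then
  log_warn "AppArmor: loaded $LOADED profiles ($FAILED failed)"
else
  log_ok "AppArmor: loaded $LOADED profiles ($FAILED failed)"
fi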