apparmor-basic-profiles: open-code the same checks as aa-status --enabled

This means we can do them without python3 installed, such as on target images.

Bug: https://bugs.apertis.org/show_bug.cgi?id=513
Differential Revision: https://phabricator.apertis.org/D494
Reviewed-by: pwith

apparmor/automated/run-test.sh

@@ -43,8 +43,31 @@ _watch_audit_logs() {
 
 # Check whether apparmor is enabled
 test_apparmor_enabled() {
-    [[ -d /etc/apparmor.d ]] || return 1
-    sudo aa-status --enabled || return 1
+    if ! [ -d /etc/apparmor.d ]; then
+        whine "AppArmor profile directory not found"
+        return 1
+    fi
+
+    if ! [ -e /sys/module/apparmor ]; then
+        whine "AppArmor module not loaded"
+        return 1
+    fi
+
+    if ! [ -e /sys/kernel/security/apparmor/profiles ]; then
+        whine "AppArmor profiles list not available"
+        return 1
+    fi
+
+    if ! sudo grep . /sys/kernel/security/apparmor/profiles > /dev/null; then
+        whine "Did not find anything in the AppArmor profile set"
+        return 1
+    fi
+
+    if [ "$DEBUG" != 0 ]; then
+        echo "# AppArmor profiles loaded:"
+        sudo env LC_ALL=C sort /sys/kernel/security/apparmor/profiles | \
+            sed -e 's/^/#  /'
+    fi
 }
 
 # Check if profiles are being parsed correctly

debian/changelog

@@ -9,6 +9,9 @@ apertis-tests (1:0.20150917.0) UNRELEASED; urgency=medium
     from chaiwala-tests
   * apparmor-basic-profiles: show more diagnostics when run with --debug,
     and do so in LAVA
+  * apparmor-basic-profiles: open-code the same checks as aa-status --enabled
+    so that we can do them without python3 installed, such as on target
+    images (Apertis: #513)
 
  -- Simon McVittie <simon.mcvittie@collabora.co.uk>  Thu, 17 Sep 2015 14:11:17 +0100