apparmor: Check if apparmor_parser is available

`hostSupports` doesn't check if the apparmor_parser is available.
It's possible in some environments that the apparmor will be enabled but
the tool to load the profile is not available which will cause the
ensureDefaultAppArmorProfile to fail completely.

This patch checks if the apparmor_parser is available. Otherwise the
function returns early, but still logs a warning to the daemon log.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>

daemon/apparmor_default.go

@@ -5,9 +5,12 @@ package daemon // import "github.com/docker/docker/daemon"
 
 import (
 	"fmt"
+	"os"
+	"sync"
 
 	"github.com/containerd/containerd/pkg/apparmor"
 	aaprofile "github.com/docker/docker/profiles/apparmor"
+	"github.com/sirupsen/logrus"
 )
 
 // Define constants for native driver
@@ -16,6 +19,11 @@ const (
 	defaultAppArmorProfile    = "docker-default"
 )
 
+var (
+	checkAppArmorOnce   sync.Once
+	isAppArmorAvailable bool
+)
+
 // DefaultApparmorProfile returns the name of the default apparmor profile
 func DefaultApparmorProfile() string {
 	if apparmor.HostSupports() {
@@ -25,7 +33,20 @@ func DefaultApparmorProfile() string {
 }
 
 func ensureDefaultAppArmorProfile() error {
-	if apparmor.HostSupports() {
+	checkAppArmorOnce.Do(func() {
+		if apparmor.HostSupports() {
+			// Restore the apparmor_parser check removed in containerd:
+			// https://github.com/containerd/containerd/commit/1acca8bba36e99684ee3489ea4a42609194ca6b9
+			// Fixes: https://github.com/moby/moby/issues/44900
+			if _, err := os.Stat("/sbin/apparmor_parser"); err == nil {
+				isAppArmorAvailable = true
+			} else {
+				logrus.Warn("AppArmor enabled on system but \"apparmor_parser\" binary is missing, so profile can't be loaded")
+			}
+		}
+	})
+
+	if isAppArmorAvailable {
 		loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
 		if err != nil {
 			return fmt.Errorf("Could not check if %s AppArmor profile was loaded: %s", defaultAppArmorProfile, err)