From 02ca445ae391064ec243fc98840cb1875190f875 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Fri, 31 Jan 2025 12:50:01 +0000
Subject: [PATCH] Only enforce valid profile

---
 .../apparmor/all_apparmor_profiles_enforced/bash/shared.sh   | 5 +++++
 .../tests/correct_apparmor_profiles_enforced.pass.sh         | 4 ++++
 .../tests/incorrect_apparmor_profiles_enforced.fail.sh       | 5 ++++-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh
index 34c275fbc41..07f50b279d8 100644
--- a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh
+++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh
@@ -5,7 +5,12 @@
 
 # Ensure all AppArmor Profiles are enforcing
 apparmor_parser -q -r /etc/apparmor.d/
+{{% if 'ubuntu' in product %}}
+# Current version of apparmor-utils has issue https://gitlab.com/apparmor/apparmor/-/issues/411 and we're waiting for https://gitlab.com/apparmor/apparmor/-/merge_requests/1218 to be landed on noble
+find /etc/apparmor.d -maxdepth 1 ! -type d -exec aa-enforce "{}" \;
+{{% else %}}
 aa-enforce /etc/apparmor.d/*
+{{% endif %}}
 
 {{% if 'ubuntu' in product %}}
 UNCONFINED=$(aa-status | grep "processes are unconfined" | awk '{print $1;}')
diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/correct_apparmor_profiles_enforced.pass.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/correct_apparmor_profiles_enforced.pass.sh
index 24247cabedf..983c18fa565 100644
--- a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/correct_apparmor_profiles_enforced.pass.sh
+++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/correct_apparmor_profiles_enforced.pass.sh
@@ -4,7 +4,11 @@
 #Replace apparmor definitions
 apparmor_parser -q -r /etc/apparmor.d/
 #Set all profiles in enforce mode
+{{% if 'ubuntu' in product %}}
+find /etc/apparmor.d -maxdepth 1 ! -type d -exec aa-enforce "{}" \;
+{{% else %}}
 aa-enforce /etc/apparmor.d/*
+{{% endif %}}
 
 # rsyslogd apparmor profile is disabled in focal and jammy.
 # Reloading the profile results in an unconfined process
diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles_enforced.fail.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles_enforced.fail.sh
index 40d2f3549f9..794486cbfec 100644
--- a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles_enforced.fail.sh
+++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles_enforced.fail.sh
@@ -4,8 +4,11 @@
 #Replace apparmor definitions and force profiles into compliant mode
 apparmor_parser -q -r  /etc/apparmor.d/ 
 #Set all profiles in complain mode
+{{% if 'ubuntu' in product %}}
+find /etc/apparmor.d -maxdepth 1 ! -type d -exec aa-complain "{}" \;
+{{% else %}}
 aa-complain /etc/apparmor.d/*
-
+{{% endif %}}
 # rsyslogd apparmor profile is disabled in focal and jammy.
 # Reloading the profile results in an unconfined process
 # which fails the SCE, so we need to restart the process manually.