contrib/apparmor: expose LoadDefaultProfile

Expected to be used by nerdctl: 6026ae740a/internal_oci_hook.go (L170-L180)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

contrib/apparmor/apparmor.go

@@ -41,33 +41,41 @@ func WithProfile(profile string) oci.SpecOpts {
 // for the container.  It is only generated if a profile under that name does not exist.
 func WithDefaultProfile(name string) oci.SpecOpts {
 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
-		yes, err := isLoaded(name)
+		if err := LoadDefaultProfile(name); err != nil {
-		if err != nil {
 			return err
 		}
-		if yes {
-			s.Process.ApparmorProfile = name
-			return nil
-		}
-		p, err := loadData(name)
-		if err != nil {
-			return err
-		}
-		f, err := ioutil.TempFile(os.Getenv("XDG_RUNTIME_DIR"), p.Name)
-		if err != nil {
-			return err
-		}
-		defer f.Close()
-		path := f.Name()
-		defer os.Remove(path)
-
-		if err := generate(p, f); err != nil {
-			return err
-		}
-		if err := load(path); err != nil {
-			return errors.Wrapf(err, "load apparmor profile %s", path)
-		}
 		s.Process.ApparmorProfile = name
 		return nil
 	}
 }
+
+// LoadDefaultProfile ensures the default profile to be loaded with the given name.
+// Returns nil error if the profile is already loaded.
+func LoadDefaultProfile(name string) error {
+	yes, err := isLoaded(name)
+	if err != nil {
+		return err
+	}
+	if yes {
+		return nil
+	}
+	p, err := loadData(name)
+	if err != nil {
+		return err
+	}
+	f, err := ioutil.TempFile(os.Getenv("XDG_RUNTIME_DIR"), p.Name)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	path := f.Name()
+	defer os.Remove(path)
+
+	if err := generate(p, f); err != nil {
+		return err
+	}
+	if err := load(path); err != nil {
+		return errors.Wrapf(err, "load apparmor profile %s", path)
+	}
+	return nil
+}