containers · mtrmac · Apr 24, 2026 · Apr 23, 2026 · kolyshkin · Apr 24, 2026
diff --git a/common/go.mod b/common/go.mod
@@ -27,7 +27,6 @@ require (
 	github.com/opencontainers/cgroups v0.0.6
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
-	github.com/opencontainers/runc v1.4.2
 	github.com/opencontainers/runtime-spec v1.3.0
 	github.com/opencontainers/runtime-tools v0.9.1-0.20260316125833-8a4db579f5c8
 	github.com/opencontainers/selinux v1.13.1

diff --git a/common/go.sum b/common/go.sum
@@ -200,8 +200,6 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/opencontainers/runc v1.4.2 h1:/AEjjXuVH9lTRl9ZyUFQj7oWBM7Xv00qFV6Vx9q5N3o=
-github.com/opencontainers/runc v1.4.2/go.mod h1:ufk5PTTsy5pnGBAvTh50e+eqGk01pYH2YcVxh557Qlk=
 github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
 github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20260316125833-8a4db579f5c8 h1:2NAWFjN0PmdIe3XojVL9wf3lJ1//VqAgc7MOSYHQslE=

diff --git a/common/pkg/apparmor/apparmor_linux.go b/common/pkg/apparmor/apparmor_linux.go
@@ -15,7 +15,6 @@ import (
 	"strings"
 	"text/template"
 
-	runcaa "github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/sirupsen/logrus"
 	"go.podman.io/common/pkg/apparmor/internal/supported"
 	"go.podman.io/storage/pkg/fileutils"
@@ -271,7 +270,7 @@ func CheckProfileAndLoadDefault(name string) (string, error) {
 	}
 
 	// Check if AppArmor is disabled and error out if a profile is to be set.
-	if !runcaa.IsEnabled() {
+	if !supported.IsEnabledOnHost() {
 		if name == "" {
 			return "", nil
 		}

diff --git a/common/pkg/apparmor/internal/supported/supported.go b/common/pkg/apparmor/internal/supported/supported.go
@@ -1,3 +1,5 @@
+//go:build linux
+
 package supported
 
 import (
@@ -8,8 +10,8 @@ import (
 	"path/filepath"
 	"sync"
 
-	runcaa "github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/sirupsen/logrus"
+	"go.podman.io/storage/pkg/fileutils"
 	"go.podman.io/storage/pkg/unshare"
 )
 
@@ -102,7 +104,7 @@ func (d *defaultVerifier) UnshareIsRootless() bool {
 }
 
 func (d *defaultVerifier) RuncIsEnabled() bool {
-	return runcaa.IsEnabled()
+	return IsEnabledOnHost()
 }
 
 func (d *defaultVerifier) OsStat(name string) (os.FileInfo, error) {
@@ -112,3 +114,19 @@ func (d *defaultVerifier) OsStat(name string) (os.FileInfo, error) {
 func (d *defaultVerifier) ExecLookPath(file string) (string, error) {
 	return exec.LookPath(file)
 }
+
+var isEnabledOnHost = sync.OnceValue(func() bool {
+	if err := fileutils.Exists("/sys/kernel/security/apparmor"); err != nil {
+		return false
+	}
+	buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled")
+	if err != nil {
+		return false
+	}
+	return len(buf) >= 1 && buf[0] == 'Y'
+})
+
+// IsEnabled returns true if apparmor is enabled for the host.
+func IsEnabledOnHost() bool {
+	return isEnabledOnHost()
+}
diff --git a/vendor/github.com/opencontainers/runc/LICENSE b/vendor/github.com/opencontainers/runc/LICENSE
diff --git a/vendor/github.com/opencontainers/runc/NOTICE b/vendor/github.com/opencontainers/runc/NOTICE
diff --git a/vendor/github.com/opencontainers/runc/internal/linux/doc.go b/vendor/github.com/opencontainers/runc/internal/linux/doc.go
diff --git a/vendor/github.com/opencontainers/runc/internal/linux/eintr.go b/vendor/github.com/opencontainers/runc/internal/linux/eintr.go