authorAleksa Sarai <asarai@suse.com>2016-02-14 18:04:16 +1100
committerAleksa Sarai <asarai@suse.com>2016-02-15 20:36:07 +1100
commit4bf7a84c969b9309b0534a61af55b8bb824acc0a (patch)
treed82c7081df3be8dbb4b55573b746d4f2a0edb6e2 /profiles
parent7d9532552b433581253898052849524500a21ff5 (diff)
downloaddocker-4bf7a84c969b9309b0534a61af55b8bb824acc0a.tar.gz
apparmor: fix version checks to work properly
Nesting `{{if major}}{{if minor}}` checks doesn't work as expected when the major version changes. In addition, this didn't support patch levels (which is necessary in some cases when distributions ship apparmor weirdly).
Signed-off-by: Aleksa Sarai <asarai@suse.com>
Diffstat (limited to 'profiles')
-rw-r--r--profiles/apparmor/apparmor.go6
-rw-r--r--profiles/apparmor/template.go8
2 files changed, 6 insertions, 8 deletions
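--- a/profiles/apparmor/apparmor.go
+++ b/profiles/apparmor/apparmor.go
@@ -30,10 +30,8 @@ type profileData struct {
 Imports []string
 // InnerImports defines the apparmor functions to import in the profile.
 InnerImports []string
- // MajorVersion is the apparmor_parser major version.
- MajorVersion int
- // MinorVersion is the apparmor_parser minor version.
- MinorVersion int
+ // Version is the {major, minor, patch} version of apparmor_parser as a single number.
+ Version int
 }
 // generateDefault creates an apparmor profile from ProfileData.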
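Review bot: The new comment on `Version` says it is the {major, minor, patch} version "as a single number" but never states how the three parts are packed, so anyone reading the thresholds 208000 and 209000 in template.go has to reverse-engineer the encoding. From those constants it appears to be major*100000 + minor*1000 + patch, but the code that fills `Version` is outside this diff, so that should be confirmed before documenting it. Suggested replacement: `// Version is the apparmor_parser version packed as major*100000 + minor*1000 + patch (e.g. 2.9.1 -> 209001); template.go compares it against thresholds in the same encoding.` Because this field decides which ptrace and signal rules the generated profile contains, a value packed differently (for instance a minor or patch level that overflows its slot) would silently change the emitted policy, which is worth spelling out where the value is computed as well.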
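--- a/profiles/apparmor/template.go
+++ b/profiles/apparmor/template.go
@@ -38,13 +38,13 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 deny /sys/firmware/efi/efivars/** rwklx,
 deny /sys/kernel/security/** rwklx,
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}
+{{if ge .Version 208000}}
 # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
 ptrace (trace,read) peer=docker-default,
-{{end}}{{end}}
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+{{end}}
+{{if ge .Version 209000}}
 # docker daemon confinement requires explict allow rule for signal
 signal (receive) set=(kill,term) peer={{.ExecPath}},
-{{end}}{{end}}
+{{end}}
 }
 `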
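Review bot: The thresholds 208000 and 209000 in the new `{{if ge .Version ...}}` lines are bare magic numbers, whereas the old major/minor checks they replace were self-describing; the next maintainer has to know the packing to see that they mean 2.8 and 2.9. A `#` line above each block keeps that readable and, like the existing `# suppress ptrace denials` line, passes through into the generated profile as a comment, e.g. `# apparmor_parser >= 2.8 (Version = major*100000 + minor*1000 + patch)` before the ptrace block and the 2.9 counterpart before the signal block. Note also that a `Version` of 0 (presumably what the caller leaves when the parser version cannot be determined; that code is outside this diff) fails both `ge` tests and silently omits both rules, so the profile becomes stricter but the ptrace denials on 'docker ps' return — a comment stating that this fail-closed behaviour is intended would save a future debugging session. The `profile {{.Name}}` block these lines sit in begins before this hunk.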