Restart entire container-manager script outside of AppArmor confinement

scripts/container-manager.sh

@@ -27,6 +27,11 @@ else
 	ARCH="$SNAP_ARCH-linux-gnu"
 fi
 
+# Re-exec outside of apparmor confinement
+if [ -d /sys/kernel/security/apparmor ] && [ "$(cat /proc/self/attr/current)" != "unconfined" ]; then
+	exec /usr/sbin/aa-exec -p unconfined -- "$0" "$@"
+fi
+
 start() {
 	# Make sure our setup path for the container rootfs
 	# is present as lxc is statically configured for
@@ -40,13 +45,6 @@ start() {
 	# Ensure FUSE support for user namespaces is enabled
 	echo Y | tee /sys/module/fuse/parameters/userns_mounts || echo "WARNING: kernel doesn't support fuse in user namespaces"
 
-	# Only try to use AppArmor when the kernel has support for it
-	AA_EXEC="$SNAP/usr/sbin/aa-exec -p unconfined --"
-	if [ ! -d /sys/kernel/security/apparmor ]; then
-		echo "WARNING: AppArmor support is not available!"
-		AA_EXEC=""
-	fi
-
 	# liblxc.so.1 is in $SNAP/lib
 	export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$SNAP/liblxc"
 
@@ -77,7 +75,7 @@ start() {
 		EXTRA_ARGS="$EXTRA_ARGS --privileged"
 	fi
 
-	exec "$AA_EXEC" "$SNAP"/bin/anbox-wrapper.sh container-manager \
+	exec "$SNAP"/bin/anbox-wrapper.sh container-manager \
 		"$EXTRA_ARGS" \
 		--data-path="$DATA_PATH" \
 		--android-image="$ANDROID_IMG" \