#!/bin/bash

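# SCE check for AppArmor enforcement. The result is reported through the exit
# status, using the XCCDF_RESULT_* values read from the environment.
#
# The check fails when:
#   - the apparmor package is not installed (only "apparmor" is queried here;
#     apparmor-utils is not checked),
#   - the number of loaded profiles differs from the number of enforced ones,
#   - aa-status reports processes that are unconfined, or
#   - any of the counts cannot be read as a number.

# Stop with a non-zero status if the result codes are missing. With an empty
# expansion, `exit` would reuse the status of the previous command, which can
# be 0 and would hide a failure.
: "${XCCDF_RESULT_PASS:?XCCDF_RESULT_PASS is not set}"
: "${XCCDF_RESULT_FAIL:?XCCDF_RESULT_FAIL is not set}"

# Succeeds only when $1 is a non-empty string of decimal digits.
is_count() {
    [[ "$1" =~ ^[0-9]+$ ]]
}

# The single quotes are intentional: dpkg-query, not the shell, expands
# ${db:Status-Status}.
if ! dpkg-query --show --showformat='${db:Status-Status}' "apparmor" 2>/dev/null \
        | grep -q '^installed$'; then
    exit "${XCCDF_RESULT_FAIL}"
fi

loaded_profiles=$(/usr/sbin/aa-status --profiled)
enforced_profiles=$(/usr/sbin/aa-status --enforced)

# Fail closed: if aa-status printed nothing or something non-numeric (for
# example because it could not run or could not read the AppArmor state), an
# unquoted `[ ... -ne ... ]` would raise a syntax error, skip the branch and
# let the script fall through to PASS.
if ! is_count "${loaded_profiles}" || ! is_count "${enforced_profiles}"; then
    exit "${XCCDF_RESULT_FAIL}"
fi

# Every loaded profile must be in enforce mode.
if [ "${loaded_profiles}" -ne "${enforced_profiles}" ]; then
    exit "${XCCDF_RESULT_FAIL}"
fi

# First field of the "... processes are unconfined ..." line in the full
# aa-status report.
unconfined=$(/usr/sbin/aa-status | awk '/processes are unconfined/ { print $1 }')

# A missing or malformed line is treated as a failure, not as zero.
if ! is_count "${unconfined}"; then
    exit "${XCCDF_RESULT_FAIL}"
fi

if [ "${unconfined}" -ne 0 ]; then
    exit "${XCCDF_RESULT_FAIL}"
fi

exit "${XCCDF_RESULT_PASS}"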
