From 0d124065b9b9077be160e4d622a37a15e95a297d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 22 Nov 2023 20:52:25 +0000
Subject: [PATCH] build: enforce the use on the default profile on full mode.
---
 cmd/prebuild/main.go | 1 +
 pkg/prebuild/build.go | 18 ++++++++++++++----
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
index f7767c63..a3c51514 100644
--- a/cmd/prebuild/main.go
+++ b/cmd/prebuild/main.go
@@ -47,6 +47,7 @@ func aaPrebuild() error {
 if full {
 prebuild.Prepares = append(prebuild.Prepares, prebuild.SetFullSystemPolicy)
+ prebuild.Builds = append(prebuild.Builds, prebuild.BuildFullSystemPolicy)
 } else {
 prebuild.Prepares = append(prebuild.Prepares, prebuild.SetDefaultSystemd)
 }
diff --git a/pkg/prebuild/build.go b/pkg/prebuild/build.go
index 0cdb64c6..9ebd4cb9 100644
--- a/pkg/prebuild/build.go
+++ b/pkg/prebuild/build.go
@@ -19,10 +19,13 @@ var Builds = []BuildFunc{
 }
 var (
- regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
- regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`)
- regProfileHeader = regexp.MustCompile(` {`)
- regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
+ regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
+ regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`)
+ regProfileHeader = regexp.MustCompile(` {`)
+ regFullSystemPolicy = util.ToRegexRepl([]string{
+ `r(PU|U)x,`, `rPx,`,
+ })
+ regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
 `abi/3.0`, `abi/4.0`,
 `# userns,`, `userns,`,
 })
@@ -91,3 +94,10 @@ func BuildABI3(profile string) string {
 }
 return profile
 }
+ func BuildFullSystemPolicy(profile string) string {
+ for _, full := range regFullSystemPolicy {
+ profile = full.Regex.ReplaceAllString(profile, full.Repl)
+ }
+ return profile
+}
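Review bot: The `r(PU|U)x,` pattern in `regFullSystemPolicy` only rewrites exec rules spelled exactly that way, so a rule with a different spelling (for example `PUx,` without a leading `r`, `CUx`, or the non-scrubbing `pux`/`ux` forms) would keep its unconfined fallback in full system policy mode. Whether such spellings occur in the shipped profiles is not visible from this hunk, so I would at least record the assumption next to the pattern, `// Only rules written as rPUx, or rUx, are rewritten; any other spelling keeps its unconfined fallback.`, and have the build warn or fail when an unconfined transition is still present after the rewrite. The pattern is unanchored and runs over the whole profile text, so it also rewrites matching text inside comments.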
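Review bot: `BuildFullSystemPolicy` is exported but has no doc comment, and the security intent of the rewrite is not stated anywhere in the new code. Something like `// BuildFullSystemPolicy replaces exec transitions that may fall back to unconfined (rPUx, rUx) with rPx, so that in full system policy mode the target always runs under a profile.` would cover it. The comment should also say that after the rewrite an exec of a target with no matching profile is denied instead of running unconfined; this presumably relies on the default profile installed by `SetFullSystemPolicy`, which is not visible in this hunk.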