build: enforce the use on the default profile on full mode.

cmd/prebuild/main.go

@@ -47,6 +47,7 @@ func aaPrebuild() error {
 
 	if full {
 		prebuild.Prepares = append(prebuild.Prepares, prebuild.SetFullSystemPolicy)
+		prebuild.Builds = append(prebuild.Builds, prebuild.BuildFullSystemPolicy)
 	} else {
 		prebuild.Prepares = append(prebuild.Prepares, prebuild.SetDefaultSystemd)
 	}

pkg/prebuild/build.go

@@ -19,10 +19,13 @@ var Builds = []BuildFunc{
 }
 
 var (
-	regAttachments   = regexp.MustCompile(`(profile .* @{exec_path})`)
+	regAttachments      = regexp.MustCompile(`(profile .* @{exec_path})`)
-	regFlags         = regexp.MustCompile(`flags=\(([^)]+)\)`)
+	regFlags            = regexp.MustCompile(`flags=\(([^)]+)\)`)
-	regProfileHeader = regexp.MustCompile(` {`)
+	regProfileHeader    = regexp.MustCompile(` {`)
-	regAbi4To3       = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
+	regFullSystemPolicy = util.ToRegexRepl([]string{
+		`r(PU|U)x,`, `rPx,`,
+	})
+	regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
 		`abi/3.0`, `abi/4.0`,
 		`# userns,`, `userns,`,
 	})
@@ -91,3 +94,10 @@ func BuildABI3(profile string) string {
 	}
 	return profile
 }
+
+func BuildFullSystemPolicy(profile string) string {
+	for _, full := range regFullSystemPolicy {
+		profile = full.Regex.ReplaceAllString(profile, full.Repl)
+	}
+	return profile
+}