build: enforce the use on the default profile on full mode.

cmd/prebuild/main.go

@@ -47,6 +47,7 @@ func aaPrebuild() error {
 
 	if full {
 		prebuild.Prepares = append(prebuild.Prepares, prebuild.SetFullSystemPolicy)
+		prebuild.Builds = append(prebuild.Builds, prebuild.BuildFullSystemPolicy)
 	} else {
 		prebuild.Prepares = append(prebuild.Prepares, prebuild.SetDefaultSystemd)
 	}

pkg/prebuild/build.go

@@ -22,6 +22,9 @@ var (
 	regAttachments      = regexp.MustCompile(`(profile .* @{exec_path})`)
 	regFlags            = regexp.MustCompile(`flags=\(([^)]+)\)`)
 	regProfileHeader    = regexp.MustCompile(` {`)
+	regFullSystemPolicy = util.ToRegexRepl([]string{
+		`r(PU|U)x,`, `rPx,`,
+	})
 	regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
 		`abi/3.0`, `abi/4.0`,
 		`# userns,`, `userns,`,
@@ -91,3 +94,10 @@ func BuildABI3(profile string) string {
 	}
 	return profile
 }
+
+func BuildFullSystemPolicy(profile string) string {
+	for _, full := range regFullSystemPolicy {
+		profile = full.Regex.ReplaceAllString(profile, full.Repl)
+	}
+	return profile
+}