From 273485217c79e3931c441c109f8d822e764a1875 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 12 Oct 2024 20:08:21 +0100
Subject: [PATCH] build: add the task to automatically attach disconnected path. Not yet enabled on build, as the profiles still require some testing.
---
 pkg/prebuild/builder/attach.go | 65 ++++++++++++++++++++++++++++++++++
 pkg/prebuild/cli/cli.go | 7 +++-
 2 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 pkg/prebuild/builder/attach.go
diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go
new file mode 100644
index 00000000..6fd70029
--- /dev/null
+++ b/pkg/prebuild/builder/attach.go
@@ -0,0 +1,65 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package builder
+
+import (
+ "regexp"
+ "strings"
+
+ "github.com/roddhjav/apparmor.d/pkg/prebuild"
+)
+
+var (
+ regProfile = regexp.MustCompile(`profile ([^ ]+)`)
+)
+
+type ReAttach struct {
+ prebuild.Base
+}
+
+func init() {
+ RegisterBuilder(&ReAttach{
+ Base: prebuild.Base{
+ Keyword: "attach",
+ Msg: "Re-attach disconnect path",
+ },
+ })
+}
+
+// Apply will re-attach the disconnected path
+// - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag
+// - Add the attached/base abstraction in the profile
+// - For compatibility, non disconnected profile will have the @{att} variable set to /
+func (b ReAttach) Apply(opt *Option, profile string) (string, error) {
+ var insert string
+ var origin = "profile " + opt.Name
+
+ if strings.Contains(profile, "attach_disconnected") {
+ insert = "@{att} = /att/" + opt.Name + "/\n"
+ profile = strings.Replace(profile,
+ "attach_disconnected",
+ "attach_disconnected,attach_disconnected.path=@{att}", -1,
+ )
+
+ old := "include if exists "
+ new := "include \n " + old
+ profile = strings.Replace(profile, old, new, 1)
+
+ for _, match := range regProfile.FindAllStringSubmatch(profile, -1) {
+ name := match[1]
+ if name == opt.Name {
+ continue
+ }
+ old = "include if exists "
+ new = "include \n " + old
+ profile = strings.Replace(profile, old, new, 1)
+ }
+
+ } else {
+ insert = "@{att} = /\n"
+ }
+
+ return strings.Replace(profile, origin, insert+origin, 1), nil
+}
diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go
index 932851d0..2821d52c 100644
--- a/pkg/prebuild/cli/cli.go
+++ b/pkg/prebuild/cli/cli.go
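Review bot: In `Apply`, `strings.Replace(profile, "attach_disconnected", "attach_disconnected,attach_disconnected.path=@{att}", -1)` rewrites every occurrence of the substring rather than the flag token, so a profile that already carries `attach_disconnected.path=...`, or that mentions the word in a comment, comes out with a malformed flags list; the `strings.Contains` test that selects the branch has the same looseness. Since the output is confinement policy and a profile that no longer parses may fail to load, the match is worth anchoring to the token and its delimiter, for example `regAttach = regexp.MustCompile("attach_disconnected([,)\\s])")` with `profile = regAttach.ReplaceAllString(profile, "attach_disconnected,attach_disconnected.path=@{att}${1}")`. The final `origin` replacement has a related prefix problem: `"profile " + opt.Name` also matches a longer profile name that merely starts with `opt.Name`, and only the first hit is rewritten. As a style point, the locals `old` and `new` shadow the builtin `new`; names such as `oldInc`/`newInc` would avoid that.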
@@ -88,8 +88,13 @@ func Prebuild() {
 if abi != nilABI {
 prebuild.ABI = abi
 }
- if prebuild.ABI == 3 {
+ switch prebuild.ABI {
+ case 3:
 builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0
+ case 4:
+ // builder.Register("attach") // Re-attach disconnect path
+ default:
+ logging.Fatal("Invalid ABI version: %d", prebuild.ABI)
 }
 if file != "" {
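Review bot: The `case 4:` arm holds only a commented-out `builder.Register("attach")`, so the reason the builder is disabled lives in the commit message rather than in the code; a marker such as `// TODO: enable builder.Register("attach") once the profiles are tested with attach_disconnected.path` would keep that visible to the next reader. The new `default:` arm makes every ABI value other than 3 or 4 fatal, where the old `if` let them pass silently; whether `prebuild.ABI` can default to anything else is not visible in this hunk, so that is worth confirming before merge. `Prebuild` starts before and continues after the hunk.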