From 88555a12d09bef4701b9da739585d4c076179297 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 19 Nov 2023 11:19:24 +0000
Subject: [PATCH] feat(profiles): add initial userns rule.

Require apparmor 4 to be enabled.
---
 apparmor.d/abstractions/chromium    | 2 ++
 apparmor.d/groups/virt/virtiofsd    | 2 ++
 apparmor.d/profiles-s-z/slirp4netns | 2 ++
 apparmor.d/profiles-s-z/thunderbird | 2 ++
 pkg/prebuild/build.go               | 8 +++-----
 5 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index 083bb16c..0507fd86 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -31,6 +31,8 @@
   include <abstractions/vulkan>
   include <abstractions/wayland>
 
+  # userns,
+
   capability setgid,
   capability setuid,
   capability sys_admin,
diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd
index 1eef0508..ac0ea5a4 100644
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
@@ -10,6 +10,8 @@ include <tunables/global>
 profile virtiofsd @{exec_path} {
   include <abstractions/base>
 
+  # userns,
+
   capability chown,
   capability dac_override,
   capability dac_read_search,
diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns
index 94dd1b3e..46b559da 100644
--- a/apparmor.d/profiles-s-z/slirp4netns
+++ b/apparmor.d/profiles-s-z/slirp4netns
@@ -10,6 +10,8 @@ include <tunables/global>
 profile slirp4netns @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
+  # userns,
+
   capability net_admin,
   capability setpcap,
   capability sys_admin,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 0a5cd08f..511343b6 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -35,6 +35,8 @@ profile thunderbird @{exec_path} {
   include <abstractions/vulkan>
   include <abstractions/wayland>
 
+  # userns,
+
   capability sys_admin, # If kernel.unprivileged_userns_clone = 1
   capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
 
diff --git a/pkg/prebuild/build.go b/pkg/prebuild/build.go
index add73dfc..0cdb64c6 100644
--- a/pkg/prebuild/build.go
+++ b/pkg/prebuild/build.go
@@ -22,11 +22,9 @@ var (
 	regAttachments   = regexp.MustCompile(`(profile .* @{exec_path})`)
 	regFlags         = regexp.MustCompile(`flags=\(([^)]+)\)`)
 	regProfileHeader = regexp.MustCompile(` {`)
-	regAbi4To3       = util.ToRegexRepl([]string{
-		`abi/4.0`, `abi/3.0`,
-		`(?m)^.*mqueue.*$`, ``,
-		`(?m)^.*userns.*$`, ``,
-		`(?m)^.*io_uring.*$`, ``,
+	regAbi4To3       = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
+		`abi/3.0`, `abi/4.0`,
+		`# userns,`, `userns,`,
 	})
 )