From 1118d2ffc5bdde1def44447be76715d55f10bd5a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Mon, 16 Jun 2025 23:17:45 +0200
Subject: [PATCH] build: use the base-strict abstraction automatically.

---
 apparmor.d/abstractions/attached/base | 6 +++---
 pkg/prebuild/builder/attach.go        | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base
index 4c35d915d..e394c5b99 100644
--- a/apparmor.d/abstractions/attached/base
+++ b/apparmor.d/abstractions/attached/base
@@ -8,14 +8,14 @@
 
   abi <abi/4.0>,
 
-  include <abstractions/base>
+  include <abstractions/base-strict>
 
   @{att}/@{run}/systemd/journal/dev-log w,
   @{att}/@{run}/systemd/journal/socket w,
   @{att}/@{run}/systemd/journal/stdout rw,
 
-  deny /apparmor/.null rw,
-  deny @{att}/apparmor/.null rw,
+  /apparmor/.null rw,
+  @{att}/apparmor/.null rw,
 
   include if exists <abstractions/attached/base.d>
 
diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go
index f7f0c9bed..aeafcbf7d 100644
--- a/pkg/prebuild/builder/attach.go
+++ b/pkg/prebuild/builder/attach.go
@@ -49,6 +49,10 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) {
 
 	} else {
 		insert = "@{att} = /\n"
+		profile = strings.ReplaceAll(profile,
+			"include <abstractions/base>",
+			"include <abstractions/base-strict>",
+		)
 	}
 
 	return strings.Replace(profile, origin, insert+origin, 1), nil