From 117e63d88fc2b782111c8b98885a26869bc1be93 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Fri, 14 Jun 2024 20:50:17 +0100
Subject: [PATCH] fix: ensure filter directive get cleaned on build.

---
 apparmor.d/abstractions/authentication.d/complete | 1 +
 pkg/prebuild/directive/core.go                    | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete
index 57ffc77f2..a6a4e3757 100644
--- a/apparmor.d/abstractions/authentication.d/complete
+++ b/apparmor.d/abstractions/authentication.d/complete
@@ -11,3 +11,4 @@
   @{lib}/security-misc/pam_faillock_not_if_x rPx,
   @{lib}/security-misc/pam-abort-on-locked-password rPx,
   @{lib}/security-misc/pam-info rPx,
+
diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go
index 53176b01d..d14dd4861 100644
--- a/pkg/prebuild/directive/core.go
+++ b/pkg/prebuild/directive/core.go
@@ -65,7 +65,7 @@ func NewOption(file *paths.Path, match []string) *Option {
 // Useful to remove directive text applied on some condition only
 func (o *Option) Clean(profile string) string {
 	reg := regexp.MustCompile(`\s*` + Keyword + o.Name + ` .*$`)
-	return reg.ReplaceAllString(profile, "")
+	return strings.Replace(profile, o.Raw, reg.ReplaceAllString(o.Raw, ""), 1)
 }
 
 func RegisterDirective(d Directive) {