From 483c0c107d611502578e12d9355004644f715e0f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:22:07 +0200 Subject: [PATCH] build: enable re-attach disconnected path by default Ignored on Ubuntu 25.04 and abi3.0 --- apparmor.d/tunables/multiarch.d/system | 5 ++-- pkg/prebuild/cli/cli.go | 11 +++++++- pkg/prebuild/prepare/attach.go | 37 ++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 3 deletions(-) create mode 100644 pkg/prebuild/prepare/attach.go diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 0eae0fde3..06cb42000 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -69,8 +69,9 @@ @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 -# Attachment path for attach_disconnected.path flag. -# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. +# Default attachment path when re-attached path disconnected path is ignored. +# Disabled on abi3 and Ubuntu 25.04+ +# See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ alias // -> /, diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 000aa65f9..237b0f0f8 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go 
@@ -108,7 +108,16 @@ func Configure() {
 case 3:
 builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0
 case 4:
- // builder.Register("attach") // Re-attach disconnected path
+ // Re-attach disconnected path, ignored on ubuntu 25.04+ due to a memory leak
+ // that fully prevent profiles compilation with re-attached paths.
+ // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730
+ if prebuild.Distribution != "ubuntu" {
+ builder.Register("attach")
+ prepare.Register("attach")
+ } else if prebuild.Release["VERSION_CODENAME"] == "noble" {
+ builder.Register("attach")
+ prepare.Register("attach")
+ }
 default:
 logging.Fatal("Invalid ABI version: %d", prebuild.ABI)
 }
diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go
new file mode 100644
index 000000000..a87ff9071
--- /dev/null
+++ b/pkg/prebuild/prepare/attach.go
@@ -0,0 +1,37 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2025 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package prepare
+
+import (
+ "strings"
+
+ "github.com/roddhjav/apparmor.d/pkg/prebuild"
+)
+
+type ReAttach struct {
+ prebuild.Base
+}
+
+func init() {
+ RegisterTask(&ReAttach{
+ Base: prebuild.Base{
+ Keyword: "attach",
+ Msg: "Configure tunable for re-attached path",
+ },
+ })
+}
+
+func (p ReAttach) Apply() ([]string, error) {
+ res := []string{}
+
+ // Remove the @{att} tunable that is going to be defined in profile header
+ path := prebuild.RootApparmord.Join("tunables/multiarch.d/system")
+ out, err := path.ReadFileAsString()
+ if err != nil {
+ return res, err
+ }
+ out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/")
+ return res, path.WriteFile([]byte(out))
+}
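Review bot: Under `case 4:` in pkg/prebuild/cli/cli.go the two branches have identical bodies, and the condition does not match the comment above it: the comment says re-attach is ignored on Ubuntu 25.04+, but the code enables it on Ubuntu only when `VERSION_CODENAME` is exactly `noble`, so every other Ubuntu release is excluded as well. A single allow-list condition, `if prebuild.Distribution != "ubuntu" || prebuild.Release["VERSION_CODENAME"] == "noble" {`, removes the duplication, and the comment should state that noble is the only Ubuntu release on which attach is registered. How Ubuntu derivatives that may ship the affected kernel populate `prebuild.Distribution` is not visible here and is worth confirming, since any value other than `ubuntu` takes the first branch. The switch and `Configure` continue outside the hunk.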
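Review bot: `Apply` in pkg/prebuild/prepare/attach.go reports success even when the literal `@{att}=/` does not occur in tunables/multiarch.d/system, so a spacing or value change on that tunable line would leave it active while, judging by the comment, the profile header is expected to define `@{att}` instead. A guard before the rewrite makes the build fail rather than ship an unintended attachment path: `if !strings.Contains(out, "@{att}=/") { return res, fmt.Errorf("@{att} tunable not found") }`, with `fmt` added to the imports. `strings.ReplaceAll` is also not anchored to the start of a line, so it rewrites any longer value that begins with `@{att}=/` and turns an already commented line into `# # @{att}=/` on a second run. The exported `ReAttach` type and its `Apply` method have no doc comments; one sentence each, noting that the task edits the tunables file in place, would help.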