From 7aae9f0dd7a14bfd37246992f1c11a4c96bd8e21 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 24 Aug 2025 23:30:54 +0200
Subject: [PATCH] build: add stacked-dbus builder

Resolve peer label variable in dbus rules. It create a full dbus rule by item in a variable when it is used a peer label.

For ubuntu with apparmor 4.1+

See https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190
---
 pkg/prebuild/builder/stacked-dbus.go | 105 +++++++++++++++++++++++++++
 pkg/prebuild/cli/cli.go | 18 +++-
 2 files changed, 116 insertions(+), 7 deletions(-)
 create mode 100644 pkg/prebuild/builder/stacked-dbus.go

diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go
new file mode 100644
index 000000000..d572e9d31
--- /dev/null
+++ b/pkg/prebuild/builder/stacked-dbus.go
@@ -0,0 +1,105 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package builder
+
+import (
+ "slices"
+ "strings"
+
+ "github.com/roddhjav/apparmor.d/pkg/aa"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild"
+)
+
+var (
+ resolve = map[string][]string{
+ `"@{p_dbus_system}"`: {"dbus-system", "dbus-system//&unconfined"},
+ `"@{p_dbus_session}"`: {"dbus-session", "dbus-session//&unconfined"},
+ }
+)
+
+// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190
+type StackedDbus struct {
+ prebuild.Base
+}
+
+func init() {
+ RegisterBuilder(&StackedDbus{
+ Base: prebuild.Base{
+ Keyword: "stacked-dbus",
+ Msg: "Fix: resolve peer label variable in dbus rules",
+ },
+ })
+}
+
+func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) {
+ var raw string
+ paragraphs := []string{}
+ rulesByParagraph := aa.ParaRules{}
+
+ switch kind {
+ case aa.ProfileKind:
+ f := &aa.AppArmorProfileFile{}
+ nb, err := f.Parse(profile)
+ if err != nil {
+ return nil, nil, err
+ }
+ lines := strings.Split(profile, "\n")
+ raw = strings.Join(lines[nb:], "\n")
+
+ case aa.AbstractionKind, aa.TunableKind:
+ raw = profile
+ }
+ raw = profile
+
+ r, par, err := aa.ParseRules(raw)
+ if err != nil {
+ return nil, nil, err
+ }
+ rulesByParagraph = append(rulesByParagraph, r...)
+ paragraphs = append(paragraphs, par...)
+ return rulesByParagraph, paragraphs, nil
+}
+
+func (b StackedDbus) Apply(opt *Option, profile string) (string, error) {
+ kind := aa.KindFromPath(opt.File)
+ if kind == aa.TunableKind {
+ return profile, nil
+ }
+
+ toResolve := []string{}
+ for k := range resolve {
+ toResolve = append(toResolve, k)
+ }
+
+ rulesByParagraph, paragraphs, err := parse(kind, profile) //
+ if err != nil {
+ return "", err
+ }
+ for idx, rules := range rulesByParagraph {
+ changed := false
+ newRules := aa.Rules{}
+ for _, rule := range rules {
+ switch rule := rule.(type) {
+ case *aa.Dbus:
+ if slices.Contains(toResolve, rule.PeerLabel) {
+ changed = true
+ for _, label := range resolve[rule.PeerLabel] {
+ newRule := *rule
+ newRule.PeerLabel = label
+ newRules = append(newRules, &newRule)
+ }
+ } else {
+ newRules = append(newRules, rule)
+ }
+ default:
+ newRules = append(newRules, rule)
+ }
+ }
+ if changed {
+ profile = strings.ReplaceAll(profile, paragraphs[idx], newRules.String()+"\n")
+ }
+ }
+ return profile, nil
+}
diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go
index ab221e485..8abfb4323 100644
--- a/pkg/prebuild/cli/cli.go
+++ b/pkg/prebuild/cli/cli.go
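Review bot: The unconditional `raw = profile` placed right after the `switch` in `parse` overrides the result of every branch, so the ProfileKind branch's header skipping (`nb`, `lines`, `strings.Join`) is dead code and `aa.ParseRules` always receives the whole file including the profile header; if that is the intent, drop the switch and the `raw` variable, otherwise delete the stray assignment, and likewise remove the empty trailing `//` on the `parse(kind, profile)` call in `Apply`. In `Apply`, `toResolve` only serves a membership test that the map already answers, so `if labels, ok := resolve[rule.PeerLabel]; ok { ... }` replaces the slice, the `slices.Contains` call and the `slices` import in one lookup. `newRule := *rule` is a shallow copy, so if `aa.Dbus` carries slice or pointer fields the expanded rules share them — presumably harmless since only `PeerLabel` is rewritten, but worth confirming against the `aa` package. Note also that the `resolve` keys include the surrounding double quotes, so this relies on the parser keeping them in `PeerLabel`, and any other `@{p_…}` peer-label variable passes through untouched with no diagnostic; a short doc comment on `resolve` stating both of those assumptions would help the next maintainer, e.g. `// resolve maps a quoted peer-label variable, as kept by the rule parser, to the concrete labels it expands to (the plain profile and Ubuntu's stacked dbus profile).`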
@@ -108,16 +108,20 @@ func Configure() {
 case 3:
 builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0
 case 4:
- // Re-attach disconnected path, ignored on ubuntu 25.04+ due to a memory leak
- // that fully prevent profiles compilation with re-attached paths.
- // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730
- if prebuild.Distribution != "ubuntu" {
- builder.Register("attach")
- prepare.Register("attach")
- } else if prebuild.Release["VERSION_CODENAME"] == "noble" {
+ // Re-attach disconnected path
+ if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 {
+ // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent
+ // profiles compilation with re-attached paths.
+ // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730
+
+ // Use stacked-dbus builder to resolve dbus rules
+ builder.Register("stacked-dbus")
+
+ } else {
 builder.Register("attach")
 prepare.Register("attach")
 }
+
 default:
 logging.Fatal("Invalid ABI version: %d", prebuild.ABI)
 }
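Review bot: The new `prebuild.Version >= 4.1` gate in `case 4` uses the AppArmor version as a stand-in for "Ubuntu 25.04+", but the comment block underneath still only explains why `attach` is skipped, not that the version is a proxy for the release, and if `prebuild.Version` is a float a future 4.10 would compare lower than 4.2 — its type is not visible in this hunk, so confirm that before relying on it. Consider hoisting the explanation above the `if` as `// Ubuntu with AppArmor 4.1+ (25.04 and later): skip re-attach (kernel memory leak, LP#2098730, prevents compiling profiles with re-attached paths) and resolve dbus peer labels for its stacked dbus profile instead.` and keeping only `// Re-attach disconnected path` on the `else` branch. The two blank lines inside the branch are gofmt-clean but read as leftovers. `Configure` starts and ends outside the hunk.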