From 8d374ed8761dfd518e7d4f09e8ec699261d76b56 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 17 May 2025 22:25:27 +0200
Subject: [PATCH] feat(fsp): add tunables for the future systemd executor profiles.
---
 apparmor.d/tunables/multiarch.d/profiles | 2 ++
 pkg/prebuild/prepare/fsp.go | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles
index e966623d4..92ab19fc9 100644
--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@@ -9,7 +9,9 @@
 # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user`
 @{p_systemd}=unconfined
+@{p_systemd_executor}=unconfined
 @{p_systemd_user}=unconfined
+@{p_systemd_user_executor}=unconfined
 # Name of the dbus daemon profiles
 @{p_dbus_accessibility}=dbus-accessibility
diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go
index e46efe0e8..0d4c23076 100644
--- a/pkg/prebuild/prepare/fsp.go
+++ b/pkg/prebuild/prepare/fsp.go
@@ -40,7 +40,9 @@ func (p FullSystemPolicy) Apply() ([]string, error) {
 return res, err
 }
 out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd")
+ out = strings.ReplaceAll(out, "@{p_systemd_executor}=unconfined", "@{p_systemd_executor}=systemd-executor")
 out = strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user")
+ out = strings.ReplaceAll(out, "@{p_systemd_user_executor}=unconfined", "@{p_systemd_user_executor}=systemd-user-executor")
 if err := path.WriteFile([]byte(out)); err != nil {
 return res, err
 }
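Review bot: The comment above `@{p_systemd}` still lists only `unconfined`, `systemd` and `systemd-user`, so the values intended for the two new variables are undocumented. I would extend it to something like `# Name of the systemd profiles. Can be unconfined or systemd, systemd-executor, systemd-user, systemd-user-executor`. Since the subject calls the executor profiles "future", it is also worth a line saying that the non-default values only make sense once profiles with those names are actually shipped and loaded; whether they exist yet is not visible from this hunk.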
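Review bot: The four `strings.ReplaceAll` calls in `Apply` succeed silently when their search string is absent, so a later edit to `tunables/multiarch.d/profiles` (spacing, a renamed variable, a different default) would leave the full-system-policy build with the systemd executors still `unconfined` and no error reported. For a step whose purpose is to switch confinement on, it would be safer to check that each tunable is present before replacing it and fail the build otherwise. The old and new names now have to be kept in sync in two files by hand, and a table-driven loop makes that coupling easier to see. The sketch assumes `fmt` is imported in this file and that `path` formats usefully with `%s`; `Apply` starts and ends outside the hunk.

```go
// … unchanged: read tunables/multiarch.d/profiles into out …
for _, t := range [][2]string{
	{"p_systemd", "systemd"},
	{"p_systemd_executor", "systemd-executor"},
	{"p_systemd_user", "systemd-user"},
	{"p_systemd_user_executor", "systemd-user-executor"},
} {
	old := "@{" + t[0] + "}=unconfined"
	if !strings.Contains(out, old) {
		return res, fmt.Errorf("tunable %s not found in %s", t[0], path)
	}
	out = strings.ReplaceAll(out, old, "@{"+t[0]+"}="+t[1])
}
// … unchanged: path.WriteFile and the rest of Apply …
```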