From 8d71574e4d61a2ddf98026c3ece6654ca5faa124 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 5 Apr 2025 21:31:51 +0200
Subject: [PATCH] build: improve the use of attached/base.

---
 apparmor.d/abstractions/attached/base     |  2 ++
 apparmor.d/abstractions/attached/consoles |  2 ++
 pkg/prebuild/builder/attach.go            | 21 ++++++---------------
 3 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base
index 4fcfe2665..c69a442c1 100644
--- a/apparmor.d/abstractions/attached/base
+++ b/apparmor.d/abstractions/attached/base
@@ -7,6 +7,8 @@
 
   abi <abi/4.0>,
 
+  include if exists <abstractions/base>
+
   @{att}/@{run}/systemd/journal/dev-log w,
   @{att}/@{run}/systemd/journal/socket w,
   @{att}/@{run}/systemd/journal/stdout rw,
diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles
index 82c3c3f7a..b6e72c877 100644
--- a/apparmor.d/abstractions/attached/consoles
+++ b/apparmor.d/abstractions/attached/consoles
@@ -3,6 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
+  # Do not use it manually, it is automatically included in profiles when it is required.
+
   abi <abi/4.0>,
 
   # There are the common ways to refer to consoles
diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go
index ca3d1dc48..c1b27143e 100644
--- a/pkg/prebuild/builder/attach.go
+++ b/pkg/prebuild/builder/attach.go
@@ -30,7 +30,8 @@ func init() {
 
 // Apply will re-attach the disconnected path
 //   - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag
-//   - Add the attached/base abstraction in the profile
+//   - Replace the base abstraction by attached/base
+//   - Replace the consoles abstraction by attached/consoles
 //   - For compatibility, non disconnected profile will have the @{att} variable set to /
 func (b ReAttach) Apply(opt *Option, profile string) (string, error) {
 	var insert string
@@ -42,25 +43,15 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) {
 			"attach_disconnected",
 			"attach_disconnected,attach_disconnected.path=@{att}",
 		)
+		profile = strings.ReplaceAll(profile,
+			"include <abstractions/base>",
+			"include <abstractions/attached/base>",
+		)
 		profile = strings.ReplaceAll(profile,
 			"include <abstractions/consoles>",
 			"include <abstractions/attached/consoles>",
 		)
 
-		old := "include if exists <local/" + opt.Name + ">"
-		new := "include <abstractions/attached/base>\n  " + old
-		profile = strings.Replace(profile, old, new, 1)
-
-		for _, match := range regProfile.FindAllStringSubmatch(profile, -1) {
-			name := match[1]
-			if name == opt.Name {
-				continue
-			}
-			old = "include if exists <local/" + opt.Name + "_" + name + ">"
-			new = "include <abstractions/attached/base>\n    " + old
-			profile = strings.Replace(profile, old, new, 1)
-		}
-
 	} else {
 		insert = "@{att} = /\n"
 	}