From e02bf03ccaf009b0adaa35c09edcab9bb0426217 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 14 Feb 2024 23:58:18 +0000
Subject: [PATCH] feat(tunable): add new system_user variable.

---
 apparmor.d/tunables/multiarch.d/system | 1 +
 pkg/prebuild/prepare.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index e3e97f718..6c9bf2dd5 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -56,6 +56,7 @@
 
 # Name of the systemd profile: unconfined || systemd
 @{systemd}=unconfined
+@{systemd_user}=unconfined
 
 # Udev data dynamic assignment ranges
 @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go
index 82390c7f3..d16f38f70 100644
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@@ -206,6 +206,7 @@ func SetFullSystemPolicy() ([]string, error) {
 		return res, err
 	}
 	out := strings.Replace(string(content), "@{systemd}=unconfined", "@{systemd}=systemd", -1)
+	out = strings.Replace(out, "@{systemd_user}=unconfined", "@{systemd_user}=systemd-user", -1)
 	if err := path.WriteFile([]byte(out)); err != nil {
 		return res, err
 	}
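Review bot: The comment on the preceding context line, `# Name of the systemd profile: unconfined || systemd`, documents only `@{systemd}` and its two accepted values, so a reader of the tunable file gets no hint that `@{systemd_user}` exists or which confined value it takes. A comment of its own above the added line, `# Name of the systemd user profile: unconfined || systemd-user`, would keep both tunables documented the same way (the `systemd-user` value is what the Go hunk of this commit substitutes in). The commit subject also says `system_user` where the variable added here is `systemd_user`, which looks like a typo worth fixing before merge.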
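Review bot: The result of the added Replace is never verified, so if the tunable file does not contain `@{systemd_user}=unconfined` byte-for-byte (an older tunable file without the line, or a changed default) the call silently leaves the systemd user manager unconfined while the build still claims a full-system policy; the existing `@{systemd}` replacement on the line above has the same gap. Checking that the substitution took effect before the write, e.g. `if !strings.Contains(out, "@{systemd_user}=systemd-user") { return res, fmt.Errorf("full system policy: @{systemd_user} tunable not set in %s", path) }`, turns that silent no-op into a build failure. Whether `fmt` (or `errors`) is already imported in prepare.go is not visible from the hunk. As a point of style, `strings.ReplaceAll(out, old, new)` is the idiomatic form of `strings.Replace(..., -1)` for both lines. SetFullSystemPolicy's body starts before and continues past the hunk.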