From 80cc72689702dce8896942a2d3e3f8a27d6defc5 Mon Sep 17 00:00:00 2001
From: shenmo <jifengshenmo@outlook.com>
Date: Tue, 7 May 2024 13:51:50 +0800
Subject: [PATCH] apparmor

---
 src/DEBIAN/control                   | 2 +-
 src/DEBIAN/postinst                  | 3 +--
 src/etc/apparmor.d/amber-ce-bookworm | 7 +++++++
 3 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 src/etc/apparmor.d/amber-ce-bookworm

diff --git a/src/DEBIAN/control b/src/DEBIAN/control
index 5a0bd1b..5e200f0 100755
--- a/src/DEBIAN/control
+++ b/src/DEBIAN/control
@@ -4,5 +4,5 @@ Section: misc
 Priority: optional
 Depends: bubblewrap,flatpak,zenity,policykit-1,gcc,systemd,procps
 Maintainer: shenmo <shenmo@spark-app.store>
-Architecture: arm64
+Architecture: amd64
 Description: bwrap wrapper for install and running debs inside a bookworm container
diff --git a/src/DEBIAN/postinst b/src/DEBIAN/postinst
index 0e0792e..b79ff81 100755
--- a/src/DEBIAN/postinst
+++ b/src/DEBIAN/postinst
@@ -19,7 +19,6 @@ systemctl enable ace-bookworm-auto-upgrade
 systemctl start ace-bookworm-auto-upgrade
 fi
 
-
-sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+systemctl reload apparmor
 
 true
diff --git a/src/etc/apparmor.d/amber-ce-bookworm b/src/etc/apparmor.d/amber-ce-bookworm
new file mode 100644
index 0000000..5555573
--- /dev/null
+++ b/src/etc/apparmor.d/amber-ce-bookworm
@@ -0,0 +1,7 @@
+abi <abi/4.0>,
+include <tunables/global>
+profile bwrap /usr/bin/bwrap flags=(unconfined) {
+userns,
+#Site-specific additions and overrides. See local/README for details.
+include if exists <local/bwrap>
+}