From 8ead7a983706bc9ac7647a7b017d08b7bc1aadaa Mon Sep 17 00:00:00 2001 From: "Artyom V. Poptsov" Date: Fri, 6 Mar 2026 15:55:19 +0300 Subject: [PATCH] etc: apparmor.d: Fix "guix-daemon/guix-builder" policy. Currently Guix daemon would always fail to build packages that require execution of programs and scripts in "/tmp" directory (e.g. in "bootstrap" phase) on foreign distributions that use AppArmor as it denies such requests due to policy restrictions. This patch fixes "guix-daemon" AppArmor policy by allowing execution of programs in "/tmp" for "guix-builder". See * etc/apparmor.d/guix-daemon: Fix permissions for guix-daemon/guix-builder. Change-Id: Ib6a33fcc035011d7045da03346f3afeb598b7d7a Signed-off-by: Efraim Flashner --- etc/apparmor.d/guix-daemon | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/apparmor.d/guix-daemon b/etc/apparmor.d/guix-daemon index cb1ee92685..9ca9792030 100644 --- a/etc/apparmor.d/guix-daemon +++ b/etc/apparmor.d/guix-daemon @@ -51,7 +51,7 @@ profile guix-daemon @{guix_storedir}/*-{guix-daemon,guix}-*/bin/guix-daemon flag @{guix_storedir}/** rwlmkux, - owner /tmp/** rw, + owner /tmp/** rwux, @{PROC}/@{pid}/fd/ r,
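Review bot: on the changed `/tmp` rule, `ux` runs anything the builder owns under `/tmp/**` unconfined and without environment scrubbing, so a program written and then executed during a build leaves this profile entirely; because the same rule keeps `w`, the writable tree is also the executable one. Consider `owner /tmp/** rwix,` so that build scripts inherit the builder's confinement, or `Ux` if unconfined execution is really required, and narrow the glob if the build directories under `/tmp` have a predictable prefix. The neighbouring `@{guix_storedir}/** rwlmkux,` rule already uses `ux`, so if that is the intended model for builders, a one-line comment above the rule stating the reason from the commit message (the "bootstrap" phase executing programs and scripts in `/tmp`) would keep the exception from looking accidental.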