From 53df40b8ac3b95eab40ed8e4ffe41f9c4f52d2eb Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Fri, 22 Aug 2025 20:40:36 +0200
Subject: [PATCH] feat(profile) gvfs: more dbus integration.

---
 apparmor.d/groups/gvfs/gvfsd-dnssd   |  5 +++++
 apparmor.d/groups/gvfs/gvfsd-http    |  1 +
 apparmor.d/groups/gvfs/gvfsd-network | 10 ++++++++++
 apparmor.d/groups/gvfs/gvfsd-recent  |  5 +++++
 apparmor.d/groups/gvfs/gvfsd-sftp    | 26 ++++++++++++++++++++++++++
 apparmor.d/groups/gvfs/gvfsd-wsdd    | 13 ++++++++++++-
 6 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd
index 6c61dbba4..ab786106c 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@@ -38,6 +38,11 @@ profile gvfsd-dnssd @{exec_path} {
        member=Introspect
        peer=(name=@{busname}, label=gnome-shell),
 
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
   @{exec_path} mr,
 
   owner @{run}/user/@{uid}/gvfsd/ rw,
diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http
index 5812c8a6e..f51ef2afe 100644
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@@ -11,6 +11,7 @@ include <tunables/global>
 profile gvfsd-http @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
+  include <abstractions/bus/org.gtk.vfs.Daemon>
   include <abstractions/dconf-write>
   include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network
index cd64d81ad..1af0a2b37 100644
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@@ -32,6 +32,16 @@ profile gvfsd-network @{exec_path} {
        member={MountLocation,LookupMount,RegisterMount}
        peer=(name="@{busname}", label=gvfsd),
 
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
+  dbus send bus=session path=/org/gtk/vfs/Daemon
+       interface=org.gtk.vfs.Daemon
+       member=GetConnection
+       peer=(name=@{busname}),
+
   @{exec_path} mr,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent
index 042b66a68..1219c8cbd 100644
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@@ -33,6 +33,11 @@ profile gvfsd-recent @{exec_path} {
        member=RegisterMount
        peer=(name="@{busname}", label=gvfsd),
 
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
   @{exec_path} mr,
 
   # Full access to user's data
diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp
index 157af621c..76bb55e98 100644
--- a/apparmor.d/groups/gvfs/gvfsd-sftp
+++ b/apparmor.d/groups/gvfs/gvfsd-sftp
@@ -10,10 +10,36 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-sftp
 profile gvfsd-sftp @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/consoles>
   include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>
 
+  #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}
+
+  dbus receive bus=session path=/org/gtk/vfs/Daemon
+       interface=org.gtk.vfs.Daemon
+       member=GetConnection
+       peer=(name=@{busname}, label=gnome-extension-gsconnect),
+  dbus receive bus=session path=/org/gtk/vfs/Daemon
+       interface=org.gtk.vfs.Daemon
+       member=GetConnection
+       peer=(name=@{busname}, label=nautilus),
+
+  dbus receive bus=session path=/org/gtk/vfs/mountable
+       interface=org.gtk.vfs.Mountable
+       member=Mount
+       peer=(name=:*, label=gvfsd),
+  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
+       interface=org.gtk.vfs.Spawner
+       member=Spawned
+       peer=(name=:*, label=gvfsd),
+  dbus send bus=session path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=RegisterMount
+       peer=(name=:*, label=gvfsd),
+
   @{exec_path} mr,
 
   @{bin}/ssh  rPx,
diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd
index 209971ac2..0dee4e73b 100644
--- a/apparmor.d/groups/gvfs/gvfsd-wsdd
+++ b/apparmor.d/groups/gvfs/gvfsd-wsdd
@@ -13,6 +13,7 @@ profile gvfsd-wsdd @{exec_path} {
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.NetworkManager>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/nameservice-strict>
 
   network netlink raw,
 
@@ -31,9 +32,19 @@ profile gvfsd-wsdd @{exec_path} {
        member=RegisterMount
        peer=(name="@{busname}", label=gvfsd),
 
+  dbus receive bus=session path=/org/gtk/vfs/Daemon
+       interface=org.gtk.vfs.Daemon
+       member=GetConnection
+       peer=(name=@{busname}, label=gvfsd-network),
+
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
   @{exec_path} mr,
 
-  @{bin}/env r,
+  @{bin}/env mr,
   @{bin}/wsdd rPx,
 
         @{run}/mount/utab r,