feat(profile): update gvfs profiles.

apparmor.d/groups/gvfs/gvfsd

@@ -37,6 +37,7 @@ profile gvfsd @{exec_path} {
 
   @{sh_path}              rix,
   @{lib}/{,gvfs/}gvfsd-*  rpx,
+  @{bin}/pkexec           rCx -> pkexec,
 
   /usr/share/gvfs/{,**} r,
 
@@ -45,6 +46,17 @@ profile gvfsd @{exec_path} {
 
   owner @{PROC}/@{pid}/fd/ r,
 
+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    ptrace read peer=gvfsd,
+
+    @{lib}/{,gvfs/}gvfsd-admin rPx,
+
+    include if exists <local/gvfsd_pkexec>
+  }
+
   include if exists <local/gvfsd>
 }
 

apparmor.d/groups/gvfs/gvfsd-admin

@@ -10,9 +10,27 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin
 profile gvfsd-admin @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability setuid,
 
   @{exec_path} mr,
 
+  /usr/share/mime/mime.cache r,
+
+  @{MOUNTS}/{,**} rw,
+
+  @{run}/mount/utab r,
+  @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
+
+  @{PROC}/@{pid}/fdinfo/@{int} r,
+  @{PROC}/@{pid}/mountinfo r,
+  @{PROC}/@{pid}/stat r,
+
   include if exists <local/gvfsd-admin>
 }
 

apparmor.d/groups/gvfs/gvfsd-http

@@ -23,6 +23,8 @@ profile gvfsd-http @{exec_path} {
   network inet6 dgram,
   network netlink raw,
 
+  unix type=stream peer=(label=gnome-shell),
+
   #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable