From ba217a261ed39ad0ec20e909a89ac3618c8fd180 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 22 Aug 2025 18:15:38 +0200
Subject: [PATCH] feat(profile): update flatpak profiles.

---
 apparmor.d/groups/flatpak/flatpak | 9 ++++-----
 apparmor.d/groups/flatpak/flatpak-app | 4 ++++
 apparmor.d/groups/flatpak/flatpak-portal | 6 ++++++
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak
index 4122e8055..c540b9db8 100644
--- a/apparmor.d/groups/flatpak/flatpak
+++ b/apparmor.d/groups/flatpak/flatpak
@@ -40,14 +40,12 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
   signal send peer=flatpak-app,
-  #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper
   #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
+  #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper
   #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
-  dbus send bus=session path=/org/freedesktop/portal/documents
-       interface=org.freedesktop.portal.Documents
-       member=GetMountPoint
-       peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"),
+  #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper
+  #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal
   @{exec_path} mr,
@@ -138,6 +136,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
   @{bin}/gpgconf mr,
   @{bin}/gpgsm mr,
   @{bin}/gpg-agent rix,
+  @{lib}/gnupg/scdaemon rix,
   @{HOME}/@{XDG_GPG_DIR}/*.conf r,
diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app
index f2cd0295a..e8fe195fb 100644
--- a/apparmor.d/groups/flatpak/flatpak-app
+++ b/apparmor.d/groups/flatpak/flatpak-app
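Review bot: The new `#aa:dbus talk bus=session name=org.freedesktop.portal.Documents ...` line replaces an explicit send rule that was limited to member=GetMountPoint; the talk directive presumably expands to send and receive rules for the whole Documents interface on that path, so the flatpak profile gains every Documents method rather than the single call it was granted before. If GetMountPoint is the only method flatpak uses, keeping the explicit four-line rule is tighter; otherwise a short comment naming which Documents methods flatpak needs would justify the wider grant. The removed rule also accepted label="{xdg-document-portal,unconfined}", while the directive names only xdg-document-portal, so on a host where the document portal runs unconfined the call will no longer match (logged only, since this profile carries the complain flag). The profile body continues outside the hunk.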
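Review bot: `@{lib}/gnupg/scdaemon rix,` runs the smartcard daemon under the flatpak profile itself, consistent with the `rix` given to gpg-agent on the line above, but scdaemon typically needs card-reader access (a pcscd socket or USB device nodes) that this profile does not otherwise grant, and with the complain flag those accesses will surface as ALLOWED audit entries rather than being blocked. If the project ships a dedicated scdaemon profile, `@{lib}/gnupg/scdaemon rPx,` would keep that hardware access out of flatpak's own rule set; if inheriting is intended, a comment such as `# spawned by gpg-agent when a smartcard is configured` would record why. The profile body continues outside the hunk.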
@@ -48,6 +48,10 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
   signal receive set=(int term) peer=flatpak-portal,
   signal receive set=(int term) peer=flatpak-session-helper,
+  unix type=seqpacket peer=(label=dbus-session),
+  # unix type=seqpacket peer=(label=unconfined),
+  unix type=seqpacket peer=(label=xdg-dbus-proxy),
+
   @{bin}/** rmix,
   @{lib}/** rmix,
   /app/** rmix,
diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal
index ac1e41894..b86f0a4fd 100644
--- a/apparmor.d/groups/flatpak/flatpak-portal
+++ b/apparmor.d/groups/flatpak/flatpak-portal
@@ -10,6 +10,7 @@ include
 profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
   include
   include
+  include
   include
   capability sys_ptrace,
@@ -22,6 +23,11 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
   #aa:dbus own bus=session name=org.freedesktop.portal.Flatpak
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
   @{exec_path} mr,
   @{bin}/flatpak rPx,
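Review bot: The two active `unix type=seqpacket` rules carry no access list, so each grants every peer-bearing unix socket permission (connect, accept, send, receive, ...) towards dbus-session and xdg-dbus-proxy, rather than the client-side subset a sandboxed app would use; `unix (connect, send, receive) type=seqpacket peer=(label=dbus-session),` follows least privilege if that is all flatpak-app needs, which the audit log should confirm. The commented-out `peer=(label=unconfined)` line gives no reason for being kept disabled; a one-line comment stating when it should be re-enabled (presumably hosts where the session bus daemon runs without a profile) would keep it from being treated as dead code. The flatpak-app profile body continues outside the hunk.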
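Review bot: The new `dbus receive` rule for Introspect from gnome-shell has no `path=`, so gnome-shell may introspect every object this portal exports rather than only the portal object; introspection reveals only interface shape, so the risk is low, but `path=/org/freedesktop/portal/Flatpak` would match the narrowness of the other rules in the file, unless gnome-shell is observed walking the root path first. The `#aa:dbus own` directive just above may already generate an Introspectable receive rule; if the explicit rule exists only because the peer label differs, a comment such as `# gnome-shell introspects the portal before calling it` would stop a future cleanup from removing it. The profile body continues outside the hunk.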