From f3d209e42a0abaabb0a34491b645f653fc035f16 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 19 Aug 2025 22:58:46 +0200
Subject: [PATCH] feat(profile): ensure nautilus can access root files.
---
 apparmor.d/groups/gvfs/gvfsd-admin | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin
index 4f845f316..e1b16cac3 100644
--- a/apparmor.d/groups/gvfs/gvfsd-admin
+++ b/apparmor.d/groups/gvfs/gvfsd-admin
@@ -22,14 +22,15 @@ profile gvfsd-admin @{exec_path} {
 /usr/share/mime/mime.cache r,
- @{MOUNTS}/{,**} rw,
-
- @{run}/mount/utab r,
- @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
-
- @{PROC}/@{pid}/fdinfo/@{int} r,
- @{PROC}/@{pid}/mountinfo r,
- @{PROC}/@{pid}/stat r,
+ #aa:lint ignore=too-wide
+ # Full access to system's data, but no write access to sensitive system directories
+ / r,
+ /*/ r,
+ /*/** rw,
+ deny @{sys}/** w,
+ deny @{PROC}/** w,
+ deny @{efi}/** w,
+ deny /dev/** w,
 include if exists
 }
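Review bot: The comment on the new block says there is no write access to sensitive system directories, but the four `deny` rules cover only `@{sys}`, `@{PROC}`, `@{efi}` and `/dev`, so `/*/** rw` still grants write to `/etc`, `/usr`, `/root`, `/var` and everything under `/run`, where the removed rule allowed only the gvfsd socket. If that breadth is intended so nautilus can reach root-owned files, the comment should say so, e.g. `# Full rw on the filesystem by design; only kernel interfaces, EFI and device nodes are write-protected`. Plain `deny` also suppresses the audit record, so for a profile this wide `audit deny @{sys}/** w,` (and likewise for the other three) would keep blocked writes visible in the logs. The profile starts above the hunk, so rules not shown here may already narrow this.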