From fecb4dbca6645341359e367e80d70a5e222f13be Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Thu, 11 Sep 2025 23:06:35 +0200
Subject: [PATCH] feat(profile): update flatpak profiles.

---
 apparmor.d/groups/flatpak/flatpak                | 13 +++++++++++++
 apparmor.d/groups/flatpak/flatpak-portal         |  1 +
 apparmor.d/groups/flatpak/flatpak-session-helper |  5 +++++
 apparmor.d/groups/flatpak/flatpak-system-helper  |  1 +
 4 files changed, 20 insertions(+)

diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak
index e73408a0a..bd749db40 100644
--- a/apparmor.d/groups/flatpak/flatpak
+++ b/apparmor.d/groups/flatpak/flatpak
@@ -40,6 +40,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 
   signal send peer=flatpak-app,
 
+  unix type=seqpacket peer=(label=flatpak-system-helper),
+  unix type=stream    peer=(label=flatpak//fusermount),
+
   #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
   #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper
   #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
@@ -47,6 +50,16 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
   #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper
   #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal
 
+  dbus send bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=ReloadConfig
+       peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined),
+
+  dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper
+       interface=org.freedesktop.Flatpak.SystemHelper
+       member=GetRevokefsFd
+       peer=(name=org.freedesktop.Flatpak.SystemHelper),
+
   @{exec_path} mr,
 
   @{bin}/bwrap               rPx -> flatpak-app,
diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal
index fdbdb9189..97f9f4911 100644
--- a/apparmor.d/groups/flatpak/flatpak-portal
+++ b/apparmor.d/groups/flatpak/flatpak-portal
@@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
   include <abstractions/mime>
   include <abstractions/nameservice-strict>
 
diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper
index 162e3b448..8a8f5afb7 100644
--- a/apparmor.d/groups/flatpak/flatpak-session-helper
+++ b/apparmor.d/groups/flatpak/flatpak-session-helper
@@ -21,6 +21,11 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
 
   #aa:dbus own bus=session name=org.freedesktop.Flatpak
 
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
   @{exec_path} mr,
 
   @{shells_path}                       rUx -> user_unconfined,
diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper
index cdfef1bad..0bd74bdcb 100644
--- a/apparmor.d/groups/flatpak/flatpak-system-helper
+++ b/apparmor.d/groups/flatpak/flatpak-system-helper
@@ -34,6 +34,7 @@ profile flatpak-system-helper @{exec_path} {
   unix type=seqpacket peer=(label=unconfined),
 
   #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
 
   @{exec_path} mr,