From bb53886211aa31b2788e45abaae9d77fce4600a8 Mon Sep 17 00:00:00 2001
From: Georgia Garcia <georgia.garcia@canonical.com>
Date: Thu, 29 Feb 2024 08:17:30 -0300
Subject: [PATCH] profiles: add nautilus unconfined profile

Nautilus uses user namespaces to load thumbnails, hence it needs an
unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123

Although nautilus has extensions that would allow opening a terminal
from the nautilus interface, they do not inherit nautilus' AppArmor
label, therefore the use of unconfined does not allow arbitrary use of
unprivileged user namespaces using the nautilus label.

https://gitlab.com/apparmor/apparmor/-/merge_requests/1123

In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.

Note that unconfined mode should be changed for default_allow when
https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.

Fixes: https://bugs.launchpad.net/bugs/2047256
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
---
 profiles/apparmor.d/nautilus | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 profiles/apparmor.d/nautilus

diff --git a/profiles/apparmor.d/nautilus b/profiles/apparmor.d/nautilus
new file mode 100644
index 000000000..d4031a0ea
--- /dev/null
+++ b/profiles/apparmor.d/nautilus
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile nautilus /usr/bin/nautilus flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides.  See local/README for details.
+  include if exists <local/nautilus>
+}