I believe the "perfect" solution would be to implement a child profile that would allow only launching browsers, as, as far as I can see, only links (not attachments) are opened with this new gio helper.

Consider:

```
  ...

  /usr/lib/@{multiarch}/glib-[0-9].[0-9]/gio-launch-desktop Cx -> gio_launch_desktop,

  ...

  profile gio_launch_desktop {
    #include <abstractions/base>
    #include <abstractions/ubuntu-browsers>

    /usr/lib/@{multiarch}/glib-[0-9].[0-9]/gio-launch-desktop mr,
  }
```

Though sadly, AppArmor does not support a transition from a child profile to another child profile (nested child; it fails with "profile transition not found"), and these `ubuntu-x` helpers are implemented by transitioning into the `sanitized_helper` child profile.

I guess I'll try to propose a child profile with a "backported" ubuntu-browsers abstraction:

```
  profile gio_launch_desktop {
    #include <abstractions/base>

    /usr/lib/@{multiarch}/glib-[0-9].[0-9]/gio-launch-desktop mr,

    # Backported from abstractions/ubuntu-browsers
    # TODO: fix when nested child profiles are possible and use that abstraction directly
    ...
    /usr/bin/chromium{,-browser} PUx,
    /usr/lib{,64}/chromium{,-browser}/chromium{,-browser} Pux,
    /usr/bin/firefox PUx,
    /usr/lib{,64}/firefox*/firefox* PUx,
    ...
  }
```

Or alternatively we could use:

```
/usr/lib/@{multiarch}/glib-[0-9].[0-9]/gio-launch-desktop Cx -> sanitized_helper,
```

Even if we could use `ubuntu-browsers` in a child-child profile, there's another issue: there's no way to specify `Px|Cx->sanitized_helper`, i.e. to either use the "proper" profile, or fall back to sanitized_helper (or some other mechanism for environment scrubbing).

These two features, nested child profiles (or a similar alternative) and fallback profile transitions (or a similar alternative), would really help to confine these kinds of complex GUI applications...

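Below is a complete profile assembled from the fragments in the message above, added here as an illustration and not taken from the message or from the Ubuntu/AppArmor profiles it discusses. The parent binary `/usr/bin/example-gui-app` is a hypothetical stand-in for whatever GUI application is being confined; the gio helper path and the browser paths are the ones quoted above. It shows the full shape the fragments leave elided: the parent profile, the `Cx` transition into the child, and the browser rules copied into the child with `PUx` so that the exec falls back to unconfined (with environment scrubbing) when no browser profile is loaded.

```apparmor
#include <tunables/global>

# Hypothetical parent profile for illustration only; the path is an
# assumption and not one of the profiles discussed in the message.
/usr/bin/example-gui-app {
  #include <abstractions/base>

  /usr/bin/example-gui-app mr,

  # When the application forks the gio helper, transition into the child
  # profile defined below. Cx requires the target to be a child profile
  # declared inside this (parent) profile.
  /usr/lib/@{multiarch}/glib-[0-9].[0-9]/gio-launch-desktop Cx -> gio_launch_desktop,

  profile gio_launch_desktop {
    #include <abstractions/base>

    /usr/lib/@{multiarch}/glib-[0-9].[0-9]/gio-launch-desktop mr,

    # Browser rules copied in by hand instead of including
    # abstractions/ubuntu-browsers, because that abstraction's own
    # Cx -> sanitized_helper rules would require a child-of-child
    # transition, which the parser rejects.
    #
    # PUx: run under the browser's own profile if one is loaded, otherwise
    # run unconfined with the environment scrubbed. Plain Px would instead
    # fail the exec when no browser profile exists.
    /usr/bin/firefox PUx,
    /usr/lib{,64}/firefox*/firefox* PUx,
    /usr/bin/chromium{,-browser} PUx,
    /usr/lib{,64}/chromium{,-browser}/chromium{,-browser} PUx,
  }
}
```

To check the syntax without touching the kernel, run `apparmor_parser -Q /path/to/profile`; to load (or replace) it, `apparmor_parser -r /path/to/profile`. With the profile loaded, a browser launched via the gio helper should show up in `aa-status` either under its own profile or as unconfined, never under `gio_launch_desktop` itself.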