apparmor/profiles/apparmor.d/fusermount3

abi <abi/4.0>,
include <tunables/global>

@{fuse_types} = {fuse,fuse.*,fuseblk,fusectl}
profile fusermount3 /usr/bin/fusermount3 {
  include <abstractions/base>
  include <abstractions/nameservice>

  capability sys_admin,
  capability dac_read_search,

  # Allow both rw and ro type mounts (e.g. AppImage uses ro)
  #MS_DIRSYNC, MS_NOATIME, MS_NODIRATIME, MS_NOEXEC, MS_SYNCHRONOUS, MS_NOSYMFOLLOW
  # Below broad mount flags should be revisited once we have rule delegation
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{HOME}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /mnt/{,**/},
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{run}/user/@{uid}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /media/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /tmp/**/,
  # Cern VM fs is special and only uses these exact flags
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /cvmfs/**/,

  umount @{HOME}/**/,
  umount /mnt/{,**/},
  umount @{run}/user/@{uid}/**/,
  umount /media/**/,
  umount /tmp/**/,
  umount /cvmfs/**/,

  # Flatpak's default cache directory where it mounts a revokefs-fuse
  mount fstype=fuse options=(nosuid,nodev,rw) /dev/fuse -> /var/tmp/flatpak-cache-*/**/,
  mount fstype=fuse.revokefs-fuse options=(nosuid,nodev,rw) revokefs-fuse -> /var/tmp/flatpak-cache-*/**/,
  umount /var/tmp/flatpak-cache-*/**/,

  # flatpak-builder uses rofiles-fuse
  mount fstype=fuse.rofiles-fuse options=(nosuid,nodev,rw) {rofiles-fuse,/dev/fuse} -> /var/tmp/test-flatpak-*/**/,
  umount /var/tmp/test-flatpak-*/**/,

  /dev/fuse rw,

  # needed since libfuse 3.17.1-rc0 (LP: #2111845)
  /usr/bin/mount ix,
  /usr/bin/umount ix,

  @{etc_ro}/fuse.conf r,
  @{PROC}/@{pid}/{mounts,mountinfo} r,

  @{exec_path} mr,

  include if exists <local/fusermount3>
}

# vim:ft=apparmor
initial fusermount3 profile 2025-01-30 09:24:32 -05:00			`abi <abi/4.0>,`
			`include <tunables/global>`

revised fusermount3 profile 2025-02-06 16:11:10 -05:00			`@{fuse_types} = {fuse,fuse.*,fuseblk,fusectl}`
			`profile fusermount3 /usr/bin/fusermount3 {`
initial fusermount3 profile 2025-01-30 09:24:32 -05:00			`include <abstractions/base>`
fusermount3: Include full nameservice rules for SSSD users audit: type=1400 audit(1744218886.059:4484): apparmor="DENIED" operation="open" class="file" profile="fusermount3" name="/var/lib/sss/mc/passwd" pid=19539 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 audit: type=1400 audit(1744218886.059:4485): apparmor="DENIED" operation="open" class="file" profile="fusermount3" name="/var/lib/sss/mc/passwd" pid=19539 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 audit: type=1400 audit(1744218886.059:4486): apparmor="DENIED" operation="connect" class="file" profile="fusermount3" name="/var/lib/sss/pipes/nss" pid=19539 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 Fixes: http://bugs.launchpad.net/bugs/2106311 2025-04-10 11:14:58 +02:00			`include <abstractions/nameservice>`
initial fusermount3 profile 2025-01-30 09:24:32 -05:00
			`capability sys_admin,`
revised fusermount3 profile 2025-02-06 16:11:10 -05:00			`capability dac_read_search,`

profiles: allow ro mounts in fusermount3 profile These are needed by e.g. AppImages Closes: https://bugs.launchpad.net/bugs/2098993 Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-02-20 09:42:32 -08:00			`# Allow both rw and ro type mounts (e.g. AppImage uses ro)`
profiles: expand set of flags allowed for fusermount3 fuse_overlayfs requires noatime, but we should also allow more flags than just that to preempt future breakage from flags not included in the rules. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-05-05 16:39:09 -07:00			`#MS_DIRSYNC, MS_NOATIME, MS_NODIRATIME, MS_NOEXEC, MS_SYNCHRONOUS, MS_NOSYMFOLLOW`
Allow noexec mounts in fusermount3 profile The permissive flags should be revisited once we have rule delegation Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-05-27 15:40:21 -04:00			`# Below broad mount flags should be revisited once we have rule delegation`
			`mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{HOME}/**/,`
			`mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /mnt/{,**/},`
			`mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{run}/user/@{uid}/**/,`
			`mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /media/**/,`
			`mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /tmp/**/,`
profiles: expand set of flags allowed for fusermount3 fuse_overlayfs requires noatime, but we should also allow more flags than just that to preempt future breakage from flags not included in the rules. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-05-05 16:39:09 -07:00			`# Cern VM fs is special and only uses these exact flags`
fusermount3: allow ro mounts on /cvmfs 2025-03-20 10:03:14 +00:00			`mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /cvmfs/**/,`
profiles: allow ro mounts in fusermount3 profile These are needed by e.g. AppImages Closes: https://bugs.launchpad.net/bugs/2098993 Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-02-20 09:42:32 -08:00
modification to use / instead of 2025-02-07 09:51:30 -05:00			`umount @{HOME}/**/,`
mnt mount rule change 2025-02-10 10:38:02 -05:00			`umount /mnt/{,**/},`
profiles: allow fusermount3 to (u)mount nested subdirs of @{run}/user/@{uid} This is needed to fix the gnome-remote-desktop daemon, which mounts in a directory like /run/user/119/gnome-remote-desktop/cliprdr-ABm0Gd/. Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2103889 Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-03-24 12:12:22 -07:00			`umount @{run}/user/@{uid}/**/,`
modification to use / instead of 2025-02-07 09:51:30 -05:00			`umount /media/**/,`
			`umount /tmp/**/,`
also umount? 2025-03-20 10:13:39 +00:00			`umount /cvmfs/**/,`
initial fusermount3 profile 2025-01-30 09:24:32 -05:00
profiles: allow fusermount3 to mount in directories used by flatpak Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-02-27 10:24:09 -08:00			`# Flatpak's default cache directory where it mounts a revokefs-fuse`
			`mount fstype=fuse options=(nosuid,nodev,rw) /dev/fuse -> /var/tmp/flatpak-cache-/*/,`
			`mount fstype=fuse.revokefs-fuse options=(nosuid,nodev,rw) revokefs-fuse -> /var/tmp/flatpak-cache-/*/,`
			`umount /var/tmp/flatpak-cache-/*/,`

profiles: add mount permissions to fusermount3 needed by flatpak-builder There were failures in the flatpak-build autopkgtests due to missing mount permissions: [ 60.822732] audit: type=1400 audit(1749737394.684:168): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="fusermount3" name="/var/tmp/test-flatpak-uuKcEE/.flatpak-builder/rofiles/rofiles-JxeDhQ/" pid=3150 comm="fusermount3" fstype="fuse.rofiles-fuse" srcname="rofiles-fuse" flags="rw, nosuid, nodev" [ 60.825556] audit: type=1400 audit(1749737394.686:169): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="fusermount3" name="/var/tmp/test-flatpak-uuKcEE/.flatpak-builder/rofiles/rofiles-JxeDhQ/" pid=3151 comm="fusermount3" fstype="fuse" srcname="/dev/fuse" flags="rw, nosuid, nodev" [ 918.564687] audit: type=1400 audit(1749738252.435:186): apparmor="DENIED" operation="umount" class="mount" profile="fusermount3" name="/var/tmp/test-flatpak-AI4MsP/.flatpak-builder/rofiles/rofiles-vIM7ok/" pid=7093 comm="fusermount" Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> 2025-06-12 11:37:48 -03:00			`# flatpak-builder uses rofiles-fuse`
			`mount fstype=fuse.rofiles-fuse options=(nosuid,nodev,rw) {rofiles-fuse,/dev/fuse} -> /var/tmp/test-flatpak-/*/,`
			`umount /var/tmp/test-flatpak-/*/,`

initial fusermount3 profile 2025-01-30 09:24:32 -05:00			`/dev/fuse rw,`

profiles: add ix permissions for mount and umount on fusermount3 profile After an upgrade to libfuse 3.17.1-rc0, autopkgtests started to fail due to a missing x permission for /usr/bin/mount. After looking at the source code for fusermount, I noticed that it does call /bin/mount and /bin/umount in certain cases. These uses were already there in previous versions of libfuse but I'm still not sure why it hasn't triggered before. To reproduce it: sudo autopkgtest-buildvm-ubuntu-cloud -v -r questing autopkgtest archivemount -U --apt-pocket=proposed=src:fuse3 --shell-fail -- qemu autopkgtest-questing-amd64.img After the test fails, enter the vm by ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 ubuntu@localhost You can reproduce the test by running cd /tmp/autopkgtest./build./src/ /tmp/autopkgtest./build./src/debian/tests/test Note that ix for mount and umount were enough to make the autopkgtest failures to start passing, but there could be issues in the future regarding the use of fs specific mount binaries like /usr/sbin/mount.fuse Fixes: http://bugs.launchpad.net/bugs/2111845 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> 2025-06-11 17:41:00 -03:00			`# needed since libfuse 3.17.1-rc0 (LP: #2111845)`
			`/usr/bin/mount ix,`
			`/usr/bin/umount ix,`

revised fusermount3 profile 2025-02-06 16:11:10 -05:00			`@{etc_ro}/fuse.conf r,`
profiles: add ix permissions for mount and umount on fusermount3 profile After an upgrade to libfuse 3.17.1-rc0, autopkgtests started to fail due to a missing x permission for /usr/bin/mount. After looking at the source code for fusermount, I noticed that it does call /bin/mount and /bin/umount in certain cases. These uses were already there in previous versions of libfuse but I'm still not sure why it hasn't triggered before. To reproduce it: sudo autopkgtest-buildvm-ubuntu-cloud -v -r questing autopkgtest archivemount -U --apt-pocket=proposed=src:fuse3 --shell-fail -- qemu autopkgtest-questing-amd64.img After the test fails, enter the vm by ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 ubuntu@localhost You can reproduce the test by running cd /tmp/autopkgtest./build./src/ /tmp/autopkgtest./build./src/debian/tests/test Note that ix for mount and umount were enough to make the autopkgtest failures to start passing, but there could be issues in the future regarding the use of fs specific mount binaries like /usr/sbin/mount.fuse Fixes: http://bugs.launchpad.net/bugs/2111845 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> 2025-06-11 17:41:00 -03:00			`@{PROC}/@{pid}/{mounts,mountinfo} r,`
initial fusermount3 profile 2025-01-30 09:24:32 -05:00
profiles: update the rest of the profiles to use @{exec_path} Signed-off-by: John Johansen <john.johansen@canonical.com> 2025-04-28 13:17:49 -07:00			`@{exec_path} mr,`
initial fusermount3 profile 2025-01-30 09:24:32 -05:00
			`include if exists <local/fusermount3>`
			`}`
revised fusermount3 profile 2025-02-06 16:11:10 -05:00
chore: fix vim modelines - set filetype, instead of syntax, in vim modelines - replace filetype of subdomain with apparmor - move modelines in the first or last five lines of each file so that vim can recognize them 2025-05-04 23:00:29 +09:00			`# vim:ft=apparmor`