apparmor/profiles/apparmor.d/fusermount3

abi <abi/4.0>,
include <tunables/global>

@{fuse_types} = {fuse,fuse.*,fuseblk,fusectl}
profile fusermount3 /usr/bin/fusermount3 {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  capability sys_admin,
  capability dac_read_search,

  # Allow both rw and ro type mounts (e.g. AppImage uses ro)
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{HOME}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /mnt/{,**/},
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{run}/user/@{uid}/*/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /media/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /tmp/**/,
 
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{HOME}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /mnt/{,**/},
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{run}/user/@{uid}/*/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /media/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /tmp/**/,

  umount @{HOME}/**/,
  umount /mnt/{,**/},
  umount @{run}/user/@{uid}/*/,
  umount /media/**/,
  umount /tmp/**/,

  /dev/fuse rw,

  @{etc_ro}/fuse.conf r,
  @{PROC}/@{pid}/mounts r,

  /usr/bin/fusermount3 mr,

  include if exists <local/fusermount3>
}

# vim:syntax=apparmor
initial fusermount3 profile 2025-01-30 09:24:32 -05:00			`abi <abi/4.0>,`
			`include <tunables/global>`

revised fusermount3 profile 2025-02-06 16:11:10 -05:00			`@{fuse_types} = {fuse,fuse.*,fuseblk,fusectl}`
			`profile fusermount3 /usr/bin/fusermount3 {`
initial fusermount3 profile 2025-01-30 09:24:32 -05:00			`include <abstractions/base>`
revised fusermount3 profile 2025-02-06 16:11:10 -05:00			`include <abstractions/nameservice-strict>`
initial fusermount3 profile 2025-01-30 09:24:32 -05:00
			`capability sys_admin,`
revised fusermount3 profile 2025-02-06 16:11:10 -05:00			`capability dac_read_search,`

profiles: allow ro mounts in fusermount3 profile These are needed by e.g. AppImages Closes: https://bugs.launchpad.net/bugs/2098993 Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-02-20 09:42:32 -08:00			`# Allow both rw and ro type mounts (e.g. AppImage uses ro)`
modification to use / instead of 2025-02-07 09:51:30 -05:00			`mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{HOME}/**/,`
mnt mount rule change 2025-02-10 10:38:02 -05:00			`mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /mnt/{,**/},`
revised fusermount3 profile 2025-02-06 16:11:10 -05:00			`mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{run}/user/@{uid}/*/,`
modification to use / instead of 2025-02-07 09:51:30 -05:00			`mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /media/**/,`
			`mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /tmp/**/,`
revised fusermount3 profile 2025-02-06 16:11:10 -05:00
profiles: allow ro mounts in fusermount3 profile These are needed by e.g. AppImages Closes: https://bugs.launchpad.net/bugs/2098993 Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-02-20 09:42:32 -08:00			`mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{HOME}/**/,`
			`mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /mnt/{,**/},`
			`mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{run}/user/@{uid}/*/,`
			`mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /media/**/,`
			`mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /tmp/**/,`

modification to use / instead of 2025-02-07 09:51:30 -05:00			`umount @{HOME}/**/,`
mnt mount rule change 2025-02-10 10:38:02 -05:00			`umount /mnt/{,**/},`
revised fusermount3 profile 2025-02-06 16:11:10 -05:00			`umount @{run}/user/@{uid}/*/,`
modification to use / instead of 2025-02-07 09:51:30 -05:00			`umount /media/**/,`
			`umount /tmp/**/,`
initial fusermount3 profile 2025-01-30 09:24:32 -05:00
			`/dev/fuse rw,`

revised fusermount3 profile 2025-02-06 16:11:10 -05:00			`@{etc_ro}/fuse.conf r,`
initial fusermount3 profile 2025-01-30 09:24:32 -05:00			`@{PROC}/@{pid}/mounts r,`

			`/usr/bin/fusermount3 mr,`

			`include if exists <local/fusermount3>`
			`}`
revised fusermount3 profile 2025-02-06 16:11:10 -05:00
			`# vim:syntax=apparmor`