From 9d2aca794504042fa300acd197546714dcfbaf59 Mon Sep 17 00:00:00 2001 From: Georgia Garcia Date: Wed, 11 Jun 2025 17:41:00 -0300 Subject: [PATCH 1/2] profiles: add ix permissions for mount and umount on fusermount3 profile After an upgrade to libfuse 3.17.1-rc0, autopkgtests started to fail due to a missing x permission for /usr/bin/mount. After looking at the source code for fusermount, I noticed that it does call /bin/mount and /bin/umount in certain cases. These uses were already there in previous versions of libfuse but I'm still not sure why it hasn't triggered before. To reproduce it: sudo autopkgtest-buildvm-ubuntu-cloud -v -r questing autopkgtest archivemount -U --apt-pocket=proposed=src:fuse3 --shell-fail -- qemu autopkgtest-questing-amd64.img After the test fails, enter the vm by ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 ubuntu@localhost You can reproduce the test by running cd /tmp/autopkgtest.*/build.*/src/ /tmp/autopkgtest.*/build.*/src/debian/tests/test Note that ix for mount and umount were enough to make the autopkgtest failures to start passing, but there could be issues in the future regarding the use of fs specific mount binaries like /usr/sbin/mount.fuse Fixes: http://bugs.launchpad.net/bugs/2111845 Signed-off-by: Georgia Garcia --- profiles/apparmor.d/fusermount3 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/profiles/apparmor.d/fusermount3 b/profiles/apparmor.d/fusermount3 index 7e34ac8f8..fd653db03 100644 --- a/profiles/apparmor.d/fusermount3 +++ b/profiles/apparmor.d/fusermount3 @@ -34,8 +34,12 @@ profile fusermount3 /usr/bin/fusermount3 { /dev/fuse rw, + # needed since libfuse 3.17.1-rc0 (LP: #2111845) + /usr/bin/mount ix, + /usr/bin/umount ix, + @{etc_ro}/fuse.conf r, - @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/{mounts,mountinfo} r, @{exec_path} mr, From af396a46ee54fc5dc91e4c8481775c6aebc17009 Mon Sep 17 00:00:00 2001 
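Review bot: The two new exec rules name only `/usr/bin/mount` and `/usr/bin/umount`, while the commit message says fusermount calls `/bin/mount` and `/bin/umount`. On a system where `/bin` is not a symlink into `/usr/bin`, the resolved path would not match and the denial would presumably come back. If such layouts are meant to be supported, `/{,usr/}bin/{mount,umount} ix,` covers both. Because `ix` runs the helpers under the fusermount3 profile itself, the comment could record that and the known gap, e.g. `# mount/umount inherit this profile (ix); fs-specific helpers such as /usr/sbin/mount.fuse are not allowed`. The profile body starts and ends outside this hunk.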
From: Georgia Garcia Date: Thu, 12 Jun 2025 11:37:48 -0300 Subject: [PATCH 2/2] profiles: add mount permissions to fusermount3 needed by flatpak-builder There were failures in the flatpak-build autopkgtests due to missing mount permissions: [ 60.822732] audit: type=1400 audit(1749737394.684:168): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="fusermount3" name="/var/tmp/test-flatpak-uuKcEE/.flatpak-builder/rofiles/rofiles-JxeDhQ/" pid=3150 comm="fusermount3" fstype="fuse.rofiles-fuse" srcname="rofiles-fuse" flags="rw, nosuid, nodev" [ 60.825556] audit: type=1400 audit(1749737394.686:169): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="fusermount3" name="/var/tmp/test-flatpak-uuKcEE/.flatpak-builder/rofiles/rofiles-JxeDhQ/" pid=3151 comm="fusermount3" fstype="fuse" srcname="/dev/fuse" flags="rw, nosuid, nodev" [ 918.564687] audit: type=1400 audit(1749738252.435:186): apparmor="DENIED" operation="umount" class="mount" profile="fusermount3" name="/var/tmp/test-flatpak-AI4MsP/.flatpak-builder/rofiles/rofiles-vIM7ok/" pid=7093 comm="fusermount" Signed-off-by: Georgia Garcia --- profiles/apparmor.d/fusermount3 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/profiles/apparmor.d/fusermount3 b/profiles/apparmor.d/fusermount3 index fd653db03..39e348714 100644 --- a/profiles/apparmor.d/fusermount3 +++ b/profiles/apparmor.d/fusermount3 @@ -32,6 +32,10 @@ profile fusermount3 /usr/bin/fusermount3 { mount fstype=fuse.revokefs-fuse options=(nosuid,nodev,rw) revokefs-fuse -> /var/tmp/flatpak-cache-*/**/, umount /var/tmp/flatpak-cache-*/**/, + # flatpak-builder uses rofiles-fuse + mount fstype=fuse.rofiles-fuse options=(nosuid,nodev,rw) {rofiles-fuse,/dev/fuse} -> /var/tmp/test-flatpak-*/**/, + umount /var/tmp/test-flatpak-*/**/, + /dev/fuse rw, # needed since libfuse 3.17.1-rc0 (LP: #2111845)
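Review bot: The new mount rule pins `fstype=fuse.rofiles-fuse` for both sources in `{rofiles-fuse,/dev/fuse}`, but the second denial quoted in the commit message has `fstype="fuse"` with `srcname="/dev/fuse"`. That request does not look covered by this rule unless a rule outside the hunk already allows it. If the plain `fuse` mount is really needed, a separate narrow rule such as `mount fstype=fuse options=(nosuid,nodev,rw) /dev/fuse -> /var/tmp/test-flatpak-*/**/,` keeps the two cases explicit; if it is not, dropping `/dev/fuse` from the alternation keeps the rule minimal. The mount point pattern `/var/tmp/test-flatpak-*/**/` is the directory seen in the autopkgtest logs, so the comment could say so, e.g. `# flatpak-builder autopkgtest: rofiles-fuse under /var/tmp/test-flatpak-*`.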