From ce5e5a15fb856c0b48a487b34d15fb0cf8694a8d Mon Sep 17 00:00:00 2001
From: Valentin Volkl <valentin.volkl@cern.ch>
Date: Thu, 20 Mar 2025 10:03:14 +0000
Subject: [PATCH 1/2] fusermount3: allow ro mounts on /cvmfs

---
 profiles/apparmor.d/fusermount3 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/profiles/apparmor.d/fusermount3 b/profiles/apparmor.d/fusermount3
index c9d2bfca9..fba2e308d 100644
--- a/profiles/apparmor.d/fusermount3
+++ b/profiles/apparmor.d/fusermount3
@@ -21,6 +21,7 @@ profile fusermount3 /usr/bin/fusermount3 {
   mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{run}/user/@{uid}/*/,
   mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /media/**/,
   mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /tmp/**/,
+  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /cvmfs/**/,
 
   umount @{HOME}/**/,
   umount /mnt/{,**/},

From 616833d57d015e6ab19733be4719c9f1521cced1 Mon Sep 17 00:00:00 2001
From: Valentin Volkl <valentin.volkl@cern.ch>
Date: Thu, 20 Mar 2025 10:13:39 +0000
Subject: [PATCH 2/2] also umount?

---
 profiles/apparmor.d/fusermount3 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/profiles/apparmor.d/fusermount3 b/profiles/apparmor.d/fusermount3
index fba2e308d..49bedaa2f 100644
--- a/profiles/apparmor.d/fusermount3
+++ b/profiles/apparmor.d/fusermount3
@@ -28,6 +28,7 @@ profile fusermount3 /usr/bin/fusermount3 {
   umount @{run}/user/@{uid}/*/,
   umount /media/**/,
   umount /tmp/**/,
+  umount /cvmfs/**/,
 
   /dev/fuse rw,