Merge fusermount3: allow ro mounts on /cvmfs

CVMFS ( the [CernVM File System](cernvm.cern.ch)) is a read-only fs used to distribute software that is widely used in scientific computing (at CERN and beyond, for example by the [EESSI project](eessi.io)).

CVMFS historically uses the mountpoint /cvmfs, but the new fusermount3 profile doesn't allow that. It's not really possibly to move the mountpoint to /mnt/cvmfs, because the software installed on CVMFS often uses the absolute path /cvmfs/... for linking.

We've added a /etc/apparmor.d/local/fusermount3 to our packages, but it'd be much appreciated if this could be fixed upstream!

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1587
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>

profiles/apparmor.d/fusermount3

@@ -21,12 +21,14 @@ profile fusermount3 /usr/bin/fusermount3 {
   mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{run}/user/@{uid}/**/,
   mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /media/**/,
   mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /tmp/**/,
+  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /cvmfs/**/,
 
   umount @{HOME}/**/,
   umount /mnt/{,**/},
   umount @{run}/user/@{uid}/**/,
   umount /media/**/,
   umount /tmp/**/,
+  umount /cvmfs/**/,
 
   # Flatpak's default cache directory where it mounts a revokefs-fuse
   mount fstype=fuse options=(nosuid,nodev,rw) /dev/fuse -> /var/tmp/flatpak-cache-*/**/,