Merge fusermount3: allow ro mounts on /cvmfs

CVMFS ( the [CernVM File System](cernvm.cern.ch)) is a read-only fs used to distribute software that is widely used in scientific computing (at CERN and beyond, for example by the [EESSI project](eessi.io)). CVMFS historically uses the mountpoint /cvmfs, but the new fusermount3 profile doesn't allow that. It's not really possibly to move the mountpoint to /mnt/cvmfs, because the software installed on CVMFS often uses the absolute path /cvmfs/... for linking. We've added a /etc/apparmor.d/local/fusermount3 to our packages, but it'd be much appreciated if this could be fixed upstream! MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1587 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>
2025-08-22 10:07:12 +00:00 · 2025-04-13 07:26:38 +00:00 · 2025-04-13 07:26:38 +00:00 · ccf1b25d3d
commit ccf1b25d3d
parent f34a7d0b28 616833d57d
1 changed files with 2 additions and 0 deletions
--- a/profiles/apparmor.d/fusermount3
+++ b/profiles/apparmor.d/fusermount3
@ -21,12 +21,14 @@ profile fusermount3 /usr/bin/fusermount3 {
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{run}/user/@{uid}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /media/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /tmp/**/,
+  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /cvmfs/**/,

  umount @{HOME}/**/,
  umount /mnt/{,**/},
  umount @{run}/user/@{uid}/**/,
  umount /media/**/,
  umount /tmp/**/,
+  umount /cvmfs/**/,

  # Flatpak's default cache directory where it mounts a revokefs-fuse
  mount fstype=fuse options=(nosuid,nodev,rw) /dev/fuse -> /var/tmp/flatpak-cache-*/**/,