mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-29 13:28:19 +00:00
Code Issues Releases Wiki Activity

Merge profiles: expand set of flags allowed for fusermount3

Browse Source 
fuse_overlayfs requires noatime, but we should also allow more flags than
just that to preempt future breakage from flags not included in the rules.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1673
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This commit is contained in:
John Johansen 2025-05-08 11:04:06 +00:00
commit eda0461d58
1 changed files with 7 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
profiles/apparmor.d/fusermount3
View File

@ -10,17 +10,13 @@ profile fusermount3 /usr/bin/fusermount3 {
capability dac_read_search,
# Allow both rw and ro type mounts (e.g. AppImage uses ro)
mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{HOME}/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /mnt/{,**/},
mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{run}/user/@{uid}/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /media/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /tmp/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{HOME}/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /mnt/{,**/},
mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{run}/user/@{uid}/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /media/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /tmp/**/,
#MS_DIRSYNC, MS_NOATIME, MS_NODIRATIME, MS_NOEXEC, MS_SYNCHRONOUS, MS_NOSYMFOLLOW
mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> @{HOME}/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> /mnt/{,**/},
mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> @{run}/user/@{uid}/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> /media/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> /tmp/**/,
# Cern VM fs is special and only uses these exact flags
mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /cvmfs/**/,
umount @{HOME}/**/,