From 1d7a9c6765df573865052e1e90a9b5e154be3d4a Mon Sep 17 00:00:00 2001
From: Ryan Lee
Date: Mon, 5 May 2025 16:39:09 -0700
Subject: [PATCH] profiles: expand set of flags allowed for fusermount3

fuse_overlayfs requires noatime, but we should also allow more flags than just that to preempt future breakage from flags not included in the rules.

Signed-off-by: Ryan Lee
---
 profiles/apparmor.d/fusermount3 | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/profiles/apparmor.d/fusermount3 b/profiles/apparmor.d/fusermount3
index c45ff422f..f159a1b31 100644
--- a/profiles/apparmor.d/fusermount3
+++ b/profiles/apparmor.d/fusermount3
@@ -10,17 +10,13 @@ profile fusermount3 /usr/bin/fusermount3 {
 capability dac_read_search,
 # Allow both rw and ro type mounts (e.g. AppImage uses ro)
- mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{HOME}/**/,
- mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /mnt/{,**/},
- mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{run}/user/@{uid}/**/,
- mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /media/**/,
- mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /tmp/**/,
-
- mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{HOME}/**/,
- mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /mnt/{,**/},
- mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{run}/user/@{uid}/**/,
- mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /media/**/,
- mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /tmp/**/,
+ #MS_DIRSYNC, MS_NOATIME, MS_NODIRATIME, MS_NOEXEC, MS_SYNCHRONOUS, MS_NOSYMFOLLOW
+ mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> @{HOME}/**/,
+ mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> /mnt/{,**/},
+ mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> @{run}/user/@{uid}/**/,
+ mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> /media/**/,
+ mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> /tmp/**/,
+
 # Cern VM fs is special and only uses these exact flags
 mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /cvmfs/**/,
 umount @{HOME}/**/,
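Review bot: The added comment line lists MS_NOEXEC and MS_NOSYMFOLLOW, but `noexec` (and `nosymfollow`) are absent from the `options in (...)` set on the five rules below it, so a fusermount3 invocation carrying `noexec` — a strictly more restrictive mount than the `rw` case already permitted — would appear not to match any rule and be denied, while the comment reads as if it were covered (whether the parser accepts `nosymfollow` as a keyword I have not verified). Either add the flag to each of the five rules, e.g. `mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync,noexec) -> @{HOME}/**/,`, or trim the comment to the flags actually allowed so the two do not drift apart again. The comment itself would also be clearer in the file's `# ` style and saying what the two option sets mean rather than listing kernel constants, e.g. `# nosuid and nodev are mandatory; any subset of the 'in' set may additionally be present (fuse_overlayfs needs noatime)`. The enforced boundary is otherwise unchanged by the hunk, since nosuid and nodev stay in the mandatory `options=(...)` set and none of the optional flags grants more than the removed rw rules did. The `profile fusermount3` block continues past the end of the hunk.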