From f826e1dbeac7f968b789b36c077558c67b6d090b Mon Sep 17 00:00:00 2001
From: Ryan Lee
Date: Tue, 27 May 2025 15:40:21 -0400
Subject: [PATCH] Allow noexec mounts in fusermount3 profile

The permissive flags should be revisited once we have rule delegation

Signed-off-by: Ryan Lee
---
 profiles/apparmor.d/fusermount3 | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/profiles/apparmor.d/fusermount3 b/profiles/apparmor.d/fusermount3
index 39c99eced..7e34ac8f8 100644
--- a/profiles/apparmor.d/fusermount3
+++ b/profiles/apparmor.d/fusermount3
@@ -11,11 +11,12 @@ profile fusermount3 /usr/bin/fusermount3 {
   # Allow both rw and ro type mounts (e.g. AppImage uses ro)
   #MS_DIRSYNC, MS_NOATIME, MS_NODIRATIME, MS_NOEXEC, MS_SYNCHRONOUS, MS_NOSYMFOLLOW
-  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> @{HOME}/**/,
-  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> /mnt/{,**/},
-  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> @{run}/user/@{uid}/**/,
-  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> /media/**/,
-  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,sync) -> /tmp/**/,
+  # Below broad mount flags should be revisited once we have rule delegation
+  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{HOME}/**/,
+  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /mnt/{,**/},
+  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{run}/user/@{uid}/**/,
+  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /media/**/,
+  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /tmp/**/,
   # Cern VM fs is special and only uses these exact flags
   mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /cvmfs/**/,