# AppArmor profile confining /usr/bin/fusermount3, the libfuse helper that
# performs the privileged mount(2)/umount(2) for unprivileged FUSE users.
# The rules below are the complete allow-list: any mount target, mount
# option or file access not listed here is denied by default.
#
# NOTE(review): the angle-bracketed targets of the `abi` and `include`
# directives (e.g. `<ABI_PLACEHOLDER>`, `<TUNABLES_PLACEHOLDER>`) are missing
# from the page as extracted; they must be restored from the original file
# before this profile is loaded.
abi ,
include

# Filesystem types this helper may mount; referenced by the fstype= field of
# the mount rules below.
@{fuse_types} = {fuse,fuse.*,fuseblk,fusectl}

profile fusermount3 /usr/bin/fusermount3 {
  # NOTE(review): two `include` directives, targets stripped in extraction
  # (e.g. `<ABSTRACTION_PLACEHOLDER>`) — restore from the original file.
  include
  include

  # mount(2)/umount(2) require CAP_SYS_ADMIN.
  capability sys_admin,
  # Bypasses directory read/search permission checks; presumably needed to
  # resolve mount points under directories the invoking user cannot traverse
  # — TODO confirm against fusermount3's use.
  capability dac_read_search,

  # Allow both rw and ro type mounts (e.g. AppImage uses ro)
  #MS_DIRSYNC, MS_NOATIME, MS_NODIRATIME, MS_NOEXEC, MS_SYNCHRONOUS, MS_NOSYMFOLLOW
  # Below broad mount flags should be revisited once we have rule delegation
  #
  # Each rule: nosuid and nodev must be present on the mount (options=),
  # the `options in` list enumerates further flags that may additionally be
  # present, and the `->` path restricts where the mount may be placed. Mount
  # points outside these five trees (home, /mnt, the per-user runtime dir,
  # /media, /tmp) are denied.
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{HOME}/**/,
  # Note: `/mnt/{,**/}` also permits mounting directly on /mnt/ itself,
  # unlike the other targets which require a subdirectory.
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /mnt/{,**/},
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{run}/user/@{uid}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /media/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /tmp/**/,

  # Cern VM fs is special and only uses these exact flags
  # (read-only only; no `options in` list, so no other flags are accepted).
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /cvmfs/**/,

  # umount is permitted only for the same targets that may be mounted above.
  umount @{HOME}/**/,
  umount /mnt/{,**/},
  umount @{run}/user/@{uid}/**/,
  umount /media/**/,
  umount /tmp/**/,
  umount /cvmfs/**/,

  # Flatpak's default cache directory where it mounts a revokefs-fuse
  # These two rules pin the mount source (/dev/fuse or revokefs-fuse) as well
  # as the fstype and target, so they are narrower than the generic rules.
  mount fstype=fuse options=(nosuid,nodev,rw) /dev/fuse -> /var/tmp/flatpak-cache-*/**/,
  mount fstype=fuse.revokefs-fuse options=(nosuid,nodev,rw) revokefs-fuse -> /var/tmp/flatpak-cache-*/**/,
  umount /var/tmp/flatpak-cache-*/**/,

  # flatpak-builder uses rofiles-fuse
  mount fstype=fuse.rofiles-fuse options=(nosuid,nodev,rw) {rofiles-fuse,/dev/fuse} -> /var/tmp/test-flatpak-*/**/,
  umount /var/tmp/test-flatpak-*/**/,

  # The FUSE control device handed to the filesystem daemon.
  /dev/fuse rw,

  # needed since libfuse 3.17.1-rc0 (LP: #2111845)
  # `ix` runs the mount/umount binaries inside this same profile, so they
  # stay bound to the mount/umount rules above rather than gaining their own
  # (or an unconfined) profile.
  /usr/bin/mount ix,
  /usr/bin/umount ix,

  # Read-only access to the libfuse configuration (presumably for the
  # user_allow_other setting — confirm); it is never written by the helper.
  @{etc_ro}/fuse.conf r,
  # Mount tables, read to validate mount points before (un)mounting.
  # NOTE(review): @{pid} here is the generic pid tunable, so this is not
  # limited to the helper's own /proc entry — confirm whether self-only
  # access would suffice.
  @{PROC}/@{pid}/{mounts,mountinfo} r,
  # The confined binary itself (mmap + read).
  @{exec_path} mr,

  # Optional site-local override drop-in; target stripped in extraction
  # (e.g. `<LOCAL_PLACEHOLDER>`) — restore from the original file.
  include if exists
}

# vim:ft=apparmor