apparmor/profiles/apparmor.d/fusermount3

abi <abi/4.0>,
include <tunables/global>

@{fuse_types} = {fuse,fuse.*,fuseblk,fusectl}
profile fusermount3 /usr/bin/fusermount3 {
  include <abstractions/base>
  include <abstractions/nameservice>

  capability sys_admin,
  capability dac_read_search,

  # Allow both rw and ro type mounts (e.g. AppImage uses ro)
  #MS_DIRSYNC, MS_NOATIME, MS_NODIRATIME, MS_NOEXEC, MS_SYNCHRONOUS, MS_NOSYMFOLLOW
  # Below broad mount flags should be revisited once we have rule delegation
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{HOME}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /mnt/{,**/},
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> @{run}/user/@{uid}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /media/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw,noatime,dirsync,nodiratime,noexec,sync) -> /tmp/**/,
  # Cern VM fs is special and only uses these exact flags
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /cvmfs/**/,

  umount @{HOME}/**/,
  umount /mnt/{,**/},
  umount @{run}/user/@{uid}/**/,
  umount /media/**/,
  umount /tmp/**/,
  umount /cvmfs/**/,

  # Flatpak's default cache directory where it mounts a revokefs-fuse
  mount fstype=fuse options=(nosuid,nodev,rw) /dev/fuse -> /var/tmp/flatpak-cache-*/**/,
  mount fstype=fuse.revokefs-fuse options=(nosuid,nodev,rw) revokefs-fuse -> /var/tmp/flatpak-cache-*/**/,
  umount /var/tmp/flatpak-cache-*/**/,

  # flatpak-builder uses rofiles-fuse
  mount fstype=fuse.rofiles-fuse options=(nosuid,nodev,rw) {rofiles-fuse,/dev/fuse} -> /var/tmp/test-flatpak-*/**/,
  umount /var/tmp/test-flatpak-*/**/,

  /dev/fuse rw,

  # needed since libfuse 3.17.1-rc0 (LP: #2111845)
  /usr/bin/mount ix,
  /usr/bin/umount ix,

  @{etc_ro}/fuse.conf r,
  @{PROC}/@{pid}/{mounts,mountinfo} r,

  @{exec_path} mr,

  include if exists <local/fusermount3>
}

# vim:ft=apparmor