From 28ee94c4a5fa62974ee52c4bcf801e0fa5926a0d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 2 Mar 2022 18:15:33 +0000
Subject: [PATCH] s3fs: rework the profile.
---
 apparmor.d/profiles-s-z/s3fs | 35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs
index 97ad37fc..f26e24bc 100644
--- a/apparmor.d/profiles-s-z/s3fs
+++ b/apparmor.d/profiles-s-z/s3fs
@@ -24,16 +24,45 @@ profile s3fs @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/fusermount rPx,
+ /{usr/,}bin/fusermount{,3} rCx -> fusermount,
+ /etc/mime.types r,
 /etc/passwd-s3fs r,
 owner @{HOME}/.passwd-s3fs r,
- owner /tmp/* rw,
- @{PROC}/sys/kernel/random/boot_id r,
+ owner @{MOUNTS}/*/ r,
+ owner @{MOUNTS}/*/*/ r,
+ owner /tmp/* rw,
 /dev/fuse rw,
+ profile fusermount {
+ include
+ include
+
+ capability sys_admin,
+
+ network inet stream,
+ network inet6 stream,
+
+ /{usr/,}bin/fusermount{,3} mr,
+
+ /etc/fuse.conf r,
+
+ @{MOUNTS}/*/ r,
+ @{MOUNTS}/*/*/ r,
+
+ mount fstype=fuse.s3fs -> @{MOUNTS}/*/,
+ mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/,
+
+ umount @{MOUNTS}/*/,
+ umount @{MOUNTS}/*/*/,
+
+ @{PROC}/@{pids}/mounts r,
+
+ /dev/fuse rw,
+ }
+
 include if exists
 }
\ No newline at end of file
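Review bot: The new fusermount child profile grants `network inet stream,` and `network inet6 stream,` next to `capability sys_admin,`, but nothing in the hunk shows fusermount needing a socket: it only maps its own binary, reads `/etc/fuse.conf`, opens `/dev/fuse` and performs the mount/umount rules. Unless those two lines are required by something the `include` lines (whose targets are not visible in this rendering) do not already cover, dropping them, or annotating them with a comment naming the reason, keeps the sys_admin-bearing child as narrow as the rest of the rework. `@{PROC}/@{pids}/mounts r,` also lets the child read every process's mount table; if fusermount only reads its own, `@{PROC}/@{pid}/mounts r,` is the tighter rule, assuming the project defines `@{pid}` as upstream AppArmor does. Finally, the parent keeps its `include if exists` local-override line while the new subprofile has none; a matching local include for the child, named per the project's convention, would let users extend it without editing this file.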