From 7274f98fa614064f63f02189b26019475b1af97a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 5 Feb 2022 20:57:49 +0000
Subject: [PATCH] Add s3fs profile.

---
 apparmor.d/profiles-s-z/s3fs | 39 ++++++++++++++++++++++++++++++++++++
 dists/flags/main.flags       |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 apparmor.d/profiles-s-z/s3fs

diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs
new file mode 100644
index 00000000..97ad37fc
--- /dev/null
+++ b/apparmor.d/profiles-s-z/s3fs
@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/s3fs
+profile s3fs @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+  include <abstractions/ssl_certs>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  mount fstype=fuse.s3fs -> @{MOUNTS}/*/,
+  mount fstype=fuse.s3fs -> @{MOUNTS}/*/*/,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/fusermount rPx,
+
+  /etc/passwd-s3fs r,
+
+  owner @{HOME}/.passwd-s3fs r,
+  owner /tmp/* rw,
+
+  @{PROC}/sys/kernel/random/boot_id r,
+
+  /dev/fuse rw,
+
+  include if exists <local/s3fs>
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 3a5eeb5e..ab29cbd5 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -104,6 +104,7 @@ pinentry-gtk-2 complain
 podman attach_disconnected,complain
 run-parts complain
 runuser complain
+s3fs complain
 seahorse complain
 slirp4netns attach_disconnected,complain
 spice-client-glib-usb-acl-helper complain