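# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2020-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# NOTE(review): the page lost everything that was written inside angle
# brackets. The `abi` rule and all four `include` rules below are missing
# their <...> target and will not parse as shown; restore the targets from
# the upstream profile before loading this policy.
abi ,

include

# Confines the fusermount / fusermount3 helper found in /bin or /usr/bin.
@{exec_path} = /{usr/,}bin/fusermount{,3}
profile fusermount @{exec_path} {
  include
  include

  # To mount anything:
  #  fusermount: mount failed: Operation not permitted
  # sys_admin is a very broad capability; the mount/umount rules further
  # down are what limit the mount operations this profile allows.
  capability sys_admin,

  # This is needed when mounting MTP devices via some file manager:
  #  fusermount: mount failed: Permission denied
  # dac_read_search bypasses file read and directory search permission checks.
  capability dac_read_search,

  # For obexfs
  network bluetooth stream,

  # The helper may read and memory-map its own binary.
  @{exec_path} mr,

  # Where to mount ISO files
  # (directories only, note the trailing slash; `owner` restricts the rule
  # to objects owned by the calling user)
  owner @{HOME}/*/ rw,
  owner @{HOME}/*/*/ rw,
  owner @{HOME}/.cache/**/ rw,

  # Be able to mount ISO images
  # Every rule in this group is restricted to FUSE filesystem types.
  mount fstype={fuse,fuse.*} -> @{HOME}/*/,
  mount fstype={fuse,fuse.*} -> @{HOME}/*/*/,
  mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/,
  mount fstype={fuse,fuse.*} -> /media/*/,
  mount fstype={fuse,fuse.*} -> /media/*/*/,

  # For MTP
  # NOTE(review): unlike every other mount rule in this profile, this one has
  # no fstype restriction, so any filesystem type is accepted for a mount
  # whose target is /. Check whether fstype={fuse,fuse.*} can be added
  # without breaking MTP mounting.
  mount -> /,

  # For AppImage
  mount fstype={fuse,fuse.*} -> /tmp/.mount_*/,

  # For GVFS
  mount fstype={fuse,fuse.*} -> @{run}/user/[0-9]*/gvfs/,

  # Be able to unmount the ISO images
  # NOTE(review): this list does not mirror the mount targets above.
  # /media/*/*/ can be mounted but has no umount rule, and the
  # @{run}/user/[0-9]*/**/ umount rule covers more than the single gvfs/
  # directory that may be mounted. Confirm both differences are intended.
  umount @{HOME}/*/,
  umount @{HOME}/*/*/,
  umount @{HOME}/.cache/**/,
  umount /media/*/,
  umount /tmp/.mount_*/,
  umount @{run}/user/[0-9]*/**/,

  # Image files to be mounted
  # (read, write and lock; lower-case and upper-case extensions are listed
  # separately because the patterns are case-sensitive)
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
  owner /media/*/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
  owner /media/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  # AppImage files
  # (read-only)
  owner @{HOME}/**.AppImage r,
  owner /media/*/**.AppImage r,

  # FUSE configuration, the FUSE device node, and the helper's own mount table.
  /etc/fuse.conf r,

  /dev/fuse rw,

  @{PROC}/@{pid}/mounts r,

  # Optional include; its target was lost with the other <...> arguments.
  include if exists
}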