From 03acee59394f6171cbf430eb63685fdc377a860f Mon Sep 17 00:00:00 2001
From: Julia Sarris
Date: Thu, 6 Feb 2025 16:11:10 -0500
Subject: [PATCH] revised fusermount3 profile

---
 profiles/apparmor.d/fusermount3 | 34 +++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/profiles/apparmor.d/fusermount3 b/profiles/apparmor.d/fusermount3
index 4e78a9484..3eb723615 100644
--- a/profiles/apparmor.d/fusermount3
+++ b/profiles/apparmor.d/fusermount3
@@ -1,32 +1,34 @@
 abi ,
 include
-profile /usr/bin/fusermount3 {
+@{fuse_types} = {fuse,fuse.*,fuseblk,fusectl}
+profile fusermount3 /usr/bin/fusermount3 {
 include
- include
+ include
 capability sys_admin,
+ capability dac_read_search,
- audit mount,
- audit umount,
-
- mount fstype=fuse options=(nosuid) -> /home/*/mounts/,
- mount fstype=fuseblk options=(nosuid) -> /home/*/mounts/,
- mount fstype=fuse options=(nosuid) -> /run/user/*/mounts/,
- mount fstype=fuseblk options=(nosuid) -> /run/user/*/mounts/,
- mount fstype=fuse options=(nosuid) -> /mnt/,
- mount fstype=fuseblk options=(nosuid) -> /mnt/,
- mount fstype=fuse options=(nosuid) -> /media/,
- mount fstype=fuseblk options=(nosuid) -> /media/,
+ mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{HOME}/{**,},
+ mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /mnt/{**,},
+ mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{run}/user/@{uid}/*/,
+ mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /media/*/*/,
+ mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /tmp/{**,},
+
+ umount @{HOME}/{**,},
+ umount /mnt/{**,},
+ umount @{run}/user/@{uid}/*/,
+ umount /media/*/*/,
+ umount /tmp/{**,},
 /dev/fuse rw,
- # Allow reading of fuse configuration files
- @{etc_rw}/fuse.conf r,
+ @{etc_ro}/fuse.conf r,
 @{PROC}/@{pid}/mounts r,
- # Allow only read and execute permissions for the binary itself
 /usr/bin/fusermount3 mr,
 include if exists
 }
+
+# vim:syntax=apparmor
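Review bot: `@{fuse_types}` includes `fusectl`, which is the FUSE control filesystem rather than a type fusermount3 mounts on behalf of users, so the new mount rules admit more than the setuid helper needs; trimming it to `@{fuse_types} = {fuse,fuse.*,fuseblk}` keeps the rules to the types actually passed to mount(2) (if subtyped block mounts are in scope, `fuseblk.*` may also be needed — worth confirming against the type string fusermount3 builds). The removed `audit mount,` / `audit umount,` lines were the only audit coverage of this privileged helper and the replacement rules carry no qualifier, so successful mounts into `@{HOME}` and `/tmp` no longer produce a log event; prefixing the new mount and umount rules with `audit` preserves that visibility without widening anything. `options=(nosuid,nodev,rw)` is an exact-set match in AppArmor mount rules, so a caller passing `-o ro` would be denied rather than narrowed — a functional rather than security concern, but `options in (...)` is the subset form if allowing fewer flags is the intent. Finally, `capability dac_read_search` is added without the explanatory comments the old profile carried; a one-line note such as `# presumably needed to resolve the mountpoint after dropping privileges — confirm` above it would help the next reviewer judge whether the capability is still required.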