revised fusermount3 profile

profiles/apparmor.d/fusermount3

@@ -1,32 +1,34 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile /usr/bin/fusermount3 {
+@{fuse_types} = {fuse,fuse.*,fuseblk,fusectl}
+profile fusermount3 /usr/bin/fusermount3 {
   include <abstractions/base>
-  include <abstractions/nameservice>
+  include <abstractions/nameservice-strict>
 
   capability sys_admin,
+  capability dac_read_search,
 
-  audit mount, 
-  audit umount,
-
-  mount fstype=fuse options=(nosuid) -> /home/*/mounts/,
-  mount fstype=fuseblk options=(nosuid) -> /home/*/mounts/,
-  mount fstype=fuse options=(nosuid) -> /run/user/*/mounts/,
-  mount fstype=fuseblk options=(nosuid) -> /run/user/*/mounts/,
-  mount fstype=fuse options=(nosuid) -> /mnt/,
-  mount fstype=fuseblk options=(nosuid) -> /mnt/,
-  mount fstype=fuse options=(nosuid) -> /media/,
-  mount fstype=fuseblk options=(nosuid) -> /media/,
+  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{HOME}/{**,},
+  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /mnt/{**,},
+  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{run}/user/@{uid}/*/,
+  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /media/*/*/,
+  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /tmp/{**,},
+ 
+  umount @{HOME}/{**,},
+  umount /mnt/{**,},
+  umount @{run}/user/@{uid}/*/,
+  umount /media/*/*/,
+  umount /tmp/{**,},
 
   /dev/fuse rw,
 
-  # Allow reading of fuse configuration files
-  @{etc_rw}/fuse.conf r,
+  @{etc_ro}/fuse.conf r,
   @{PROC}/@{pid}/mounts r,
 
-  # Allow only read and execute permissions for the binary itself
   /usr/bin/fusermount3 mr,
 
   include if exists <local/fusermount3>
 }
+
+# vim:syntax=apparmor