mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-03 16:04:44 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge profiles: allow ro mounts in fusermount3 profile

Browse source 
These are needed by e.g. AppImages

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1556
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia 2025-02-20 18:07:58 +00:00
commit 45a945acd3
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
profiles/apparmor.d/fusermount3
View file

@ -9,12 +9,19 @@ profile fusermount3 /usr/bin/fusermount3 {
capability sys_admin,
capability dac_read_search,
# Allow both rw and ro type mounts (e.g. AppImage uses ro)
mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{HOME}/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /mnt/{,**/},
mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{run}/user/@{uid}/*/,
mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /media/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /tmp/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{HOME}/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /mnt/{,**/},
mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{run}/user/@{uid}/*/,
mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /media/**/,
mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /tmp/**/,
umount @{HOME}/**/,
umount /mnt/{,**/},
umount @{run}/user/@{uid}/*/,