From a20409cf1e3c63386f56394d2b346cdfe40cde2f Mon Sep 17 00:00:00 2001
From: Ryan Lee
Date: Thu, 20 Feb 2025 09:42:32 -0800
Subject: [PATCH] profiles: allow ro mounts in fusermount3 profile
These are needed by e.g. AppImages
Closes: https://bugs.launchpad.net/bugs/2098993
Signed-off-by: Ryan Lee
---
 profiles/apparmor.d/fusermount3 | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/profiles/apparmor.d/fusermount3 b/profiles/apparmor.d/fusermount3
index d12cc00c2..c9d2bfca9 100644
--- a/profiles/apparmor.d/fusermount3
+++ b/profiles/apparmor.d/fusermount3
@@ -9,12 +9,19 @@ profile fusermount3 /usr/bin/fusermount3 {
 capability sys_admin,
 capability dac_read_search,
+ # Allow both rw and ro type mounts (e.g. AppImage uses ro)
 mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{HOME}/**/,
 mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /mnt/{,**/},
 mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{run}/user/@{uid}/*/,
 mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /media/**/,
 mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /tmp/**/,
+ mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{HOME}/**/,
+ mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /mnt/{,**/},
+ mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{run}/user/@{uid}/*/,
+ mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /media/**/,
+ mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /tmp/**/,
+
 umount @{HOME}/**/,
 umount /mnt/{,**/},
 umount @{run}/user/@{uid}/*/,
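Review bot: The five added `ro` rules repeat the `rw` destination list verbatim, so the two lists now have to be kept in sync by hand whenever a mount point is added or tightened; the `umount` rules below them are a third copy of the same paths. If every parser version this profile must load on accepts a fixed flag set plus an optional set in one rule, a single line per destination such as `mount fstype=@{fuse_types} options=(nosuid,nodev) options in (ro,rw) -> /tmp/**/,` would remove the duplication; that needs confirming against the supported parsers before adopting it. Independently, the new comment should record the invariant as well as the reason, e.g. `# nosuid,nodev are required on every FUSE mount; only ro/rw may differ`, so a later edit does not drop them for one variant. The profile body continues past the end of the hunk.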