profiles: allow ro mounts in fusermount3 profile

These are needed by e.g. AppImages Closes: https://bugs.launchpad.net/bugs/2098993 Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-03-04 00:14:44 +01:00 · 2025-02-20 09:42:32 -08:00 · 2025-02-20 09:42:32 -08:00 · a20409cf1e
commit a20409cf1e
parent 125ef7a8cb
1 changed files with 7 additions and 0 deletions
--- a/profiles/apparmor.d/fusermount3
+++ b/profiles/apparmor.d/fusermount3
@ -9,12 +9,19 @@ profile fusermount3 /usr/bin/fusermount3 {
  capability sys_admin,
  capability dac_read_search,
  # Allow both rw and ro type mounts (e.g. AppImage uses ro)
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{HOME}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /mnt/{,**/},
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{run}/user/@{uid}/*/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /media/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /tmp/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{HOME}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /mnt/{,**/},
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{run}/user/@{uid}/*/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /media/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /tmp/**/,
  umount @{HOME}/**/,
  umount /mnt/{,**/},
  umount @{run}/user/@{uid}/*/,