abi <abi/4.0>,
include <tunables/global>

# Filesystem type names accepted by the general mount rules in the
# fusermount3 profile: plain "fuse", any "fuse.<subtype>", "fuseblk" and
# "fusectl".
@{fuse_types} = {fuse,fuse.*,fuseblk,fusectl}
# Confinement for /usr/bin/fusermount3, the helper that mounts and unmounts
# FUSE filesystems. The profile limits mount targets to a fixed list of
# directory trees, and every mount rule lists nosuid and nodev, so a mount
# without those flags is not matched by any rule here.
profile fusermount3 /usr/bin/fusermount3 {
  # Baseline access shared by most profiles, plus name-service lookups.
  include <abstractions/base>
  include <abstractions/nameservice>

  # mount(2) and umount(2) require CAP_SYS_ADMIN. The capability is broad;
  # which mounts are actually permitted is decided by the mount/umount
  # rules below.
  capability sys_admin,
  # CAP_DAC_READ_SEARCH bypasses read checks on files and read/search checks
  # on directories. NOTE(review): presumably needed to reach mount points in
  # directories the helper could not otherwise traverse - confirm before
  # removing.
  capability dac_read_search,

  # Allow both rw and ro type mounts (e.g. AppImage uses ro)
  # No mount source is given in these rules, so only the filesystem type,
  # the flags and the target directory are restricted. The trailing "/" in
  # each target pattern restricts the match to directories.
  # NOTE(review): /tmp is typically world-writable; these rules only bound
  # the target path, so any ownership check on the mount point has to come
  # from fusermount3 itself - confirm.
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{HOME}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /mnt/{,**/},
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> @{run}/user/@{uid}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /media/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,rw) -> /tmp/**/,
 
  # Read-only variants of the same five targets.
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{HOME}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /mnt/{,**/},
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> @{run}/user/@{uid}/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /media/**/,
  mount fstype=@{fuse_types} options=(nosuid,nodev,ro) -> /tmp/**/,

  # Unmounting is allowed on the same five target trees as mounting.
  umount @{HOME}/**/,
  umount /mnt/{,**/},
  umount @{run}/user/@{uid}/**/,
  umount /media/**/,
  umount /tmp/**/,

  # Flatpak's default cache directory, where it mounts a revokefs-fuse
  # filesystem. Unlike the general rules above, these two rules also pin
  # the mount source (/dev/fuse and revokefs-fuse respectively).
  # The second revokefs rule cannot currently be parsed by aa-logprof.
  mount fstype=fuse options=(nosuid,nodev,rw) /dev/fuse -> /var/tmp/flatpak-cache-*/**/,
  mount fstype=fuse.revokefs-fuse options=(nosuid,nodev,rw) revokefs-fuse -> /var/tmp/flatpak-cache-*/**/,
  umount /var/tmp/flatpak-cache-*/**/,

  # The FUSE character device, opened read-write.
  /dev/fuse rw,

  # Read-only inputs: the FUSE configuration file and this process's own
  # mount table.
  @{etc_ro}/fuse.conf r,
  @{PROC}/@{pid}/mounts r,

  # The binary itself: readable and mappable as executable memory.
  /usr/bin/fusermount3 mr,

  # Site-local additions, included only when the file is present.
  include if exists <local/fusermount3>
}

# vim:syntax=apparmor
