diff --git a/apparmor.d/abstractions/app/fusermount b/apparmor.d/abstractions/app/fusermount
new file mode 100644
index 000000000..659eee99d
--- /dev/null
+++ b/apparmor.d/abstractions/app/fusermount
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Minimal set of rules for fusermount subprofiles. Path to mount/unmount should
+# be defined in the calling profile.
+
+  abi <abi/4.0>,
+
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  capability dac_override,
+  capability dac_read_search,
+  capability sys_admin,  # To mount anything
+
+  @{bin}/fusermount{,3} mr,
+
+  @{etc_ro}/fuse{,3}.conf r,
+
+  @{PROC}/@{pid}/mounts r,
+
+  /dev/fuse rw,
+
+  include if exists <abstractions/app/fusermount.d>
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/bluetooth/obexautofs b/apparmor.d/groups/bluetooth/obexautofs
index e50fadddf..980349086 100644
--- a/apparmor.d/groups/bluetooth/obexautofs
+++ b/apparmor.d/groups/bluetooth/obexautofs
@@ -36,20 +36,13 @@ profile obexautofs @{exec_path} {
 
   profile fusermount {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
-
-    capability sys_admin,
+    include <abstractions/app/fusermount>
 
     mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/,
     mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/*/,
 
-    @{bin}/fusermount{,3} mr,
-
-    /etc/fuse.conf r,
-
-    @{PROC}/@{pid}/mounts r,
-
-    /dev/fuse rw,
+    umount @{HOME}/*/,
+    umount @{HOME}/*/*/,
 
     include if exists <local/obexautofs_fusermount>
   }
diff --git a/apparmor.d/groups/bluetooth/obexfs b/apparmor.d/groups/bluetooth/obexfs
index 5a9d0dfbf..e486349d3 100644
--- a/apparmor.d/groups/bluetooth/obexfs
+++ b/apparmor.d/groups/bluetooth/obexfs
@@ -27,26 +27,17 @@ profile obexfs @{exec_path} {
 
   /dev/fuse rw,
 
-
   profile fusermount {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
-
-    # To mount anything:
-    capability sys_admin,
+    include <abstractions/app/fusermount>
 
     network bluetooth stream,
 
-    @{bin}/fusermount{,3} mr,
-
-    /etc/fuse.conf r,
-
-    /dev/fuse rw,
-
     mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/,
     mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/*/,
 
-    @{PROC}/@{pid}/mounts r,
+    umount @{HOME}/*/,
+    umount @{HOME}/*/*/,
 
     include if exists <local/obexfs_fusermount>
   }
diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak
index 99ed33745..42d9fd9c3 100644
--- a/apparmor.d/groups/flatpak/flatpak
+++ b/apparmor.d/groups/flatpak/flatpak
@@ -144,22 +144,11 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 
   profile fusermount {
     include <abstractions/base>
-    include <abstractions/consoles>
-    include <abstractions/nameservice-strict>
-
-    capability sys_admin,
+    include <abstractions/app/fusermount>
 
     mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
     umount /var/tmp/flatpak-cache-*/*/,
 
-    @{bin}/fusermount{,3} mr,
-
-    /etc/fuse.conf r,
-
-    @{PROC}/@{pids}/mounts r,
-
-    /dev/fuse rw,
-
     include if exists <local/flatpak_fusermount>
   }
 
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index a0c1902e7..de362990a 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -63,10 +63,11 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 
   profile fusermount flags=(attach_disconnected) {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
+    include <abstractions/app/fusermount>
 
-    capability sys_admin,
     capability dac_read_search,
+    capability dac_override,
+    capability setuid,
 
     mount options=(rw, rprivate) -> /,
     mount options=(rw, rbind) @{run}/user/@{uid}/ -> /,
@@ -76,16 +77,13 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 
     unix (send receive) type=stream peer=(label=xdg-document-portal),
 
-    @{bin}/fusermount{,3} mr,
-
-    /etc/fuse{,3}.conf r,
+    @{bin}/mount          rix,
+    @{bin}/umount         rix,
 
     owner @{run}/user/@{uid}/doc/ rw,
 
-    @{PROC}/@{pids}/mounts r,
-
-          /dev/fuse rw,
-    @{att}/dev/tty@{int} rw,
+    @{run}/mount/utab r,
+    @{run}/mount/utab.* rwk,
 
     include if exists <local/xdg-document-portal_fusermount>
   }
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 601e6b6df..dd872c53a 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -164,21 +164,11 @@ profile gnome-software @{exec_path} {
 
   profile fusermount {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
-
-    capability sys_admin,
+    include <abstractions/app/fusermount>
 
     mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
     umount /var/tmp/flatpak-cache-*/*/,
 
-    @{bin}/fusermount{,3} mr,
-
-    /etc/fuse.conf r,
-
-    @{PROC}/@{pids}/mounts r,
-
-    /dev/fuse rw,
-
     include if exists <local/gnome-software_fusermount>
   }
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse
index 375040ec3..bb19d5454 100644
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@@ -40,24 +40,17 @@ profile gvfsd-fuse @{exec_path} {
 
   profile fusermount {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
+    include <abstractions/app/fusermount>
 
-    capability dac_read_search,
-    capability sys_admin,  # To mount anything
+    capability setuid,
 
     mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
     umount @{run}/user/@{uid}/**/,
 
     unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse),
 
-    @{bin}/fusermount{,3} mr,
-
-    /etc/fuse{,3}.conf r,
-    /etc/machine-id r,
-
-    @{PROC}/@{pid}/mounts r,
-
-    /dev/fuse rw,
+    @{bin}/mount          rix,
+    @{bin}/umount         rix,
 
     include if exists <local/gvfsd-fuse_fusermount>
   }
diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs
index f7c635dd4..12e7d8930 100644
--- a/apparmor.d/groups/ssh/sshfs
+++ b/apparmor.d/groups/ssh/sshfs
@@ -31,9 +31,7 @@ profile sshfs @{exec_path} flags=(complain) {
 
   profile fusermount flags=(complain) {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
-
-    capability sys_admin,
+    include <abstractions/app/fusermount>
 
     mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
     mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
@@ -51,14 +49,6 @@ profile sshfs @{exec_path} flags=(complain) {
 
     unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none),
 
-    @{bin}/fusermount{,3} mr,
-
-    /etc/fuse.conf r,
-
-    @{PROC}/@{pid}/mounts r,
-
-    /dev/fuse rw,
-
     include if exists <local/sshfs_fusermount>
   }
 
diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount
index 64f25e181..d445df0e2 100644
--- a/apparmor.d/profiles-a-f/archivemount
+++ b/apparmor.d/profiles-a-f/archivemount
@@ -24,33 +24,19 @@ profile archivemount @{exec_path} {
   owner @{HOME}/*/ r,
   owner @{HOME}/*/*/ r,
 
-  mount fstype=fuse.archivemount -> @{HOME}/*/,
-  mount fstype=fuse.archivemount -> @{HOME}/*/*/,
-
-  /dev/fuse rw,
-
   profile fusermount {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
-
-    # To mount anything:
-    capability sys_admin,
-
-    @{bin}/fusermount{,3} mr,
+    include <abstractions/app/fusermount>
 
     mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/,
     mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/,
 
-    /dev/fuse rw,
+    umount @{HOME}/*/,
+    umount @{HOME}/*/*/,
 
-    /etc/fuse.conf r,
-
-    owner @{HOME}/ r,
     /**.{tar,tar.gz,zip} r,
     /**.{TAR,TAR.GZ,ZIP} r,
 
-    @{PROC}/@{pid}/mounts r,
-
     include if exists <local/archivemount_fusermount>
   }
 
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index a53c135ca..ff3f8b43a 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -95,10 +95,7 @@ profile borg @{exec_path} {
 
   profile fusermount {
     include <abstractions/base>
-    include <abstractions/consoles>
-    include <abstractions/nameservice-strict>
-
-    capability sys_admin,
+    include <abstractions/app/fusermount>
 
     mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/,
     mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/,
@@ -106,17 +103,9 @@ profile borg @{exec_path} {
     umount @{MOUNTS}/,
     umount @{MOUNTS}/*/,
 
-    @{bin}/fusermount{,3} mr,
-
-    /etc/fuse.conf r,
-
     @{MOUNTS}/ r,
     @{MOUNTS}/*/ r,
 
-    @{PROC}/@{pids}/mounts r,
-
-    /dev/fuse rw,
-
     include if exists <local/borg_fusermount>
   }
 
diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso
index ed2bcc936..75d19a0d5 100644
--- a/apparmor.d/profiles-a-f/fuseiso
+++ b/apparmor.d/profiles-a-f/fuseiso
@@ -36,27 +36,17 @@ profile fuseiso @{exec_path} {
 
   profile fusermount {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
-
-    # To mount anything:
-    capability sys_admin,
-
-    capability dac_read_search,
+    include <abstractions/app/fusermount>
 
     mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/,
     mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/,
     mount fstype={fuse,fuse.fuseiso} -> @{user_cache_dirs}/**/,
 
-    @{bin}/fusermount{,3} mr,
+    umount @{HOME}/*/,
+    umount @{HOME}/*/*/,
+    umount @{user_cache_dirs}/**/,
 
-    /etc/fuse.conf r,
-
-    # Image files to be mounted
-    owner @{user_img_dirs}/{,**} r,
-
-    @{PROC}/@{pid}/mounts r,
-
-    /dev/fuse rw,
+    owner @{user_img_dirs}/{,**} r, # Image files to be mounted
 
     include if exists <local/fuseiso_fusermount>
   }
diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount
index 2bad1d773..3df041e64 100644
--- a/apparmor.d/profiles-a-f/fusermount
+++ b/apparmor.d/profiles-a-f/fusermount
@@ -10,10 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/fusermount{,3}
 profile fusermount @{exec_path} {
   include <abstractions/base>
-  include <abstractions/nameservice-strict>
-
-  capability dac_read_search,
-  capability sys_admin,
+  include <abstractions/app/fusermount>
 
   # Be able to mount ISO images
   mount fstype={fuse,fuse.*} -> @{HOME}/*/,
@@ -36,7 +33,6 @@ profile fusermount @{exec_path} {
 
   @{exec_path} mr,
 
-  /etc/fuse.conf r,
   /etc/machine-id r,
 
   /var/tmp/flatpak-cache-*/*/ r,
@@ -51,10 +47,6 @@ profile fusermount @{exec_path} {
 
   @{run}/user/@{uid}/doc/ r,
 
-  @{PROC}/@{pid}/mounts r,
-
-  /dev/fuse rw,
-
   include if exists <local/fusermount>
 }
 
diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs
index eb51b1239..618ac14e7 100644
--- a/apparmor.d/profiles-g-l/jmtpfs
+++ b/apparmor.d/profiles-g-l/jmtpfs
@@ -18,8 +18,7 @@ profile jmtpfs @{exec_path} {
 
   @{bin}/fusermount{,3} rCx -> fusermount,
 
-  owner @{tmp}/tmp* rw,
-  owner @{tmp}/#@{int} rw,
+  /etc/magic r,
 
   # Mount points
   owner @{HOME}/*/ r,
@@ -27,36 +26,20 @@ profile jmtpfs @{exec_path} {
 
   owner @{user_cache_dirs}/*/mtp{,-@{int}}/ rw,
 
-  mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
-  mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,
-  mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/,
-
-  /etc/magic r,
-
-  /dev/fuse rw,
-
+  owner @{tmp}/tmp* rw,
+  owner @{tmp}/#@{int} rw,
 
   profile fusermount {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
-
-    # To mount anything:
-    capability sys_admin,
-
-    #
-    capability dac_read_search,
-
-    @{bin}/fusermount{,3} mr,
+    include <abstractions/app/fusermount>
 
     mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
     mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,
     mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/,
 
-    /etc/fuse.conf r,
-
-    /dev/fuse rw,
-
-    @{PROC}/@{pid}/mounts r,
+    umount @{HOME}/*/,
+    umount @{HOME}/*/*/,
+    umount @{user_cache_dirs}/*/*/,
 
     include if exists <local/jmtpfs_fusermount>
   }
diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs
index dab3593b6..aaf34d49c 100644
--- a/apparmor.d/profiles-s-z/s3fs
+++ b/apparmor.d/profiles-s-z/s3fs
@@ -38,10 +38,7 @@ profile s3fs @{exec_path} {
 
   profile fusermount {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
-
-    capability dac_read_search,
-    capability sys_admin,
+    include <abstractions/app/fusermount>
 
     network inet stream,
     network inet6 stream,
@@ -52,19 +49,11 @@ profile s3fs @{exec_path} {
     umount @{MOUNTS}/,
     umount @{MOUNTS}/*/,
 
-    @{bin}/fusermount{,3} mr,
-
-    /etc/fuse.conf r,
-
     @{MOUNTS}/ r,
     @{MOUNTS}/*/ r,
 
     owner @{tmp}/s3fstmp.* rw,
 
-    @{PROC}/@{pids}/mounts r,
-
-    /dev/fuse rw,
-
     include if exists <local/s3fs_fusermount>
   }
 
diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage
index 76f11b9d1..88c44287d 100755
--- a/apparmor.d/profiles-s-z/wechat-appimage
+++ b/apparmor.d/profiles-s-z/wechat-appimage
@@ -69,27 +69,14 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
 
   profile fusermount {
     include <abstractions/base>
-    include <abstractions/consoles>
-    include <abstractions/nameservice-strict>
-
-    capability dac_override,
-    capability dac_read_search,
-    capability sys_admin,
+    include <abstractions/app/fusermount>
 
     mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) -> @{tmp}/.mount_wechat@{word6}/,
 
     umount @{tmp}/.mount_wechat@{word6}/,
 
-    @{bin}/fusermount{,3} mr,
-
     @{lib_dirs}/wechat-appimage.AppImage r,
 
-    @{PROC}/@{pid}/mounts r,
-
-    /etc/fuse.conf r,
-
-    /dev/fuse rw,
-
     include if exists <local/wechat-appimage_fusermount>
   }