From 87e82b15056f66956d583eab389713eeb76a63c4 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Thu, 1 May 2025 20:15:24 +0200
Subject: [PATCH] fix(profile): modernise fuse-overlayfs.

fix  #726
---
 apparmor.d/profiles-a-f/fuse-overlayfs | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs
index da61184a3..91b279d20 100644
--- a/apparmor.d/profiles-a-f/fuse-overlayfs
+++ b/apparmor.d/profiles-a-f/fuse-overlayfs
@@ -10,14 +10,21 @@ include <tunables/global>
 profile fuse-overlayfs @{exec_path} {
   include <abstractions/base>
 
-  capability sys_admin,
+  capability chown,
   capability dac_override,
   capability dac_read_search,
-  capability chown,
+  capability fowner,
+  capability setfcap,
+  capability setuid,
+  capability sys_admin,
+
+  mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **,
+  mount fstype=fuse.overlayfs  options=(rw,nodev,noatime) fuse-overlayfs -> @{user_share_dirs}/containers/storage/overlay/**/merged/,
 
   @{exec_path} mr,
 
-  mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **,
+  @{bin}/mount          rix,
+  @{bin}/umount         rix,
 
   owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl,