# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

# Profile for /bin/mount (and /sbin/mount). Confines the mount(8) binary
# itself; the filesystem-specific helpers it launches transition to their own
# profiles (see the rPx rules below).
#
# NOTE(review): the arguments of the `abi` and `include` directives (normally
# given in angle brackets) are missing here, most likely stripped by text
# extraction. Restore them from the upstream file before loading this profile;
# as written it will not parse.
abi ,

include

@{exec_path} = /{usr/,}{s,}bin/mount
# attach_disconnected: paths of files whose dentry is disconnected from the
# namespace root are treated as if attached, which mount operations commonly
# produce.
profile mount @{exec_path} flags=(attach_disconnected) {
  include
  include
  include
  include
  include

  # sys_admin is the capability mount(2) requires and is the broadest grant in
  # this profile; sys_rawio extends it to raw device access. The remaining
  # capabilities are presumably for user-mount ownership handling and helper
  # execution -- confirm each against audit logs before keeping it.
  capability chown,
  capability dac_read_search,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_rawio,

  # Unrestricted mount rule: no fstype, options, source or destination
  # constraint. A bare `mount,` permits any mount the kernel allows the
  # process; narrowing it (e.g. by fstype or to the mount-point paths listed
  # below) would be worth evaluating.
  mount,

  # Network access is not needed for local filesystems; presumably required
  # for network filesystem types handled in-process -- confirm.
  network inet stream,
  network inet6 stream,

  # Read-only ptrace access to processes confined by the k3s profile (no other
  # peer). Presumably needed when k3s invokes mount and mount inspects the
  # caller's /proc entries -- confirm why this peer in particular.
  ptrace (read) peer=k3s,

  # Accept TERM/KILL from any sender (no peer restriction).
  signal (receive) set=(term, kill),

  @{exec_path} mr,

  # Filesystem helpers run under their own named profile with the environment
  # scrubbed (Px), so this profile's grants do not leak into them.
  /{usr/,}{s,}bin/lowntfs-3g rPx,
  /{usr/,}{s,}bin/mount.* rPx,
  /{usr/,}bin/ntfs-3g rPx,
  /{usr/,}bin/sshfs rPx,

  /etc/fstab r,
  # Snap images are read here; presumably for loop-mounting them -- confirm.
  /var/lib/snapd/snaps/*.snap r,

  # Mount points: directories up to two levels below the user's home and the
  # configured mount root, plus the CD-ROM mount point (read-only).
  @{HOME}/ rw,
  @{HOME}/*/ rw,
  @{HOME}/*/*/ rw,
  @{MOUNTS}/ rw,
  @{MOUNTS}/*/ rw,
  @{MOUNTS}/*/*/ rw,
  /media/cdrom[0-9]/ r,

  # Mount iso/img files (owner-restricted so other users' images are not
  # reachable; k allows the file to be locked while mounted).
  owner @{user_img_dirs}/{,**} rwk,

  # Runtime mount table maintained by libmount, owner-restricted. utab.lock
  # only needs write + lock, never read.
  @{run}/ r,
  owner @{run}/mount/ rw,
  owner @{run}/mount/utab{,.*} rw,
  owner @{run}/mount/utab.lock wk,

  # Scratch squashfs paths in the shared /tmp with a predictable name pattern
  # and no owner restriction. Worth checking whether `owner` can be added
  # here, since anyone on the system can pre-create a matching path.
  /tmp/sanity-squashfs-[0-9]* rw,
  /tmp/syscheck-squashfs-[0-9]* rw,

  @{PROC}/@{pid}/mountinfo r,

  # The special /dev/loop-control file can be used to create and destroy loop
  # devices or to find the first available loop device.
  /dev/loop-control rw,

  # Site-local additions; silently skipped when the file is absent.
  include if exists
}