Apparmor profiles for Queens
AppArmor profiles were limiting Queens deployments of neutron-gateway when aa-profile-mode was set to enforce. This led to failed instance deployments because the neutron agents could not perform their necessary functions. This change updates the profiles to be Queens-ready. Closes-Bug: #1761536 Change-Id: I2e08a2de9e4ae8139ab8e4be131631883652d029
parent
2441950f44
commit
a59b4d606f
@ -6,6 +6,7 @@
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/python>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/bash>
|
||||
|
||||
/usr/bin/neutron-dhcp-agent r,
|
||||
|
||||
@ -37,6 +38,7 @@
|
||||
/{,s}bin/ip Ux,
|
||||
|
||||
/tmp/* rw,
|
||||
/tmp/** rw,
|
||||
/var/tmp/* a,
|
||||
|
||||
# Required for parsing of managed process cmdline arguments
|
||||
@ -47,6 +49,9 @@
|
||||
|
||||
/proc/version r,
|
||||
|
||||
# neutron-dhcp-agent needs to keep track of dnsmaq processes
|
||||
/proc/*/stat r,
|
||||
|
||||
{% if ubuntu_release <= '12.04' %}
|
||||
/proc/*/mounts r,
|
||||
/proc/*/status r,
|
||||
@ -54,6 +59,7 @@
|
||||
{% else %}
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/status r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/ns/net r,
|
||||
{% endif %}
|
||||
}
|
||||
|
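Review bot: `/tmp/** rw,` in the second hunk grants recursive read/write over everything under /tmp, including files created by other users on the host, and because `**` already matches everything `*` does, the neighbouring `/tmp/* rw,` becomes redundant once it is present; the hunk header shows one added line, and `/tmp/** rw,` appears to be it. If the agent only needs its own scratch files, `owner /tmp/** rw,` would keep the same style as the `owner @{PROC}/@{pid}/...` rules later in this profile. The same `/tmp/*` and `/tmp/**` pair appears in the neutron-l3-agent, neutron-lbaas-agent, neutron-metadata-agent, neutron-metering-agent, neutron-openvswitch-agent and nova-metadata-api sections below. Separately, the new unconditional `/proc/*/stat r,` in the third hunk already covers what `owner @{PROC}/@{pid}/stat r,` in the `{% else %}` branch allows, so that owner rule is now dead, and the accompanying comment has a typo: `# neutron-dhcp-agent needs to keep track of dnsmasq processes`.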
@ -6,6 +6,7 @@
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/python>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/bash>
|
||||
|
||||
/usr/bin/neutron-l3-agent r,
|
||||
|
||||
@ -35,6 +36,7 @@
|
||||
/{,s}bin/ip Ux,
|
||||
|
||||
/tmp/* rw,
|
||||
/tmp/** rw,
|
||||
/var/tmp/* a,
|
||||
|
||||
# Required for parsing of managed process cmdline arguments
|
||||
@ -45,6 +47,9 @@
|
||||
|
||||
/proc/version r,
|
||||
|
||||
# neutron-dhcp-agent needs to keep track of ns-metadata-proxy processes
|
||||
/proc/*/stat r,
|
||||
|
||||
{% if ubuntu_release <= '12.04' %}
|
||||
/proc/*/mounts r,
|
||||
/proc/*/status r,
|
||||
@ -52,6 +57,7 @@
|
||||
{% else %}
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/status r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/ns/net r,
|
||||
{% endif %}
|
||||
}
|
||||
|
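Review bot: The comment added in the third hunk names the wrong agent: this section is the neutron-l3-agent profile (see `/usr/bin/neutron-l3-agent r,` in the first hunk), so it should read `# neutron-l3-agent needs to keep track of ns-metadata-proxy processes`. A copied comment like this is how the next maintainer ends up widening the wrong profile, so it is worth fixing before the unconditional `/proc/*/stat r,` rule beneath it is taken as justified for a different process.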
@ -6,6 +6,7 @@
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/python>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/bash>
|
||||
|
||||
/usr/bin/neutron-lbaas-agent r,
|
||||
|
||||
@ -17,12 +18,16 @@
|
||||
/usr/bin/** rix,
|
||||
|
||||
/etc/neutron/** r,
|
||||
/etc/magic r,
|
||||
/etc/mime.types r,
|
||||
/var/lib/neutron/** rwk,
|
||||
/var/log/neutron/** rwk,
|
||||
/{,var/}run/neutron/** rwk,
|
||||
/{,var/}run/lock/neutron/** rwk,
|
||||
|
||||
/usr/share/file/magic.mgc r,
|
||||
/usr/share/file/magic/ r,
|
||||
|
||||
# Allow unconfined sudo to support oslo.rootwrap
|
||||
# profile makes no attempt to restrict this as this
|
||||
# is limited by the appropriate rootwrap configuration.
|
||||
@ -32,6 +37,7 @@
|
||||
/{,s}bin/ip Ux,
|
||||
|
||||
/tmp/* rw,
|
||||
/tmp/** rw,
|
||||
/var/tmp/* a,
|
||||
|
||||
# Required for parsing of managed process cmdline arguments
|
||||
@ -44,5 +50,6 @@
|
||||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/status r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/ns/net r,
|
||||
}
|
||||
|
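Review bot: `/usr/share/file/magic/ r,` in the second hunk, with its trailing slash, only permits reading the directory entry itself, not the files inside it; if libmagic is expected to read the uncompiled magic fragments there, the rule would have to be `/usr/share/file/magic/** r,`. If in practice only the compiled `/usr/share/file/magic.mgc r,` is read and the directory rule just silences a directory open, a one-line comment such as `# libmagic opens the directory; contents are read from magic.mgc` would stop a later maintainer from widening it unnecessarily. Which of the lines in this hunk are the four additions cannot be told from the rendered view.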
@ -6,6 +6,7 @@
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/python>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/bash>
|
||||
|
||||
/usr/bin/neutron-metadata-agent r,
|
||||
|
||||
@ -33,6 +34,7 @@
|
||||
/{,s}bin/ip Ux,
|
||||
|
||||
/tmp/* rw,
|
||||
/tmp/** rw,
|
||||
/var/tmp/* a,
|
||||
|
||||
# Required for parsing of managed process cmdline arguments
|
||||
@ -50,6 +52,7 @@
|
||||
{% else %}
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/status r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/ns/net r,
|
||||
{% endif %}
|
||||
}
|
||||
|
@ -6,6 +6,7 @@
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/python>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/bash>
|
||||
|
||||
/usr/bin/neutron-metering-agent r,
|
||||
|
||||
@ -34,6 +35,7 @@
|
||||
/{,s}bin/ip Ux,
|
||||
|
||||
/tmp/* rw,
|
||||
/tmp/** rw,
|
||||
/var/tmp/* a,
|
||||
|
||||
# Required for parsing of managed process cmdline arguments
|
||||
@ -51,6 +53,7 @@
|
||||
{% else %}
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/status r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/ns/net r,
|
||||
{% endif %}
|
||||
}
|
||||
|
@ -6,6 +6,7 @@
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/python>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/bash>
|
||||
|
||||
/usr/bin/neutron-openvswitch-agent r,
|
||||
|
||||
@ -39,6 +40,7 @@
|
||||
/{,s}bin/ps Ux,
|
||||
|
||||
/tmp/* rw,
|
||||
/tmp/** rw,
|
||||
/var/tmp/* a,
|
||||
|
||||
# Required for parsing of managed process cmdline arguments
|
||||
@ -52,6 +54,7 @@
|
||||
{% if ubuntu_release <= '12.04' %}
|
||||
/proc/*/mounts r,
|
||||
/proc/*/status r,
|
||||
/proc/*/stat r,
|
||||
/proc/*/ns/net r,
|
||||
{% else %}
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
@ -6,6 +6,7 @@
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/python>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/bash>
|
||||
|
||||
/usr/bin/nova-metadata-api r,
|
||||
|
||||
@ -29,6 +30,7 @@
|
||||
/{,s}bin/ip Ux,
|
||||
|
||||
/tmp/* rw,
|
||||
/tmp/** rw,
|
||||
/var/tmp/* a,
|
||||
|
||||
# Required for parsing of managed process cmdline arguments
|
||||
@ -44,6 +46,7 @@
|
||||
{% else %}
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/status r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/ns/net r,
|
||||
{% endif %}
|
||||
}
|
||||
|