charm-neutron-gateway/templates/usr.bin.nova-api-metadata
David Ames a59b4d606f Apparmor profiles for Queens
Apparmor profiles were limiting queens deployments of neutron-gateway
when aa-profile-mode was set to enforce. It led to failed instance
deployments due to neutron agents failing to execute their necessary
functions.

This change updates the profiles to be Queens ready.

Closes-Bug: #1761536

Change-Id: I2e08a2de9e4ae8139ab8e4be131631883652d029
2018-04-25 21:37:52 +00:00

53 lines
1.2 KiB
Plaintext

# Last Modified: Fri Apr 1 16:26:34 2016
# Mode: {{aa_profile_mode}}
#include <tunables/global>
/usr/bin/nova-metadata-api {
#include <abstractions/base>
#include <abstractions/python>
#include <abstractions/nameservice>
#include <abstractions/bash>
/usr/bin/nova-metadata-api r,
/sbin/ldconfig* rix,
/{,usr/}bin/ r,
/{,usr/}bin/** rix,
/etc/nova/** r,
/var/lib/nova/** rwk,
/var/log/nova/** rwk,
/{,var/}run/nova/** rwk,
/{,var/}run/lock/nova/** rwk,
# Allow unconfined sudo to support oslo.rootwrap
# profile makes no attempt to restrict this as this
# is limited by the appropriate rootwrap configuration.
/usr/bin/sudo Ux,
# Allow ip to run unrestricted for unpriviledged commands
/{,s}bin/ip Ux,
/tmp/* rw,
/tmp/** rw,
/var/tmp/* a,
# Required for parsing of managed process cmdline arguments
/proc/*/cmdline r,
# Required for assessment of current state of networking
/proc/sys/net/** r,
{% if ubuntu_release <= '12.04' %}
/proc/*/mounts r,
/proc/*/status r,
/proc/*/ns/net r,
{% else %}
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/ns/net r,
{% endif %}
}