Allow nova-compute to read through cpu attributes

LXD requires access to CPU attributes that are currently not allowed in AppArmor profile. This change allows access to those attributes. It also adds virt_type to NovaComputeAppArmor context. It then uses this to provide nova-compute with access to LXD's socket. Change-Id: I78d18dcf37f6195ea1ceec1029ddfac44a4a1b33 Closes-Bug: 1675803
2017-03-24 16:07:09 +01:00 · 2017-03-24 16:07:09 +01:00 · d673f94097
commit d673f94097
parent c5448acb58
2 changed files with 5 additions and 0 deletions
--- a/hooks/nova_compute_context.py
+++ b/hooks/nova_compute_context.py
@ -643,6 +643,7 @@ class NovaComputeAppArmorContext(context.AppArmorContext):
        super(NovaComputeAppArmorContext, self).__call__()
        if not self.ctxt:
            return self.ctxt
+        self._ctxt.update({'virt_type': config('virt-type')})
        self._ctxt.update({'aa_profile': self.aa_profile})
        return self.ctxt

--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@ -50,6 +50,7 @@
  /sbin/xtables-multi rix,
  /sys/block/ r,
  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/** r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/** r,
  /sys/devices/virtual/block/nbd*/ r,
@ -61,6 +62,9 @@
  /usr/lib{,32,64}/** mrw,
  /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mrw,
  /var/lib/nova/** rwk,
+{% if virt_type == 'lxd' %}
+  /var/lib/lxd/unix.socket rw,
+{% endif %}
  /var/log/nova/nova-compute.log w,
  /var/run/libvirt/* rw,
  /var/run/libvirt/libvirt-sock rw,