From 0b7cba99e9cacf4acc8cac794b6506b53bfa4727 Mon Sep 17 00:00:00 2001
From: Nobuto Murata
Date: Fri, 20 Oct 2023 23:12:10 +0900
Subject: [PATCH] Allow ceph device scrape-health-metrics

Ceph has a function to collect health metrics through smartctl or nvme command out of the box. And it relies on sudo spawned from the ceph-osd process so it needs to be considered in the apparmor policy.
[/etc/sudoers.d/ceph-smartctl in ceph-base package]
> ## allow ceph daemons (which run as user ceph) to collect device
> ## health metrics
>
> ceph ALL=NOPASSWD: /usr/sbin/smartctl -x --json=o /dev/*
> ceph ALL=NOPASSWD: /usr/sbin/nvme * smart-log-add --json /dev/*
Closes-Bug: #2031637
Change-Id: I981a5db0fd49eca83aa8a619f0cbd0d34a533842
---
 files/apparmor/usr.bin.ceph-osd | 52 +++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/files/apparmor/usr.bin.ceph-osd b/files/apparmor/usr.bin.ceph-osd
index 95846077..960dad95 100644
--- a/files/apparmor/usr.bin.ceph-osd
+++ b/files/apparmor/usr.bin.ceph-osd
@@ -38,6 +38,7 @@
 /dev/ r,
 /dev/** rwk,
+ /run/udev/data/* r,
 /sys/devices/** r,
 /run/blkid/blkid.tab r,
@@ -48,4 +49,55 @@
 /usr/share/distro-info/** r,
 /etc/lsb-release r,
 /etc/debian_version r,
+
+ /usr/bin/sudo Px -> ceph-osd-sudo,
+}
+
+profile ceph-osd-sudo flags=(attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+
+ capability audit_write,
+ capability setgid,
+ capability setuid,
+ capability sys_resource,
+
+ /usr/bin/sudo r,
+ /usr/libexec/sudo/* mr,
+
+ /etc/default/locale r,
+ /etc/environment r,
+ /etc/security/limits.d/ r,
+ /etc/security/limits.d/* r,
+ /etc/sudo.conf r,
+ /etc/sudoers r,
+ /etc/sudoers.d/ r,
+ /etc/sudoers.d/* r,
+
+ owner @{PROC}/1/limits r,
+ owner @{PROC}/@{pids}/stat r,
+
+ /usr/sbin/nvme Cx,
+ /usr/sbin/smartctl Cx,
+
+ profile /usr/sbin/nvme {
+ #include
+
+ /usr/sbin/nvme r,
+ }
+
+ profile /usr/sbin/smartctl {
+ #include
+
+ capability sys_admin,
+ capability sys_rawio,
+
+ /usr/sbin/smartctl r,
+ /var/lib/smartmontools/** r,
+
+ /dev/* r,
+ /sys/devices/** r,
+ }
 }
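Review bot: The `profile /usr/sbin/nvme` child grants only `/usr/sbin/nvme r,`, yet the sudoers rule quoted in the description invokes `nvme * smart-log-add --json /dev/*`, which has to open the device node it is handed; unless the abstraction included in that child already covers it (the include targets are not visible in this rendering), the open will be denied and the NVMe health scrape will fail while the smartctl path keeps working. Mirroring the smartctl child with a narrower `/dev/nvme* r,` looks like the minimal fix, and the admin passthrough ioctl that smart-log uses presumably also needs `capability sys_admin,` in that child, as the smartctl child already has — confirm against the AppArmor audit log on a host with an NVMe OSD rather than guessing. Keeping the device pattern as tight as the sudoers rule allows preserves the point of the separate ceph-osd-sudo profile, which is that root obtained through sudo stays limited to these two tools.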