charm-ceph-osd/files/apparmor/usr.bin.ceph-osd


# vim:syntax=apparmor
#include <tunables/global>
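/usr/bin/ceph-osd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  # NOTE(review): ceph-osd is a native binary; the python abstraction is
  # kept as-is, but confirm it is still needed before removing it.
  #include <abstractions/python>

  # The OSD binary itself.
  /usr/bin/ceph-osd mr,

  # setuid/setgid let the daemon change its own identity; the two DAC
  # capabilities let it open paths and device nodes it does not own.
  capability setgid,
  capability setuid,
  capability dac_override,
  capability dac_read_search,

  # Only stream (TCP) sockets, v4 and v6; no raw or datagram sockets.
  network inet stream,
  network inet6 stream,

  # Cluster configuration and keyrings. Read-only on purpose: keyrings
  # are secrets and nothing here should ever be granted w.
  /etc/ceph/* r,
  /var/lib/charm/*/ceph.conf r,

  # procfs: own-process introspection (owner-restricted) plus a handful
  # of global read-only nodes.
  owner @{PROC}/@{pids}/auxv r,
  owner @{PROC}/@{pids}/net/dev r,
  owner @{PROC}/@{pids}/task/*/comm rw,
  @{PROC}/loadavg r,
  @{PROC}/1/cmdline r,
  @{PROC}/partitions r,
  @{PROC}/sys/kernel/random/uuid r,

  # OSD data stores and journals (lock and link needed), logs, and
  # runtime state under /run/ceph (admin socket, pid files).
  /var/lib/ceph/** rwkl,
  /srv/ceph/** rwkl,
  /var/log/ceph/* rwk,
  /{,var/}run/ceph/* rwk,
  /{,var/}tmp/ r,

  # Raw block devices for OSD data and journals. The /dev/** glob is
  # deliberately broad because device names are host-specific, but it
  # would also cover the kernel memory and I/O-port devices, which the
  # OSD has no need for. Those are denied explicitly; deny rules win
  # over allow rules regardless of order.
  /dev/ r,
  /dev/** rwk,
  deny /dev/mem rw,
  deny /dev/kmem rw,
  deny /dev/port rw,

  # Device discovery: udev database, sysfs, blkid cache.
  /run/udev/data/* r,
  /sys/devices/** r,
  /run/blkid/blkid.tab r,

  # Release detection. NOTE(review): rix keeps dash and lsb_release inside
  # this profile with its full permission set (including /dev/** rwk); a
  # Cx child would be tighter if that is all they are used for — confirm
  # before changing.
  /bin/dash rix,
  /usr/bin/lsb_release rix,
  /usr/share/distro-info/** r,
  /etc/lsb-release r,
  /etc/debian_version r,

  # Disk tooling is launched through sudo under a dedicated, narrower
  # named profile instead of inheriting this one.
  /usr/bin/sudo Px -> ceph-osd-sudo,
}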
profile ceph-osd-sudo flags=(attach_disconnected) {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # Capabilities sudo uses: identity change, audit record emission and
  # overriding resource limits for the target command.
  capability audit_write,
  capability setgid,
  capability setuid,
  capability sys_resource,

  # The sudo binary and its plugins.
  /usr/bin/sudo r,
  /usr/libexec/sudo/* mr,

  # sudo policy and configuration, read-only.
  /etc/sudo.conf r,
  /etc/sudoers r,
  /etc/sudoers.d/{,*} r,

  # Environment and resource-limit inputs sudo reads before exec.
  /etc/default/locale r,
  /etc/environment r,
  /etc/security/limits.d/{,*} r,
  owner @{PROC}/1/limits r,
  owner @{PROC}/@{pids}/stat r,

  # Only these two commands may be launched; each runs under its own
  # child profile below rather than inheriting this one.
  /usr/sbin/nvme Cx,
  /usr/sbin/smartctl Cx,

  profile /usr/sbin/nvme {
    #include <abstractions/base>
    /usr/sbin/nvme r,
    # NOTE(review): no /dev or /sys access is granted here, so any
    # invocation that opens an NVMe device node would be denied by this
    # child profile — confirm against what the charm actually runs.
  }

  profile /usr/sbin/smartctl {
    #include <abstractions/base>
    # SMART queries are passthrough ioctls on the device node, which the
    # kernel typically gates behind CAP_SYS_RAWIO/CAP_SYS_ADMIN. CAP_SYS_ADMIN
    # is broad, so keep this child profile's file access minimal.
    capability sys_admin,
    capability sys_rawio,
    /usr/sbin/smartctl r,
    /var/lib/smartmontools/** r,
    /dev/* r,
    /sys/devices/** r,
  }
}