adds missing entries in the apparmor profiles

Change-Id: I030ccdd267f67844ff2cea328ae1d3d0275c949b
2017-07-06 09:55:24 +02:00 · 2017-07-06 09:55:24 +02:00 · 4e4597e591
commit 4e4597e591
parent 36f4269596
5 changed files with 21 additions and 0 deletions
--- a/templates/usr.bin.neutron-dhcp-agent
+++ b/templates/usr.bin.neutron-dhcp-agent
@ -15,11 +15,16 @@
  /{,usr/}bin/** rix,

  /etc/neutron/** r,
+  /etc/magic r,
  /etc/mime.types r,
  /var/lib/neutron/** rwk,
  /var/log/neutron/** rwk,
  /{,var/}run/neutron/** rwk,
  /{,var/}run/lock/neutron/** rwk,
+  /run/uuidd/request rw,
+
+  /usr/share/file/magic.mgc r,
+  /usr/share/file/magic/ r,

  # Allow unconfined sudo to support oslo.rootwrap
  # profile makes no attempt to restrict this as this
--- a/templates/usr.bin.neutron-l3-agent
+++ b/templates/usr.bin.neutron-l3-agent
@ -15,11 +15,16 @@
  /{,usr/}bin/** rix,

  /etc/neutron/** r,
+  /etc/magic r,
  /etc/mime.types r,
  /var/lib/neutron/** rwk,
  /var/log/neutron/** rwk,
  /{,var/}run/neutron/** rwk,
  /{,var/}run/lock/neutron/** rwk,
+  /run/uuidd/request rw,
+
+  /usr/share/file/magic.mgc r,
+  /usr/share/file/magic/ r,

  # Allow unconfined sudo to support oslo.rootwrap
  # profile makes no attempt to restrict this as this
--- a/templates/usr.bin.neutron-metadata-agent
+++ b/templates/usr.bin.neutron-metadata-agent
@ -15,11 +15,14 @@
  /{,usr/}bin/** rix,

  /etc/neutron/** r,
+  /etc/magic r,
  /etc/mime.types r,
  /var/lib/neutron/** rwk,
  /var/log/neutron/** rwk,
  /{,var/}run/neutron/** rwk,
  /{,var/}run/lock/neutron/** rwk,
+  /usr/share/file/magic.mgc r,
+  /usr/share/file/magic/ r,

  # Allow unconfined sudo to support oslo.rootwrap
  # profile makes no attempt to restrict this as this
--- a/templates/usr.bin.neutron-metering-agent
+++ b/templates/usr.bin.neutron-metering-agent
@ -15,12 +15,16 @@
  /{,usr/}bin/** rix,

  /etc/neutron/** r,
+  /etc/magic r,
  /etc/mime.types r,
  /var/lib/neutron/** rwk,
  /var/log/neutron/** rwk,
  /{,var/}run/neutron/** rwk,
  /{,var/}run/lock/neutron/** rwk,

+  /usr/share/file/magic.mgc r,
+  /usr/share/file/magic/ r,
+
  # Allow unconfined sudo to support oslo.rootwrap
  # profile makes no attempt to restrict this as this
  # is limited by the appropriate rootwrap configuration.
--- a/templates/usr.bin.neutron-openvswitch-agent
+++ b/templates/usr.bin.neutron-openvswitch-agent
@ -15,6 +15,7 @@
  /{,usr/}bin/** rix,

  /etc/neutron/** r,
+  /etc/magic r,
  /etc/mime.types r,
  /etc/udev/udev.conf r,
  /var/lib/neutron/** rwk,
@ -25,6 +26,9 @@
  /run/uuidd/request rw,
  /sys/kernel/uevent_seqnum r,

+  /usr/share/file/magic.mgc r,
+  /usr/share/file/magic/ r,
+
  # Allow unconfined sudo to support oslo.rootwrap
  # profile makes no attempt to restrict this as this
  # is limited by the appropriate rootwrap configuration.