From 6e3e557a0a097d79f0eaac9453e45e142fa1a24e Mon Sep 17 00:00:00 2001
From: James Page <james.page@ubuntu.com>
Date: Mon, 14 May 2018 09:24:43 +0100
Subject: [PATCH] apparmor: Misc fixes for lbaasv2 profile

Ensure that profiles are correctly applied in network
namespace using profile flag.

Allow lbaasv2 agent binary to read /proc/*/stat to support
monitoring of haproxy instances.

Change-Id: Ifc3388e894db998bfad8e5998a02120222d9e3ae
Closes-Bug: 1770040
---
 templates/usr.bin.neutron-lbaasv2-agent | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/templates/usr.bin.neutron-lbaasv2-agent b/templates/usr.bin.neutron-lbaasv2-agent
index ac02f9ad..99fa551c 100644
--- a/templates/usr.bin.neutron-lbaasv2-agent
+++ b/templates/usr.bin.neutron-lbaasv2-agent
@@ -2,7 +2,7 @@
 # Mode: {{aa_profile_mode}}
 #include <tunables/global>
 
-/usr/bin/neutron-lbaasv2-agent {
+/usr/bin/neutron-lbaasv2-agent flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/python>
   #include <abstractions/nameservice>
@@ -52,4 +52,7 @@
   owner @{PROC}/@{pid}/status r,
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/ns/net r,
+  # Allow subprocess stat for management of haproxy instances
+  # which are owned by 'nobody'
+  @{PROC}/*/stat r,
 }