apparmor: Misc fixes for lbaasv2 profile

Ensure that profiles are correctly applied in network
namespace using profile flag.

Allow lbaasv2 agent binary to read /proc/*/stat to support
monitoring of haproxy instances.

Change-Id: Ifc3388e894db998bfad8e5998a02120222d9e3ae
Closes-Bug: 1770040
James Page 2018-05-14 09:24:43 +01:00
parent 47b025fe14
commit 6e3e557a0a


@ -2,7 +2,7 @@
# Mode: {{aa_profile_mode}} # Mode: {{aa_profile_mode}}
#include <tunables/global> #include <tunables/global>
/usr/bin/neutron-lbaasv2-agent { /usr/bin/neutron-lbaasv2-agent flags=(attach_disconnected) {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/python> #include <abstractions/python>
#include <abstractions/nameservice> #include <abstractions/nameservice>
@ -52,4 +52,7 @@
owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/ns/net r, owner @{PROC}/@{pid}/ns/net r,
# Allow subprocess stat for management of haproxy instances
# which are owned by 'nobody'
@{PROC}/*/stat r,
} }
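Review bot: The added rule `@{PROC}/*/stat r,` in the second hunk drops the `owner` qualifier for every entry under /proc, not only for the haproxy children its comment names, so the agent can read the stat file of any process visible to it. AppArmor file rules cannot select a specific other uid, so some widening is unavoidable here, but the glob can be kept to process ids like the neighbouring rules: `@{PROC}/@{pid}/stat r,`. The comment should also state that the rule is deliberately not owner-restricted and covers all visible processes, so a later reader does not assume it is scoped to haproxy. Separately, `flags=(attach_disconnected)` in the first hunk carries no comment in the profile; a line such as `# attach_disconnected: required when the agent runs inside network namespaces (bug 1770040)` would record why the flag is set.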