diff --git a/templates/usr.bin.neutron-dhcp-agent b/templates/usr.bin.neutron-dhcp-agent
index 0ba0441b..c7fcb03f 100644
--- a/templates/usr.bin.neutron-dhcp-agent
+++ b/templates/usr.bin.neutron-dhcp-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 /usr/bin/neutron-dhcp-agent r,
@@ -37,6 +38,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+/tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -47,6 +49,9 @@
 /proc/version r,
+# neutron-dhcp-agent needs to keep track of dnsmaq processes
+/proc/*/stat r,
+
 {% if ubuntu_release <= '12.04' %}
 /proc/*/mounts r,
 /proc/*/status r,
@@ -54,6 +59,7 @@
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 {% endif %}
 }
diff --git a/templates/usr.bin.neutron-l3-agent b/templates/usr.bin.neutron-l3-agent
index b9c197fe..351a3b22 100644
--- a/templates/usr.bin.neutron-l3-agent
+++ b/templates/usr.bin.neutron-l3-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 /usr/bin/neutron-l3-agent r,
@@ -35,6 +36,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+/tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -45,6 +47,9 @@
 /proc/version r,
+# neutron-dhcp-agent needs to keep track of ns-metadata-proxy processes
+/proc/*/stat r,
+
 {% if ubuntu_release <= '12.04' %}
 /proc/*/mounts r,
 /proc/*/status r,
@@ -52,6 +57,7 @@
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 {% endif %}
 }
diff --git a/templates/usr.bin.neutron-lbaasv2-agent b/templates/usr.bin.neutron-lbaasv2-agent
index 8763ce3a..ac02f9ad 100644
--- a/templates/usr.bin.neutron-lbaasv2-agent
+++ b/templates/usr.bin.neutron-lbaasv2-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 /usr/bin/neutron-lbaas-agent r,
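Review bot: `/tmp/** rw,` in the dhcp-agent hunk at @@ -37,6 +38,7 @@ is added without the `owner` qualifier, so the confined agent may read and write any file under /tmp regardless of which uid created it, while the same profile already scopes its /proc access with `owner @{PROC}/@{pid}/...`; the l3-agent, lbaasv2-agent, metadata-agent, metering-agent, openvswitch-agent and nova-api-metadata hunks add the identical line. If the agents only touch scratch files they create themselves, `owner /tmp/** rw,` keeps that least-privilege pattern and still covers nested paths. Because `**` also matches a single path component, the existing `/tmp/* rw,` appears to be subsumed by the new rule; keeping both is harmless, but a short comment naming what the agent writes below /tmp would explain why the recursive rule became necessary.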
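Review bot: `/proc/*/stat r,` in the dhcp-agent hunk at @@ -47,6 +49,9 @@ is placed before `{% if ubuntu_release <= '12.04' %}`, so it is rendered for every release and grants read on every process's stat file, which leaves the `owner @{PROC}/@{pid}/stat r,` added in the else branch at @@ -54,6 +59,7 @@ fully subsumed and its `owner` restriction without effect; the l3-agent hunks at @@ -45,6 +47,9 @@ and @@ -52,6 +57,7 @@ have the same layout. If the unconditional rule is deliberate because the tracked dnsmasq and ns-metadata-proxy processes run under a different uid than the agent, saying so in the comment would stop a later cleanup from tightening it; otherwise the line belongs inside the 12.04 branch, as the openvswitch-agent hunk does. The l3-agent comment also names the wrong agent and the dhcp-agent one misspells dnsmasq: `# neutron-l3-agent needs to keep track of ns-metadata-proxy processes` and `# neutron-dhcp-agent needs to keep track of dnsmasq processes`.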
@@ -17,12 +18,16 @@
 /usr/bin/** rix,
 /etc/neutron/** r,
+/etc/magic r,
 /etc/mime.types r,
 /var/lib/neutron/** rwk,
 /var/log/neutron/** rwk,
 /{,var/}run/neutron/** rwk,
 /{,var/}run/lock/neutron/** rwk,
+/usr/share/file/magic.mgc r,
+/usr/share/file/magic/ r,
+
 # Allow unconfined sudo to support oslo.rootwrap
 # profile makes no attempt to restrict this as this
 # is limited by the appropriate rootwrap configuration.
@@ -32,6 +37,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+/tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -44,5 +50,6 @@
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 }
diff --git a/templates/usr.bin.neutron-metadata-agent b/templates/usr.bin.neutron-metadata-agent
index c6159c78..1935e406 100644
--- a/templates/usr.bin.neutron-metadata-agent
+++ b/templates/usr.bin.neutron-metadata-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 /usr/bin/neutron-metadata-agent r,
@@ -33,6 +34,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+/tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -50,6 +52,7 @@
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 {% endif %}
 }
diff --git a/templates/usr.bin.neutron-metering-agent b/templates/usr.bin.neutron-metering-agent
index ed0e921f..91a5f9d9 100644
--- a/templates/usr.bin.neutron-metering-agent
+++ b/templates/usr.bin.neutron-metering-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 /usr/bin/neutron-metering-agent r,
@@ -34,6 +35,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+/tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -51,6 +53,7 @@
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 {% endif %}
 }
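Review bot: `/usr/share/file/magic/ r,` in the lbaasv2-agent hunk at @@ -17,12 +18,16 @@ ends in a slash, so it permits reading the directory entry only, not the files beneath it; if the magic database is ever loaded from the uncompiled sources in that directory instead of `/usr/share/file/magic.mgc`, that access would still be denied, and if only the compiled file is read the directory rule is unnecessary. Checking which path the denial that motivated the change actually named would settle it. The three magic-related rules (`/etc/magic`, `magic.mgc`, `magic/`) also carry no comment, unlike the rootwrap block right below them; a line such as `# presumably file(1)/libmagic database lookups – confirm which library reads these` would tell the next reader why a load-balancer agent reads file-type data.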
diff --git a/templates/usr.bin.neutron-openvswitch-agent b/templates/usr.bin.neutron-openvswitch-agent
index bc4bc614..9ed3593d 100644
--- a/templates/usr.bin.neutron-openvswitch-agent
+++ b/templates/usr.bin.neutron-openvswitch-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 /usr/bin/neutron-openvswitch-agent r,
@@ -39,6 +40,7 @@
 /{,s}bin/ps Ux,
 /tmp/* rw,
+/tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -52,6 +54,7 @@
 {% if ubuntu_release <= '12.04' %}
 /proc/*/mounts r,
 /proc/*/status r,
+/proc/*/stat r,
 /proc/*/ns/net r,
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
diff --git a/templates/usr.bin.nova-api-metadata b/templates/usr.bin.nova-api-metadata
index ae6be018..42115f40 100644
--- a/templates/usr.bin.nova-api-metadata
+++ b/templates/usr.bin.nova-api-metadata
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 /usr/bin/nova-metadata-api r,
@@ -29,6 +30,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+/tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -44,6 +46,7 @@
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 {% endif %}
 }
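Review bot: `/proc/*/stat r,` in the openvswitch-agent hunk at @@ -52,6 +54,7 @@ is added only inside the `{% if ubuntu_release <= '12.04' %}` branch, whereas every other profile in this diff adds `owner @{PROC}/@{pid}/stat r,` to the `{% else %}` branch; the else branch here runs past the end of the hunk, so it is not visible whether newer releases already carry an equivalent rule. If they do not, this agent would lack stat access on every release after 12.04 while the rest of the set gains it, and if they do, the same `owner @{PROC}/@{pid}/stat r,` line would make the profiles consistent. A one-line comment above the rule, in the style of the dhcp-agent hunk, stating which child processes the openvswitch agent tracks would also make the per-release placement easier to audit.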