charm-neutron-gateway/templates/usr.bin.nova-api-metadata
David Ames 83d0ad0238 Add apparmor template for neutron services
Add support for application of apparmor profiles to
neutron and nova daemons that run on neutron-gateway
units.

By default this is disabled but may be enabled by setting
the aa-profile-mode option to ether 'complain' or 'enforce'.

Note that the apparmor profiles do not try to reproduce the
permissions required for all operations that may be undertaken
using oslo.rootwrap; daemons are granted permission to run
'sudo' without any apparmor based restrictions.

Change-Id: Ibe568a46ee4c1f1148c162f0f0b2907153770efe
2016-09-28 23:06:50 +00:00

50 lines
1.1 KiB
Plaintext

# Last Modified: Fri Apr 1 16:26:34 2016
# Mode: {{aa_profile_mode}}
#include <tunables/global>
/usr/bin/nova-metadata-api {
#include <abstractions/base>
#include <abstractions/python>
#include <abstractions/nameservice>
/usr/bin/nova-metadata-api r,
/sbin/ldconfig* rix,
/{,usr/}bin/ r,
/{,usr/}bin/** rix,
/etc/nova/** r,
/var/lib/nova/** rwk,
/var/log/nova/** rwk,
/{,var/}run/nova/** rwk,
/{,var/}run/lock/nova/** rwk,
# Allow unconfined sudo to support oslo.rootwrap
# profile makes no attempt to restrict this as this
# is limited by the appropriate rootwrap configuration.
/usr/bin/sudo Ux,
# Allow ip to run unrestricted for unpriviledged commands
/{,s}bin/ip Ux,
/tmp/* rw,
/var/tmp/* a,
# Required for parsing of managed process cmdline arguments
/proc/*/cmdline r,
# Required for assessment of current state of networking
/proc/sys/net/** r,
{% if ubuntu_release <= '12.04' %}
/proc/*/mounts r,
/proc/*/status r,
/proc/*/ns/net r,
{% else %}
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/ns/net r,
{% endif %}
}