83d0ad0238
Add support for application of apparmor profiles to neutron and nova daemons that run on neutron-gateway units. By default this is disabled but may be enabled by setting the aa-profile-mode option to either 'complain' or 'enforce'. Note that the apparmor profiles do not try to reproduce the permissions required for all operations that may be undertaken using oslo.rootwrap; daemons are granted permission to run 'sudo' without any apparmor based restrictions. Change-Id: Ibe568a46ee4c1f1148c162f0f0b2907153770efe
50 lines
1.1 KiB
Plaintext
# Last Modified: Fri Apr 1 16:26:34 2016
|
|
# Mode: {{aa_profile_mode}}
|
|
#include <tunables/global>
|
|
|
|
/usr/bin/nova-metadata-api {
|
|
#include <abstractions/base>
|
|
#include <abstractions/python>
|
|
#include <abstractions/nameservice>
|
|
|
|
/usr/bin/nova-metadata-api r,
|
|
|
|
/sbin/ldconfig* rix,
|
|
|
|
/{,usr/}bin/ r,
|
|
/{,usr/}bin/** rix,
|
|
|
|
/etc/nova/** r,
|
|
/var/lib/nova/** rwk,
|
|
/var/log/nova/** rwk,
|
|
/{,var/}run/nova/** rwk,
|
|
/{,var/}run/lock/nova/** rwk,
|
|
|
|
# Allow unconfined sudo to support oslo.rootwrap
|
|
# profile makes no attempt to restrict this as this
|
|
# is limited by the appropriate rootwrap configuration.
|
|
/usr/bin/sudo Ux,
|
|
|
|
# Allow ip to run unrestricted for unpriviledged commands
|
|
/{,s}bin/ip Ux,
|
|
|
|
/tmp/* rw,
|
|
/var/tmp/* a,
|
|
|
|
# Required for parsing of managed process cmdline arguments
|
|
/proc/*/cmdline r,
|
|
|
|
# Required for assessment of current state of networking
|
|
/proc/sys/net/** r,
|
|
|
|
{% if ubuntu_release <= '12.04' %}
|
|
/proc/*/mounts r,
|
|
/proc/*/status r,
|
|
/proc/*/ns/net r,
|
|
{% else %}
|
|
owner @{PROC}/@{pid}/mounts r,
|
|
owner @{PROC}/@{pid}/status r,
|
|
owner @{PROC}/@{pid}/ns/net r,
|
|
{% endif %}
|
|
}
|
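Review bot: The `/tmp/* rw,` and `/var/tmp/* a,` rules grant access to every file in the shared temp directories, not just those the daemon created, so a file placed there by another local user is readable and writable by the confined process; restricting them with the `owner` qualifier matches the pattern already used for the `@{PROC}` rules below them: `owner /tmp/* rw,` and `owner /var/tmp/* a,`. The profile header attaches to `/usr/bin/nova-metadata-api`, and AppArmor attaches only on an exact executable path match, so it is worth confirming against the installed package that the binary is at that path; if it is not, the profile never loads for the process and the aa-profile-mode setting silently has no effect in either mode. Since `/{,usr/}bin/** rix` already allows any binary under those directories to run under this profile, the two `Ux` rules are the only unconfined transitions, which the commit message documents for sudo but not for `ip`; a one-line comment stating why `ip` cannot run confined (inherited rules insufficient for netns operations, presumably) would help the next maintainer judge whether it can be tightened.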