From c41b443548ecd91c16539924fb432dca8a6519b2 Mon Sep 17 00:00:00 2001
From: Felipe Reyes
Date: Thu, 12 Oct 2023 11:50:30 -0300
Subject: [PATCH] AppArmor policy update for NVMeoF

When using NVMeoF feature with nova-compute apparmor in enforce mode, nova-compute is denied from running /usr/sbin/nvme and /usr/sbin/blkid, and reading /etc/nvme/hostnqn.

Change-Id: Ia23fbf341d5b7ad469337d8a0c65c18ec519a891
Closes-Bug: #2039161
(cherry picked from commit 0f9c730817b4f175e617ab5ce362bf9ff5157092)
(cherry picked from commit 557c47f37baa83e96f5618ae0a46a554897977b4)
---
 templates/usr.bin.nova-compute | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/templates/usr.bin.nova-compute b/templates/usr.bin.nova-compute
index 807c1bb4..5762473c 100644
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@@ -166,4 +166,7 @@
 /etc/magic r,
 /sys/devices/virtual/dmi/** r,
 /usr/sbin/dmidecode rix,
+ /usr/sbin/blkid rix,
+ /usr/sbin/nvme rix,
+ /etc/nvme/hostnqn r,
 }
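Review bot: The `rix` mode on `/usr/sbin/nvme` and `/usr/sbin/blkid` makes both tools run under the nova-compute profile itself, so every file and device they open must also be allowed by this profile, and the hunk grants only `/etc/nvme/hostnqn r,` for that. The rest of the profile lies outside this hunk, so it cannot be seen here whether the other paths nvme and blkid open are already covered; an NVMeoF attach in enforce mode followed by a check of the audit log for remaining `apparmor="DENIED"` entries would confirm it. Keeping inherit-execute rather than an unconfined transition is the right least-privilege choice and should not be loosened if more denials appear; add the specific paths instead. The three rules apply to every deployment of this template whether or not NVMeoF is used, so a comment above them would help later audits, for example `# NVMeoF: nvme and blkid run confined by this profile (ix); hostnqn is read-only`.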