Allow read access to firmware information

Update the apparmor profile for nova-compute to allow it to read the firmware configuration information for qemu. This is necessary in order to launch instances using UEFI when apparmor enforcement is enabled. Closes-Bug: #1958686 Change-Id: I7d9152dcc684923600c40ff0227c3c3eaafa7574
2022-01-21 15:52:36 -07:00 · 2022-01-21 15:52:36 -07:00 · f4eeb0650a
commit f4eeb0650a
parent 330086cb71
1 changed files with 2 additions and 0 deletions
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@ -50,6 +50,7 @@
  /etc/multipath/bindings wrk,
  /etc/multipath/wwids wrk,
  /etc/nova/** r,
+  /etc/qemu/firmware/{,**} r,
  /etc/ssh/ssh_config r,
  /etc/ssl/openssl.cnf r,
  /etc/sudoers r,
@ -126,6 +127,7 @@
  /usr/lib{,32,64}/** mrw,
  /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mrw,
  /var/lib/contrail/ports/* rw,
+  /usr/share/qemu/firmware/{,**} r,
  /var/lib/nova/ r,
  /var/lib/nova/** rwk,
 {% if virt_type == 'lxd' %}