From f4eeb0650ae548257e613c772e806b6b4748c4fa Mon Sep 17 00:00:00 2001
From: Billy Olsen
Date: Fri, 21 Jan 2022 15:52:36 -0700
Subject: [PATCH] Allow read access to firmware information

Update the apparmor profile for nova-compute to allow it to read the firmware configuration information for qemu. This is necessary in order to launch instances using UEFI when apparmor enforcement is enabled.

Closes-Bug: #1958686
Change-Id: I7d9152dcc684923600c40ff0227c3c3eaafa7574
---
 templates/usr.bin.nova-compute | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/templates/usr.bin.nova-compute b/templates/usr.bin.nova-compute
index b3353106..3369971f 100644
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@@ -50,6 +50,7 @@
 /etc/multipath/bindings wrk,
 /etc/multipath/wwids wrk,
 /etc/nova/** r,
+ /etc/qemu/firmware/{,**} r,
 /etc/ssh/ssh_config r,
 /etc/ssl/openssl.cnf r,
 /etc/sudoers r,
@@ -126,6 +127,7 @@
 /usr/lib{,32,64}/** mrw,
 /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mrw,
 /var/lib/contrail/ports/* rw,
+ /usr/share/qemu/firmware/{,**} r,
 /var/lib/nova/ r,
 /var/lib/nova/** rwk,
 {% if virt_type == 'lxd' %}
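Review bot: The new `/etc/qemu/firmware/{,**} r,` rule has no comment saying why nova-compute needs it, and the same is true of `/usr/share/qemu/firmware/{,**} r,` in the second hunk. Read-only access to the directory and its contents is a suitably narrow grant, but someone auditing the profile later cannot tell from the file that it exists for UEFI instance launch. I would add `# qemu firmware configuration, read when launching UEFI instances (bug #1958686)` above each rule. If the files in these directories refer to firmware images stored elsewhere and nova-compute opens those itself, they would need their own read rule; nothing in these hunks shows whether the profile already has one, so it is worth checking the audit log for remaining denials with enforcement on.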
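Review bot: In the second hunk, `/usr/share/qemu/firmware/{,**} r,` is inserted between `/var/lib/contrail/ports/* rw,` and `/var/lib/nova/ r,`, which breaks the path ordering the neighbouring rules follow. The first hunk keeps that ordering by placing `/etc/qemu/...` between `/etc/nova/**` and `/etc/ssh/ssh_config`. Moving the rule up to sit with the other `/usr/` entries, after the `/usr/lib{,32,64}/...` lines, keeps the profile easy to scan for overlapping or overly broad grants. The rule list continues outside the hunk on both sides, so the exact slot depends on entries not visible here.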