# Last Modified: Thu Mar 31 18:53:33 2016
# Mode: {{aa_profile_mode}}
#include <tunables/global>

/usr/bin/nova-api {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/libvirt-qemu>
  #include <abstractions/python>
  #include <abstractions/wutmp>

  capability audit_write,
  capability net_admin,
  capability net_raw,
  capability sys_resource,

  network inet raw,


  /bin/* rix,
  /etc/default/locale r,
  /etc/environment r,
  /etc/nova/** r,
  /etc/sudoers r,
  /etc/sudoers.d/ r,
  /etc/sudoers.d/90-cloud-init-users r,
  /etc/sudoers.d/90-cloudimg-ubuntu r,
  /etc/sudoers.d/README r,
  /etc/sudoers.d/nova_sudoers r,
  /lib{,32,64}/** mr,
  /run/lock/nova/nova-iptables wk,
  /sbin/ldconfig rix,
  /sbin/ldconfig.real rix,
  /sbin/xtables-multi rix,
  /tmp/ r,
  /tmp/** rwk,
  /usr/bin/ r,
  /usr/bin/** rix,
  /usr/lib{,32,64}/** mr,
  /var/lib/nova/** rw,
  /var/log/nova/nova-api.log w,
  /var/tmp/ r,
  /var/tmp/** rwk,
{% if ubuntu_release <= '12.04' %}
  /proc/*/fd/ r,
  /proc/*/mounts r,
  /proc/*/net/ip_tables_names r,
  /proc/*/stat r,
  /proc/*/status r,
{% else %}
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/net/ip_tables_names r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/status r,
{% endif %}
}