Misc updates to apparmor profile

Minor refactoring and updates for DENIED messages seen during 'complain' testing with filestore and bluestore based OSD's with journals, db and wal devices. Tested with Ceph Luminous on 18.04 including data generation using rados bench and pg resizing from 8 -> 256 during testing. Change-Id: I705eacfe4d464b96dde25495eecb95db30423b66
2018-05-15 14:01:12 +01:00 · 2018-05-15 14:01:12 +01:00 · 5c1a304e0e
parent de283cdad2
commit 5c1a304e0e
1 changed files with 17 additions and 14 deletions
--- a/files/apparmor/usr.bin.ceph-osd
+++ b/files/apparmor/usr.bin.ceph-osd
@ -1,5 +1,4 @@
 # vim:syntax=apparmor
-# Author: Chris Holcombe <xfactor973 at gmail_com>
 #include <tunables/global>

 /usr/bin/ceph-osd {
@ -18,25 +17,29 @@
  network inet6 stream,

  /etc/ceph/* r,
-
-  @{PROC}/@{pids}/auxv r,
-  @{PROC}/@{pids}/net/dev r,
-  @{PROC}/loadavg r,
-
-  /run/ceph/* rw,
-  /srv/ceph/** rwkl,
-  /tmp/ r,
-  /var/lib/ceph/** rwk,
-  /var/lib/ceph/osd/** l,
  /var/lib/charm/*/ceph.conf r,
+
+  owner @{PROC}/@{pids}/auxv r,
+  owner @{PROC}/@{pids}/net/dev r,
+  owner @{PROC}/@{pids}/task/*/comm rw,
+
+  @{PROC}/loadavg r,
+  @{PROC}/1/cmdline r,
+  @{PROC}/partitions r,
+  @{PROC}/sys/kernel/random/uuid r,
+
+  /var/lib/ceph/** rwkl,
+  /srv/ceph/** rwkl,
+
  /var/log/ceph/* rwk,
-  /var/run/ceph/* rwk,
-  /var/tmp/ r,
+
+  /{,var/}run/ceph/* rwk,
+  /{,var/}tmp/ r,

  /dev/ r,
  /dev/** rw,
  /sys/devices/** r,
-  /proc/partitions r,
+
  /run/blkid/blkid.tab r,

  /bin/dash rix,