From a59b4d606fcdf647b89906b437fb4e79d74481ee Mon Sep 17 00:00:00 2001
From: David Ames
Date: Wed, 25 Apr 2018 21:35:40 +0000
Subject: [PATCH] Apparmor profiles for Queens

Apparmor profiles were limiting queens deployments of neutron-gateway when aa-profile-mode was set to enforce. It led to failed instance deployments due to neutron agents failing to execute their necessary functions. This change updates the profiles to be Queens ready.

Closes-Bug: #1761536
Change-Id: I2e08a2de9e4ae8139ab8e4be131631883652d029
---
 templates/usr.bin.neutron-dhcp-agent | 6 ++++++
 templates/usr.bin.neutron-l3-agent | 6 ++++++
 templates/usr.bin.neutron-lbaasv2-agent | 7 +++++++
 templates/usr.bin.neutron-metadata-agent | 3 +++
 templates/usr.bin.neutron-metering-agent | 3 +++
 templates/usr.bin.neutron-openvswitch-agent | 3 +++
 templates/usr.bin.nova-api-metadata | 3 +++
 7 files changed, 31 insertions(+)

diff --git a/templates/usr.bin.neutron-dhcp-agent b/templates/usr.bin.neutron-dhcp-agent
index 0ba0441b..c7fcb03f 100644
--- a/templates/usr.bin.neutron-dhcp-agent
+++ b/templates/usr.bin.neutron-dhcp-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+ #include
 /usr/bin/neutron-dhcp-agent r,
@@ -37,6 +38,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+ /tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -47,6 +49,9 @@
 /proc/version r,
+ # neutron-dhcp-agent needs to keep track of dnsmaq processes
+ /proc/*/stat r,
+
 {% if ubuntu_release <= '12.04' %}
 /proc/*/mounts r,
 /proc/*/status r,
@@ -54,6 +59,7 @@
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+ owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 {% endif %}
 }
diff --git a/templates/usr.bin.neutron-l3-agent b/templates/usr.bin.neutron-l3-agent
index b9c197fe..351a3b22 100644
--- a/templates/usr.bin.neutron-l3-agent
+++ b/templates/usr.bin.neutron-l3-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+ #include
 /usr/bin/neutron-l3-agent r,
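Review bot: In the `@@ -37,6 +38,7 @@` hunk the new `/tmp/** rw,` subsumes the `/tmp/* rw,` context line directly above it (AppArmor `**` also matches across path separators), so the narrower rule is now dead and the profile may write at any depth below /tmp without an `owner` qualifier. Either drop `/tmp/* rw,` or record why recursive write is required, e.g. `# Queens agents write into nested directories under /tmp — TODO name the consumer`; the same pair is added in the l3, lbaasv2, metadata, metering, openvswitch and nova-api-metadata profiles. The added `#include` on the first hunk has lost its abstraction name in this rendering, so the exact abstraction being pulled in cannot be reviewed here.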
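Review bot: The added comment in the `@@ -47,6 +49,9 @@` hunk misspells the process name; it should read `# neutron-dhcp-agent needs to keep track of dnsmasq processes`. Note also that the new `/proc/*/stat r,` sits outside the `{% if ubuntu_release <= '12.04' %}` block and so applies to every release without the `owner` qualifier that the `{% else %}` branch uses, which is wider than the per-pid `owner @{PROC}/@{pid}/stat r,` added in the following hunk; if only the owner form is needed on modern releases, the unqualified rule could move inside the `<= '12.04'` branch as the openvswitch profile does.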
@@ -35,6 +36,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+ /tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -45,6 +47,9 @@
 /proc/version r,
+ # neutron-dhcp-agent needs to keep track of ns-metadata-proxy processes
+ /proc/*/stat r,
+
 {% if ubuntu_release <= '12.04' %}
 /proc/*/mounts r,
 /proc/*/status r,
@@ -52,6 +57,7 @@
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+ owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 {% endif %}
 }
diff --git a/templates/usr.bin.neutron-lbaasv2-agent b/templates/usr.bin.neutron-lbaasv2-agent
index 8763ce3a..ac02f9ad 100644
--- a/templates/usr.bin.neutron-lbaasv2-agent
+++ b/templates/usr.bin.neutron-lbaasv2-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+ #include
 /usr/bin/neutron-lbaas-agent r,
@@ -17,12 +18,16 @@
 /usr/bin/** rix,
 /etc/neutron/** r,
+ /etc/magic r,
 /etc/mime.types r,
 /var/lib/neutron/** rwk,
 /var/log/neutron/** rwk,
 /{,var/}run/neutron/** rwk,
 /{,var/}run/lock/neutron/** rwk,
+ /usr/share/file/magic.mgc r,
+ /usr/share/file/magic/ r,
+
 # Allow unconfined sudo to support oslo.rootwrap
 # profile makes no attempt to restrict this as this
 # is limited by the appropriate rootwrap configuration.
@@ -32,6 +37,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+ /tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -44,5 +50,6 @@
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+ owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 }
diff --git a/templates/usr.bin.neutron-metadata-agent b/templates/usr.bin.neutron-metadata-agent
index c6159c78..1935e406 100644
--- a/templates/usr.bin.neutron-metadata-agent
+++ b/templates/usr.bin.neutron-metadata-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+ #include
 /usr/bin/neutron-metadata-agent r,
@@ -33,6 +34,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+ /tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
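Review bot: The comment added in the l3-agent `@@ -45,6 +47,9 @@` hunk names the wrong profile; this file confines neutron-l3-agent, so it should read `# neutron-l3-agent needs to keep track of ns-metadata-proxy processes` rather than `neutron-dhcp-agent`, which looks like a copy of the dhcp-agent comment. A reader auditing the `/proc/*/stat r,` grant will otherwise attribute it to the wrong daemon. The lbaasv2 `@@ -17,12 +18,16 @@` hunk would likewise benefit from a one-line comment above `/etc/magic r,` saying which library reads the magic database, since nothing in the profile otherwise explains the three new file-type rules.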
@@ -50,6 +52,7 @@
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+ owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 {% endif %}
 }
diff --git a/templates/usr.bin.neutron-metering-agent b/templates/usr.bin.neutron-metering-agent
index ed0e921f..91a5f9d9 100644
--- a/templates/usr.bin.neutron-metering-agent
+++ b/templates/usr.bin.neutron-metering-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+ #include
 /usr/bin/neutron-metering-agent r,
@@ -34,6 +35,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+ /tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -51,6 +53,7 @@
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+ owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 {% endif %}
 }
diff --git a/templates/usr.bin.neutron-openvswitch-agent b/templates/usr.bin.neutron-openvswitch-agent
index bc4bc614..9ed3593d 100644
--- a/templates/usr.bin.neutron-openvswitch-agent
+++ b/templates/usr.bin.neutron-openvswitch-agent
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+ #include
 /usr/bin/neutron-openvswitch-agent r,
@@ -39,6 +40,7 @@
 /{,s}bin/ps Ux,
 /tmp/* rw,
+ /tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -52,6 +54,7 @@
 {% if ubuntu_release <= '12.04' %}
 /proc/*/mounts r,
 /proc/*/status r,
+ /proc/*/stat r,
 /proc/*/ns/net r,
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
diff --git a/templates/usr.bin.nova-api-metadata b/templates/usr.bin.nova-api-metadata
index ae6be018..42115f40 100644
--- a/templates/usr.bin.nova-api-metadata
+++ b/templates/usr.bin.nova-api-metadata
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+ #include
 /usr/bin/nova-metadata-api r,
@@ -29,6 +30,7 @@
 /{,s}bin/ip Ux,
 /tmp/* rw,
+ /tmp/** rw,
 /var/tmp/* a,
 # Required for parsing of managed process cmdline arguments
@@ -44,6 +46,7 @@
 {% else %}
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
+ owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/ns/net r,
 {% endif %}
 }
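Review bot: In the openvswitch-agent `@@ -52,6 +54,7 @@` hunk the new `/proc/*/stat r,` is placed only inside the `{% if ubuntu_release <= '12.04' %}` branch, and the diffstat's 3 insertions for this file confirm that the `{% else %}` branch receives nothing, unlike the dhcp, l3, metadata, metering and nova-api-metadata profiles which add `owner @{PROC}/@{pid}/stat r,` there. A Queens deployment renders the else branch, so if this agent also needs to read process stat the enforce-mode denial this commit is fixing would persist for it; add `owner @{PROC}/@{pid}/stat r,` after the `owner @{PROC}/@{pid}/status r,` line of the else branch, which lies outside this hunk. If the openvswitch agent genuinely does not need it on modern releases, a comment to that effect in the else branch would stop the next reader from treating the asymmetry as an omission.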