Update apparmor profiles for Jammy/Yoga

The apparmor profile is missing some updates for versions on Jammy/Yoga. Add read access to /proc/*/limits and some updates for sudo access. Additionally, needed to move /var/lib/contrail access rule to be alphabetically sorted. Change-Id: I9b7175470f84515fb15715324bf1d8887dd5791f
2022-04-08 20:27:59 -07:00 · 2022-04-08 20:27:59 -07:00 · 01c0ce8506
parent afe8ba719f
commit 01c0ce8506
1 changed files with 4 additions and 1 deletions
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@ -53,6 +53,7 @@
  /etc/qemu/firmware/{,**} r,
  /etc/ssh/ssh_config r,
  /etc/ssl/openssl.cnf r,
+  /etc/sudo.conf r,
  /etc/sudoers r,
  /etc/sudoers.d/ r,
  /etc/sudoers.d/* r,
@ -65,6 +66,7 @@
  /proc/sys/net/ipv6/conf/** w,
  /proc/*/task/*/comm wr,
  /proc/*/fd/ r,
+  /proc/*/limits r,
  /proc/*/net/ip_tables_names r,
  /proc/*/net/psched r,
  /proc/*/stat r,
@ -124,11 +126,12 @@
  /{usr/,}lib/udev/scsi_id PUx,
  /usr/bin/ r,
  /usr/bin/* rix,
+  /usr/libexec/sudo/* rm,
  /usr/lib/gcc/x86_64-linux-gnu/4.8/collect2 rix,
  /usr/lib{,32,64}/** mrw,
  /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mrw,
-  /var/lib/contrail/ports/* rw,
  /usr/share/qemu/firmware/{,**} r,
+  /var/lib/contrail/ports/* rw,
  /var/lib/nova/ r,
  /var/lib/nova/** rwk,
 {% if virt_type == 'lxd' %}