From 0f9c730817b4f175e617ab5ce362bf9ff5157092 Mon Sep 17 00:00:00 2001
From: Felipe Reyes
Date: Thu, 12 Oct 2023 11:50:30 -0300
Subject: [PATCH] AppArmor policy update for NVMeoF

When using NVMeoF feature with nova-compute apparmor in enforce mode, nova-compute is denied from running /usr/sbin/nvme and /usr/sbin/blkid, and reading /etc/nvme/hostnqn.

Change-Id: Ia23fbf341d5b7ad469337d8a0c65c18ec519a891
Closes-Bug: #2039161
---
 templates/usr.bin.nova-compute | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/templates/usr.bin.nova-compute b/templates/usr.bin.nova-compute
index 00fa39ed..450bb85b 100644
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@@ -164,4 +164,7 @@
 /etc/magic r,
 /sys/devices/virtual/dmi/** r,
 /usr/sbin/dmidecode rix,
+ /usr/sbin/blkid rix,
+ /usr/sbin/nvme rix,
+ /etc/nvme/hostnqn r,
 }
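Review bot: With `rix` on `/usr/sbin/nvme` and `/usr/sbin/blkid`, both tools run confined by this same nova-compute profile, so every file and device node they open must also be allowed here, and the hunk adds only `/etc/nvme/hostnqn r,` for that. The rest of the template is outside the hunk, so it is worth confirming in enforce mode that an NVMe-oF attach leaves no further `apparmor="DENIED"` entries in the kernel audit log, for example for `/dev/nvme-fabrics` or, if the installed nvme-cli reads it, `/etc/nvme/hostid`. A short comment above the new rules, e.g. `# NVMe-oF volume attach: nvme-cli, blkid, host NQN`, would record why nova-compute is allowed to execute these binaries. Inherit-exec matches the existing dmidecode rule, though a dedicated child profile for nvme would keep its device access out of the main nova-compute profile.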