From 9395d9d389d5dbbe730d2c0b3c3200d59a182111 Mon Sep 17 00:00:00 2001
From: Dmitrii Shcherbakov
Date: Tue, 4 Jul 2017 15:40:43 +0200
Subject: [PATCH] add missing apparmor rules for nova-compute

In a restrictive mode those will prevent nodes from starting up.

Change-Id: I589d1e1d082f5c66adf641b4d748bffb25eb40b7
---
 templates/usr.bin.nova-compute | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/templates/usr.bin.nova-compute b/templates/usr.bin.nova-compute
index 09c1386d..bcce2f73 100644
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@@ -21,6 +21,7 @@
  capability setuid,
  capability sys_admin,
  capability sys_resource,
+ capability sys_module,
  network inet raw,
  network inet stream,
@@ -30,23 +31,37 @@
  /bin/* rix,
  /dev/nbd* rw,
  /dev/tty rw,
+ /dev/pts/* r,
  /etc/default/locale r,
  /etc/environment r,
+ /etc/iscsi/initiatorname.iscsi r,
  /etc/machine-id r,
  /etc/mtab rw,
  /etc/nova/** r,
+ /etc/ssh/ssh_config r,
+ /etc/ssl/openssl.cnf r,
  /etc/sudoers r,
  /etc/sudoers.d/ r,
  /etc/sudoers.d/* r,
+ /proc/*/cmdline r,
+ /proc/sys/net/ipv6/conf/** w,
+ /proc/*/task/*/comm wr,
  /proc/*/fd/ r,
  /proc/*/net/ip_tables_names r,
  /proc/*/net/psched r,
  /proc/*/stat r,
+ /proc/uptime r,
+ /proc/version r,
  /run/libvirt/libvirt-sock rw,
  /run/lock/nova/nova-iptables wk,
  /run/lock/qemu-nbd-nbd* w,
+ /run/openvswitch/db.sock rw,
+ /sbin/brctl rix,
  /sbin/ldconfig rix,
  /sbin/ldconfig.real rix,
+ /sbin/mkfs rix,
+ /sbin/mkfs.fat rix,
+ /sbin/hdparm rix,
  /sbin/xtables-multi rix,
  /sys/block/ r,
  /sys/devices/system/cpu/ r,
@@ -54,8 +69,10 @@
  /sys/devices/system/node/ r,
  /sys/devices/system/node/** r,
  /sys/devices/virtual/block/nbd*/ r,
+ /sys/devices/virtual/net/** w,
  /tmp/* rw,
  /tmp/*/ rw,
+ /tmp/** rw,
  /usr/bin/ r,
  /usr/bin/* rix,
  /usr/lib/gcc/x86_64-linux-gnu/4.8/collect2 rix,
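Review bot: `capability sys_module,` in the first hunk grants CAP_SYS_MODULE, which lets the confined nova-compute process load kernel modules and therefore places it outside anything the rest of this profile can constrain; the commit message only says the rules are needed for nodes to start, not which operation triggers a module load. Before keeping it, confirm whether the load is an explicit modprobe run by nova-compute or a privsep helper (which could instead be covered by an execute rule for that binary) or a kernel-initiated autoload, which typically does not require the calling process to hold this capability. Whichever it is, record it in the profile, e.g. `# sys_module: needed for <operation> — confirm` above the rule, so the next reviewer can tell the grant is deliberate. The profile block this rule belongs to starts and ends outside the hunk.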
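Review bot: `/proc/*/task/*/comm wr,` and `/proc/sys/net/ipv6/conf/** w,` in the second hunk are the broadest of the new rules and carry no comment saying which nova-compute operation writes to them; `/sys/devices/virtual/net/** w,` in the following hunk has the same gap. Write access to the IPv6 sysctl tree of every interface and to the comm name of any thread is wider than a single caller usually needs, so if the writer is known to touch only a specific interface pattern or only its own threads, narrow the glob accordingly; otherwise add a one-line `# <operation>: writes <path>` comment beside each so the width is visibly intentional. `/proc/*/cmdline r,` also exposes the command line of every process on the host to the confined process; confirm it is needed for more than nova-compute's own process tree.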
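Review bot: `/tmp/** rw,` in the third hunk subsumes the existing `/tmp/* rw,` and `/tmp/*/ rw,` two lines above it, because `**` matches across directory separators, so after this change those two rules are dead and the profile allows read/write to anything under /tmp at any depth. If the new access is for a known subtree (the commit does not say which), prefer a rule scoped to that subtree; if the whole tree really is required, drop the two redundant lines so the grant is visible from a single rule rather than three.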
@@ -66,8 +83,10 @@
  /var/lib/lxd/unix.socket rw,
  {% endif %}
  /var/log/nova/nova-compute.log w,
+ /var/log/nova/privsep-helper.log w,
  /var/run/libvirt/* rw,
  /var/run/libvirt/libvirt-sock rw,
+ /var/run/openvswitch/db.sock rw,
  /var/tmp/* w,
  {% if ubuntu_release <= '12.04' %}
  /proc/*/mounts r,
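Review bot: `/var/run/openvswitch/db.sock rw,` duplicates the `/run/openvswitch/db.sock rw,` rule added earlier in this patch; on hosts where /var/run is a symlink to /run the kernel hands AppArmor the resolved path, so only the /run rule is ever matched, and the pair is consistent with the existing libvirt-sock rules rather than wrong. Access to the OVS database socket lets the confined process reconfigure switching for every instance on the host, so a comment naming the caller, e.g. `# <caller>: needs the OVS db socket for port plugging — confirm`, belongs next to the rule. The `{% endif %}` at the top closes a template block that starts outside this hunk.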