AppArmor policy update for os-brick and iSCSI

In iSCSI use cases including cinder-lvm, os-brick requires lock files
such as:
  - /run/lock/nova/os-brick-connect_volume
  - /run/lock/nova/os-brick-connect_to_iscsi_portal-192.168.0.1

and lsscsi requires the following access to compose a rescan command such as
"/sys/bus/scsi/drivers/sd/2:0:0:0/rescan":
  - /dev/
  - /sys/bus/scsi/devices/

Closes-Bug: #1979812
Related-Bug: #1939390
Change-Id: Id2db3a70b8d1287bda006f1bbc5442038f7070f1
Nobuto Murata 2022-06-24 23:22:54 +09:00
parent 06856f151c
commit cf0f464391
1 changed files with 3 additions and 1 deletions


@ -31,6 +31,7 @@
deny /* w,
/bin/* rix,
/dev/ r,
/dev/disk/** r,
/dev/disk/by-id/* r,
/dev/mapper/control wr,
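Review bot: the added `/dev/ r,` rule grants only a directory listing of `/dev/` (needed so lsscsi can enumerate device nodes), so it is a narrow change, but nothing in the profile records why it exists; consider a short comment above the rule referencing bug #1979812 so a later cleanup does not drop it and reintroduce the denial.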
@ -77,7 +78,7 @@
/run/libvirt/libvirt-sock rw,
/run/lock/iscsi/ rw,
/run/lock/iscsi/** rwl,
/run/lock/nova/nova-iptables wk,
/run/lock/nova/* wk,
/run/lock/qemu-nbd-nbd* w,
/run/openvswitch/db.sock rw,
/run/uuidd/request rw,
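Review bot: replacing `/run/lock/nova/nova-iptables wk,` with `/run/lock/nova/* wk,` widens the rule from one named lock file to every file directly under `/run/lock/nova/` (a single `*` does not cross `/`, so subdirectories stay excluded). Since the os-brick lock names in the commit message embed the portal address (`os-brick-connect_to_iscsi_portal-192.168.0.1`), a fixed list is impractical, but a tighter form such as keeping the explicit `nova-iptables` line and adding `/run/lock/nova/os-brick-* wk,` would cover the stated need without granting write and lock on arbitrary future lock files; the `wk` permissions (no `r`) match the original rule and the create-and-flock pattern of the lock helper, so that part looks right.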
@ -96,6 +97,7 @@
/{usr/,}sbin/e2label rix,
/{usr/,}sbin/tune2fs rix,
/sys/block/ r,
/sys/bus/scsi/devices/ r,
/sys/class/fc_host/{,**} r,
/sys/class/iscsi_host/ r,
/sys/class/iscsi_session/ r,
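Review bot: the added `/sys/bus/scsi/devices/ r,` only permits listing the directory, which is what the commit message says lsscsi needs to compose the rescan path; the actual write to `/sys/bus/scsi/drivers/sd/2:0:0:0/rescan` is not granted by anything in this hunk, so confirm that the rest of the profile (not visible in this diff) already allows `w` on that path, otherwise the rescan itself will still be denied after this change.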