From cf0f464391df509e752c6010964efe2aca10ef89 Mon Sep 17 00:00:00 2001
From: Nobuto Murata
Date: Fri, 24 Jun 2022 23:22:54 +0900
Subject: [PATCH] AppArmor policy update for os-brick and iSCSI

In iSCSI usecases including cinder-lvm, os-brick requires lock files such as:
- /run/lock/nova/os-brick-connect_volume
- /run/lock/nova/os-brick-connect_to_iscsi_portal-192.168.0.1
and lsscsi requires following access to compose a rescan command such as "/sys/bus/scsi/drivers/sd/2:0:0:0/rescan":
- /dev/
- /sys/bus/scsi/devices/

Closes-Bug: #1979812
Related-Bug: #1939390
Change-Id: Id2db3a70b8d1287bda006f1bbc5442038f7070f1
---
 templates/usr.bin.nova-compute | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/templates/usr.bin.nova-compute b/templates/usr.bin.nova-compute
index 651aaa1b..427bb72a 100644
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@@ -31,6 +31,7 @@
  deny /* w,
  /bin/* rix,
+ /dev/ r,
  /dev/disk/** r,
  /dev/disk/by-id/* r,
  /dev/mapper/control wr,
@@ -77,7 +78,7 @@
  /run/libvirt/libvirt-sock rw,
  /run/lock/iscsi/ rw,
  /run/lock/iscsi/** rwl,
- /run/lock/nova/nova-iptables wk,
+ /run/lock/nova/* wk,
  /run/lock/qemu-nbd-nbd* w,
  /run/openvswitch/db.sock rw,
  /run/uuidd/request rw,
@@ -96,6 +97,7 @@
  /{usr/,}sbin/e2label rix,
  /{usr/,}sbin/tune2fs rix,
  /sys/block/ r,
+ /sys/bus/scsi/devices/ r,
  /sys/class/fc_host/{,**} r,
  /sys/class/iscsi_host/ r,
  /sys/class/iscsi_session/ r,
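Review bot: The replacement rule `/run/lock/nova/* wk,` in the second hunk grants write and lock access to every file directly under /run/lock/nova/, whereas the commit message only needs the existing nova-iptables lock plus the os-brick-* lock files; an alternation keeps the grant to what is actually used, `/run/lock/nova/{nova-iptables,os-brick-*} wk,`. A single `*` does not cross a path separator, so subdirectories stay outside the rule either way. If the wildcard is kept deliberately because further nova lock names are expected, a comment above the rule naming the known consumers (nova-iptables, os-brick connect_volume and per-portal locks) would make the widening reviewable later.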
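Review bot: The third hunk only adds a directory read on /sys/bus/scsi/devices/, while the commit message describes lsscsi composing a rescan path such as /sys/bus/scsi/drivers/sd/2:0:0:0/rescan; whether a write to that rescan node is already permitted elsewhere in the profile is not visible in this hunk and is worth confirming against the full template. Since the rule's purpose is not obvious from the path alone, a comment above it would help, e.g. `# lsscsi: directory listing used by os-brick to build SCSI rescan paths`.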