From d673f94097ac25656f473f6888b692af51950b47 Mon Sep 17 00:00:00 2001
From: Ante Karamatic
Date: Fri, 24 Mar 2017 16:07:09 +0100
Subject: [PATCH] Allow nova-compute to read through cpu attributes

LXD requires access to CPU attributes that are currently not allowed in AppArmor profile. This change allows access to those attributes. It also adds virt_type to NovaComputeAppArmor context. It then uses this to provide nova-compute with access to LXD's socket.

Change-Id: I78d18dcf37f6195ea1ceec1029ddfac44a4a1b33
Closes-Bug: 1675803
---
 hooks/nova_compute_context.py | 1 +
 templates/usr.bin.nova-compute | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/hooks/nova_compute_context.py b/hooks/nova_compute_context.py
index b23061f5..500caade 100644
--- a/hooks/nova_compute_context.py
+++ b/hooks/nova_compute_context.py
@@ -643,6 +643,7 @@ class NovaComputeAppArmorContext(context.AppArmorContext):
         super(NovaComputeAppArmorContext, self).__call__()
         if not self.ctxt:
             return self.ctxt
+        self._ctxt.update({'virt_type': config('virt-type')})
         self._ctxt.update({'aa_profile': self.aa_profile})
         return self.ctxt
 
diff --git a/templates/usr.bin.nova-compute b/templates/usr.bin.nova-compute
index 31f5ad45..09c1386d 100644
--- a/templates/usr.bin.nova-compute
+++ b/templates/usr.bin.nova-compute
@@ -50,6 +50,7 @@
   /sbin/xtables-multi rix,
   /sys/block/ r,
   /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/** r,
   /sys/devices/system/node/ r,
   /sys/devices/system/node/** r,
   /sys/devices/virtual/block/nbd*/ r,
@@ -61,6 +62,9 @@
   /usr/lib{,32,64}/** mrw,
   /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mrw,
   /var/lib/nova/** rwk,
+{% if virt_type == 'lxd' %}
+  /var/lib/lxd/unix.socket rw,
+{% endif %}
   /var/log/nova/nova-compute.log w,
   /var/run/libvirt/* rw,
   /var/run/libvirt/libvirt-sock rw,
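Review bot: The new `virt_type` key is added with a second `self._ctxt.update` call placed right before the existing `aa_profile` update; folding both into one call, `self._ctxt.update({'virt_type': config('virt-type'), 'aa_profile': self.aa_profile})`, keeps the context assembly in one statement. Nothing in this hunk shows who consumes the key, so a why-comment would help the next reader: `# virt_type selects the virt-specific rules in templates/usr.bin.nova-compute`. The template compares the value with the literal `'lxd'`, so any other spelling of the config value silently leaves the LXD socket rule out of the profile (fail-closed, but worth knowing when debugging a confined LXD host). The enclosing `__call__` method starts before this hunk.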
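Review bot: The added `/sys/devices/system/cpu/** r` rule is unconditional, while the commit message motivates it with LXD and the LXD socket rule in the second hunk of this file is wrapped in `{% if virt_type == 'lxd' %}`; the two new grants in one patch are guarded inconsistently. If only the LXD driver needs the CPU attributes, moving the rule under the same guard avoids widening the profile for kvm/qemu deployments; if libvirt needs it as well, a comment makes the decision explicit, e.g. `# CPU topology/attributes; needed by LXD (Closes-Bug: 1675803), read-only so kept unconditional`. The recursive form itself follows the existing `/sys/devices/system/node/** r` precedent two lines below, so the style is consistent with the rest of the profile.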
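Review bot: The `rw` grant on `/var/lib/lxd/unix.socket` is the most privilege-relevant line of the patch — the LXD control socket lets the confined process drive LXD itself — yet the profile carries no comment saying the widening is deliberate and why it is scoped to `virt_type == 'lxd'`; suggested: `# LXD control socket: only the LXD driver needs it, keep it inside the virt_type guard`. It would also be worth checking how the charm's renderer handles block tags: with Jinja's default settings the `{% if %}`/`{% endif %}` lines on their own rows leave blank lines in the installed profile, which AppArmor tolerates but which is easy to avoid with `{%- ... %}` trimming if the renderer does not set trim_blocks. A reviewer cannot tell from the hunk whether any other rule in the profile already depends on a context variable, so a quick grep of the template for other `{% if` uses would confirm that this is the first conditional section.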