# Last Modified: Tue Apr  5 22:19:53 2016
# Mode: {{aa_profile_mode}}
#include <tunables/global>

/usr/bin/nova-compute {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>
  #include <abstractions/python>
  #include <abstractions/wutmp>

  capability audit_write,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability net_admin,
  capability net_raw,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_resource,
  capability sys_module,

  network inet raw,
  network inet stream,

  deny /* w,

  /bin/* rix,
  /dev/nbd* rw,
  /dev/tty rw,
  /dev/pts/* r,
  /dev/sd* r,
  /etc/default/locale r,
  /etc/environment r,
  /etc/iscsi/initiatorname.iscsi r,
  /etc/machine-id r,
  /etc/mtab rw,
  /etc/nova/** r,
  /etc/ssh/ssh_config r,
  /etc/ssl/openssl.cnf r,
  /etc/sudoers r,
  /etc/sudoers.d/ r,
  /etc/sudoers.d/* r,
  /proc/*/cmdline r,
  /proc/sys/net/ipv6/conf/** w,
  /proc/*/task/*/comm wr,
  /proc/*/fd/ r,
  /proc/*/net/ip_tables_names r,
  /proc/*/net/psched r,
  /proc/*/stat r,
  /proc/uptime r,
  /proc/version r,
  /run/libvirt/libvirt-sock rw,
  /run/lock/nova/nova-iptables wk,
  /run/lock/qemu-nbd-nbd* w,
  /run/openvswitch/db.sock rw,
  /sbin/blockdev rix,
  /sbin/brctl rix,
  /sbin/ldconfig rix,
  /sbin/ldconfig.real rix,
  /sbin/mkfs rix,
  /sbin/mkfs.fat rix,
  /sbin/hdparm rix,
  /sbin/xtables-multi rix,
  /sys/block/ r,
  /sys/class/fc_host/{,**} r,
  /sys/devices/pci*/** r,
  /sys/devices/pci/** r,
  /sys/devices/pci*/**/scan rw,
  /sys/devices/pci*/**/delete rw,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/** r,
  /sys/devices/virtual/block/nbd*/ r,
  /sys/devices/virtual/net/** w,
  /tmp/{,**} rw,
  /{usr/,}lib/udev/scsi_id PUx,
  /usr/bin/ r,
  /usr/bin/* rix,
  /usr/lib/gcc/x86_64-linux-gnu/4.8/collect2 rix,
  /usr/lib{,32,64}/** mrw,
  /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mrw,
  /var/lib/nova/** rwk,
{% if virt_type == 'lxd' %}
  /var/lib/lxd/unix.socket rw,
{% endif %}
  /var/log/nova/nova-compute.log w,
  /var/log/nova/privsep-helper.log w,
  /var/run/libvirt/* rw,
  /var/run/libvirt/libvirt-sock rw,
  /var/run/openvswitch/db.sock rw,
  /var/tmp/{,**} rw,
{% if ubuntu_release <= '12.04' %}
  /proc/*/mounts r,
  /proc/*/status r,
{% else %}
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/status r,
{% endif %}
  /var/lib/charm/*/ceph.conf r,
  /etc/ceph/* r,
}