Configure apparmor for dnsmasq

Instead of trying to disable apparmor for dnsmasq as a whole,
let's instead supply overrides to perform apparmor configuration
to launch dnsmasq inside of the namespace by neutron.

Change-Id: I6bd046cf5e302028a8d641fe3bd97209b7ba6fcf

handlers/main.yml

@@ -13,6 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Reload apparmor
+  ansible.builtin.service:
+    name: apparmor
+    state: reloaded
+
 - name: Stop services
   ansible.builtin.service:
     name: "{{ item.service_name }}"

tasks/neutron_apparmor.yml

@@ -28,6 +28,21 @@
     enabled: true
     state: "started"
 
+- name: "Place required apparmor overrides"
+  ansible.builtin.copy:
+    content: "{{ item['content'] }}"
+    dest: "/etc/apparmor.d/local/{{ item['profile'] }}"
+    mode: "0644"
+    owner: root
+    group: root
+  loop: "{{ neutron_apparmor_profile_overrides }}"
+  loop_control:
+    label: "{{ item['profile'] }}"
+  when:
+    - item.condition | default(true)
+  notify:
+    - Reload apparmor
+
 - name: "Disable apparmor profile"
   ansible.builtin.shell: |
     # empty line to workaround bug in EnvVarsInCommandRule.py lint test
@@ -52,5 +67,3 @@
       process: "haproxy"
     - profile: "bin.ping"
       process: "ping"
-    - profile: "usr.sbin.dnsmasq"
-      process: "dnsmasq"

vars/debian.yml

@@ -51,6 +51,19 @@ neutron_apparmor_distro_packages:
   - apparmor-profiles
   - apparmor-utils
 
+neutron_apparmor_profile_overrides:
+  - profile: "usr.sbin.dnsmasq"
+    content: |
+        /etc/neutron/dnsmasq-neutron.conf r,
+        /openstack/venvs/neutron-*/etc/neutron/dnsmasq-neutron.conf r,
+        /var/lib/neutron/dhcp/*/leases rw,
+        /var/lib/neutron/dhcp/*/pid rw,
+        /var/lib/neutron/dhcp/*/host r,
+        /var/lib/neutron/dhcp/*/addn_hosts r,
+        /var/lib/neutron/dhcp/*/opts r,
+        /var/lib/neutron/dhcp/*/leases rw,
+    condition: "{{ (neutron_dhcp | bool and neutron_services['neutron-dhcp-agent']['group'] in group_names) }}"
+
 neutron_distro_packages:
   - conntrack
   - dnsmasq-base