[apparmor] [PATCH profiles] enhance postgresql profile

Christian Boltz apparmor at cboltz.de
Thu Jun 11 11:22:03 UTC 2015


Hello,

On Wednesday, 10 June 2015, Kees Cook wrote:
> This allows postgresql to run on 14.04 and later. Additionally adds
> the abstraction needed for client communication.


> === added file 'ubuntu/14.04/abstractions/pgsql'
> --- ubuntu/14.04/abstractions/pgsql	1970-01-01 00:00:00 +0000
> +++ ubuntu/14.04/abstractions/pgsql	2015-06-11 04:15:18 +0000
> @@ -0,0 +1,1 @@
> +   /{,var/}run/postgresql/.s.PGSQL.* rw,
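Review bot: the new abstraction consists of the single rule `/{,var/}run/postgresql/.s.PGSQL.* rw,` with no comment and none of the `# vim:syntax=apparmor` header that the other abstraction files carry, so nothing in the file tells a reader that it is meant to be included by client profiles to reach the server's Unix socket; add a one-line comment saying so. Note also that the trailing `*` matches any suffix after `.s.PGSQL.`, including the `.lock` file PostgreSQL keeps beside the socket, so an including client profile gets write access to that file too; if only the socket itself is intended, consider narrowing the pattern.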

I'd prefer to have this in the AppArmor bzr repo and tarball (instead of 
the Ubuntu-specific repo) so that all distributions have it available.

> === modified file 'ubuntu/14.04/usr.lib.postgresql.bin.postgres'
> --- ubuntu/14.04/usr.lib.postgresql.bin.postgres	2013-10-21 13:21:37
> +0000 +++ ubuntu/14.04/usr.lib.postgresql.bin.postgres	2015-06-11
> 04:13:10 +0000 @@ -2,7 +2,8 @@
> 
>  #include <tunables/global>
> 
> -/usr/lib/postgresql/[0-9.]*/bin/postgres {
> +# https://bugs.launchpad.net/apparmor/+bug/1317555
> +profile postgresql /usr/lib/postgresql/[0-9.]*/bin/postgres {

Unless you want/need to cover hidden directories, you probably might 
want to use .../[0-9]*/...

>    #include <abstractions/base>
>    #include <abstractions/nameservice>
>    #include <abstractions/ssl_keys>
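Review bot: the `+profile postgresql ...` line is explained only by the bare URL in the `# https://bugs.launchpad.net/apparmor/+bug/1317555` comment above it; put the actual reason a named profile is needed into the comment itself so the profile can be understood without following the link, keeping the URL as a pointer. The `[0-9.]*` in the path is wider than the version directories it targets, as already noted above.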
> @@ -12,5 +13,5 @@
>    /var/lib/postgresql/** rwl,
>    /{,var/}run/postgresql/** rw,
> 
> -  owner @{PROC}/[0-9]*/oom_adj rw,
> +  owner @{PROC}/[0-9]*/oom_{score_,}adj rw,

@{PROC}/@{pid}/... ?

>  }
> 
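Review bot: `owner @{PROC}/[0-9]*/oom_{score_,}adj rw,` grants read and write on both the deprecated `oom_adj` and `oom_score_adj`; if the server only opens these files for writing (it lowers the OOM score of the backends it forks), `w` would be the tighter permission, so check whether `r` is actually needed before keeping `rw`. Using `@{pid}` from `tunables/global`, which the profile already includes at the top, instead of `[0-9]*` is the idiomatic way to match the process directory.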

The changes look good (except the details above), but without knowing 
PostgreSQL, I'll give someone else the chance to send the ack ;-)


Regards,

Christian Boltz
-- 
I've asked Miklos for his take on this patch. It could be that
I'll get laughed out of the room. It at least works, though.
[Jeff Mahoney in https://bugzilla.novell.com/728774#c67]
