[apparmor] Developing an Apparmor profile for PostgreSQL 10
Seth Arnold
seth.arnold at canonical.com
Fri Mar 22 20:08:52 UTC 2019
On Fri, Mar 22, 2019 at 10:07:49AM -0400, Espresso Beanies wrote:
> I'm trying to develop an Apparmor profile for PostgreSQL 10 based on the
> existing profile here (
> https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.lib.postgresql.bin.postgres)
> however when I go to generate the profile based on the postgres executable
> location, I get the following results:
> >
> >
> > # Last Modified: Fri Mar 22 09:59:25 2019
> > #include <tunables/global>
> >
> > /usr/lib/postgresql/10/bin/postgres {
> >   #include <abstractions/base>
> >
> >   /lib/x86_64-linux-gnu/ld-*.so mr,
> >   /usr/lib/postgresql/10/bin/postgres mr,
> >   owner /etc/postgresql/10/main/postgresql.conf r,
> > }
>
>
> There seem to be a number of things absent from the profile itself and
> since PostgreSQL 10, there also appear to be a number of new locations that
> contain resources that the program uses. I find these fun and I'd like to
> do more, but I want to make sure they're created properly.

Hello,

Yes, this new profile is missing quite a lot from the previous profile
that looks very important. However, I'm surprised it's even needed. The
version I retrieved from the URL you gave looks like it has an attachment
specification that should also match the filename you gave:

#include <tunables/global>

/usr/lib/postgresql/[0-9.]*/bin/postgres {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_keys>

  /etc/postgresql/** r,
  /usr/share/postgresql/** r,
  /var/lib/postgresql/** rwl,
  /{,var/}run/postgresql/** rw,
  owner @{PROC}/[0-9]*/oom_adj rw,
}

/usr/lib/postgresql/10/bin/postgres should match this, unless I'm missing
something too subtle for a Friday.

Did you have problems using the profile from the repository?

Thanks
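
The attachment match discussed in the message above, as an added example that is not part of the original message or of the AppArmor project's code. It is a simplified model of the glob syntax documented in apparmor.d(5) and goes beyond the single path in the thread by also evaluating the profile's file rules. The function names and sample paths are constructed for illustration, variables such as @{PROC} are not expanded, and the included abstractions are not considered.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob into a Python regex (simplified model)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")            # ** crosses directory boundaries
            i += 1
        elif c == "*":
            out.append("[^/]*")         # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1])  # one character from the class
            i = end
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")             # alternation, empty branch allowed
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def aa_match(glob, path):
    return re.fullmatch(aa_glob_to_regex(glob), path) is not None

# Attachment spec and file rules quoted in the message; the @{PROC} rule is
# omitted because this sketch does not expand variables.
ATTACHMENT = "/usr/lib/postgresql/[0-9.]*/bin/postgres"
RULES = [("/etc/postgresql/**", "r"), ("/usr/share/postgresql/**", "r"),
         ("/var/lib/postgresql/**", "rwl"), ("/{,var/}run/postgresql/**", "rw")]

def permissions_for(path):
    """Union of permissions the explicit RULES grant to path ('' if none)."""
    perms = set()
    for glob, mode in RULES:
        if aa_match(glob, path):
            perms.update(mode)
    return "".join(sorted(perms))

if __name__ == "__main__":
    for p in ("/usr/lib/postgresql/10/bin/postgres",       # constructed samples
              "/usr/lib/postgresql/10/extra/bin/postgres"):
        print(p, aa_match(ATTACHMENT, p))
```

Note that [0-9.]* is not regex repetition: the class consumes exactly one character and the * that follows matches the rest of the version directory name, so "10" and "9.6" both attach while a path with an extra directory level does not.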