[apparmor] Developing an Apparmor profile for PostgreSQL 10

Jacek wampir990 at gmail.com
Sat Mar 23 09:29:14 UTC 2019 

HI

It's my current profile for Postgresql-11.1 running on Gentoo Linux, where

/media/bazy/db/postgresql*/  is custom locations for SQL datadir.

> # Last Modified: Thu Jan 17 18:26:07 2019
> #include <tunables/global>
>
> profile postgres /usr/lib{32,64,}/postgresql-1*/bin/postgres
flags=(attach_disconnected) {
> #include <abstractions/base>
> #include <abstractions/consoles>
> #include <abstractions/nameservice>
> #include <abstractions/openssl>
> #include <abstractions/postgresql>
> #include <abstractions/private-files>
> #include <abstractions/ssl_certs>
> #include <abstractions/ssl_keys>
> #include <abstractions/sslcerty>
>
> capability dac_override,
> capability dac_read_search,
> capability setgid,
> capability setuid,
> capability sys_chroot,
>
> network inet dgram,
> network inet stream,
> network inet6 dgram,
> network inet6 stream,
>
> signal,
>
> unix (create, send, receive ),
> unix (getattr, getopt, setopt, shutdown),
>
> /** r,
> /dev/null rw,
> /dev/zero rw,
> /etc/postgresql-*/ r,
> /etc/postgresql-*/** r,
> /etc/ssl/postgresql/* r,
> /lib{,32,64}/ld-*.so mr,
> /lib{,32,64}/libc-*.so mr,
> /lib{,32,64}/libdl-*.so mr,
> /lib{,32,64}/libm-*.so mr,
> /lib{,32,64}/libnss_files-*.so mr,
> /lib{,32,64}/libpam.so.* mr,
> /lib{,32,64}/libpthread-*.so mr,
> /lib{,32,64}/libresolv-*.so mr,
> /lib{,32,64}/librt-*.so mr,
> /lib{,32,64}/libz.so* mr,
> /media/bazy/db/postgresql*/ rw,
> /media/bazy/db/postgresql*/** rwlk,
> /usr/lib{,32,64}/binutils/** mr,
> /usr/lib{,32,64}/gcc/** mr,
> /usr/lib{,32,64}/gconv/gconv-modules.cache mr,
> /usr/lib{,32,64}/libcrypto.so* mr,
> /usr/lib{,32,64}/libicudata.so.* mr,
> /usr/lib{,32,64}/libicuuc.so.* mr,
> /usr/lib{,32,64}/libssl.so* mr,
> /usr/lib{,32,64}/libxml2.so.* mr,
> /usr/lib{,32,64}/locale/** mr,
> /usr/lib{,32,64}/postgresql-*/** mrix,
> /usr/share/locale/** mr,
> /usr/share/postgresql-*/** mr,
> /var/log/postgresql/* w,
> /{,var/}run/postgresql rw,
> /{,var/}run/postgresql/** rwk,
> @{PROC}/@{pid}/net/if_inet6 r,
> @{PROC}/@{pid}/net/ipv6_route r,
> @{PROC}/filesystems r,
> @{PROC}/sys/vm/overcommit_memory r,
> owner / rw,
> owner /dev/shm/PostgreSQL.* mrwlk,
> owner /tmp/** rwk,
> owner @{PROC}/@{pid}/cmdline r,
> owner @{PROC}/@{pid}/fd/ r,
> owner @{PROC}/@{pid}/fd/* r,
> owner @{PROC}/@{pid}/maps r,
> owner @{PROC}/@{pid}/mountinfo r,
> owner @{PROC}/@{pid}/stat r,
> owner @{PROC}/@{pid}/statm r,
> owner @{PROC}/@{pid}/status r,
> owner @{PROC}/@{pid}/task/[0-9]*/stat r,
>
> }

Postgresql is run by daemontools:

>root      6895  0.0  0.0   4224   760 ?        S    06:55   0:00
supervise postgresql11
>postgres 17476  0.0  0.3  90732 28264 ?        S    07:08   0:00
/usr/bin/postmaster11 -D /etc/postgresql-11
--data-directory=/media/bazy/db/postgresql/data11 -N 512 -B 1024
>postgres 17483  0.0  0.0  52988  2668 ?        Ss   07:08   0:00
postgres: logger  
>postgres 17485  0.0  0.0  90732  3148 ?        Ss   07:08   0:00
postgres: checkpointer  
>postgres 17486  0.0  0.0  90868  3148 ?        Ss   07:08   0:00
postgres: background writer  
>postgres 17487  0.0  0.0  90732  4440 ?        Ss   07:08   0:00
postgres: walwriter  
>postgres 17488  0.0  0.0  91540  5912 ?        Ss   07:08   0:00
postgres: autovacuum launcher  
>postgres 17489  0.0  0.0  55084  2636 ?        Ss   07:08   0:00
postgres: stats collector  
>postgres 17490  0.0  0.0  91376  5920 ?        Ss   07:08   0:00
postgres: logical replication launcher 


Cheers


W dniu 22.03.2019 o 15:07, Espresso Beanies pisze:
> I'm trying to develop an Apparmor profile for PostgreSQL 10 based on
> the existing profile here
> (https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.lib.postgresql.bin.postgres)
> however when I go to generate the profile based on the postgres
> executable location, I get the following results:
>
>
>     # Last Modified: Fri Mar 22 09:59:25 2019
>     #include <tunables/global>
>     /usr/lib/postgresql/10/bin/postgres {
>       #include <abstractions/base>
>       /lib/x86_64-linux-gnu/ld-*.so mr,
>       /usr/lib/postgresql/10/bin/postgres mr,
>       owner /etc/postgresql/10/main/postgresql.conf r,
>     }
>
>
> There seems to be a number of things absent from the profile itself
> and since PostgreSQL 10, there also appear to be a number of new
> locations that contains resources that the program uses. I find these
> fun and I'd like to do more, but I want to make sure they're created
> properly.
>
> Thanks! 
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190323/5ce9f1c2/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190323/5ce9f1c2/attachment-0001.sig>

More information about the AppArmor mailing list