<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>HI</p>
<p>It's my current profile for PostgreSQL 11.1 running on Gentoo Linux, where /media/bazy/db/postgresql*/ is the custom location for the SQL datadir.<br>
</p>
<p>> # Last Modified: Thu Jan 17 18:26:07 2019<br>
> #include <tunables/global><br>
> <br>
> profile postgres /usr/lib{32,64,}/postgresql-1*/bin/postgres flags=(attach_disconnected) {<br>
> #include <abstractions/base><br>
> #include <abstractions/consoles><br>
> #include <abstractions/nameservice><br>
> #include <abstractions/openssl><br>
> #include <abstractions/postgresql><br>
> #include <abstractions/private-files><br>
> #include <abstractions/ssl_certs><br>
> #include <abstractions/ssl_keys><br>
> #include <abstractions/sslcerty><br>
> <br>
> capability dac_override,<br>
> capability dac_read_search,<br>
> capability setgid,<br>
> capability setuid,<br>
> capability sys_chroot,<br>
> <br>
> network inet dgram,<br>
> network inet stream,<br>
> network inet6 dgram,<br>
> network inet6 stream,<br>
> <br>
> signal,<br>
> <br>
> unix (create, send, receive ),<br>
> unix (getattr, getopt, setopt, shutdown),<br>
> <br>
> /** r,<br>
> /dev/null rw,<br>
> /dev/zero rw,<br>
> /etc/postgresql-*/ r,<br>
> /etc/postgresql-*/** r,<br>
> /etc/ssl/postgresql/* r,<br>
> /lib{,32,64}/ld-*.so mr,<br>
> /lib{,32,64}/libc-*.so mr,<br>
> /lib{,32,64}/libdl-*.so mr,<br>
> /lib{,32,64}/libm-*.so mr,<br>
> /lib{,32,64}/libnss_files-*.so mr,<br>
> /lib{,32,64}/libpam.so.* mr,<br>
> /lib{,32,64}/libpthread-*.so mr,<br>
> /lib{,32,64}/libresolv-*.so mr,<br>
> /lib{,32,64}/librt-*.so mr,<br>
> /lib{,32,64}/libz.so* mr,<br>
> /media/bazy/db/postgresql*/ rw,<br>
> /media/bazy/db/postgresql*/** rwlk,<br>
> /usr/lib{,32,64}/binutils/** mr,<br>
> /usr/lib{,32,64}/gcc/** mr,<br>
> /usr/lib{,32,64}/gconv/gconv-modules.cache mr,<br>
> /usr/lib{,32,64}/libcrypto.so* mr,<br>
> /usr/lib{,32,64}/libicudata.so.* mr,<br>
> /usr/lib{,32,64}/libicuuc.so.* mr,<br>
> /usr/lib{,32,64}/libssl.so* mr,<br>
> /usr/lib{,32,64}/libxml2.so.* mr,<br>
> /usr/lib{,32,64}/locale/** mr,<br>
> /usr/lib{,32,64}/postgresql-*/** mrix,<br>
> /usr/share/locale/** mr,<br>
> /usr/share/postgresql-*/** mr,<br>
> /var/log/postgresql/* w,<br>
> /{,var/}run/postgresql rw,<br>
> /{,var/}run/postgresql/** rwk,<br>
> @{PROC}/@{pid}/net/if_inet6 r,<br>
> @{PROC}/@{pid}/net/ipv6_route r,<br>
> @{PROC}/filesystems r,<br>
> @{PROC}/sys/vm/overcommit_memory r,<br>
> owner / rw,<br>
> owner /dev/shm/PostgreSQL.* mrwlk,<br>
> owner /tmp/** rwk,<br>
> owner @{PROC}/@{pid}/cmdline r,<br>
> owner @{PROC}/@{pid}/fd/ r,<br>
> owner @{PROC}/@{pid}/fd/* r,<br>
> owner @{PROC}/@{pid}/maps r,<br>
> owner @{PROC}/@{pid}/mountinfo r,<br>
> owner @{PROC}/@{pid}/stat r,<br>
> owner @{PROC}/@{pid}/statm r,<br>
> owner @{PROC}/@{pid}/status r,<br>
> owner @{PROC}/@{pid}/task/[0-9]*/stat r,<br>
> <br>
> }<br>
<br>
</p>
<p>Postgresql is run by daemontools:</p>
<p>>root 6895 0.0 0.0 4224 760 ? S 06:55 0:00 supervise postgresql11<br>
>postgres 17476 0.0 0.3 90732 28264 ? S 07:08 0:00 /usr/bin/postmaster11 -D /etc/postgresql-11 --data-directory=/media/bazy/db/postgresql/data11 -N 512 -B 1024<br>
>postgres 17483 0.0 0.0 52988 2668 ? Ss 07:08 0:00 postgres: logger <br>
>postgres 17485 0.0 0.0 90732 3148 ? Ss 07:08 0:00 postgres: checkpointer <br>
>postgres 17486 0.0 0.0 90868 3148 ? Ss 07:08 0:00 postgres: background writer <br>
>postgres 17487 0.0 0.0 90732 4440 ? Ss 07:08 0:00 postgres: walwriter <br>
>postgres 17488 0.0 0.0 91540 5912 ? Ss 07:08 0:00 postgres: autovacuum launcher <br>
>postgres 17489 0.0 0.0 55084 2636 ? Ss 07:08 0:00 postgres: stats collector <br>
>postgres 17490 0.0 0.0 91376 5920 ? Ss 07:08 0:00 postgres: logical replication launcher <br>
</p>
<p><br>
</p>
<p>Cheers<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 22.03.2019 at 15:07, Espresso Beanies wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAOeD169J-zEZRoYX4nZpRFWV81rjBX5k6x9Hka9jwLypLtUeiw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">I'm trying to develop an AppArmor profile for
PostgreSQL 10 based on the existing profile here (<a
href="https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.lib.postgresql.bin.postgres"
moz-do-not-send="true">https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.lib.postgresql.bin.postgres</a>);
however, when I go to generate the profile based on the
postgres executable location, I get the following results:
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"><br>
# Last Modified: Fri Mar 22 09:59:25 2019<br>
#include <tunables/global><br>
/usr/lib/postgresql/10/bin/postgres {<br>
#include <abstractions/base><br>
/lib/x86_64-linux-gnu/ld-*.so mr,<br>
/usr/lib/postgresql/10/bin/postgres mr,<br>
owner /etc/postgresql/10/main/postgresql.conf r,<br>
}</blockquote>
<div><br>
</div>
<div>There seem to be a number of things absent from the
profile itself, and since PostgreSQL 10 there also appear to
be a number of new locations that contain resources that
the program uses. I find these fun and I'd like to do more,
but I want to make sure they're created properly.</div>
<div><br>
</div>
<div>Thanks! </div>
</div>
</div>
</blockquote>
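<p>Before loading a hand-written profile like the one above in enforce mode, it helps to pass it through a small review script that points out the rules which widen confinement the most. The following is an added example written for this thread; it is not code from the mail above, from the Gentoo package, or from the AppArmor project, and the profile text embedded in it is a constructed, shortened version in the style of the posted one. It understands the rule forms that profile uses (<code>#include</code>, <code>capability</code>, and path rules with an optional <code>owner</code> qualifier) and reports the cases a reviewer would ask about: <code>/** r</code> (reads the whole filesystem), <code>owner / rw</code> (names the root directory itself), a writable <code>**</code> tree without <code>owner</code>, any <code>ux</code>-style unconfined exec transition, and capabilities such as <code>dac_override</code> or <code>setuid</code>.</p>

```python
"""Review an AppArmor profile for rules that widen confinement.

Added example for this thread; not code from the original mail or from the
AppArmor project. It handles the rule forms used in the posted profile
(#include, capability, path rules with an optional `owner` qualifier);
network, signal and unix rules are skipped rather than judged.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened profile in the style of the one posted above.
SAMPLE_PROFILE = """\
#include <tunables/global>

profile postgres /usr/lib{32,64,}/postgresql-1*/bin/postgres flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/postgresql>

  capability dac_override,
  capability setuid,
  capability sys_chroot,

  network inet stream,

  /** r,
  /dev/null rw,
  /media/bazy/db/postgresql*/** rwlk,
  /usr/lib{,32,64}/postgresql-*/** mrix,
  /var/log/postgresql/* w,
  owner / rw,
  owner /tmp/** rwk,
  owner @{PROC}/@{pid}/status r,
}
"""

# Capabilities that bypass DAC or change identity; a database profile should
# carry a written reason for each one it keeps.
SENSITIVE_CAPS = {"dac_override", "dac_read_search", "setuid", "setgid",
                  "sys_admin", "sys_ptrace", "sys_module"}

CAP_RE = re.compile(r"^capability\s+(\w+),$")
# optional `owner`, a path (absolute or starting with a @{VAR}), then the permission letters
PATH_RE = re.compile(r"^(?:(owner)\s+)?(/\S*|@\{[A-Za-z_]+\}\S*)\s+([A-Za-z]+),$")


@dataclass
class Finding:
    line: int
    rule: str
    reason: str


@dataclass
class Report:
    capabilities: list = field(default_factory=list)
    path_rules: list = field(default_factory=list)   # (has_owner, path, perms)
    findings: list = field(default_factory=list)


def lint_profile(text: str) -> Report:
    """Walk the profile line by line and collect the rules worth a second look."""
    rep = Report()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "profile ", "}")):
            continue
        if line == "capability,":
            rep.findings.append(Finding(n, line, "grants every capability"))
            continue
        m = CAP_RE.match(line)
        if m:
            cap = m.group(1)
            rep.capabilities.append(cap)
            if cap in SENSITIVE_CAPS:
                rep.findings.append(Finding(n, line, f"capability {cap} bypasses DAC or changes identity"))
            continue
        m = PATH_RE.match(line)
        if not m:
            continue  # network, signal, unix and similar rules: not inspected here
        owner, path, perms = m.groups()
        rep.path_rules.append((owner is not None, path, perms))
        if path == "/**":
            rep.findings.append(Finding(n, line, "matches every file on the system"))
        elif path == "/":
            rep.findings.append(Finding(n, line, "names the root directory itself; check that this is intended"))
        if "ux" in perms.lower():
            rep.findings.append(Finding(n, line, "executes child programs unconfined"))
        if "w" in perms and path.endswith("**") and owner is None:
            rep.findings.append(Finding(n, line, "writable tree without the owner qualifier"))
    return rep


if __name__ == "__main__":
    report = lint_profile(SAMPLE_PROFILE)
    print(f"{len(report.path_rules)} path rules, capabilities: {', '.join(report.capabilities)}")
    for f in report.findings:
        print(f"line {f.line}: {f.rule}  <- {f.reason}")
```

<p>Run it with <code>python3 lint_profile.py</code>; to check a real profile, read the file into <code>lint_profile()</code> instead of the embedded sample. The script only reads the profile text, so it complements rather than replaces the usual workflow of a syntax check with <code>apparmor_parser -Q</code>, a run in complain mode via <code>aa-complain</code> to collect denials, and only then switching to enforce.</p>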
</body>
</html>