
Commit adc443e

fix: align AppArmor profile with salt managed version
Sync sbpostgres_apparmor with the salt repo (PR #526, merged): - Add WAL dir rwkl entries to parent and both sub-profiles - Consolidate systemd notify to single /{,var/}run/systemd/notify rule - Add /usr/bin/kill and signal hup rule to parent - Add pg_archivecleanup ix to postgres_shell
1 parent c8d2a04 commit adc443e

1 file changed

Lines changed: 13 additions & 7 deletions


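--- a/ansible/files/postgresql_config/sbpostgres_apparmor
+++ b/ansible/files/postgresql_config/sbpostgres_apparmor
@@ -24,14 +24,13 @@ profile sbpostgres flags=(attach_disconnected) {
 # lock permission for pgroonga
 /data/pgdata/pgroonga.log k,
 
+# WAL directory - needs link permission for segment recycling
+/data/pgdata/pg_wal/** rwkl,
+/data/pgdata/pg_wal/ rw,
+
 # Systemd notification socket (for Type=notify services)
-/run/systemd/notify w,
 /{,var/}run/systemd/notify w,
 
-# Allow disconnected paths (for mount namespaces)
-@{run}/systemd/notify w,
-/run/systemd/notify w,
-
 # Full network access
 network inet stream,
 network inet6 stream,
@@ -50,6 +49,8 @@ profile sbpostgres flags=(attach_disconnected) {
 /usr/bin/false ix,
 # kill needed for postgresql to reload itself
 /bin/kill ix,
+/usr/bin/kill ix,
+signal (send) set=(hup) peer=unconfined,
 
 # When parent executes shell, transition to restricted profile
 # This accounts for popen, which postgres uses for any child process
@@ -79,7 +80,7 @@ profile sbpostgres flags=(attach_disconnected) {
 /opt/supabase-admin-agent/supabase-admin-agent-linux-arm64 Pix -> postgres_shell,
 /opt/supabase-admin-agent/supabase-admin-agent-linux-amd64 Pix -> postgres_shell,
 
-profile postgres_shell {
+profile postgres_shell {
 #include <abstractions/base>
 
 /usr/bin/* m,
@@ -108,13 +109,16 @@ profile sbpostgres flags=(attach_disconnected) {
 /nix/store/*/bin/wal-g-2 ix,
 /nix/store/*/bin/pgbackrest ix,
 /nix/store/*/bin/pg_dump ix,
+/nix/store/*/bin/pg_archivecleanup ix,
 
 # file path permissions
 /** r,
 /data/wal_fetch_dir/ rw,
 /tmp/wal_fetch_dir/ rw,
 /var/lib/postgresql/data rw,
 /data/pgdata rw,
+/data/pgdata/pg_wal/** rwkl,
+/data/pgdata/pg_wal/ rw,
 /data/latest-lsn-checkpoint-v2 rw,
 /data/previous-lsn-checkpoint-v2 rw,
 /var/lib/postgresql/data/recovery.signal rw,
@@ -149,7 +153,7 @@ profile sbpostgres flags=(attach_disconnected) {
 
 }
 
-profile pgbackrest_shell {
+profile pgbackrest_shell {
 #include <abstractions/base>
 
 /usr/bin/* m,
@@ -176,6 +180,8 @@ profile sbpostgres flags=(attach_disconnected) {
 /tmp/wal_fetch_dir/ rw,
 /var/lib/postgresql/data rw,
 /data/pgdata rw,
+/data/pgdata/pg_wal/** rwkl,
+/data/pgdata/pg_wal/ rw,
 /data/latest-lsn-checkpoint-v2 rw,
 /data/previous-lsn-checkpoint-v2 rw,
 /var/lib/postgresql/data/recovery.signal rw,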
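Review bot: The new `signal (send) set=(hup) peer=unconfined,` rule in the parent profile may not cover the reload it is added for: kill is executed with `ix`, so it keeps the sbpostgres label, and the comment above it says the recipient is the postmaster reloading itself — if that postmaster is confined by this same profile its label is `sbpostgres`, not `unconfined`, so this rule would instead permit SIGHUP to any unconfined process DAC already lets the caller signal. If the postmaster is confined here, `signal (send) set=(hup) peer=sbpostgres,` (or `peer=@{profile_name}`) is the rule that matches and `peer=unconfined` can be dropped; worth confirming against the audit log which peer label the original denial was recorded with. As a style point, the two kill paths could be folded into `/{,usr/}bin/kill ix,` the same way the systemd notify rule was consolidated in this commit. The enclosing `profile sbpostgres` block opens before and closes after this section.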
