fix: allow SAA execution from postgres AppArmor confinement

Remove explicit `deny /** x,` from postgres_shell and pgbackrest_shell
sub-profiles — the deny keyword has absolute precedence in AppArmor,
overriding all specific ix allow rules and blocking SAA execution with
exit 126.

Add SAA to the parent sbpostgres profile with Pix -> postgres_shell so
that the archive_command path (shell staying in sbpostgres due to Pix
fallback) can exec SAA and transition it into postgres_shell. Also add
/nix/store/*/bin/sh to the shell transition rules to cover nix-built
postgres popen() behaviour.

Author: Crispy1975

ansible/files/postgresql_config/sbpostgres_apparmor

@@ -71,6 +71,14 @@ profile sbpostgres flags=(attach_disconnected) {
     /usr/bin/nix Pix -> pgbackrest_shell,
     /usr/bin/sudo Pix -> pgbackrest_shell,
 
+    # nix-built postgres popen() may use a nix store sh instead of /bin/sh
+    /nix/store/*/bin/sh Pix -> postgres_shell,
+
+    # SAA called directly from sbpostgres context (e.g. shell Pix fallback)
+    /opt/supabase-admin-agent/supabase-admin-agent Pix -> postgres_shell,
+    /opt/supabase-admin-agent/supabase-admin-agent-linux-arm64 Pix -> postgres_shell,
+    /opt/supabase-admin-agent/supabase-admin-agent-linux-amd64 Pix -> postgres_shell,
+
     profile postgres_shell {
         #include <abstractions/base>
 
@@ -93,6 +101,9 @@ profile sbpostgres flags=(attach_disconnected) {
         # backup things
         /usr/lib/postgresql/bin/pgsodium_getkey.sh ix,
         /usr/bin/admin-mgr ix,
+        /opt/supabase-admin-agent/supabase-admin-agent ix,
+        /opt/supabase-admin-agent/supabase-admin-agent-linux-arm64 ix,
+        /opt/supabase-admin-agent/supabase-admin-agent-linux-amd64 ix,
         /nix/store/*/bin/.postgres-wrapped ix,
         /nix/store/*/bin/wal-g-2 ix,
         /nix/store/*/bin/pgbackrest ix,
@@ -136,8 +147,6 @@ profile sbpostgres flags=(attach_disconnected) {
         # tools have network access
         network,
 
-        # Block everything else
-        deny /** x,
     }
 
     profile pgbackrest_shell {
@@ -196,7 +205,5 @@ profile sbpostgres flags=(attach_disconnected) {
         # tools have network access
         network,
 
-        # Block everything else
-        deny /** x,
     }
 }