[pkg-apparmor] PostgreSQL AppArmor profiles

Christian Boltz apparmor-debian at cboltz.de
Mon Sep 7 17:22:03 BST 2020


Hello,

Am Sonntag, 6. September 2020, 21:31:45 CEST schrieb Sandro Knauß:
> Christian is trying to replace the Akonadi internal postgres service
> with a system wide service. Is that correct?

No ;-)

There are two unrelated things in this discussion:

a) the need to update the postgresql_akonadi AppArmor profile when using 
   the internal postgres service (= this mail)

b) Sedat switched to using the system wide postgres (not relevant for 
   the AppArmor profile, except that it of course avoids the profile for 
   the internal postgres service)

> (This in itself is not really supported by Akonadi; normally Akonadi
> takes care of starting and stopping the database itself). So
> what is the advantage of starting/stopping postgres outside of
> Akonadi?

I use Akonadi with my system-wide MySQL, so let me answer from my POV:
It avoids running another MySQL instance (I have a system-wide MySQL 
running anyway), and my _impression_ (no hard facts) is that it works a 
bit more stably than with the Akonadi-internal MySQL. I can only guess, 
but maybe the internal MySQL gets stopped the hard way on logout if the 
regular stop takes too long?

Again: This is only my impression, I don't have hard facts.

> > > BEFORE: profile postgresql_akonadi {
> > > AFTER: profile postgresql_akonadi flags=(attach_disconnected) {
> > 
> > Right, the   flags=(attach_disconnected)   addition is the correct
> > fix.
> What does this flag do? 

The starting point was this message:

[Thu Sep  3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28):
apparmor="DENIED" operation="file_mmap" info="Failed name lookup -
disconnected path" error=-13 profile="postgresql_akonadi" name=""
pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr"
fsuid=1000 ouid=1000

As you can see, the message in this specific case is about   name=""

The simplified explanation is that with attach_disconnected, this will 
become   name="/"   - attach_disconnected prepends a   /   to paths that 
aren't connected to the root filesystem namespace.

> Does this mean, that every postgres service I
> start will be run under this profile? 

No.

> Or can AppArmor distinguish
> between the system wide postgresql@12-main.service and the akonadi
> one (akonadi-dileks)? 

Yes, because the akonadi profile probably (at least I guess so, I don't 
use Debian and never looked at the Akonadi profile) has a rule saying
    /usr/bin/postgresql Cx -> postgresql_akonadi,
which means "if akonadi executes postgres, use the postgresql_akonadi 
child profile".

For the system-wide postgresql, the "if akonadi executes postgres" 
condition won't match ;-)

> Because keep in mind the profile
> postgresql_akonadi should only be added to this instance that is
> connected to akonadi and not the other postgres clusters. The idea of
> the profiles is that the non Akonadi instances of postgres and mysql
> don't get any akonadi profile attached.

Right, and this won't change with the added flag.


Regards,

Christian Boltz
-- 
One piece of advice: if you maintain a C&C server (which is both a
really bad idea and a criminal act and as such, strongly discouraged),
always use a strong password.
It's very unprofessional if your server is cracked this easily.
[http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/
SophosInsideABlackHole.pdf]
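To show where the execution-transition rule and the attach_disconnected flag sit relative to each other, here is a constructed AppArmor profile fragment (an added illustration, not the profile shipped by Debian or Akonadi; the akonadiserver path, the postgres binary path and the individual file rules are assumptions):

```apparmor
# Constructed illustration, not the shipped akonadi profile.
#include <tunables/global>

# Parent profile confining the Akonadi server (path is a placeholder).
/usr/bin/akonadiserver {
  #include <abstractions/base>

  # When akonadiserver executes postgres, switch to the child profile.
  # Cx = transition to a child profile defined inside this one. A
  # postgres started by systemd (postgresql@12-main.service) never
  # passes through this rule, so the system-wide cluster is not
  # confined by postgresql_akonadi.
  /usr/lib/postgresql/*/bin/postgres Cx -> postgresql_akonadi,

  # attach_disconnected: a file whose path cannot be resolved relative
  # to the namespace root (logged as name="" with "disconnected path")
  # is matched with a leading "/" prepended instead of being denied
  # outright. Without the flag, the rules below can never match it.
  profile postgresql_akonadi flags=(attach_disconnected) {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    /usr/lib/postgresql/*/bin/postgres mr,
    owner @{HOME}/.local/share/akonadi/db_data/ rw,
    owner @{HOME}/.local/share/akonadi/db_data/** rwk,
    owner /run/user/[0-9]*/akonadi/** rw,
  }
}
```

After changing the flag, reload the profile (for example with apparmor_parser -r on the profile file) and confirm in the audit log that the earlier "Failed name lookup - disconnected path" denial for profile="postgresql_akonadi" no longer appears.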