Commit afbec87e authored by Christian Boltz, committed by Sandro Knauß

Add attach_disconnected flag to postgresql profile

Testing on openSUSE Tumbleweed resulted in the following denial:

apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="postgresql_akonadi" name="" pid=15531 comm="postgres" requested_mask="wr" denied_mask="wr"

Add the attach_disconnected flag to convert this to a denial we can
handle:

apparmor="DENIED" operation="file_mmap" profile="postgresql_akonadi" name="/" pid=11096 comm="postgres" requested_mask="wr" denied_mask="wr"

... and finally  deny / rw,  because allowing it would be insane and
everything works with the deny rule added.
parent 629a9f9e
......@@ -4,7 +4,7 @@
@{postgresqlpath} = /usr/ /usr/lib/postgresql/*/ /usr/lib/postgresql*[0-9]/ /opt/pgsql*/
profile postgresql_akonadi {
profile postgresql_akonadi flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
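Review bot: the profile header gains `flags=(attach_disconnected)` without a comment explaining why. The flag applies to the whole profile and makes AppArmor resolve disconnected paths as if they were rooted at `/`, so a one-line comment above the `profile postgresql_akonadi` line naming the `file_mmap` "Failed name lookup - disconnected path" denial from the commit message would help. That way a later cleanup is less likely to drop the flag or the matching `deny / rw,` rule without the other.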
......@@ -17,6 +17,8 @@ profile postgresql_akonadi {
signal receive set=kill peer=/usr/bin/akonadiserver,
signal receive set=term peer=/usr/bin/akonadiserver,
deny / rw, # disconnected path
/etc/passwd r,
/{usr/,}bin/{b,d}ash mrix,
/{usr/,}bin/locale mrix,
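Review bot: `deny / rw, # disconnected path` will be silent in the logs, because explicit deny rules are not audited unless written as `audit deny`. If the postgres `file_mmap` on the disconnected object should stay visible while its cause is unknown, consider `audit deny / rw,`. Otherwise, expand the comment to say that the rule exists only because `attach_disconnected` maps that access to `/`, and that it depends on the flag in the profile header.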
......