feat: add apparmor profile (#2087)

* feat: add apparmor profile

* fix: split commands

* Update ansible/tasks/setup-postgres.yml

* feat: bump version numbers

* fix: correct indent

* chore: add tests for apparmor

* chore: tests with superuser

* chore: additional apparmor tests

* chore: fix test for apparmor on service

---------

Co-authored-by: Douglas J Hunley <doug.hunley@gmail.com>

Author: staaldraad

ansible/files/postgresql_config/postgresql.service

@@ -24,6 +24,7 @@ LimitNOFILE=16384
 {% if supabase_internal is defined %}
 ReadOnlyPaths=/etc
 InaccessiblePaths=/root -/var/lib/supabase -/var/lib/supabase-admin-agent -/var/cache/supabase-admin-agent -/opt/saltstack -/etc/salt
+AppArmorProfile=-sbpostgres
 {% endif %}
 [Install]
 WantedBy=multi-user.target

ansible/files/postgresql_config/sbpostgres_apparmor

@@ -0,0 +1,202 @@
+#include <tunables/global>
+
+# ============================================
+# POSTGRES PROFILE - With Supabase specific restrictions
+# ============================================
+profile sbpostgres flags=(attach_disconnected) {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+    #include <abstractions/openssl>
+
+    # Parent binary access to self
+    /var/lib/postgresql/.nix-profile/bin/postgres mr,
+    /nix/store/*/bin/.postgres-wrapped mr,
+    /nix/store/*/bin/.postgres-wrapped ix,
+
+    # Wide open permissions for parent - to be tuned
+    # some of this is managed via systemd sandboxing already
+    /** rw,
+    owner /** m,
+    / wr,
+    /nix/store/** m,
+    /etc r,
+    /usr/local r,
+    # lock permission for pgroonga
+    /data/pgdata/pgroonga.log k,
+
+    # Systemd notification socket (for Type=notify services)
+    /run/systemd/notify w,
+    /{,var/}run/systemd/notify w,
+
+    # Allow disconnected paths (for mount namespaces)
+    @{run}/systemd/notify w,
+    /run/systemd/notify w,
+
+    # Full network access
+    network inet stream,
+    network inet6 stream,
+    network unix stream,
+
+    # All capabilities
+    capability,
+
+    # Libraries
+    /lib/aarch64-linux-gnu/*.so* mr,
+    /usr/lib/aarch64-linux-gnu/*.so* mr,
+    /nix/store/*/lib/*.so* mr,
+
+    # safe commands
+    /usr/bin/true  ix,
+    /usr/bin/false ix,
+    # kill needed for postgresql to reload itself
+    /bin/kill ix,
+
+    # When parent executes shell, transition to restricted profile
+    # This accounts for popen, which postgres uses for any child process
+    # Px = discrete profile transition (child gets different profile)
+    /bin/sh Pix -> postgres_shell,
+    /bin/bash Pix -> postgres_shell,
+    /bin/dash Pix -> postgres_shell,
+    /usr/bin/sh Pix -> postgres_shell,
+    /usr/bin/dash Pix -> postgres_shell,
+    /nix/store/*/bin/bash Pix -> postgres_shell,
+    /usr/lib/postgresql/bin/pgsodium_getkey.sh Pix -> postgres_shell,
+    /usr/bin/cat Pix -> postgres_shell,
+    /bin/cat Pix -> postgres_shell,
+    /usr/bin/admin-mgr Pix -> postgres_shell,
+    /nix/store/*/bin/wal-g-2 Pix -> postgres_shell,
+    /nix/store/*/bin/pgbackrest Pix -> postgres_shell,
+    /nix/store/*/bin/pg_dump ix,
+    /usr/bin/pgbackrest Pix -> pgbackrest_shell,
+    /usr/bin/nix Pix -> pgbackrest_shell,
+    /usr/bin/sudo Pix -> pgbackrest_shell,
+
+    profile postgres_shell {
+        #include <abstractions/base>
+
+        /usr/bin/* m,
+        /bin/* m,
+
+        # Shell binary
+        /usr/bin/sh mr,
+        /usr/bin/bash mr,
+        /usr/bin/dash mr,
+        /nix/store/*/bin/bash mr,
+
+        # Only allow specific commands to be executed from shell
+        /usr/bin/cat ix,
+
+        # pgbackrest needs nix and sudo
+        /usr/bin/nix ix,
+        /usr/bin/sudo ix,
+
+        # backup things
+        /usr/lib/postgresql/bin/pgsodium_getkey.sh ix,
+        /usr/bin/admin-mgr ix,
+        /nix/store/*/bin/.postgres-wrapped ix,
+        /nix/store/*/bin/wal-g-2 ix,
+        /nix/store/*/bin/pgbackrest ix,
+        /nix/store/*/bin/pg_dump ix,
+
+        # file path permissions
+        /** r,
+        /data/wal_fetch_dir/ rw,
+        /tmp/wal_fetch_dir/ rw,
+        /var/lib/postgresql/data rw,
+        /data/pgdata rw,
+        /data/latest-lsn-checkpoint-v2 rw,
+        /data/previous-lsn-checkpoint-v2 rw,
+        /var/lib/postgresql/data/recovery.signal rw,
+        /var/lib/postgresql/data/standby.signal rw,
+        /var/lib/pgbackrest rw,
+        /etc/pgbackrest/conf.d/** rw,
+        /var/spool/pgbackrest/** rw,
+        /var/log/pgbackrest/** rw,
+        /etc/** r,
+        /usr/local/** r,
+
+
+        deny /var/lib/supabase/** rwx,
+        deny /var/lib/supabase-admin-agent/** rwx,
+        deny /var/cache/supabase-admin-agent/** rwx,
+        deny /opt/saltstack/** rwx,
+        deny /etc/salt/** rwx,
+        deny /root wr,
+        deny /home/** wr,
+        # wal-g needs access to its own home directory
+        /home/wal-g/* wr,
+
+        # Libraries
+        /lib/aarch64-linux-gnu/*.so* mr,
+        /usr/lib/aarch64-linux-gnu/*.so* mr,
+        /nix/store/*/lib/*.so* mr,
+
+        # full network access
+        # could further break this up so that only backup
+        # tools have network access
+        network,
+
+        # Block everything else
+        deny /** x,
+    }
+
+    profile pgbackrest_shell {
+        #include <abstractions/base>
+
+        /usr/bin/* m,
+        /bin/* m,
+
+        # Shell binary
+        /usr/bin/sh mr,
+        /usr/bin/bash mr,
+        /usr/bin/dash mr,
+        /nix/store/*/bin/bash mr,
+
+        # pgbackrest needs nix and sudo
+        /usr/bin/nix ix,
+        /usr/bin/sudo ix,
+        /bin/bash ix,
+
+        /usr/bin/admin-mgr ix,
+        /nix/store/*/bin/.postgres-wrapped ix,
+        /nix/store/*/bin/pgbackrest ix,
+
+        # file path permissions
+        /** r,
+        /data/wal_fetch_dir/ rw,
+        /tmp/wal_fetch_dir/ rw,
+        /var/lib/postgresql/data rw,
+        /data/pgdata rw,
+        /data/latest-lsn-checkpoint-v2 rw,
+        /data/previous-lsn-checkpoint-v2 rw,
+        /var/lib/postgresql/data/recovery.signal rw,
+        /var/lib/postgresql/data/standby.signal rw,
+        /var/lib/pgbackrest rw,
+        /etc/pgbackrest/conf.d/** rw,
+        /var/spool/pgbackrest/** rw,
+        /var/log/pgbackrest/** rw,
+        /etc/** r,
+        /usr/local/** r,
+
+        deny /var/lib/supabase/** rwx,
+        deny /var/lib/supabase-admin-agent/** rwx,
+        deny /var/cache/supabase-admin-agent/** rwx,
+        deny /opt/saltstack/** rwx,
+        deny /etc/salt/** rwx,
+        deny /root wr,
+        deny /home/** wr,
+
+        # Libraries
+        /lib/aarch64-linux-gnu/*.so* mr,
+        /usr/lib/aarch64-linux-gnu/*.so* mr,
+        /nix/store/*/lib/*.so* mr,
+
+        # full network access
+        # could further break this up so that only backup
+        # tools have network access
+        network,
+
+        # Block everything else
+        deny /** x,
+    }
+}

ansible/tasks/setup-postgres.yml

@@ -286,6 +286,22 @@
       when:
         - (is_psql_oriole or is_psql_17)
 
+- name: copy PG apparmor profile
+  ansible.builtin.copy:
+    dest: '/etc/apparmor.d/sbpostgres'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: 'files/postgresql_config/sbpostgres_apparmor'
+
+- name: parse apparmor sbpostgres profile
+  ansible.builtin.command:
+    cmd: '/usr/sbin/apparmor_parser -r /etc/apparmor.d/sbpostgres'
+
+- name: reload apparmor with sbpostgres profile
+  ansible.builtin.command:
+    cmd: '/usr/sbin/aa-enforce sbpostgres'
+
 - name: copy PG and optimizations systemd units
   ansible.builtin.template:
     dest: "/etc/systemd/system/{{ systemd_svc_item | basename }}"
@@ -376,7 +392,7 @@
     dest: '/var/lib/postgresql/.bashrc'
     line: "{{ lang_item }}"
   become: true
-  loop: 
+  loop:
     - 'export LOCALE_ARCHIVE=/usr/lib/locale/locale-archive'
     - 'export LANG="en_US.UTF-8"'
     - 'export LANGUAGE="en_US.UTF-8"'

ansible/vars.yml

@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.6.0.063-orioledb"
-  postgres17: "17.6.1.106"
-  postgres15: "15.14.1.106"
+  postgresorioledb-17: "17.6.0.064-orioledb"
+  postgres17: "17.6.1.107"
+  postgres15: "15.14.1.107"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.25.1