PKG-40 telemetry writing is blocked by AppArmor after update

percona · Jun 27, 2024 · 3daa680 · 3daa680
1 parent e16519a
commit 3daa680
Show file tree

Hide file tree

Showing 4 changed files with 127 additions and 33 deletions.
diff --git a/build-ps/debian/extra/apparmor.d/old_apparmor b/build-ps/debian/extra/apparmor.d/old_apparmor
@@ -0,0 +1,80 @@
+#include <tunables/global>
+
+/usr/sbin/mysqld flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+  #include <abstractions/mysql>
+  #include <abstractions/winbind>
+
+# Allow system resource access
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/node/ r,
+  /sys/devices/system/node/** r,
+  /proc/*/status r,
+  capability sys_resource,
+  capability dac_override,
+  capability setuid,
+  capability setgid,
+  capability sys_nice,
+
+# Allow network access
+  network tcp,
+
+  /etc/hosts.allow r,
+  /etc/hosts.deny r,
+
+# Allow config access
+  /etc/mysql/** r,
+
+# Allow pid, socket, socket lock file access
+  /var/run/mysqld/mysqld.pid rw,
+  /var/run/mysqld/mysqld.sock rw,
+  /var/run/mysqld/mysqld.sock.lock rw,
+  /var/run/mysqld/mysqlx.sock rw,
+  /var/run/mysqld/mysqlx.sock.lock rw,
+  /run/mysqld/mysqld.pid rw,
+  /run/mysqld/mysqld.sock rw,
+  /run/mysqld/mysqld.sock.lock rw,
+  /run/mysqld/mysqlx.sock rw,
+  /run/mysqld/mysqlx.sock.lock rw,
+
+# Allow systemd notify messages
+  /{,var/}run/systemd/notify w,
+
+# Allow execution of server binary
+  /usr/sbin/mysqld mr,
+  /usr/sbin/mysqld-debug mr,
+
+# Allow plugin access
+  /usr/lib/mysql/plugin/ r,
+  /usr/lib/mysql/plugin/*.so* mr,
+
+# Allow error msg and charset access
+  /usr/share/mysql/ r,
+  /usr/share/mysql/** r,
+  /usr/share/mysql-@MYSQL_BASE_VERSION@/ r,
+  /usr/share/mysql-@MYSQL_BASE_VERSION@/** r,
+
+# Allow data dir access
+  /var/lib/mysql/ r,
+  /var/lib/mysql/** rwk,
+
+# Allow data files dir access
+  /var/lib/mysql-files/ r,
+  /var/lib/mysql-files/** rwk,
+
+# Allow keyring dir access
+  /var/lib/mysql-keyring/ r,
+  /var/lib/mysql-keyring/** rwk,
+
+# Allow log file access
+  /var/log/mysql/ r,
+  /var/log/mysql/** rw,
+
+# Allow access to openssl config
+  /etc/ssl/openssl.cnf r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.mysqld>
+}
diff --git a/...ebian/extra/apparmor.d/usr.sbin.mysqld.in → ...bian/extra/apparmor.d/usr.sbin.mysqld.in2 b/...ebian/extra/apparmor.d/usr.sbin.mysqld.in → ...bian/extra/apparmor.d/usr.sbin.mysqld.in2
diff --git a/build-ps/debian/percona-server-server.install b/build-ps/debian/percona-server-server.install
@@ -23,7 +23,8 @@ debian/extra/mysql.cnf  etc/mysql/
 debian/extra/mysqld.cnf /etc/mysql/mysql.conf.d/
 
 # AppArmor profile
-debian/extra/apparmor.d/usr.sbin.mysqld.in etc/apparmor.d/
+debian/extra/apparmor.d/usr.sbin.mysqld.in2 etc/apparmor.d/
+debian/extra/apparmor.d/old_apparmor etc/apparmor.d/
 debian/extra/apparmor.d/local/usr.sbin.mysqld.in etc/apparmor.d/local/
 
 # debug binary

diff --git a/build-ps/debian/percona-server-server.postinst b/build-ps/debian/percona-server-server.postinst
@@ -132,24 +132,32 @@ case "$1" in
 
 		PROFILE_ACTION="Use NEW AppArmor profile"
 		# If the existing AppArmor module/local profile is the proper file, we back it up
-		if [ -f "/etc/apparmor.d/usr.sbin.mysqld" -o -f "/etc/apparmor.d/local/usr.sbin.mysqld" ]; then
-			db_input high percona-server-server/existing_profile_file || true
-			db_go
-			db_get percona-server-server/existing_profile_file && PROFILE_ACTION=${RET}
-		fi
-		if [ "${PROFILE_ACTION}" = "Use NEW AppArmor profile" ]; then
-			DATE=`date +%Y-%m-%d-%H:%m:%S`
-			mkdir -p /etc/apparmor.d/mysqld_apparmor_backup
-			mkdir -p /etc/apparmor.d/local/mysqld_apparmor_backup
-			cp /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/mysqld_apparmor_backup/usr.sbin.mysqld_$DATE.bak 2> /dev/null || true
-			cp /etc/apparmor.d/local/usr.sbin.mysqld /etc/apparmor.d/local/mysqld_apparmor_backup/usr.sbin.mysqld_$DATE.bak 2> /dev/null || true
-
-			mv -f /etc/apparmor.d/usr.sbin.mysqld.in /etc/apparmor.d/usr.sbin.mysqld
+		if [ -f "/etc/apparmor.d/usr.sbin.mysqld" ]; then
+			 if ! diff -q /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/old_apparmor >/dev/null; then
+                                sed -i 's:  # Site-specific additions and overrides. See local/README for details.::' /etc/apparmor.d/usr.sbin.mysqld
+                                sed -i 's:  #include <local/usr.sbin.mysqld>::' /etc/apparmor.d/usr.sbin.mysqld
+                                sed -i '$ s/}//' /etc/apparmor.d/usr.sbin.mysqld
+                                echo "# Allow access to PS telemetry directory" >> /etc/apparmor.d/usr.sbin.mysqld
+                                echo "  /usr/local/percona/telemetry/ps/ rw," >> /etc/apparmor.d/usr.sbin.mysqld
+                                echo "  /usr/local/percona/telemetry/ps/** rw," >> /etc/apparmor.d/usr.sbin.mysqld
+                                echo "" >> /etc/apparmor.d/usr.sbin.mysqld
+                                echo "  # Site-specific additions and overrides. See local/README for details." >> /etc/apparmor.d/usr.sbin.mysqld
+                                echo "  #include <local/usr.sbin.mysqld>" >> /etc/apparmor.d/usr.sbin.mysqld
+                                echo "}" >> /etc/apparmor.d/usr.sbin.mysqld
+				sed -r -i ':a; /^\s*$/ {N;ba}; s/( *\n *){2,}/\n/' /etc/apparmor.d/usr.sbin.mysqld
+                                rm -f /etc/apparmor.d/usr.sbin.mysqld.in2
+                        else
+                                mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld
+                        fi
+		else
+			mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld 2> /dev/null || true
+                fi
+		if [ -f "/etc/apparmor.d/local/usr.sbin.mysqld" ]; then
+			rm -f /etc/apparmor.d/local/usr.sbin.mysqld.in
+		else
 			mv -f /etc/apparmor.d/local/usr.sbin.mysqld.in /etc/apparmor.d/local/usr.sbin.mysqld
-
 		fi
-		rm -f /etc/apparmor.d/usr.sbin.mysqld.in
-		rm -f /etc/apparmor.d/local/usr.sbin.mysqld.in
+                rm -f /etc/apparmor.d/old_apparmor
 		if aa-status --enabled 2>/dev/null; then
 			apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.mysqld 2>/dev/null || true
 		fi
@@ -193,24 +201,29 @@ EOF
 			echo "Please use etc/mysql/mysql.conf.d for any custom configuration settings"
 		fi
 		update-alternatives --force --install /etc/mysql/my.cnf my.cnf "/etc/mysql/mysql.cnf" 300
-
-		# If it's a updated version of apparmor profile, install the new one and take a backup of the old profile
-		if [ -f "/etc/apparmor.d/usr.sbin.mysqld.in" -o -f "/etc/apparmor.d/usr.sbin.mysqld.in.dpkg-dist" ]; then
-			DATE=`date +%Y-%m-%d-%H:%m:%S`
-			mkdir -p /etc/apparmor.d/mysqld_apparmor_backup
-			cp /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/mysqld_apparmor_backup/usr.sbin.mysqld_$DATE.bak 2> /dev/null || true
-                        echo "WARNING: /etc/apparmor.d/usr.sbin.mysqld moved to /etc/apparmor.d/mysqld_apparmor_backup/usr.sbin.mysqld_$DATE.bak"
-                        echo "Updated version will be installed in /etc/apparmor.d/usr.sbin.mysqld"
-                        echo "Please use /etc/apparmor.d/local/usr.sbin.mysqld for any custom configuration settings"
-			if [ -f "etc/apparmor.d/usr.sbin.mysqld.in" ]; then
-				mv -f /etc/apparmor.d/usr.sbin.mysqld.in /etc/apparmor.d/usr.sbin.mysqld
+		if [ -f "/etc/apparmor.d/usr.sbin.mysqld" ]; then
+			if ! diff -q /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/old_apparmor >/dev/null; then
+				sed -i 's:  # Site-specific additions and overrides. See local/README for details.::' /etc/apparmor.d/usr.sbin.mysqld
+				sed -i 's:  #include <local/usr.sbin.mysqld>::' /etc/apparmor.d/usr.sbin.mysqld
+				sed -i '$ s/}//' /etc/apparmor.d/usr.sbin.mysqld
+				echo "# Allow access to PS telemetry directory" >> /etc/apparmor.d/usr.sbin.mysqld
+				echo "  /usr/local/percona/telemetry/ps/ rw," >> /etc/apparmor.d/usr.sbin.mysqld
+				echo "  /usr/local/percona/telemetry/ps/** rw," >> /etc/apparmor.d/usr.sbin.mysqld
+				echo "" >> /etc/apparmor.d/usr.sbin.mysqld
+				echo "  # Site-specific additions and overrides. See local/README for details." >> /etc/apparmor.d/usr.sbin.mysqld
+				echo "  #include <local/usr.sbin.mysqld>" >> /etc/apparmor.d/usr.sbin.mysqld
+				echo "}" >> /etc/apparmor.d/usr.sbin.mysqld
+				sed -r -i ':a; /^\s*$/ {N;ba}; s/( *\n *){2,}/\n/'  /etc/apparmor.d/usr.sbin.mysqld
+				rm -f /etc/apparmor.d/usr.sbin.mysqld.in2
 			else
-				mv -f /etc/apparmor.d/usr.sbin.mysqld.in.dpkg-dist /etc/apparmor.d/usr.sbin.mysqld
+				mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld
 			fi
-			if aa-status --enabled 2>/dev/null; then
-				apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.mysqld 2>/dev/null || true
-			fi
-		fi
+                fi
+		rm -f /etc/apparmor.d/old_apparmor
+		mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld 2> /dev/null || true
+		if aa-status --enabled 2>/dev/null; then
+			apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.mysqld 2>/dev/null || true
+                fi
 	fi
 	chmod +x /etc/init.d/mysql || true
 	;;