From 9544ce1d18ce3560c346a5f002c4a9fcb7afd1ac Mon Sep 17 00:00:00 2001
From: Aditya Toshniwal
Date: Thu, 25 Jul 2024 11:40:19 +0530
Subject: [PATCH] Add apparmor profile for pgAdmin when installing on Debian based OS
---
 pkg/debian/build.sh | 15 +++++++++++++++
 pkg/debian/pgadmin4-aa-profile | 12 ++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 pkg/debian/pgadmin4-aa-profile
diff --git a/pkg/debian/build.sh b/pkg/debian/build.sh
index a8ec35557..2af2a7752 100755
--- a/pkg/debian/build.sh
+++ b/pkg/debian/build.sh
@@ -68,6 +68,10 @@ fakeroot dpkg-deb --build "${SERVERROOT}" "${DISTROOT}/${APP_NAME}-server_${APP_
 echo "Creating the desktop package..."
 mkdir "${DESKTOPROOT}/DEBIAN"
+cat << EOF > "${DESKTOPROOT}/DEBIAN/conffiles"
+/etc/apparmor.d/pgadmin4
+EOF
+
 cat << EOF > "${DESKTOPROOT}/DEBIAN/control"
 Package: ${APP_NAME}-desktop
 Version: ${APP_LONG_VERSION}
@@ -79,6 +83,17 @@ Maintainer: pgAdmin Development Team
 Description: The desktop user interface for pgAdmin. pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
 EOF
+cat << EOF > "${DESKTOPROOT}/DEBIAN/postinst"
+#!/bin/sh
+
+systemctl restart apparmor.service
+EOF
+
+chmod 755 "${DESKTOPROOT}/DEBIAN/postinst"
+
+mkdir -p "${DESKTOPROOT}/etc/apparmor.d"
+cp "${SOURCEDIR}/pkg/debian/pgadmin4-aa-profile" "${DESKTOPROOT}/etc/apparmor.d/pgadmin4"
+
 # Build the Debian package for the desktop
 chmod -R u+rwX,go+rX,go-w "${DESKTOPROOT}"
 fakeroot dpkg-deb --build "${DESKTOPROOT}" "${DISTROOT}/${APP_NAME}-desktop_${APP_LONG_VERSION}_${OS_ARCH}.deb"
diff --git a/pkg/debian/pgadmin4-aa-profile b/pkg/debian/pgadmin4-aa-profile
new file mode 100644
index 000000000..28876a7eb
--- /dev/null
+++ b/pkg/debian/pgadmin4-aa-profile
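Review bot: The postinst generated in the second build.sh hunk ends on an unguarded `systemctl restart apparmor.service`, so that command's exit status becomes the maintainer script's status. On a host without systemd or without the apparmor unit (containers, chroots, minimal images) the restart fails and dpkg would leave the desktop package unconfigured; the Depends line is outside the hunks, so whether apparmor is guaranteed to be installed cannot be seen here. Restarting the service also reloads every profile on the machine when only `/etc/apparmor.d/pgadmin4` changed. Loading just that profile, guarded by `aa-enabled` and run only on `configure`, avoids both problems; the heredoc delimiter then has to be quoted so `$1` reaches the script unexpanded.

```shell
cat << 'EOF' > "${DESKTOPROOT}/DEBIAN/postinst"
#!/bin/sh
set -e

# Reload only the pgAdmin profile, and only where AppArmor is active.
if [ "$1" = "configure" ] && [ -f /etc/apparmor.d/pgadmin4 ]; then
    if aa-enabled --quiet 2>/dev/null; then
        # Best effort: a parser that rejects the profile must not fail the install.
        apparmor_parser -r -T -W /etc/apparmor.d/pgadmin4 || true
    fi
fi
EOF
# … unchanged: chmod 755 on postinst, mkdir/cp of the profile …
```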
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi ,
+include
+
+profile pgadmin4 /usr/pgadmin4/bin/pgadmin4 flags=(unconfined) {
+ userns,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
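Review bot: The header comment says the profile allows everything, but it does not record why the `userns,` rule is present or that the profile attaches purely by path to `/usr/pgadmin4/bin/pgadmin4`. A line such as `# userns: lets the desktop runtime create unprivileged user namespaces on systems that restrict them to named profiles` would state the intent (presumably for the bundled browser runtime's sandbox; confirm). Because whatever runs from that path gets the unconfined label plus user-namespace creation, the comment should also say that the binary and its parent directories must stay root-owned and not group- or world-writable. As far as I know `flags=(unconfined)` and the `userns` rule are only understood by AppArmor 4.x parsers, so on Debian-based releases with an older parser this file would likely fail to load; either limit where it is shipped or make the load step tolerate that failure.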