feat(profiles): add multipath profiles

See #134

Signed-off-by: @cboltz

apparmor.d/profiles-m-r/multipath

@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/multipath
+profile multipath @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/disks-write>
+
+  capability sys_admin,
+  capability sys_resource,
+
+  @{exec_path} mr,
+
+  /etc/multipath/bindings rwk,
+  /etc/multipath.conf r,
+
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/devices/pci[0-9]*/**/ata[0-9]*/host[0-9]*/ r,
+  @{sys}/devices/pci[0-9]*/**/ata[0-9]*/host[0-9]*/** r,
+
+  @{PROC}/devices r,
+  @{PROC}/sys/fs/nr_open r,
+
+  include if exists <local/multipath>
+}

apparmor.d/profiles-m-r/multipathd

@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/multipathd
+profile multipathd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/disks-read>
+
+  capability ipc_lock,
+  capability net_admin,
+  capability sys_admin,
+  capability sys_nice,
+  capability sys_resource,
+
+  network netlink raw,
+
+  unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
+
+  @{exec_path} mr,
+
+  /etc/multipath.conf r,
+  /etc/multipath/bindings rwk,
+  /etc/systemd/system/ r,
+
+  @{run}/multipathd.pid rwk,
+  @{run}/systemd/notify w,
+
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+
+        @{PROC}/devices r,
+        @{PROC}/sys/fs/nr_open r,
+  owner @{PROC}/@{pid}/oom_score_adj w,
+
+  /dev/mapper/control rw,
+
+  include if exists <local/multipathd>
+}

apparmor.d/profiles-m-r/os-prober

@@ -35,7 +35,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
   @{bin}/lvm               rPx,
   @{bin}/mkdir             rix,
   @{bin}/mktemp            rix,
-  @{bin}/multipath        rPUx,
+  @{bin}/multipath         rPx,
   @{bin}/readlink          rix,
   @{bin}/rm                rix,
   @{bin}/rmdir             rix,

dists/flags/main.flags

@@ -211,6 +211,8 @@ mke2fs complain
 ModemManager attach_disconnected,complain
 molly-guard complain
 mount attach_disconnected,complain
+multipath complain
+multipathd complain
 mutter-x11-frames complain
 nautilus complain
 needrestart attach_disconnected,complain