From df67d1c3540b72f54034805e6a39bb934b3eb37c Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 14 Sep 2025 15:45:14 +0100
Subject: [PATCH] Relax security for sql_exporter to fix crash

---
 cookbooks/postgresql/recipes/default.rb | 1 +
 cookbooks/prometheus/resources/exporter.rb | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/cookbooks/postgresql/recipes/default.rb b/cookbooks/postgresql/recipes/default.rb
index eae492f16..53a64fbd0 100644
--- a/cookbooks/postgresql/recipes/default.rb
+++ b/cookbooks/postgresql/recipes/default.rb
@@ -160,6 +160,7 @@ clusters.each do |name, details|
 options "--config.file=/etc/prometheus/exporters/sql_exporter.yml"
 environment "SQLEXPORTER_TARGET_DSN" => "postgres://prometheus:#{passwords['prometheus']}@/run/postgresql:#{details[:port]}/#{prometheus_database}"
 restrict_address_families "AF_UNIX"
+ memory_deny_write_execute false
 subscribes :restart, "template[/etc/prometheus/exporters/sql_exporter.yml]"
 end
 else
diff --git a/cookbooks/prometheus/resources/exporter.rb b/cookbooks/prometheus/resources/exporter.rb
index d47b64751..8f88270c4 100644
--- a/cookbooks/prometheus/resources/exporter.rb
+++ b/cookbooks/prometheus/resources/exporter.rb
@@ -39,6 +39,7 @@ property :private_devices, [true, false]
 property :private_users, [true, false]
 property :protect_clock, [true, false]
 property :restrict_address_families, [String, Array]
+property :memory_deny_write_execute, [true, false]
 property :remove_ipc, [true, false]
 property :system_call_filter, [String, Array]
 property :service, :kind_of => String
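Review bot: The added `memory_deny_write_execute false` in the sql_exporter resource turns off what is presumably systemd's MemoryDenyWriteExecute= protection, and the recipe does not record which crash it works around, so nobody will know when it is safe to turn it back on. This is also the process that receives the database password through `SQLEXPORTER_TARGET_DSN`, so the relaxation deserves a visible justification next to it. I would add a comment above the line, e.g. `# sql_exporter crashes with MemoryDenyWriteExecute enabled (see <issue-or-upstream-ref>); remove this override once fixed`. The resource block opens before the hunk, so the other hardening options it sets cannot be checked from here.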
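Review bot: The new `memory_deny_write_execute` property has no default and nothing beside it says what an unset value means, so a reader of this resource cannot tell whether exporters keep the protection unless they trace what `action :create` forwards to. A short comment above the property would help, e.g. `# Forwarded only when set; leave unset to keep the service default, set false only for exporters that cannot run with it enforced`. The same applies to the forwarding line added in the `action :create` hunk, which passes the value on only when `property_is_set?` is true. That block starts outside the hunk, so the effective default is not visible here.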
@@ -88,6 +89,7 @@ action :create do
 private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
 protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
 restrict_address_families new_resource.restrict_address_families if new_resource.property_is_set?(:restrict_address_families)
+ memory_deny_write_execute new_resource.memory_deny_write_execute if new_resource.property_is_set?(:memory_deny_write_execute)
 remove_ipc new_resource.remove_ipc if new_resource.property_is_set?(:remove_ipc)
 system_call_filter new_resource.system_call_filter if new_resource.property_is_set?(:system_call_filter)
 end
-- 
2.39.5