Your message dated Fri, 11 Jan 2019 22:04:58 +0000
with message-id <[email protected]>
and subject line Bug#903834: fixed in clamav 0.101.1+dfsg-1
has caused the Debian Bug report #903834,
regarding clamav-freshclam: AppArmor denies access to /proc/<pid>/status
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
903834: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903834
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: clamav-freshclam
Version: 0.100.0+dfsg-0+deb9u2
Severity: minor
Control: user [email protected] 
Control: usertag -1 platform

Dear Maintainer,

I've discovered a DENIED message that appears (apparently) only the first time
after clamav is installed:

```
type=AVC msg=audit(1531663533.125:198): apparmor="DENIED"
operation="open" profile="/usr/bin/freshclam" name="/proc/3306/status"
pid=3306 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119
ouid=0 

type=SYSCALL msg=audit(1531663533.125:198): arch=c000003e
syscall=2 success=no exit=-13 a0=7f6e643331d9 a1=0 a2=1b6 a3=0 items=0
ppid=3250 pid=3306 auid=4294967295 uid=119 gid=123 euid=119 suid=119
fsuid=119 egid=123 sgid=123 fsgid=123 tty=(none) ses=4294967295
comm="freshclam" exe="/usr/bin/freshclam" key=(null) 

type=PROCTITLE
msg=audit(1531663533.125:198):
proctitle=2F7573722F62696E2F6672657368636C616D002D64002D2D666F726567726F756E643D74727565
```

That's puzzling as `/etc/apparmor.d/usr.bin.freshclam` does contain the
relevant rule:

```
# fgrep -e status /etc/apparmor.d/usr.bin.freshclam 
  owner @{PROC}/[0-9]*/status r,
```

Here's the clamav-freshclam and auditd combined log:

```
journalctl | fgrep -e audit -e freshclam
Jul 15 17:05:05 debian9kde audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 
ses=4294967295 msg='unit=clamav-freshclam comm="systemd" 
exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> ClamAV 
update process started at Sun Jul 15 17:05:05 2018
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> ^Your 
ClamAV installation is OUTDATED!
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> ^Local 
version: 0.100.0 Recommended version: 0.100.1
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> DON'T 
PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Jul 15 17:05:05 debian9kde audit[3259]: AVC apparmor="STATUS" 
operation="profile_replace" name="/usr/bin/freshclam" pid=3259 
comm="apparmor_parser"
Jul 15 17:05:05 debian9kde audit[3259]: SYSCALL arch=c000003e syscall=1 
success=yes exit=31929 a0=7 a1=55c91c13af40 a2=7cb9 a3=0 items=0 ppid=3258 
pid=3259 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts3 ses=3 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
Jul 15 17:05:05 debian9kde audit: PROCTITLE 
proctitle=61707061726D6F725F706172736572002D72002D54002D57002F6574632F61707061726D6F722E642F7573722E62696E2E6672657368636C616D
Jul 15 17:05:06 debian9kde audit[2936]: USER_END pid=2936 uid=0 auid=1000 ses=3 
msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? 
terminal=/dev/pts/2 res=success'
Jul 15 17:05:06 debian9kde audit[2936]: CRED_DISP pid=2936 uid=0 auid=1000 
ses=3 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? 
terminal=/dev/pts/2 res=success'
Jul 15 17:05:16 debian9kde freshclam[3250]: Sun Jul 15 17:05:16 2018 -> 
Downloading main.cvd [100%]
Jul 15 17:05:23 debian9kde freshclam[3250]: Sun Jul 15 17:05:23 2018 -> 
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Jul 15 17:05:28 debian9kde freshclam[3250]: Sun Jul 15 17:05:28 2018 -> 
Downloading daily.cvd [100%]
Jul 15 17:05:32 debian9kde freshclam[3250]: Sun Jul 15 17:05:32 2018 -> 
daily.cvd updated (version: 24755, sigs: 2014160, f-level: 63, builder: neo)
Jul 15 17:05:33 debian9kde freshclam[3250]: Sun Jul 15 17:05:33 2018 -> 
Downloading bytecode.cvd [100%]
Jul 15 17:05:33 debian9kde audit[3306]: AVC apparmor="DENIED" operation="open" 
profile="/usr/bin/freshclam" name="/proc/3306/status" pid=3306 comm="freshclam" 
requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Jul 15 17:05:33 debian9kde audit[3306]: SYSCALL arch=c000003e syscall=2 
success=no exit=-13 a0=7f6e643331d9 a1=0 a2=1b6 a3=0 items=0 ppid=3250 pid=3306 
auid=4294967295 uid=119 gid=123 euid=119 suid=119 fsuid=119 egid=123 sgid=123 
fsgid=123 tty=(none) ses=4294967295 comm="freshclam" exe="/usr/bin/freshclam" 
key=(null)
Jul 15 17:05:33 debian9kde audit: PROCTITLE 
proctitle=2F7573722F62696E2F6672657368636C616D002D64002D2D666F726567726F756E643D74727565
Jul 15 17:05:33 debian9kde freshclam[3250]: Sun Jul 15 17:05:33 2018 -> 
bytecode.cvd updated (version: 324, sigs: 89, f-level: 63, builder: neo)
Jul 15 17:05:37 debian9kde freshclam[3250]: Sun Jul 15 17:05:37 2018 -> 
Database updated (6580498 signatures) from db.local.clamav.net (IP: 
104.16.185.138)
Jul 15 17:05:37 debian9kde freshclam[3250]: Sun Jul 15 17:05:37 2018 -> 
!NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf
```

Please note that there is a "profile_replace" audit message that happens
during freshclam startup. Maybe that's the culprit?

To reproduce, I just have to purge and reinstall clamav:

```
sudo apt purge --autoremove clamav
sudo apt install clamav
sudo tail -f /var/log/audit/audit.log | fgrep -eDENIED
```

I wait for about 30 seconds to see the DENIED message.

It seems to reproduce only once after initial installation.

-- Package-specific info:
--- configuration ---
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
SafeBrowsing false
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

--- data dir ---
total 162692
-rw-r--r-- 1 clamav clamav    185246 Jul 15 17:05 bytecode.cvd
-rw-r--r-- 1 clamav clamav  48503040 Jul 15 17:05 daily.cvd
-rw-r--r-- 1 clamav clamav 117892267 Jul 15 17:05 main.cvd
-rw------- 1 clamav clamav        52 Jul 15 17:05 mirrors.dat

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-7-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages clamav-freshclam depends on:
ii  clamav-base            0.100.0+dfsg-0+deb9u2
ii  debconf [debconf-2.0]  1.5.61
ii  dpkg                   1.18.25
ii  init-system-helpers    1.48
ii  libc6                  2.24-11+deb9u3
ii  libclamav7             0.100.0+dfsg-0+deb9u2
ii  libssl1.1              1.1.0f-3+deb9u2
ii  logrotate              3.11.0-0.1
ii  lsb-base               9.20161125
ii  procps                 2:3.3.12-3+deb9u1
ii  ucf                    3.0036
ii  zlib1g                 1:1.2.8.dfsg-5

clamav-freshclam recommends no packages.

Versions of packages clamav-freshclam suggests:
ii  apparmor     2.11.0-3+deb9u2
pn  clamav-docs  <none>

-- debconf information:
  clamav-freshclam/internet_interface:
  clamav-freshclam/PrivateMirror:
  clamav-freshclam/LogRotate: true
  clamav-freshclam/Bytecode: true
  clamav-freshclam/proxy_user:
  clamav-freshclam/local_mirror: db.local.clamav.net
  clamav-freshclam/autoupdate_freshclam: daemon
  clamav-freshclam/update_interval: 24
  clamav-freshclam/NotifyClamd: true
  clamav-freshclam/http_proxy:
  clamav-freshclam/SafeBrowsing: false

--- End Message ---
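
The denial from the report above, parsed and correlated, as an added example that is not part of the original report or of Debian's or ClamAV's own code: it groups the records of one audit event by serial, decodes the hex `proctitle`, and compares `fsuid` with `ouid`, the two values an AppArmor `owner` rule matches on. The function names are this example's own, and the SYSCALL record is abridged.

```python
import re

# Constructed input: the records of audit event 198 from the report above,
# e-mail line wrapping undone, SYSCALL record abridged.
RECORDS = [
    'type=AVC msg=audit(1531663533.125:198): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/freshclam" name="/proc/3306/status" pid=3306 '
    'comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119 ouid=0',
    'type=SYSCALL msg=audit(1531663533.125:198): arch=c000003e syscall=2 '
    'success=no exit=-13 ppid=3250 pid=3306 uid=119 euid=119 fsuid=119 '
    'comm="freshclam" exe="/usr/bin/freshclam"',
    'type=PROCTITLE msg=audit(1531663533.125:198): proctitle=2F7573722F62696E'
    '2F6672657368636C616D002D64002D2D666F726567726F756E643D74727565',
]
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
EVENT = re.compile(r'audit\(([\d.]+):(\d+)\)')

def parse_record(line):
    """Return the key=value fields of one audit record, quotes stripped."""
    rec = {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD.findall(line)}
    rec['event'] = EVENT.search(rec['msg']).group(2)  # serial shared by one event
    return rec

def decode_proctitle(value):
    """auditd hex-encodes argv because its arguments are NUL-separated."""
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace').split('\x00')
    except ValueError:  # title was logged as plain text, not hex
        return [value]

def explain_denials(lines):
    """Group records by event serial and summarise each AppArmor denial."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec['event'], {})[rec['type']] = rec
    out = []
    for serial, ev in events.items():
        avc = ev.get('AVC')
        if not avc or avc.get('apparmor') != 'DENIED':
            continue
        title = ev.get('PROCTITLE', {}).get('proctitle')
        out.append({
            'event': serial, 'profile': avc['profile'], 'path': avc['name'],
            'denied_mask': avc['denied_mask'],
            'argv': decode_proctitle(title) if title else None,
            'parent_pid': ev.get('SYSCALL', {}).get('ppid'),
            # an `owner` rule applies only when the file's uid equals the task's fsuid
            'owner_rule_can_match': avc.get('ouid') == avc.get('fsuid', ''),
        })
    return out
```

For this event the summary gives `parent_pid` 3250, the freshclam daemon seen in the journal, and `owner_rule_can_match` false, because the record carries `fsuid=119` and `ouid=0`.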
--- Begin Message ---
Source: clamav
Source-Version: 0.101.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 11 Jan 2019 23:00:17 +0100
Source: clamav
Binary: clamav-base clamav-docs clamav libclamav-dev libclamav9 clamav-daemon 
clamdscan clamav-testfiles clamav-freshclam clamav-milter
Architecture: source
Version: 0.101.1+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Description:
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 clamdscan  - anti-virus utility for Unix - scanner client
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav9 - anti-virus utility for Unix - library
Closes: 903834 913020 917648
Changes:
 clamav (0.101.1+dfsg-1) experimental; urgency=medium
 .
   [ Scott Kitterman ]
   * Update debian/copyright
   * Add Build-Depends-Package to libclamav9.symbols
   * Update clamav-docs.doc-base for re-organized documentation
   * Add lintian override for source-is-missing on test file that happens
     to have long line length
   * Drop build-depends on electric-fence, upstream no longer ships the
     relevant tests that used it
 .
   [ Sebastian Andrzej Siewior ]
   * Import 0.101.1
     - update symbol file
     - add back the json/curl configure options (don't rely on autodetect).
   * Add abstractions/openssl to apparmor's profile. Thanks to intrigeri for
     the help (Closes: #913020).
   * Load the apparmor profile before starting the daemon. Thanks to intrigeri
     for the help (Closes: #903834).
   * Add attach_disconnected to freshclam's apparmor profile to hopefully get
     it properly working in overlayfs environment. Thanks to Vincas Dargis
     (Closes: #917648).


--- End Message ---