[Bug 1842695] Re: ClamAV AppArmor profiles do not allow OnAccess scanning
Trying to revive some old bugs that seem forgotten for too long. I think the discussion came to a point where:

1. The apparmor rule that would need to be added is clear.
2. Adding it by default is considered not safe.
3. The fix therefore can only be to ensure users that want to use it this way are aware.
   - Paride mentioned adding things to docs.
   - The package's readme already mentions that in general (but not the specific case): "If your system uses apparmor, please note that the shipped enforcing profile works with the default installation, and changes in your configuration may require changes to the installed apparmor profile. ..."
   - I have not found any mention of ScanOnAccess in the man page or the HTML docs.
4. It is definitely desirable to add this apparmor rule in a way not revoked by package upgrades. That can be done with the common pattern of local overrides. See /etc/apparmor.d/local/README. For this case, to allow it would be like:

       echo "capability sys_admin," >> /etc/apparmor.d/local/usr.sbin.clamd

As others outlined before, "just allowing it by default" seems no option. And maybe because no one felt as if "we could do much" the activity dropped. But we should consider adding a hint how to easily do so (see #4 above) to documentation (IMHO in descending usefulness):

- Add a comment about ScanOnAccess and apparmor in /etc/clamav/clamd.conf
- man page: add a section about apparmor (as people look there first)
- Readme.debian (as example along the already existing entry about apparmor)

Debian uses apparmor as well now; it might be worth doing the changes there directly so that everyone benefits.

That task is small (bitesize) but also low prio - so that is how I'd retriage the bug for now.

** Tags added: bitesize

** Changed in: clamav (Ubuntu)
       Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1842695

Title:
  ClamAV AppArmor profiles do not allow OnAccess scanning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1842695/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
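The local-override step from point 4 above, as an added shell example (not from the thread or the clamav package): it first checks that the shipped profile actually includes the local override file (otherwise the rule is silently ignored), appends the rule only once so repeated runs stay idempotent, and reloads the profile. The profile paths and the apparmor_parser reload assume a standard Ubuntu layout.

```shell
#!/bin/sh
# Added example, not from the bug thread or the clamav package: apply the
# local-override approach so the sys_admin rule survives package upgrades,
# and only after confirming the shipped profile includes the local file.
# PROFILE / LOCAL_OVERRIDE default to the Ubuntu paths named in the thread.
set -eu

PROFILE="${PROFILE:-/etc/apparmor.d/usr.sbin.clamd}"
LOCAL_OVERRIDE="${LOCAL_OVERRIDE:-/etc/apparmor.d/local/usr.sbin.clamd}"
RULE="capability sys_admin,"

# Returns 0 when the profile pulls in the local override via either the
# older "#include <local/...>" or the newer "include if exists <local/...>".
profile_includes_local() {
    grep -Eq '^[[:space:]]*#?include([[:space:]]+if[[:space:]]+exists)?[[:space:]]+<local/usr\.sbin\.clamd>' "$1"
}

# Appends the rule exactly once. Returns 0 if added, 1 if already present.
add_rule() {
    file="$1"; rule="$2"
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if grep -qF -- "$rule" "$file"; then
        return 1
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Root-only part: write the override and reload the profile in place.
# A missing rule shows up in the kernel log as an AppArmor denial with
# operation="capable" profile="/usr/sbin/clamd" capname="sys_admin".
apply_override() {
    if ! profile_includes_local "$PROFILE"; then
        echo "$PROFILE does not include local/usr.sbin.clamd; not writing override" >&2
        return 1
    fi
    if add_rule "$LOCAL_OVERRIDE" "$RULE"; then
        echo "added '$RULE' to $LOCAL_OVERRIDE"
    else
        echo "'$RULE' already present in $LOCAL_OVERRIDE"
    fi
    apparmor_parser -r "$PROFILE"   # reload so clamd picks up the new rule
}

if [ "${1:-}" = "apply" ]; then
    apply_override
fi
```

Run as root with the argument `apply`; without it the script only defines the functions, so they can be exercised against copies of the profile files first.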
[Bug 1842695] Re: ClamAV AppArmor profiles do not allow OnAccess scanning
Well, this bug now affects at least two persons, as I am also encountering it on Ubuntu 20.04.
[Bug 1842695] Re: ClamAV AppArmor profiles do not allow OnAccess scanning
Let me slightly revise what legovini wrote (and apologies to legovini, who was just passing on my less than adequate explanation).

It is true that giving cap sys_admin is effectively giving a process root. That doesn't mean we don't do it, but we do it very carefully, and only after review of the use cases. It is also true that there is no good solution to separate out the root functionality that cap sys_admin grants, because the kernel conflates several different permissions under cap sys_admin.

The apparmor confinement will still apply even after granting cap sys_admin. But it is somewhat weakened. Just how much will depend on other parts of the profile. And having the profile will be better than not having it, as even weakened it can split apart some of the broad permissions granted by cap sys_admin.

There is no point in having broken packages due to security; it just upsets users and leads to users turning off security, which is the worst possible result.

So the question is how useful is clamav when not using OnAccess mode? If we are going to allow OnAccess, is it by default, or an optional configuration? And what is the best way to allow cap sys_admin?

If necessary the apparmor profile can be updated to allow cap sys_admin; however, it is certainly more desirable (from a security perspective) to make it optional behind a tunable or have it commented out by default.