Public bug reported:
Ubuntu 18.04 + clamav-* 0.100.3+dfsg-0ubuntu0.18.04.1
The auditd log info below[1][2] shows what I believe to be a bug in the
0.100.3 AppArmor profiles included with the Ubuntu packages
"clamav-daemon" and "clamav-freshclam". The included profiles do not
allow the proper execution of clamd.
jblaine@ub18test:~$ sudo dpkg -S /etc/apparmor.d/usr.sbin.clamd
clamav-daemon: /etc/apparmor.d/usr.sbin.clamd
jblaine@ub18test:~$ sudo dpkg -S /etc/apparmor.d/usr.bin.freshclam
clamav-freshclam: /etc/apparmor.d/usr.bin.freshclam
jblaine@ub18test:~$
Specifically, the denied items[1][2] appear to disallow OnAccess
scanning:
1. clamd complains that it needs to run as root:
Sep 4 11:33:50 ub18test clamd[55172]: ScanOnAccess: fanotify_init failed: Operation not permitted
Sep 4 11:33:50 ub18test clamd[55172]: ScanOnAccess: clamd must be started by root
2. clamd *is* running as root (required for OnAccess scanning,
configured this way intentionally by me):
root 55172 1 81 16:33 ? 00:00:44 /usr/sbin/clamd --foreground=true
If I disable the clamd AppArmor profile and restart the service, the
OnAccess scanning works:
jblaine@ub18test:~$ sudo ln -s /etc/apparmor.d/usr.sbin.clamd /etc/apparmor.d/disable/
jblaine@ub18test:~$ sudo sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.clamd
jblaine@ub18test:~$ sudo systemctl restart clamav-daemon
jblaine@ub18test:~$
...
Sep 4 12:19:21 ub18test clamd[4299]: ScanOnAccess: preventing access attempts on malicious files.
Sep 4 12:19:21 ub18test clamd[4299]: ScanOnAccess: Max file size limited to 104857600 bytes
Sep 4 12:19:21 ub18test clamd[4299]: ScanOnAccess: Protecting directory '/home' (and all sub-directories)
Regards,
Jeff Blaine
FOOTNOTES:
1. clamd issues found in auditd log:
node=ub18test type=AVC msg=audit(1567542270.923:11512): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=54842 comm="clamd" capability=2 capname="dac_read_search"
node=ub18test type=AVC msg=audit(1567542271.039:11517): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ssl/openssl.cnf" pid=54858 comm="clamd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
node=ub18test type=AVC msg=audit(1567542315.684:11521): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=54858 comm="clamd" capability=21 capname="sys_admin"
2. freshclam issues found in auditd log:
node=ub18test type=AVC msg=audit(1567543073.345:97): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=736 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
node=ub18test type=AVC msg=audit(1567543073.729:103): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=736 comm="freshclam" capability=2 capname="dac_read_search"
node=ub18test type=AVC msg=audit(1567543073.729:103): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=736 comm="freshclam" capability=1 capname="dac_override"
** Affects: clamav (Ubuntu)
Importance: Undecided
Status: New
** Tags: onaccess
https://bugs.launchpad.net/bugs/1842695
Title:
ClamAV AppArmor profiles are incorrect in 0.100.3