Giving a process cap_sys_admin is effectively giving it root, which is something we don't want to do. This means there is no good way to support OnAccess by default.
Allowing cap_sys_admin via AppArmor also kind of defeats the purpose of AppArmor, as the capability is so wide, so I doubt the change will be integrated in the default AppArmor profile. Unfortunately there is no good solution here. The best we can do is to document that OnAccess needs root (= cap_sys_admin) and what the best way to implement this setup is. Running the daemon with uid=0 is certainly not the right thing to do for a number of reasons. Giving cap_sys_admin to /usr/sbin/clamd could work, but we need to ensure the setting will survive package upgrades. (I gave `setcap cap_sys_admin+ep /usr/sbin/clamd` a shot and it still failed to run fanotify_init(), but I'm pretty sure this is feasible.)

** Summary changed:

- ClamAV AppArmor profiles are incorrect in 0.100.3
+ ClamAV AppArmor profiles do not allow OnAccess scanning

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1842695

Title:
  ClamAV AppArmor profiles do not allow OnAccess scanning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1842695/+subscriptions
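The failure discussed in the comment above, fanotify_init() refusing to run without CAP_SYS_ADMIN, can be reproduced and narrowed down with a small probe. The program below is an added example written for this page; it is not ClamAV code and not part of the bug report. It reads the effective capability set of the current process from /proc/self/status and then tries to open a content-class fanotify group, which is the mode an on-access scanner needs in order to allow or deny file opens. The function names are my own; the bit position 21 for CAP_SYS_ADMIN comes from the kernel's capability numbering, and O_RDONLY is passed as the event file flags only because the probe never reads events.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* CAP_SYS_ADMIN is capability number 21 in the kernel's numbering, so it is
 * bit 21 of the CapEff mask printed in /proc/<pid>/status. Defined here rather
 * than pulled from <linux/capability.h> to keep the probe self-contained. */
#define CAP_SYS_ADMIN_BIT 21

/* Parse a "CapEff:\t<hex mask>" line from /proc/<pid>/status and report
 * whether capability bit 'cap' is set: 1 = set, 0 = clear, -1 = parse error. */
int capeff_line_has(const char *line, int cap)
{
    const char *p = strchr(line, ':');
    if (p == NULL)
        return -1;
    p++;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long mask = strtoull(p, &end, 16);
    if (end == p)
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Look up the calling process's own effective set. -1 if /proc is unreadable
 * or the CapEff line is missing. */
int self_has_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            result = capeff_line_has(line, cap);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Try to create a content-class fanotify group, the kind an on-access scanner
 * uses to block opens until it has answered FAN_ALLOW/FAN_DENY. Returns 0 on
 * success (and closes the descriptor), otherwise the errno fanotify_init() set.
 * EPERM here means the effective set lacks CAP_SYS_ADMIN at the time of the
 * call, regardless of what file capabilities the binary carries. */
int probe_fanotify_content(void)
{
    int fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    int has = self_has_cap(CAP_SYS_ADMIN_BIT);
    printf("CapEff has CAP_SYS_ADMIN: %s\n",
           has == 1 ? "yes" : has == 0 ? "no" : "unknown");

    int err = probe_fanotify_content();
    if (err == 0)
        printf("fanotify_init(FAN_CLASS_CONTENT): ok\n");
    else if (err == EPERM)
        printf("fanotify_init: EPERM (no CAP_SYS_ADMIN in the effective set)\n");
    else
        printf("fanotify_init: %s\n", strerror(err));
    return err == 0 ? 0 : 1;
}
```

Build with `cc -o fanotify-probe fanotify-probe.c` and run it the same way the daemon would run: same uid, and, if you want to test the profile, confined by the same AppArmor profile. The two lines answer different questions. If CapEff already lacks the bit, the capability never reached the process (file capabilities apply only at exec, and a process that switches from root to an unprivileged uid without asking to keep its capabilities loses them). If CapEff shows the bit but fanotify_init() still returns EPERM under confinement, the LSM is the one refusing, which is the situation this bug describes; the kernel log or audit log will then carry a DENIED entry for `capability sys_admin` from the profile.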
