[Impact]

After installing clamav on Ubuntu bionic, the clamav-freshclam unit is started. This service is responsible for automating the update process of virus databases.

In order to perform its job, clamav-freshclam links against libssl and uses it to validate SSL certificates when updating its virus definitions. This means that it also needs to be able to read the file /etc/ssl/openssl.cnf. The current clamav shipped in Ubuntu bionic does not contain the proper directives necessary to instruct apparmor that clamav-freshclam (and clamd) are allowed to open the file /etc/ssl/openssl.cnf, which ends up with apparmor blocking the operation. Fortunately, clamav-freshclam is able to proceed and finish the operation without problems, but the warning can be misleading to a user and give the impression that no certificate validation is being performed, for example.

The fix is very simple and contained: we just need to add the proper openssl abstractions to the clamav-freshclam and clamd apparmor profiles. This makes sure that both processes will be able to properly read the /etc/ssl/openssl.cnf file, and no warning will be generated by apparmor.

[Test Case]

In order to reproduce the bug, one can do:

$ multipass launch -n clamav-bug1839767 bionic
$ multipass shell clamav-bug1839767

When inside the VM:

$ sudo apt install clamav
$ sudo systemctl restart clamav-freshclam.service

Restarting the service is not strictly required, but guarantees that it will indeed try to open the /etc/ssl/openssl.cnf file.
Now, we can grep for the warning message:

$ sudo dmesg | grep DENIED | grep freshclam
[   60.177762] audit: type=1400 audit(1588102725.538:18): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=1864 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
[   60.201982] audit: type=1400 audit(1588102725.566:19): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=1864 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0

[Regression Potential]

This change is trivial and self-contained, and as such it is not likely to cause regressions on current setups. An obvious potential (albeit unlikely) issue is the fact that we will be introducing a package built using the current libraries and headers that are available in bionic today, instead of the ones available back when the current release of clamav was built.

Another issue might arise if the user has edited the clamav-freshclam and/or clamd apparmor profiles by hand in order to mitigate the warning on their systems. An upgrade problem could happen in this case if dpkg has problems replacing the user-modified file by the new file shipped by the package, especially because dh-apparmor is not available on bionic (and therefore is not used by clamav).

--
https://bugs.launchpad.net/bugs/1839767

Title:
  apparmor DENIED freshclam and clamd access to openssl.cnf
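As an added example, not part of the bug report or of the clamav package: a small POSIX shell script that triages the AppArmor DENIED audit lines that dmesg prints, collapses the duplicate denials (freshclam opens the file twice, as in the two lines quoted above), and reports per profile whether the openssl abstraction is the applicable fix. The sample log is constructed from the format of the lines quoted in the report; the clamd and ALLOWED entries are invented to exercise the filtering. The abstraction name abstractions/openssl is the stock AppArmor abstraction that grants read access to /etc/ssl/openssl.cnf and is assumed to be installed.

```sh
#!/bin/sh
# Added example (not from the bug report): triage AppArmor DENIED audit events
# as printed by dmesg and decide whether the openssl abstraction is the fix.
# The log below is constructed from the format shown in the report; the clamd
# and ALLOWED lines are invented to exercise the filtering.
SAMPLE_DMESG='[   60.177762] audit: type=1400 audit(1588102725.538:18): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=1864 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
[   60.201982] audit: type=1400 audit(1588102725.566:19): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=1864 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
[   75.312001] audit: type=1400 audit(1588102740.681:22): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ssl/openssl.cnf" pid=1990 comm="clamd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
[   75.412002] audit: type=1400 audit(1588102740.781:23): apparmor="ALLOWED" operation="open" profile="/usr/bin/freshclam" name="/var/lib/clamav/daily.cvd" pid=1864 comm="freshclam" requested_mask="w" denied_mask="w" fsuid=111 ouid=0'

# audit_field LINE FIELD: print the value of FIELD="value" from one audit line
# (only quoted fields such as profile, name, comm, denied_mask are handled).
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# denied_summary LOG: one "profile path denied_mask" line per distinct DENIED
# event, so repeated denials of the same access collapse into one line.
denied_summary() {
    printf '%s\n' "$1" | grep 'apparmor="DENIED"' | while IFS= read -r line; do
        printf '%s %s %s\n' "$(audit_field "$line" profile)" \
            "$(audit_field "$line" name)" "$(audit_field "$line" denied_mask)"
    done | sort -u
}

# openssl_cnf_denied LOG PROFILE: succeed if PROFILE was denied read access
# to /etc/ssl/openssl.cnf.
openssl_cnf_denied() {
    denied_summary "$1" | grep -q "^$2 /etc/ssl/openssl.cnf r"
}

# suggest_fix LOG PROFILE: print the AppArmor rule that resolves the denial.
# abstractions/openssl is the stock abstraction shipped with apparmor and
# grants read access to /etc/ssl/openssl.cnf (assumption: it is installed).
suggest_fix() {
    if openssl_cnf_denied "$1" "$2"; then
        printf '%s: add "#include <abstractions/openssl>" to its profile\n' "$2"
    else
        printf '%s: no openssl.cnf denial found\n' "$2"
    fi
}

for p in /usr/bin/freshclam /usr/sbin/clamd; do
    suggest_fix "$SAMPLE_DMESG" "$p"
done
```

On a live bionic system, replace SAMPLE_DMESG with the output of `sudo dmesg`. After adding the include to a profile, reload it with `sudo apparmor_parser -r <profile file>` and restart the service; the report's grep should then return nothing.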
