** Description changed:

+ [Impact]
+
+ After installing clamav on Ubuntu bionic, the clamav-freshclam unit is
+ started. This service is responsible for automating the update process
+ of virus databases.
+
+ In order to perform its job, clamav-freshclam links against libssl and
+ uses it to validate SSL certificates when updating its virus
+ definitions. This means that it also needs to be able to read the file
+ /etc/ssl/openssl.cnf.
+
+ The current clamav shipped in Ubuntu bionic does not contain the proper
+ directives necessary to instruct apparmor that clamav-freshclam (and
+ clamd) are allowed to open the file /etc/ssl/openssl.cnf, which ends up
+ with apparmor blocking the operation.
+
+ Fortunately, clamav-freshclam is able to proceed and finish the
+ operation without problems, but the warning can be misleading to a user
+ and give the impression that no certificate validation is being
+ performed, for example.
+
+ The fix is very simple and contained: we just need to add the proper
+ openssl abstractions to the clamav-freshclam and clamd apparmor
+ profiles. This makes sure that both processes will be able to properly
+ read the /etc/ssl/openssl.cnf file, and no warning will be generated by
+ apparmor.
+
+ [Test Case]
+
+ In order to reproduce the bug, one can do:
+
+ $ multipass launch -n clamav-bug1839767 bionic
+ $ multipass shell clamav-bug1839767
+
+ When inside the VM:
+
+ $ sudo apt install clamav
+ $ sudo systemctl restart clamav-freshclam.service
+
+ Restarting the service is not strictly required, but guarantees that it
+ will indeed try to open the /etc/ssl/openssl.cnf file. Now, we can grep
+ for the warning message:
+
+ $ sudo dmesg | grep DENIED | grep freshclam
+ [ 60.177762] audit: type=1400 audit(1588102725.538:18): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=1864 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
+ [ 60.201982] audit: type=1400 audit(1588102725.566:19): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=1864 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
+
+ [Regression Potential]
+
+ This change is trivial and self-contained, and as such it is not likely
+ to cause regressions on current setups.
+
+ An obvious potential (albeit unlikely) issue is the fact that we will be
+ introducing a package built using the current libraries and headers that
+ are available in bionic today, instead of the ones available back when
+ the current release of clamav was built.
+
+ Another issue might arise if the user has edited the clamav-freshclam
+ and/or clamd apparmor profiles by hand in order to mitigate the warning
+ on their systems. An upgrade problem could happen in this case if dpkg
+ has problems replacing the user-modified file with the new file shipped
+ by the package, especially because dh-apparmor is not available on
+ bionic (and therefore is not used by clamav).
+
+ [Original Description]
A similar bug seems to have been reported before but keeps returning.
I'm seeing it on a new install of bionic server 18.04
clamav version: 0.100.3+dfsg-0ubuntu0.18.04.1

kern.log keeps reporting the following after installing clamav and clamav-daemon:

kernel: [ 10.851831] audit: type=1400 audit(1565467797.334:27): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=962 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: [ 10.897174] audit: type=1400 audit(1565467797.382:28): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ssl/openssl.cnf" pid=1101 comm="clamd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
-
Similar to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1778812

Only seems like freshclam and clamd now need access to /etc/ssl/openssl.cnf

Looking at /etc/apparmor.d/usr.bin.freshclam I have:
- @{PROC}/filesystems r,
- owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+ owner @{PROC}/[0-9]*/status r,

Do we need to add:
- /etc/ssl/openssl.cnf r,
+ /etc/ssl/openssl.cnf r,

To both usr.bin.freshclam and usr.bin.clamd ?
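As an added example (not from the bug report or the clamav package), the following shell functions make the dmesg check in the test case repeatable: one summarises AppArmor DENIED lines into per-profile counts, the other checks whether a profile file grants /etc/ssl/openssl.cnf, either through an explicit rule or by including the openssl abstraction (assumed to be /etc/apparmor.d/abstractions/openssl, shipped by the apparmor package). The sample log is constructed from the lines quoted in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or the clamav package.

# Constructed sample in the format of the kernel log lines quoted above,
# plus one non-DENIED line that must be ignored.
SAMPLE_LOG='[   60.177762] audit: type=1400 audit(1588102725.538:18): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=1864 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
[   60.201982] audit: type=1400 audit(1588102725.566:19): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=1864 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
[   10.897174] audit: type=1400 audit(1565467797.382:28): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ssl/openssl.cnf" pid=1101 comm="clamd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
[   61.000000] audit: type=1400 audit(1588102726.000:20): apparmor="ALLOWED" operation="open" profile="/usr/bin/freshclam" name="/var/lib/clamav/main.cvd" pid=1864 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0'

# Read log text on stdin (e.g. `dmesg | summarise_denials`) and print one
# line per distinct "<profile> <path> <denied_mask>" triple, most frequent
# first, prefixed with its count.
summarise_denials() {
    grep 'apparmor="DENIED"' \
    | sed -n 's/.*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3/p' \
    | sort | uniq -c | sort -rn
}

# Return 0 if the AppArmor profile file given as $1 grants read access to
# /etc/ssl/openssl.cnf: either it includes the openssl abstraction (both the
# old "#include" and the newer "include" spelling are accepted) or it carries
# an explicit read rule for the file. Returns 1 otherwise.
profile_allows_openssl_cnf() {
    grep -Eq '^[[:space:]]*(#include|include)[[:space:]]+<abstractions/openssl>' "$1" \
    || grep -Eq '^[[:space:]]*/etc/ssl/openssl\.cnf[[:space:]]+r[a-z]*,' "$1"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarise_denials
```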
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1839767

Title:
  apparmor DENIED freshclam and clamd access to openssl.cnf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1839767/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
