[Pkg-clamav-devel] Bug#903834: clamav-freshclam: AppArmor denies access to /proc/<pid>/status

Vincas Dargis vindrg at gmail.com
Sun Jul 15 15:28:53 BST 2018


Package: clamav-freshclam
Version: 0.100.0+dfsg-0+deb9u2
Severity: minor
Control: user pkg-apparmor-team at lists.alioth.debian.org 
Control: usertag -1 platform

Dear Maintainer,

I've discovered a DENIED message that appears (apparently) only the first time
after clamav is installed:

```
type=AVC msg=audit(1531663533.125:198): apparmor="DENIED"
operation="open" profile="/usr/bin/freshclam" name="/proc/3306/status"
pid=3306 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119
ouid=0 

type=SYSCALL msg=audit(1531663533.125:198): arch=c000003e
syscall=2 success=no exit=-13 a0=7f6e643331d9 a1=0 a2=1b6 a3=0 items=0
ppid=3250 pid=3306 auid=4294967295 uid=119 gid=123 euid=119 suid=119
fsuid=119 egid=123 sgid=123 fsgid=123 tty=(none) ses=4294967295
comm="freshclam" exe="/usr/bin/freshclam" key=(null) 

type=PROCTITLE
msg=audit(1531663533.125:198):
proctitle=2F7573722F62696E2F6672657368636C616D002D64002D2D666F726567726F756E643D74727565
```

That's puzzling as `/etc/apparmor.d/usr.bin.freshclam` does contain
relevant rule:

```
# fgrep -e status /etc/apparmor.d/usr.bin.freshclam 
  owner @{PROC}/[0-9]*/status r,
```

Here's the clamav-freshclam and auditd combined log:

```
journalctl | fgrep -e audit -e freshclam
Jul 15 17:05:05 debian9kde audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=clamav-freshclam comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> ClamAV update process started at Sun Jul 15 17:05:05 2018
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> ^Your ClamAV installation is OUTDATED!
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> ^Local version: 0.100.0 Recommended version: 0.100.1
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Jul 15 17:05:05 debian9kde audit[3259]: AVC apparmor="STATUS" operation="profile_replace" name="/usr/bin/freshclam" pid=3259 comm="apparmor_parser"
Jul 15 17:05:05 debian9kde audit[3259]: SYSCALL arch=c000003e syscall=1 success=yes exit=31929 a0=7 a1=55c91c13af40 a2=7cb9 a3=0 items=0 ppid=3258 pid=3259 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=3 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
Jul 15 17:05:05 debian9kde audit: PROCTITLE proctitle=61707061726D6F725F706172736572002D72002D54002D57002F6574632F61707061726D6F722E642F7573722E62696E2E6672657368636C616D
Jul 15 17:05:06 debian9kde audit[2936]: USER_END pid=2936 uid=0 auid=1000 ses=3 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jul 15 17:05:06 debian9kde audit[2936]: CRED_DISP pid=2936 uid=0 auid=1000 ses=3 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jul 15 17:05:16 debian9kde freshclam[3250]: Sun Jul 15 17:05:16 2018 -> Downloading main.cvd [100%]
Jul 15 17:05:23 debian9kde freshclam[3250]: Sun Jul 15 17:05:23 2018 -> main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Jul 15 17:05:28 debian9kde freshclam[3250]: Sun Jul 15 17:05:28 2018 -> Downloading daily.cvd [100%]
Jul 15 17:05:32 debian9kde freshclam[3250]: Sun Jul 15 17:05:32 2018 -> daily.cvd updated (version: 24755, sigs: 2014160, f-level: 63, builder: neo)
Jul 15 17:05:33 debian9kde freshclam[3250]: Sun Jul 15 17:05:33 2018 -> Downloading bytecode.cvd [100%]
Jul 15 17:05:33 debian9kde audit[3306]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/3306/status" pid=3306 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Jul 15 17:05:33 debian9kde audit[3306]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=7f6e643331d9 a1=0 a2=1b6 a3=0 items=0 ppid=3250 pid=3306 auid=4294967295 uid=119 gid=123 euid=119 suid=119 fsuid=119 egid=123 sgid=123 fsgid=123 tty=(none) ses=4294967295 comm="freshclam" exe="/usr/bin/freshclam" key=(null)
Jul 15 17:05:33 debian9kde audit: PROCTITLE proctitle=2F7573722F62696E2F6672657368636C616D002D64002D2D666F726567726F756E643D74727565
Jul 15 17:05:33 debian9kde freshclam[3250]: Sun Jul 15 17:05:33 2018 -> bytecode.cvd updated (version: 324, sigs: 89, f-level: 63, builder: neo)
Jul 15 17:05:37 debian9kde freshclam[3250]: Sun Jul 15 17:05:37 2018 -> Database updated (6580498 signatures) from db.local.clamav.net (IP: 104.16.185.138)
Jul 15 17:05:37 debian9kde freshclam[3250]: Sun Jul 15 17:05:37 2018 -> !NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf
```

Please note that there is a "profile_replace" audit message that happens
during freshclam startup. Maybe that's the culprit?

To reproduce, I just have to purge and reinstall clamav:

```
sudo apt purge --autoremove clamav
sudo apt install clamav
sudo tail -f /var/log/audit/audit.log | fgrep -eDENIED
```

I wait for about 30 seconds to see DENIED message.

It seems to reproduce only once after initial installation.

-- Package-specific info:
--- configuration ---
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
SafeBrowsing false
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

--- data dir ---
total 162692
-rw-r--r-- 1 clamav clamav    185246 Jul 15 17:05 bytecode.cvd
-rw-r--r-- 1 clamav clamav  48503040 Jul 15 17:05 daily.cvd
-rw-r--r-- 1 clamav clamav 117892267 Jul 15 17:05 main.cvd
-rw------- 1 clamav clamav        52 Jul 15 17:05 mirrors.dat

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-7-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages clamav-freshclam depends on:
ii  clamav-base            0.100.0+dfsg-0+deb9u2
ii  debconf [debconf-2.0]  1.5.61
ii  dpkg                   1.18.25
ii  init-system-helpers    1.48
ii  libc6                  2.24-11+deb9u3
ii  libclamav7             0.100.0+dfsg-0+deb9u2
ii  libssl1.1              1.1.0f-3+deb9u2
ii  logrotate              3.11.0-0.1
ii  lsb-base               9.20161125
ii  procps                 2:3.3.12-3+deb9u1
ii  ucf                    3.0036
ii  zlib1g                 1:1.2.8.dfsg-5

clamav-freshclam recommends no packages.

Versions of packages clamav-freshclam suggests:
ii  apparmor     2.11.0-3+deb9u2
pn  clamav-docs  <none>

-- debconf information:
  clamav-freshclam/internet_interface:
  clamav-freshclam/PrivateMirror:
  clamav-freshclam/LogRotate: true
  clamav-freshclam/Bytecode: true
  clamav-freshclam/proxy_user:
  clamav-freshclam/local_mirror: db.local.clamav.net
  clamav-freshclam/autoupdate_freshclam: daemon
  clamav-freshclam/update_interval: 24
  clamav-freshclam/NotifyClamd: true
  clamav-freshclam/http_proxy:
  clamav-freshclam/SafeBrowsing: false
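Added example (not part of the bug report above, nor of the clamav or AppArmor packaging): a small Python script that reassembles the three audit records of one event, decodes the hex-encoded PROCTITLE into argv, and compares the two fields the `owner` qualifier actually keys on. In AppArmor, `owner` only matches when the confined task's fsuid equals the object's owner uid; the AVC record in the report shows fsuid=119 (clamav) against ouid=0, so `owner @{PROC}/[0-9]*/status r,` cannot match even though the path does. The kernel reports /proc/<pid> entries of a task that has changed credentials (and is therefore no longer dumpable) as owned by root, which is what ouid=0 reflects here. The sample log is constructed from the records quoted in the report; the field names are the standard audit(8) ones.

```python
"""Explain an AppArmor DENIED event from raw auditd records.

Added example for this bug report; not code from clamav or AppArmor.
SAMPLE_AUDIT_LOG is constructed from the three records of audit event
1531663533.125:198 quoted in the report.
"""
import re
from typing import Dict, List

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1531663533.125:198): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/3306/status" pid=3306 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
type=SYSCALL msg=audit(1531663533.125:198): arch=c000003e syscall=2 success=no exit=-13 a0=7f6e643331d9 a1=0 a2=1b6 a3=0 items=0 ppid=3250 pid=3306 auid=4294967295 uid=119 gid=123 euid=119 suid=119 fsuid=119 egid=123 sgid=123 fsgid=123 tty=(none) ses=4294967295 comm="freshclam" exe="/usr/bin/freshclam" key=(null)
type=PROCTITLE msg=audit(1531663533.125:198): proctitle=2F7573722F62696E2F6672657368636C616D002D64002D2D666F726567726F756E643D74727565
"""

# key=value or key="quoted value"; audit records never quote keys.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Turn one audit line into a dict, stripping the quotes auditd adds."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def group_by_event(log: str) -> Dict[str, List[Dict[str, str]]]:
    """Records that share the same msg=audit(ts:serial) belong to one event."""
    events: Dict[str, List[Dict[str, str]]] = {}
    for line in log.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec.get("msg", "?"), []).append(rec)
    return events


def decode_proctitle(hex_title: str) -> List[str]:
    """PROCTITLE is argv hex-encoded with NUL separators (it may contain spaces)."""
    return bytes.fromhex(hex_title).decode("utf-8", "replace").split("\x00")


def explain_owner_mismatch(avc: Dict[str, str]) -> str:
    """An `owner` rule matches only when the task's fsuid equals the file's uid (ouid)."""
    fsuid, ouid = avc["fsuid"], avc["ouid"]
    if fsuid != ouid:
        return (f"{avc['name']} is owned by uid {ouid} but the task runs with "
                f"fsuid {fsuid}; an `owner`-qualified rule cannot match it")
    return f"fsuid {fsuid} matches ouid {ouid}; `owner` is not the problem"


def analyse(log: str) -> List[Dict[str, object]]:
    """Summarise every AppArmor DENIED event: who, what path, argv, errno, why."""
    summaries: List[Dict[str, object]] = []
    for event_id, records in group_by_event(log).items():
        by_type = {r["type"]: r for r in records}
        avc = by_type.get("AVC")
        if not avc or avc.get("apparmor") != "DENIED":
            continue
        sysc = by_type.get("SYSCALL", {})
        title = by_type.get("PROCTITLE", {}).get("proctitle", "")
        summaries.append({
            "event": event_id,
            "profile": avc["profile"],
            "path": avc["name"],
            "denied_mask": avc["denied_mask"],
            "argv": decode_proctitle(title) if title else [],
            "exit": int(sysc.get("exit", "0")),   # -13 is EACCES
            "owner_note": explain_owner_mismatch(avc),
        })
    return summaries


if __name__ == "__main__":
    for summary in analyse(SAMPLE_AUDIT_LOG):
        for key, value in summary.items():
            print(f"{key:>12}: {value}")
```

Run against the report's records this prints argv `['/usr/bin/freshclam', '-d', '--foreground=true']` and the owner note about uid 0 versus fsuid 119; the same `decode_proctitle()` turns the `apparmor_parser` PROCTITLE from the journal into `apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.freshclam`, i.e. the profile reload the reporter noticed. Paste `ausearch -m AVC -i` output instead of the sample to triage other denials the same way.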
