[pkg-apparmor] Bug#884707: apparmor breaks clamdscan
intrigeri
intrigeri at debian.org
Mon Dec 18 15:41:59 UTC 2017
Control: affects -1 clamav-daemon
Hi,
(fully quoting so that it's easier for clamav-daemon maintainers to
get into the loop)
Francois Gouget:
> Package: apparmor
> Version: 2.11.1-4
> Severity: important
> Dear Maintainer,
> After upgrading from apparmor 2.11.1-2 to 2.11.1-4 I cannot use clamdscan anymore;
> $ ll -d /bin /bin/true
> drwxr-xr-x 2 root root 4,0K déc. 14 18:26 /bin
> -rwxr-xr-x 1 root root 31K oct. 2 19:51 /bin/true
> $ clamdscan /bin/true
> /bin/true: Can't open file or directory ERROR
Can you please provide the corresponding AppArmor denial logs you'll
find in the Journal or in kern.log?
In the clamav-daemon's README.Debian I see:
APPARMOR PROFILES
If your system uses apparmor, please note that the shipped enforcing profile
works with the default installation, and changes in your configuration may
require changes to the installed apparmor profile. Please see
https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
software.
In particular, clamav-daemon runs as its own user and is confined from
accessing all but a limited set of files. These include the home directory
of the user calling clamav-daemon, but not system files. If you want to
scan files outside of your home directory, the apparmor profile will need to
be updated.
The freshclam utility is also protected by an enforcing profile. If you
want to add files to the /etc/clamav/onerrorexecute.d,
/etc/clamav/onupdateexecute.d, or /etc/clamav/virusevent.d directories,
appropriate rules need to be added to the apparmor profile.
Please see https://wiki.debian.org/AppArmor for information and
documentation on modifying apparmor profiles.
So it seems intended to not allow reading files anywhere on
the system.
clamav-daemon maintainers, can you confirm this is expected behavior?
> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Total errors: 1
> Time: 0.004 sec (0 m 0 s)
> Such a command should have been successful.
> As far as I can tell this error is caused by
> /etc/apparmor.d/usr.sbin.clamd which, IMO, puts undue restrictions on
> the Clam-AV operations.
> Note that I did not install apparmor by choice: it was brought in by
> linux-image-4.13. It's not like I asked for it but it appears now I will
> have to learn how to fix its configuration :-(
Yes, we've been running an experiment about enabling AppArmor by default in
testing/sid for a couple of months. I'm sorry it causes trouble for
you, but we're learning about issues we could never have guessed
without having users of Debian testing/sid actually try it.
> -- System Information:
> Debian Release: buster/sid
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'stable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_US (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> Versions of packages apparmor depends on:
> ii debconf [debconf-2.0] 1.5.65
> ii libc6 2.25-3
> ii lsb-base 9.20170808
> ii python3 3.6.3-2
> apparmor recommends no packages.
> Versions of packages apparmor suggests:
> pn apparmor-profiles <none>
> pn apparmor-profiles-extra <none>
> pn apparmor-utils <none>
> -- debconf information:
> apparmor/homedirs:
--
intrigeri
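The denial lines intrigeri asks for are the `apparmor="DENIED"` records the kernel writes to the Journal (`journalctl -k`) or /var/log/kern.log. As an added example that is not part of this thread nor of the apparmor or clamav packages, the POSIX shell function below turns such lines into candidate profile rules for one profile, the same job `aa-logprof` from apparmor-utils does interactively. The sample log lines are constructed, and the function name and the local-override path mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Constructed sample denials in the format kern.log / journalctl -k show
# for AppArmor. PIDs, timestamps and the library path are made up.
SAMPLE_DENIALS='audit: type=1400 audit(1513610519.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/bin/true" pid=1234 comm="clamd" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
audit: type=1400 audit(1513610519.456:46): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/usr/lib/x86_64-linux-gnu/libfoo.so" pid=1234 comm="clamd" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
audit: type=1400 audit(1513610519.789:47): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/clamav/virusevent.d/" pid=1300 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=109 ouid=0'

# suggest_rules PROFILE: read log lines on stdin, keep only DENIED records
# for PROFILE, and print one candidate rule per distinct path, e.g.
# "/bin/true r," (denied path followed by the denied permission mask).
# Review every line before adding it to a local override such as
# /etc/apparmor.d/local/usr.sbin.clamd (hypothetical path): a mask
# containing "w" grants write access, which a scanner should not need.
suggest_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' |
    grep "profile=\"$profile\"" |
    sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2,/p' |
    sort -u
}

# Demonstration on the constructed sample; on a real system pipe
# `journalctl -k` or /var/log/kern.log into suggest_rules instead.
printf '%s\n' "$SAMPLE_DENIALS" | suggest_rules /usr/sbin/clamd
```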