[Pkg-clamav-devel] Bug#884707: apparmor breaks clamdscan
Francois Gouget
fgouget at free.fr
Fri Dec 29 15:27:35 UTC 2017
Intrigeri wrote:
> Can you please provide the corresponding AppArmor denial logs you'll
> find in the Journal or in kern.log?
Here is a short extract:
Dec 26 12:30:29 amboise clamd[22031]: /mnt/storage1/cxinstallers/a3ebe77b3a63fdf0f3b1872110137bf0.Rift_LIVE_Patcher_setup.exe: Can't open file or directory ERROR
Dec 26 12:30:29 amboise kernel: [1014421.014749] audit: type=1400 audit(1514287829.691:24461): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/mnt/storage1/cxinstallers/a3ebe77b3a63fdf0f3b1872110137bf0.Rift_LIVE_Patcher_setup.exe" pid=22031 comm="clamd" requested_mask="r" denied_mask="r" fsuid=118 ouid=1001
Dec 26 12:30:30 amboise clamd[22031]: /mnt/storage1/cxinstallers/e6623e9bcb0c3eeaedc5f4742ef0141e.qt-opensource-windows-x86-msvc2010-5.5.1.exe: Can't open file or directory ERROR
Dec 26 12:30:30 amboise kernel: [1014421.757351] audit: type=1400 audit(1514287830.434:24462): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/mnt/storage1/cxinstallers/e6623e9bcb0c3eeaedc5f4742ef0141e.qt-opensource-windows-x86-msvc2010-5.5.1.exe" pid=22031 comm="clamd" requested_mask="r" denied_mask="r" fsuid=118 ouid=1001
> In the clamav-daemon's README.Debian I see:
Ah, I missed that.
> Yes, we're running an experiment about enabling AppArmor by default in
> testing/sid since a couple months. I
Ok. It makes sense to do that as an experiment. So here is my feedback on
the current configuration:
As far as I understand the apparmor profile is set up to only allow
scanning email attachements, either from the email server of from some
user email agent, or to scan the current user's files. That would be
fine for a smartphone or tablet, or even a single-purpose computer or a
locked down desktop meant for a large company's non-technical employees.
However I feel that it is way too restricting for a general purpose
computer, particularly for a Linux distribution like Debian which is
geared towards power users.
Also this apparmor configuration makes it impossible for clamdscan to work
on files that are on usb keys since they are typically mounted in
/media/<USER> and thus outside the locations allowed by the apparmor
profile. Given the security risks presented by USB keys that's probably
unwise.
If I understand the rationale behind the apparmor profile correctly, the
goal is to limit the impact of clamd being compromised by a file it is
asked to scan. However this apparmor profile will only push users to use
clamscan instead of clamdscan and I doubt this is any better:
* clamd already runs in its own account. Only clamav's files belong to
that account so the damage clamd can do is limited by the fileystem
permissions. And they could be further limited by running clamd under
another account (e.g. clamd) with only read-only access to the clamav
files.
* In constrast clamscan runs in the user account. The system files are
still protected against it by the exact same filesystem permissions but
now all the user's files are vulnerable. This is all a ransomware app
really needs.
Finally this profile interferes with two of my use cases:
* The first one is that ClamAV is used as part of CrossOver, CodeWeavers'
version of Wine.
http://www.winehq.org/
https://www.codeweavers.com/products/crossover-linux
One of the things that CrossOver adds is that it scans all files for
viruses before running (for Windows executables) or opening (for
documents, e.g. Word files) them in Wine. So what should CrossOver do
if the user opens a file in a location outside those allowed by the
apparmor profile? Silently open the file without scanning it, thus
betraying the trust of the user who thinks the anti-virus will stop
malicious files? Tell the user his anti-virus scanner is broken, which
the user is going to contest when he tests clamdscan on a file in his
directory? Tell the user to determine whether the file is infected by
himself? (as if he could)
* The second use case is the one which generated the log messages above.
I have a script that monitors a bunch of Windows applications
installer URLs to make sure they are still valid and don't point to
viruses (or, more often than not, to detect ClamAV false positives).
Obviously the installers are cached and are not stored in my $HOME
(the installers total 127GB, and unlike my $HOME content they don't
need to be backed up, stored on a RAID disk or a fast SSD). Thus
clamdscan cannot scan them now. Sure that's not the kind of thing a
neophyte user would do but that's totally the kind of thing I would
expect a Debian user to do.
Workarounds:
* Modify the apparmor configuration obviously, though that workaround
is not applicable to the CrossOver case: (every Linux distribution's
apparmor configuration is going to be different, getting such a
modification working everywhere is likely going to be impractical, and
having a third-party package 'water down' the apparmor configuration
in some people's opinion presents obvious ethical issues).
* Use clamscan instead of clamdscan. However clamscan is really slow
which has a particularly significant impact on small files. For
instance on my laptop it takes over 9 seconds for clamscan to analyze
a 242 *bytes* file, while clamdscan does it in under 0.1 second (and 4
millisecond on the second run). This would also really impact the
CrossOver use case.
* Try to detect when clamdscan fails with an exit code of 2 and try again
with clamscan. This would limit the impact of clamscan's poor
performance. But this means introducing a lot of complication
everywhere that clamdscan is used.
* Use 'clamdscan --fdpass'. This completely bypasses the apparmor profile.
What are the security implications of that? As far as I can tell it's
not possible to reopen an existing fd with different access bits so
if clamdscan opens the file to be scanned in read-only mode, then clamd
should not be able to write to it. So why not make --fdpass the default?
--
Francois Gouget <fgouget at free.fr>
More information about the Pkg-clamav-devel
mailing list