[Pkg-clamav-devel] Bug#884707: apparmor breaks clamdscan

intrigeri intrigeri at debian.org
Wed Jan 10 09:36:26 UTC 2018


Control: tag -1 + patch

Hi!

Sebastian Andrzej Siewior:
> On 2018-01-07 14:59:54 [+0100], intrigeri wrote:
>> So with my AppArmor in Debian maintainer hat, I would find it
>> reasonable if the clamav-daemon maintainers decided to leave it as-is,
>> possibly improving a little bit the existing documentation in
>> README.Debian to provide better guidance to power-users whose use case
>> is not supported by the current AppArmor policy. I'm happy to help
>> with the latter part if needed.

> So looking at this I think it is just fine. clamd should only access
> specific files which includes files from postfix & exim spool
> directories. By allowing accessing everything it kind of defeats its
> purpose

ACK

> (however I am not sure how that $HOME rule works).

Understood, let me clarify :)

By default /etc/apparmor.d/tunables/home contains:

  @{HOME}=@{HOMEDIRS}/*/ /root/
  @{HOMEDIRS}=/home/

… that is the $HOME directories for *all* non-system users.
I guess the idea is to allow users to run their own clamd as their
own user (as opposed to a system service).

Of course, DAC permissions still apply so /home/* with restricted
read access won't be readable by clamd: the MAC checks implemented by
any LSM come on top of DAC permissions, they don't override them.

> The rules file ends with
> | # Site-specific additions and overrides. See local/README for details.
> | #include <local/usr.sbin.clamd>

> Maybe if you could provide some info how to add a local rule to enable
> clamd to read everything, that would be nice.

For such use cases, I think that disabling the clamd AppArmor profile
is a more adequate solution than allowing clamd to read everything.

Please see the attached patch series — generated with `git
format-patch origin/unstable' — that documents how to tweak or disable
the AppArmor profiles :)

Cheers,
-- 
intrigeri

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-apparmor-spelling-typos-in-README.Debian.patch
Type: text/x-diff
Size: 1894 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20180110/1721af8e/attachment-0003.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-AppArmor-document-in-README.Debian-how-to-grant-clam.patch
Type: text/x-diff
Size: 1284 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20180110/1721af8e/attachment-0004.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-AppArmor-document-in-README.Debian-how-to-fully-disa.patch
Type: text/x-diff
Size: 981 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20180110/1721af8e/attachment-0005.patch>
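As an added illustration (not part of this thread or of the clamav package), a small Python model of how AppArmor expands the @{HOME} tunable quoted above: it parses the tunables/home defaults, expands a file rule path such as `@{HOME}/**` (a rule shape assumed here for illustration, not quoted from usr.sbin.clamd), and checks which concrete paths such a rule would cover. The tunables text is a constructed stand-in for /etc/apparmor.d/tunables/home; DAC checks, as the mail notes, would still apply on top of any match.

```python
import re

TUNABLES_HOME = """
# constructed stand-in for /etc/apparmor.d/tunables/home (defaults quoted in the mail)
@{HOME}=@{HOMEDIRS}/*/ /root/
@{HOMEDIRS}=/home/
"""

VAR_RE = re.compile(r"@\{([A-Za-z0-9_]+)\}")
ASSIGN_RE = re.compile(r"@\{([A-Za-z0-9_]+)\}\s*(\+?=)\s*(.*)$")

def parse_tunables(text):
    """Parse '@{VAR}=v1 v2' and '@{VAR}+=v3' lines into {name: [values]}."""
    tunables = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"unparsable tunable line: {line!r}")
        name, op, values = m.groups()
        if op == "+=":
            tunables.setdefault(name, []).extend(values.split())
        else:
            tunables[name] = values.split()
    return tunables

def expand(path, tunables):
    """Expand @{VAR} references recursively; every variable value yields its own path."""
    m = VAR_RE.search(path)
    if not m:
        return [re.sub(r"/+", "/", path)]    # collapse '//' left by trailing-slash values
    expanded = []
    for value in tunables[m.group(1)]:
        expanded.extend(expand(path[:m.start()] + value + path[m.end():], tunables))
    return expanded

def glob_to_regex(pattern):
    """AppArmor globbing: '**' may cross '/', a single '*' may not."""
    pieces = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in pieces)
    return re.compile("^" + body + "$")

def rule_covers(rule_path, target, tunables):
    """True if a file rule written as rule_path would apply to the concrete path target."""
    return any(glob_to_regex(p).match(target) for p in expand(rule_path, tunables))

if __name__ == "__main__":
    print(expand("@{HOME}/**", parse_tunables(TUNABLES_HOME)))
```

Running it shows that the rule reaches every non-system user's home plus /root, but nothing under e.g. /srv, which is why a site that scans mail outside those directories needs a local override or a disabled profile rather than a tweak to @{HOME}.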