[Pkg-clamav-devel] Bug#903834: Bug#903834: clamav-freshclam: AppArmor denies access to /procp/<pid>/status
intrigeri
intrigeri at debian.org
Mon Jul 23 08:47:32 BST 2018
Hi,
Sebastian Andrzej Siewior:
> On 2018-07-22 20:10:08 [+0800], intrigeri wrote:
>> Looking at the Journal, it looks very much like the clamav-freshclam
>> service is started before the /usr/bin/freshclam AppArmor profile
>> is loaded.
>>
>> I think this is potentially racy, which might be why the problem can't
>> trivially be reproduced in sid.
> Is this something the clamav ppl need to improve or is this generic AppArmor /
> debhelper thingy?
AFAICT dh-apparmor is not used but a similar code snippet is
hard-coded in debian/clamav-freshclam.postinst.in:
https://salsa.debian.org/clamav-team/clamav/blob/unstable/debian/clamav-freshclam.postinst.in#L360
… so dh-apparmor cannot really be blamed :)
Now, *if* dh-apparmor were used, similar code would be added in the
#DEBHELPER# section
(https://salsa.debian.org/clamav-team/clamav/blob/unstable/debian/clamav-freshclam.postinst.in#L388)
so the profile would still be loaded after the service is started, i.e. too late.
So I see two options:
- Either switch to dh-apparmor and make the code substituted to the
#DEBHELPER# placeholder run *before* the code that starts
the service. That would be best unless there's a good reason why
other debhelper-generated code should run after the other
hard-coded part of that postinst script.
- Or move the hard-coded AppArmor handling bits higher in the script
so they run before the code that starts the service.
Makes sense?
Cheers,
--
intrigeri
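A sketch of the second option from the message above (running the hard-coded AppArmor handling before the code that starts the service), added here as an example; it is not the clamav package's own postinst, and the profile path, the service name and the STEPS_RUN/POSTINST_DRY_RUN variables are assumptions:

```shell
#!/bin/sh
# Constructed sketch of a maintainer-script "configure" branch that loads the
# AppArmor profile *before* the daemon is started, so freshclam never runs
# unconfined in the window the bug report describes. Paths/names are assumed.
set -e

# dh-apparmor's test for an active AppArmor LSM on the running kernel.
apparmor_enabled() {
    [ -r /sys/module/apparmor/parameters/enabled ] &&
        [ "$(cat /sys/module/apparmor/parameters/enabled)" = "Y" ]
}

# Step 1: load the profile. Must never fail the postinst when there is
# nothing to do (no AppArmor, no parser, no profile file installed).
load_apparmor_profile() {
    profile="${APPARMOR_PROFILE_FILE:-/etc/apparmor.d/usr.bin.freshclam}"  # assumed path
    STEPS_RUN="${STEPS_RUN}load_apparmor_profile;"
    apparmor_enabled || return 0
    command -v apparmor_parser >/dev/null 2>&1 || return 0
    [ -f "$profile" ] || return 0
    # -r replace, -T skip cache read, -W write cache: the flags dh-apparmor uses
    apparmor_parser -r -T -W "$profile"
}

# Step 2: only now (re)start the daemon, so it starts already confined.
start_service() {
    STEPS_RUN="${STEPS_RUN}start_service;"
    # POSTINST_DRY_RUN=1 records the step without touching the init system.
    [ "${POSTINST_DRY_RUN:-0}" = "1" ] && return 0
    if command -v deb-systemd-invoke >/dev/null 2>&1; then
        deb-systemd-invoke restart clamav-freshclam.service || true
    elif command -v invoke-rc.d >/dev/null 2>&1; then
        invoke-rc.d clamav-freshclam restart || true
    fi
}

# The fix itself: profile first, service second. Prints the recorded order.
configure() {
    STEPS_RUN=""
    load_apparmor_profile
    start_service
    printf '%s' "$STEPS_RUN"
}

case "${1:-}" in
    configure) configure ;;
esac
```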