[Pkg-clamav-devel] Bug#917648: clamav-freshclam: doesn't properly clean up temporary files, consumes all disk

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Wed Jan 2 21:50:32 GMT 2019


On 2018-12-29 20:28:23 [+0000], Witold Baryluk wrote:
> It looks it is by default on Debian, because libgtk or something depends
> on apparmor and then it is automatically enabled. Or some package
> suggests it and my apt by default probably install suggests or something.
that and the fact that apparmor is enabled by default in the kernel.
Earlier, the default was what you can achieve now if add
	apparmor=0
to the kernel command line (disable kernel support for apparmor).

> I did:
> 
> 1) aa-disable  /usr/bin/freshclam
…
> And it works, it updates a database, and removes temporary directory.

perfect. So it works in general but the apparmor profile lacks some
permissions.

> Reenableing it (aa-enforce), and restarting, bring old behaviour, even if
> all databases are up to date, it creates an empty temporary directory
> that is not removed when it finished update process.

okay. Thanks for the analysis.

> openat(AT_FDCWD, "/var/lib/clamav/clamav-b2d56c174f79ecbf7d1264dd93f6fc1e.tmp", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 EACCES (Permission denied)
> stat("/var/log/clamav/freshclam.log", {st_mode=S_IFREG|0640, st_size=93037, ...}) = 0
> 
> 
> No idea why it does a 'stat' of the log all the time (maybe log rotation
> functionality), because it is in append mode, so it shouldn't be doing
> this maybe.

It might be part of some higher API. I dunno.

> 
> Anyhow, you can see
> 
> openat(AT_FDCWD, "/var/lib/clamav/clamav-b2d56c174f79ecbf7d1264dd93f6fc1e.tmp", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY)
> 
> fails with permission denied message.
> 
> However, it doesn't even attempt to remove the directory in the case of
> an error. That is a bug in the freshclam, not apparmor profile. (The
> removal might still fail due to apparmor or other issues, like broken
> file system, nfs mount, etc, but it does change the fact that clamav
> should attempt to clean files and directory even on failure, and if it fails
> to remove, emit a log message).

hmm. I'm not sure if that is the problem. It might however. If it is the
cleaning up part then it should be followed by unlinkat(2) if the
openat(2) would not fail.
"dmesg" should give you the output you look for. Like "apparmor: denied
$this because of $reason".
Looking at the profile it should allow creating and removing
files/directories below /var/lib/clamav/. But then it only allows
reading in /var/lib/clamav and there are cvd written so I miss
something.
Anyway, I have currently no access to box due to vacation time. I will
take a look next week. I would suggest you to remove the freshclam
apparmor profile if you want to use apparmor but it seems you do not
rely on it.

> Regards,
> Witold

Sebastian



More information about the Pkg-clamav-devel mailing list