[Pkg-clamav-devel] Bug#917648: [pkg-apparmor] Bug#917648: clamav-freshclam: doesn't properly clean up temporary files, consumes all disk

intrigeri intrigeri at debian.org
Sun Jan 27 14:52:44 GMT 2019


Hi,

Sebastian Andrzej Siewior:
> On 2019-01-09 08:01:47 [+0000], Witold Baryluk wrote:
>> tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=6590668k,mode=755)
>> /dev/sda1 on /run/live/medium type iso9660 (ro,noatime,nojoliet,check=s,map=n,blocksize=2048)
>> /dev/loop0 on /run/live/rootfs/filesystem.squashfs type squashfs (ro,noatime)
>> tmpfs on /run/live/overlay type tmpfs (rw,noatime,mode=755)
>> overlay on / type overlay (rw,noatime,lowerdir=/run/live/rootfs/filesystem.squashfs/,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work)
>> tmpfs on /usr/lib/live/mount type tmpfs (rw,nosuid,noexec,relatime,size=6590668k,mode=755)
>> /dev/sda1 on /usr/lib/live/mount/medium type iso9660 (ro,noatime,nojoliet,check=s,map=n,blocksize=2048)
>> /dev/loop0 on /usr/lib/live/mount/rootfs/filesystem.squashfs type squashfs (ro,noatime)
>> tmpfs on /usr/lib/live/mount/overlay type tmpfs (rw,noatime,mode=755)

> So the rules are correct in general but due to the overlay the pathname
> gets a rw at the front of the path.
> Is there something I need to include to profile or is this something
> that is not supported?

Indeed, unionfs in general are pretty poorly supported by AppArmor at
the moment. Adding the attach_disconnected flag, as suggested by
Vincas, often helps, but it's not always sufficient.

To make AppArmor work with aufs, in Tails we need quite a few custom
tricks; and overlayfs will need yet another set of tricks.

Cheers,
-- 
intrigeri
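An added example, not part of the original message or of the clamav or AppArmor packaging: it parses the mount entries quoted above and derives the prefix that Sebastian describes as the "rw at the front of the path". It assumes that pathnames are reported relative to the root of the filesystem holding the overlay's upperdir; the function names and the sample file path are constructed for illustration.

```python
import os
import re

# Mount entries quoted in the thread (trimmed to the ones that matter here).
MOUNTS = """\
tmpfs on /run/live/overlay type tmpfs (rw,noatime,mode=755)
overlay on / type overlay (rw,noatime,lowerdir=/run/live/rootfs/filesystem.squashfs/,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work)
tmpfs on /usr/lib/live/mount/overlay type tmpfs (rw,noatime,mode=755)
"""

LINE = re.compile(r"^(\S+) on (\S+) type (\S+) \((.*)\)$")


def parse_mounts(text):
    """Parse `mount` output into (mountpoint, fstype, options) tuples."""
    mounts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        opts = {}
        for opt in m.group(4).split(","):
            key, _, value = opt.partition("=")
            opts[key] = value
        mounts.append((m.group(2), m.group(3), opts))
    return mounts


def upper_prefix(mounts, overlay_mountpoint="/"):
    """Return upperdir relative to the root of the filesystem that holds it."""
    upper = next(o["upperdir"] for mp, fs, o in mounts
                 if fs == "overlay" and mp == overlay_mountpoint)
    # The backing filesystem is the longest non-overlay mountpoint containing upperdir.
    backing = max((mp for mp, fs, _ in mounts if fs != "overlay"
                   and os.path.commonpath([mp, upper]) == mp), key=len)
    rel = os.path.relpath(upper, backing)
    return "/" if rel == "." else "/" + rel


def path_in_upper(mounts, path):
    """Assumed model: pathname as seen relative to the upper filesystem root."""
    return upper_prefix(mounts).rstrip("/") + path


if __name__ == "__main__":
    table = parse_mounts(MOUNTS)
    print(upper_prefix(table))
    print(path_in_upper(table, "/var/lib/clamav/sample.tmp"))  # constructed path
```

Comparing the derived prefix with the pathnames in AppArmor denial messages shows whether a profile's rules miss because of the overlay layout rather than because the rules themselves are wrong.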


