[Pkg-clamav-devel] Bug#999662: clamav-daemon: Use systemd isolation features to reduce risk by compromised clamav-daemon

Detlef Eppers eppers at posteo.de
Tue Jun 4 15:38:57 BST 2024


On Sun, 14 Nov 2021 13:05:43 +0100 Andreas Feldner <pelzi at feldner-bv.de> 
wrote:
> Package: clamav-daemon
> Version: 0.103.3+dfsg-0+deb11u1
> Severity: wishlist
> 
> Dear Maintainer,
> 
> clamav-daemon is currently shipped with a systemd unit file that makes
> no use of systemd security features. I found that a number of attack vectors
> can be closed without inferring problems with functionality.
> 
> This is my version of /lib/systemd/system/clamav-daemon.service that seems to
> work OK:
> 
> ----------------
> [Unit]
> Description=Clam AntiVirus userspace daemon
> Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/
> # Check for database existence
> ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
> ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}
> 
> [Service]
> ExecStart=/usr/sbin/clamd --foreground=true
> User=clamav
> # Reload the database
> ExecReload=/bin/kill -USR2 $MAINPID
> StandardOutput=syslog
> TimeoutStartSec=420
> PrivateTmp=true
> CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
> CapabilityBoundingSet=~CAP_SYS_ADMIN
> CapabilityBoundingSet=~CAP_SYS_PTRACE
> RestrictNamespaces=~CLONE_NEWUSER
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
> CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
> CapabilityBoundingSet=~CAP_FOWNER CAP_IPC_OWNER
> CapabilityBoundingSet=~CAP_NET_ADMIN
> CapabilityBoundingSet=~CAP_SYS_MODULE
> CapabilityBoundingSet=~CAP_SYS_RAWIO
> CapabilityBoundingSet=~CAP_SYS_TIME
> 
> [Install]
> WantedBy=multi-user.target
> ----------------


FYI, an issue and a pull request have been opened upstream:

https://github.com/Cisco-Talos/clamav/issues/858
https://github.com/Cisco-Talos/clamav/pull/859

-- 
PGP: 84F59CAFB6618B1D01C992A6D0462C2C9FB57726
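
Added example, not part of the original message or of the clamav packaging: a Python model of how systemd merges the repeated `CapabilityBoundingSet=~` lines in the unit quoted above, returning what remains in the bounding set. The capability list assumes a Linux 5.9 or later kernel; the names `ALL_CAPS`, `UNIT` and `bounding_set` are illustrative.

```python
# Linux capability names as of kernel 5.9 (assumption about the target kernel).
ALL_CAPS = frozenset("CAP_" + n for n in """
CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP
LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN
SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE
AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND
AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE""".split())

# CapabilityBoundingSet lines copied unchanged from the unit quoted above.
UNIT = """\
[Service]
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
CapabilityBoundingSet=~CAP_FOWNER CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_SYS_MODULE
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_TIME
"""

def bounding_set(unit_text):
    """Return the effective bounding set, or None if the unit never sets it."""
    current, section = None, None  # None: not configured, full set is kept
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key, _, value = line.partition("=")
        if section != "Service" or key.strip() != "CapabilityBoundingSet":
            continue
        value = value.strip()
        if not value:  # an empty assignment resets to the empty set
            current = frozenset()
            continue
        invert = value.startswith("~")
        caps = frozenset(value.lstrip("~").split())
        if caps - ALL_CAPS:
            raise ValueError(f"unknown capability: {sorted(caps - ALL_CAPS)}")
        # "~" lines remove from the set (AND); plain lines add to it (OR).
        base = current if current is not None else (ALL_CAPS if invert else frozenset())
        current = base - caps if invert else base | caps
    return current

if __name__ == "__main__":
    print(sorted(bounding_set(UNIT)))
```

For the quoted unit the result still contains CAP_DAC_OVERRIDE, CAP_SYS_BOOT and CAP_BPF, since a deny-list keeps every capability it does not name.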


