ClamAV AppArmor profiles do not allow OnAccess scanning
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| clamav (Debian) | New | Unknown | | |
| clamav (Ubuntu) | Triaged | Low | Unassigned | |
Bug Description
Ubuntu 18.04 + clamav-* 0.100.3+
The auditd log info below[1][2] shows what I believe to be a bug in the 0.100.3 AppArmor profiles included with the Ubuntu packages "clamav-daemon" and "clamav-freshclam". The included profiles do not allow the proper execution of clamd.
jblaine@
clamav-daemon: /etc/apparmor.
jblaine@
clamav-freshclam: /etc/apparmor.
jblaine@
Specifically, the denied items[1][2] appear to disallow OnAccess scanning:
1. clamd complains that it needs to run as root:
Sep 4 11:33:50 ub18test clamd[55172]: ScanOnAccess: fanotify_init failed: Operation not permitted
Sep 4 11:33:50 ub18test clamd[55172]: ScanOnAccess: clamd must be started by root
2. clamd *is* running as root (required for OnAccess scanning, configured this way intentionally by me):
root 55172 1 81 16:33 ? 00:00:44 /usr/sbin/clamd --foreground=true
If I disable the clamd AppArmor profile and restart the service, the OnAccess scanning works:
jblaine@
jblaine@
jblaine@
jblaine@
...
Sep 4 12:19:21 ub18test clamd[4299]: ScanOnAccess: preventing access attempts on malicious files.
Sep 4 12:19:21 ub18test clamd[4299]: ScanOnAccess: Max file size limited to 104857600 bytes
Sep 4 12:19:21 ub18test clamd[4299]: ScanOnAccess: Protecting directory '/home' (and all sub-directories)
Regards,
Jeff Blaine
FOOTNOTES:
1. clamd issues found in auditd log:
node=ub18test type=AVC msg=audit(
apparmor="DENIED" operation="capable" profile=
pid=54842 comm="clamd" capability=2 capname=
node=ub18test type=AVC msg=audit(
apparmor="DENIED" operation="open" profile=
name="/
denied_mask="r" fsuid=0 ouid=0
node=ub18test type=AVC msg=audit(
apparmor="DENIED" operation="capable" profile=
pid=54858 comm="clamd" capability=21 capname="sys_admin"
2. freshclam issues found in auditd log:
node=ub18test type=AVC msg=audit(
operation="open" profile=
name="/
denied_mask="r" fsuid=0 ouid=0
node=ub18test type=AVC msg=audit(
operation="capable" profile=
comm="freshclam" capability=2 capname=
node=ub18test type=AVC msg=audit(
operation="capable" profile=
comm="freshclam" capability=1 capname=
Related branches
- git-ubuntu import: Pending requested
- Diff: 74 lines (+37/-1), 3 files modified:
  - debian/README.Debian (+11/-1)
  - debian/changelog (+13/-0)
  - debian/clamav-daemon.postinst.in (+13/-0)
tags: removed: server-triage-discuss
Changed in clamav (Ubuntu): status: New → Triaged
Changed in clamav (Ubuntu): assignee: nobody → Michał Małoszewski (michal-maloszewski99)
tags: added: server-todo
Changed in clamav (Ubuntu): status: Triaged → In Progress
tags: removed: server-todo
Changed in clamav (Ubuntu): assignee: Michał Małoszewski (michal-maloszewski99) → nobody
Changed in clamav (Ubuntu): status: In Progress → Triaged
Changed in clamav (Debian): status: Unknown → New
tags: added: server-triage-discuss
Thanks for your report and for providing the relevant logs. This can be reproduced fairly easily by installing the auditd and clamav packages (unprivileged LXD containers can't run auditd, I used a VM). The OnAccess scanning mode can be enabled by setting
LocalSocketGroup root
User root
ScanOnAccess true
in /etc/clamav/clamd.conf and by running `clamd --foreground` as root. The auditd log will show a message like
apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd"
pid=54858 comm="clamd" capability=21 capname="sys_admin"
and clamd won't start in OnAccess mode. I confirm that disabling the clamd AppArmor profile makes it work. As the bug report states, OnAccess doesn't work with the AppArmor profile we ship.
OnAccess scanning needs to call fanotify_init(2), which in turn needs the sys_admin capability. This capability is very wide-ranging, see capabilities(7). Before allowing it the security implications should be evaluated.
Some notes:
1. I don't think freshclam is involved in this specific issue, but the reason for the AppArmor denials shown in the bug description (footnote 2) should probably be investigated too.
2. The only missing capability that prevents clamd from starting in OnAccess mode seems to be the 'sys_admin' capability. In my testing I've got no errors about 'dac_read_search', while the denied "open /etc/ssl/openssl.cnf" was there but apparently didn't cause any harm.
3. Running the daemon as root is clearly not a good idea. This setup would be better handled by giving cap_sys_admin to /usr/sbin/clamd or to the clamav user. I didn't try this setup, but it should be feasible.
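As an added example (not part of the bug report or of the ClamAV or Ubuntu packaging), a small Python triage helper that turns auditd AVC records like the ones in the footnotes into candidate AppArmor rules per profile, while flagging wide-ranging capabilities such as sys_admin for the human review the comment above asks for instead of silently allowing them. The sample log lines, their timestamps and the profile path are constructed for the example.

```python
import re
# Constructed sample audit records, shaped like the (truncated) AVC lines in this
# bug's footnotes; the profile path and timestamps are assumptions for the example.
SAMPLE_AUDIT_LOG = """\
node=ub18test type=AVC msg=audit(1567611230.123:456): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=54842 comm="clamd" capability=2 capname="dac_read_search"
node=ub18test type=AVC msg=audit(1567611230.124:457): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ssl/openssl.cnf" pid=54842 comm="clamd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
node=ub18test type=AVC msg=audit(1567611230.125:458): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=54858 comm="clamd" capability=21 capname="sys_admin"
node=ub18test type=AVC msg=audit(1567611230.125:459): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=54858 comm="clamd" capability=21 capname="sys_admin"
"""

# Capabilities that broadly weaken confinement: report them for review, never auto-allow.
WIDE_CAPS = {"sys_admin", "dac_override", "dac_read_search", "sys_ptrace", "sys_module"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Return the key=value fields of one AppArmor DENIED record, else None."""
    fields = {k: q or u for k, q, u in FIELD_RE.findall(line)}
    if fields.get("type") != "AVC" or fields.get("apparmor") != "DENIED":
        return None
    return fields

def suggest_rules(log_text):
    """Group distinct denials by profile and translate each into an AppArmor rule.
    Returns (rules, review): profile -> ordered rule list, and the set of
    capability rules that need a human decision before they are shipped."""
    rules, review = {}, set()
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        if f["operation"] == "capable":
            rule = f"capability {f['capname']},"
            if f["capname"] in WIDE_CAPS:
                review.add(rule)
        elif f["operation"] == "open":
            rule = f"{f['name']} {f['denied_mask']},"   # file access rule
        else:
            continue
        profile_rules = rules.setdefault(f["profile"], [])
        if rule not in profile_rules:               # dedupe repeated denials
            profile_rules.append(rule)
    return rules, review

if __name__ == "__main__":
    rules, review = suggest_rules(SAMPLE_AUDIT_LOG)
    for profile, profile_rules in rules.items():
        print(f"# denials for profile {profile}")
        for rule in profile_rules:
            print(f"  {rule}" + ("   # REVIEW: wide-ranging capability" if rule in review else ""))
```

Each flagged rule is the point where the triager's question applies: granting `capability sys_admin,` to the clamd profile removes most of what the confinement buys, so the alternative in note 3 (a file capability on the binary rather than a root daemon) is worth weighing before the rule is added.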