Comment 2 for bug 1842695

Paride Legovini (paride) wrote : Re: ClamAV AppArmor profiles are incorrect in 0.100.3

Giving a process cap_sys_admin is effectively giving it root, which is something we don't want to do. This means there is no good way to support OnAccess by default.

Allowing cap_sys_admin via AppArmor also kind of defeats the purpose of AppArmor, as the capability is so wide, so I doubt the change will be integrated in the default AppArmor profile.

Unfortunately there is no good solution here. The best we can do is to document that OnAccess needs root (= cap_sys_admin) and what the best way to implement this setup is. Running the daemon with uid=0 is certainly not the right thing to do for a number of reasons. Giving cap_sys_admin to /usr/sbin/clamd could work, but we need to ensure the setting will survive package upgrades. (I gave `setcap cap_sys_admin+ep /usr/sbin/clamd` a shot and it still failed to run fanotify_init(), but I'm pretty sure this is feasible.)
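To verify a setcap-based setup like the one tried above, this added probe (not part of the bug report or of ClamAV) reads the effective capability mask of the running process from /proc/self/status, checks the CAP_SYS_ADMIN bit, and attempts fanotify_init(), which fails with EPERM when that capability is missing. Run it as the same user the daemon would run as; the program name and the `FAN_CLASS_CONTENT` flag choice are assumptions for the example.

```c
// Added example: probe CAP_SYS_ADMIN and fanotify_init() availability (Linux only).
// Build: cc -o fanprobe fanprobe.c ; optionally: setcap cap_sys_admin+ep ./fanprobe
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

#define CAP_SYS_ADMIN_BIT 21  /* CAP_SYS_ADMIN from <linux/capability.h> */

/* Return 1 if bit `cap` is set in a CapEff hex mask as printed in /proc/self/status. */
int cap_in_mask(const char *hexmask, int cap)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the "CapEff:" value of /proc/self/status into buf (64 bytes); 0 on success. */
int read_cap_eff(char buf[64])
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "CapEff: %63s", buf) == 1) { fclose(f); return 0; }
    }
    fclose(f);
    return -1;
}

/* Try to create a fanotify group; return 0 on success, otherwise errno
 * (EPERM is what an unprivileged OnAccess scanner would hit). */
int probe_fanotify(void)
{
    int fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main(void)
{
    char capeff[64] = "0";
    if (read_cap_eff(capeff) == 0)
        printf("CapEff=%s cap_sys_admin=%s\n", capeff,
               cap_in_mask(capeff, CAP_SYS_ADMIN_BIT) ? "yes" : "no");
    int err = probe_fanotify();
    printf("fanotify_init: %s\n", err ? strerror(err) : "ok");
    return err ? 1 : 0;
}
```

If the mask shows cap_sys_admin=yes but fanotify_init still fails, the capability is being dropped before the call (for example when the process changes uid), which is the point to examine next.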