apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify

Bug #1404762 reported by Thomas Mayer on 2014-12-22
26
This bug affects 5 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Low
Unassigned

Bug Description

I tried to enable the ScanOnAccess option in /etc/clamav.conf to get on-access scanning.

Doing so, /var/log/clamav/clamav.log tells me:
ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
ScanOnAccess: clamd must be started by root

Setting User to root in /etc/clamav/clamd.conf
makes the clamav-daemon to fail with

service clamav-daemon start
 * Starting ClamAV daemon clamd
ERROR: initgroups() failed.

I had to disable the apparmor.profile with a
cd /etc/apparmor.d/disable
ln -s ./../usr.sbin.clamd

Then, the "ERROR: initgroups() failed." disappears.

The apparmor itself came via apt-get packages. I did not edit it.

Description: Ubuntu 14.04.1 LTS
Release: 14.04

apt-cache policy apparmor-profiles
apparmor-profiles:
  Installiert: (keine)
  Installationskandidat: 2.8.95~2430-0ubuntu5.1
  Versionstabelle:
     2.8.95~2430-0ubuntu5.1 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.8.95~2430-0ubuntu5 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apparmor-profiles (not installed)
ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
Uname: Linux 3.13.0-43-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Mon Dec 22 01:23:04 2014
InstallationDate: Installed on 2014-11-29 (22 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
ProcEnviron:
 LANGUAGE=de_DE
 TERM=xterm
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-3.13.0-43-generic root=UUID=6408c2d9-1b60-43d7-9a7f-2dceeb40de28 ro rootflags=subvol=@ quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:

UpgradeStatus: No upgrade log present (probably fresh install)

Thomas Mayer (thomas303) wrote :
Christian Boltz (cboltz) wrote :

Please add
    capability setgid,
to the clamd profile and re-enable it ("aa-enforce clamd").

If it still doesn't work, set it to complain mode ("aa-complain clamd") so that it permits everything and logs what would be denied. Then use clamd for a while and provide the clamd-related entries from /var/log/audit/audit.log.

You can also update the profile yourself using aa-logprof, and set the profile back to enforce mode with "aa-enforce clamd".

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Hartwig Kolbe (kolbeb) wrote :

I have the same problem, but the above does not help me.
aa-complain clamd needs to be done at every startup, otherwise clamd would not start.
No /var/log/audit/audit.log
Eicar file can be copied despite clamav on-access running (acc clamav.log)
Details see https://answers.launchpad.net/ubuntu/+source/clamav/+question/263109

Hartwig Kolbe (kolbeb) wrote :

some further info:
I now have installed auditd to have the log in /var/log/audit/audit.log.
I added to usr.bin.clamd:
  capability setgid,
  capability setuid,
and used aa-logprof to add some more items:
  capability chown,
  capability dac_override,
  capability fsetid,
  capability sys_admin,
But, after reload apparmor, aa-enforce clamd, and restart clamd
I still have "ERROR: initgroups() failed" at clamd start.
It still needs aa-complain clamd to successfully start clamd

Hartwig Kolbe (kolbeb) wrote :

no any reaction?
Does that mean on-access scanning does not work with clamav (non-detection of Eicar file)?
Because of lacking compatibility with apparmor?

Thomas Mayer (thomas303) wrote :

I was describing two issues: One is that root user was needed for ScanOnAccess. Second was that the apparmor profile does not fit.

Basically, there should be an easy way to use ScanOnAccess with correct apparmor profile.

Fanotify seems to be a basic feature in conjunction with a virus scanner (which can simply run in user space without a kernel module, still getting notified about changes in files).

With the two changes I described, ScanOnAccess is working for me with root privileges and apparmor profile disabled. Therefore, it also detects Eicar testfiles.

I'd suggest to make ScanOnAccess more accessible to an average user.

Seth Arnold (seth-arnold) wrote :

Hartwig, are there still AppArmor DENIED lines in your /var/log/syslog or /var/log/audit/audit.log files even after adding all those extra capabilities? Granted, a profiled application with all those capabilities is likely powerful enough to do great damage to the system anyway...

Thanks

Hartwig Kolbe (kolbeb) wrote :

clamd starts with:
1. aa-complain clamd
2. invoke-rc.d clamav-daemon restart

No clamd entries in syslog.
audit.log after starting clamd:
type=USER_AUTH msg=audit(1428468600.638:193): pid=8314 uid=1000 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="hartwig" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'
type=USER_ACCT msg=audit(1428468600.638:194): pid=8314 uid=1000 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="hartwig" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'
type=USER_START msg=audit(1428468600.658:195): pid=8314 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'
type=AVC msg=audit(1428468604.378:196): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/clamd" pid=8319 comm="apparmor_parser"
type=SYSCALL msg=audit(1428468604.378:196): arch=40000003 syscall=4 success=yes exit=26185 a0=3 a1=9c6677c a2=6649 a3=bfbf36c4 items=0 ppid=8315 pid=8319 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts18 ses=4294967295 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=USER_END msg=audit(1428468604.450:197): pid=8314 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'

But - Eicar file can be copied, no error msg, no log entry

Hartwig Kolbe (kolbeb) wrote :

As another try, I tried to disable the apparmor profile by
  cd /etc/apparmor.d/disable
  ln -s ./../usr.sbin.clamd
as described by Thomas above. Unexpectedly, that did not get rid of the message "ERROR: initgroups() failed".
I found I had a file "usr.sbin(Kopie).clamd" in that folder; this file was a backup of the original, and got used by apparmor (went into the cache folder). After removing this backup copy (and reload apparmor) clamd could start.

Next try: use the original usr.sbin.clamd and add "capability setgid," as recommended by Christian above.
After reload apparmor and restart clamd I got "ERROR: Failed to change socket ownership to group clamav Closing the main socket."
But at system restart clamd started without error.
So, it was the backup file in /etc/apparmor.d which caused the trouble.
Maybe, I will gradually find out how to get on-access scan working.

Seth Arnold (seth-arnold) wrote :

Hartwig, great find with the backup copied file! That would definitely complicate all debugging efforts. Please do report back now that you can make some forward progress.

Hartwig Kolbe (kolbeb) wrote :

Now, that on-access scan seems to be working, I tried some cases:
No detections when I copied some Eicar files around in subfolders of /home/hartwig. However, I got a detection when I placed an Eicar file directly into that folder (mentioned in /var/log/clamav/clamav.log). It looks like that only the folder mentioned in the OnAccessIncludePath parameter is scanned, but no subfolders. Any way to include subfolders?

However, this behaviour does not seem to be connected to apparmor, so it is off-topic for this bug. I put my observations into the original clamav question https://answers.launchpad.net/ubuntu/+source/clamav/+question/263109.

Changed in apparmor (Ubuntu):
importance: Undecided → Low
Branden Pleines (bpleines) wrote :

We ran into the same issue, but wanted to avoid installing apparmor-utils.

In the /etc/apparmor.d/usr.sbin.clam profile, it is possible to set the clamd profile to complain mode directly (we used Ansible) without having to install apparmor-utils or use aa-complain.

Before:
/usr/sbin/clamd {

After:
/usr/sbin/clamd flags=(complain) {

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers