freshclam won't execute /etc/clamav/onupdateexecute.d scripts

Reported by Ralf Hildebrandt on 2010-05-24
Affects: clamav (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: clamav

my freshclam.conf uses:

OnUpdateExecute /bin/run-parts /etc/clamav/onupdateexecute.d

but the AppArmor profile seems to disallow this:

[1427457.803239] type=1503 audit(1274406436.102:100): operation="exec" pid=25597 parent=25596 profile="/usr/bin/freshclam" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/dash"
[1445463.435245] type=1503 audit(1274424441.734:101): operation="exec" pid=10464 parent=10463 profile="/usr/bin/freshclam" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/dash"
[1449066.054598] type=1503 audit(1274428044.354:102): operation="exec" pid=30971 parent=30970 profile="/usr/bin/freshclam" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/dash"
[1452667.660441] type=1503 audit(1274431645.962:103): operation="exec" pid=19238 parent=19237 profile="/usr/bin/freshclam" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/dash"
[1463472.998457] type=1503 audit(1274442451.298:104): operation="exec" pid=16132 parent=16131 profile="/usr/bin/freshclam" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/dash"
[1470677.395380] type=1503 audit(1274449655.694:105): operation="exec" pid=26667 parent=26666 profile="/usr/bin/freshclam" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/dash"
[1495879.704428] type=1503 audit(1274474858.006:106): operation="exec" pid=8018 parent=8017 profile="/usr/bin/freshclam" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/dash"

/etc/clamav/onupdateexecute.d contains:

# ll /etc/clamav/onupdateexecute.d
total 4
-rwxr-xr-x 1 root root 177 2010-05-23 11:12 reload_virusdb

which is as simple as:

#!/bin/bash
# wait a random 0-119 s so several hosts do not all reload at the same moment
sleep $(($RANDOM % 120));
# notify the admin, then tell the local c-icap daemon to reload its virus database
echo "Reloading clam on `hostname`" | mailx -s "clam reload" <email address hidden>
echo -n "srv_clamav:dbreload" > /var/run/c-icap/c-icap.ctl

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: clamav-freshclam 0.96+dfsg-2ubuntu1.2
ProcVersionSignature: Ubuntu 2.6.32-21.32-generic-pae 2.6.32.11+drm33.2
Uname: Linux 2.6.32-21-generic-pae i686
Architecture: i386
Date: Mon May 24 18:21:17 2010
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: clamav

Scott Kitterman (kitterman) wrote :

Please put apparmor in complain mode and provide the log results. The process is described in https://wiki.ubuntu.com/DebuggingApparmor

I'm currently preparing a post-release update for clamav to update to clamav 0.96.1, so if we can get this answered quickly I ought to be able to include it.

Changed in clamav (Ubuntu):
status: New → Incomplete

The result:

[1754543.251421] type=1505 audit(1274733521.551:129): operation="profile_replace" pid=25980 name="/usr/bin/freshclam"
[1765351.326452] type=1502 audit(1274744329.626:130): operation="exec" pid=24546 parent=24545 profile="/usr/bin/freshclam" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/dash" name2="/usr/bin/freshclam//null-12"
[1765351.326826] type=1502 audit(1274744329.626:131): operation="open" pid=24546 parent=24545 profile="/usr/bin/freshclam//null-12" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/etc/ld.so.cache"
[1765351.326884] type=1502 audit(1274744329.626:132): operation="open" pid=24546 parent=24545 profile="/usr/bin/freshclam//null-12" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/lib/tls/i686/cmov/libc-2.11.1.so"
[1765351.326915] type=1502 audit(1274744329.626:133): operation="file_mmap" pid=24546 parent=24545 profile="/usr/bin/freshclam//null-12" requested_mask="::mr" denied_mask="::mr" fsuid=107 ouid=0 name="/lib/tls/i686/cmov/libc-2.11.1.so"
[1765351.361355] type=1502 audit(1274744329.662:134): operation="exec" pid=24547 parent=24546 profile="/usr/bin/freshclam//null-12" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/run-parts" name2="/usr/bin/freshclam//null-12//null-13"
[1765351.366319] type=1502 audit(1274744329.666:135): operation="open" pid=24547 parent=24546 profile="/usr/bin/freshclam//null-12//null-13" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/etc/ld.so.cache"
[1765351.366379] type=1502 audit(1274744329.666:136): operation="open" pid=24547 parent=24546 profile="/usr/bin/freshclam//null-12//null-13" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/lib/tls/i686/cmov/libc-2.11.1.so"
[1765351.366410] type=1502 audit(1274744329.666:137): operation="file_mmap" pid=24547 parent=24546 profile="/usr/bin/freshclam//null-12//null-13" requested_mask="::mr" denied_mask="::mr" fsuid=107 ouid=0 name="/lib/tls/i686/cmov/libc-2.11.1.so"
[1765351.379702] type=1502 audit(1274744329.678:138): operation="open" pid=24547 parent=24546 profile="/usr/bin/freshclam//null-12//null-13" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/etc/clamav/onupdateexecute.d/"
[1765385.616534] __ratelimit: 135 callbacks suppressed
[1765385.616539] type=1502 audit(1274744363.918:184): operation="exec" pid=24887 parent=24885 profile="/usr/bin/freshclam//null-12//null-13//null-14" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/hostname" name2="/usr/bin/freshclam//null-12//null-13//null-14//null-16"
[1765385.619011] type=1502 audit(1274744363.918:185): operation="open" pid=24887 parent=24885 profile="/usr/bin/freshclam//null-12//null-13//null-14//null-16" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/etc/ld.so.cache"
[1765385.619065] type=1502 audit(1274744363.918:186): operation="open" pid=24887 parent=24885 profile="/usr/bin/freshclam//null-12//null-13//null-14//null-16" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/lib/tls/i686/cmov/libnsl-2.11.1.so"
[1765385.619100] type=1502 audit(1274744363.918:187): operation="file_mmap" pid=24887 parent=24885 profile="/...


Changed in clamav (Ubuntu):
status: Incomplete → Triaged
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

The default apparmor profile for the freshclam binary doesn't contain rules for scripts added to the /etc/clamav/onupdateexecute.d directory as we can't predict what those scripts will be doing.

You can fix this in one of three ways:

1- Modify the /etc/apparmor.d/usr.bin.freshclam profile to add "/bin/dash ixr," and other rules necessary for your script to run properly. (recommended)

2- Modify the /etc/apparmor.d/usr.bin.freshclam profile to add "/bin/dash Uxr,", which will let scripts run unconfined. This is a security compromise.

3- Disable the freshclam profile by doing "sudo touch /etc/apparmor.d/disable/usr.bin.freshclam". This disables apparmor security for the freshclam tool. This is not recommended.
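Options 1 and 2 above are the same procedure with one different decision: read the denial lines, decide per executable whether the child should inherit the freshclam profile (ix) or leave confinement (Ux), and add the resulting rules. The script below is an added example for this report, written by the editor rather than taken from Ubuntu's clamav package or from aa-logprof, that does that bookkeeping over the log lines quoted in the report. Two things in the log are worth reading correctly: type=1503 records are enforce-mode DENIED entries and type=1502 records are complain-mode ALLOWED entries, and the `//null-12//null-13` suffixes are the throwaway profiles complain mode hands to each child that would otherwise be unconfined; since ix makes the child inherit its parent's profile, every rule belongs in the root /usr/bin/freshclam profile. The example assumes that profile already includes abstractions/base, which is what grants /etc/ld.so.cache and the shared libraries, and filters those denials out; check with `grep abstractions/base /etc/apparmor.d/usr.bin.freshclam` before relying on that. The sample log is constructed from the lines above, including the `__ratelimit: 135 callbacks suppressed` line: the visible log is incomplete (the script's own interpreter, sleep, mailx and the write to the c-icap control file never appear), so the output is a starting point to iterate on in complain mode, not a finished profile.

```python
"""Turn AppArmor audit lines into candidate profile rules.

Added example for this report, not code from Ubuntu's clamav package and
not aa-logprof; it does the same bookkeeping in a few dozen lines.
type=1503 is an enforce-mode DENIED record, type=1502 a complain-mode
ALLOWED record (logged with the mask that would have been denied)."""
import re
from collections import OrderedDict

# Constructed sample: a subset of the lines quoted in this report.
SAMPLE_LOG = """\
[1427457.803239] type=1503 audit(1274406436.102:100): operation="exec" pid=25597 parent=25596 profile="/usr/bin/freshclam" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/dash"
[1765351.326452] type=1502 audit(1274744329.626:130): operation="exec" pid=24546 parent=24545 profile="/usr/bin/freshclam" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/dash" name2="/usr/bin/freshclam//null-12"
[1765351.326826] type=1502 audit(1274744329.626:131): operation="open" pid=24546 parent=24545 profile="/usr/bin/freshclam//null-12" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/etc/ld.so.cache"
[1765351.326915] type=1502 audit(1274744329.626:133): operation="file_mmap" pid=24546 parent=24545 profile="/usr/bin/freshclam//null-12" requested_mask="::mr" denied_mask="::mr" fsuid=107 ouid=0 name="/lib/tls/i686/cmov/libc-2.11.1.so"
[1765351.361355] type=1502 audit(1274744329.662:134): operation="exec" pid=24547 parent=24546 profile="/usr/bin/freshclam//null-12" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/run-parts" name2="/usr/bin/freshclam//null-12//null-13"
[1765351.379702] type=1502 audit(1274744329.678:138): operation="open" pid=24547 parent=24546 profile="/usr/bin/freshclam//null-12//null-13" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/etc/clamav/onupdateexecute.d/"
[1765385.616534] __ratelimit: 135 callbacks suppressed
[1765385.616539] type=1502 audit(1274744363.918:184): operation="exec" pid=24887 parent=24885 profile="/usr/bin/freshclam//null-12//null-13//null-14" requested_mask="::x" denied_mask="::x" fsuid=107 ouid=0 name="/bin/hostname" name2="/usr/bin/freshclam//null-12//null-13//null-14//null-16"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_ORDER = ["m", "r", "w", "k", "l", "ix", "Ux"]
# Assumption: the freshclam profile already has '#include <abstractions/base>',
# which grants ld.so.cache and the shared libraries, so those denials are noise.
# They only appear because the throwaway null-N child profiles lack the include.
BASE_COVERED = re.compile(r"^(/etc/ld\.so\.cache|/(usr/)?lib/.*\.so(\.[0-9]+)*)$")


def parse_audit_line(line):
    """Parse one dmesg/audit line into a dict of its key=value fields, or None."""
    if "audit(" not in line or "operation=" not in line:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["type"] = int(rec["type"])
    return rec


def root_profile(profile):
    """'/usr/bin/freshclam//null-12//null-13' -> '/usr/bin/freshclam'.

    Complain mode parks each would-be-unconfined child in a null-N profile;
    with an ix transition the child inherits the parent instead, so every
    rule has to live in the root profile."""
    return profile.split("//")[0]


def perms_of(mask):
    """'::mr' -> 'mr': the letters after the last '::' are the permission bits."""
    return mask.rsplit("::", 1)[-1]


def suggest_rules(log_text, exec_mode="ix", skip_base_covered=True):
    """Return (OrderedDict {(root_profile, path): set(perm tokens)}, suppressed_count).

    exec_mode 'ix' = option 1 in the report (child inherits the profile);
    'Ux' = option 2 (child runs unconfined, so nothing it does afterwards
    generates or needs a rule: the whole subtree leaves confinement)."""
    rules, suppressed = OrderedDict(), 0
    for line in log_text.splitlines():
        m = re.search(r"__ratelimit: (\d+) callbacks suppressed", line)
        if m:
            suppressed += int(m.group(1))
            continue
        rec = parse_audit_line(line)
        if not rec or rec["type"] not in (1502, 1503) or "denied_mask" not in rec:
            continue
        if exec_mode == "Ux" and "//" in rec["profile"]:
            continue  # inside an unconfined child: no rule needed
        path = rec["name"]
        if skip_base_covered and BASE_COVERED.match(path):
            continue
        tokens = {exec_mode} if rec["operation"] == "exec" else set(perms_of(rec["denied_mask"]))
        rules.setdefault((root_profile(rec["profile"]), path), set()).update(tokens)
    return rules, suppressed


def render_rules(rules):
    """Render as lines ready to paste into the profile, grouped by profile."""
    out, current = [], None
    for (profile, path), perms in sorted(rules.items()):
        if profile != current:
            out.append(f"# rules for {profile}")
            current = profile
        out.append(f"  {path} {''.join(p for p in PERM_ORDER if p in perms)},")
    return out


if __name__ == "__main__":
    rules, suppressed = suggest_rules(SAMPLE_LOG)
    print("\n".join(render_rules(rules)))
    if suppressed:
        print(f"# {suppressed} audit lines were rate-limited away; the rules above are a")
        print("# starting point only: re-run in complain mode with a full log before enforcing")
```

Running it with the default `ix` mode yields `/bin/dash ix,`, `/bin/run-parts ix,`, `/bin/hostname ix,` and `/etc/clamav/onupdateexecute.d/ r,` for the freshclam profile; running it with `exec_mode="Ux"` collapses the whole set to a single `/bin/dash Ux,`, which is exactly why option 2 is the security compromise: every later exec and file access in the subtree happens outside any profile and never shows up in the log again. After adding rules, reload with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.freshclam` and confirm with `sudo aa-status` that freshclam is back in enforce mode.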

Scott Kitterman (kitterman) wrote :

In the long run, the solution is to have freshclam use a helper application. The helper application would run unconfined but would only run stuff that is in those directories, and the main freshclam binary wouldn't be able to write to those directories.

For now, about all I can do is extend the README a bit. This is the proposed text:

  The freshclam utility is also protected by an enforcing profile. If you
  want to add files to the /etc/clamav/onerrorexecute.d,
  /etc/clamav/onupdateexecute.d, or /etc/clamav/virusevent.d directories,
  appropriate rules need to be added to the apparmor profile.

  Please see https://wiki.ubuntu.com/AppArmor for information and
  documentation on modifying apparmor profiles.

Imre Gergely (cemc) wrote :

This sounds like a feature request -> wishlist ?
