apparmor blocks freshclam process info after latest update

Bug #645061 reported by Micah Gersten on 2010-09-22
This bug affects 3 people
Affects: clamav (Ubuntu)
Importance: Low
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: clamav

Sep 22 05:00:56 defiant kernel: [ 3685.854925] type=1400 audit(1285149656.699:8211): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/freshclam" name="/proc/1435/status" pid=1435 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119 ouid=119

This just started after upgrading to 0.96.3+dfsg-1ubuntu1

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: clamav-freshclam 0.96.3+dfsg-1ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Wed Sep 22 05:03:58 2010
ProcEnviron:
 PATH=(custom, no user)
 LANG=C
 SHELL=/bin/bash
SourcePackage: clamav

Imre Gergely (cemc) wrote :

Hi

Does this affect freshclam in any way? Is it not working? Does it give any other errors besides this log entry?

Micah Gersten (micahg) wrote :

Updater seemed to work fine:
Received signal: wake up
ClamAV update process started at Wed Sep 22 05:00:55 2010
main.cld is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Downloading daily-11996.cdiff [100%]
daily.cld updated (version: 11996, sigs: 130710, f-level: 53, builder: arnaud)
bytecode.cvd is up to date (version: 57, sigs: 10, f-level: 53, builder: edwin)
Database updated (835447 signatures) from db.local.clamav.net (IP: 85.114.135.198)

Imre Gergely (cemc) wrote :

Confirmed on Lucid with (not yet) backported clamav 0.96.3 from clamav-ppa.

Seems like this is some new feature in 0.96.3 where freshclam (and indeed clamav-daemon too) does some checking in /proc/self and also /proc/filesystems. Attached some syslog entries which appear exactly after freshclam is done downloading .cvd files (virus definition databases).

The warnings seem to go away when adding the following line to /etc/apparmor.d/local/usr.bin.freshclam:

  /proc/** r,

This doesn't seem to be a bug in clamav but a too restrictive apparmor profile.

Thierry Carrez (ttx) on 2010-09-22
Changed in clamav (Ubuntu):
importance: Undecided → Low
status: New → Confirmed

Scott Kitterman (kitterman) wrote :

According to upstream, this is for selinux and pax detection. This permission problem doesn't affect anything, except for apparmor logs since we have neither and they wouldn't co-exist with apparmor if a user had switched to them.

The detection process opens /proc/pid/status and if it can't be opened, it assumes no pax. Then it opens /proc/filesystems and if it can't open it then it tries /proc/selinux/enforce and if that can't be opened either it assumes no selinux.

I suspect it's probably better to allow these checks because other people will see this in their logs and file bugs. Additionally, I don't like the idea of leaving a profile in place that interferes with upstream functionality even though it happens to produce the same result at the moment.

Changed in clamav (Ubuntu):
milestone: none → ubuntu-10.10

Imre Gergely (cemc) wrote :

[09/22-194642] <jdstrand> owner @{PROC}/[0-9]*/status r,
[09/22-195205] <jdstrand> cemc: /proc/filesystems r, is fine

Added these two lines to /etc/apparmor.d/usr.bin.freshclam and /etc/apparmor.d/usr.sbin.clamd, and after reloading apparmor and restarting clamav-freshclam and clamav-daemon the log entries no longer show up, apparmor doesn't complain. Seems like this fixes the problem (tested on Lucid).

Changed in clamav (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in clamav (Ubuntu):
status: Confirmed → Fix Committed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.96.3+dfsg-1ubuntu2

---------------
clamav (0.96.3+dfsg-1ubuntu2) maverick; urgency=low

  * debian/usr.bin.freshclam: updated to give read access to
    @{PROC}/[0-9]*/status and @{PROC}/filesystems. The latter is covered by
    the base abstraction, but we add it here to ease backporting.
    - LP: #645061
 -- Jamie Strandboge <email address hidden> Wed, 22 Sep 2010 12:28:39 -0500

Changed in clamav (Ubuntu):
status: Fix Committed → Fix Released

Jean-Pierre van Riel (jpvr) wrote :

This bug is back?

$ freshclam --version
ClamAV 0.99.2/22939/Tue Jan 24 06:19:06 2017

$ grep DENIED /var/log/kern.log
Jan 24 09:51:04 <hostname> kernel: [ 41.318809] audit: type=1400 audit(1485244264.939:43): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/5588/status" pid=5588 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=131 ouid=0

Jean-Pierre van Riel (jpvr) wrote :

Also noted, the following IS in /etc/apparmor.d/usr.bin.freshclam

@{PROC}/filesystems r,
owner @{PROC}/[0-9]*/status r,

And

$ ps -u clamav -f | more
UID PID PPID C STIME TTY TIME CMD
clamav 1348 1 0 08:38 ? 00:00:02 /usr/bin/freshclam -d --foregrou
nd=true
$ ls -l /proc/1348/status
-r--r--r-- 1 root root 0 Jan 25 08:38 /proc/1348/status

Shows that root owns the status file, not the clamav user.
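
An added triage example, not part of the original report and not AppArmor's or ClamAV's code: it parses the two denial records quoted in this bug and checks them against the two rules from the fix, showing why the 2010 access is covered while the 2017 one (fsuid=131, ouid=0) fails the owner condition. The function names are hypothetical, @{PROC} is assumed to expand to /proc, and the glob handling is a simplified model of AppArmor path matching.

```python
import re

# Audit records trimmed from the two kernel log lines quoted in this report.
LOG_2010 = ('type=1400 audit(1285149656.699:8211): apparmor="DENIED" operation="open" '
            'profile="/usr/bin/freshclam" name="/proc/1435/status" pid=1435 '
            'requested_mask="r" denied_mask="r" fsuid=119 ouid=119')
LOG_2017 = ('type=1400 audit(1485244264.939:43): apparmor="DENIED" operation="open" '
            'profile="/usr/bin/freshclam" name="/proc/5588/status" pid=5588 '
            'requested_mask="r" denied_mask="r" fsuid=131 ouid=0')

# (owner_only, path glob, permissions) for the two rules added by the fix.
FIX_RULES = [(False, "@{PROC}/filesystems", "r"),
             (True, "@{PROC}/[0-9]*/status", "r")]

_TOKENS = re.compile(r"\*\*|\*|\?|\[[^\]]+\]|.")

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {k: q or b for k, q, b in
              re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Translate an AppArmor path glob to a regex (assumes @{PROC} is /proc)."""
    def convert(match):
        tok = match.group(0)
        if tok == "**":
            return ".*"        # ** crosses directory boundaries
        if tok == "*":
            return "[^/]*"     # * stays within one path component
        if tok == "?":
            return "[^/]"
        return tok if tok.startswith("[") else re.escape(tok)
    return re.compile(_TOKENS.sub(convert, glob.replace("@{PROC}", "/proc")))

def evaluate(denial, rules=FIX_RULES):
    """Say whether the given rules would allow the access in a parsed denial."""
    for owner_only, glob, perms in rules:
        if not glob_to_regex(glob).fullmatch(denial["name"]):
            continue
        if not set(denial["requested_mask"]) <= set(perms):
            continue
        if owner_only and denial["fsuid"] != denial["ouid"]:
            return "owner-mismatch"   # path matches, file not owned by caller
        return "allowed"
    return "no-rule"

if __name__ == "__main__":
    for line in (LOG_2010, LOG_2017):
        d = parse_denial(line)
        print(d["name"], d["fsuid"], d["ouid"], evaluate(d))
```

Passing `[(False, "/proc/**", "r")]` as the rules makes both records come back "allowed", but that glob also matches paths such as /proc/1/environ, which the narrower rules from the fix do not.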

Seth Arnold (seth-arnold) wrote :

Jean-Pierre, please note it'd be more useful if you filed new bugs rather than comment on bugs that were closed six years ago.

In this case this looks like https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1658239

Thanks
