appamor denying clamd access to its own process

Bug #645956 reported by Fabien Tassin on 2010-09-23
This bug affects 2 people
Affects Status Importance Assigned to Milestone
clamav (Ubuntu)
Jamie Strandboge

Bug Description

Binary package hint: clamav-daemon

Sep 23 11:42:57 x kernel: [267096.238668] type=1400 audit(1285234977.207:28): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/clamd" name="/proc/29917/status" pid=29917 comm="clamd" requested_mask="r" denied_mask="r" fsuid=117 ouid=117

clamav 29917 0.0 3.2 245060 132744 ? Ssl 10:42 0:05 /usr/sbin/clamd

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: clamav-daemon 0.96.3+dfsg-1ubuntu2
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic
Uname: Linux 2.6.35-22-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Thu Sep 23 13:59:11 2010
 PATH=(custom, user)
SourcePackage: clamav

Related branches

Fabien Tassin (fta) wrote :
Jamie Strandboge (jdstrand) wrote :

It looks like this needs the same fix in usr.sbin.clamd as we had for freshclam. Ie:
  owner @{PROC}/[0-9]*/status r,

tags: added: apparmor
removed: amd64 apport-bug
Changed in clamav (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
milestone: none → ubuntu-10.10
status: New → In Progress
Changed in clamav (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.96.3+dfsg-1ubuntu4

clamav (0.96.3+dfsg-1ubuntu4) maverick; urgency=low

  * debian/usr.sbin.clamd: updated to give read access to
    @{PROC}/[0-9]*/status and @{PROC}/filesystems. The latter is covered by
    the base abstraction, but we add it here to ease backporting.
    - LP: #645956
 -- Jamie Strandboge <email address hidden> Thu, 23 Sep 2010 07:58:35 -0500

Changed in clamav (Ubuntu):
status: Fix Committed → Fix Released
Richard Laager (rlaager) wrote :

This is happening to me on a 12.04 install:
[1793012.835201] type=1400 audit(1336690883.803:534): apparmor="DENIED" operation="open" parent=26571 profile="/usr/sbin/clamd" name="/proc/26820/status" pid=26820 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0

If I remove "owner" from the @{PROC}/[0-9]*/status line in the apparmor policy, it works. I'm not sure if that's "safe" though.

Jamie Strandboge (jdstrand) wrote :

Richard, this should be safe, but can you file a new bug using 'ubuntu-bug clamav-daemon' and give steps to reproduce?

Jean-Pierre van Riel (jpvr) wrote :

Similar issue with freshclam

audit: type=1400 audit(1485244264.939:43): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/5588/status" pid=5588 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=131 ouid=0

Jean-Pierre van Riel (jpvr) wrote :

Related bug which was marked as fixed, but has now regressed somehow. 645061 /

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers