** Description changed: [Impact] After installing clamav on Ubuntu bionic, the clamav-freshclam unit is started. This service is responsible for automating the update process of virus databases. In order to perform its job, clamav-freshclam links against libssl and uses it to validate SSL certificates when updating its virus definitions. This means that it also needs to be able to read the file /etc/ssl/openssl.cnf. The current clamav shipped in Ubuntu bionic does not contain the proper - directives necessary to instruct apparmor that clamav-freshclam (and - clamd) are allowed to open the file /etc/ssl/openssl.cnf, which ends up + directives necessary to instruct apparmor that clamav-freshclam and + clamd are allowed to open the file /etc/ssl/openssl.cnf, which ends up with apparmor blocking the operation. Fortunately, clamav-freshclam is able to proceed and finish the operation without problems, but the warning can be misleading to a user and give the impression that no certificate validation is being performed, for example. The fix is very simple and contained: we just need to add the proper openssl abstractions to the clamav-freshclam and clamd apparmor profiles. This makes sure that both processes will be able to properly read the /etc/ssl/openssl.cnf file, and no warning will be generated by apparmor. + This update also fixes the fact that clamav-freshclam runs unconfined on + its first install, because its apparmor profile is loaded after the + service has been started. Part of this fix involves adopting dh- + apparmor and getting rid of the hand-crafted apparmor code that + currently lives in the *.postinst files. + [Test Case] In order to reproduce the bug, one can do: $ multipass launch -n clamav-bug1839767 bionic $ multipass shell clamav-bug1839767 When inside the VM: $ sudo apt install clamav - $ sudo systemctl restart clamav-freshclam.service - Restarting the service is not strictly required, but guarantees that it - will indeed try to open the /etc/ssl/openssl.cnf file. Now, we can grep - for the warning message: + Now, we can grep for the warning message: $ sudo dmesg | grep DENIED | grep freshclam [ 60.177762] audit: type=1400 audit(1588102725.538:18): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=1864 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0 [ 60.201982] audit: type=1400 audit(1588102725.566:19): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=1864 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0 + + Notice also that the clamav-freshclam daemon is running in unconfined + mode, even though it does have an apparmor profile installed: + + $ sudo aa-status + ... + 1 processes are unconfined but have a profile defined. + /usr/bin/freshclam (657) [Regression Potential] This change is trivial and self-contained, and as such it is not likely to cause regressions on current setups. An obvious potential (albeit unlikely) issue is the fact that we will be introducing a package built using the current libraries and headers that are available in bionic today, instead of the ones available back when the current release of clamav was built. Another issue might arise if the user has edited the clamav-freshclam and/or clamd apparmor profiles by hand in order to mitigate the warning on their systems. An upgrade problem could happen in this case if dpkg has problems replacing the user-modified file by the new file shipped by - the package, especially because dh-apparmor is not available on bionic - (and therefore is not used by clamav). + the package, because dh-apparmor was not used by clamav until this SRU. + + A fact worth noting is that, in this update, clamav will start using dh- + apparmor to handle its appamor profiles, while so far it has been using + a hand-crafted code inside the *.postinst files. This could have the + side-effect of introducing dh-apparmor specific problems that might + exist today, but overall I believe the adoption of a debhelper utility + makes the package much more robust. + + [Other Info] + + Finally, something else worth mentioning is the fact that the *.postrm + scripts still carry apparmor-specific code to manually remove the + profiles when purging the package, which can be considered a duplicate + effort of what dh-apparmor already does. The justification for leaving + this bit as-is is that it also happens in focal and groovy, which means + that this SRU would have to apply to them as well if we were to fix this + small problem. [Original Description] A similar bug seems to have been reported before but keeps returning. I'm seeing it on an new install of bionic server 18.04 clamav version: 0.100.3+dfsg-0ubuntu0.18.04.1 kern.log keeps reporting the following after installing clamav and clamav-daemon: kernel: [ 10.851831] audit: type=1400 audit(1565467797.334:27): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=962 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 kernel: [ 10.897174] audit: type=1400 audit(1565467797.382:28): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ssl/openssl.cnf" pid=1101 comm="clamd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0 Similar to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1778812 Only seems like freshclam and clamd now need access to /etc/ssl/openssl.cnf Looking at /etc/apparmor.d/usr.bin.freshclam I have: @{PROC}/filesystems r, owner @{PROC}/[0-9]*/status r, Do we need to add: /etc/ssl/openssl.cnf r, To both usr.bin.freshclam and usr.bin.clamd ?
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1839767 Title: apparmor DENIED freshclam and clamd access to openssl.cnf To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1839767/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
