Control: tag -1 + patch

Hi!

Sebastian Andrzej Siewior:
> On 2018-01-07 14:59:54 [+0100], intrigeri wrote:
>> So with my AppArmor in Debian maintainer hat, I would find it
>> reasonable if the clamav-daemon maintainers decided to leave it as-is,
>> possibly improving a little bit the existing documentation in
>> README.Debian to provide better guidance to power-users whose use case
>> is not supported by the current AppArmor policy. I'm happy to help
>> with the latter part if needed.

> So looking at this I think it is just fine. clamd should only access
> specific files which includes files from postfix & exim spool
> directories. By allowing accessing everything it kind of defeats its
> purpose

ACK

> (however I am not sure how that $HOME rule works).

Understood, let me clarify :)

By default /etc/apparmor.d/tunables/home contains:

  @{HOME}=@{HOMEDIRS}/*/ /root/
  @{HOMEDIRS}=/home/

… that is, the $HOME directories for *all* non-system users.
I guess the idea is to allow users to run their own clamd as their
own user (as opposed to a system service).

Of course, DAC permissions still apply so /home/* with restricted
read access won't be readable by clamd: the MAC checks implemented by
any LSM come on top of DAC permissions, they don't override them.

> The rules file ends with
> | # Site-specific additions and overrides. See local/README for details.
> | #include <local/usr.sbin.clamd>

> Maybe if you could provide some info how to add a local rule to enable
> clamd to read everything, that would be nice.

For such use cases, I think that disabling the clamd AppArmor profile
is a more adequate solution than allowing clamd to read everything.

Please see the attached patch series — generated with `git
format-patch origin/unstable' — that documents how to tweak or disable
the AppArmor profiles :)

Cheers,
-- 
intrigeri
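
To make the @{HOME} expansion and the "MAC on top of DAC" point above concrete, here is an added Python example (not part of this message, of the clamav packaging, or of AppArmor's own tooling). It parses the two tunables lines quoted above, expands the variables in a small constructed rule set standing in for the clamd profile, and implements a simplified subset of AppArmor globbing (`*` and `?` stop at `/`, `**` does not; qualifiers such as `owner`, deny rules and rule ordering are ignored) so you can see which paths the @{HOME} rule covers and which ones need a site-specific addition. The `/mnt/storage1/` rules are a constructed local override of the kind that goes in /etc/apparmor.d/local/usr.sbin.clamd.

```python
import re

# Constructed copy of the two lines quoted above from /etc/apparmor.d/tunables/home.
TUNABLES_HOME = """\
@{HOME}=@{HOMEDIRS}/*/ /root/
@{HOMEDIRS}=/home/
"""

# Constructed, minimal stand-in for the clamd profile (NOT the real usr.sbin.clamd):
# the @{HOME} rule discussed above plus one mail spool rule.
PROFILE_RULES = """\
@{HOME}/** r,
/var/spool/postfix/** r,
"""

# Constructed site-specific addition, as it would go in /etc/apparmor.d/local/usr.sbin.clamd.
LOCAL_RULES = """\
# allow scanning an extra storage volume
/mnt/storage1/   r,
/mnt/storage1/** r,
"""

VAR_RE = re.compile(r"@\{([A-Za-z0-9_]+)\}")


def parse_tunables(text):
    """Parse `@{NAME}=value value ...` lines into {NAME: [values]}."""
    variables = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, values = line.partition("=")
        match = VAR_RE.fullmatch(name.strip())
        if not match:
            raise ValueError(f"not a variable definition: {line!r}")
        variables.setdefault(match.group(1), []).extend(values.split())
    return variables


def expand(value, variables, depth=0):
    """Expand every @{VAR} in `value`; a variable with N values yields N strings.
    Runs of slashes are collapsed, as apparmor_parser does (@{HOME} ends in '/')."""
    if depth > 10:
        raise ValueError("variable expansion too deep (cycle?)")
    match = VAR_RE.search(value)
    if not match:
        return [re.sub(r"/{2,}", "/", value)]
    results = []
    for replacement in variables[match.group(1)]:
        candidate = value[:match.start()] + replacement + value[match.end():]
        results.extend(expand(candidate, variables, depth + 1))
    return results


def glob_to_regex(pattern):
    """Simplified AppArmor globbing: '*' and '?' never cross '/', '**' does."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        char = pattern[i]
        if char == "*":
            out.append("[^/]*")
        elif char == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(char))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(text, variables):
    """Parse `path perms,` lines into (expanded_path, regex, perms) triples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",").strip()
        if not line:
            continue
        path, perms = line.rsplit(None, 1)
        for expanded in expand(path, variables):
            rules.append((expanded, glob_to_regex(expanded), perms))
    return rules


def allowed(path, rules, perm="r"):
    """Return the expanded rule that grants `perm` on `path`, or None if the
    profile has no such rule. This is the MAC layer only: DAC still applies on
    top, so a matching rule does not help if clamd's own user cannot read the file."""
    for expanded, regex, perms in rules:
        if perm in perms and regex.match(path):
            return expanded
    return None


if __name__ == "__main__":
    variables = parse_tunables(TUNABLES_HOME)
    default_rules = parse_rules(PROFILE_RULES, variables)
    all_rules = default_rules + parse_rules(LOCAL_RULES, variables)
    for path in ("/home/alice/Maildir/new/1", "/mnt/storage1/data/report.pdf", "/etc/shadow"):
        print(f"{path}: default={allowed(path, default_rules)} with_local={allowed(path, all_rules)}")
```

Running it shows the @{HOME} rule expanding to `/home/*/**` and `/root/**`, so a file under any user's home directory matches while `/mnt/storage1/...` and `/etc/shadow` do not; adding the local rules covers the storage volume without opening anything else, which is the narrower alternative to the "read everything" request.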

From 7324fb97a269ac5cbaece2546bec5e63b565392a Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Wed, 10 Jan 2018 09:16:42 +0000
Subject: [PATCH 1/3] Fix "apparmor" spelling typos in README.Debian.

---
 debian/README.Debian | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/debian/README.Debian b/debian/README.Debian
index de5729a..96aaa31 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -254,22 +254,22 @@ CLAMAV-MILTER
 
 APPARMOR PROFILES
   
-  If your system uses apparmor, please note that the shipped enforcing profile
+  If your system uses AppArmor, please note that the shipped enforcing profile
   works with the default installation, and changes in your configuration may
-  require changes to the installed apparmor profile. Please see
+  require changes to the installed AppArmor profile. Please see
   https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
   software.
 
   In particular, clamav-daemon runs as it's own user and is confined from
   accessing all but a limited set of files.  These include the home directory
   of the user calling clamav-daemon, but not system files.  If you want to
-  scan files outside of your home directory, the apparmor profile will need to
+  scan files outside of your home directory, the AppArmor profile will need to
   be updated.
 
   The freshclam utility is also protected by an enforcing profile. If you
   want to add files to the /etc/clamav/onerrorexecute.d,
   /etc/clamav/onupdateexecute.d, or /etc/clamav/virusevent.d directories,
-  appropriate rules need to be added to the apparmor profile.
+  appropriate rules need to be added to the AppArmor profile.
 
   Please see https://wiki.debian.org/AppArmor for information and
-  documentation on modifying apparmor profiles.
+  documentation on modifying AppArmor profiles.
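
Review bot: the unchanged context line "In particular, clamav-daemon runs as it's own user" in this hunk still carries an "it's"/"its" typo; since this patch is the spelling pass over the paragraph, changing it to "runs as its own user" here would keep the fixes together. A second, minor point: the same section points readers to https://wiki.ubuntu.com/DebuggingApparmor in its first paragraph and to https://wiki.debian.org/AppArmor in its last; for a Debian README one reference (or a sentence explaining why both) would be clearer.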
-- 
2.15.1

From 788b78959fac6130369f8e818587d5260b98039b Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Wed, 10 Jan 2018 09:28:16 +0000
Subject: [PATCH 2/3] AppArmor: document in README.Debian how to grant
 clamav-daemon access to additional paths.

---
 debian/README.Debian | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/debian/README.Debian b/debian/README.Debian
index 96aaa31..97eb499 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -264,7 +264,18 @@ APPARMOR PROFILES
   accessing all but a limited set of files.  These include the home directory
   of the user calling clamav-daemon, but not system files.  If you want to
   scan files outside of your home directory, the AppArmor profile will need to
-  be updated.
+  be updated:
+
+    1. Edit /etc/apparmor.d/local/usr.sbin.clamd to add rules that
+       allow access to the additional paths you want clamav-daemon to
+       scan. For example:
+
+         /mnt/storage1/   r,
+         /mnt/storage1/** r,
+
+    2. Reload the AppArmor profile:
+
+         apparmor_parser -r -K /etc/apparmor.d/usr.sbin.clamd
 
   The freshclam utility is also protected by an enforcing profile. If you
   want to add files to the /etc/clamav/onerrorexecute.d,
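
Review bot: step 1 shows the rules to add but does not say that AppArmor checks apply on top of DAC, so the clamav user must also have filesystem read permission on the added path; a sentence to that effect next to the `/mnt/storage1/` example would save a round of debugging (the cover mail makes exactly this point). It would also help to state explicitly that the local file, and not /etc/apparmor.d/usr.sbin.clamd itself, is the place for these rules because the main profile is managed by the package and `#include`s the local one, which is also why step 2's `apparmor_parser -r -K /etc/apparmor.d/usr.sbin.clamd` reloads the main profile rather than the local file.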
-- 
2.15.1

From 1e7e78b3671c7fd3e8ae6135699721b9aae5ff82 Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Wed, 10 Jan 2018 09:30:46 +0000
Subject: [PATCH 3/3] AppArmor: document in README.Debian how to fully disable
 AppArmor confinement. (Closes: #884707)

---
 debian/README.Debian | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/debian/README.Debian b/debian/README.Debian
index 97eb499..9b1b2cb 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -282,5 +282,14 @@ APPARMOR PROFILES
   /etc/clamav/onupdateexecute.d, or /etc/clamav/virusevent.d directories,
   appropriate rules need to be added to the AppArmor profile.
 
+  If you prefer to fully disable AppArmor confinement for
+  clamav-daemon or freshclam, run respectively:
+
+    aa-disable /usr/sbin/clamd
+
+  or:
+
+    aa-disable /usr/bin/freshclam
+
   Please see https://wiki.debian.org/AppArmor for information and
   documentation on modifying AppArmor profiles.
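
Review bot: `aa-disable` is shipped by the apparmor-utils package, which is not pulled in by the apparmor package itself, so the new paragraph should name the package to install; otherwise users following it will hit "command not found". Since the preceding paragraph already describes adding rules, it would also be worth mentioning `aa-complain` (same package) as the less drastic option for users who only need to find out which rules are missing, leaving `aa-disable` for those who really want no confinement at all.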
-- 
2.15.1

_______________________________________________
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel
