Comment 5 for bug 264817

Jamie Strandboge (jdstrand) wrote :

Feature Freeze Exception Request

1. The proposed change is to install an enforcing Apparmor profile for freshclam and clamd. The potential impact for a default/documented installation is considered low, as the profiles have been used and work properly with amavisd-new, clamsmtpd and other frontends. Non-default or untested configurations may break, depending on the configuration and use of clamd.

2. It's my opinion that clamav should not have been promoted to main without an enforcing apparmor profile, considering the security history of clamav and its role in processing untrusted input using C. An enforcing apparmor profile would go a long way in mitigating clamd's use.

The above apparmor profiles have been in use on a (small) production server for months and are known to work well with clamsmtpd. Additionally, tests were run against the amavisd-new configuration specified in https://wiki.ubuntu.com/MOTU/Clamav/TestingProcedures and (correct if I'm wrong Scott) in complain mode on production Hardy servers using amavisd-new.