clamav should ship apparmor profiles

Bug #264817 reported by Jamie Strandboge
Affects: clamav (Ubuntu); Status: Fix Released; Importance: Medium; Assigned to: Jamie Strandboge; Milestone: none

Bug Description

Binary package hint: clamav

clamd and freshclam are persistent daemons and would be best protected using apparmor. debdiff is forthcoming.

Jamie Strandboge (jdstrand) wrote :

Attached is a debdiff against Intrepid's apparmor. This profile is in production for a clamsmtp installation, and has been lightly tested to work with amavisd-new.

Changed in clamav:
assignee: nobody → jdstrand
importance: Undecided → Medium
status: New → In Progress
Scott Kitterman (kitterman) wrote :

I've tested this also with the two most popular desktop front ends (clamtk and klamav) and as expected, they work fine.

Scott Kitterman (kitterman) wrote :

Now that clamav is in Main, I'd like to request this as an FFe for clamav. My recommendation is to update to 0.94 since the rdepends work needs to be done asap and then add this shortly after.

Jamie Strandboge (jdstrand) wrote :

The attached debdiff now uses for clamd:
/tmp/** krw,

This was discussed on IRC and is what was tested by Scott.

Jamie Strandboge (jdstrand) wrote :

Feature Freeze Exception Request

1. The proposed change is to install an enforcing Apparmor profile for freshclam and clamd. The potential impact for a default/documented installation is considered low, as the profiles have been used and work properly with amavisd-new, clamsmtpd and other frontends. Non-default or untested configurations may break, depending on the configuration and use of clamd.

2. It's my opinion that clamav should not have been promoted to main without an enforcing apparmor profile, considering the security history of clamav and its role in processing untrusted input using C. An enforcing apparmor profile would go a long way in mitigating clamd's use.

The above apparmor profiles have been in use on a (small) production server for months and are known to work well with clamsmtpd. Additionally, tests were run against the amavisd-new configuration specified in https://wiki.ubuntu.com/MOTU/Clamav/TestingProcedures and (correct me if I'm wrong, Scott) in complain mode on production Hardy servers using amavisd-new.

Scott Kitterman (kitterman) wrote :

To clarify, the servers I have are all very low volume.

Scott Kitterman (kitterman) wrote :

One further note is that since this debdiff was prepared, I did a clamav upload to strip the recommends we didn't want in Main. I'll refactor this for the new revision number if it's approved.

Steve Langasek (vorlon) wrote :

I also processed bug #264437 before looking at this one, so clamav 0.94.dfsg-1 has now been synced to intrepid. Please provide an updated debdiff against the current intrepid version.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.94.dfsg-1ubuntu1

---------------
clamav (0.94.dfsg-1ubuntu1) intrepid; urgency=low

  * Follow ApparmorProfileMigration and force apparmor complain mode on some
    upgrades (LP: #264817)
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor

 -- Jamie Strandboge <email address hidden> Thu, 18 Sep 2008 22:06:59 -0400

Changed in clamav:
status: In Progress → Fix Released
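As an added illustration, not the clamav package's own maintainer scripts, the POSIX shell functions below model the force-complain migration the changelog describes: on upgrade the profile is linked into force-complain/ when it does not exist yet or is still the unchanged apparmor-profiles copy, and the link is removed on purge. The apparmor.d path, profile name and md5 argument are assumptions; the md5 stands in for the checksum the real package would compare against, and the "pre-feisty" case is not modelled.

```shell
#!/bin/sh
# Added example: models the force-complain logic described in the changelog.
set -e

# Decide whether a profile should be forced into complain mode on upgrade.
# Arguments: apparmor.d directory, profile file name, md5 of the unchanged
# (non-enforcing) apparmor-profiles copy. The md5 is an assumed placeholder.
needs_force_complain() {
    dir="$1"; profile="$2"; unchanged_md5="$3"
    # Profile absent: upgrade from a release that shipped none.
    [ -e "$dir/$profile" ] || return 0
    # Profile present but identical to the untouched apparmor-profiles copy.
    current_md5=$(md5sum "$dir/$profile" | cut -d' ' -f1)
    [ "$current_md5" = "$unchanged_md5" ] && return 0
    # Admin-modified profile: keep it enforcing, do not downgrade it.
    return 1
}

# Create the force-complain symlink (idempotent), as preinst would.
force_complain() {
    dir="$1"; profile="$2"
    mkdir -p "$dir/force-complain"
    ln -sf "$dir/$profile" "$dir/force-complain/$profile"
}

# Remove the symlink on purge, as postrm would.
remove_force_complain() {
    dir="$1"; profile="$2"
    rm -f "$dir/force-complain/$profile"
}

# Apply the decision for one profile; the apparmor reload is only announced
# here so the example runs without the apparmor init script.
migrate_profile() {
    dir="$1"; profile="$2"; unchanged_md5="$3"
    if needs_force_complain "$dir" "$profile" "$unchanged_md5"; then
        force_complain "$dir" "$profile"
        echo "$profile: complain mode forced on upgrade (reload apparmor)"
    else
        echo "$profile: existing profile left as-is (reload apparmor)"
    fi
}
```

Run it against a scratch directory rather than /etc/apparmor.d to watch which of the three upgrade cases produces a symlink.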