apparmor denying clamd access to its own process

Bug #645956 reported by Fabien Tassin
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
clamav (Ubuntu) | Fix Released | Low | Jamie Strandboge |

Bug Description

Binary package hint: clamav-daemon

Sep 23 11:42:57 x kernel: [267096.238668] type=1400 audit(1285234977.207:28): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/clamd" name="/proc/29917/status" pid=29917 comm="clamd" requested_mask="r" denied_mask="r" fsuid=117 ouid=117

clamav 29917 0.0 3.2 245060 132744 ? Ssl 10:42 0:05 /usr/sbin/clamd

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: clamav-daemon 0.96.3+dfsg-1ubuntu2
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Thu Sep 23 13:59:11 2010
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/usr/bin/tcsh
SourcePackage: clamav

Jamie Strandboge (jdstrand) wrote :

It looks like this needs the same fix in usr.sbin.clamd as we had for freshclam, i.e.:
  owner @{PROC}/[0-9]*/status r,

tags: added: apparmor
removed: amd64 apport-bug
Changed in clamav (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
milestone: none → ubuntu-10.10
status: New → In Progress
Changed in clamav (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.96.3+dfsg-1ubuntu4

---------------
clamav (0.96.3+dfsg-1ubuntu4) maverick; urgency=low

  * debian/usr.sbin.clamd: updated to give read access to
    @{PROC}/[0-9]*/status and @{PROC}/filesystems. The latter is covered by
    the base abstraction, but we add it here to ease backporting.
    - LP: #645956
 -- Jamie Strandboge <email address hidden> Thu, 23 Sep 2010 07:58:35 -0500

Changed in clamav (Ubuntu):
status: Fix Committed → Fix Released
Richard Laager (rlaager) wrote :

This is happening to me on a 12.04 install:
[1793012.835201] type=1400 audit(1336690883.803:534): apparmor="DENIED" operation="open" parent=26571 profile="/usr/sbin/clamd" name="/proc/26820/status" pid=26820 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0

If I remove "owner" from the @{PROC}/[0-9]*/status line in the apparmor policy, it works. I'm not sure if that's "safe" though.

Jamie Strandboge (jdstrand) wrote :

Richard, this should be safe, but can you file a new bug using 'ubuntu-bug clamav-daemon' and give steps to reproduce?

Jean-Pierre van Riel (jpvr) wrote :

Similar issue with freshclam

audit: type=1400 audit(1485244264.939:43): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/5588/status" pid=5588 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=131 ouid=0

Jean-Pierre van Riel (jpvr) wrote :

Related bug which was marked as fixed, but has now regressed somehow. 645061 / https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/645061
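
Added example (not part of the original report or of the clamav package): a Python triage script that parses the three audit records quoted in this thread and checks whether an `owner`-qualified rule could match each one. It relies on AppArmor's `owner` semantics, where the rule applies only when the task's fsuid equals the object's owner uid (`ouid`); the function names are hypothetical.

```python
import re

# Audit records copied from the comments in this report (kernel prefixes trimmed).
RECORDS = [
    'type=1400 audit(1285234977.207:28): apparmor="DENIED" operation="open" '
    'parent=1 profile="/usr/sbin/clamd" name="/proc/29917/status" pid=29917 '
    'comm="clamd" requested_mask="r" denied_mask="r" fsuid=117 ouid=117',
    'type=1400 audit(1336690883.803:534): apparmor="DENIED" operation="open" '
    'parent=26571 profile="/usr/sbin/clamd" name="/proc/26820/status" pid=26820 '
    'comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0',
    'audit: type=1400 audit(1485244264.939:43): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/freshclam" name="/proc/5588/status" pid=5588 '
    'comm="freshclam" requested_mask="r" denied_mask="r" fsuid=131 ouid=0',
]

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def owner_rule_matches(fields):
    """True when an `owner` rule can apply: task fsuid equals object owner uid."""
    return "fsuid" in fields and fields["fsuid"] == fields.get("ouid")


def triage(line):
    """Return (profile, fsuid, ouid, verdict) for a denial, or None if not one."""
    f = parse_denial(line)
    if f is None:
        return None
    own_status = f.get("name") == "/proc/{}/status".format(f.get("pid"))
    if not own_status:
        verdict = "not the task's own /proc/<pid>/status; review separately"
    elif owner_rule_matches(f):
        verdict = "covered by: owner @{PROC}/[0-9]*/status r,"
    else:
        verdict = "owner rule cannot match (fsuid != ouid)"
    return (f.get("profile"), f.get("fsuid"), f.get("ouid"), verdict)


if __name__ == "__main__":
    for record in RECORDS:
        print(triage(record))
```

The original 10.10 denial (fsuid=117, ouid=117) is covered by the `owner` rule, while the 12.04 clamd and later freshclam denials show ouid=0, which is consistent with the report above that the denial only went away once `owner` was removed.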
