clamav blocked by apparmor in firefox (using fireclam plugin)

Bug #562831 reported by Tufty
This bug affects 3 people
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: apparmor

ubuntu karmic

Using the Firefox plugin "fireclam", which launches clamav (the clamscan executable) on any downloaded file, apparmor blocks this happening so stopping it working. Verified by stopping apparmor and the plugin works again. I see freshclam has been added, but not clamav. I contacted the developer of the plugin who isn't in a position to help but says the plugin just runs the clamscan executable, so I just really need to know how to make this happen. I tried (using a plugin already in the firefox profile as a template) adding the clamav bin and database directory access but it did not work.

Can the developers of the firefox apparmor profile (or whoever is best to do so) please either add the fireclam firefox plugin to the firefox apparmor profile, or instruct how to allow clamav access when executed in this manner?

thanks & kind regards

Tags: apparmor
Kees Cook (kees)
affects: apparmor (Ubuntu) → firefox (Ubuntu)
tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

The following added to the firefox profile would be enough to 'fix' this bug:
  /usr/bin/clamscan Ux,

However, Ubuntu ships a profile for /usr/sbin/clamd. It would be much better if the plugin could (optionally?) use clamd by reading in the contents of the file to be scanned, then opening /var/run/clamav/clamd.ctl and writing:
  SCAN <complete file contents>\n

Then checking for the output text/return code. This would allow for us to use in the firefox profile:
  /var/run/clamav/clamd.ctl w,

This allows for better security since clamscan won't be an avenue of attack.

Changed in firefox (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
status: New → Incomplete
Simon Déziel (sdeziel) wrote :

Hi Jamie,

The solution you suggest about making the plugin directly interact with the clamd socket makes sense. I have a question though: what will happen if a user downloads a DVD ISO?

Will Firefox be OOM-killed because of the memory consumption, or is it possible to do batch writing to the clamd socket?

Thanks in advance

Simon Déziel (sdeziel) wrote :

I talked with the add-on developer, Christof Efkemann.

He agreed to investigate supporting the solution suggested by Jamie. Unfortunately, he was unable to find a code example on how to access Unix domain sockets from Firefox add-ons (i.e. from JavaScript).

If someone could help him with that, maybe we could have a test version of Fireclam.
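
Added example, not part of the original thread and not Fireclam's code: clamd's INSTREAM command takes the data as length-prefixed chunks over the socket, so a client can stream a large download without holding it in memory. The socket path is the one named in this thread; the helper names and the chunk size are assumptions.

```python
import socket
import struct

CHUNK_SIZE = 64 * 1024  # assumed value; memory use stays at one chunk per read


def instream_frames(fileobj, chunk_size=CHUNK_SIZE):
    """Yield the frames of one clamd INSTREAM request for an open binary file."""
    yield b"zINSTREAM\0"  # 'z' prefix: command and reply are NUL-terminated
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        yield struct.pack("!I", len(chunk)) + chunk  # 4-byte big-endian length, then data
    yield struct.pack("!I", 0)  # zero-length chunk terminates the stream


def parse_reply(reply):
    """Map a raw clamd reply to (verdict, detail); unknown replies are errors."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        return "infected", text[: -len(" FOUND")].split(": ", 1)[-1]
    if text.endswith(": OK"):
        return "clean", ""
    return "error", text  # e.g. the size-limit error when StreamMaxLength is exceeded


def scan_stream(sock, fileobj, chunk_size=CHUNK_SIZE):
    """Stream fileobj over a connected socket and return the parsed verdict."""
    reply = b""
    try:
        for frame in instream_frames(fileobj, chunk_size):
            sock.sendall(frame)
        while not reply.endswith(b"\0"):
            data = sock.recv(4096)
            if not data:
                break
            reply += data
    except OSError as exc:
        return "error", str(exc)  # fail closed: a dropped connection is never "clean"
    return parse_reply(reply)


def scan_file(path, socket_path="/var/run/clamav/clamd.ctl"):
    """Scan a file on disk through the clamd socket named in this thread."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        with open(path, "rb") as fileobj:
            return scan_stream(sock, fileobj, CHUNK_SIZE)
```

A download larger than clamd's StreamMaxLength setting (clamd.conf) gets an error reply rather than a verdict, so a caller should treat "error" as unscanned, not as clean.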

Ron_ (ronald-liebman) wrote :

From https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/642008 ...

I am using Firefox 3.6.10 with the Fireclam 0.6.5 add-on under Ubuntu 9.10 (64 bit). I've got ClamAV Antivirus engine 0.96.1, GUI version 4.15, and my virus definitions are up-to-date.

In the past month, Synaptic has upgraded my Firefox twice -- first to 3.6.9, then to 3.6.10. Following the most recent upgrade, it seems that every download using Firefox produces a message that the file is infected.

Running sudo aa-complain /etc/apparmor.d/usr.bin.firefox, I get the following in my messages log:

Sep 20 13:38:46 RL kernel: [24988.076744] type=1505 audit(1285007926.066:46): operation="profile_replace" pid=29473 name=/usr/lib/firefox-3.6.10/firefox-*bin
Sep 20 13:38:46 RL kernel: [24988.076949] type=1505 audit(1285007926.066:47): operation="profile_replace" pid=29473 name=/usr/lib/firefox-3.6.10/firefox-*bin//firefox_java
Sep 20 13:38:46 RL kernel: [24988.077111] type=1505 audit(1285007926.066:48): operation="profile_replace" pid=29473 name=/usr/lib/firefox-3.6.10/firefox-*bin//firefox_openjdk
Sep 20 13:39:41 RL kernel: [25043.207793] type=1502 audit(1285007981.195:49): operation="exec" pid=29513 parent=29512 profile="/usr/lib/firefox-3.6.10/firefox-*bin" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 <email address hidden>/chrome/content/download_complete_notify.py" name2="/usr/lib/firefox-3.6.10/firefox-*bin//null-11"
Sep 20 13:39:41 RL kernel: [25043.221845] type=1502 audit(1285007981.215:50): operation="exec" pid=29516 parent=29512 profile="/usr/lib/firefox-3.6.10/firefox-*bin" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/clamscan" name2="/usr/lib/firefox-3.6.10/firefox-*bin//null-13"
Sep 20 13:39:41 RL kernel: [25043.228507] type=1502 audit(1285007981.215:51): operation="open" pid=29516 parent=29512 profile="/usr/lib/firefox-3.6.10/firefox-*bin//null-13" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/ld.so.cache"
Sep 20 13:39:41 RL kernel: [25043.228530] type=1502 audit(1285007981.215:52): operation="file_mmap" pid=29516 parent=29512 profile="/usr/lib/firefox-3.6.10/firefox-*bin//null-13" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/ld.so.cache"
Sep 20 13:39:41 RL kernel: [25043.228578] type=1502 audit(1285007981.215:53): operation="open" pid=29516 parent=29512 profile="/usr/lib/firefox-3.6.10/firefox-*bin//null-13" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/lib/libclamav.so.6.1.3"
Sep 20 13:39:41 RL kernel: [25043.228595] type=1502 audit(1285007981.215:54): operation="file_perm" pid=29516 parent=29512 profile="/usr/lib/firefox-3.6.10/firefox-*bin//null-13" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/lib/libclamav.so.6.1.3"
Sep 20 13:39:41 RL kernel: [25043.228621] type=1502 audit(1285007981.215:55): operation="file_mmap" pid=29516 parent=29512 profile="/usr/lib/firefox-3.6.10/firefox-*bin//null-13" requested_mask="::mr" denied_mask="::mr" fsuid=1000 ouid=0 name="/usr/lib/libclamav.so.6.1.3"
Sep 20 13:39:41 RL kernel: [25043.228644] type=1502 audit(1285007981.215:56): operation="file_mmap" pid...

Ron_ (ronald-liebman) wrote :

Following #1, I did:
  sudo gedit /etc/apparmor.d/usr.bin.firefox

adding the line (including the comma):
  /usr/bin/clamscan Ux,

This did solve it for me. Thanks.

affects: firefox (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
status: Incomplete → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.0-0ubuntu1

---------------
apparmor (2.7.0-0ubuntu1) precise; urgency=low

  * New upstream release. Fixes the following:
    - LP: #794974
    - LP: #815883
    - LP: #840973
  * Drop the following patches, included upstream:
    - af_names-generation.patch
    - 0004-adjust-logprof-log-search-order.patch
    - 0005-lp826914.patch
    - 0006-lp838275.patch
    - 0007-fix-introspection-tests.patch
  * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002
  * debian/patches/0003-commits-through-r1882.patch: several bug,
    documentation and performance fixes on our road to AppArmor 2.8
    (LP: #840734, LP: #905412)
  * debian/patches/0004-lp887992.patch: cups-client abstraction should allow
    owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions
    (LP: #887992)
  * update debian/patches/0001-add-chromium-browser.patch for deeper
    directories of /sys/devices/pci (LP: #885833)
  * debian/patches/0005-lp884748.patch: allow kate as text editor in the
    browsers abstraction (LP: #884748)
  * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access
    to ~/.fonts.conf.d (LP: #870992)
  * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py
    in the python abstraction, which is needed for apport hooks to work in
    python applications (LP: #860856)
  * debian/patches/0008-lp852062.patch: update binaries for transmission
    clients (LP: #852062)
  * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for
    Xubuntu and friends (LP: #851977)
  * debian/patches/0010-lp890894.patch: allow access to Thunar as well as
    thunar in ubuntu-integration abstraction (LP: #890894)
  * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile
    (LP: #817956)
  * debian/patches/0012-lp458922.patch: update dovecot deliver profile to
    access various .conf files for dovecot (LP: #458922)
  * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection
    (LP: #769148)
  * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv
    (LP: #904548)
  * debian/patches/0015-lp712584.patch: Nvidia users need access to
    /dev/nvidia* files for various plugins to work right. Since these are all
    focused around multimedia, add the accesses to the multimedia abstraction.
    (LP: #712584)
  * debian/patches/0016-lp562831.patch: allow fireclam plugin to work
    (LP: #562831)
  * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu
    integration browser abstraction (LP: #662906)
  * debian/patches/0018-deny-home-pki-so.patch: update private-files
    abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847)
  * debian/patches/0019-lp899963.patch: add audacity to the
    ubuntu-media-players abstraction (LP: #899963)
  * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit
    abstraction and add it to the authentication abstraction (LP: #912754)
  * debian/patches/0022-workaround-lp851986.patch: instead of using Ux
    in the ubuntu and launchpad abstractions, use a helper child profile.
    This will help work around the lack of en...


Changed in apparmor (Ubuntu):
status: In Progress → Fix Released