apparmor blocks freshclam process info after latest update

Bug #645061 reported by Micah Gersten
This bug affects 3 people
Affects: clamav (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: clamav

Sep 22 05:00:56 defiant kernel: [ 3685.854925] type=1400 audit(1285149656.699:8211): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/freshclam" name="/proc/1435/status" pid=1435 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119 ouid=119

This just started after upgrading to 0.96.3+dfsg-1ubuntu1

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: clamav-freshclam 0.96.3+dfsg-1ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Wed Sep 22 05:03:58 2010
ProcEnviron:
 PATH=(custom, no user)
 LANG=C
 SHELL=/bin/bash
SourcePackage: clamav

Micah Gersten (micahg) wrote :
Imre Gergely (cemc) wrote :

Hi

Does this affect freshclam in any way, is it not working, does it give any other errors besides this log entry?

Micah Gersten (micahg) wrote :

Updater seemed to work fine:
Received signal: wake up
ClamAV update process started at Wed Sep 22 05:00:55 2010
main.cld is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Downloading daily-11996.cdiff [100%]
daily.cld updated (version: 11996, sigs: 130710, f-level: 53, builder: arnaud)
bytecode.cvd is up to date (version: 57, sigs: 10, f-level: 53, builder: edwin)
Database updated (835447 signatures) from db.local.clamav.net (IP: 85.114.135.198)

Imre Gergely (cemc) wrote :

Confirmed on Lucid with (not yet) backported clamav 0.96.3 from clamav-ppa.

Seems like this is some new feature in 0.96.3 where freshclam (and indeed clamav-daemon too) does some checking in /proc/self and also /proc/filesystems. Attached some syslog entries which appear exactly after freshclam is done downloading .cvd files (virus definition databases).

The warnings seem to go away when adding the following line to /etc/apparmor.d/local/usr.bin.freshclam:

  /proc/** r,

This doesn't seem to be a bug in clamav but a too restrictive apparmor profile.

Thierry Carrez (ttx)
Changed in clamav (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Scott Kitterman (kitterman) wrote :

According to upstream, this is for selinux and pax detection. This permission problem doesn't affect anything, except for apparmor logs since we have neither and they wouldn't co-exist with apparmor if a user had switched to them.

The detection process opens /proc/pid/status and if it can't be opened, it assumes no pax. Then it opens /proc/filesystems and if it can't open it then it tries /proc/selinux/enforce and if that can't be opened either it assumes no selinux.

I suspect it's probably better to allow these checks because other people will see this in their logs and file bugs. Additionally, I don't like the idea of leaving a profile in place that interferes with upstream functionality even though it happens to produce the same result at the moment.

Changed in clamav (Ubuntu):
milestone: none → ubuntu-10.10
Imre Gergely (cemc) wrote :

[09/22-194642] <jdstrand> owner @{PROC}/[0-9]*/status r,
[09/22-195205] <jdstrand> cemc: /proc/filesystems r, is fine

Added these two lines to /etc/apparmor.d/usr.bin.freshclam and /etc/apparmor.d/usr.sbin.clamd, and after reloading apparmor and restarting clamav-freshclam and clamav-daemon the log entries no longer show up, apparmor doesn't complain. Seems like this fixes the problem (tested on Lucid).

Changed in clamav (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in clamav (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.96.3+dfsg-1ubuntu2

---------------
clamav (0.96.3+dfsg-1ubuntu2) maverick; urgency=low

  * debian/usr.bin.freshclam: updated to give read access to
    @{PROC}/[0-9]*/status and @{PROC}/filesystems. The latter is covered by
    the base abstraction, but we add it here to ease backporting.
    - LP: #645061
 -- Jamie Strandboge <email address hidden> Wed, 22 Sep 2010 12:28:39 -0500

Changed in clamav (Ubuntu):
status: Fix Committed → Fix Released
Jean-Pierre van Riel (jpvr) wrote :

This bug is back?

$ freshclam --version
ClamAV 0.99.2/22939/Tue Jan 24 06:19:06 2017

$ grep DENIED /var/log/kern.log
Jan 24 09:51:04 <hostname> kernel: [ 41.318809] audit: type=1400 audit(1485244264.939:43): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/5588/status" pid=5588 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=131 ouid=0

Jean-Pierre van Riel (jpvr) wrote :

Also noted, the following IS in /etc/apparmor.d/usr.bin.freshclam

@{PROC}/filesystems r,
owner @{PROC}/[0-9]*/status r,

And

$ ps -u clamav -f | more
UID PID PPID C STIME TTY TIME CMD
clamav 1348 1 0 08:38 ? 00:00:02 /usr/bin/freshclam -d --foreground=true
$ ls -l /proc/1348/status
-r--r--r-- 1 root root 0 Jan 25 08:38 /proc/1348/status

Shows that root owns the status file, not the clamav user.

Seth Arnold (seth-arnold) wrote :

Jean-Pierre, please note it'd be more useful if you filed new bugs rather than comment on bugs that were closed six years ago.

In this case this looks like https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1658239

Thanks
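
An added example, not part of the original thread and not code from ClamAV or AppArmor: a triage script that parses the two denial lines quoted in this report and checks each against the rule `owner @{PROC}/[0-9]*/status r,`. AppArmor's `owner` qualifier applies a rule only when the task's fsuid equals the file's owner uid (ouid). The function names, verdict strings and the assumption that `@{PROC}` expands to /proc belong to this example.

```python
import re

# The two AppArmor denial lines quoted in this bug report (2010 and 2017).
SAMPLE_LOG = '''\
Sep 22 05:00:56 defiant kernel: [ 3685.854925] type=1400 audit(1285149656.699:8211): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/freshclam" name="/proc/1435/status" pid=1435 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119 ouid=119
Jan 24 09:51:04 <hostname> kernel: [ 41.318809] audit: type=1400 audit(1485244264.939:43): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/5588/status" pid=5588 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=131 ouid=0
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: @{PROC} expands to /proc; AppArmor's "*" does not cross "/".
STATUS_RE = re.compile(r"^/proc/[0-9][^/]*/status$")


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def owner_rule_verdict(fields):
    """Check a denial against the rule: owner @{PROC}/[0-9]*/status r,"""
    if not STATUS_RE.match(fields.get("name", "")):
        return "path-not-covered"
    if set(fields.get("denied_mask", "")) - {"r"}:
        return "mask-not-covered"
    # "owner" makes the rule conditional on task fsuid == file owner uid.
    if fields.get("fsuid") != fields.get("ouid"):
        return "owner-mismatch"
    return "rule-missing-or-not-loaded"


def triage(log_text):
    """Return (pid, fsuid, ouid, verdict) for every file denial in log_text."""
    results = []
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields and {"pid", "fsuid", "ouid"} <= fields.keys():
            results.append((fields["pid"], int(fields["fsuid"]),
                            int(fields["ouid"]), owner_rule_verdict(fields)))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The 2010 denial has fsuid equal to ouid, so adding the `owner` rule covers it; the 2017 denial has ouid=0, so the same rule cannot match even though it is present in the profile.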
