Merge ~lvoytek/ubuntu/+source/clamav:clamav-sru-lp1925182-bionic into ubuntu/+source/clamav:ubuntu/bionic-devel

Proposed by Lena Voytek
Status: Merged
Merged at revision: a1a2f8d4a90cd5e153cd41e6f1594f1a8e004a98
Proposed branch: ~lvoytek/ubuntu/+source/clamav:clamav-sru-lp1925182-bionic
Merge into: ubuntu/+source/clamav:ubuntu/bionic-devel
Diff against target: 164 lines (+36/-60)
5 files modified
debian/changelog (+12/-0)
debian/clamav-daemon.postinst.in (+0/-25)
debian/clamav-freshclam.postinst.in (+18/-35)
debian/control (+1/-0)
debian/rules (+5/-0)
Reviewers:
  Bryce Harrington (community): Approve
  Canonical Server packageset reviewers: Pending
  Canonical Server: Pending
Review via email: mp+411886@code.launchpad.net

Description of the change

Cherry-picked from existing Debian fix for version 0.101.1+dfsg-1 at commit c284f2144560e840b6ce50eeb739dd036fec131f

  * Deploy apparmor profile before first start of freshclam daemon.
    - d/control: Add dh-apparmor as a build dependency
    - d/rules: Add dh install override to deploy apparmor profiles
    - d/clamav-daemon.postinst.in: Remove old apparmor profile deployment
    - d/clamav-freshclam.postinst.in: Remove old apparmor profile
      deployment
    Thanks to Sebastian Andrzej Siewior <email address hidden>.

PPA: ppa:lvoytek/clamav-fix-apparmor-profile-sru-bionic

Steps to test:

# lxc launch images:ubuntu/bionic test-failure
# lxc exec test-failure bash

# apt update
# apt dist-upgrade
# apt install -y apparmor apparmor-utils wget software-properties-common

- Install clamav packages of version 1 before current in bionic

# wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-freshclam_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-milter_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-testfiles_0.102.4+dfsg-0ubuntu0.18.04.1_all.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamdscan_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/libclamav-dev_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/libclamav9_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-daemon_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-docs_0.102.4+dfsg-0ubuntu0.18.04.1_all.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-base_0.102.4+dfsg-0ubuntu0.18.04.1_all.deb
# apt install -y ./*

- enforce apparmor profile for freshclam

# aa-enforce /usr/bin/freshclam

# apt update
# apt upgrade

- Check status of freshclam and notice that it was unable to restart

# systemctl status clamav-freshclam

clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/system/clamav-freshclam.service.d
           └─zzz-lxc-service.conf
   Active: failed (Result: exit-code) since Mon 2021-11-15 20:48:40 UTC; 34s ago
     Docs: man:freshclam(1)
           man:freshclam.conf(5)
           https://www.clamav.net/documents
 Main PID: 8785 (code=exited, status=2)

Nov 15 20:48:40 test-failure systemd[1]: Started ClamAV virus database updater.
Nov 15 20:48:40 test-failure freshclam[8785]: WARNING: Ignoring deprecated option SafeBrowsing at /etc/clamav/freshclam.conf:22
Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: initialize: libfreshclam init failed.
Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: Initialization error!
Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).
Nov 15 20:48:40 test-failure systemd[1]: clamav-freshclam.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Nov 15 20:48:40 test-failure systemd[1]: clamav-freshclam.service: Failed with result 'exit-code'.

- Recreate the container but this time include the updated ppa version

# lxc launch images:ubuntu/bionic test-success
# lxc exec test-success bash

# apt update
# apt dist-upgrade
# apt install -y apparmor apparmor-utils wget software-properties-common

- Install clamav packages of version 1 before current in bionic

# wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-freshclam_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-milter_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-testfiles_0.102.4+dfsg-0ubuntu0.18.04.1_all.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamdscan_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/libclamav-dev_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/libclamav9_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-daemon_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-docs_0.102.4+dfsg-0ubuntu0.18.04.1_all.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-base_0.102.4+dfsg-0ubuntu0.18.04.1_all.deb
# apt install -y ./*

- enforce apparmor profile for freshclam

# aa-enforce /usr/bin/freshclam

- Add ppa and update

# add-apt-repository ppa:lvoytek/clamav-fix-apparmor-profile-sru-bionic
# apt update
# apt upgrade

- Check status of freshclam and notice that it now starts properly

# systemctl status clamav-freshclam

clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/system/clamav-freshclam.service.d
           └─zzz-lxc-service.conf
   Active: active (running) since Mon 2021-11-15 20:53:17 UTC; 1min 22s ago
     Docs: man:freshclam(1)
           man:freshclam.conf(5)
           https://www.clamav.net/documents
 Main PID: 9122 (freshclam)
    Tasks: 1 (limit: 19010)
   CGroup: /system.slice/clamav-freshclam.service
           └─9122 /usr/bin/freshclam -d --foreground=true

Nov 15 20:53:26 test-success freshclam[9122]: Mon Nov 15 20:53:26 2021 -> daily.cvd updated (version: 26354, sigs: 1945178, f-level: 90, builder: raynman)
Nov 15 20:53:26 test-success freshclam[9122]: Mon Nov 15 20:53:26 2021 -> main database available for download (remote version: 62)
Nov 15 20:53:43 test-success freshclam[9122]: Mon Nov 15 20:53:43 2021 -> Testing database: '/var/lib/clamav/tmp.18348c295d/clamav-33ed505d397b14992fffa075c959d4f5.tmp-main.cvd' ...
Nov 15 20:53:48 test-success freshclam[9122]: Mon Nov 15 20:53:48 2021 -> Database test passed.
Nov 15 20:53:48 test-success freshclam[9122]: Mon Nov 15 20:53:48 2021 -> main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Nov 15 20:53:48 test-success freshclam[9122]: Mon Nov 15 20:53:48 2021 -> bytecode database available for download (remote version: 333)
Nov 15 20:53:48 test-success freshclam[9122]: Mon Nov 15 20:53:48 2021 -> Testing database: '/var/lib/clamav/tmp.18348c295d/clamav-4d4fb7100fb221e038730cde42d70c42.tmp-bytecode.cvd' ...
Nov 15 20:53:49 test-success freshclam[9122]: Mon Nov 15 20:53:49 2021 -> Database test passed.
Nov 15 20:53:49 test-success freshclam[9122]: Mon Nov 15 20:53:49 2021 -> bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Package Test Results:

autopkgtest [14:18:17]: @@@@@@@@@@@@@@@@@@@@ summary
clamd PASS
client PASS
milter PASS
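
The two journal excerpts in the test steps differ in a way that can be checked mechanically. The script below is an added example, not part of the merge proposal or the clamav packaging: it groups freshclam journal lines by PID and reports whether that run hit the log-file open failure or went on to update databases. The function name and verdict labels are made up for this illustration; the sample lines are taken from the output above.

```shell
#!/bin/sh
# Added example (not from the merge proposal): triage freshclam start-up per PID
# from journal text in the format shown in the test steps above.

classify_freshclam() {
    awk '
    match($0, /freshclam\[[0-9]+\]: /) {
        # "freshclam[" is 10 chars and "]: " is 3, so the PID sits in between.
        pid = substr($0, RSTART + 10, RLENGTH - 13)
        msg = substr($0, RSTART + RLENGTH)
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
        if (msg ~ /^ERROR: Can.t open .* in append mode/) {
            split(msg, w, " ")
            failed[pid] = w[4]          # path freshclam could not open
        } else if (msg ~ /^ERROR:/) {
            errors[pid]++
        } else if (msg ~ /-> [a-z]+\.cvd updated/) {
            updated[pid]++
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (p in failed)         print p, "LOGFILE_OPEN_FAILED", failed[p]
            else if (errors[p] > 0)  print p, "OTHER_ERROR", errors[p]
            else if (updated[p] > 0) print p, "UPDATING", updated[p]
            else                     print p, "UNKNOWN", "-"
        }
    }'
}

# Sample input: a few journal lines taken from the two test runs above.
sample_journal() {
    cat <<'EOF'
Nov 15 20:48:40 test-failure systemd[1]: Started ClamAV virus database updater.
Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: Initialization error!
Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).
Nov 15 20:53:48 test-success freshclam[9122]: Mon Nov 15 20:53:48 2021 -> Database test passed.
Nov 15 20:53:48 test-success freshclam[9122]: Mon Nov 15 20:53:48 2021 -> main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Nov 15 20:53:49 test-success freshclam[9122]: Mon Nov 15 20:53:49 2021 -> bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
EOF
}

sample_journal | classify_freshclam
```

On a live system the same function can read `journalctl -u clamav-freshclam -o short`. The verdict names the symptom only; it does not by itself show which access control refused the open.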

Bryce Harrington (bryce) wrote :

Looks great, and thanks for the good paint-by-numbers test case.

I verified the d/rules change in the upstream commit is not needed for bionic's version of the package, and that the postinst change matches exactly with upstream's change. I ran through the test case and verified it is accurate and I got the expected results.

Since this is all technically correct I'm going to mark this approved, however I have one recommendation on the changelog entry, and there's a couple other steps that should be done first before this lands.

With changelog entries for SRUs in particular, I like to mention what the problem was that is being solved, for two reasons. First, for users experiencing this problem it helps clue them in that this version should fix their problem (they may not know what apparmor or daemons are). Second, if someone upgrades their system and experiences some weird unrelated fault, it lets them know your change was probably not what caused it. In this case, probably could simply say "Fixes failure restarting the clamav-freshclam service during upgrades."

One step to do before we land this, is to get it landed in jammy. The SRU process will reject fixes that are missing from the current devel release (or any intervening stable release). We also don't need to deal with SRU paperwork for things landing in -devel.

But the other step is that for landing in bionic, we do need to deal with the SRU paperwork. While that's not technically _required_ in order to upload the package to bionic-proposed, it'll allow it to be reviewed as part of the MP review. Especially for your first few SRUs there's some conventions and tips to pick up in how to craft good SRUs that sail through review.

So, LGTM, approved, but before landing this MP:
1. Update the changelog to make mention of the problem being fixed
2. Create MPs with these same changes for jammy, focal, hirsute, and impish
3. Fill in the SRU template

review: Approve
Lena Voytek (lvoytek) wrote :

Added the info on the problem being fixed in the changelog. Is the formatting / amount of information on it alright?

Bryce Harrington (bryce) wrote :

Content looks great, I'd suggest moving the sentence earlier, maybe like:

  * d/clamav-freshclam.postinst.in: Deploy apparmor profile before first start
    of freshclam daemon. Fixes an error where clamav-freshclam fails to start
    automatically after an update when protected by apparmor. Thanks to
    Simon Déziel <email address hidden>.
    (LP: #1925182)

Everyone has a different style for where to put the LP #, I personally like having it at the end on a line by itself since it looks clean to me, but you'll see it done a variety of ways.

Lena Voytek (lvoytek) wrote :

Alright, got it updated. Thanks!

Bryce Harrington (bryce) wrote :

Looks good!

Grab me on mattermost if you'd like help or tips for filling in the SRU. And give me a ping once the jammy MP is ready to review.

review: Approve
Lena Voytek (lvoytek) wrote :

Found the location of the fix for this issue which was added alongside some other fixes after Bionic's release. Used that fix instead to match newer versions. Confirmed both the testing steps and autopkgtests still work.

Bryce Harrington (bryce) wrote :

Thanks for identifying the better fix. Looks good, I've sponsored the upload:

Vcs-Git: https://git.launchpad.net/~bryce/ubuntu/+source/clamav
Vcs-Git-Commit: a1a2f8d4a90cd5e153cd41e6f1594f1a8e004a98
Vcs-Git-Ref: refs/heads/clamav-sru-lp1925182-bionic

$ dput ubuntu ../clamav_0.103.2+dfsg-0ubuntu0.18.04.3_source.changes
Checking signature on .changes
gpg: ../clamav_0.103.2+dfsg-0ubuntu0.18.04.3_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: ../clamav_0.103.2+dfsg-0ubuntu0.18.04.3.dsc: Valid signature from E603B2578FB8F0FB
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading clamav_0.103.2+dfsg-0ubuntu0.18.04.3.dsc: done.
  Uploading clamav_0.103.2+dfsg-0ubuntu0.18.04.3.debian.tar.xz: done.
  Uploading clamav_0.103.2+dfsg-0ubuntu0.18.04.3_source.buildinfo: done.
  Uploading clamav_0.103.2+dfsg-0ubuntu0.18.04.3_source.changes: done.
Successfully uploaded packages.

Next step will be that it's accepted into the archive, and builds in -proposed. Keep an eye on https://launchpad.net/ubuntu/+source/clamav. After that, next thing to look at is migration issues: https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#clamav. Finally it'll go to sru review.

Most likely there won't be any problems. If there are give me a ping and we'll work through them.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index dd27093..ba246bd 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,15 @@
6+clamav (0.103.2+dfsg-0ubuntu0.18.04.3) bionic; urgency=medium
7+
8+ * Deploy apparmor profile before first start of freshclam daemon.
9+ - d/control: Add dh-apparmor as a build dependency
10+ - d/rules: Add dh install override to deploy apparmor profiles
11+ - d/clamav-daemon.postinst.in: Remove old apparmor profile deployment
12+ - d/clamav-freshclam.postinst.in: Remove old apparmor profile deployment
13+ Thanks to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>.
14+ (LP: #1925182)
15+
16+ -- Lena Voytek <lena.voytek@canonical.com> Mon, 29 Nov 2021 10:13:20 -0700
17+
18 clamav (0.103.2+dfsg-0ubuntu0.18.04.2) bionic-security; urgency=medium
19
20 * SECURITY REGRESSION: clamdscan - MULTISCAN parameter causes
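Review bot: The new changelog entry (diff lines 8 to 14) lists which packaging files changed but never states the user-visible failure being fixed. Add one sentence on the symptom, along the lines proposed in the review thread ("Fixes an error where clamav-freshclam fails to start automatically after an update when protected by apparmor"), so that someone reading the SRU changelog can tell whether this upload addresses their problem.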
21diff --git a/debian/clamav-daemon.postinst.in b/debian/clamav-daemon.postinst.in
22index db408de..64652ed 100644
23--- a/debian/clamav-daemon.postinst.in
24+++ b/debian/clamav-daemon.postinst.in
25@@ -543,31 +543,6 @@ EOF
26 ;;
27 esac
28
29-# AppArmor integration
30-if [ "$1" = "configure" ]; then
31- APP_PROFILE=/etc/apparmor.d/usr.sbin.clamd
32- if [ -f "$APP_PROFILE" ]; then
33- # Add the local/ include
34- LOCAL_APP_PROFILE=/etc/apparmor.d/local/usr.sbin.clamd
35-
36- test -e "$LOCAL_APP_PROFILE" || {
37- tmp=`mktemp`
38- cat <<EOM > "$tmp"
39-# Site-specific additions and overrides for usr.sbin.clamd.
40-# For more details, please see /etc/apparmor.d/local/README.
41-EOM
42- mkdir `dirname $LOCAL_APP_PROFILE` 2>/dev/null || true
43- mv -f "$tmp" "$LOCAL_APP_PROFILE"
44- chmod 644 "$LOCAL_APP_PROFILE"
45- }
46-
47- # Reload the profile, including any abstraction updates
48- if aa-status --enabled 2>/dev/null; then
49- apparmor_parser -r -T -W "$APP_PROFILE" || true
50- fi
51- fi
52-fi
53-
54 # dh_installdeb will replace this with shell code automatically
55 # generated by other debhelper scripts.
56
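Review bot: After the hand-written "# AppArmor integration" block is removed (diff lines 29 to 52), nothing in this script says where the clamd profile is loaded any more. The retained comment "dh_installdeb will replace this with shell code automatically" is the only hint; extend it to say that the dh_apparmor snippet is injected at that marker. The removed code also tolerated reload failures with "apparmor_parser -r -T -W "$APP_PROFILE" || true", so it is worth confirming that the generated replacement is equally non-fatal during configure.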
57diff --git a/debian/clamav-freshclam.postinst.in b/debian/clamav-freshclam.postinst.in
58index 3efcce5..8add54a 100644
59--- a/debian/clamav-freshclam.postinst.in
60+++ b/debian/clamav-freshclam.postinst.in
61@@ -33,6 +33,7 @@ FRESHCLAMLOGFILE=/var/log/clamav/freshclam.log
62 DEBCONFFILE=/var/lib/clamav/freshclam.conf
63 LOGROTFILE=/etc/logrotate.d/clamav-freshclam
64 DEBROTFILE=/var/lib/clamav/clamav-freshclam
65+DO_RUN_AS_EVALUATION=0
66
67 case "$1" in
68 configure)
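Review bot: DO_RUN_AS_EVALUATION is introduced at diff line 65 without a comment, and the name does not convey that it defers the service start until after the debhelper-generated code has run. Add a one-line comment at the initialisation explaining that it is set to 1 only in the configure branch and consumed after the #DEBHELPER# marker.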
69@@ -333,6 +334,23 @@ EOF
70 chown "$dbowner":adm $FRESHCLAMCONFFILE
71 fi
72
73+ DO_RUN_AS_EVALUATION=1
74+ ;;
75+ abort-upgrade|abort-remove|abort-deconfigure)
76+ ;;
77+ *)
78+ echo "postinst called with unknown argument \`$1'" >&2
79+ exit 1
80+ ;;
81+esac
82+
83+# dh_installdeb will replace this with shell code automatically
84+# generated by other debhelper scripts.
85+
86+#DEBHELPER#
87+
88+if [ $DO_RUN_AS_EVALUATION -eq 1 ]
89+then
90 if [ "$runas" = 'daemon' ]; then
91 update-rc.d clamav-freshclam defaults >/dev/null
92 invoke-rc.d clamav-freshclam start
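Review bot: The test at diff line 88, "if [ $DO_RUN_AS_EVALUATION -eq 1 ]", expands the variable unquoted; write it as [ "$DO_RUN_AS_EVALUATION" -eq 1 ] so the test stays well-formed if the variable is ever empty. A short comment above the block saying that the start/stop logic was moved below #DEBHELPER# so the AppArmor profile is in place before the first start would record why the case statement is closed early here.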
93@@ -349,43 +367,8 @@ EOF
94 invoke-rc.d clamav-freshclam no-daemon || true
95 update-rc.d -f clamav-freshclam disable > /dev/null 2>&1 || true
96 fi
97- ;;
98- abort-upgrade|abort-remove|abort-deconfigure)
99- ;;
100- *)
101- echo "postinst called with unknown argument \`$1'" >&2
102- exit 1
103- ;;
104-esac
105-
106-# AppArmor integration
107-if [ "$1" = "configure" ]; then
108- APP_PROFILE=/etc/apparmor.d/usr.bin.freshclam
109- if [ -f "$APP_PROFILE" ]; then
110- # Add the local/ include
111- LOCAL_APP_PROFILE=/etc/apparmor.d/local/usr.bin.freshclam
112
113- test -e "$LOCAL_APP_PROFILE" || {
114- tmp=`mktemp`
115- cat <<EOM > "$tmp"
116-# Site-specific additions and overrides for usr.bin.freshclam.
117-# For more details, please see /etc/apparmor.d/local/README.
118-EOM
119- mkdir `dirname $LOCAL_APP_PROFILE` 2>/dev/null || true
120- mv -f "$tmp" "$LOCAL_APP_PROFILE"
121- chmod 644 "$LOCAL_APP_PROFILE"
122- }
123-
124- # Reload the profile, including any abstraction updates
125- if aa-status --enabled 2>/dev/null; then
126- apparmor_parser -r -T -W "$APP_PROFILE" || true
127- fi
128- fi
129 fi
130
131-# dh_installdeb will replace this with shell code automatically
132-# generated by other debhelper scripts.
133-
134-#DEBHELPER#
135
136 exit 0
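Review bot: The removals in this hunk leave stray whitespace behind: an empty line directly before the closing "fi" (diff line 112) and two consecutive empty lines before "exit 0" (diff lines 130 and 135). Drop the extra blank lines so the tail of the script reads as one block ending in "fi", a single blank line, and "exit 0".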
137diff --git a/debian/control b/debian/control
138index 60b90a6..4bf2ebb 100644
139--- a/debian/control
140+++ b/debian/control
141@@ -11,6 +11,7 @@ Uploaders: Michael Meskes <meskes@debian.org>,
142 Build-Depends: automake,
143 check,
144 debhelper (>= 11),
145+ dh-apparmor,
146 dh-strip-nondeterminism,
147 electric-fence,
148 libbz2-dev,
149diff --git a/debian/rules b/debian/rules
150index 0f02706..6d03668 100755
151--- a/debian/rules
152+++ b/debian/rules
153@@ -144,6 +144,11 @@ endif
154 override_dh_strip:
155 dh_strip --dbgsym-migration=clamav-dbg
156
157+override_dh_install:
158+ dh_install
159+ dh_apparmor -pclamav-freshclam --profile-name=usr.bin.freshclam
160+ dh_apparmor -pclamav-daemon --profile-name=usr.sbin.clamd
161+
162 override_dh_installinit:
163 dh_installinit -pclamav-daemon
164 # Don't change the postinst/postrm scripts for clamav-freshclam, as they need non-standard code.
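Review bot: The new override_dh_install target (diff lines 157 to 160) has no comment, while the neighbouring context comment still says "Don't change the postinst/postrm scripts for clamav-freshclam, as they need non-standard code". Since dh_apparmor for -pclamav-freshclam now contributes generated code to that package's maintainer script, add a comment on the override stating that the profile handling is intentionally generated and that the hand-written postinst depends on it running at the #DEBHELPER# marker before the service start.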
