group.of.nepali.translators team mailing list archive

[Bug 1659223] Re: apparmor regression blocking freshclam process info

 

I can't reproduce this on Bionic today. I'm expecting to see a denial in
/var/log/kern.log or dmesg after installing the clamav package, but I
see none. I also tried stopping the clamav-freshclam service and running
"sudo freshclam" manually, but I still don't see a denial.

/etc/apparmor.d/usr.bin.freshclam includes abstractions/base, which
contains "@{PROC}/@{pid}/{maps,auxv,status} r". So I'd expect the open
call to work now based on Andreas' comment 1 above.

I did manage to see a denial message in Xenial though. Here, I don't see
"status" in /etc/apparmor.d/abstractions/base.

Therefore I believe this is fixed in Bionic.

It seems to me that the best way to fix this would be to add
"@{PROC}/@{pid}/{maps,auxv,status} r" to
/etc/apparmor.d/abstractions/base in an SRU to the apparmor package
in Xenial?

Having said that, since it's just a warning for clamav and doesn't cause
a functional problem, I'm not sure an SRU would be justified.

** Also affects: clamav (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: clamav (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1659223

Title:
  apparmor regression blocking freshclam process info

Status in clamav package in Ubuntu:
  Fix Released
Status in clamav source package in Xenial:
  Won't Fix

Bug description:
  Very much like, but a new regression with the same issue

  https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/645061

  The following IS in /etc/apparmor.d/usr.bin.freshclam

  @{PROC}/filesystems r,
  owner @{PROC}/[0-9]*/status r,

  And

  $ ps -u clamav -f | more
  UID PID PPID C STIME TTY TIME CMD
  clamav 1348 1 0 08:38 ? 00:00:02 /usr/bin/freshclam -d --foreground=true
  $ ls -l /proc/1348/status
  -r--r--r-- 1 root root 0 Jan 25 08:38 /proc/1348/status

  Shows that root owns the status file, not the clamav user.

  Hence denied.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1659223/+subscriptions
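
The comment above looks for a denial in /var/log/kern.log, and the bug description attributes it to root owning /proc/<pid>/status. The following is an added example, not part of the bug report or of any Ubuntu tooling: it filters AppArmor audit lines for exactly that case, where the file's owner differs from the task's fsuid so an `owner` rule cannot match. The log lines, the uid 110 standing in for the clamav user, and the function names are constructed for illustration.

```python
import re

# Constructed kern.log lines in the kernel's AppArmor audit format (not from the bug).
# fsuid=110 stands in for the clamav user; ouid=0 is root, as `ls -l` showed above.
SAMPLE_LOG = """\
Jan 25 08:38:12 host kernel: [   42.100000] audit: type=1400 audit(1485333492.100:31): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/1348/status" pid=1348 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
Jan 25 08:38:13 host kernel: [   43.200000] audit: type=1400 audit(1485333493.200:32): apparmor="ALLOWED" operation="open" profile="/usr/bin/freshclam" name="/proc/filesystems" pid=1348 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
Jan 25 08:39:01 host kernel: [   91.300000] audit: type=1400 audit(1485333541.300:33): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="value"
PROC_STATUS = re.compile(r"^/proc/\d+/status$")


def parse_denials(log_text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    events = []
    for line in log_text.splitlines():
        fields = {key: value.strip('"') for key, value in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            events.append(fields)
    return events


def owner_rule_misses(events, profile="/usr/bin/freshclam"):
    """Denied reads of /proc/<pid>/status under `profile` where the file owner
    (ouid) is not the task's fsuid, i.e. an `owner`-qualified rule cannot match."""
    hits = []
    for event in events:
        if (event.get("profile") == profile
                and PROC_STATUS.match(event.get("name", ""))
                and "r" in event.get("denied_mask", "")
                and event.get("fsuid") != event.get("ouid")):
            hits.append((int(event["pid"]), int(event["fsuid"]), int(event["ouid"])))
    return hits


if __name__ == "__main__":
    for pid, fsuid, ouid in owner_rule_misses(parse_denials(SAMPLE_LOG)):
        print(f"pid {pid}: task fsuid={fsuid}, file ouid={ouid}: "
              "owner qualifier cannot match; an unqualified read rule is needed")
```

On a real system the same functions can be pointed at the contents of /var/log/kern.log or the output of dmesg.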