
Bug#903834: clamav-freshclam: AppArmor denies access to /proc/<pid>/status


Vincas Dargis

Jul 15, 2018, 10:40:02 AM
Package: clamav-freshclam
Version: 0.100.0+dfsg-0+deb9u2
Severity: minor
Control: user pkg-appa...@lists.alioth.debian.org
Control: usertag -1 platform

Dear Maintainer,

I've discovered a DENIED message that appears (apparently) only the first time
after clamav is installed:

```
type=AVC msg=audit(1531663533.125:198): apparmor="DENIED"
operation="open" profile="/usr/bin/freshclam" name="/proc/3306/status"
pid=3306 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119
ouid=0

type=SYSCALL msg=audit(1531663533.125:198): arch=c000003e
syscall=2 success=no exit=-13 a0=7f6e643331d9 a1=0 a2=1b6 a3=0 items=0
ppid=3250 pid=3306 auid=4294967295 uid=119 gid=123 euid=119 suid=119
fsuid=119 egid=123 sgid=123 fsgid=123 tty=(none) ses=4294967295
comm="freshclam" exe="/usr/bin/freshclam" key=(null)

type=PROCTITLE
msg=audit(1531663533.125:198):
proctitle=2F7573722F62696E2F6672657368636C616D002D64002D2D666F726567726F756E643D74727565
```

That's puzzling, as `/etc/apparmor.d/usr.bin.freshclam` does contain the
relevant rule:

```
# fgrep -e status /etc/apparmor.d/usr.bin.freshclam
owner @{PROC}/[0-9]*/status r,
```

Here's the combined clamav-freshclam and auditd log:

```
journalctl | fgrep -e audit -e freshclam
Jul 15 17:05:05 debian9kde audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=clamav-freshclam comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> ClamAV update process started at Sun Jul 15 17:05:05 2018
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> ^Your ClamAV installation is OUTDATED!
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> ^Local version: 0.100.0 Recommended version: 0.100.1
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Jul 15 17:05:05 debian9kde audit[3259]: AVC apparmor="STATUS" operation="profile_replace" name="/usr/bin/freshclam" pid=3259 comm="apparmor_parser"
Jul 15 17:05:05 debian9kde audit[3259]: SYSCALL arch=c000003e syscall=1 success=yes exit=31929 a0=7 a1=55c91c13af40 a2=7cb9 a3=0 items=0 ppid=3258 pid=3259 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=3 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
Jul 15 17:05:05 debian9kde audit: PROCTITLE proctitle=61707061726D6F725F706172736572002D72002D54002D57002F6574632F61707061726D6F722E642F7573722E62696E2E6672657368636C616D
Jul 15 17:05:06 debian9kde audit[2936]: USER_END pid=2936 uid=0 auid=1000 ses=3 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jul 15 17:05:06 debian9kde audit[2936]: CRED_DISP pid=2936 uid=0 auid=1000 ses=3 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jul 15 17:05:16 debian9kde freshclam[3250]: Sun Jul 15 17:05:16 2018 -> Downloading main.cvd [100%]
Jul 15 17:05:23 debian9kde freshclam[3250]: Sun Jul 15 17:05:23 2018 -> main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Jul 15 17:05:28 debian9kde freshclam[3250]: Sun Jul 15 17:05:28 2018 -> Downloading daily.cvd [100%]
Jul 15 17:05:32 debian9kde freshclam[3250]: Sun Jul 15 17:05:32 2018 -> daily.cvd updated (version: 24755, sigs: 2014160, f-level: 63, builder: neo)
Jul 15 17:05:33 debian9kde freshclam[3250]: Sun Jul 15 17:05:33 2018 -> Downloading bytecode.cvd [100%]
Jul 15 17:05:33 debian9kde audit[3306]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/3306/status" pid=3306 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Jul 15 17:05:33 debian9kde audit[3306]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=7f6e643331d9 a1=0 a2=1b6 a3=0 items=0 ppid=3250 pid=3306 auid=4294967295 uid=119 gid=123 euid=119 suid=119 fsuid=119 egid=123 sgid=123 fsgid=123 tty=(none) ses=4294967295 comm="freshclam" exe="/usr/bin/freshclam" key=(null)
Jul 15 17:05:33 debian9kde audit: PROCTITLE proctitle=2F7573722F62696E2F6672657368636C616D002D64002D2D666F726567726F756E643D74727565
Jul 15 17:05:33 debian9kde freshclam[3250]: Sun Jul 15 17:05:33 2018 -> bytecode.cvd updated (version: 324, sigs: 89, f-level: 63, builder: neo)
Jul 15 17:05:37 debian9kde freshclam[3250]: Sun Jul 15 17:05:37 2018 -> Database updated (6580498 signatures) from db.local.clamav.net (IP: 104.16.185.138)
Jul 15 17:05:37 debian9kde freshclam[3250]: Sun Jul 15 17:05:37 2018 -> !NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf
```

Please note that there is a "profile_replace" audit message that happens
during freshclam startup. Maybe that's the culprit?

To reproduce, I just have to purge and reinstall clamav:

```
sudo apt purge --autoremove clamav
sudo apt install clamav
sudo tail -f /var/log/audit/audit.log | fgrep -eDENIED
```

I wait for about 30 seconds to see the DENIED message.

It seems to reproduce only once after initial installation.

-- Package-specific info:
--- configuration ---
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
SafeBrowsing false
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

--- data dir ---
total 162692
-rw-r--r-- 1 clamav clamav 185246 Jul 15 17:05 bytecode.cvd
-rw-r--r-- 1 clamav clamav 48503040 Jul 15 17:05 daily.cvd
-rw-r--r-- 1 clamav clamav 117892267 Jul 15 17:05 main.cvd
-rw------- 1 clamav clamav 52 Jul 15 17:05 mirrors.dat

-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-7-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages clamav-freshclam depends on:
ii clamav-base 0.100.0+dfsg-0+deb9u2
ii debconf [debconf-2.0] 1.5.61
ii dpkg 1.18.25
ii init-system-helpers 1.48
ii libc6 2.24-11+deb9u3
ii libclamav7 0.100.0+dfsg-0+deb9u2
ii libssl1.1 1.1.0f-3+deb9u2
ii logrotate 3.11.0-0.1
ii lsb-base 9.20161125
ii procps 2:3.3.12-3+deb9u1
ii ucf 3.0036
ii zlib1g 1:1.2.8.dfsg-5

clamav-freshclam recommends no packages.

Versions of packages clamav-freshclam suggests:
ii apparmor 2.11.0-3+deb9u2
pn clamav-docs <none>

-- debconf information:
clamav-freshclam/internet_interface:
clamav-freshclam/PrivateMirror:
clamav-freshclam/LogRotate: true
clamav-freshclam/Bytecode: true
clamav-freshclam/proxy_user:
clamav-freshclam/local_mirror: db.local.clamav.net
clamav-freshclam/autoupdate_freshclam: daemon
clamav-freshclam/update_interval: 24
clamav-freshclam/NotifyClamd: true
clamav-freshclam/http_proxy:
clamav-freshclam/SafeBrowsing: false

Vincas Dargis

Jul 15, 2018, 11:10:02 AM
This doesn't seem to reproduce on Sid though.

intrigeri

Jul 22, 2018, 8:20:03 AM
Vincas Dargis:
> This doesn't seem to reproduce on Sid though.

On sid, during initial installation aa-status says:

1 processes are unconfined but have a profile defined.
/usr/bin/freshclam (1573)

Looking at the Journal, it looks very much like the clamav-freshclam
service is started before the /usr/bin/freshclam AppArmor profile
is loaded.

I think this is potentially racy, which might be why the problem can't
trivially be reproduced in sid.

Cheers,
--
intrigeri

Sebastian Andrzej Siewior

Jul 22, 2018, 2:00:02 PM
On 2018-07-22 20:10:08 [+0800], intrigeri wrote:
> Looking at the Journal, it looks very much like the clamav-freshclam
> service is started before the /usr/bin/freshclam AppArmor profile
> is loaded.
>
> I think this is potentially racy, which might be why the problem can't
> trivially be reproduced in sid.

Is this something the clamav ppl need to improve, or is this a generic AppArmor /
debhelper thingy?

> Cheers,

Sebastian

intrigeri

Jul 23, 2018, 4:00:02 AM
Hi,

Sebastian Andrzej Siewior:
AFAICT dh-apparmor is not used but a similar code snippet is
hard-coded in debian/clamav-freshclam.postinst.in:
https://salsa.debian.org/clamav-team/clamav/blob/unstable/debian/clamav-freshclam.postinst.in#L360
… so dh-apparmor cannot really be blamed :)

Now, *if* dh-apparmor were used, similar code would be added in the
#DEBHELPER# section
(https://salsa.debian.org/clamav-team/clamav/blob/unstable/debian/clamav-freshclam.postinst.in#L388)
so the profile would still be loaded after the service is started, i.e. too late.

So I see two options:

- Either switch to dh-apparmor and make the code substituted to the
#DEBHELPER# placeholder run *before* the code that starts
the service. That would be best unless there's a good reason why
other debhelper-generated code should run after the other
hard-coded part of that postinst script.

- Or move the hard-coded AppArmor handling bits higher in the script
so they run before the code that starts the service.

Makes sense?

Cheers,
--
intrigeri
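
Added example (not part of this thread, and not ClamAV's or Debian's code): a short Python triage script that works on the audit records quoted in the first message and on the journal lines behind the start-order observation above. It correlates the AVC/SYSCALL/PROCTITLE records by audit serial, decodes the hex proctitle back into argv, and reports whether the unit's SERVICE_START precedes the profile_replace for /usr/bin/freshclam in the journal. It also compares fsuid with ouid on the denial, because an AppArmor `owner` rule only matches when the file's owner uid equals the accessing task's fsuid; in the quoted record they are 119 and 0, which is worth checking separately from the load-order question. The sample lines are copied from the report and embedded so the script runs offline; the function names are my own.

```python
"""Triage AppArmor DENIED records from auditd and check, from journald output,
whether a service was started before its profile was loaded.

Added example for this thread; not code from the bug report, ClamAV or Debian.
The samples below are copied from the report above and trimmed to the lines the
checks need, so the script runs offline.
"""
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL/PROCTITLE triple quoted in the report.
AUDIT_SAMPLE = """\
type=AVC msg=audit(1531663533.125:198): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/3306/status" pid=3306 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
type=SYSCALL msg=audit(1531663533.125:198): arch=c000003e syscall=2 success=no exit=-13 a0=7f6e643331d9 a1=0 a2=1b6 a3=0 items=0 ppid=3250 pid=3306 auid=4294967295 uid=119 gid=123 euid=119 suid=119 fsuid=119 egid=123 sgid=123 fsgid=123 tty=(none) ses=4294967295 comm="freshclam" exe="/usr/bin/freshclam" key=(null)
type=PROCTITLE msg=audit(1531663533.125:198): proctitle=2F7573722F62696E2F6672657368636C616D002D64002D2D666F726567726F756E643D74727565
"""

# Constructed sample: the journal lines that carry the start/load ordering.
JOURNAL_SAMPLE = """\
Jul 15 17:05:05 debian9kde audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=clamav-freshclam comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 15 17:05:05 debian9kde freshclam[3250]: Sun Jul 15 17:05:05 2018 -> ClamAV update process started at Sun Jul 15 17:05:05 2018
Jul 15 17:05:05 debian9kde audit[3259]: AVC apparmor="STATUS" operation="profile_replace" name="/usr/bin/freshclam" pid=3259 comm="apparmor_parser"
Jul 15 17:05:33 debian9kde audit[3306]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/3306/status" pid=3306 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
"""

FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
HDR_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
JOURNAL_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ \S+?\[\d+\]: (.*)$")


def parse_fields(text):
    """Flatten audit key=value text, including a nested msg='...' block, into a dict."""
    out = {}
    for key, raw in FIELD_RE.findall(text):
        if raw[:1] == "'":          # msg='...' wraps more key=value pairs
            out.update(parse_fields(raw[1:-1]))
        else:
            out[key] = raw.strip('"')
    return out


def decode_proctitle(value):
    """auditd hex-encodes proctitle when it holds NUL or spaces; argv is NUL-separated."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:              # plain quoted form: a single argument, no spaces
        return [value]
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]


def correlate(lines):
    """Group records by audit serial and summarise each AppArmor DENIED event."""
    events = defaultdict(dict)
    for line in lines:
        m = HDR_RE.match(line.strip())
        if m:
            rtype, _ts, serial, rest = m.groups()
            events[int(serial)][rtype] = parse_fields(rest)
    denials = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC", {})
        if avc.get("apparmor") != "DENIED":
            continue
        sc, pt = recs.get("SYSCALL", {}), recs.get("PROCTITLE", {})
        fsuid, ouid = int(avc.get("fsuid", -1)), int(avc.get("ouid", -1))
        denials.append({
            "serial": serial, "profile": avc.get("profile"), "path": avc.get("name"),
            "mask": avc.get("denied_mask"), "pid": avc.get("pid"), "ppid": sc.get("ppid"),
            "exe": sc.get("exe"), "argv": decode_proctitle(pt.get("proctitle", "")),
            "fsuid": fsuid, "ouid": ouid,
            # An AppArmor 'owner' rule matches only when the file's uid equals the
            # task's fsuid, so this says whether such a rule could apply at all.
            "owner_rule_can_match": fsuid == ouid,
        })
    return denials


def service_vs_profile(lines, unit, profile):
    """Return (index of first SERVICE_START for unit, index of first profile
    load/replace for profile).  journalctl prints one-second timestamps, so
    line order, which journald preserves, decides ties."""
    started = loaded = None
    for i, line in enumerate(lines):
        m = JOURNAL_RE.match(line)
        if not m:
            continue
        kind, _, rest = m.group(1).partition(" ")
        f = parse_fields(rest)
        if kind == "SERVICE_START" and f.get("unit") == unit and started is None:
            started = i
        elif (kind == "AVC" and loaded is None and f.get("name") == profile
              and f.get("operation") in ("profile_load", "profile_replace")):
            loaded = i
    return started, loaded


if __name__ == "__main__":
    for d in correlate(AUDIT_SAMPLE.splitlines()):
        print(f"audit {d['serial']}: {d['profile']} denied {d['mask']!r} on {d['path']} "
              f"(pid {d['pid']}, ppid {d['ppid']}, argv {d['argv']})")
        if not d["owner_rule_can_match"]:
            print(f"  fsuid={d['fsuid']} ouid={d['ouid']}: an 'owner' rule cannot match")
    s, l = service_vs_profile(JOURNAL_SAMPLE.splitlines(), "clamav-freshclam", "/usr/bin/freshclam")
    if s is not None and l is not None and s < l:
        print(f"journal: unit started (line {s}) before its profile was loaded (line {l})")
```

On a live system, feed `correlate()` raw records (`ausearch --raw`, or /var/log/audit/audit.log as in the reproduction steps above) and `service_vs_profile()` plain `journalctl` output; a start index lower than the load index is the ordering described above.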

Vincas Dargis

Nov 8, 2018, 12:30:02 PM
Ping?

Andrzej Siewior

Nov 8, 2018, 5:10:03 PM
On 2018-11-08 19:24:28 [+0200], Vincas Dargis wrote:
> Ping?

Ehm. So I assumed that I had taken care of this. But it seems I have
not. Sorry.
I doubt I can make it this week, and I will be gone next week, but I will try
to look at this once I get back.

Should nothing happen within reasonable time feel free to ping again.

Sebastian