Bug#959915: redundant freshclam profile since it's shipped in-package

John Scott-3
Package: apparmor-profiles-extra
Version: 1.27
Severity: minor

Hi,

An experimental freshclam profile is provided at
 /usr/share/apparmor/extra-profiles/usr.bin.freshclam, but clamav-freshclam
provides its own more recent one in enforce mode at /etc/aa.d/ and has been
for a while.

Please remove this one.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (2, 'unstable'), (1, 'testing-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor-profiles-extra depends on:
ii  apparmor  2.13.4-1+b1

apparmor-profiles-extra recommends no packages.

apparmor-profiles-extra suggests no packages.

-- no debconf information


Bug#959915: redundant freshclam profile since it's shipped in-package

intrigeri-4
Control: tag -1 + pending

Hi John & others,

John Scott (2020-05-06):
> An experimental freshclam profile is provided at
>  /usr/share/apparmor/extra-profiles/usr.bin.freshclam, but clamav-freshclam
> provides its own more recent one in enforce mode at /etc/aa.d/ and has been
> for a while.

Indeed, good catch!

FTR, here's the profile shipped in the clamav-freshclam package:
https://salsa.debian.org/clamav-team/clamav/-/blob/unstable/debian/usr.bin.freshclam
It has been updated a few times in the last few years.

And here's the upstream one from the AppArmor project:
https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/usr.bin.freshclam
It has been updated once in the last 10 years.

I would love to see cross-distro collaboration on this profile, but
our current infrastructure & processes are not ready for that yet,
and I lack time/energy to push this forward myself.
So for the time being:

> Please remove this one.

This makes sense to me:
/usr/share/apparmor/extra-profiles/usr.bin.freshclam
gives no benefit to Debian users and instead it can cause confusion.

The next upload won't include
/usr/share/apparmor/extra-profiles/usr.bin.freshclam

Cheers!


Bug#959915: [pkg-apparmor] Bug#959915: redundant freshclam profile since it's shipped in-package

Christian Boltz-6
Hello,

On Monday, 25 May 2020, 11:22:01 CEST, intrigeri wrote:
> FTR, here's the profile shipped in the clamav-freshclam package:
> https://salsa.debian.org/clamav-team/clamav/-/blob/unstable/debian/usr.bin.freshclam
> It has been updated a few times in the last few years.
>
> And here's the upstream one from the AppArmor project:
> https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/usr.bin.freshclam
> It has been updated once in the last 10 years.

... and it works on my openSUSE servers (and nobody reported issues from
other distros), which means there was no reason for additional updates
;-)

> I would love to see cross-distro collaboration on this profile, but
> our current infrastructure & processes are not ready for that yet,
> and I lack time/energy to push this forward myself.

I compared both profiles, and to cover both Debian and openSUSE, you'd
need to add the following lines to the Debian profile:


  #include <abstractions/consoles>   # rule exists since the original
                # profile version in 2006, no idea if it's really needed

  # openSUSE configfile paths
  /etc/clamd.conf r,
  /etc/freshclam.conf r,

I'd recommend changing the pidfile rule to have the owner restriction
if possible:
  #    /{,var/}run/clamav/freshclam.pid w,  # from Debian profile
  owner /{,var/}run/clamav/freshclam.pid w,  # upstream profiles/extra

I also wonder about ~/.clamtk/db/ and ~/.klamav/database/ (which I
obviously don't need for server usage) - but I'm sure Jamie had good
reasons to allow that ;-)


If you open a merge request upstream, I'll happily review it ;-)
Feel free to commit the Debian profile + the additional rules listed
above - that's probably easier than integrating the profiles the other
way round.


Regards,

Christian Boltz
--
>> emoenke@ftp4:4 /mirr/bin > du -s /pub/opensuse/distribution/*
> Using `du -sh` might be more readable. ;-)
Not for me - only for so called "humans".
[> houghi and Eberhard Moenkeberg in opensuse]
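
Added example, not part of the thread and not code from Debian or the AppArmor project: shell functions for the two checks this bug turns on, namely finding a profile that exists both as a reference copy and as an active one, and listing the rules one copy has that the other lacks. The function names and the sample profile contents are constructed for illustration; they are not the real Debian or upstream freshclam profiles.

```shell
# Added example; profile contents below are constructed samples, not the real profiles.
# Print a profile's rules one per line: comments and indentation stripped,
# "#include" lines kept (directives, not comments), whitespace squeezed, sorted.
normalize_rules() {
  sed -E \
    -e 's/^[[:space:]]+//' \
    -e '/^#include[[:space:]]/!s/[[:space:]]*#.*$//' \
    -e '/^#include[[:space:]]/s/>[[:space:]]+#.*$/>/' \
    -e 's/[[:space:]]+$//; s/[[:space:]]+/ /g; /^$/d' "$1" | LC_ALL=C sort -u
}

# Rules present in profile $1 but missing from profile $2.
rules_only_in() {
  a=$(mktemp) && b=$(mktemp) || return 1
  normalize_rules "$1" >"$a"
  normalize_rules "$2" >"$b"
  LC_ALL=C comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Profile file names present in both directories ($1 reference copies, $2 active).
shadowed_profiles() {
  for f in "$1"/*; do
    if [ -f "$f" ] && [ -f "$2/${f##*/}" ]; then echo "${f##*/}"; fi
  done
}

# Constructed sample tree: a reference copy and an active copy of one profile.
make_sample() {
  mkdir -p "$1/extra" "$1/active"
  cat >"$1/extra/usr.bin.freshclam" <<'EOF'
/usr/bin/freshclam {
  #include <abstractions/consoles>   # kept: directive, not a comment
  /etc/freshclam.conf r,
  owner /{,var/}run/clamav/freshclam.pid w,  # owner-restricted form
}
EOF
  cat >"$1/active/usr.bin.freshclam" <<'EOF'
/usr/bin/freshclam {
  # constructed copy without the owner qualifier
  /{,var/}run/clamav/freshclam.pid w,
}
EOF
}

d=$(mktemp -d) && make_sample "$d"
shadowed_profiles "$d/extra" "$d/active"
rules_only_in "$d/extra/usr.bin.freshclam" "$d/active/usr.bin.freshclam"
rm -rf "$d"
```

On a real system the two directory arguments would be /usr/share/apparmor/extra-profiles and the directory holding the loaded profiles; a rule that differs only by the `owner` qualifier shows up once in each direction of the comparison.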