Bug 1464269 - PrivateTmp = true breaks all ScanOnAccess features
PrivateTmp = true breaks all ScanOnAccess features
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: clamav (Show other bugs)
27
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Sergio Monteiro Basto
Fedora Extras Quality Assurance
:
: 1464270 (view as bug list)
Depends On:
Blocks: 1464270
  Show dependency treegraph
 
Reported: 2017-06-22 16:57 EDT by James Ralston
Modified: 2018-01-25 02:14 EST (History)
5 users (show)

See Also:
Fixed In Version: clamav-0.99.2-18.fc27
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1464270 (view as bug list)
Environment:
Last Closed: 2018-01-25 02:14:58 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description James Ralston 2017-06-22 16:57:53 EDT
"PrivateTmp = true" was added to the clamd@.service unit file per request of Dan Walsh in bug 782488.

Since version 0.99, Clam AntiVirus has been able to use fanotify() in order to provide on-access scanning:

http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Unfortunately, using "PrivateTmp = true" silently breaks all on-access scanning features. Not only does on-access scanning for /tmp and /var/tmp not work (because the clamd service is not looking at the real /tmp and /var/tmp directories), but all other uses of OnAccessIncludePath and OnAccessMountPath silently fail as well.

This is trivial to test. As root:

$ cat >/etc/clamd.d/root.conf <<EOF
ExtendedDetectionInfo yes
LocalSocket /var/run/clamd.sock
ScanOnAccess yes
OnAccessExcludeUID 0
OnAccessExtraScanning yes
OnAccessMountPath /home
OnAccessMountPath /tmp
OnAccessMountPath /var/tmp
EOF

$ systemctl start clamd@root

As a regular user, cd to your home directory, and do:

$ cat >/home/testuser/eicar.com <<EOF
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF

Result: the clamd daemon will not receive a fanotify event, and therefore will not detect the creation of the test virus file.

Now turn off the PrivateTmp feature. As root:

$ cat >/etc/systemd/system/clamd@.service
.include /usr/lib/systemd/system/clamd@.service

[Service]
PrivateTmp = false
EOF

$ systemctl daemon-reload
$ systemctl restart clamd@root

As the regular user, cat the eicar.com test file:

$ cat eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now, the clam daemon will receive the fanotify event, and emit something like this:

2017-06-22T16:41:41.758517-04:00 host.example.org clamd: ScanOnAccess: /home/testuser/eicar.com: Eicar-Test-Signature(69630e4574ec6798239b091cda43dca0:69) FOUND

While in general, "PrivateTmp = true" is a good idea, it *MUST NOT* be used with clamav, because a service with PrivateTmp = true will never receive any fanotify() events, which breaks clamav core functionality.

Please remove the "PrivateTmp = true" line from the clamd@.service file.
Comment 1 Fedora Admin XMLRPC Client 2017-07-12 22:21:03 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Fedora Admin XMLRPC Client 2017-07-17 08:48:05 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 3 Jan Kurik 2017-08-15 04:22:50 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 4 Sergio Monteiro Basto 2018-01-07 21:01:12 EST
*** Bug 1464270 has been marked as a duplicate of this bug. ***
Comment 5 Fedora Update System 2018-01-08 21:22:15 EST
clamav-0.99.2-15.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc
Comment 6 Fedora Update System 2018-01-09 12:43:57 EST
clamav-0.99.2-15.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc
Comment 7 Fedora Update System 2018-01-09 19:13:52 EST
clamav-0.99.2-16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc
Comment 8 Fedora Update System 2018-01-10 11:12:43 EST
clamav-0.99.2-16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-546d6f3abc
Comment 9 Fedora Update System 2018-01-11 21:52:17 EST
clamav-0.99.2-17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e5e5ec6ca2
Comment 10 Fedora Update System 2018-01-11 22:07:56 EST
clamav-0.99.2-17.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-1713497ca1
Comment 11 Fedora Update System 2018-01-12 10:14:32 EST
clamav-0.99.2-17.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-1713497ca1
Comment 12 Fedora Update System 2018-01-12 10:51:50 EST
clamav-0.99.2-17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e5e5ec6ca2
Comment 13 Fedora Update System 2018-01-17 16:37:21 EST
clamav-0.99.2-18.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a1f469c85
Comment 14 Fedora Update System 2018-01-17 16:40:28 EST
clamav-0.99.2-18.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-11ba3bced1
Comment 15 Fedora Update System 2018-01-17 19:32:20 EST
clamav-0.99.2-18.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-11ba3bced1
Comment 16 Fedora Update System 2018-01-17 21:12:17 EST
clamav-0.99.2-18.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a1f469c85
Comment 17 Fedora Update System 2018-01-25 02:14:58 EST
clamav-0.99.2-18.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.