1464270 – PrivateTmp = true breaks all ScanOnAccess features

Bug 1464270 - PrivateTmp = true breaks all ScanOnAccess features

Summary: PrivateTmp = true breaks all ScanOnAccess features

Keywords:
Status:	CLOSED DUPLICATE of bug 1464269
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	clamav
Sub Component:
Version:	epel7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Robert Scheck
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:	1464269
Blocks:
TreeView+	depends on / blocked

Reported:	2017-06-22 20:59 UTC by James Ralston
Modified:	2018-01-08 02:01 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1464269
Environment:
Last Closed:	2018-01-08 02:01:12 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description James Ralston 2017-06-22 20:59:54 UTC

+++ This bug was initially created as a clone of Bug #1464269 +++

"PrivateTmp = true" was added to the clamd@.service unit file per request of Dan Walsh in bug 782488.

Since version 0.99, Clam AntiVirus has been able to use fanotify() in order to provide on-access scanning:

http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Unfortunately, using "PrivateTmp = true" silently breaks all on-access scanning features. Not only does on-access scanning for /tmp and /var/tmp not work (because the clamd service is not looking at the real /tmp and /var/tmp directories), but all other uses of OnAccessIncludePath and OnAccessMountPath silently fail as well.

This is trivial to test. As root:

$ cat >/etc/clamd.d/root.conf <<EOF
ExtendedDetectionInfo yes
LocalSocket /var/run/clamd.sock
ScanOnAccess yes
OnAccessExcludeUID 0
OnAccessExtraScanning yes
OnAccessMountPath /home
OnAccessMountPath /tmp
OnAccessMountPath /var/tmp
EOF

$ systemctl start clamd@root

As a regular user, cd to your home directory, and do:

$ cat >/home/testuser/eicar.com <<EOF
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF

Result: the clamd daemon will not receive a fanotify event, and therefore will not detect the creation of the test virus file.

Now turn off the PrivateTmp feature. As root:

$ cat >/etc/systemd/system/clamd@.service
.include /usr/lib/systemd/system/clamd@.service

[Service]
PrivateTmp = false
EOF

$ systemctl daemon-reload
$ systemctl restart clamd@root

As the regular user, cat the eicar.com test file:

$ cat eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now, the clam daemon will receive the fanotify event, and emit something like this:

2017-06-22T16:41:41.758517-04:00 host.example.org clamd: ScanOnAccess: /home/testuser/eicar.com: Eicar-Test-Signature(69630e4574ec6798239b091cda43dca0:69) FOUND

While in general, "PrivateTmp = true" is a good idea, it *MUST NOT* be used with clamav, because a service with PrivateTmp = true will never receive any fanotify() events, which breaks clamav core functionality.

Please remove the "PrivateTmp = true" line from the clamd@.service file.

Comment 1 Sergio Basto 2018-01-08 02:01:12 UTC


*** This bug has been marked as a duplicate of bug 1464269 ***

Note You need to log in before you can comment on or make changes to this bug.