[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-19-g13bc00a
Michael Tautschnig
mt at debian.org
Fri Mar 27 12:26:42 UTC 2009
The following commit has been merged in the debian/unstable branch:
commit 13bc00a50127e53a04d337167b48c6c397abd24f
Author: Michael Tautschnig <mt at debian.org>
Date: Fri Mar 27 13:24:57 2009 +0100
Applied Scott's apparmor patch
Signed-off-by: Michael Tautschnig <mt at debian.org>
diff --git a/debian/README.Debian b/debian/README.Debian
index 11af79b..31241fb 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -268,3 +268,11 @@ CLAMAV-MILTER
or if clamd is on a different machine
OPTIONS="--max-children=2 --server=192.168.1.9"
+APPARMOR PROFILES
+
+ If your system uses apparmor, please note that the shipped enforcing profile
+ works with the default installation, and changes in your configuration may
+ require changes to the installed apparmor profile. Please see
+ https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
+ software.
+
diff --git a/debian/changelog b/debian/changelog
index 79ad3d9..5e4d121 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,9 @@ clamav (0.95+dfsg-2) unstable; urgency=low
* Try to preseed clamav-milter.conf with options from clamd.conf where
possible
+ [ Scott Kitterman ]
+ * Added apparmor profile and code to install it.
+
-- Stephen Gran <sgran at debian.org> Thu, 26 Mar 2009 23:18:02 -0400
clamav (0.95+dfsg-1) unstable; urgency=low
diff --git a/debian/clamav-daemon.dirs b/debian/clamav-daemon.dirs
index e330313..46a0e34 100644
--- a/debian/clamav-daemon.dirs
+++ b/debian/clamav-daemon.dirs
@@ -3,3 +3,4 @@ etc/clamav
etc/clamav/virusevent.d
usr/sbin/
usr/share/bug/clamav-daemon
+etc/apparmor.d/force-complain
diff --git a/debian/clamav-daemon.install b/debian/clamav-daemon.install
index c71366a..997bd99 100644
--- a/debian/clamav-daemon.install
+++ b/debian/clamav-daemon.install
@@ -2,3 +2,4 @@ debian/tmp/usr/sbin/clamd
debian/tmp/usr/bin/clamdscan
debian/tmp/usr/bin/clamconf
debian/script usr/share/bug/clamav-daemon/
+debian/usr.sbin.clamd etc/apparmor.d/
diff --git a/debian/clamav-daemon.postinst.in b/debian/clamav-daemon.postinst.in
index a75d2c6..e2566b7 100644
--- a/debian/clamav-daemon.postinst.in
+++ b/debian/clamav-daemon.postinst.in
@@ -73,6 +73,11 @@ case "$1" in
fi
fi
+ # Reload AppArmor profile
+ if [ -x /etc/init.d/apparmor ]; then
+ invoke-rc.d apparmor force-reload || true
+ fi
+
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
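Review bot: The added `invoke-rc.d apparmor force-reload || true` discards a failed reload, so an install can finish with the new profile not loaded and nothing telling the admin that clamd is running unconfined or under a stale profile. Keeping it non-fatal but visible is enough, e.g. `invoke-rc.d apparmor force-reload || echo "warning: AppArmor profile reload failed" >&2`. A profile attaches when the binary is exec'd, so if the daemon is started earlier in this case arm (which begins outside the hunk) it would stay outside the profile until its next restart; the ordering is worth confirming. The same block is added in debian/clamav-freshclam.postinst.in.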
diff --git a/debian/clamav-daemon.postrm b/debian/clamav-daemon.postrm
index 23fbde6..466f16c 100644
--- a/debian/clamav-daemon.postrm
+++ b/debian/clamav-daemon.postrm
@@ -29,6 +29,8 @@ case "$1" in
rm -f $LOGROTATE_FILE
fi
fi
+
+ rm -f /etc/apparmor.d/force-complain/usr.sbin.clamd >/dev/null 2>&1 || true
;;
remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
;;
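Review bot: On the added `rm -f /etc/apparmor.d/force-complain/usr.sbin.clamd >/dev/null 2>&1 || true`, `rm -f` is already silent when the link is absent, so the redirection only hides real failures such as a read-only /etc. `rm -f /etc/apparmor.d/force-complain/usr.sbin.clamd || true` keeps the step best-effort while letting the error message through. The enclosing case arm starts outside the hunk, and the matching line in debian/clamav-freshclam.postrm has the same issue.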
diff --git a/debian/clamav-daemon.preinst b/debian/clamav-daemon.preinst
new file mode 100644
index 0000000..d60c5ef
--- /dev/null
+++ b/debian/clamav-daemon.preinst
@@ -0,0 +1,35 @@
+#! /bin/sh
+# preinst script for #PACKAGE#
+#
+
+set -e
+
+APP_PROFILE="usr.sbin.clamd"
+APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
+if [ "$1" = "upgrade" ]; then
+ mkdir -p `dirname $APP_COMPLAIN` 2>/dev/null || true
+ if dpkg --compare-versions $2 lt 0.92.1~dfsg2-1.1~feisty3 ; then
+ # force-complain for pre-apparmor upgrades
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+ elif dpkg --compare-versions $2 lt 0.93.3.dfsg-1ubuntu1 ; then
+ if [ -e "$APP_CONFFILE" ]; then
+ md5sum="`md5sum \"$APP_CONFFILE\" | sed -e \"s/ .*//\"`"
+ pkg_md5sum="`sed -n -e \"/^Conffiles:/,/^[^ ]/{\\\\' $APP_CONFFILE'{s/.* //;p}}\" /var/lib/dpkg/status`"
+ if [ "$md5sum" = "$pkg_md5sum" ]; then
+ # force-complain on upgrade from pre-shipped profile and
+ # existing profile is same as in conffiles
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+ fi
+ else
+ # force-complain on upgrade from pre-shipped profile and
+ # there is no existing profile
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+ fi
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
+
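Review bot: Once one of the `ln -sf $APP_CONFFILE $APP_COMPLAIN` branches runs, nothing in this commit removes the force-complain link again except the postrm purge line, so an upgraded system appears to stay in complain mode (log only, no enforcement) indefinitely while README.Debian describes an enforcing profile. A header comment stating when the link is expected to be removed, or a matching README sentence, would make that state visible to admins. Separately, `$2`, `$APP_CONFFILE` and `$APP_COMPLAIN` are expanded unquoted; `dpkg --compare-versions "$2" lt ...` and `ln -sf "$APP_CONFFILE" "$APP_COMPLAIN"` are safer. debian/clamav-freshclam.preinst is the same script with a different profile name and has both issues.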
diff --git a/debian/clamav-freshclam.install b/debian/clamav-freshclam.install
index 163c289..0c6b07c 100644
--- a/debian/clamav-freshclam.install
+++ b/debian/clamav-freshclam.install
@@ -4,3 +4,4 @@ debian/clamav-freshclam-ifupdown etc/network/if-down.d/
debian/clamav-freshclam-ifupdown etc/ppp/ip-up.d/
debian/clamav-freshclam-ifupdown etc/ppp/ip-down.d/
debian/script usr/share/bug/clamav-freshclam/
+debian/usr.bin.freshclam etc/apparmor.d/
diff --git a/debian/clamav-freshclam.postinst.in b/debian/clamav-freshclam.postinst.in
index 15a3919..645c661 100644
--- a/debian/clamav-freshclam.postinst.in
+++ b/debian/clamav-freshclam.postinst.in
@@ -242,6 +242,11 @@ EOF
chown "$dbowner":adm $FRESHCLAMCONFFILE
+ # Reload AppArmor profile
+ if [ -x /etc/init.d/apparmor ]; then
+ invoke-rc.d apparmor force-reload || true
+ fi
+
if [ "$runas" = 'daemon' ]; then
if [ -x "/etc/init.d/clamav-freshclam" ]; then
update-rc.d clamav-freshclam defaults >/dev/null
diff --git a/debian/clamav-freshclam.postrm b/debian/clamav-freshclam.postrm
index e746dfa..a06e086 100644
--- a/debian/clamav-freshclam.postrm
+++ b/debian/clamav-freshclam.postrm
@@ -52,6 +52,8 @@ case "$1" in
[ ! -d "${workdir}/main.inc/" ] || rmdir --ignore-fail-on-non-empty ${workdir}/main.inc/
[ ! -d "${workdir}/daily.inc/" ] || rmdir --ignore-fail-on-non-empty ${workdir}/daily.inc/
update-rc.d clamav-freshclam remove >/dev/null
+
+ rm -f /etc/apparmor.d/force-complain/usr.bin.freshclam >/dev/null 2>&1 || true
;;
remove)
rm -f /var/lib/clamav/main.cvd /var/lib/clamav/main.cld
diff --git a/debian/clamav-freshclam.preinst b/debian/clamav-freshclam.preinst
new file mode 100644
index 0000000..b7fc851
--- /dev/null
+++ b/debian/clamav-freshclam.preinst
@@ -0,0 +1,35 @@
+#! /bin/sh
+# preinst script for #PACKAGE#
+#
+
+set -e
+
+APP_PROFILE="usr.bin.freshclam"
+APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
+if [ "$1" = "upgrade" ]; then
+ mkdir -p `dirname $APP_COMPLAIN` 2>/dev/null || true
+ if dpkg --compare-versions $2 lt 0.92.1~dfsg2-1.1~feisty3 ; then
+ # force-complain for pre-apparmor upgrades
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+ elif dpkg --compare-versions $2 lt 0.93.3.dfsg-1ubuntu1 ; then
+ if [ -e "$APP_CONFFILE" ]; then
+ md5sum="`md5sum \"$APP_CONFFILE\" | sed -e \"s/ .*//\"`"
+ pkg_md5sum="`sed -n -e \"/^Conffiles:/,/^[^ ]/{\\\\' $APP_CONFFILE'{s/.* //;p}}\" /var/lib/dpkg/status`"
+ if [ "$md5sum" = "$pkg_md5sum" ]; then
+ # force-complain on upgrade from pre-shipped profile and
+ # existing profile is same as in conffiles
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+ fi
+ else
+ # force-complain on upgrade from pre-shipped profile and
+ # there is no existing profile
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+ fi
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
+
diff --git a/debian/usr.bin.freshclam b/debian/usr.bin.freshclam
new file mode 100644
index 0000000..c2bd946
--- /dev/null
+++ b/debian/usr.bin.freshclam
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <jamie at ubuntu.com>
+# Last Modified: Sun Aug 3 09:39:03 2008
+
+#include <tunables/global>
+
+/usr/bin/freshclam {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ capability setgid,
+ capability setuid,
+
+ /etc/clamav/clamd.conf r,
+ /etc/clamav/freshclam.conf r,
+ /etc/clamav/onerrorexecute.d/* mr,
+ /etc/clamav/onupdateexecute.d/* mr,
+ /etc/clamav/virusevent.d/* mr,
+
+ owner /home/*/.clamtk/db/daily.cld r,
+ owner /home/*/.clamtk/db/freshclam.log wk,
+ owner /home/*/.clamtk/db/main.cld r,
+
+ /usr/bin/freshclam mr,
+
+ /var/lib/clamav/ r,
+ /var/lib/clamav/** krw,
+
+ /var/log/clamav/* kw,
+ /var/run/clamav/freshclam.pid w,
+ /var/run/clamav/clamd.ctl w,
+
+ deny /var/run/samba/gencache.tdb mrwkl,
+}
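Review bot: The three `owner /home/*/.clamtk/db/...` rules hard-code `/home`, so users whose home directory lives elsewhere fall outside them. The profile already includes `<tunables/global>`, which normally provides the home tunable, so `owner @{HOME}/.clamtk/db/daily.cld r,` (and likewise for the other two) would follow the system's configuration. The `deny /var/run/samba/gencache.tdb mrwkl,` rule has no comment; a line such as `# silence denials from nameservice lookups touching the samba cache` would help, if that is indeed its purpose.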
diff --git a/debian/usr.sbin.clamd b/debian/usr.sbin.clamd
new file mode 100644
index 0000000..2f4da35
--- /dev/null
+++ b/debian/usr.sbin.clamd
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <jamie at ubuntu.com>
+# Last Modified: Sun Aug 3 09:39:03 2008
+
+#include <tunables/global>
+
+/usr/sbin/clamd {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ /etc/clamav/clamd.conf r,
+
+ /usr/sbin/clamd mr,
+
+ /tmp/ rw,
+ /tmp/** krw,
+
+ /var/lib/clamav/ r,
+ /var/lib/clamav/** krw,
+ /var/log/clamav/* krw,
+
+ /var/run/clamav/clamd.ctl w,
+ /var/run/clamav/clamd.pid w,
+
+ /var/spool/clamsmtp/* r,
+
+ # For amavisd-new integration
+ /var/lib/amavis/tmp/** r,
+
+ # For use with exim
+ /var/spool/exim4/** r,
+}
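Review bot: `/tmp/ rw,` and `/tmp/** krw,` let a confined clamd write and lock any file under /tmp that DAC permits, which is broader than the `<abstractions/user-tmp>` include used in the freshclam profile. If clamd only needs to read other users' files there for scanning, splitting the rule into `/tmp/** r,` and `owner /tmp/** krw,` would limit write access to its own temporary files. The read rules cover only a few spool directories, so a comment at the top such as `# scanning paths outside the directories listed here requires a local rule` would save admins a debugging round.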
--
Debian repository for ClamAV