[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-19-g13bc00a

Michael Tautschnig mt at debian.org
Fri Mar 27 12:26:42 UTC 2009


The following commit has been merged in the debian/unstable branch:
commit 13bc00a50127e53a04d337167b48c6c397abd24f
Author: Michael Tautschnig <mt at debian.org>
Date:   Fri Mar 27 13:24:57 2009 +0100

    Applied Scott's apparmor patch
    
    Signed-off-by: Michael Tautschnig <mt at debian.org>

diff --git a/debian/README.Debian b/debian/README.Debian
index 11af79b..31241fb 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -268,3 +268,11 @@ CLAMAV-MILTER
   or if clamd is on a different machine
      OPTIONS="--max-children=2 --server=192.168.1.9"
 
+APPARMOR PROFILES
+  
+  If your system uses apparmor, please note that the shipped enforcing profile
+  works with the default installation, and changes in your configuration may
+  require changes to the installed apparmor profile. Please see
+  https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
+  software.
+
diff --git a/debian/changelog b/debian/changelog
index 79ad3d9..5e4d121 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,9 @@ clamav (0.95+dfsg-2) unstable; urgency=low
   * Try to preseed clamav-milter.conf with options from clamd.conf where
     possible
 
+  [ Scott Kitterman ]
+  * Added apparmor profile and code to install it.
+
  -- Stephen Gran <sgran at debian.org>  Thu, 26 Mar 2009 23:18:02 -0400
 
 clamav (0.95+dfsg-1) unstable; urgency=low
diff --git a/debian/clamav-daemon.dirs b/debian/clamav-daemon.dirs
index e330313..46a0e34 100644
--- a/debian/clamav-daemon.dirs
+++ b/debian/clamav-daemon.dirs
@@ -3,3 +3,4 @@ etc/clamav
 etc/clamav/virusevent.d
 usr/sbin/
 usr/share/bug/clamav-daemon
+etc/apparmor.d/force-complain
diff --git a/debian/clamav-daemon.install b/debian/clamav-daemon.install
index c71366a..997bd99 100644
--- a/debian/clamav-daemon.install
+++ b/debian/clamav-daemon.install
@@ -2,3 +2,4 @@ debian/tmp/usr/sbin/clamd
 debian/tmp/usr/bin/clamdscan
 debian/tmp/usr/bin/clamconf
 debian/script usr/share/bug/clamav-daemon/
+debian/usr.sbin.clamd etc/apparmor.d/
diff --git a/debian/clamav-daemon.postinst.in b/debian/clamav-daemon.postinst.in
index a75d2c6..e2566b7 100644
--- a/debian/clamav-daemon.postinst.in
+++ b/debian/clamav-daemon.postinst.in
@@ -73,6 +73,11 @@ case "$1" in
     fi
   fi
 
+  # Reload AppArmor profile
+  if [ -x /etc/init.d/apparmor ]; then
+    invoke-rc.d apparmor force-reload || true
+  fi
+
   ;;
   abort-upgrade|abort-remove|abort-deconfigure)
   ;;
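Review bot: The `|| true` after `invoke-rc.d apparmor force-reload` hides a profile that fails to parse or load, so the package configures cleanly while clamd may be left running without its profile. Keeping the step best-effort but visible would be enough, e.g. `invoke-rc.d apparmor force-reload || echo "Warning: AppArmor profile reload failed" >&2`. A newly loaded profile generally does not attach to a process that is already running, so the reload needs to happen before the daemon is (re)started. The case arm begins and the daemon start logic sits outside this hunk, so that ordering cannot be confirmed from here. The identical block added to debian/clamav-freshclam.postinst.in has the same issue.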
diff --git a/debian/clamav-daemon.postrm b/debian/clamav-daemon.postrm
index 23fbde6..466f16c 100644
--- a/debian/clamav-daemon.postrm
+++ b/debian/clamav-daemon.postrm
@@ -29,6 +29,8 @@ case "$1" in
       rm -f $LOGROTATE_FILE
     fi
   fi
+
+  rm -f /etc/apparmor.d/force-complain/usr.sbin.clamd >/dev/null 2>&1 || true
   ;;
   remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
   ;;
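Review bot: On the added `rm -f … >/dev/null 2>&1 || true` line, `rm -f` is already silent when the link does not exist, so the redirect only hides genuine failures such as a read-only filesystem. Keeping `|| true` so the maintainer script cannot fail is reasonable, but dropping `>/dev/null 2>&1` would leave the error message visible: `rm -f /etc/apparmor.d/force-complain/usr.sbin.clamd || true`. The start of the case arm is outside the hunk, so which action this runs under is inferred from context only. The same line is added to debian/clamav-freshclam.postrm.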
diff --git a/debian/clamav-daemon.preinst b/debian/clamav-daemon.preinst
new file mode 100644
index 0000000..d60c5ef
--- /dev/null
+++ b/debian/clamav-daemon.preinst
@@ -0,0 +1,35 @@
+#! /bin/sh
+# preinst script for #PACKAGE#
+#
+
+set -e
+
+APP_PROFILE="usr.sbin.clamd"
+APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
+if [ "$1" = "upgrade" ]; then
+    mkdir -p `dirname $APP_COMPLAIN` 2>/dev/null || true
+    if dpkg --compare-versions $2 lt 0.92.1~dfsg2-1.1~feisty3 ; then
+        # force-complain for pre-apparmor upgrades
+        ln -sf $APP_CONFFILE $APP_COMPLAIN
+    elif dpkg --compare-versions $2 lt 0.93.3.dfsg-1ubuntu1 ; then
+        if [ -e "$APP_CONFFILE" ]; then
+            md5sum="`md5sum \"$APP_CONFFILE\" | sed -e \"s/ .*//\"`"
+            pkg_md5sum="`sed -n -e \"/^Conffiles:/,/^[^ ]/{\\\\' $APP_CONFFILE'{s/.* //;p}}\" /var/lib/dpkg/status`"
+            if [ "$md5sum" = "$pkg_md5sum" ]; then
+                # force-complain on upgrade from pre-shipped profile and
+                # existing profile is same as in conffiles
+                ln -sf $APP_CONFFILE $APP_COMPLAIN
+            fi
+        else
+            # force-complain on upgrade from pre-shipped profile and
+            # there is no existing profile
+            ln -sf $APP_CONFFILE $APP_COMPLAIN
+        fi
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0
+
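Review bot: The two version thresholds (`0.92.1~dfsg2-1.1~feisty3` and `0.93.3.dfsg-1ubuntu1`) look carried over from Ubuntu packaging and do not match this package's history. The changelog hunk shows the profile first shipping in 0.95+dfsg-2, so an upgrade from 0.95+dfsg-1 compares as newer than both thresholds, gets no force-complain link and goes straight to the enforcing profile. If complain-on-first-upgrade is the intent, the first test should compare against the version that introduces the profile, with the argument quoted: `if dpkg --compare-versions "$2" lt 0.95+dfsg-2 ; then`. Nothing in the script or the README hunk tells the administrator that an upgraded system can stay in complain mode (logging but not confining) until the link under /etc/apparmor.d/force-complain is removed; a comment above the `ln -sf` lines saying so would help. debian/clamav-freshclam.preinst is a copy of this script and needs the same changes.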
diff --git a/debian/clamav-freshclam.install b/debian/clamav-freshclam.install
index 163c289..0c6b07c 100644
--- a/debian/clamav-freshclam.install
+++ b/debian/clamav-freshclam.install
@@ -4,3 +4,4 @@ debian/clamav-freshclam-ifupdown etc/network/if-down.d/
 debian/clamav-freshclam-ifupdown etc/ppp/ip-up.d/
 debian/clamav-freshclam-ifupdown etc/ppp/ip-down.d/
 debian/script usr/share/bug/clamav-freshclam/
+debian/usr.bin.freshclam etc/apparmor.d/
diff --git a/debian/clamav-freshclam.postinst.in b/debian/clamav-freshclam.postinst.in
index 15a3919..645c661 100644
--- a/debian/clamav-freshclam.postinst.in
+++ b/debian/clamav-freshclam.postinst.in
@@ -242,6 +242,11 @@ EOF
 
   chown "$dbowner":adm $FRESHCLAMCONFFILE
   
+  # Reload AppArmor profile
+  if [ -x /etc/init.d/apparmor ]; then
+    invoke-rc.d apparmor force-reload || true
+  fi
+
   if [ "$runas" = 'daemon' ]; then
     if [ -x "/etc/init.d/clamav-freshclam" ]; then
       update-rc.d clamav-freshclam defaults >/dev/null
diff --git a/debian/clamav-freshclam.postrm b/debian/clamav-freshclam.postrm
index e746dfa..a06e086 100644
--- a/debian/clamav-freshclam.postrm
+++ b/debian/clamav-freshclam.postrm
@@ -52,6 +52,8 @@ case "$1" in
   [ ! -d "${workdir}/main.inc/" ] || rmdir --ignore-fail-on-non-empty ${workdir}/main.inc/
   [ ! -d "${workdir}/daily.inc/" ] || rmdir --ignore-fail-on-non-empty ${workdir}/daily.inc/
   update-rc.d clamav-freshclam remove >/dev/null
+
+  rm -f /etc/apparmor.d/force-complain/usr.bin.freshclam >/dev/null 2>&1 || true
   ;;
   remove)
   rm -f /var/lib/clamav/main.cvd /var/lib/clamav/main.cld
diff --git a/debian/clamav-freshclam.preinst b/debian/clamav-freshclam.preinst
new file mode 100644
index 0000000..b7fc851
--- /dev/null
+++ b/debian/clamav-freshclam.preinst
@@ -0,0 +1,35 @@
+#! /bin/sh
+# preinst script for #PACKAGE#
+#
+
+set -e
+
+APP_PROFILE="usr.bin.freshclam"
+APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
+if [ "$1" = "upgrade" ]; then
+    mkdir -p `dirname $APP_COMPLAIN` 2>/dev/null || true
+    if dpkg --compare-versions $2 lt 0.92.1~dfsg2-1.1~feisty3 ; then
+        # force-complain for pre-apparmor upgrades
+        ln -sf $APP_CONFFILE $APP_COMPLAIN
+    elif dpkg --compare-versions $2 lt 0.93.3.dfsg-1ubuntu1 ; then
+        if [ -e "$APP_CONFFILE" ]; then
+            md5sum="`md5sum \"$APP_CONFFILE\" | sed -e \"s/ .*//\"`"
+            pkg_md5sum="`sed -n -e \"/^Conffiles:/,/^[^ ]/{\\\\' $APP_CONFFILE'{s/.* //;p}}\" /var/lib/dpkg/status`"
+            if [ "$md5sum" = "$pkg_md5sum" ]; then
+                # force-complain on upgrade from pre-shipped profile and
+                # existing profile is same as in conffiles
+                ln -sf $APP_CONFFILE $APP_COMPLAIN
+            fi
+        else
+            # force-complain on upgrade from pre-shipped profile and
+            # there is no existing profile
+            ln -sf $APP_CONFFILE $APP_COMPLAIN
+        fi
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0
+
diff --git a/debian/usr.bin.freshclam b/debian/usr.bin.freshclam
new file mode 100644
index 0000000..c2bd946
--- /dev/null
+++ b/debian/usr.bin.freshclam
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <jamie at ubuntu.com>
+# Last Modified: Sun Aug  3 09:39:03 2008
+
+#include <tunables/global>
+
+/usr/bin/freshclam {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  capability setgid,
+  capability setuid,
+
+  /etc/clamav/clamd.conf r,
+  /etc/clamav/freshclam.conf r,
+  /etc/clamav/onerrorexecute.d/* mr,
+  /etc/clamav/onupdateexecute.d/* mr,
+  /etc/clamav/virusevent.d/* mr,
+
+  owner /home/*/.clamtk/db/daily.cld r,
+  owner /home/*/.clamtk/db/freshclam.log wk,
+  owner /home/*/.clamtk/db/main.cld r,
+
+  /usr/bin/freshclam mr,
+
+  /var/lib/clamav/ r,
+  /var/lib/clamav/** krw,
+
+  /var/log/clamav/* kw,
+  /var/run/clamav/freshclam.pid w,
+  /var/run/clamav/clamd.ctl w,
+
+  deny /var/run/samba/gencache.tdb mrwkl,
+}
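Review bot: The `/etc/clamav/virusevent.d/* mr,` rule looks misplaced in freshclam's profile: that directory is listed in debian/clamav-daemon.dirs, and the clamd profile added in this commit has no rule for it. Dropping it here would keep the profile minimal. The three hook-directory rules grant only `mr`, with no execute mode, so if those directories hold scripts that freshclam is meant to run, enforce mode would presumably deny them; this is worth confirming and stating in a comment either way. The `deny /var/run/samba/gencache.tdb mrwkl,` line should also carry a one-line comment saying why it is there, since an unexplained deny rule is hard to maintain.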
diff --git a/debian/usr.sbin.clamd b/debian/usr.sbin.clamd
new file mode 100644
index 0000000..2f4da35
--- /dev/null
+++ b/debian/usr.sbin.clamd
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <jamie at ubuntu.com>
+# Last Modified: Sun Aug  3 09:39:03 2008
+
+#include <tunables/global>
+
+/usr/sbin/clamd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  /etc/clamav/clamd.conf r,
+
+  /usr/sbin/clamd mr,
+
+  /tmp/ rw,
+  /tmp/** krw,
+
+  /var/lib/clamav/ r,
+  /var/lib/clamav/** krw,
+  /var/log/clamav/* krw,
+
+  /var/run/clamav/clamd.ctl w,
+  /var/run/clamav/clamd.pid w,
+
+  /var/spool/clamsmtp/* r,
+
+  # For amavisd-new integration
+  /var/lib/amavis/tmp/** r,
+
+  # For use with exim
+  /var/spool/exim4/** r,
+}
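Review bot: `/tmp/ rw,` and `/tmp/** krw,` give clamd read, write and lock access to every file under /tmp regardless of owner, which is broad for a daemon whose job is parsing untrusted files. The freshclam profile in this commit uses `#include <abstractions/user-tmp>` instead; here, write access could be limited to clamd's own files with `owner /tmp/** krw,`, plus `/tmp/** r,` for files submitted by other users. The profile also has no `capability` rules, while freshclam's grants setgid and setuid. If clamd is started as root and drops privileges itself, it would presumably need the same capabilities under enforcement.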

-- 
Debian repository for ClamAV


