
malware_scanner plugin error

Open jstucke opened this issue 3 years ago • 0 comments

AppArmor can deny access to the default firmware save folder in /media/data for daemon processes like the ClamAV daemon.

This results in an error in the call to clamdscan:

/media/data/fact_fw_data/27/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f_68: Can't open file or directory ERROR

from dmesg:

[19930.771376] audit: type=1400 audit(1640092373.610:215): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/media/data/fact_fw_data/27/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f_68" pid=1549 comm="clamd" requested_mask="r" denied_mask="r" fsuid=128 ouid=1000

In the malware_scanner plugin this results only in a "clean" scan result.

The problem can be fixed by appending the line `/media/data/** r,` to `/etc/apparmor.d/local/usr.sbin.clamd`

jstucke, Dec 21 '21 14:12
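The failure reported above is a scan error that surfaces as "clean". The following is an added example, not FACT_core's or the issue author's code: it classifies clamdscan result lines so that an ERROR never counts as clean, and matches each failed path against AppArmor denials for the clamd profile. The function names are hypothetical, the sample lines are constructed in the shape shown in the issue with a placeholder path, and it assumes per-file result lines end in OK, FOUND or ERROR.

```python
import re

# Constructed samples shaped like the lines quoted in the issue (placeholder path).
SAMPLE_PATH = "/media/data/fact_fw_data/ab/EXAMPLE_68"
SAMPLE_SCAN = SAMPLE_PATH + ": Can't open file or directory ERROR"
SAMPLE_AUDIT = (
    '[100.000000] audit: type=1400 audit(1640000000.000:1): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/clamd" name="' + SAMPLE_PATH + '" '
    'pid=1 comm="clamd" requested_mask="r" denied_mask="r" fsuid=128 ouid=1000'
)

RESULT_LINE = re.compile(r"^(?P<path>.+): (?P<detail>.*?) ?(?P<status>OK|FOUND|ERROR)$")
AUDIT_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
VERDICTS = {"OK": "clean", "FOUND": "infected", "ERROR": "error"}


def classify_scan_line(line):
    """Return (path, verdict, detail); verdict is 'clean', 'infected' or 'error'."""
    match = RESULT_LINE.match(line.strip())
    if match is None:
        # Output that cannot be parsed is an error, never a clean result.
        return None, "error", line.strip()
    return match["path"], VERDICTS[match["status"]], match["detail"]


def parse_apparmor_denial(record):
    """Return the key=value fields of an AppArmor DENIED audit record, else None."""
    fields = {key: quoted or bare for key, quoted, bare in AUDIT_FIELD.findall(record)}
    return fields if fields.get("apparmor") == "DENIED" else None


def explain_errors(scan_lines, audit_records, profile="/usr/sbin/clamd"):
    """Map each path that failed to scan to the denied AppArmor mask, or None."""
    denied = {}
    for record in audit_records:
        fields = parse_apparmor_denial(record)
        if fields and fields.get("profile") == profile:
            denied[fields.get("name")] = fields.get("denied_mask")
    report = {}
    for line in scan_lines:
        path, verdict, _detail = classify_scan_line(line)
        if verdict == "error":
            report[path] = denied.get(path)
    return report


if __name__ == "__main__":
    print(explain_errors([SAMPLE_SCAN, "/tmp/sample.bin: OK"], [SAMPLE_AUDIT]))
```

A path mapped to `None` failed for some reason other than an AppArmor denial in the supplied records and still needs investigation before its result is trusted.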