AppArmor and clamav-freshclam in container

nahuelange · January 12, 2021, 1:42pm

Hello,

I have an lxd host under ubuntu 20.04 that runs an lxc container under Debian 9.
I installed clamav-freshclam in the container, freshclam can’t resolve database.clamav.net hostname:

Tue Jan 12 14:08:09 2021 -> ERROR: remote_cvdhead: Download failed (6) Tue Jan 12 14:08:09 2021 -> ERROR:  Message: Couldn't resolve host name
Tue Jan 12 14:08:09 2021 -> WARNING: Failed to get daily database version information from server: https://database.clamav.net
Tue Jan 12 14:08:09 2021 -> ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.

In the host syslog, we can see that AppArmor refused network access to freshclam binary:

Jan 12 14:08:09 sd kernel: [355010.297775] audit: type=1400 audit(1610456889.229:2146): apparmor="DENIED" operation="create" namespace="root//lxd-instance_<var-snap-lxd-common-lxd>" profile="/usr/bin/freshclam" pid=731692 comm="freshclam" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create`"`

Does anyone know how to allow network access to freshclam binary ?

Thanks

tomp · January 12, 2021, 5:53pm

The profile="/usr/bin/freshclam" suggests another apparmor profile is blocking this.

Do you agree @stgraber?

stgraber · January 12, 2021, 8:40pm

Yep, this is apparmor in the container preventing it.

I guess you could disable that apparmor profile in /etc/apparmor.d or extend it to allow what you need here.

nahuelange · January 13, 2021, 7:35am

Thank for your answers!

Indeed, disabling the profile inside the container works.

But, this seems weird that the default freshclam’s debian profile disallow DNS queries, especially that “abstractions/nameservice” is included.

Isn’t interactions between host’s profiles and container’s profiles ?

stgraber · January 13, 2021, 3:14pm

The error shows that it’s the freshclam profile that blocked it.
It could be an issue in the apparmor parser though, it wouldn’t be the first time that a container is getting a stricter policy than the host due to how apparmor functions…

In most cases, if you can figure out what needs to be added to the profile, the packagers are usually quite happy to update it.

nahuelange · January 18, 2021, 1:01pm

It’s clear for me now. I’ll try to provide a profile patch for this issue.
Thanks for all your answers