profiles: email-common: allow clamav plugin for claws-mail #5719
Force-pushed from a656b22 to 2e2f877
Force-pushed from 2e2f877 to 399b10c
Improve protection.
etc/profile-a-l/email-common.profile (outdated)
whitelist /var/mail
whitelist /var/run/clamav/clamd.ctl
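Review bot: the second line is the first `whitelist` entry under /run in this profile (/var/run resolves to /run), and firejail treats the first whitelist under a top-level directory as switching that directory to whitelist-only mode, so every other socket under /run disappears from the sandbox. Either pair it with `include whitelist-run-common.inc` or drop it if the socket is reachable without it.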
This will start whitelisting in /run
and break different things on a lot of systems (DNS, printing, system-bus, hardware-acceleration(?), ...).
Good point. Can we mitigate that by including whitelist-run-common.inc? Never used clamav, neither with claws-mail nor anything else for that matter.
I think so.
@marek22k Can you test the above? Besides the other entries, add `include whitelist-run-common.inc`
as well to an email-common.local and try clamav from your claws-mail.
I am unsure if that was the case yesterday. I have now tried accessing the socket without a modified claws-mail.local:

```
$ firejail --profile=claws-mail file /var/run/clamav/clamd.ctl
Reading profile /etc/firejail/claws-mail.profile
Reading profile /etc/firejail/email-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 70823, child pid 70826
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping crypto-policies for private /etc
Warning: skipping gcrypt for private /etc
Warning: skipping gnupg for private /etc
Warning: skipping groups for private /etc
Warning: skipping hosts.conf for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 43.97 ms
Private /usr/etc installed in 0.00 ms
Child process initialized in 217.64 ms
/var/run/clamav/clamd.ctl: socket
Parent is shutting down, bye...
```

However, when I add `include whitelist-run-common.inc`, this appears instead:

```
/var/run/clamav/clamd.ctl: cannot open `/var/run/clamav/clamd.ctl' (No such file or directory)
```

```
# allow bsfilter
include allow-ruby.inc
noblacklist ${HOME}/.bsfilter
ignore dbus-user filter
# allow claws mail
whitelist /var/lib/clamav
noblacklist /var/lib/clamav
```
The other problem is that ClamAV also needs access to `/etc/clamav/clamd.conf`.
A bit confused here. If I understand correctly there's no need to whitelist /var/run/clamav (and the consecutive inclusion of whitelist-run-common.inc) after all? If that's the case just drop those options?

> The other problem is that ClamAV also needs access to /etc/clamav/clamd.conf.

Easy fix: add `clamav` to `private-etc` in email-common.profile:

```
[...]
private-etc @tls-ca,@x11,clamav,gnupg,hosts.conf,mailname,timezone
[...]
```
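The two pitfalls discussed in this thread (a `whitelist` under /run silently turning /run into whitelist-only mode unless `whitelist-run-common.inc` is included, and `clamd.conf` being invisible unless `clamav` is in `private-etc`) can be caught before testing in a sandbox. The following is an added example, not code from the firejail project or from the PR author: a small POSIX shell lint over profile text. It assumes that /var/run is a symlink to /run on the target systems, and the two profile fragments it checks are constructed here to mirror the PR's first attempt and the corrected version.

```shell
#!/bin/sh
# Added example for this review thread, not part of firejail.
# Lints a firejail profile fragment for two issues raised by the reviewers:
#   1. a `whitelist` entry under /run (or /var/run, assumed to be a symlink
#      to /run) switches /run into whitelist-only mode, so it must be
#      accompanied by `include whitelist-run-common.inc`;
#   2. a ClamAV-using profile needs `clamav` in its `private-etc` list so
#      /etc/clamav/clamd.conf stays visible inside the sandbox.
# The profile texts below are constructed for this demo.

# check_run_whitelist PROFILE_TEXT
# Returns 0 when the fragment is fine, 1 when it whitelists a path under /run
# without also including whitelist-run-common.inc (offending lines on stderr).
check_run_whitelist() {
    profile=$1
    hits=$(printf '%s\n' "$profile" \
        | grep -E '^[[:space:]]*whitelist[[:space:]]+(/var)?/run/' || true)
    [ -z "$hits" ] && return 0
    if printf '%s\n' "$profile" \
        | grep -Eq '^[[:space:]]*include[[:space:]]+whitelist-run-common\.inc([[:space:]]|$)'; then
        return 0
    fi
    printf 'warning: whitelist under /run without whitelist-run-common.inc:\n%s\n' "$hits" >&2
    return 1
}

# private_etc_allows PROFILE_TEXT NAME
# Returns 0 when a `private-etc` line in the fragment lists NAME, 1 otherwise.
# Entries are comma separated; groups such as @tls-ca are compared literally.
private_etc_allows() {
    profile=$1 name=$2
    printf '%s\n' "$profile" \
        | grep -E '^[[:space:]]*private-etc[[:space:]]+' \
        | sed -E 's/^[[:space:]]*private-etc[[:space:]]+//' \
        | tr ',' '\n' \
        | grep -qx "$name"
}

# lint_profile PROFILE_TEXT
# Runs both checks over one fragment; returns 0 only if both pass.
lint_profile() {
    status=0
    check_run_whitelist "$1" || status=1
    if ! private_etc_allows "$1" clamav; then
        echo 'warning: private-etc does not list clamav (clamd.conf will be missing)' >&2
        status=1
    fi
    return $status
}

# Constructed fragments: the PR's first attempt and the corrected version.
DRAFT_PROFILE='whitelist /var/mail
whitelist /var/run/clamav/clamd.ctl
private-etc @tls-ca,@x11,gnupg,hosts.conf,mailname,timezone'

FIXED_PROFILE='whitelist /var/mail
whitelist /var/run/clamav/clamd.ctl
include whitelist-run-common.inc
private-etc @tls-ca,@x11,clamav,gnupg,hosts.conf,mailname,timezone'

echo '== draft =='; lint_profile "$DRAFT_PROFILE" || echo 'draft: needs changes'
echo '== fixed =='; lint_profile "$FIXED_PROFILE" && echo 'fixed: ok'
```

Running the script prints two warnings for the draft fragment and `fixed: ok` for the corrected one; to lint a real file, pass its contents with `lint_profile "$(cat /etc/firejail/email-common.local)"`. The lint only looks at the fragment it is given, so includes pulled in from other files are not followed.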
> A bit confused here.
Yes, I was too. Apparently I made a mistake yesterday or today. I have now edited the PR again.
No worries, that happens. We've caught it in time so there is value in this review process :)
Force-pushed from 346a119 to 8b6ee56
Closes netblue30#5716
Signed-off-by: Marek Küthe <m.k@mk16.de>
Force-pushed from 8b6ee56 to 2453f0e
LGTM
LGTM
@rusty-snake Do you still have change requests for this?
merged, thanks!
No description provided.