profiles: email-common: allow clamav plugin for claws-mail #5719
Conversation
marek22k
changed the title
marek22k
force-pushed
the
clawsmail-clamav
branch
from
a656b22
to
2e2f877
Compare
kmk3
changed the title
marek22k
force-pushed
the
clawsmail-clamav
branch
from
2e2f877
to
399b10c
Compare
etc/profile-a-l/email-common.profile
Outdated
| whitelist /var/mail | ||
| whitelist /var/run/clamav/clamd.ctl |
There was a problem hiding this comment.
This will start whitelising in /run and break different thinks on a lot systems (DNS, printing, system-bus, hardware-acceleration(?), ...).
There was a problem hiding this comment.
Good point. Can we mitigate that by including whitelist-run-common.inc? Never used clamav, neither with claws-mail nor anything else for that matter.
There was a problem hiding this comment.
@marek22k Can you test the above? Besides the other entrees add include whitelist-run-common.inc as well to a email-common.local and try clamav from your claws-mail.
There was a problem hiding this comment.
I am unsure if that was the case yesterday. I have now tried accessing the socket without modified claws-mail.local:
$firejail --profile=claws-mail file /var/run/clamav/clamd.ctl
Reading profile /etc/firejail/claws-mail.profile
Reading profile /etc/firejail/email-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 70823, child pid 70826
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping crypto-policies for private /etc
Warning: skipping gcrypt for private /etc
Warning: skipping gnupg for private /etc
Warning: skipping groups for private /etc
Warning: skipping hosts.conf for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 43.97 ms
Private /usr/etc installed in 0.00 ms
Child process initialized in 217.64 ms
/var/run/clamav/clamd.ctl: socket
Parent is shutting down, bye...
However, when I add include whitelist-run-common.inc, /var/run/clamav/clamd.ctl: cannot open /var/run/clamav/clamd.ctl' (No such file or directory)` appears.
# allow bsfilter
include allow-ruby.inc
noblacklist ${HOME}/.bsfilter
ignore dbus-user filter
# allow claws mail
whitelist /var/lib/clamav
noblacklist /var/lib/clamav
There was a problem hiding this comment.
The other problem is that ClamAV also needs access also /etc/clamav/clamd.conf.
There was a problem hiding this comment.
A bit confused here. If I understand correctly there's no need to whitelist /var/run/clamav (and the consecutive inclusion of whitelist-run-common.inc) after all? If that's the case just drop those options?
The other problem is that ClamAV also needs access also /etc/clamav/clamd.conf.
Easy fix: add clamav to private-etc in email-common.profile:
[...]
private-etc @tls-ca,@x11,clamav,gnupg,hosts.conf,mailname,timezone
[...]
There was a problem hiding this comment.
A bit confused here.
Yes, I was too. Apparently I made a mistake yesterday or today. I have now edited the PR again.
There was a problem hiding this comment.
No worries, that happens. We've caught it in time so there is value in this review process :)
marek22k
force-pushed
the
clawsmail-clamav
branch
2 times, most recently
from
346a119
to
8b6ee56
Compare
Closes netblue30#5716 Signed-off-by: Marek Küthe <m.k@mk16.de>
marek22k
force-pushed
the
clawsmail-clamav
branch
from
8b6ee56
to
2453f0e
Compare
|
@rusty-snake Do you still have change requests for this? |
|
merged, thanks! |
kmk3
changed the title
No description provided.