* Fix permission denied issues.

* Set ReceiveTimeout=0 (disabled) in freshclam.conf. * Fix various AppArmor issues. * Improved clamav-onaccess.service unit file. Now it is possible to customize the options via /etc/default/clamav-onaccess environment file. Signed-off-by: Volker Theile <votdev@gmx.de>
2024-07-08 20:17:29 +00:00 · 2020-03-07 08:50:33 +01:00 · 2020-03-07 08:50:33 +01:00 · 33d2c0cedf
commit 33d2c0cedf
parent 26d8418f6f
8 changed files with 33 additions and 12 deletions
--- a/deb/openmediavault-clamav/debian/changelog
+++ b/deb/openmediavault-clamav/debian/changelog
@ -1,3 +1,14 @@
+openmediavault-clamav (5.0.8-1) stable; urgency=low
+
+  * Fix permission denied issues.
+  * Set ReceiveTimeout=0 (disabled) in freshclam.conf.
+  * Fix various AppArmor issues.
+  * Improved clamav-onaccess.service unit file. Now it is possible to
+    customize the options via /etc/default/clamav-onaccess environment
+    file.
+
+ -- Volker Theile <volker.theile@openmediavault.org>  Fri, 06 Mar 2020 17:07:26 +0100
+
 openmediavault-clamav (5.0.7-1) stable; urgency=low

  * Improve clamav-onaccess.service unit file.
--- a/deb/openmediavault-clamav/debian/control
+++ b/deb/openmediavault-clamav/debian/control
@ -9,7 +9,7 @@ Homepage: http://www.openmediavault.org

 Package: openmediavault-clamav
 Architecture: all
-Depends: openmediavault (>= 5.3.4), clamav-daemon (>= 0.102), clamav-freshclam, clamdscan
+Depends: openmediavault (>= 5.3.7), clamav-daemon (>= 0.102), clamav-freshclam, clamdscan
 Priority: optional
 Description: openmediavault ClamAV plugin
 Clam AntiVirus is an anti-virus toolkit for Unix.
--- a/deb/openmediavault-clamav/debian/openmediavault-clamav.postinst
+++ b/deb/openmediavault-clamav/debian/openmediavault-clamav.postinst
@ -57,10 +57,8 @@ case "$1" in
 		########################################################################
 		# Action to be done depending on the previous version.
 		########################################################################
-		if dpkg --compare-versions "$2" lt-nl "5.0.3"; then
-		  # Create systemd clamav-onaccess.service unit file and rebuild
-		  # all configuration files.
-		  omv-salt deploy run --quiet clamav
+		if dpkg --compare-versions "$2" lt-nl "5.0.8"; then
+		  omv_module_set_dirty clamav
 		fi
 	;;

--- a/deb/openmediavault-clamav/etc/systemd/system/clamav-onaccess.service
+++ b/deb/openmediavault-clamav/etc/systemd/system/clamav-onaccess.service
@ -5,8 +5,9 @@ Wants=clamav-daemon.service
 BindsTo=clamav-daemon.service

 [Service]
+EnvironmentFile=-/etc/default/clamav-onaccess
 ExecStartPre=-/sbin/sysctl fs.inotify.max_user_watches=524288
-ExecStart=/usr/bin/clamonacc --foreground=true
+ExecStart=/usr/bin/clamonacc --fdpass --foreground=true ${CLAMONACC_OPTIONS}
 Restart=on-failure
 RestartSec=5s
 StandardOutput=syslog
--- a/deb/openmediavault-clamav/srv/salt/omv/deploy/clamav/default.sls
+++ b/deb/openmediavault-clamav/srv/salt/omv/deploy/clamav/default.sls
@ -21,6 +21,7 @@
 # http://wiki.dreamhost.com/index.php/Crontab/
 # https://www.systutorials.com/docs/linux/man/5-clamd.conf/
 # https://www.systutorials.com/docs/linux/man/5-freshclam.conf/
+# https://blog.clamav.net/2019/09/understanding-and-transitioning-to.html

 {% set cron_scripts_dir = salt['pillar.get']('default:OMV_CRONSCRIPTS_DIR', '/var/lib/openmediavault/cron.d') %}
 {% set cron_script_prefix = salt['pillar.get']('default:OMV_CLAMAV_CLAMDSCAN_CRONSCRIPT_PREFIX', 'clamdscan-') %}
@ -64,7 +65,17 @@ configure_clamd_apparmor_profile:
 configure_clamd_apparmor_local_profile:
  file.append:
    - name: "/etc/apparmor.d/local/usr.sbin.clamd"
-    - text: "/srv/** krw,"
+    - text: |
+        # Allow mount dirs to be scanned. Need write access to be able to
+        # move/delete malicious files.
+        /srv/** krw,
+        /media/** krw,
+
+        # Allow an action to perform when clamav detects a malicious file.
+        # The scripts located in /etc/clamav/virusevent.d/ may require
+        # complex privileges, because of that we use the unconfined
+        # execute mode.
+        /usr/bin/dash muxr,

 # https://help.ubuntu.com/community/AppArmor#Reload_one_profile
 reload_clamd_apparmor_profile:
--- a/deb/openmediavault-clamav/srv/salt/omv/deploy/clamav/files/cron-clamdscan-script.j2
+++ b/deb/openmediavault-clamav/srv/salt/omv/deploy/clamav/files/cron-clamdscan-script.j2
@ -1,6 +1,6 @@
 {%- set separator = ' ' -%}
 {%- set script_prefix = salt['pillar.get']('default:OMV_CLAMAV_CLAMDSCAN_CRONSCRIPT_PREFIX', 'clamdscan-') -%}
-{%- set cmd_args = salt['pillar.get']('default:OMV_CLAMAV_CLAMDSCAN_CMDARGS', '--stdout') -%}
+{%- set cmd_args = salt['pillar.get']('default:OMV_CLAMAV_CLAMDSCAN_CMDARGS', '--fdpass --stdout') -%}
 {%- set runfile = '/run' | path_join(script_prefix ~ job.uuid) -%}
 #!/bin/sh
 {{ pillar['headers']['multiline'] -}}
--- a/deb/openmediavault-clamav/srv/salt/omv/deploy/clamav/files/etc-clamav-clamd_conf.j2
+++ b/deb/openmediavault-clamav/srv/salt/omv/deploy/clamav/files/etc-clamav-clamd_conf.j2
@ -3,7 +3,7 @@
 {%- set localsocketmode = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_LOCALSOCKETMODE', '666') -%}
 {%- set archiveblockencrypted = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_ARCHIVEBLOCKENCRYPTED', 'false') -%}
 {%- set maxdirectoryrecursion = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_MAXDIRECTORYRECURSION', '15') -%}
-{%- set readtimeout = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_READTIMEOUT', '180') -%}
+{%- set readtimeout = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_READTIMEOUT', '120') -%}
 {%- set maxthreads = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_MAXTHREADS', '12') -%}
 {%- set maxconnectionqueuelength = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_MAXCONNECTIONQUEUELENGTH', '15') -%}
 {%- set logsyslog = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_LOGSYSLOG', 'false') -%}
@ -31,8 +31,8 @@
 {%- set scanpartialmessages = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_SCANPARTIALMESSAGES', 'false') -%}
 {%- set heuristicscanprecedence = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_HEURISTICSCANPRECEDENCE', 'false') -%}
 {%- set structureddatadetection = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_STRUCTUREDDATADETECTION', 'false') -%}
-{%- set commandreadtimeout = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_COMMANDREADTIMEOUT', '5') -%}
-{%- set sendbuftimeout = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_SENDBUFTIMEOUT', '200') -%}
+{%- set commandreadtimeout = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_COMMANDREADTIMEOUT', '30') -%}
+{%- set sendbuftimeout = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_SENDBUFTIMEOUT', '500') -%}
 {%- set maxqueue = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_MAXQUEUE', '100') -%}
 {%- set extendeddetectioninfo = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_EXTENDEDDETECTIONINFO', 'true') -%}
 {%- set ole2blockmacros = salt['pillar.get']('default:OMV_CLAMAV_CLAMD_OLE2BLOCKMACROS', 'false') -%}
--- a/deb/openmediavault-clamav/srv/salt/omv/deploy/clamav/files/etc-clamav-freshclam_conf.j2
+++ b/deb/openmediavault-clamav/srv/salt/omv/deploy/clamav/files/etc-clamav-freshclam_conf.j2
@ -11,7 +11,7 @@
 {% set notifyclamd = salt['pillar.get']('default:OMV_CLAMAV_FRESHCLAM_NOTIFYCLAMD', '/etc/clamav/clamd.conf') -%}
 {% set databasemirror = salt['pillar.get']('default:OMV_CLAMAV_FRESHCLAM_DATABASEMIRROR', 'database.clamav.net') -%}
 {% set connecttimeout = salt['pillar.get']('default:OMV_CLAMAV_FRESHCLAM_CONNECTTIMEOUT', '30') -%}
-{% set receivetimeout = salt['pillar.get']('default:OMV_CLAMAV_FRESHCLAM_RECEIVETIMEOUT', '300') -%}
+{% set receivetimeout = salt['pillar.get']('default:OMV_CLAMAV_FRESHCLAM_RECEIVETIMEOUT', '0') -%}

 {{ pillar['headers']['multiline'] }}