On Sun, 14 Nov 2021 13:05:43 +0100 Andreas Feldner <pe...@feldner-bv.de> wrote:
Package: clamav-daemon
Version: 0.103.3+dfsg-0+deb11u1
Severity: wishlist

Dear Maintainer,

clamav-daemon is currently shipped with a systemd unit file that makes
no use of systemd security features. I found that a number of attack vectors
can be closed without incurring problems with functionality.

This is my version of /lib/systemd/system/clamav-daemon.service that seems to
work OK:

----------------
[Unit]
Description=Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/
# Check for database existence
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}

[Service]
ExecStart=/usr/sbin/clamd --foreground=true
User=clamav
# Reload the database
ExecReload=/bin/kill -USR2 $MAINPID
StandardOutput=syslog
TimeoutStartSec=420
PrivateTmp=true
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_PTRACE
RestrictNamespaces=~CLONE_NEWUSER
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
CapabilityBoundingSet=~CAP_FOWNER CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_SYS_MODULE
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_TIME

[Install]
WantedBy=multi-user.target
----------------


FYI, an issue and a pull request have been opened upstream:

https://github.com/Cisco-Talos/clamav/issues/858
https://github.com/Cisco-Talos/clamav/pull/859

--
PGP: 84F59CAFB6618B1D01C992A6D0462C2C9FB57726
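The unit file in the report above relies on several repeated CapabilityBoundingSet= lines and a handful of sandboxing directives. The script below is an added example, not part of the bug report, the Debian package or ClamAV: it parses a unit's [Service] section, merges the CapabilityBoundingSet= lines the way systemd.exec(5) describes (the first line replaces the default "all" set, later "~" lines AND capabilities out, later positive lines OR them in, an empty value resets to nothing), and reports which common hardening directives are set or absent. The directive list and the capability names are real systemd/capabilities(7) identifiers; the unit embedded as sample input is the one proposed in the report.

```python
"""Static review of a systemd unit's sandboxing directives (added example)."""
import re
from typing import Dict, List, Set

# Capability names from capabilities(7), Linux 5.x.
ALL_CAPS: Set[str] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
}

# systemd.exec(5) directives a reviewer typically looks for in a service unit.
HARDENING_DIRECTIVES: List[str] = [
    "User", "PrivateTmp", "NoNewPrivileges", "ProtectSystem", "ProtectHome",
    "CapabilityBoundingSet", "RestrictNamespaces", "RestrictAddressFamilies",
    "ProtectKernelModules", "MemoryDenyWriteExecute",
]

# Sample input: the [Service] part of the unit proposed in the bug report.
SAMPLE_UNIT = """[Unit]
Description=Clam AntiVirus userspace daemon
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}

[Service]
ExecStart=/usr/sbin/clamd --foreground=true
User=clamav
# Reload the database
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_PTRACE
RestrictNamespaces=~CLONE_NEWUSER
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
CapabilityBoundingSet=~CAP_FOWNER CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_SYS_MODULE
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_TIME

[Install]
WantedBy=multi-user.target
"""


def parse_service_section(text: str) -> Dict[str, List[str]]:
    """Map each [Service] directive to all of its values (repeats are kept in order)."""
    section = None
    out: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out.setdefault(key.strip(), []).append(value.strip())
    return out


def effective_bounding_set(values: List[str]) -> Set[str]:
    """Merge CapabilityBoundingSet= lines: first line (or an empty value) replaces
    the default of "all"; later '~' lines subtract, later positive lines add."""
    allowed = set(ALL_CAPS)
    initialized = False
    for value in values:
        invert = value.startswith("~")
        caps = set()
        for name in value.lstrip("~").split():
            name = name.upper()
            caps.add(name if name.startswith("CAP_") else "CAP_" + name)
        unknown = caps - ALL_CAPS
        if unknown:
            raise ValueError(f"unknown capability name(s): {sorted(unknown)}")
        if not caps or not initialized:
            allowed = (ALL_CAPS - caps) if invert else set(caps)
            initialized = True
        elif invert:
            allowed -= caps
        else:
            allowed |= caps
    return allowed


def review_unit(text: str) -> Dict[str, object]:
    """Summarise who the service runs as, what it can still do, and what is unset."""
    service = parse_service_section(text)
    allowed = effective_bounding_set(service.get("CapabilityBoundingSet", []))
    return {
        "user": service.get("User", ["root"])[-1],
        "allowed_caps": sorted(allowed),
        "dropped_caps": sorted(ALL_CAPS - allowed),
        "present": [d for d in HARDENING_DIRECTIVES if d in service],
        "missing": [d for d in HARDENING_DIRECTIVES if d not in service],
    }


if __name__ == "__main__":
    report = review_unit(SAMPLE_UNIT)
    print("runs as:", report["user"])
    print(f"dropped {len(report['dropped_caps'])} capabilities, "
          f"{len(report['allowed_caps'])} remain in the bounding set")
    print("present:", ", ".join(report["present"]))
    print("missing:", ", ".join(report["missing"]))
```

Because the unit also sets User=clamav, the process already runs unprivileged; the bounding set still matters because it caps what file capabilities on any executable the daemon spawns could grant. The "missing" list is a checklist, not a verdict: each directive has to be tested against the service's actual file and network access, which is the point the report makes about not incurring functional problems.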
