Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Needs write access to /dev/null #1269

Closed strasszer closed 4 months ago

strasszer commented 4 months ago

Describe the bug

Even after configuring TemporaryDirectory, ClamAV needs write access to /dev/null.

How to reproduce the problem

Start ClamAV in docker, apply the deny /dev/** wl AppArmor config and start the service. ClamAV fails on initialization.

micahsnyder commented 4 months ago

As a part of daemonizing the clamd, freshclam, clamav-milter, and clamonacc processes, ClamAV replaces the standard file descriptors (0: stdin, 1: stdout, 2: stderr) with read-only or write-only file descriptors that point to /dev/null. In this way, those file descriptor values 0, 1, and 2 are reserved, and no newly opened files will use those values, which could cause unexpected problems later if some code attempts to write directly to stdout, for example.

In short, yes this is expected.
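The descriptor reservation described in the comment above, as an added C example that is not part of the original thread and is not ClamAV's own code. The helper names `reserve_std_fds` and `next_fd_in_child` are hypothetical, and `/` stands in for any file a daemon might open later.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: point fds 0/1/2 at /dev/null the way a daemon does.
 * Returns -1 if /dev/null cannot be opened, e.g. EACCES under a policy that
 * denies write access to /dev/null. */
static int reserve_std_fds(void) {
    int rfd = open("/dev/null", O_RDONLY);   /* becomes stdin */
    int wfd = open("/dev/null", O_WRONLY);   /* becomes stdout and stderr */
    int ok = rfd >= 0 && wfd >= 0 &&
             dup2(rfd, 0) >= 0 && dup2(wfd, 1) >= 0 && dup2(wfd, 2) >= 0;
    if (rfd > 2) close(rfd);
    if (wfd > 2) close(wfd);
    return ok ? 0 : -1;
}

/* Hypothetical demo: in a forked child, drop the inherited standard
 * descriptors, optionally reserve them, then report which descriptor number
 * the next open() receives. 254/255 mean failure in the child; -1 means
 * fork or wait failed. */
static int next_fd_in_child(int reserve) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(0); close(1); close(2);        /* detach from the terminal */
        if (reserve && reserve_std_fds() != 0) _exit(255);
        int fd = open("/", O_RDONLY);        /* stand-in for a log or database file */
        _exit(fd < 0 ? 254 : fd);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Without reservation the new file lands in the stdin slot (fd 0). */
    printf("next fd without reservation: %d\n", next_fd_in_child(0));
    /* With reservation it is pushed to fd 3 or higher. */
    printf("next fd with reservation:    %d\n", next_fd_in_child(1));
    return 0;
}
```

A return value of 255 from `next_fd_in_child(1)` corresponds to the failure in this issue: the process cannot open /dev/null, so the reservation step fails.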

micahsnyder commented 4 months ago

If you run clamd with -F or --foreground you should not run into this issue. But then it won't daemonize/run in the background.

strasszer commented 4 months ago

> If you run clamd with -F or --foreground you should not run into this issue. But then it won't daemonize/run in the background.

We already use it in the foreground, with the clam.conf Foreground yes option.