/* * Copyright (C) 2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved. * * Authors: Mickey Sola * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA. */ #if HAVE_CONFIG_H #include "clamav-config.h" #endif #include <stdio.h> #include <stdarg.h> #include <stdlib.h> #include <string.h> #include <sys/stat.h> #include <errno.h> #include <pthread.h> #include <pwd.h> #include "libclamav/clamav.h" #include "shared/optparser.h" #include "shared/output.h" #include "utils.h" #include "clamd/scanner.h" #include "../clamonacc.h" #include "../client/client.h" #include "../scan/queue.h" #if defined(FANOTIFY) extern pthread_cond_t onas_scan_queue_empty_cond; int onas_fan_checkowner(int pid, const struct optstruct *opts) { struct passwd *pwd; char path[32]; STATBUF sb; const struct optstruct *opt = NULL; const struct optstruct *opt_root = NULL; const struct optstruct *opt_uname = NULL; int retry = 0; /* always ignore ourselves */ if (pid == (int)getpid()) { return CHK_SELF; } /* look up options */ opt = optget(opts, "OnAccessExcludeUID"); opt_root = optget(opts, "OnAccessExcludeRootUID"); opt_uname = optget (opts, "OnAccessExcludeUname"); /* we can return immediately if no uid exclusions were requested */ if (!(opt->enabled || opt_root->enabled || opt_uname->enabled)) return CHK_CLEAN; /* perform exclusion checks if we can stat OK */ snprintf(path, sizeof(path), "/proc/%u", pid); if (CLAMSTAT(path, &sb) == 0) { /* check all our non-root UIDs first */ if (opt->enabled) { while (opt) { if (opt->numarg == (long long)sb.st_uid) return CHK_FOUND; opt = opt->nextarg; } } /* then check our unames */ if (opt_uname->enabled) { while (opt_uname) { errno = 0; pwd = getpwuid(sb.st_uid); if (NULL == pwd) { if (errno) { logg("*ClamMisc: internal error (failed to exclude event) ... %s\n", strerror(errno)); switch (errno) { case EIO: logg("*ClamMisc: system i/o failed while retrieving username information (excluding for safety)\n"); return CHK_FOUND; break; case EINTR: logg("*ClamMisc: caught signal while retrieving username information from system (excluding for safety)\n"); return CHK_FOUND; break; case EMFILE: case ENFILE: if (0 == retry) { logg("*ClamMisc: waiting for consumer thread to catch up then retrying ...\n"); sleep(3); retry = 1; continue; } else { logg("*ClamMisc: fds have been exhausted ... attempting to force the consumer thread to catch up ... (excluding for safety)\n"); pthread_cond_signal(&onas_scan_queue_empty_cond); sleep(3); return CHK_FOUND; } case ERANGE: default: logg("*ClamMisc: unknown error occurred (excluding for safety)\n"); return CHK_FOUND; break; } } } else { if (!strncmp(opt_uname->strarg, pwd->pw_name, strlen(opt_uname->strarg))) { return CHK_FOUND; } } opt_uname = opt_uname->nextarg; } } /* finally check root UID */ if (opt_root->enabled) { if (0 == (long long)sb.st_uid) return CHK_FOUND; } } else if (errno == EACCES) { logg("*ClamMisc: permission denied to stat /proc/%d to exclude UIDs... perhaps SELinux denial?\n", pid); } else if (errno == ENOENT) { /* TODO: should this be configurable? */ logg("ClamMisc: $/proc/%d vanished before UIDs could be excluded; scanning anyway\n", pid); } return CHK_CLEAN; } #endif char **onas_get_opt_list(const char *fname, int *num_entries, cl_error_t *err) { FILE* opt_file = 0; STATBUF sb; char** opt_list = NULL; char** rlc_ptr = NULL; uint64_t len = 0; int32_t ret = 0; *num_entries = 0; opt_list = cli_malloc(sizeof(char*)); if (NULL == opt_list) { *err = CL_EMEM; return NULL; } opt_list[*num_entries] = NULL; errno = 0; opt_file = fopen(fname, "r"); if (NULL == opt_file) { logg("!ClamMisc: could not open path list file `%s', %s\n", fname, errno ? strerror(errno) : ""); *err = CL_EARG; return NULL; } while((ret = getline(opt_list + *num_entries, &len, opt_file)) != -1) { opt_list[*num_entries][strlen(opt_list[*num_entries])-1] = '\0'; errno = 0; if (0 != CLAMSTAT(opt_list[*num_entries], &sb)) { logg("*ClamMisc: when parsing path list ... could not stat '%s' ... %s ... skipping\n", opt_list[*num_entries], strerror(errno)); len = 0; free(opt_list[*num_entries]); opt_list[*num_entries] = NULL; continue; } if (!S_ISDIR(sb.st_mode)) { logg("*ClamMisc: when parsing path list ... '%s' is not a directory ... skipping\n", opt_list[*num_entries]); len = 0; free(opt_list[*num_entries]); opt_list[*num_entries] = NULL; continue; } if (strcmp(opt_list[*num_entries], "/") == 0) { logg("*ClamMisc: when parsing path list ... ignoring path '%s' while DDD is enabled ... skipping\n", opt_list[*num_entries]); logg("*ClamMisc: use the OnAccessMountPath configuration option to watch '%s'\n", opt_list[*num_entries]); len = 0; free(opt_list[*num_entries]); opt_list[*num_entries] = NULL; continue; } (*num_entries)++; rlc_ptr = cli_realloc(opt_list, sizeof(char*) * (*num_entries+1)); if (rlc_ptr) { opt_list = rlc_ptr; opt_list[*num_entries] = NULL; } else { *err = CL_EMEM; fclose(opt_file); free_opt_list(opt_list, *num_entries); return NULL; } len = 0; } opt_list[*num_entries] = NULL; fclose(opt_file); return opt_list; } void free_opt_list(char** opt_list, int entries) { int i = 0; for (i; i < entries; i++) { if (opt_list[i]) { free(opt_list[i]); opt_list[i] = NULL; } } free(opt_list); opt_list = NULL; return; }