@@ -695,8 +695,8 @@ changes.

 ### Other improvements

-- Improved Windows executable Authenticode handling, enabling both whitelisting

-  and blacklisting of files based on code-signing certificates. Additional

+- Improved Windows executable Authenticode handling, enabling both allowing

+  and blocking of files based on code-signing certificates. Additional

   improvements to Windows executable (PE file) parsing.

   Work courtesy of Andrew Williams.

 - Added support for creating bytecode signatures for Mach-O and

@@ -1085,7 +1085,7 @@ we've cooked up over the past 6 months.

   request by Andrew Williams.

   - Added support for Authenticode signature properties commonly used by

     Windows system files. These files are now much more likely to be

-    whitelisted correctly.

+    trusted correctly.

   - Signature parsing now works correctly on big endian systems.

 - Some simplification to freshclam mirror management code, including changes

@@ -1769,7 +1769,7 @@ support for additional filetypes, and internal upgrades.

 - Authenticode: ClamAV is now aware of the certificate chains when

   scanning signed PE files. When the database contains signatures for

-  trusted root certificate authorities, the engine can whitelist

+  trusted root certificate authorities, the engine can trust

   PE files with a valid signature. The same database file can also

   include known compromised certificates to be rejected! This

   feature can also be disabled in clamd.conf (DisableCertCheck) or

@@ -1998,7 +1998,7 @@ The following are the key features of this release:

 - Google Safe Browsing support: in addition to the heuristic and signature

   based phishing detection mechanisms already available in ClamAV, the

-  scanner can now make use of the Google's blacklists of suspected

+  scanner can now make use of the Google's block lists of suspected

   phishing and malware sites. The ClamAV Project distributes a constantly

   updated Safe Browsing database, which can be automatically fetched by

   freshclam. For more information, please see freshclam.conf(5) and

@@ -2395,7 +2395,7 @@ Detailed list of changes:

     - PhishingAlwaysBlockCloak

 - clamav-milter:

-  - Black list mode: optionally black lists an IP for a configurable amount

+  - Block list mode: optionally block lists an IP for a configurable amount

     of time

   - Black hole mode: detects emails that will be discarded and refrains from

     scanning them

@@ -48,7 +48,7 @@ clang-format -i -verbose unit_tests/*.h

 clang-format -i -verbose win32/compat/*.c

 clang-format -i -verbose win32/compat/*.h

-# Undo changes to specific files (whitelist)

+# Undo changes to specific files that we don't really want to reformat

 git checkout libclamav/iana_cctld.h

 git checkout libclamav/bytecode_api_decl.c

 git checkout libclamav/bytecode_api_impl.h

@@ -11,8 +11,8 @@ target_sources( clamav-milter

         connpool.h

         netcode.c

         netcode.h

-        whitelist.c

-        whitelist.h )

+        allow_list.c

+        allow_list.h )

 target_include_directories( clamav-milter

     PRIVATE ${CMAKE_BINARY_DIR} # For clamav-config.h

 )

new file mode 100644

@@ -0,0 +1,229 @@

+/*

+ *  Copyright (C) 2013-2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

+ *  Copyright (C) 2008-2013 Sourcefire, Inc.

+ *

+ *  Author: aCaB <acab@clamav.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#include <stdio.h>

+#include <string.h>

+#include <sys/types.h>

+

+// libclamav

+#include "regex/regex.h"

+

+// common

+#include "output.h"

+

+#include "allow_list.h"

+

+struct WHLST {

+    regex_t preg;

+    struct WHLST *next;

+};

+

+struct WHLST *wfrom = NULL;

+struct WHLST *wto   = NULL;

+

+int skipauth = 0;

+regex_t authreg;

+

+void allow_list_free(void)

+{

+    struct WHLST *w;

+    while (wfrom) {

+        w = wfrom->next;

+        cli_regfree(&wfrom->preg);

+        free(wfrom);

+        wfrom = w;

+    }

+    while (wto) {

+        w = wto->next;

+        cli_regfree(&wto->preg);

+        free(wto);

+        wto = w;

+    }

+}

+

+int allow_list_init(const char *fname)

+{

+    char buf[2048];

+    FILE *f;

+    struct WHLST *w;

+

+    if (!(f = fopen(fname, "r"))) {

+        logg("!Cannot open allow list file '%s'\n", fname);

+        return 1;

+    }

+

+    while (fgets(buf, sizeof(buf), f) != NULL) {

+        struct WHLST **addto = &wto;

+        char *ptr            = buf;

+        int len;

+

+        if (*buf == '#' || *buf == ':' || *buf == '!')

+            continue;

+

+        if (!strncasecmp("From:", buf, 5)) {

+            ptr += 5;

+            addto = &wfrom;

+        } else if (!strncasecmp("To:", buf, 3))

+            ptr += 3;

+

+        len = strlen(ptr) - 1;

+        for (; len >= 0; len--) {

+            if (ptr[len] != '\n' && ptr[len] != '\r') break;

+            ptr[len] = '\0';

+        }

+        if (!len) continue;

+        if (!(w = (struct WHLST *)malloc(sizeof(*w)))) {

+            logg("!Out of memory loading allow list file\n");

+            allow_list_free();

+            fclose(f);

+            return 1;

+        }

+        w->next  = (*addto);

+        (*addto) = w;

+        if (cli_regcomp(&w->preg, ptr, REG_ICASE | REG_NOSUB)) {

+            logg("!Failed to compile regex '%s' in allow list file\n", ptr);

+            allow_list_free();

+            fclose(f);

+            return 1;

+        }

+    }

+    fclose(f);

+    return 0;

+}

+

+int allowed(const char *addr, int from)

+{

+    struct WHLST *w;

+

+    if (from)

+        w = wfrom;

+    else

+        w = wto;

+

+    while (w) {

+        if (!cli_regexec(&w->preg, addr, 0, NULL, 0))

+            return 1;

+        w = w->next;

+    }

+    return 0;

+}

+

+int smtpauth_init(const char *r)

+{

+    char *regex = NULL;

+

+    if (!strncmp(r, "file:", 5)) {

+        char buf[2048];

+        FILE *f    = fopen(r + 5, "r");

+        int rxsize = 0, rxavail = 0, rxused = 0;

+

+        if (!f) {

+            logg("!Cannot open allow list file '%s'\n", r + 5);

+            return 1;

+        }

+        while (fgets(buf, sizeof(buf), f) != NULL) {

+            int len;

+            char *ptr;

+

+            if (*buf == '#' || *buf == ':' || *buf == '!')

+                continue;

+            len = strlen(buf) - 1;

+            for (; len >= 0; len--) {

+                if (buf[len] != '\n' && buf[len] != '\r') break;

+                buf[len] = '\0';

+            }

+            if (len <= 0) continue;

+            if (len * 3 + 1 > rxavail) {

+                ptr   = regex;

+                regex = realloc(regex, rxsize + 2048);

+                if (!regex) {

+                    logg("!Cannot allocate memory for SkipAuthenticated file\n");

+                    fclose(f);

+                    return 1;

+                }

+                rxavail = 2048;

+                rxsize += 2048;

+                if (!ptr) {

+                    regex[0] = '^';

+                    regex[1] = '(';

+                    rxavail -= 2;

+                    rxused = 2;

+                }

+            }

+            ptr = buf;

+            while (*ptr) {

+                if ((*ptr >= 'A' && *ptr <= 'Z') || (*ptr >= 'a' && *ptr <= 'z') || (*ptr >= '0' && *ptr <= '9') || *ptr == '@') {

+                    regex[rxused] = *ptr;

+                    rxused++;

+                    rxavail--;

+                } else {

+                    regex[rxused]     = '[';

+                    regex[rxused + 1] = *ptr;

+                    regex[rxused + 2] = ']';

+                    rxused += 3;

+                    rxavail -= 3;

+                }

+                ptr++;

+            }

+            regex[rxused++] = '|';

+            rxavail--;

+        }

+        if (rxavail < 4 && !(regex = realloc(regex, rxsize + 4))) {

+            logg("!Cannot allocate memory for SkipAuthenticated file\n");

+            fclose(f);

+            return 1;

+        }

+        regex[rxused - 1] = ')';

+        regex[rxused]     = '$';

+        regex[rxused + 1] = '\0';

+        r                 = regex;

+        fclose(f);

+    }

+

+    if (cli_regcomp(&authreg, r, REG_ICASE | REG_NOSUB | REG_EXTENDED)) {

+        logg("!Failed to compile regex '%s' for SkipAuthenticated\n", r);

+        if (regex) free(regex);

+        return 1;

+    }

+    if (regex) free(regex);

+    skipauth = 1;

+    return 0;

+}

+

+int smtpauthed(const char *login)

+{

+    if (skipauth && !cli_regexec(&authreg, login, 0, NULL, 0))

+        return 1;

+    return 0;

+}

+

+/*

+ * Local Variables:

+ * mode: c

+ * c-basic-offset: 4

+ * tab-width: 8

+ * End:

+ * vim: set cindent smartindent autoindent softtabstop=4 shiftwidth=4 tabstop=8:

+ */

new file mode 100644

@@ -0,0 +1,30 @@

+/*

+ *  Copyright (C) 2013-2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

+ *  Copyright (C) 2008-2013 Sourcefire, Inc.

+ *

+ *  Author: aCaB <acab@clamav.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#ifndef _ALLOW_LIST_H

+#define _ALLOW_LIST_H

+

+int allow_list_init(const char *fname);

+void allow_list_free(void);

+int allowed(const char *addr, int from);

+int smtpauth_init(const char *r);

+int smtpauthed(const char *login);

+#endif

@@ -49,7 +49,7 @@

 #include "connpool.h"

 #include "netcode.h"

 #include "clamfi.h"

-#include "whitelist.h"

+#include "allow_list.h"

 #ifndef _WIN32

 #include <sys/wait.h>

@@ -80,7 +80,7 @@ static void milter_exit(int sig)

     logg_close();

     cpool_free();

     localnets_free();

-    whitelist_free();

+    allow_list_free();

 }

 int main(int argc, char **argv)

@@ -349,7 +349,7 @@ int main(int argc, char **argv)

         return 1;

     }

-    if ((opt = optget(opts, "Whitelist"))->enabled && whitelist_init(opt->strarg)) {

+    if (((opt = optget(opts, "Whitelist"))->enabled || (opt = optget(opts, "AllowList"))->enabled) && allow_list_init(opt->strarg)) {

         localnets_free();

         logg_close();

         optfree(opts);

@@ -358,7 +358,7 @@ int main(int argc, char **argv)

     if ((opt = optget(opts, "SkipAuthenticated"))->enabled && smtpauth_init(opt->strarg)) {

         localnets_free();

-        whitelist_free();

+        allow_list_free();

         logg_close();

         optfree(opts);

         return 1;

@@ -371,7 +371,7 @@ int main(int argc, char **argv)

         if (-1 == daemonize_parent_wait(user_name, logg_file)) {

             logg("!daemonize() failed\n");

             localnets_free();

-            whitelist_free();

+            allow_list_free();

             cpool_free();

             logg_close();

             optfree(opts);

@@ -410,7 +410,7 @@ int main(int argc, char **argv)

     if (!cp) {

         logg("!Failed to init the socket pool\n");

         localnets_free();

-        whitelist_free();

+        allow_list_free();

         logg_close();

         optfree(opts);

         return 1;

@@ -451,7 +451,7 @@ int main(int argc, char **argv)

         if (err) {

             localnets_free();

-            whitelist_free();

+            allow_list_free();

             logg_close();

             optfree(opts);

             return 2;

@@ -44,7 +44,7 @@

 #include "connpool.h"

 #include "netcode.h"

-#include "whitelist.h"

+#include "allow_list.h"

 #include "clamfi.h"

 #if __GNUC__ >= 3 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7)

@@ -87,7 +87,7 @@ struct CLAMFI {

     int alt;

     unsigned int totsz;

     unsigned int bufsz;

-    unsigned int all_whitelisted;

+    unsigned int all_allowed;

     unsigned int gotbody;

     unsigned int scanned_count;

     unsigned int status_count;

@@ -227,8 +227,8 @@ sfsistat clamfi_header(SMFICTX *ctx, char *headerf, char *headerv)

     if (!(cf = (struct CLAMFI *)smfi_getpriv(ctx)))

         return SMFIS_CONTINUE; /* whatever */

-    if (!cf->totsz && cf->all_whitelisted) {

-        logg("*Skipping scan (all destinations whitelisted)\n");

+    if (!cf->totsz && cf->all_allowed) {

+        logg("*Skipping scan (all destinations allowed)\n");

         nullify(ctx, cf, CF_NONE);

         free(cf);

         return SMFIS_ACCEPT;

@@ -712,8 +712,8 @@ sfsistat clamfi_envfrom(SMFICTX *ctx, char **argv)

         return SMFIS_ACCEPT;

     }

-    if (whitelisted(argv[0], 1)) {

-        logg("*Skipping scan for %s (whitelisted from)\n", argv[0]);

+    if (allowed(argv[0], 1)) {

+        logg("*Skipping scan for %s (allowed from)\n", argv[0]);

         return SMFIS_ACCEPT;

     }

@@ -724,7 +724,7 @@ sfsistat clamfi_envfrom(SMFICTX *ctx, char **argv)

     cf->totsz = 0;

     cf->bufsz = 0;

     cf->main = cf->alt  = -1;

-    cf->all_whitelisted = 1;

+    cf->all_allowed     = 1;

     cf->gotbody         = 0;

     cf->msg_subj = cf->msg_date = cf->msg_id = NULL;

     if (multircpt) {

@@ -747,8 +747,8 @@ sfsistat clamfi_envrcpt(SMFICTX *ctx, char **argv)

     if (!(cf = (struct CLAMFI *)smfi_getpriv(ctx)))

         return SMFIS_CONTINUE; /* whatever */

-    if (cf->all_whitelisted)

-        cf->all_whitelisted &= whitelisted(argv[0], 0);

+    if (cf->all_allowed)

+        cf->all_allowed &= allowed(argv[0], 0);

     if (multircpt) {

         void *new_rcpt = realloc(cf->recipients, (cf->nrecipients + 1) * sizeof(*(cf->recipients)));

deleted file mode 100644

@@ -1,229 +0,0 @@

-/*

- *  Copyright (C) 2013-2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

- *  Copyright (C) 2008-2013 Sourcefire, Inc.

- *

- *  Author: aCaB <acab@clamav.net>

- *

- *  This program is free software; you can redistribute it and/or modify

- *  it under the terms of the GNU General Public License version 2 as

- *  published by the Free Software Foundation.

- *

- *  This program is distributed in the hope that it will be useful,

- *  but WITHOUT ANY WARRANTY; without even the implied warranty of

- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

- *  GNU General Public License for more details.

- *

- *  You should have received a copy of the GNU General Public License

- *  along with this program; if not, write to the Free Software

- *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

- *  MA 02110-1301, USA.

- */

-

-#if HAVE_CONFIG_H

-#include "clamav-config.h"

-#endif

-

-#include <stdio.h>

-#include <string.h>

-#include <sys/types.h>

-

-// libclamav

-#include "regex/regex.h"

-

-// common

-#include "output.h"

-

-#include "whitelist.h"

-

-struct WHLST {

-    regex_t preg;

-    struct WHLST *next;

-};

-

-struct WHLST *wfrom = NULL;

-struct WHLST *wto   = NULL;

-

-int skipauth = 0;

-regex_t authreg;

-

-void whitelist_free(void)

-{

-    struct WHLST *w;

-    while (wfrom) {

-        w = wfrom->next;

-        cli_regfree(&wfrom->preg);

-        free(wfrom);

-        wfrom = w;

-    }

-    while (wto) {

-        w = wto->next;

-        cli_regfree(&wto->preg);

-        free(wto);

-        wto = w;

-    }

-}

-

-int whitelist_init(const char *fname)

-{

-    char buf[2048];

-    FILE *f;

-    struct WHLST *w;

-

-    if (!(f = fopen(fname, "r"))) {

-        logg("!Cannot open whitelist file '%s'\n", fname);

-        return 1;

-    }

-

-    while (fgets(buf, sizeof(buf), f) != NULL) {

-        struct WHLST **addto = &wto;

-        char *ptr            = buf;

-        int len;

-

-        if (*buf == '#' || *buf == ':' || *buf == '!')

-            continue;

-

-        if (!strncasecmp("From:", buf, 5)) {

-            ptr += 5;

-            addto = &wfrom;

-        } else if (!strncasecmp("To:", buf, 3))

-            ptr += 3;

-

-        len = strlen(ptr) - 1;

-        for (; len >= 0; len--) {

-            if (ptr[len] != '\n' && ptr[len] != '\r') break;

-            ptr[len] = '\0';

-        }

-        if (!len) continue;

-        if (!(w = (struct WHLST *)malloc(sizeof(*w)))) {

-            logg("!Out of memory loading whitelist file\n");

-            whitelist_free();

-            fclose(f);

-            return 1;

-        }

-        w->next  = (*addto);

-        (*addto) = w;

-        if (cli_regcomp(&w->preg, ptr, REG_ICASE | REG_NOSUB)) {

-            logg("!Failed to compile regex '%s' in whitelist file\n", ptr);

-            whitelist_free();

-            fclose(f);

-            return 1;

-        }

-    }

-    fclose(f);

-    return 0;

-}

-

-int whitelisted(const char *addr, int from)

-{

-    struct WHLST *w;

-

-    if (from)

-        w = wfrom;

-    else

-        w = wto;

-

-    while (w) {

-        if (!cli_regexec(&w->preg, addr, 0, NULL, 0))

-            return 1;

-        w = w->next;

-    }

-    return 0;

-}

-

-int smtpauth_init(const char *r)

-{

-    char *regex = NULL;

-

-    if (!strncmp(r, "file:", 5)) {

-        char buf[2048];

-        FILE *f    = fopen(r + 5, "r");

-        int rxsize = 0, rxavail = 0, rxused = 0;

-

-        if (!f) {

-            logg("!Cannot open whitelist file '%s'\n", r + 5);

-            return 1;

-        }

-        while (fgets(buf, sizeof(buf), f) != NULL) {

-            int len;

-            char *ptr;

-

-            if (*buf == '#' || *buf == ':' || *buf == '!')

-                continue;

-            len = strlen(buf) - 1;

-            for (; len >= 0; len--) {

-                if (buf[len] != '\n' && buf[len] != '\r') break;

-                buf[len] = '\0';

-            }

-            if (len <= 0) continue;

-            if (len * 3 + 1 > rxavail) {

-                ptr   = regex;

-                regex = realloc(regex, rxsize + 2048);

-                if (!regex) {

-                    logg("!Cannot allocate memory for SkipAuthenticated file\n");

-                    fclose(f);

-                    return 1;

-                }

-                rxavail = 2048;

-                rxsize += 2048;

-                if (!ptr) {

-                    regex[0] = '^';

-                    regex[1] = '(';

-                    rxavail -= 2;

-                    rxused = 2;

-                }

-            }

-            ptr = buf;

-            while (*ptr) {

-                if ((*ptr >= 'A' && *ptr <= 'Z') || (*ptr >= 'a' && *ptr <= 'z') || (*ptr >= '0' && *ptr <= '9') || *ptr == '@') {

-                    regex[rxused] = *ptr;

-                    rxused++;

-                    rxavail--;

-                } else {

-                    regex[rxused]     = '[';

-                    regex[rxused + 1] = *ptr;

-                    regex[rxused + 2] = ']';

-                    rxused += 3;

-                    rxavail -= 3;

-                }

-                ptr++;

-            }

-            regex[rxused++] = '|';

-            rxavail--;

-        }

-        if (rxavail < 4 && !(regex = realloc(regex, rxsize + 4))) {

-            logg("!Cannot allocate memory for SkipAuthenticated file\n");

-            fclose(f);

-            return 1;

-        }

-        regex[rxused - 1] = ')';

-        regex[rxused]     = '$';

-        regex[rxused + 1] = '\0';

-        r                 = regex;

-        fclose(f);

-    }

-

-    if (cli_regcomp(&authreg, r, REG_ICASE | REG_NOSUB | REG_EXTENDED)) {

-        logg("!Failed to compile regex '%s' for SkipAuthenticated\n", r);

-        if (regex) free(regex);

-        return 1;

-    }

-    if (regex) free(regex);

-    skipauth = 1;

-    return 0;

-}

-

-int smtpauthed(const char *login)

-{

-    if (skipauth && !cli_regexec(&authreg, login, 0, NULL, 0))

-        return 1;

-    return 0;

-}

-

-/*

- * Local Variables:

- * mode: c

- * c-basic-offset: 4

- * tab-width: 8

- * End:

- * vim: set cindent smartindent autoindent softtabstop=4 shiftwidth=4 tabstop=8:

- */

deleted file mode 100644

@@ -1,30 +0,0 @@

-/*

- *  Copyright (C) 2013-2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

- *  Copyright (C) 2008-2013 Sourcefire, Inc.

- *

- *  Author: aCaB <acab@clamav.net>

- *

- *  This program is free software; you can redistribute it and/or modify

- *  it under the terms of the GNU General Public License version 2 as

- *  published by the Free Software Foundation.

- *

- *  This program is distributed in the hope that it will be useful,

- *  but WITHOUT ANY WARRANTY; without even the implied warranty of

- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

- *  GNU General Public License for more details.

- *

- *  You should have received a copy of the GNU General Public License

- *  along with this program; if not, write to the Free Software

- *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

- *  MA 02110-1301, USA.

- */

-

-#ifndef _WHITELIST_H

-#define _WHITELIST_H

-

-int whitelist_init(const char *fname);

-void whitelist_free(void);

-int whitelisted(const char *addr, int from);

-int smtpauth_init(const char *r);

-int smtpauthed(const char *login);

-#endif

@@ -458,9 +458,9 @@ const struct clam_option __clam_options[] = {

     {"OnAccessExcludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows excluding directories from on-access scanning. It can\nbe used multiple times. Only works with DDD system.", "/home/bofh\n/root"},

-    {"OnAccessExcludeRootUID", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD, "Use this option to whitelist the root UID (0) and allow any processes run under root to access all watched files without triggering scans.", "no"},

+    {"OnAccessExcludeRootUID", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD, "Use this option to exclude the root UID (0) and allow any processes run under root to access all watched files without triggering scans.", "no"},

-    {"OnAccessExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can whitelist specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line). Using a value of 0 on any line will disable this option entirely. To whitelist the root UID please enable the OnAccessExcludeRootUID option.", "0"},

+    {"OnAccessExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can exclude specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line). Using a value of 0 on any line will disable this option entirely. To exclude the root UID please enable the OnAccessExcludeRootUID option.", "0"},

     {"OnAccessExcludeUname", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows exclusions via user names when using the on-access scanning client. It can\nbe used multiple times.", "clamuser"},

@@ -605,7 +605,9 @@ const struct clam_option __clam_options[] = {

     {"Chroot", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "Chroot to the specified directory.\nChrooting is performed just after reading the config file and before\ndropping privileges.", "/newroot"},

-    {"Whitelist", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "This option specifies a file which contains a list of basic POSIX regular\nexpressions. Addresses (sent to or from - see below) matching these regexes\nwill not be scanned.  Optionally each line can start with the string \"From:\"\nor \"To:\" (note: no whitespace after the colon) indicating if it is,\nrespectively, the sender or recipient that is to be whitelisted.\nIf the field is missing, \"To:\" is assumed.\nLines starting with #, : or ! are ignored.", "/etc/whitelisted_addresses"},

+    {"AllowList", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "This option specifies a file which contains a list of basic POSIX regular\nexpressions. Addresses (sent to or from - see below) matching these regexes\nwill not be scanned.  Optionally each line can start with the string \"From:\"\nor \"To:\" (note: no whitespace after the colon) indicating if it is,\nrespectively, the sender or recipient that is to be allowed.\nIf the field is missing, \"To:\" is assumed.\nLines starting with #, : or ! are ignored.", "/etc/allowed_addresses"},

+    // The Whitelist option should remain functional for a version or two, but has been deprecated in the documentation in favor of "AllowList".

+    {"Whitelist", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "This option specifies a file which contains a list of basic POSIX regular\nexpressions. Addresses (sent to or from - see below) matching these regexes\nwill not be scanned.  Optionally each line can start with the string \"From:\"\nor \"To:\" (note: no whitespace after the colon) indicating if it is,\nrespectively, the sender or recipient that is to be allowed.\nIf the field is missing, \"To:\" is assumed.\nLines starting with #, : or ! are ignored.", "/etc/allowed_addresses"},

     {"SkipAuthenticated", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "Messages from authenticated SMTP users matching this extended POSIX\nregular expression (egrep-like) will not be scanned.\nAs an alternative, a file containing a plain (not regex) list of names (one\nper line) can be specified using the prefix \"file:\".\ne.g. SkipAuthenticated file:/etc/good_guys\n\nNote: this is the AUTH login name!", "SkipAuthenticated ^(tom|dick|henry)$"},

@@ -1,29 +1,29 @@

 .TH "clamav-milter.conf" "5" "Feb 25, 2009" "ClamAV @VERSION@" "Clam AntiVirus"

 .SH "NAME"

-.LP 

+.LP

 \fBclamav-milter.conf\fR \- Configuration file for clamav-milter

 .SH "DESCRIPTION"

-.LP 

+.LP

 clamav-milter.conf contains the configuration options for clamav-milter(8).

 .SH "FILE FORMAT"

 The file consists of comments and options with arguments. Each line which starts with a hash (\fB#\fR) symbol is ignored by the parser. Options and arguments are case sensitive and of the form \fBOption Argument\fR. The arguments are of the following types:

-.TP 

+.TP

 \fBBOOL\fR

 Boolean value (yes/no or true/false or 1/0).

-.TP 

+.TP

 \fBSTRING\fR

 String without blank characters.

-.TP 

+.TP

 \fBSIZE\fR

 Size in bytes. You can use 'M' or 'm' modifiers for megabytes and 'K' or 'k' for kilobytes.

-.TP 

+.TP

 \fBNUMBER\fR

 Unsigned integer.

 .SH "MAIN OPTIONS"

-.TP 

+.TP

 \fBExample\fR

 If this option is set clamav-milter will not run.

-.TP 

+.TP

 \fBMilterSocket STRING\fR

 Define the interface through which we communicate with sendmail. This option is mandatory!

 .br

@@ -34,19 +34,19 @@ Possible formats are:

 inet:port@[hostname|ip-address] - to specify an ipv4 socket

 .br

 inet6:port@[hostname|ip-address] - to specify an ipv6 socket

-.br 

+.br

 Default: unset

-.TP 

+.TP

 \fBMilterSocketGroup STRING\fR

 Define the group ownership for the (unix) milter socket.

 .br

 Default: disabled (the primary group of the user running clamd)

-.TP 

+.TP

 \fBMilterSocketMode STRING\fR

 Sets the permissions on the (unix) milter socket to the specified mode.

 .br

 Default: disabled (obey umask)

-.TP 

+.TP

 \fBFixStaleSocket BOOL\fR

 Remove stale socket after unclean shutdown.

 .br

@@ -56,33 +56,33 @@ Default: yes

 Run as another user (clamav-milter must be started by root for this option to work)

 .br

 Default: unset (don\'t drop privileges)

-.TP 

+.TP

 \fBReadTimeout NUMBER\fR

 Waiting for data from clamd will timeout after this time (seconds).

-.br 

+.br

 Default: 120

-.TP 

+.TP

 \fBForeground BOOL\fR

 Don\'t fork into background.

-.br 

+.br

 Default: no

-.TP 

+.TP

 \fBChroot STRING\fR

 Chroot to the specified directory. Chrooting is performed just after reading the config file and before dropping privileges.

 .br

 Default: unset (don\'t chroot)

-.TP 

+.TP

 \fBPidFile STRING\fR

 Save the process identifier of a clamav-milter (main thread) to a specified file.

-.br 

+.br

 Default: disabled

-.TP 

+.TP

 \fBTemporaryDirectory STRING\fR

 Optional path to the global temporary directory.

-.br 

+.br

 Default: system specific (usually /tmp or /var/tmp).

 .SH "CLAMD OPTIONS"

-.TP 

+.TP

 \fBClamdSocket STRING\fR

 Define the clamd socket to connect to for scanning. This option is mandatory! Syntax:

 .br

@@ -102,22 +102,22 @@ This option can be repeated several times with different sockets or even with th

 .br

 Default: no default

 .SH "EXCLUSIONS"

-.TP 

+.TP

 \fBLocalNet STRING\fR

 Messages originating from these hosts/networks will not be scanned. This option takes a host(name)/mask pair in CIRD notation and can be repeated several times. If "/mask" is omitted, a host is assumed. To specify a locally originated, non-smtp, email use the keyword "local"

 .br

 Default: unset (scan everything regardless of the origin)

-.TP 

-\fBWhitelist STRING\fR

-This option specifies a file which contains a list of basic POSIX regular expressions. Addresses (sent to or from - see below) matching these regexes  will not be scanned.  Optionally each line can start with the string "From:" or "To:" (note: no whitespace after the colon) indicating if it is,  respectively, the sender or recipient that is to be whitelisted. If the field is missing, "To:" is assumed.  Lines starting with #, : or ! are ignored.

+.TP

+\fBAllowList STRING\fR

+This option specifies a file which contains a list of basic POSIX regular expressions. Addresses (sent to or from - see below) matching these regexes  will not be scanned.  Optionally each line can start with the string "From:" or "To:" (note: no whitespace after the colon) indicating if it is,  respectively, the sender or recipient that is to be allowed. If the field is missing, "To:" is assumed.  Lines starting with #, : or ! are ignored.

 .br