
bb11978 - onas: onas_fan_checkowner(): distinguish EACCES and ENOENT stat() failures; clean up documentation.

James Ralston authored on 2017/12/14 04:48:16
Showing 3 changed files
... ...
@@ -815,14 +815,15 @@ onas_fan_checkowner (int pid, const struct optstruct *opts)
815 815
         return 1;
816 816
     }
817 817
 
818
-    /* check to see if we even need to stat /proc */
818
+    /* look up options */
819 819
     opt = optget (opts, "OnAccessExcludeUID");
820 820
     opt_root = optget (opts, "OnAccessExcludeRootUID");
821 821
 
822
+    /* we can return immediately if no uid exclusions were requested */
822 823
     if (!(opt->enabled || opt_root->enabled))
823 824
         return 0;
824 825
 
825
-    /* if we can stat OK */
826
+    /* perform exclusion checks if we can stat OK */
826 827
     snprintf (path, sizeof (path), "/proc/%u", pid);
827 828
     if (CLAMSTAT (path, &sb) == 0) {
828 829
         /* check all our non-root UIDs first */
... ...
@@ -839,8 +840,11 @@ onas_fan_checkowner (int pid, const struct optstruct *opts)
839 839
             if (0 == (long long) sb.st_uid)
840 840
                 return 1;
841 841
         }
842
-    } else {
843
-        logg("*Could not stat /proc to exclude UIDs...consider checking your SELinux policy.");
842
+    } else if (errno == EACCES) {
843
+        logg("*Permission denied to stat /proc/%d to exclude UIDs... perhaps SELinux denial?\n", pid);
844
+    } else if (errno == ENOENT) {
845
+        /* FIXME: should this be configurable? */
846
+        logg("$/proc/%d vanished before UIDs could be excluded; scanning anyway\n", pid);
844 847
     }
845 848
 
846 849
     return 0;
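Review bot: In the second hunk, a stat() failure with any errno other than EACCES or ENOENT now falls through the `else if` chain without logging anything, whereas the removed bare `else` reported every failure. A closing branch such as `} else { logg("*Could not stat /proc/%d to exclude UIDs: %s\n", pid, strerror(errno)); }` would keep those cases visible to an operator whose configured UID exclusions are silently not being applied (this assumes `strerror` is already declared in this file). Falling through to `return 0` appears to mean "not excluded", so the access is still scanned; that is the safe direction on failure and should stay as it is. The function starts before the first hunk and ends after the second, so any errno handling elsewhere in it is not visible here.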
... ...
@@ -658,11 +658,18 @@ This option allows excluding directories from on-access scanning. It can be used
658 658
 .br
659 659
 Default: disabled
660 660
 .TP
661
+\fBOnAccessExcludeRootUID BOOL\fR
662
+With this option you can whitelist the root UID (0). Processes run under root with be able to access all files without triggering scans or permission denied events.
663
+.br
664
+Default: no
665
+.TP
661 666
 \fBOnAccessExcludeUID NUMBER\fR
662 667
 With this option you can whitelist specific UIDs. Processes with these UIDs will be able to access all files.
663 668
 .br
664 669
 This option can be used multiple times (one per line).
665 670
 .br
671
+Note: using a value of 0 on any line will disable this option entirely. To whitelist the root UID (0) please enable the OnAccessExcludeRootUID option.
672
+.br
666 673
 Default: disabled
667 674
 .TP
668 675
 \fBOnAccessMaxFileSize SIZE\fR
... ...
@@ -612,8 +612,8 @@ Example
612 612
 # With this option you can whitelist the root UID (0). Processes run under
613 613
 # root with be able to access all files without triggering scans or
614 614
 # permission denied events.
615
-# Default: disabled
616
-#OnAccessExcludeRootUID 0
615
+# Default: no
616
+#OnAccessExcludeRootUID no
617 617
 
618 618
 # With this option you can whitelist specific UIDs. Processes with these UIDs
619 619
 # will be able to access all files without triggering scans or permission