Browse code
fanotify: adding option to watch and notify on mountpoints.
Mickey Sola authored on 2015/09/15 00:46:35Showing 3 changed files
| ... | ... |
@@ -85,13 +85,7 @@ static int onas_fan_scanfile(int fan_fd, const char *fname, struct fanotify_even |
| 85 | 85 |
logg("ScanOnAccess: %s: %s FOUND\n", fname, virname);
|
| 86 | 86 |
virusaction(fname, virname, tharg->opts); |
| 87 | 87 |
|
| 88 |
- if(!optget(tharg->opts, "OnAccessPreventRead")->enabled && fmd->mask & FAN_ACCESS_PERM) {
|
|
| 89 |
- res.response = FAN_ALLOW; |
|
| 90 |
- } else if(!optget(tharg->opts, "OnAccessPreventOpen")->enabled && fmd->mask & FAN_OPEN_PERM) {
|
|
| 91 |
- res.response = FAN_ALLOW; |
|
| 92 |
- } else {
|
|
| 93 |
- res.response = FAN_DENY; |
|
| 94 |
- } |
|
| 88 |
+ res.response = FAN_DENY; |
|
| 95 | 89 |
} |
| 96 | 90 |
|
| 97 | 91 |
if(fmd->mask & FAN_ALL_PERM_EVENTS) {
|
| ... | ... |
@@ -112,7 +106,7 @@ void *onas_fan_th(void *arg) |
| 112 | 112 |
short int scan; |
| 113 | 113 |
int sizelimit = 0, extinfo; |
| 114 | 114 |
STATBUF sb; |
| 115 |
- uint64_t fan_mask = FAN_OPEN_PERM | FAN_ACCESS_PERM | FAN_EVENT_ON_CHILD; |
|
| 115 |
+ uint64_t fan_mask = FAN_ACCESS_PERM | FAN_OPEN_PERM | FAN_EVENT_ON_CHILD; |
|
| 116 | 116 |
fd_set rfds; |
| 117 | 117 |
char buf[4096]; |
| 118 | 118 |
ssize_t bread; |
| ... | ... |
@@ -167,7 +161,18 @@ void *onas_fan_th(void *arg) |
| 167 | 167 |
fan_mask |= FAN_OPEN; |
| 168 | 168 |
} |
| 169 | 169 |
|
| 170 |
- if (!optget(tharg->opts, "OnAccessDisableDDD")->enabled) {
|
|
| 170 |
+ if ((pt = optget(tharg->opts, "OnAccessMountPath"))->enabled) {
|
|
| 171 |
+ while(pt) {
|
|
| 172 |
+ if(fanotify_mark(onas_fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT, |
|
| 173 |
+ FAN_OPEN | FAN_ACCESS | FAN_EVENT_ON_CHILD, onas_fan_fd, pt->strarg) != 0) {
|
|
| 174 |
+ logg("!ScanOnAccess: Can't include mountpoint '%s'\n", pt->strarg);
|
|
| 175 |
+ return NULL; |
|
| 176 |
+ } else |
|
| 177 |
+ logg("ScanOnAccess: Protecting '%s' and rest of mount.\n", pt->strarg);
|
|
| 178 |
+ pt = (struct optstruct *) pt->nextarg; |
|
| 179 |
+ } |
|
| 180 |
+ |
|
| 181 |
+ } else if (!optget(tharg->opts, "OnAccessDisableDDD")->enabled) {
|
|
| 171 | 182 |
do {
|
| 172 | 183 |
if(pthread_attr_init(&ddd_attr)) break; |
| 173 | 184 |
pthread_attr_setdetachstate(&ddd_attr, PTHREAD_CREATE_JOINABLE); |
| ... | ... |
@@ -556,6 +556,14 @@ Example |
| 556 | 556 |
# Default: no |
| 557 | 557 |
#ScanOnAccess yes |
| 558 | 558 |
|
| 559 |
+# Set the mount point to be scanned. The mount point specified, or the mount point |
|
| 560 |
+# containing the specified directory will be watched. If any directories are specified, |
|
| 561 |
+# this option will preempt the DDD system. This will notify only. It can be used multiple times. |
|
| 562 |
+# (On-access scan only) |
|
| 563 |
+# Default: disabled |
|
| 564 |
+#OnAccessMountPath / |
|
| 565 |
+#OnAccessMountPath /home/user |
|
| 566 |
+ |
|
| 559 | 567 |
# Don't scan files larger than OnAccessMaxFileSize |
| 560 | 568 |
# Value of 0 disables the limit. |
| 561 | 569 |
# Default: 5M |
| ... | ... |
@@ -392,6 +392,8 @@ const struct clam_option __clam_options[] = {
|
| 392 | 392 |
/* OnAccess settings */ |
| 393 | 393 |
{ "ScanOnAccess", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD, "This option enables on-access scanning (Linux only)", "no" },
|
| 394 | 394 |
|
| 395 |
+ { "OnAccessMountPath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option specifies a directory or mount point which should be scanned on access. The mount point specified, or the mount point containing the specified directory will be watched, but only notifications will occur. If any directories are specified, this option will preempt the DDD system. It can also be used multiple times.", "/\n/home/user" },
|
|
| 396 |
+ |
|
| 395 | 397 |
{ "OnAccessIncludePath", "on-access-include", 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option specifies a directory (including all files and directories\ninside it), which should be scanned on access. This option can\nbe used multiple times.", "/home\n/students" },
|
| 396 | 398 |
|
| 397 | 399 |
{ "OnAccessExcludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows excluding directories from on-access scanning. It can\nbe used multiple times. Only works with DDD system.", "/home/bofh\n/root" },
|
| ... | ... |
@@ -400,7 +402,7 @@ const struct clam_option __clam_options[] = {
|
| 400 | 400 |
|
| 401 | 401 |
{ "OnAccessMaxFileSize", NULL, 0, CLOPT_TYPE_SIZE, MATCH_SIZE, 5242880, NULL, 0, OPT_CLAMD, "Files larger than this value will not be scanned in on access.", "5M" },
|
| 402 | 402 |
|
| 403 |
- { "OnAccessDisableDDD", "disable-ddd", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "This option toggles the dynamic directory determination system for on-access scanning (Linux only)", "no" },
|
|
| 403 |
+ { "OnAccessDisableDDD", "disable-ddd", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "This option toggles the dynamic directory determination system for on-access scanning (Linux only).", "no" },
|
|
| 404 | 404 |
|
| 405 | 405 |
{ "OnAccessPreventRead", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD, "This option specifies is fanotify will prevent read attempts on malicious files (Linux only)", "yes" },
|
| 406 | 406 |
|