@@ -33,6 +33,8 @@ clamav_milter_SOURCES = \

     $(top_srcdir)/shared/misc.h \

     $(top_srcdir)/shared/options.c \

     $(top_srcdir)/shared/options.h \

+    whitelist.c \

+    whitelist.h \

     connpool.c \

     connpool.h \

     netcode.c \

@@ -77,14 +77,16 @@ am__clamav_milter_SOURCES_DIST = $(top_srcdir)/shared/cfgparser.c \

 	$(top_srcdir)/shared/output.h $(top_srcdir)/shared/getopt.c \

 	$(top_srcdir)/shared/getopt.h $(top_srcdir)/shared/misc.c \

 	$(top_srcdir)/shared/misc.h $(top_srcdir)/shared/options.c \

-	$(top_srcdir)/shared/options.h connpool.c connpool.h netcode.c \

-	netcode.h clamfi.c clamfi.h clamav-milter.c

+	$(top_srcdir)/shared/options.h whitelist.c whitelist.h \

+	connpool.c connpool.h netcode.c netcode.h clamfi.c clamfi.h \

+	clamav-milter.c

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@am_clamav_milter_OBJECTS =  \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@	cfgparser.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@	output.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@	getopt.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@	misc.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@	options.$(OBJEXT) \

+@BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@	whitelist.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@	connpool.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@	netcode.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@	clamfi.$(OBJEXT) \

@@ -279,6 +281,8 @@ top_srcdir = @top_srcdir@

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@    $(top_srcdir)/shared/misc.h \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@    $(top_srcdir)/shared/options.c \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@    $(top_srcdir)/shared/options.h \

+@BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@    whitelist.c \

+@BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@    whitelist.h \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@    connpool.c \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@    connpool.h \

 @BUILD_CLAMD_TRUE@@HAVE_MILTER_TRUE@    netcode.c \

@@ -387,6 +391,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/netcode.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/options.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/output.Po@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whitelist.Po@am__quote@

 .c.o:

 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<

@@ -42,7 +42,7 @@

 #include "connpool.h"

 #include "netcode.h"

 #include "clamfi.h"

-

+#include "whitelist.h"

 struct smfiDesc descr = {

     "ClamAV", 		/* filter name */

@@ -214,6 +214,12 @@ int main(int argc, char **argv) {

 	return 1;

     }

+    if((cpt = cfgopt(copt, "Whitelist"))->enabled && whitelist_init(cpt->strarg)) {

+	localnets_free();

+	logg_close();

+	freecfg(copt);

+	return 1;

+    }

     /* FIXME: find a place for these:

      * maxthreads = cfgopt(copt, "MaxThreads")->numarg;

@@ -239,18 +245,24 @@ int main(int argc, char **argv) {

     umask(0007);

     if(!(my_socket = cfgopt(copt, "MilterSocket")->strarg)) {

 	logg("!Please configure the MilterSocket directive\n");

+	localnets_free();

+	whitelist_free();

 	logg_close();

 	freecfg(copt);

 	return 1;

     }

     if(smfi_setconn(my_socket) == MI_FAILURE) {

 	logg("!smfi_setconn failed\n");

+	localnets_free();

+	whitelist_free();

 	logg_close();

 	freecfg(copt);

 	return 1;

     }

     if(smfi_register(descr) == MI_FAILURE) {

 	logg("!smfi_register failed\n");

+	localnets_free();

+	whitelist_free();

 	logg_close();

 	freecfg(copt);

 	return 1;

@@ -258,6 +270,8 @@ int main(int argc, char **argv) {

     cpt = cfgopt(copt, "FixStaleSocket");

     if(smfi_opensocket(cpt->enabled) == MI_FAILURE) {

 	logg("!Failed to create socket %s\n", my_socket);

+	localnets_free();

+	whitelist_free();

 	logg_close();

 	freecfg(copt);

 	return 1;

@@ -269,6 +283,8 @@ int main(int argc, char **argv) {

     cpool_init(copt);

     if (!cp) {

 	logg("!Failed to init the socket pool\n");

+	localnets_free();

+	whitelist_free();

 	logg_close();

 	freecfg(copt);

 	return 1;

@@ -277,6 +293,8 @@ int main(int argc, char **argv) {

     if(!cfgopt(copt, "Foreground")->enabled) {

 	if(daemonize() == -1) {

 	    logg("!daemonize() failed\n");

+	    localnets_free();

+	    whitelist_free();

 	    cpool_free();

 	    logg_close();

 	    return 1;

@@ -293,8 +311,11 @@ int main(int argc, char **argv) {

     logg_close();

     cpool_free();

     localnets_free();

+    whitelist_free();

+

     return ret;

 }

+

 /*

  * Local Variables:

  * mode: c

new file mode 100644

@@ -0,0 +1,124 @@

+/*

+ *  Copyright (C)2008 Sourcefire, Inc.

+ *

+ *  Author: aCaB <acab@clamav.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#include <stdio.h>

+#include <string.h>

+#include <sys/types.h>

+#include <regex.h>

+

+#include "shared/output.h"

+

+struct WHLST {

+    regex_t preg;

+    struct WHLST *next;

+};

+

+struct WHLST *wfrom = NULL;

+struct WHLST *wto = NULL;

+

+void whitelist_free(void) {

+    struct WHLST *w;

+    while(wfrom) {

+	w = wfrom->next;

+	regfree(&wfrom->preg);

+	free(wfrom);

+	wfrom = w;

+    }

+    while(wto) {

+	w = wfrom->next;

+	regfree(&wto->preg);

+	free(wto);

+	wto = w;

+    }

+}

+

+int whitelist_init(const char *fname) {

+    char buf[2048];

+    FILE *f;

+    struct WHLST *w;

+

+    if(!(f = fopen(fname, "r"))) {

+	logg("!Cannot open whitelist file\n");

+	return 1;

+    }

+

+    while(fgets(buf, sizeof(buf), f) != NULL) {

+	struct WHLST **addto = &wto;

+	char *ptr = buf;

+	int len;

+

+	if(*buf == '#' || *buf == ':' || *buf == '!')

+	    continue;

+

+	if(!strncasecmp("From:", buf, 5)) {

+	    ptr+=5;

+	    addto = &wfrom;

+	} else if (!strncasecmp("To:", buf, 3))

+	    ptr+=3;

+

+	len = strlen(ptr) - 1;

+	for(;len>=0; len--) {

+	    if(buf[len] != '\n' && buf[len] != '\r') break;

+	    buf[len] = '\0';

+	}

+	if(!len) continue;

+	if (!(w = (struct WHLST *)malloc(sizeof(*w)))) {

+	    logg("!Out of memory loading whitelist\n");

+	    whitelist_free();

+	    return 1;

+	}

+	w->next = (*addto)->next;

+	(*addto) = w;

+	if (regcomp(&w->preg, ptr, REG_ICASE|REG_NOSUB)) {

+	    logg("!Failed to compile regex '%s'\n", ptr);

+	    whitelist_free();

+	    return 1;

+	}

+    }

+    return 0;

+}

+

+

+int whitelisted(const char *e, int from) {

+    struct WHLST *w;

+

+    if(from) w = wfrom;

+    else w = wto;

+    while(w) {

+	if(!regexec(&w->preg, e, 0, NULL, 0))

+	    return 1;

+	w = w->next;

+    }

+    return 0;

+}

+

+

+/*

+ * Local Variables:

+ * mode: c

+ * c-basic-offset: 4

+ * tab-width: 8

+ * End: 

+ * vim: set cindent smartindent autoindent softtabstop=4 shiftwidth=4 tabstop=8: 

+ */

new file mode 100644

@@ -0,0 +1,7 @@

+#ifndef _WHITELIST_H

+#define _WHITELIST_H

+

+int whitelist_init(const char *fname);

+void whitelist_free(void);

+

+#endif

@@ -16,39 +16,48 @@ Example

 # [[unix|local]:]/path/to/file - to specify a unix domain socket

 # inet:port@[hostname|ip-address] - to specify an ipv4 socket

 # inet6:port@[hostname|ip-address] - to specify an ipv6 socket

-#Default: no default

+#

+# Default: no default

 ##MilterSocket /tmp/clamav-milter.socket

 ##MilterSocket inet:7357

 # Remove stale socket after unclean shutdown.

+#

 # Default: yes

 ##FixStaleSocket yes

 # Maximum number of threads running at the same time.

+#

 # Default: 10

 ##MaxThreads 20

 # Run as another user (clamav-milter must be started by root for this option to work)

-# Default: don't drop privileges

+#

+# Default: unset (don't drop privileges)

 ##User clamav

 # Initialize supplementary group access (clamd must be started by root).

+#

 # Default: no

 ##AllowSupplementaryGroups no

 # Waiting for data from clamd will timeout after this time (seconds).

 # Value of 0 disables the timeout.

+#

 # Default: 120

 ##ReadTimeout 300

 # Don't fork into background.

+#

 # Default: no

 ##Foreground yes

 # Chroot to the specified directory.

 # Chrooting is performed just after reading the config file and before dropping privileges.

+#

 # Default: unset (don't chroot)

-#Chroot /newroot

+##Chroot /newroot

+

 ##

 ## Clamd options

@@ -88,11 +97,23 @@ Example

 # This option takes a host(name)/mask pair in CIRD notation and can be

 # repeated several times. If "/mask" is omitted, a host is assumed.

 # To specify a locally orignated, non-smtp, email use the keyword "local"

+#

 # Default: unset (scan everything regardless of the origin)

 #LocalNet local

 #LocalNet 192.168.0.0/24

 #LocalNet 1111:2222:3333::/48

+# This option specifies a file which contains a list of e-mail addresses.

+# E-mails sent to or from these addresses will NOT be checked.

+# The file consists of a list of addresses, each address on a line enclosed

+# in angle brackets (e.g. <foo@bar.com>).

+# Optionally each line can start with the string "To:" or "From:" indicating

+# if it is the sender or recipient that is to be whitelisted. If the field

+# is missing, the default is "To:". Lines starting with #, : or ! are ignored.

+#

+# Default unset (no exclusion applied)

+#Whitelist /etc/whitelisted_addresses

+

 ##

 ## Actions

@@ -142,12 +163,14 @@ Example

 # Uncomment this option to enable logging.

 # LogFile must be writable for the user running daemon.

 # A full path is required.

+#

 # Default: disabled

 ##LogFile /tmp/clamav-milter.log

 # By default the log file is locked for writing - the lock protects against

 # running clamav-milter multiple times.

 # This option disables log file locking.

+#

 # Default: no

 ##LogFileUnlock yes

@@ -156,28 +179,34 @@ Example

 # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)

 # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size

 # in bytes just don't use modifiers.

+#

 # Default: 1M

 ##LogFileMaxSize 2M

 # Log time with each message.

+#

 # Default: no

 ##LogTime yes

 # Also log clean files. Useful in debugging but drastically increases the

 # log size.

+#

 # Default: no

 ##LogClean yes

 # Use system logger (can work together with LogFile).

+#

 # Default: no

 ##LogSyslog yes

 # Specify the type of syslog messages - please refer to 'man syslog'

 # for facility names.

+#

 # Default: LOG_LOCAL6

 ##LogFacility LOG_MAIL

 # Enable verbose logging.

+#

 # Default: no

 ##LogVerbose yes

@@ -225,7 +254,7 @@ Example

 #Todo

-#-C --chroot

+##-C --chroot

 #-D --debug

 #-i --pidfile

 ##-I --ignore