@@ -47,6 +47,8 @@ clamd_SOURCES = \

     others.c \

     others.h \

     shared.h \

+    onaccess_others.c \

+    onaccess_others.h \

     onaccess_fan.c \

     onaccess_fan.h \

     onaccess_ddd.c \

@@ -173,8 +173,9 @@ am__clamd_SOURCES_DIST = $(top_srcdir)/shared/output.c \

 	$(top_srcdir)/shared/misc.h clamd.c tcpserver.c tcpserver.h \

 	localserver.c localserver.h session.c session.h thrmgr.c \

 	thrmgr.h server-th.c server.h scanner.c scanner.h others.c \

-	others.h shared.h onaccess_fan.c onaccess_fan.h onaccess_ddd.c \

-	onaccess_ddd.h onaccess_hash.c onaccess_hash.h onaccess_scth.c \

+	others.h shared.h onaccess_others.c onaccess_others.h \

+	onaccess_fan.c onaccess_fan.h onaccess_ddd.c onaccess_ddd.h \

+	onaccess_hash.c onaccess_hash.h onaccess_scth.c \

 	onaccess_scth.h priv_fts.h fts.c

 @BUILD_CLAMD_TRUE@@SYSTEM_LFS_FTS_FALSE@am__objects_1 = fts.$(OBJEXT)

 @BUILD_CLAMD_TRUE@am_clamd_OBJECTS = output.$(OBJEXT) \

@@ -184,6 +185,7 @@ am__clamd_SOURCES_DIST = $(top_srcdir)/shared/output.c \

 @BUILD_CLAMD_TRUE@	localserver.$(OBJEXT) session.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@	thrmgr.$(OBJEXT) server-th.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@	scanner.$(OBJEXT) others.$(OBJEXT) \

+@BUILD_CLAMD_TRUE@	onaccess_others.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@	onaccess_fan.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@	onaccess_ddd.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@	onaccess_hash.$(OBJEXT) \

@@ -492,6 +494,7 @@ top_srcdir = @top_srcdir@

 @BUILD_CLAMD_TRUE@	localserver.h session.c session.h thrmgr.c \

 @BUILD_CLAMD_TRUE@	thrmgr.h server-th.c server.h scanner.c \

 @BUILD_CLAMD_TRUE@	scanner.h others.c others.h shared.h \

+@BUILD_CLAMD_TRUE@	onaccess_others.c onaccess_others.h \

 @BUILD_CLAMD_TRUE@	onaccess_fan.c onaccess_fan.h onaccess_ddd.c \

 @BUILD_CLAMD_TRUE@	onaccess_ddd.h onaccess_hash.c \

 @BUILD_CLAMD_TRUE@	onaccess_hash.h onaccess_scth.c \

@@ -623,6 +626,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/onaccess_ddd.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/onaccess_fan.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/onaccess_hash.Po@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/onaccess_others.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/onaccess_scth.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optparser.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/others.Po@am__quote@

@@ -44,9 +44,8 @@

 #include "shared/optparser.h"

 #include "shared/output.h"

+#include "onaccess_others.h"

 #include "server.h"

-#include "others.h"

-#include "scanner.h"

 #include "onaccess_fan.h"

 #include "onaccess_hash.h"

@@ -73,23 +72,27 @@ static void onas_fan_exit(int sig)

 static int onas_fan_scanfile(int fan_fd, const char *fname, struct fanotify_event_metadata *fmd, int scan, int extinfo, struct thrarg *tharg)

 {

 	struct fanotify_response res;

-	struct cb_context context;

 	const char *virname;

 	int ret = 0;

     res.fd = fmd->fd;

     res.response = FAN_ALLOW;

-    context.filename = fname;

+    /*context.filename = fname;

     context.virsize = 0;

-    context.scandata = NULL;

-    if(scan && cl_scandesc_callback(fmd->fd, &virname, NULL, tharg->engine, tharg->options, &context) == CL_VIRUS) {

+    context.scandata = NULL;*/

+   /* if(scan && onas_scan(fmd->fd, &virname, NULL, tharg->engine, tharg->options, &context) == CL_VIRUS) {

 	if(extinfo && context.virsize)

 	    logg("ScanOnAccess: %s: %s(%s:%llu) FOUND\n", fname, virname, context.virhash, context.virsize);

 	else

 	    logg("ScanOnAccess: %s: %s FOUND\n", fname, virname);

-	virusaction(fname, virname, tharg->opts);

-

-	res.response = FAN_DENY;

+	virusaction(fname, virname, tharg->opts);*/

+    if (scan) {

+        if (onas_scan(fname, fmd->fd, &virname, tharg->engine, tharg->options, extinfo) == CL_VIRUS) {

+            /* TODO : FIXME? virusaction forks. This could be extraordinarily problematic, lead to deadlocks, 

+             * or at the very least lead to extreme memory consumption. Leaving disabled for now.*/ 

+            virusaction(fname, virname, tharg->opts);

+            res.response = FAN_DENY;

+        }

     }

     if(fmd->mask & FAN_ALL_PERM_EVENTS) {

@@ -292,6 +295,8 @@ void *onas_fan_th(void *arg)

     return NULL;

 }

+

+/* CLAMAUTH is deprecated */

 #elif defined(CLAMAUTH)

 #include <stdio.h>

new file mode 100644

@@ -0,0 +1,121 @@

+/*

+ *  Copyright (C) 2017 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

+ *

+ *  Authors: Mickey Sola

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#if defined(FANOTIFY)

+

+#include <stdio.h>

+#include <stdarg.h>

+#include <stdlib.h>

+#include <string.h>

+//#include <fcntl.h>

+#include <sys/stat.h>

+#include <errno.h>

+#include <pthread.h>

+//#include <limits.h>

+#include "libclamav/clamav.h"

+//#include "libclamav/scanners.h"

+#include "shared/optparser.h"

+#include "shared/output.h"

+//#include "shared/misc.h"

+//#include "libclamav/others.h"

+

+//#include "others.h"

+

+#include "onaccess_others.h"

+#include "scanner.h"

+

+static pthread_mutex_t onas_scan_lock = PTHREAD_MUTEX_INITIALIZER;

+

+int onas_fan_checkowner(int pid, const struct optstruct *opts)

+{

+    char path[32];

+    STATBUF sb;

+    const struct optstruct *opt = NULL;

+    const struct optstruct *opt_root = NULL;

+

+    /* always ignore ourselves */

+    if (pid == (int) getpid()) {

+        return 1;

+    }

+

+    /* look up options */

+    opt = optget (opts, "OnAccessExcludeUID");

+    opt_root = optget (opts, "OnAccessExcludeRootUID");

+

+    /* we can return immediately if no uid exclusions were requested */

+    if (!(opt->enabled || opt_root->enabled))

+        return 0;

+

+    /* perform exclusion checks if we can stat OK */

+    snprintf (path, sizeof (path), "/proc/%u", pid);

+    if (CLAMSTAT (path, &sb) == 0) {

+        /* check all our non-root UIDs first */

+        if (opt->enabled) {

+            while (opt)

+            {

+                if (opt->numarg == (long long) sb.st_uid)

+                    return 1;

+                opt = opt->nextarg;

+            }

+        }

+        /* finally check root UID */

+        if (opt_root->enabled) {

+            if (0 == (long long) sb.st_uid)

+                return 1;

+        }

+    } else if (errno == EACCES) {

+        logg("*Permission denied to stat /proc/%d to exclude UIDs... perhaps SELinux denial?\n", pid);

+    } else if (errno == ENOENT) {

+        /* FIXME: should this be configurable? */

+        logg("$/proc/%d vanished before UIDs could be excluded; scanning anyway\n", pid);

+    }

+

+    return 0;

+}

+

+int onas_scan(const char *fname, int fd, const char **virname, const struct cl_engine *engine, int options, int extinfo)

+{

+    int ret = 0;

+    struct cb_context context;

+

+    context.filename = fname;

+    context.virsize = 0;

+    context.scandata = NULL;

+

+    pthread_mutex_lock(&onas_scan_lock);

+    

+    ret = cl_scandesc_callback(fd, virname, NULL, engine, options, context);

+

+    pthread_mutex_unlock(&onas_scan_lock);

+

+    if (ret) {

+        if (extinfo && context.virsize)

+            logg("ScanOnAccess: %s: %s(%s:%llu) FOUND\n", fname, *virname, context.virhash, context.virsize);

+        else

+            logg("ScanOnAccess: %s: %s FOUND\n", fname, *virname);

+    }

+

+    return ret;

+}

+#endif

new file mode 100644

@@ -0,0 +1,29 @@

+/*

+ *  Copyright (C) 2017 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

+ *

+ *  Authors: Mickey Sola

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#ifndef __CLAMD_ONAS_OTHERS_H

+#define __CLAMD_ONAS_OTHERS_H

+

+#include "shared/optparser.h"

+

+int onas_fan_checkowner(int pid, const struct optstruct *opts);

+int onas_scan(const char *fname, int fd, const char **virname, const struct cl_engine *engine, int options, int extinfo);

+

+#endif

@@ -68,12 +68,12 @@

 #include <limits.h>

 #include "libclamav/clamav.h"

+#include "libclamav/scanners.h"

 #include "shared/optparser.h"

 #include "shared/output.h"

 #include "shared/misc.h"

 #include "libclamav/others.h"

-#include "session.h"

 #include "others.h"

 static pthread_mutex_t virusaction_lock = PTHREAD_MUTEX_INITIALIZER;

@@ -800,53 +800,3 @@ fds_free (struct fd_data *data)

     data->nfds = 0;

     fds_unlock (data);

 }

-

-#ifdef FANOTIFY

-int

-onas_fan_checkowner (int pid, const struct optstruct *opts)

-{

-    char path[32];

-    STATBUF sb;

-    const struct optstruct *opt = NULL;

-    const struct optstruct *opt_root = NULL;

-

-    /* always ignore ourselves */

-    if (pid == (int) getpid()) {

-        return 1;

-    }

-

-    /* look up options */

-    opt = optget (opts, "OnAccessExcludeUID");

-    opt_root = optget (opts, "OnAccessExcludeRootUID");

-

-    /* we can return immediately if no uid exclusions were requested */

-    if (!(opt->enabled || opt_root->enabled))

-        return 0;

-

-    /* perform exclusion checks if we can stat OK */

-    snprintf (path, sizeof (path), "/proc/%u", pid);

-    if (CLAMSTAT (path, &sb) == 0) {

-        /* check all our non-root UIDs first */

-        if (opt->enabled) {

-            while (opt)

-            {

-                if (opt->numarg == (long long) sb.st_uid)

-                    return 1;

-                opt = opt->nextarg;

-            }

-        }

-        /* finally check root UID */

-        if (opt_root->enabled) {

-            if (0 == (long long) sb.st_uid)

-                return 1;

-        }

-    } else if (errno == EACCES) {

-        logg("*Permission denied to stat /proc/%d to exclude UIDs... perhaps SELinux denial?\n", pid);

-    } else if (errno == ENOENT) {

-        /* FIXME: should this be configurable? */

-        logg("$/proc/%d vanished before UIDs could be excluded; scanning anyway\n", pid);

-    }

-

-    return 0;

-}

-#endif

@@ -83,8 +83,4 @@ void fds_cleanup(struct fd_data *data);

 int fds_poll_recv(struct fd_data *data, int timeout, int check_signals, void *event);

 void fds_free(struct fd_data *data);

-#ifdef FANOTIFY

-int onas_fan_checkowner(int pid, const struct optstruct *opts);

-#endif

-

 #endif