... | ... |
@@ -1,3 +1,9 @@ |
1 |
+Thu Feb 17 19:13:15 CET 2011 (tk) |
|
2 |
+--------------------------------- |
|
3 |
+ * clamd: add new config option BytecodeUnsigned (bb#2537); drop |
|
4 |
+ "None" from BytecodeSecurity |
|
5 |
+ * clamscan: add new switch --bytecode-unsigned and drop --bytecode-trust-all |
|
6 |
+ |
|
1 | 7 |
Tue Feb 15 19:19:31 CET 2011 (tk) |
2 | 8 |
--------------------------------- |
3 | 9 |
* sigtool/sigtool.c: improve handling of bytecode.info (bb#2292) |
... | ... |
@@ -436,44 +436,49 @@ int main(int argc, char **argv) |
436 | 436 |
else |
437 | 437 |
logg("#Not loading phishing signatures.\n"); |
438 | 438 |
|
439 |
- if(optget(opts,"Bytecode")->enabled) |
|
439 |
+ if(optget(opts,"Bytecode")->enabled) { |
|
440 | 440 |
dboptions |= CL_DB_BYTECODE; |
441 |
- |
|
442 |
- if((opt = optget(opts,"BytecodeSecurity"))->enabled) { |
|
443 |
- enum bytecode_security s; |
|
444 |
- if (!strcmp(opt->strarg, "TrustSigned")) |
|
445 |
- s = CL_BYTECODE_TRUST_SIGNED; |
|
446 |
- else if (!strcmp(opt->strarg, "None")) |
|
447 |
- s = CL_BYTECODE_TRUST_ALL; |
|
448 |
- else if (!strcmp(opt->strarg, "Paranoid")) |
|
449 |
- s = CL_BYTECODE_TRUST_NOTHING; |
|
450 |
- else { |
|
451 |
- logg("!Unable to parse bytecode security setting:%s\n", |
|
452 |
- opt->strarg); |
|
453 |
- ret = 1; |
|
454 |
- break; |
|
441 |
+ if((opt = optget(opts,"BytecodeSecurity"))->enabled) { |
|
442 |
+ enum bytecode_security s; |
|
443 |
+ if (!strcmp(opt->strarg, "TrustSigned")) { |
|
444 |
+ s = CL_BYTECODE_TRUST_SIGNED; |
|
445 |
+ logg("Bytecode: Security mode set to \"TrustSigned\".\n"); |
|
446 |
+ } else if (!strcmp(opt->strarg, "Paranoid")) { |
|
447 |
+ s = CL_BYTECODE_TRUST_NOTHING; |
|
448 |
+ logg("Bytecode: Security mode set to \"Paranoid\".\n"); |
|
449 |
+ } else { |
|
450 |
+ logg("!Unable to parse bytecode security setting:%s\n", |
|
451 |
+ opt->strarg); |
|
452 |
+ ret = 1; |
|
453 |
+ break; |
|
454 |
+ } |
|
455 |
+ if ((ret = cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, s))) { |
|
456 |
+ logg("Invalid bytecode security setting %s: %s\n", opt->strarg, cl_strerror(ret)); |
|
457 |
+ ret = 1; |
|
458 |
+ break; |
|
459 |
+ } |
|
455 | 460 |
} |
456 |
- if ((ret = cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, s))) { |
|
457 |
- logg("Invalid bytecode security setting %s: %s\n", opt->strarg, cl_strerror(ret)); |
|
458 |
- ret = 1; |
|
459 |
- break; |
|
461 |
+ if((opt = optget(opts,"BytecodeUnsigned"))->enabled) { |
|
462 |
+ dboptions |= CL_DB_BYTECODE_UNSIGNED; |
|
463 |
+ logg("Bytecode: Enabled support for unsigned bytecode.\n"); |
|
460 | 464 |
} |
461 |
- } |
|
462 |
- if((opt = optget(opts,"BytecodeMode"))->enabled) { |
|
463 |
- enum bytecode_mode mode; |
|
464 |
- if (!strcmp(opt->strarg, "ForceJIT")) |
|
465 |
- mode = CL_BYTECODE_MODE_JIT; |
|
466 |
- else if(!strcmp(opt->strarg, "ForceInterpreter")) |
|
467 |
- mode = CL_BYTECODE_MODE_INTERPRETER; |
|
468 |
- else if(!strcmp(opt->strarg, "Test")) |
|
469 |
- mode = CL_BYTECODE_MODE_TEST; |
|
470 |
- else |
|
471 |
- mode = CL_BYTECODE_MODE_AUTO; |
|
472 |
- cl_engine_set_num(engine, CL_ENGINE_BYTECODE_MODE, mode); |
|
473 |
- } |
|
474 |
- if((opt = optget(opts,"BytecodeTimeout"))->enabled) { |
|
475 |
- cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg); |
|
476 |
- } |
|
465 |
+ if((opt = optget(opts,"BytecodeMode"))->enabled) { |
|
466 |
+ enum bytecode_mode mode; |
|
467 |
+ if (!strcmp(opt->strarg, "ForceJIT")) |
|
468 |
+ mode = CL_BYTECODE_MODE_JIT; |
|
469 |
+ else if(!strcmp(opt->strarg, "ForceInterpreter")) |
|
470 |
+ mode = CL_BYTECODE_MODE_INTERPRETER; |
|
471 |
+ else if(!strcmp(opt->strarg, "Test")) |
|
472 |
+ mode = CL_BYTECODE_MODE_TEST; |
|
473 |
+ else |
|
474 |
+ mode = CL_BYTECODE_MODE_AUTO; |
|
475 |
+ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_MODE, mode); |
|
476 |
+ } |
|
477 |
+ if((opt = optget(opts,"BytecodeTimeout"))->enabled) { |
|
478 |
+ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg); |
|
479 |
+ } |
|
480 |
+ } else |
|
481 |
+ logg("Bytecode support disabled.\n"); |
|
477 | 482 |
|
478 | 483 |
if(optget(opts,"PhishingScanURLs")->enabled) |
479 | 484 |
dboptions |= CL_DB_PHISHING_URLS; |
... | ... |
@@ -222,7 +222,7 @@ void help(void) |
222 | 222 |
mprintf(" --include-dir=REGEX Only scan directories matching REGEX\n"); |
223 | 223 |
mprintf("\n"); |
224 | 224 |
mprintf(" --bytecode[=yes(*)/no] Load bytecode from the database\n"); |
225 |
- mprintf(" --bytecode-trust-all[=yes/no(*)] Trust all loaded bytecode\n"); |
|
225 |
+ mprintf(" --bytecode-unsigned[=yes/no(*)] Load unsigned bytecode\n"); |
|
226 | 226 |
mprintf(" --bytecode-timeout=N Set bytecode timeout (in milliseconds)\n"); |
227 | 227 |
mprintf(" --detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications\n"); |
228 | 228 |
mprintf(" --exclude-pua=CAT Skip PUA sigs of category CAT\n"); |
... | ... |
@@ -488,8 +488,9 @@ int scanmanager(const struct optstruct *opts) |
488 | 488 |
if(optget(opts, "leave-temps")->enabled) |
489 | 489 |
cl_engine_set_num(engine, CL_ENGINE_KEEPTMP, 1); |
490 | 490 |
|
491 |
- if(optget(opts, "bytecode-trust-all")->enabled) |
|
492 |
- cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, CL_BYTECODE_TRUST_ALL); |
|
491 |
+ if(optget(opts, "bytecode-unsigned")->enabled) |
|
492 |
+ dboptions |= CL_DB_BYTECODE_UNSIGNED; |
|
493 |
+ |
|
493 | 494 |
if((opt = optget(opts,"bytecode-timeout"))->enabled) |
494 | 495 |
cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg); |
495 | 496 |
if((opt = optget(opts,"bytecode-mode"))->enabled) { |
... | ... |
@@ -974,7 +974,6 @@ with_user |
974 | 974 |
with_group |
975 | 975 |
enable_clamav |
976 | 976 |
enable_debug |
977 |
-enable_unsigned_bytecode |
|
978 | 977 |
enable_no_cache |
979 | 978 |
enable_dns_fix |
980 | 979 |
enable_bigstack |
... | ... |
@@ -1652,7 +1651,6 @@ Optional Features: |
1652 | 1652 |
--enable-yp-check use ypmatch utility instead of /etc/passwd parsing |
1653 | 1653 |
--disable-clamav disable test for clamav user/group |
1654 | 1654 |
--enable-debug enable debug code |
1655 |
- --enable-unsigned-bytecode enable load of unsigned bytecode |
|
1656 | 1655 |
--enable-no-cache use "Cache-Control: no-cache" in freshclam |
1657 | 1656 |
--enable-dns-fix enable workaround for broken DNS servers (as in SpeedTouch 510) |
1658 | 1657 |
--enable-bigstack increase thread stack size |
... | ... |
@@ -5182,13 +5180,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : |
5182 | 5182 |
else |
5183 | 5183 |
lt_cv_nm_interface="BSD nm" |
5184 | 5184 |
echo "int some_variable = 0;" > conftest.$ac_ext |
5185 |
- (eval echo "\"\$as_me:5185: $ac_compile\"" >&5) |
|
5185 |
+ (eval echo "\"\$as_me:5183: $ac_compile\"" >&5) |
|
5186 | 5186 |
(eval "$ac_compile" 2>conftest.err) |
5187 | 5187 |
cat conftest.err >&5 |
5188 |
- (eval echo "\"\$as_me:5188: $NM \\\"conftest.$ac_objext\\\"\"" >&5) |
|
5188 |
+ (eval echo "\"\$as_me:5186: $NM \\\"conftest.$ac_objext\\\"\"" >&5) |
|
5189 | 5189 |
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) |
5190 | 5190 |
cat conftest.err >&5 |
5191 |
- (eval echo "\"\$as_me:5191: output\"" >&5) |
|
5191 |
+ (eval echo "\"\$as_me:5189: output\"" >&5) |
|
5192 | 5192 |
cat conftest.out >&5 |
5193 | 5193 |
if $GREP 'External.*some_variable' conftest.out > /dev/null; then |
5194 | 5194 |
lt_cv_nm_interface="MS dumpbin" |
... | ... |
@@ -6383,7 +6381,7 @@ ia64-*-hpux*) |
6383 | 6383 |
;; |
6384 | 6384 |
*-*-irix6*) |
6385 | 6385 |
# Find out which ABI we are using. |
6386 |
- echo '#line 6386 "configure"' > conftest.$ac_ext |
|
6386 |
+ echo '#line 6384 "configure"' > conftest.$ac_ext |
|
6387 | 6387 |
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 |
6388 | 6388 |
(eval $ac_compile) 2>&5 |
6389 | 6389 |
ac_status=$? |
... | ... |
@@ -7910,11 +7908,11 @@ else |
7910 | 7910 |
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ |
7911 | 7911 |
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ |
7912 | 7912 |
-e 's:$: $lt_compiler_flag:'` |
7913 |
- (eval echo "\"\$as_me:7913: $lt_compile\"" >&5) |
|
7913 |
+ (eval echo "\"\$as_me:7911: $lt_compile\"" >&5) |
|
7914 | 7914 |
(eval "$lt_compile" 2>conftest.err) |
7915 | 7915 |
ac_status=$? |
7916 | 7916 |
cat conftest.err >&5 |
7917 |
- echo "$as_me:7917: \$? = $ac_status" >&5 |
|
7917 |
+ echo "$as_me:7915: \$? = $ac_status" >&5 |
|
7918 | 7918 |
if (exit $ac_status) && test -s "$ac_outfile"; then |
7919 | 7919 |
# The compiler can only warn and ignore the option if not recognized |
7920 | 7920 |
# So say no if there are warnings other than the usual output. |
... | ... |
@@ -8249,11 +8247,11 @@ else |
8249 | 8249 |
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ |
8250 | 8250 |
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ |
8251 | 8251 |
-e 's:$: $lt_compiler_flag:'` |
8252 |
- (eval echo "\"\$as_me:8252: $lt_compile\"" >&5) |
|
8252 |
+ (eval echo "\"\$as_me:8250: $lt_compile\"" >&5) |
|
8253 | 8253 |
(eval "$lt_compile" 2>conftest.err) |
8254 | 8254 |
ac_status=$? |
8255 | 8255 |
cat conftest.err >&5 |
8256 |
- echo "$as_me:8256: \$? = $ac_status" >&5 |
|
8256 |
+ echo "$as_me:8254: \$? = $ac_status" >&5 |
|
8257 | 8257 |
if (exit $ac_status) && test -s "$ac_outfile"; then |
8258 | 8258 |
# The compiler can only warn and ignore the option if not recognized |
8259 | 8259 |
# So say no if there are warnings other than the usual output. |
... | ... |
@@ -8354,11 +8352,11 @@ else |
8354 | 8354 |
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ |
8355 | 8355 |
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ |
8356 | 8356 |
-e 's:$: $lt_compiler_flag:'` |
8357 |
- (eval echo "\"\$as_me:8357: $lt_compile\"" >&5) |
|
8357 |
+ (eval echo "\"\$as_me:8355: $lt_compile\"" >&5) |
|
8358 | 8358 |
(eval "$lt_compile" 2>out/conftest.err) |
8359 | 8359 |
ac_status=$? |
8360 | 8360 |
cat out/conftest.err >&5 |
8361 |
- echo "$as_me:8361: \$? = $ac_status" >&5 |
|
8361 |
+ echo "$as_me:8359: \$? = $ac_status" >&5 |
|
8362 | 8362 |
if (exit $ac_status) && test -s out/conftest2.$ac_objext |
8363 | 8363 |
then |
8364 | 8364 |
# The compiler can only warn and ignore the option if not recognized |
... | ... |
@@ -8409,11 +8407,11 @@ else |
8409 | 8409 |
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ |
8410 | 8410 |
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ |
8411 | 8411 |
-e 's:$: $lt_compiler_flag:'` |
8412 |
- (eval echo "\"\$as_me:8412: $lt_compile\"" >&5) |
|
8412 |
+ (eval echo "\"\$as_me:8410: $lt_compile\"" >&5) |
|
8413 | 8413 |
(eval "$lt_compile" 2>out/conftest.err) |
8414 | 8414 |
ac_status=$? |
8415 | 8415 |
cat out/conftest.err >&5 |
8416 |
- echo "$as_me:8416: \$? = $ac_status" >&5 |
|
8416 |
+ echo "$as_me:8414: \$? = $ac_status" >&5 |
|
8417 | 8417 |
if (exit $ac_status) && test -s out/conftest2.$ac_objext |
8418 | 8418 |
then |
8419 | 8419 |
# The compiler can only warn and ignore the option if not recognized |
... | ... |
@@ -10793,7 +10791,7 @@ else |
10793 | 10793 |
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 |
10794 | 10794 |
lt_status=$lt_dlunknown |
10795 | 10795 |
cat > conftest.$ac_ext <<_LT_EOF |
10796 |
-#line 10796 "configure" |
|
10796 |
+#line 10794 "configure" |
|
10797 | 10797 |
#include "confdefs.h" |
10798 | 10798 |
|
10799 | 10799 |
#if HAVE_DLFCN_H |
... | ... |
@@ -10889,7 +10887,7 @@ else |
10889 | 10889 |
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 |
10890 | 10890 |
lt_status=$lt_dlunknown |
10891 | 10891 |
cat > conftest.$ac_ext <<_LT_EOF |
10892 |
-#line 10892 "configure" |
|
10892 |
+#line 10890 "configure" |
|
10893 | 10893 |
#include "confdefs.h" |
10894 | 10894 |
|
10895 | 10895 |
#if HAVE_DLFCN_H |
... | ... |
@@ -11561,7 +11559,7 @@ else |
11561 | 11561 |
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 |
11562 | 11562 |
lt_status=$lt_dlunknown |
11563 | 11563 |
cat > conftest.$ac_ext <<_LT_EOF |
11564 |
-#line 11564 "configure" |
|
11564 |
+#line 11562 "configure" |
|
11565 | 11565 |
#include "confdefs.h" |
11566 | 11566 |
|
11567 | 11567 |
#if HAVE_DLFCN_H |
... | ... |
@@ -16651,21 +16649,6 @@ $as_echo "#define NDEBUG 1" >>confdefs.h |
16651 | 16651 |
|
16652 | 16652 |
fi |
16653 | 16653 |
|
16654 |
-# Check whether --enable-unsigned-bytecode was given. |
|
16655 |
-if test "${enable_unsigned_bytecode+set}" = set; then : |
|
16656 |
- enableval=$enable_unsigned_bytecode; enable_unsignedbytecode="$enableval" |
|
16657 |
-else |
|
16658 |
- enable_unsignedbytecode="no" |
|
16659 |
-fi |
|
16660 |
- |
|
16661 |
- |
|
16662 |
-if test "$enable_unsignedbytecode" = "yes"; then |
|
16663 |
- VERSION_SUFFIX="$VERSION_SUFFIX-unsigned-bc" |
|
16664 |
- |
|
16665 |
-$as_echo "#define CL_BCUNSIGNED 1" >>confdefs.h |
|
16666 |
- |
|
16667 |
-fi |
|
16668 |
- |
|
16669 | 16654 |
# Check whether --enable-no-cache was given. |
16670 | 16655 |
if test "${enable_no_cache+set}" = set; then : |
16671 | 16656 |
enableval=$enable_no_cache; enable_nocache=$enableval |
... | ... |
@@ -856,15 +856,6 @@ else |
856 | 856 |
AC_DEFINE([NDEBUG],1,[disable assertions]) |
857 | 857 |
fi |
858 | 858 |
|
859 |
-AC_ARG_ENABLE([unsigned-bytecode], |
|
860 |
-[ --enable-unsigned-bytecode enable load of unsigned bytecode], |
|
861 |
-enable_unsignedbytecode="$enableval", enable_unsignedbytecode="no") |
|
862 |
- |
|
863 |
-if test "$enable_unsignedbytecode" = "yes"; then |
|
864 |
- VERSION_SUFFIX="$VERSION_SUFFIX-unsigned-bc" |
|
865 |
- AC_DEFINE([CL_BCUNSIGNED],1,[enable loading of unsigned bytecode]) |
|
866 |
-fi |
|
867 |
- |
|
868 | 859 |
AC_ARG_ENABLE([no-cache], |
869 | 860 |
[ --enable-no-cache use "Cache-Control: no-cache" in freshclam], |
870 | 861 |
enable_nocache=$enableval, enable_nocache="no") |
... | ... |
@@ -250,10 +250,15 @@ With this option enabled ClamAV will load bytecode from the database. It is high |
250 | 250 |
Default: yes |
251 | 251 |
.TP |
252 | 252 |
\fBBytecodeSecurity STRING\fR |
253 |
-Set bytecode security level. Possible values: \fBNone\fR: no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS, \fBTrustSigned\fR: trust bytecode loaded from signed .c[lv]d files and insert runtime safety checks for bytecode loaded from other sources, \fBParanoid\fR: don't trust any bytecode, insert runtime checks for all. The recommended setting is \fBTrustSigned\fR, because bytecode in .cvd files already has safety checks inserted into it. |
|
253 |
+Set bytecode security level. Possible values: \fBTrustSigned\fR: trust bytecode loaded from signed .c[lv]d files and insert runtime safety checks for bytecode loaded from other sources, \fBParanoid\fR: don't trust any bytecode, insert runtime checks for all. The recommended setting is \fBTrustSigned\fR, because bytecode in .cvd files already has safety checks inserted into it. |
|
254 | 254 |
.br |
255 | 255 |
Default: TrustSigned |
256 | 256 |
.TP |
257 |
+\fBBytecodeUnsigned BOOL\fR |
|
258 |
+Allow loading bytecode from outside digitally signed .c[lv]d files. |
|
259 |
+.br |
|
260 |
+Default: no |
|
261 |
+.TP |
|
257 | 262 |
\fBBytecodeTimeout NUMBER\fR |
258 | 263 |
Set bytecode timeout in milliseconds. |
259 | 264 |
.br |
... | ... |
@@ -87,8 +87,8 @@ Copy infected files into DIRECTORY. Directory must be writable for the '@CLAMAVU |
87 | 87 |
\fB\-\-bytecode[=yes(*)/no]\fR |
88 | 88 |
With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, otherwise you may miss detections for many new viruses. |
89 | 89 |
.TP |
90 |
-\fB\-\-bytecode\-trust\-all[=yes/no(*)]\fR |
|
91 |
-This option disables safety checks and makes ClamAV trust all bytecode. It should only be used for debugging. |
|
90 |
+\fB\-\-bytecode\-unsigned[=yes/no(*)]\fR |
|
91 |
+Allow loading bytecode from outside digitally signed .c[lv]d files. |
|
92 | 92 |
.TP |
93 | 93 |
\fB\-\-bytecode\-timeout=N\fR |
94 | 94 |
Set bytecode timeout in milliseconds (default: 60000 = 60s) |
... | ... |
@@ -92,6 +92,7 @@ typedef enum { |
92 | 92 |
#define CL_DB_OFFICIAL_ONLY 0x1000 |
93 | 93 |
#define CL_DB_BYTECODE 0x2000 |
94 | 94 |
#define CL_DB_SIGNED 0x4000 /* internal */ |
95 |
+#define CL_DB_BYTECODE_UNSIGNED 0x8000 |
|
95 | 96 |
|
96 | 97 |
/* recommended db settings */ |
97 | 98 |
#define CL_DB_STDOPT (CL_DB_PHISHING | CL_DB_PHISHING_URLS | CL_DB_BYTECODE) |
... | ... |
@@ -160,7 +161,7 @@ enum cl_engine_field { |
160 | 160 |
}; |
161 | 161 |
|
162 | 162 |
enum bytecode_security { |
163 |
- CL_BYTECODE_TRUST_ALL=0, /* insecure, debug setting */ |
|
163 |
+ CL_BYTECODE_TRUST_ALL=0, /* obsolete */ |
|
164 | 164 |
CL_BYTECODE_TRUST_SIGNED, /* default */ |
165 | 165 |
CL_BYTECODE_TRUST_NOTHING /* paranoid setting */ |
166 | 166 |
}; |
... | ... |
@@ -413,12 +413,6 @@ int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long |
413 | 413 |
engine->keeptmp = num; |
414 | 414 |
break; |
415 | 415 |
case CL_ENGINE_BYTECODE_SECURITY: |
416 |
-#ifndef CL_BCUNSIGNED |
|
417 |
- if (num == CL_BYTECODE_TRUST_ALL) { |
|
418 |
- cli_errmsg("cl_engine_set_num: CL_BYTECODE_TRUST_ALL is only supported when ClamAV is built with ./configure --enable-unsigned-bytecode\n"); |
|
419 |
- return CL_EARG; |
|
420 |
- } |
|
421 |
-#endif |
|
422 | 416 |
if (engine->dboptions & CL_DB_COMPILED) { |
423 | 417 |
cli_errmsg("cl_engine_set_num: CL_ENGINE_BYTECODE_SECURITY cannot be set after engine was compiled\n"); |
424 | 418 |
return CL_EARG; |
... | ... |
@@ -1430,13 +1430,12 @@ static int cli_loadcbc(FILE *fs, struct cl_engine *engine, unsigned int *signo, |
1430 | 1430 |
return CL_SUCCESS; |
1431 | 1431 |
} |
1432 | 1432 |
|
1433 |
-#ifndef CL_BCUNSIGNED |
|
1434 |
- if (!(options & CL_DB_SIGNED)) { |
|
1433 |
+ if (!(options & CL_DB_BYTECODE_UNSIGNED) && !(options & CL_DB_SIGNED)) { |
|
1435 | 1434 |
cli_warnmsg("Only loading signed bytecode, skipping load of unsigned bytecode!\n"); |
1436 |
- cli_warnmsg("Build with ./configure --enable-unsigned-bytecode to enable loading of unsigned bytecode\n"); |
|
1435 |
+ cli_warnmsg("Turn on BytecodeUnsigned/--bytecode-unsigned to enable loading of unsigned bytecode\n"); |
|
1437 | 1436 |
return CL_SUCCESS; |
1438 | 1437 |
} |
1439 |
-#endif |
|
1438 |
+ |
|
1440 | 1439 |
bcs->all_bcs = cli_realloc2(bcs->all_bcs, sizeof(*bcs->all_bcs)*(bcs->count+1)); |
1441 | 1440 |
if (!bcs->all_bcs) { |
1442 | 1441 |
cli_errmsg("cli_loadcbc: Can't allocate memory for bytecode entry\n"); |
... | ... |
@@ -1446,10 +1445,6 @@ static int cli_loadcbc(FILE *fs, struct cl_engine *engine, unsigned int *signo, |
1446 | 1446 |
bc = &bcs->all_bcs[bcs->count-1]; |
1447 | 1447 |
|
1448 | 1448 |
switch (engine->bytecode_security) { |
1449 |
- case CL_BYTECODE_TRUST_ALL: |
|
1450 |
- security_trust = 1; |
|
1451 |
- cli_dbgmsg("bytecode: trusting all bytecode!\n"); |
|
1452 |
- break; |
|
1453 | 1449 |
case CL_BYTECODE_TRUST_SIGNED: |
1454 | 1450 |
security_trust = !!(options & CL_DB_SIGNED); |
1455 | 1451 |
break; |
... | ... |
@@ -126,7 +126,6 @@ const struct clam_option __clam_options[] = { |
126 | 126 |
|
127 | 127 |
{ NULL, "force-interpreter", 'f', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMBC, "Force using the interpreter instead of the JIT", "" }, |
128 | 128 |
{ NULL, "trust-bytecode", 't', TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMBC, "Trust loaded bytecode (default yes)", ""}, |
129 |
- { NULL, "bytecode-trust-all", 't', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMSCAN, "Trust loaded bytecode (default: only if signed)", ""}, |
|
130 | 129 |
{ NULL, "info", 'i', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMBC, "Load and print bytecode information without executing", ""}, |
131 | 130 |
{ NULL, "printsrc", 'p', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMBC, "Print source code of bytecode", ""}, |
132 | 131 |
{ NULL, "input", 'r', TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMBC, "Input file to run the bytecode n", ""}, |
... | ... |
@@ -134,6 +133,7 @@ const struct clam_option __clam_options[] = { |
134 | 134 |
{ NULL, "no-trace-showsource", 's', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMBC, "Don't show source line during tracing",""}, |
135 | 135 |
|
136 | 136 |
/* cmdline only - deprecated */ |
137 |
+ { NULL, "bytecode-trust-all", 't', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMSCAN | OPT_DEPRECATED, "", ""}, |
|
137 | 138 |
{ NULL, "http-proxy", 0, TYPE_STRING, NULL, 0, NULL, 0, OPT_FRESHCLAM | OPT_DEPRECATED, "", "" }, |
138 | 139 |
{ NULL, "proxy-user", 0, TYPE_STRING, NULL, 0, NULL, 0, OPT_FRESHCLAM | OPT_DEPRECATED, "", "" }, |
139 | 140 |
{ NULL, "log-verbose", 0, TYPE_BOOL, NULL, 0, NULL, 0, OPT_FRESHCLAM | OPT_DEPRECATED, "", "" }, |
... | ... |
@@ -254,12 +254,19 @@ const struct clam_option __clam_options[] = { |
254 | 254 |
|
255 | 255 |
/* Scan options */ |
256 | 256 |
{ "Bytecode", "bytecode", 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.", "yes" }, |
257 |
- { "BytecodeSecurity", NULL, 0, TYPE_STRING, "^(None|TrustSigned|Paranoid)$", -1, "TrustSigned", 0, OPT_CLAMD, |
|
258 |
- "Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"}, |
|
257 |
+ |
|
258 |
+ { "BytecodeSecurity", NULL, 0, TYPE_STRING, "^(TrustSigned|Paranoid)$", -1, "TrustSigned", 0, OPT_CLAMD, |
|
259 |
+ "Set bytecode security level.\nPossible values:\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"}, |
|
260 |
+ |
|
259 | 261 |
{ "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 5000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, |
260 | 262 |
"Set bytecode timeout in miliseconds.\n","5000"}, |
263 |
+ |
|
264 |
+ { "BytecodeUnsigned", "bytecode-unsigned", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, |
|
265 |
+ "Allow loading bytecode from outside digitally signed .c[lv]d files.\n","no"}, |
|
266 |
+ |
|
261 | 267 |
{ "BytecodeMode", "bytecode-mode", 0, TYPE_STRING, "^(Auto|ForceJIT|ForceInterpreter|Test)$", -1, "Auto", FLAG_REQUIRED, OPT_CLAMD | OPT_CLAMSCAN, |
262 | 268 |
"Set bytecode execution mode.\nPossible values:\n\tAuto - automatically choose JIT if possible, fallback to interpreter\nForceJIT - always choose JIT, fail if not possible\nForceIntepreter - always choose interpreter\nTest - run with both JIT and interpreter and compare results. Make all failures fatal\n","Auto"}, |
269 |
+ |
|
263 | 270 |
{ "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" }, |
264 | 271 |
|
265 | 272 |
{ "ExcludePUA", "exclude-pua", 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_CLAMSCAN, "Exclude a specific PUA category. This directive can be used multiple times.\nSee http://www.clamav.net/support/pua for the complete list of PUA\ncategories.", "NetTool\nPWTool" }, |