@@ -50,7 +50,9 @@ clamd_SOURCES = \

     onaccess_ddd.c \

     onaccess_ddd.h \

     onaccess_hash.c \

-    onaccess_hash.h

+    onaccess_hash.h \

+    onaccess_scth.c \

+    onaccess_scth.h

 AM_CFLAGS=@WERR_CFLAGS@

@@ -186,7 +186,8 @@ am__clamd_SOURCES_DIST = $(top_srcdir)/shared/output.c \

 	localserver.c localserver.h session.c session.h thrmgr.c \

 	thrmgr.h server-th.c server.h scanner.c scanner.h others.c \

 	others.h shared.h onaccess_fan.c onaccess_fan.h onaccess_ddd.c \

-	onaccess_ddd.h onaccess_hash.c onaccess_hash.h

+	onaccess_ddd.h onaccess_hash.c onaccess_hash.h onaccess_scth.c \

+	onaccess_scth.h

 @BUILD_CLAMD_TRUE@am_clamd_OBJECTS = output.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@	optparser.$(OBJEXT) getopt.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@	misc.$(OBJEXT) clamd.$(OBJEXT) \

@@ -195,7 +196,8 @@ am__clamd_SOURCES_DIST = $(top_srcdir)/shared/output.c \

 @BUILD_CLAMD_TRUE@	server-th.$(OBJEXT) scanner.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@	others.$(OBJEXT) onaccess_fan.$(OBJEXT) \

 @BUILD_CLAMD_TRUE@	onaccess_ddd.$(OBJEXT) \

-@BUILD_CLAMD_TRUE@	onaccess_hash.$(OBJEXT)

+@BUILD_CLAMD_TRUE@	onaccess_hash.$(OBJEXT) \

+@BUILD_CLAMD_TRUE@	onaccess_scth.$(OBJEXT)

 clamd_OBJECTS = $(am_clamd_OBJECTS)

 clamd_LDADD = $(LDADD)

 AM_V_lt = $(am__v_lt_@AM_V@)

@@ -493,7 +495,9 @@ top_srcdir = @top_srcdir@

 @BUILD_CLAMD_TRUE@    onaccess_ddd.c \

 @BUILD_CLAMD_TRUE@    onaccess_ddd.h \

 @BUILD_CLAMD_TRUE@    onaccess_hash.c \

-@BUILD_CLAMD_TRUE@    onaccess_hash.h

+@BUILD_CLAMD_TRUE@    onaccess_hash.h \

+@BUILD_CLAMD_TRUE@    onaccess_scth.c \

+@BUILD_CLAMD_TRUE@    onaccess_scth.h

 @BUILD_CLAMD_TRUE@AM_CFLAGS = @WERR_CFLAGS@

 AM_CPPFLAGS = -I$(top_srcdir) -I$(top_srcdir)/shared -I$(top_srcdir)/libclamav @SSL_CPPFLAGS@ @JSON_CPPFLAGS@ @PCRE_CPPFLAGS@

@@ -619,6 +623,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/onaccess_ddd.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/onaccess_fan.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/onaccess_hash.Po@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/onaccess_scth.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optparser.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/others.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/output.Po@am__quote@

@@ -44,6 +44,7 @@

 #include "onaccess_fan.h"

 #include "onaccess_hash.h"

 #include "onaccess_ddd.h"

+#include "onaccess_scth.h"

 #include "libclamav/clamav.h"

 #include "libclamav/scanners.h"

@@ -285,12 +286,12 @@ void *onas_ddd_th(void *arg) {

 	/* ignore all signals except SIGUSR1 */

 	sigfillset(&sigset);

 	sigdelset(&sigset, SIGUSR1);

-	/* The behavior of a process is undefined after it ignores a 

+	/* The behavior of a process is undefined after it ignores a

 	 * SIGFPE, SIGILL, SIGSEGV, or SIGBUS signal */

 	sigdelset(&sigset, SIGFPE);

 	sigdelset(&sigset, SIGILL);

 	sigdelset(&sigset, SIGSEGV);

-#ifdef SIGBUS    

+#ifdef SIGBUS

 	sigdelset(&sigset, SIGBUS);

 #endif

 	pthread_sigmask(SIG_SETMASK, &sigset, NULL);

@@ -366,6 +367,10 @@ void *onas_ddd_th(void *arg) {

 		}

 	}

+	if(optget(tharg->opts, "OnAccessExtraScanning")->enabled) {

+		logg("ScanOnAccess: Extra scanning and notifications enabled.\n");

+	}

+

 	FD_ZERO(&rfds);

 	FD_SET(onas_in_fd, &rfds);

@@ -393,35 +398,24 @@ void *onas_ddd_th(void *arg) {

 				size_t size = strlen(child) + len + 2;

 				char *child_path = (char *) cli_malloc(size);

 				if (child_path == NULL)

-					return CL_EMEM;

+					return NULL;

+

 				if (path[len-1] == '/')

 					snprintf(child_path, --size, "%s%s", path, child);

 				else

 					snprintf(child_path, size, "%s/%s", path, child);

-				struct stat s;

-				if(stat(child_path, &s) == 0 && S_ISREG(s.st_mode)) continue;

-				if(!(event->mask & IN_ISDIR)) continue;

-

 				if (event->mask & IN_DELETE) {

-					logg("*ddd: DELETE - Removing %s from %s with wd:%d\n", child_path, path, wd);

-					onas_ddd_unwatch(child_path, tharg->fan_fd, onas_in_fd);

-					onas_ht_rm_hierarchy(ddd_ht, child_path, strlen(child_path), 0);

+					onas_ddd_handle_in_delete(tharg, path, child_path, event, wd);

 				} else if (event->mask & IN_MOVED_FROM) {

-					logg("*ddd: MOVED_FROM - Removing %s from %s with wd:%d\n", child_path, path, wd);

-					onas_ddd_unwatch(child_path, tharg->fan_fd, onas_in_fd);

-					onas_ht_rm_hierarchy(ddd_ht, child_path, strlen(child_path), 0);

+					onas_ddd_handle_in_moved_from(tharg, path, child_path, event, wd);

 				} else if (event->mask & IN_CREATE) {

-					logg("*ddd: CREATE - Adding %s to %s with wd:%d\n", child_path, path, wd);

-					onas_ht_add_hierarchy(ddd_ht, child_path);

-					onas_ddd_watch(child_path, tharg->fan_fd, tharg->fan_mask, onas_in_fd, in_mask);

+					onas_ddd_handle_in_create(tharg, path, child_path, event, wd, in_mask);

 				} else if (event->mask & IN_MOVED_TO) {

-					logg("*ddd: MOVED_TO - Adding %s to %s with wd:%d\n", child_path, path, wd);

-					onas_ht_add_hierarchy(ddd_ht, child_path);

-					onas_ddd_watch(child_path, tharg->fan_fd, tharg->fan_mask, onas_in_fd, in_mask);

+					onas_ddd_handle_in_moved_to(tharg, path, child_path, event, wd, in_mask);

 				}

 			}

 		}

@@ -430,6 +424,118 @@ void *onas_ddd_th(void *arg) {

 	return NULL;

 }

+static void onas_ddd_handle_in_delete(struct ddd_thrarg *tharg,

+		const char *path, const char *child_path, const struct inotify_event *event, int wd) {

+

+	struct stat s;

+	if(stat(child_path, &s) == 0 && S_ISREG(s.st_mode)) return;

+	if(!(event->mask & IN_ISDIR)) return;

+

+	logg("*ddd: DELETE - Removing %s from %s with wd:%d\n", child_path, path, wd);

+	onas_ddd_unwatch(child_path, tharg->fan_fd, onas_in_fd);

+	onas_ht_rm_hierarchy(ddd_ht, child_path, strlen(child_path), 0);

+

+	return;

+}

+

+

+static void onas_ddd_handle_in_moved_from(struct ddd_thrarg *tharg,

+		const char *path, const char *child_path, const struct inotify_event *event, int wd) {

+

+	struct stat s;

+	if(stat(child_path, &s) == 0 && S_ISREG(s.st_mode)) return;

+	if(!(event->mask & IN_ISDIR)) return;

+

+	logg("*ddd: MOVED_FROM - Removing %s from %s with wd:%d\n", child_path, path, wd);

+	onas_ddd_unwatch(child_path, tharg->fan_fd, onas_in_fd);

+	onas_ht_rm_hierarchy(ddd_ht, child_path, strlen(child_path), 0);

+

+	return;

+}

+

+

+static void onas_ddd_handle_in_create(struct ddd_thrarg *tharg,

+		const char *path, const char *child_path, const struct inotify_event *event, int wd, uint64_t in_mask) {

+

+	struct stat s;

+	if (optget(tharg->opts, "OnAccessExtraScanning")->enabled) {

+		if(stat(child_path, &s) == 0 && S_ISREG(s.st_mode)) {

+			onas_ddd_handle_extra_scanning(tharg, child_path, ONAS_SCTH_ISFILE);

+

+		} else if(stat(child_path, &s) == 0 && S_ISDIR(s.st_mode)) {

+			logg("*ddd: CREATE - Adding %s to %s with wd:%d\n", child_path, path, wd);

+			onas_ht_add_hierarchy(ddd_ht, child_path);

+			onas_ddd_watch(child_path, tharg->fan_fd, tharg->fan_mask, onas_in_fd, in_mask);

+

+			onas_ddd_handle_extra_scanning(tharg, child_path, ONAS_SCTH_ISDIR);

+		}

+	} else {

+

+		if(stat(child_path, &s) == 0 && S_ISREG(s.st_mode)) return;

+		if(!(event->mask & IN_ISDIR)) return;

+

+		logg("*ddd: MOVED_TO - Adding %s to %s with wd:%d\n", child_path, path, wd);

+		onas_ht_add_hierarchy(ddd_ht, child_path);

+		onas_ddd_watch(child_path, tharg->fan_fd, tharg->fan_mask, onas_in_fd, in_mask);

+	}

+

+	return;

+}

+

+static void onas_ddd_handle_in_moved_to(struct ddd_thrarg *tharg,

+		const char *path, const char *child_path, const struct inotify_event *event, int wd, uint64_t in_mask) {

+

+	struct stat s;

+	if (optget(tharg->opts, "OnAccessExtraScanning")->enabled) {

+		if(stat(child_path, &s) == 0 && S_ISREG(s.st_mode)) {

+			onas_ddd_handle_extra_scanning(tharg, child_path, ONAS_SCTH_ISFILE);

+

+		} else if(stat(child_path, &s) == 0 && S_ISDIR(s.st_mode)) {

+			logg("*ddd: MOVED_TO - Adding %s to %s with wd:%d\n", child_path, path, wd);

+			onas_ht_add_hierarchy(ddd_ht, child_path);

+			onas_ddd_watch(child_path, tharg->fan_fd, tharg->fan_mask, onas_in_fd, in_mask);

+

+			onas_ddd_handle_extra_scanning(tharg, child_path, ONAS_SCTH_ISDIR);

+		}

+	} else {

+		if(stat(child_path, &s) == 0 && S_ISREG(s.st_mode)) return;

+		if(!(event->mask & IN_ISDIR)) return;

+

+		logg("*ddd: MOVED_TO - Adding %s to %s with wd:%d\n", child_path, path, wd);

+		onas_ht_add_hierarchy(ddd_ht, child_path);

+		onas_ddd_watch(child_path, tharg->fan_fd, tharg->fan_mask, onas_in_fd, in_mask);

+	}

+

+	return;

+}

+

+static void onas_ddd_handle_extra_scanning(struct ddd_thrarg *tharg, const char *pathname, int options) {

+

+	struct scth_thrarg *scth_tharg = NULL;

+	pthread_attr_t scth_attr;

+	pthread_t scth_pid = 0;

+

+	do {

+		if (pthread_attr_init(&scth_attr)) break;

+		pthread_attr_setdetachstate(&scth_attr, PTHREAD_CREATE_JOINABLE);

+

+		if (!(scth_tharg = (struct scth_thrarg *) malloc(sizeof(struct scth_thrarg)))) break;

+

+		scth_tharg->options = options;

+		scth_tharg->opts = tharg->opts;

+		scth_tharg->pathname = strdup(pathname);

+

+		if (!pthread_create(&scth_pid, &scth_attr, onas_scan_th, scth_tharg)) break;

+

+		free(scth_tharg);

+		scth_tharg = NULL;

+	} while(0);

+	if (!scth_tharg) logg("!ScanOnAccess: Unable to kick off extra scanning.\n");

+

+	return;

+}

+

+

 static void onas_ddd_exit(int sig) {

 	logg("*ScanOnAccess: onas_ddd_exit(), signal %d\n", sig);

@@ -437,7 +543,7 @@ static void onas_ddd_exit(int sig) {

 	onas_free_ht(ddd_ht);

 	free(wdlt);

-	

+

 	pthread_exit(NULL);

 	logg("ScanOnAccess: stopped\n");

 }

@@ -46,6 +46,12 @@ static int onas_ddd_watch_hierarchy(const char* pathname, size_t len, int fd, ui

 static int onas_ddd_unwatch(const char *pathname, int fan_fd, int in_fd);

 static int onas_ddd_unwatch_hierarchy(const char* pathname, size_t len, int fd, uint32_t type);

+static void onas_ddd_handle_in_moved_to(struct ddd_thrarg *tharg, const char *path, const char *child_path, const struct inotify_event *event, int wd, uint64_t in_mask);

+static void onas_ddd_handle_in_create(struct ddd_thrarg *tharg, const char *path, const char *child_path, const struct inotify_event *event, int wd, uint64_t in_mask);

+static void onas_ddd_handle_in_moved_from(struct ddd_thrarg *tharg, const char *path, const char *child_path, const struct inotify_event *event, int wd);

+static void onas_ddd_handle_in_delete(struct ddd_thrarg *tharg, const char *path, const char *child_path, const struct inotify_event *event, int wd);

+static void onas_ddd_handle_extra_scanning(struct ddd_thrarg *tharg, const char *pathname, int options);

+

 int onas_ddd_init(uint64_t nwatches, size_t ht_size);

 void *onas_ddd_th(void *arg);

 static void onas_ddd_exit(int sig);

new file mode 100644

@@ -0,0 +1,117 @@

+/*

+ *  Copyright (C) 2015 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

+ *

+ *  Authors: Mickey Sola

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#if defined(FANOTIFY)

+

+#include <stdio.h>

+#include <unistd.h>

+#include <string.h>

+#include <fcntl.h>

+#include <fts.h>

+#include <signal.h>

+#include <pthread.h>

+

+#include "shared/optparser.h"

+#include "shared/output.h"

+

+#include "others.h"

+

+#include "onaccess_scth.h"

+

+static void onas_scth_exit(int sig) {

+	logg("*ScanOnAccess: onas_scth_exit(), signal %d\n", sig);

+

+	pthread_exit(NULL);

+}

+

+static void onas_scth_handle_dir(const char *pathname) {

+	FTS *ftsp = NULL;

+	int ftspopts = FTS_PHYSICAL | FTS_XDEV;

+	FTSENT *curr = NULL;

+

+	char *const pathargv[] = { pathname, NULL };

+	if (!(ftsp = fts_open(pathargv, ftspopts, NULL))) return;

+

+	/* Offload scanning work to fanotify thread to avoid potential deadlocks. */

+	while (curr = fts_read(ftsp)) {

+		if (curr->fts_info != FTS_D) {

+			int fd = open(curr->fts_path, O_RDONLY);

+			if (fd > 0) close(fd);

+		}

+	}

+

+	return;

+}

+

+

+static void onas_scth_handle_file(const char *pathname) {

+	if (!pathname) return;

+

+	/* Offload scanning work to fanotify thread to avoid potential deadlocks. */

+	int fd = open(pathname, O_RDONLY);

+	if (fd > 0) close(fd);

+

+	return;

+}

+

+void *onas_scan_th(void *arg) {

+	struct scth_thrarg *tharg = (struct scth_thrarg *) arg;

+	sigset_t sigset;

+	struct sigaction act;

+	const struct optstruct *pt;

+	short int scan;

+

+	/* ignore all signals except SIGUSR1 */

+	sigfillset(&sigset);

+	sigdelset(&sigset, SIGUSR1);

+	/* The behavior of a process is undefined after it ignores a

+	 * SIGFPE, SIGILL, SIGSEGV, or SIGBUS signal */

+	sigdelset(&sigset, SIGFPE);

+	sigdelset(&sigset, SIGILL);

+	sigdelset(&sigset, SIGSEGV);

+#ifdef SIGBUS

+	sigdelset(&sigset, SIGBUS);

+#endif

+	pthread_sigmask(SIG_SETMASK, &sigset, NULL);

+	memset(&act, 0, sizeof(struct sigaction));

+	act.sa_handler = onas_scth_exit;

+	sigfillset(&(act.sa_mask));

+	sigaction(SIGUSR1, &act, NULL);

+	sigaction(SIGSEGV, &act, NULL);

+

+

+	if (tharg->options & ONAS_SCTH_ISDIR) {

+		logg("ScanOnAccess: Performing additional scanning on directory '%s'\n", tharg->pathname);

+		onas_scth_handle_dir(tharg->pathname);

+	} else if (tharg->options & ONAS_SCTH_ISFILE) {

+		logg("ScanOnAccess: Performing additional scanning on file '%s'\n", tharg->pathname);

+		onas_scth_handle_file(tharg->pathname);

+	}

+

+	free(tharg->pathname);

+	tharg->pathname = NULL;

+

+	return NULL;

+}

+#endif

new file mode 100644

@@ -0,0 +1,39 @@

+/*

+ *  Copyright (C) 2015 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

+ *

+ *  Authors: Mickey Sola

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#ifndef __ONAS_SCTH_H

+#define __ONAS_SCTH_H

+

+#define ONAS_SCTH_ISDIR  0x01

+#define ONAS_SCTH_ISFILE 0x02

+

+struct scth_thrarg {

+	int options;

+	const struct optstruct *opts;

+	const char *pathname;

+};

+

+static void onas_scth_handle_dir(const char *pathname);

+static void onas_scth_handle_file(const char *pathname);

+

+void *onas_scan_th(void *arg);

+static void onas_scth_exit(int sig);

+

+#endif

@@ -599,6 +599,12 @@ Example

 # Default: no

 #OnAccessPrevention yes

+# Toggles extra scanning and notifications when a file or directory is created or moved.

+# Requires the  DDD system to kick-off extra scans.

+# (On-access scan only)

+# Default: no

+#OnAccessExtraScanning yes

+

 ##

 ## Bytecode

 ##

@@ -407,6 +407,8 @@ const struct clam_option __clam_options[] = {

     { "OnAccessPrevention", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "This option changes fanotify behavior to prevent access attempts on malicious files instead of simply notifying the user (On Access scan only).", "yes" },

+    { "OnAccessExtraScanning", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Enables extra scanning and notification after catching certain inotify events. Only works with the DDD system enabled.", "yes" },

+

     /* FIXME: mark these as private and don't output into clamd.conf/man */

     { "DevACOnly", "dev-ac-only", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, FLAG_HIDDEN, OPT_CLAMD | OPT_CLAMSCAN, "", "" },