@@ -1259,44 +1259,6 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

     logg("*MaxQueue set to: %d\n", max_queue);

     acceptdata.max_queue = max_queue;

-    if (optget(opts, "ScanOnAccess")->enabled)

-/*

-#if defined(FANOTIFY) || defined(CLAMAUTH)

-    {

-        int thread_started = 1;

-        do {

-            if (pthread_attr_init(&fan_attr)) break;

-            pthread_attr_setdetachstate(&fan_attr, PTHREAD_CREATE_JOINABLE);

-

-			Allocate memory for arguments. Thread is responsible for freeing it.

-            if (!(tharg = (struct thrarg *)calloc(sizeof(struct thrarg), 1))) break;

-            if (!(tharg->options = (struct cl_scan_options *)calloc(sizeof(struct cl_scan_options), 1))) break;

-

-            (void)memcpy(tharg->options, &options, sizeof(struct cl_scan_options));

-            tharg->opts   = opts;

-            tharg->engine = engine;

-

-            thread_started = pthread_create(&fan_pid, &fan_attr, onas_fan_th, tharg);

-        } while (0);

-

-        if (0 != thread_started) {

-			Failed to create thread. Free anything we may have allocated.

-            logg("!Unable to start on-access scan.\n");

-            if (NULL != tharg) {

-                if (NULL != tharg->options) {

-                    free(tharg->options);

-                    tharg->options = NULL;

-                }

-                free(tharg);

-                tharg = NULL;

-            }

-        }

-    }

-#else

-        logg("!On-access scan is not available\n");

-#endif

-*/

-

 #ifndef _WIN32

     /* set up signal handling */

     sigfillset(&sigset);

@@ -1576,12 +1538,6 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

             reload = 0;

             time(&reloaded_time);

             pthread_mutex_unlock(&reload_mutex);

-

-#if defined(FANOTIFY) || defined(CLAMAUTH)

-            if (optget(opts, "ScanOnAccess")->enabled && tharg) {

-                tharg->engine = engine;

-            }

-#endif

             time(&start_time);

         } else {

             pthread_mutex_unlock(&reload_mutex);

@@ -1603,16 +1559,6 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

      */

     logg("*Waiting for all threads to finish\n");

     thrmgr_destroy(thr_pool);

-#if defined(FANOTIFY) || defined(CLAMAUTH)

-    if (optget(opts, "ScanOnAccess")->enabled && tharg) {

-        logg("Stopping on-access scan\n");

-        pthread_mutex_lock(&logg_mutex);

-        pthread_kill(fan_pid, SIGUSR1);

-        pthread_mutex_unlock(&logg_mutex);

-        pthread_join(fan_pid, NULL);

-        free(tharg);

-    }

-#endif

     if (engine) {

         thrmgr_setactiveengine(NULL);

         cl_engine_free(engine);

@@ -75,6 +75,15 @@ int main(int argc, char **argv)

 	}

 	ctx->opts = opts;

+#ifndef _WIN32

+        if (!optget(ctx->opts, "foreground")->enabled) {

+            if (-1 == daemonize()) {

+                logg("!Clamonacc: could not daemonize\n");

+                return 2;

+            }

+        }

+#endif

+

 	clamdopts = optparse(optget(opts, "config-file")->strarg, 0, NULL, 1, OPT_CLAMD, 0, NULL);

 	if (clamdopts == NULL) {

 		logg("!Clamonacc: can't parse clamd configuration file %s\n", optget(opts, "config-file")->strarg);

@@ -218,14 +227,14 @@ void help(void)

     mprintf("    --version              -V          Print version number and exit\n");

     mprintf("    --verbose              -v          Be verbose\n");

     mprintf("    --log=FILE             -l FILE     Save scanning output to FILE\n");

+    mprintf("    --foreground           -F          Output to foreground and do not daemonize\n");

     mprintf("    --watch-list=FILE      -w FILE     Watch directories from FILE\n");

-    mprintf("    --exclude-list=FILES   -f FILE     Exclude directories from FILE\n");

+    mprintf("    --exclude-list=FILES   -e FILE     Exclude directories from FILE\n");

     mprintf("    --remove                           Remove infected files. Be careful!\n");

     mprintf("    --move=DIRECTORY                   Move infected files into DIRECTORY\n");

     mprintf("    --copy=DIRECTORY                   Copy infected files into DIRECTORY\n");

     mprintf("    --config-file=FILE                 Read configuration from FILE.\n");

     mprintf("    --allmatch             -z          Continue scanning within file after finding a match.\n");

-    mprintf("    --infected             -i          Only print infected files\n");

     mprintf("    --fdpass                           Pass filedescriptor to clamd (useful if clamd is running as a different user)\n");

     mprintf("    --stream                           Force streaming files to clamd (for debugging and unit testing)\n");

     mprintf("\n");

@@ -306,6 +306,9 @@ cl_error_t onas_setup_client (struct onas_context **ctx) {

     }

     (*ctx)->timeout = optget((*ctx)->clamdopts, "OnAccessCurlTimeout")->numarg;

+    (*ctx)->retry_attempts = optget((*ctx)->clamdopts, "OnAccessRetryAttempts")->numarg;

+    (*ctx)->retry_attempts ? ((*ctx)->retry_on_error = 1) : ((*ctx)->retry_on_error = 0);

+    optget((*ctx)->clamdopts, "OnAccessDenyOnError")->enabled ? ((*ctx)->deny_on_error  = 1) : ((*ctx)->deny_on_error = 0);

     (*ctx)->isremote = onas_check_remote(ctx, &err);

     if (err) {

@@ -208,26 +208,33 @@ int onas_fan_eloop(struct onas_context **ctx) {

 	} while((ret == -1 && errno == EINTR));

     time_t start = time(NULL) - 30;

-	while(((bread = read((*ctx)->fan_fd, buf, sizeof(buf))) > 0) || (errno == EOVERFLOW || errno == EMFILE)) {

-

-        if (errno == EOVERFLOW) {

+	while(((bread = read((*ctx)->fan_fd, buf, sizeof(buf))) > 0) || (errno == EOVERFLOW || errno == EMFILE || errno == EACCES)) {

+		switch(errno) {

+			case EOVERFLOW:

             if (time(NULL) - start >= 30) {

-				logg("!ClamFanotif: internal error (failed to read data) ... %s\n", strerror(errno));

-				logg("!ClamFanotif: file too large for fanotify ... recovering and continuing scans...\n");

+					logg("*ClamFanotif: internal error (failed to read data) ... %s\n", strerror(errno));

+					logg("*ClamFanotif: file too large for fanotify ... recovering and continuing scans...\n");

                 start = time(NULL);

             }

             errno = 0;

             continue;

-        }

+			case EACCES:

+				logg("*ClamFanotif: internal error (failed to read data) ... %s\n", strerror(errno));

+				logg("*ClamFanotif: check your SELinux audit logs and consider adding an exception \

+						... recovering and continuing scans...\n");

-                if (errno == EMFILE) {

+				errno = 0;

+				continue;

+			case EMFILE:

 				logg("*ClamFanotif: internal error (failed to read data) ... %s\n", strerror(errno));

                                 logg("*ClamFanotif: waiting for consumer thread to catch up then retrying ...\n");

-                                errno = 0;

-

                                 sleep(3);

+

+				errno = 0;

                                 continue;

+			default:

+			break;

                 }

         fmd = (struct fanotify_event_metadata *)buf;

@@ -614,10 +614,10 @@ int onas_ht_add_hierarchy(struct onas_ht *ht, const char *pathname)

         switch (curr->fts_info) {

             case FTS_D:

                 hnode = onas_hashnode_init();

-				if (!hnode) {

-                                    ret = CL_EMEM;

-                                    goto out;

-                                }

+                if (!hnode) {

+                    ret = CL_EMEM;

+                    goto out;

+                }

                 hnode->pathlen  = curr->fts_pathlen;

                 hnode->pathname = cli_strndup(curr->fts_path, hnode->pathlen);

@@ -637,12 +637,10 @@ int onas_ht_add_hierarchy(struct onas_ht *ht, const char *pathname)

                 if (childlist->fts_info == FTS_D) {

                     if (CL_EMEM == onas_add_hashnode_child(hnode, childlist->fts_name)) {

-						ret = CL_EMEM;

-                                                goto out;

-                                        }

+                        ret = CL_EMEM;

+                        goto out;

                     }

                 }

-

             } while ((childlist = childlist->fts_link));

         }

@@ -31,6 +31,7 @@

 #include <sys/stat.h>

 #include <errno.h>

 #include <pthread.h>

+#include <pwd.h>

 #include "libclamav/clamav.h"

 #include "shared/optparser.h"

 #include "shared/output.h"

@@ -42,10 +43,12 @@

 int onas_fan_checkowner(int pid, const struct optstruct *opts)

 {

+    struct passwd *pwd;

     char path[32];

     STATBUF sb;

     const struct optstruct *opt      = NULL;

     const struct optstruct *opt_root = NULL;

+    const struct optstruct *opt_uname = NULL;

     /* always ignore ourselves */

     if (pid == (int)getpid()) {

@@ -55,9 +58,10 @@ int onas_fan_checkowner(int pid, const struct optstruct *opts)

     /* look up options */

     opt      = optget(opts, "OnAccessExcludeUID");

     opt_root = optget(opts, "OnAccessExcludeRootUID");

+    opt_uname = optget (opts, "OnAccessExcludeUname");

     /* we can return immediately if no uid exclusions were requested */

-    if (!(opt->enabled || opt_root->enabled))

+    if (!(opt->enabled || opt_root->enabled || opt_uname->enabled))

         return CHK_CLEAN;

     /* perform exclusion checks if we can stat OK */

@@ -71,16 +75,26 @@ int onas_fan_checkowner(int pid, const struct optstruct *opts)

                 opt = opt->nextarg;

             }

         }

+        /* then check our unames */

+        if (opt_uname->enabled) {

+            while (opt_uname)

+            {

+                pwd = getpwuid(sb.st_uid);

+                if (!strncmp(opt_uname->strarg, pwd->pw_name, strlen(opt_uname->strarg)))

+                    return CHK_FOUND;

+                opt_uname = opt_uname->nextarg;

+            }

+        }

         /* finally check root UID */

         if (opt_root->enabled) {

             if (0 == (long long)sb.st_uid)

                 return CHK_FOUND;

         }

     } else if (errno == EACCES) {

-        logg("*Permission denied to stat /proc/%d to exclude UIDs... perhaps SELinux denial?\n", pid);

+        logg("*ClamMisc: permission denied to stat /proc/%d to exclude UIDs... perhaps SELinux denial?\n", pid);

     } else if (errno == ENOENT) {

         /* TODO: should this be configurable? */

-        logg("$/proc/%d vanished before UIDs could be excluded; scanning anyway\n", pid);

+        logg("ClamMisc: $/proc/%d vanished before UIDs could be excluded; scanning anyway\n", pid);

     }

     return CHK_CLEAN;

@@ -614,34 +614,53 @@ Example

 ## On-access Scan Settings

 ##

-# Enable on-access scanning. Currently, this is supported via fanotify.

-# Clamuko/Dazuko support has been deprecated.

-# Default: no

-#ScanOnAccess yes

-

-# Set the  mount point to be scanned. The mount point specified, or the mount

-# point containing the specified directory will be watched. If any directories

-# are specified, this option will preempt the DDD system. This will notify

-# only. It can be used multiple times.

-# (On-access scan only)

-# Default: disabled

-#OnAccessMountPath /

-#OnAccessMountPath /home/user

-

 # Don't scan files larger than OnAccessMaxFileSize

 # Value of 0 disables the limit.

 # Default: 5M

 #OnAccessMaxFileSize 10M

+# Max number of scanning threads to allocate to the OnAccess thread pool at startup.

+# These threads are the ones responsible for creating a connection with the daemon 

+# and kicking off scanning after an event has been processed. To prevent clamonacc 

+# from consuming all clamd's resources keep this lower than clamd's max threads.

+# Default: 5

+#OnAccessMaxThreads 10

+

+# Max amount of time (in milliseconds) that the OnAccess client should spend for every 

+# connect, send, and recieve attempt when communicating with clamd via curl.

+# Default: 5000L (5 seconds)

+# OnAccessCurlTimeout 10000L

+

 # Set the include paths (all files inside them will be scanned). You can have

 # multiple OnAccessIncludePath directives but each directory must be added

-# in a separate line. (On-access scan only)

+# in a separate line.

 # Default: disabled

 #OnAccessIncludePath /home

 #OnAccessIncludePath /students

+# Modifies fanotify blocking behaviour when handling permission events.

+# If off, fanotify will only notify if the file scanned is a virus,

+# and not perform any blocking.

+# Default: no

+#OnAccessPrevention yes

+

+# Toggles dynamic directory determination. Allows for recursively watching

+# include paths.

+# Default: no

+#OnAccessDisableDDD yes

+

+# Set the  mount point to be scanned. The mount point specified, or the mount

+# point containing the specified directory will be watched. If any directories

+# are specified, this option will preempt (disable and ignore all options related to) 

+# the DDD system. This option will result in verdicts only: Prevention is explicitly 

+# disallowed to prevent uninteded, fatal misuse by users due to their potential 

+# fundamental misunderstanding of (pre kernel 5.1) fanotify mechanisms.

+# It can be used multiple times.

+# Default: disabled

+#OnAccessMountPath /

+#OnAccessMountPath /home/user

+

 # Set the exclude paths. All subdirectories are also excluded.

-# (On-access scan only)

 # Default: disabled

 #OnAccessExcludePath /home/bofh

@@ -671,25 +690,28 @@ Example

 # Default: disabled

 #OnAccessExcludeUID -1

-# Toggles dynamic directory determination. Allows for recursively watching

-# include paths.

-# (On-access scan only)

-# Default: no

-#OnAccessDisableDDD yes

+# This option allows exclusions via user names when using the on-access 

+# scanning client. It can be used multiple times.

+# It has the same potential race condition limitations of the OnAccessExcludeUID option.

+# Default: disabled

+#OnAccessExcludeUname clamuser

-# Modifies fanotify blocking behaviour when handling permission events.

-# If off, fanotify will only notify if the file scanned is a virus,

-# and not perform any blocking.

-# (On-access scan only)

+# Number of times the OnAccess client will retry a failed scan due to connection problems 

+# (or other issues). 

+# Default: 0

+#OnAccessRetryAttempts 3

+

+# When using prevention, if this option is turned on, any errors that occur during 

+# scanning will result in the event attempt being denied. This could potentially 

+# lead to unwanted system behaviour with certain configurations, so the client defaults 

+# this to off and prefers allowing access events in case of scan or connection error.

 # Default: no

-#OnAccessPrevention yes

+#OnAccessDenyOnError yes

+

 # Toggles extra scanning and notifications when a file or directory is

 # created or moved.

 # Requires the  DDD system to kick-off extra scans.

-# NOTE:  This feature is disabled until a thread resource leak bug

-#        in the OnAccessExtraScanning code can be resolved.

-# (On-access scan only)

 # Default: no

 #OnAccessExtraScanning yes

@@ -277,7 +277,7 @@ const struct clam_option __clam_options[] = {

     {"AllowAllMatchScan", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD, "Permit use of the ALLMATCHSCAN command.", "yes"},

-    {"Foreground", "foreground", 'F', CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER, "Don't fork into background.", "no"},

+    { "Foreground", "foreground", 'F', CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER | OPT_CLAMONACC, "Don't fork into background.", "no" },

     {"Debug", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM, "Enable debug messages in libclamav.", "no"},

@@ -400,8 +400,6 @@ const struct clam_option __clam_options[] = {

     {"PCREMaxFileSize", "pcre-max-filesize", 0, CLOPT_TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_PCRE_MAX_FILESIZE, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum filesize for which PCRE subsigs will be executed.\nFiles exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer.\nNegative values are not allowed.\nSetting this value to zero disables the limit.\nWARNING: setting this limit too high or disabling it may severely impact performance.", "25M"},

     /* OnAccess settings */

-    {"ScanOnAccess", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD, "This option enables on-access scanning (Linux only)", "no"},

-

     {"OnAccessMountPath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option specifies a directory or mount point which should be scanned on access. The mount point specified, or the mount point containing the specified directory will be watched, but only notifications will occur. If any directories are specified, this option will preempt the DDD system. It can also be used multiple times.", "/\n/home/user"},

     { "OnAccessIncludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option specifies a directory (including all files and directories\ninside it), which should be scanned on access. This option can\nbe used multiple times.", "/home\n/students" },

@@ -412,6 +410,8 @@ const struct clam_option __clam_options[] = {

     {"OnAccessExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can whitelist specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line). Using a value of 0 on any line will disable this option entirely. To whitelist the root UID please enable the OnAccessExcludeRootUID option.", "0"},

+    { "OnAccessExcludeUname", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows exclusions via user names when using the on-access scanning client. It can\nbe used multiple times.", "clamuser" },

+

     {"OnAccessMaxFileSize", NULL, 0, CLOPT_TYPE_SIZE, MATCH_SIZE, 5242880, NULL, 0, OPT_CLAMD, "Files larger than this value will not be scanned in on access.", "5M"},

     { "OnAccessDisableDDD", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "This option toggles the dynamic directory determination system for on-access scanning (Linux only).", "no" },

@@ -425,6 +425,10 @@ const struct clam_option __clam_options[] = {

     { "OnAccessMaxThreads", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 5, NULL, 0, OPT_CLAMD, "Max number of scanning threads to allocate to the OnAccess thread pool at startup--these threads are the ones responsible for creating a connection with the daemon and kicking off scanning after an event has been processed. To prevent clamonacc from consuming all clamd's resources keep this lower than clamd's max threads. Default is 5", "10" },

+    { "OnAccessRetryAttempts", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 0, NULL, 0, OPT_CLAMD, "Number of times the OnAccess client will retry a failed scan due to connection problems (or other issues). Defaults to no retries.", "3" },

+

+    { "OnAccessDenyOnError", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "When using prevention, if this option is turned on, any errors that occur during scanning will result in the event attempt being denied. This could potentially lead to unwanted system behaviour with certain configurations, so the client defaults to off and allowing access events in case of error.", "yes" },

+

     /* clamonacc cmdline options */

@@ -520,16 +524,8 @@ const struct clam_option __clam_options[] = {

     {"ArchiveBlockMax", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},

     {"ArchiveLimitMemoryUsage", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},

     {"MailFollowURLs", "mail-follow-urls", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "", ""},

-    {"ClamukoScanOnAccess", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},

-    {"ClamukoScannerCount", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 3, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},

-    {"ClamukoScanOnOpen", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},

-    {"ClamukoScanOnClose", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},

-    {"ClamukoScanOnExec", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},

-    {"ClamukoIncludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_DEPRECATED, "", ""},

-    {"ClamukoExcludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_DEPRECATED, "", ""},

-    {"ClamukoExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_DEPRECATED, "", ""},

-    {"ClamukoMaxFileSize", NULL, 0, CLOPT_TYPE_SIZE, MATCH_SIZE, 5242880, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},

     {"AllowSupplementaryGroups", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER | OPT_DEPRECATED, "Initialize a supplementary group access (the process must be started by root).", "no"},

+    { "ScanOnAccess", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", "" },

     /* Milter specific options */