@@ -33,7 +33,7 @@ pkgconfig_DATA = libclamav.pc

 # don't complain that configuration files and databases are not removed, this is intended

 distuninstallcheck_listfiles = find . -type f ! -name clamd.conf ! -name freshclam.conf ! -name daily.cvd ! -name main.cvd -print

 DISTCLEANFILES = target.h

-DISTCHECK_CONFIGURE_FLAGS=--enable-milter --disable-clamav --enable-all-jit-targets --enable-llvm=yes

+DISTCHECK_CONFIGURE_FLAGS=--enable-milter --disable-clamav --enable-all-jit-targets --enable-llvm=yes --with-systemdsystemunitdir=$$dc_install_base/$(systemdsystemunitdir)

 lcov:

 	($(MAKE); cd unit_tests; $(MAKE) lcov)

 quick-check:

@@ -56,6 +56,10 @@ clamd_SOURCES = \

 AM_CFLAGS=@WERR_CFLAGS@

+if INSTALL_SYSTEMD_UNITS

+systemdsystemunit_DATA = clamav-daemon.socket clamav-daemon.service

+endif

+

 endif

 LIBS = $(top_builddir)/libclamav/libclamav.la @CLAMD_LIBS@ @THREAD_LIBS@

new file mode 100644

@@ -0,0 +1,17 @@

+[Unit]

+Description=Clam AntiVirus userspace daemon

+Documentation=man:clamd(8) man:clamd.conf(5) http://www.clamav.net/lang/en/doc/

+Requires=clamav-daemon.socket

+# Check for database existence

+ConditionPathExistsGlob=@DBDIR@/main.{c[vl]d,inc}

+ConditionPathExistsGlob=@DBDIR@/daily.{c[vl]d,inc}

+

+[Service]

+ExecStart=@prefix@/sbin/clamd --foreground=true

+# Reload the database

+ExecReload=/bin/kill -USR2 $MAINPID

+StandardOutput=syslog

+

+[Install]

+WantedBy=multi-user.target

+Also=clamav-daemon.socket

new file mode 100644

@@ -0,0 +1,16 @@

+[Unit]

+Description=Socket for Clam AntiVirus userspace daemon

+Documentation=man:clamd(8) man:clamd.conf(5) http://www.clamav.net/lang/en/doc/

+# Check for database existence

+ConditionPathExistsGlob=@DBDIR@/main.{c[vl]d,inc}

+ConditionPathExistsGlob=@DBDIR@/daily.{c[vl]d,inc}

+

+[Socket]

+ListenStream=/run/clamav/clamd.ctl

+#ListenStream=127.0.0.1:1024

+SocketUser=clamav

+SocketGroup=clamav

+RemoveOnStop=True

+

+[Install]

+WantedBy=sockets.target

@@ -73,7 +73,7 @@

 #include "scanner.h"

 short debug_mode = 0, logok = 0;

-short foreground = 0;

+short foreground = -1;

 char hostid[37];

 char *get_hostid(void *cbdata);

@@ -125,7 +125,9 @@ int main(int argc, char **argv)

     int *lsockets=NULL;

     unsigned int nlsockets = 0;

     unsigned int dboptions = 0;

-    unsigned int i;

+    unsigned int i;	

+    int j;

+    int num_fd;

 #ifdef C_LINUX

     STATBUF sb;

 #endif

@@ -161,6 +163,30 @@ int main(int argc, char **argv)

         debug_mode = 1;

     }

+    /* check foreground option from command line to override config file */

+    for(j = 0; j < argc; j += 1)

+    {

+        if ((memcmp(argv[j], "--foreground", 12) == 0) || (memcmp(argv[j], "-F", 2) == 0))

+        {

+            /* found */

+            break;

+        }

+    }

+

+    if (j < argc)

+    {

+        if(optget(opts, "Foreground")->enabled)

+        {

+            foreground = 1;

+        }

+        else

+        {

+            foreground = 0;

+        }

+    }

+

+    num_fd = sd_listen_fds(0);

+

     /* parse the config file */

     cfgfile = optget(opts, "config-file")->strarg;

     pt = strdup(cfgfile);

@@ -300,7 +326,9 @@ int main(int argc, char **argv)

         if(optget(opts, "LocalSocket")->enabled)

             localsock = 1;

-        if(!tcpsock && !localsock) {

+        logg("#Received %d file descriptor(s) from systemd.\n", num_fd);

+

+        if(!tcpsock && !localsock && num_fd == 0) {

             logg("!Please define server type (local and/or TCP).\n");

             ret = 1;

             break;

@@ -607,7 +635,9 @@ int main(int argc, char **argv)

             break;

         }

-        if(tcpsock) {

+        if(tcpsock || num_fd > 0) {

+            int *t;

+

             opt = optget(opts, "TCPAddr");

             if (opt->enabled) {

                 int breakout = 0;

@@ -634,7 +664,7 @@ int main(int argc, char **argv)

             }

         }

 #ifndef _WIN32

-        if(localsock) {

+        if(localsock && num_fd == 0) {

             int *t;

             mode_t sock_mode, umsk = umask(0777); /* socket is created with 000 to avoid races */

@@ -696,8 +726,43 @@ int main(int argc, char **argv)

             nlsockets++;

         }

+        /* check for local sockets passed by systemd */

+        if (num_fd > 0)

+        {

+            int *t;

+            t = realloc(lsockets, sizeof(int) * (nlsockets + 1));

+            if (!(t)) {

+                ret = 1;

+                break;

+            }

+            lsockets = t;

+

+            lsockets[nlsockets] = localserver(opts);

+            if (lsockets[nlsockets] == -1)

+            {

+                ret = 1;

+                break;

+            }

+            else if (lsockets[nlsockets] > 0)

+            {

+                nlsockets++;

+            }

+        }

+

         /* fork into background */

-        if(!optget(opts, "Foreground")->enabled) {

+        if (foreground == -1)

+        {

+            if (optget(opts, "Foreground")->enabled)

+            {

+                foreground = 1;

+            }

+            else

+            {

+                foreground = 0;

+            }

+        }

+        if(foreground == 0)

+        {

 #ifdef C_BSD	    

             /* workaround for OpenBSD bug, see https://wwws.clamav.net/bugzilla/show_bug.cgi?id=885 */

             for(ret=0;(unsigned int)ret<nlsockets;ret++) {

@@ -731,8 +796,6 @@ int main(int argc, char **argv)

                 if(chdir("/") == -1)

                     logg("^Can't change current working directory to root\n");

-        } else {

-            foreground = 1;

         }

 #endif

@@ -746,22 +809,24 @@ int main(int argc, char **argv)

     } while (0);

-    logg("*Closing the main socket%s.\n", (nlsockets > 1) ? "s" : "");

-

-    for (i = 0; i < nlsockets; i++) {

-        closesocket(lsockets[i]);

-    }

+    if (num_fd == 0)

+    {

+        logg("*Closing the main socket%s.\n", (nlsockets > 1) ? "s" : "");

+        for (i = 0; i < nlsockets; i++) {

+            closesocket(lsockets[i]);

+        }

 #ifndef _WIN32

-    if(nlsockets && localsock) {

-        opt = optget(opts, "LocalSocket");

+        if(nlsockets && localsock) {

+            opt = optget(opts, "LocalSocket");

-        if(unlink(opt->strarg) == -1)

-            logg("!Can't unlink the socket file %s\n", opt->strarg);

-        else

-            logg("Socket file removed.\n");

-    }

+            if(unlink(opt->strarg) == -1)

+                logg("!Can't unlink the socket file %s\n", opt->strarg);

+            else

+                logg("Socket file removed.\n");

+        }

 #endif

+    }

     free(lsockets);

@@ -40,6 +40,7 @@

 #include "shared/optparser.h"

 #include "shared/output.h"

+#include "shared/misc.h"

 #include "others.h"

 #include "server.h"

@@ -61,6 +62,39 @@ int localserver(const struct optstruct *opts)

 	STATBUF foo;

 	char *estr;

+    int num_fd = sd_listen_fds(0);

+    if (num_fd > 2)

+    {

+        logg("!LOCAL: Received more than two file descriptors from systemd.\n");

+        return -1;

+    }

+    else if (num_fd > 0)

+    {

+        /* use socket passed by systemd */

+        int i;

+        for(i = 0; i < num_fd; i += 1)

+        {

+            sockfd = SD_LISTEN_FDS_START + i;

+            if (sd_is_socket(sockfd, AF_UNIX, SOCK_STREAM, 1) == 1)

+            {

+                /* correct socket */

+                break;

+            }

+            else

+            {

+                /* wrong socket */

+                sockfd = -2;

+            }

+        }

+        if (sockfd == -2)

+        {

+            logg("#LOCAL: No local AF_UNIX SOCK_STREAM socket received from systemd.\n");

+            return -2;

+        }

+        logg("#LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.\n");

+        return sockfd;

+    }

+    /* create socket */

     memset((char *) &server, 0, sizeof(server));

     server.sun_family = AF_UNIX;

     strncpy(server.sun_path, optget(opts, "LocalSocket")->strarg, sizeof(server.sun_path));

@@ -49,6 +49,7 @@

 #include "shared/output.h"

 #include "shared/optparser.h"

+#include "shared/misc.h"

 #include "onaccess_fan.h"

 #include "server.h"

@@ -455,13 +456,19 @@ static void *acceptloop_th(void *arg)

     }

     pthread_mutex_unlock(fds->buf_mutex);

-    for (i=0;i < fds->nfds; i++) {

-	if (fds->buf[i].fd == -1)

-	    continue;

-	logg("$Shutdown: closed fd %d\n", fds->buf[i].fd);

-	shutdown(fds->buf[i].fd, 2);

-	closesocket(fds->buf[i].fd);

+    if (sd_listen_fds(0) == 0)

+    {

+        /* only close the sockets, when not using systemd socket activation */

+        for (i=0;i < fds->nfds; i++)

+        {

+            if (fds->buf[i].fd == -1)

+                continue;

+            logg("$Shutdown: closed fd %d\n", fds->buf[i].fd);

+            shutdown(fds->buf[i].fd, 2);

+            closesocket(fds->buf[i].fd);

+        }

     }

+

     fds_free(fds);

     pthread_mutex_destroy(fds->buf_mutex);

     pthread_mutex_lock(&exit_mutex);

@@ -1396,16 +1403,22 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

 	if (progexit) {

 	    pthread_mutex_unlock(&exit_mutex);

 	    pthread_mutex_lock(fds->buf_mutex);

-	    for (i=0;i < fds->nfds; i++) {

-		if (fds->buf[i].fd == -1)

-		    continue;

-		thrmgr_group_terminate(fds->buf[i].group);

-		if (thrmgr_group_finished(fds->buf[i].group, EXIT_ERROR)) {

-		    logg("$Shutdown closed fd %d\n", fds->buf[i].fd);

-		    shutdown(fds->buf[i].fd, 2);

-		    closesocket(fds->buf[i].fd);

-		    fds->buf[i].fd = -1;

-		}

+        if (sd_listen_fds(0) == 0)

+        {

+            /* only close the sockets, when not using systemd socket activation */

+            for (i=0;i < fds->nfds; i++)

+            {

+                if (fds->buf[i].fd == -1)

+                    continue;

+                thrmgr_group_terminate(fds->buf[i].group);

+                if (thrmgr_group_finished(fds->buf[i].group, EXIT_ERROR))

+                {

+                    logg("$Shutdown closed fd %d\n", fds->buf[i].fd);

+                    shutdown(fds->buf[i].fd, 2);

+                    closesocket(fds->buf[i].fd);

+                    fds->buf[i].fd = -1;

+                }

+            }

 	    }

 	    pthread_mutex_unlock(fds->buf_mutex);

 	    break;

@@ -1506,9 +1519,13 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

 #endif

     if(dbstat.entries)

 	cl_statfree(&dbstat);

-    logg("*Shutting down the main socket%s.\n", (nsockets > 1) ? "s" : "");

-    for (i = 0; i < nsockets; i++)

-	shutdown(socketds[i], 2);

+    if (sd_listen_fds(0) == 0)

+    {

+        /* only close the sockets, when not using systemd socket activation */

+        logg("*Shutting down the main socket%s.\n", (nsockets > 1) ? "s" : "");

+        for (i = 0; i < nsockets; i++)

+            shutdown(socketds[i], 2);

+    }

     if((opt = optget(opts, "PidFile"))->enabled) {

 	if(unlink(opt->strarg) == -1)

@@ -58,9 +58,60 @@ int tcpserver(int **lsockets, unsigned int *nlsockets, char *ipaddr, const struc

     int yes = 1;

     int res;

     unsigned int i=0;

+	int num_fd;

     sockets = *lsockets;

+    num_fd = sd_listen_fds(0);

+    if (num_fd > 2)

+    {

+        logg("!TCP: Received more than two file descriptors from systemd.\n");

+        return -1;

+    }

+    else if (num_fd > 0)

+    {

+        /* use socket passed by systemd */

+        int i;

+        for(i = 0; i < num_fd; i += 1)

+        {

+            sockfd = SD_LISTEN_FDS_START + i;

+            if (sd_is_socket(sockfd, AF_INET, SOCK_STREAM, 1) == 1)

+            {

+                /* correct socket */

+                logg("#TCP: Received AF_INET SOCK_STREAM socket from systemd.\n");

+                break;

+            }

+            else if (sd_is_socket(sockfd, AF_INET6, SOCK_STREAM, 1) == 1)

+            {

+                /* correct socket */

+                logg("#TCP: Received AF_INET6 SOCK_STREAM socket from systemd.\n");

+                break;

+            }

+            else

+            {

+                /* wrong socket */

+                sockfd = -2;

+            }

+        }

+        if (sockfd == -2)

+        {

+            logg("#TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.\n");

+            return -2;

+        }

+

+        t = realloc(sockets, sizeof(int) * (*nlsockets + 1));

+        if (!(t)) {

+            return -1;

+        }

+        sockets = t;

+

+        sockets[*nlsockets] = sockfd;

+        (*nlsockets)++;

+        *lsockets = sockets;

+        return 0;

+    }

+

+    /* create socket */

     snprintf(port, sizeof(port), "%lld", optget(opts, "TCPSocket")->numarg);

     memset(&hints, 0x00, sizeof(struct addrinfo));

@@ -87,6 +87,7 @@ AM_MAINTAINER_MODE

 m4_include([m4/reorganization/libs/libz.m4])

 m4_include([m4/reorganization/libs/bzip.m4])

 m4_include([m4/reorganization/libs/unrar.m4])

+m4_include([m4/reorganization/libs/systemd.m4])

 m4_include([m4/reorganization/code_checks/ipv6.m4])

 m4_include([m4/reorganization/code_checks/dns.m4])

 m4_include([m4/reorganization/code_checks/fanotify.m4])

@@ -139,9 +140,12 @@ clamscan/Makefile

 database/Makefile

 docs/Makefile

 clamd/Makefile

+clamd/clamav-daemon.service

+clamd/clamav-daemon.socket

 clamdscan/Makefile

 clamsubmit/Makefile

 clamav-milter/Makefile

+freshclam/clamav-freshclam.service

 freshclam/Makefile

 sigtool/Makefile

 clamconf/Makefile

@@ -49,6 +49,10 @@ freshclam_SOURCES = \

     mirman.c \

     mirman.h

+if INSTALL_SYSTEMD_UNITS

+systemdsystemunit_DATA = clamav-freshclam.service

+endif

+

 AM_CFLAGS=@WERR_CFLAGS@

 DEFS = @DEFS@ -DCL_NOTHREADS

 AM_CPPFLAGS = -I$(top_srcdir) -I$(top_srcdir)/shared -I$(top_srcdir)/libclamav @SSL_CPPFLAGS@ @FRESHCLAM_CPPFLAGS@  @JSON_CPPFLAGS@ @PCRE_CPPFLAGS@

new file mode 100644

@@ -0,0 +1,12 @@

+[Unit]

+Description=ClamAV virus database updater

+Documentation=man:freshclam(1) man:freshclam.conf(5) http://www.clamav.net/lang/en/doc/

+# If user wants it run from cron, don't start the daemon.

+ConditionPathExists=!/etc/cron.d/clamav-freshclam

+

+[Service]

+ExecStart=@prefix@/bin/freshclam -d --foreground=true

+StandardOutput=syslog

+

+[Install]

+WantedBy=multi-user.target

@@ -64,7 +64,7 @@

 static short terminate = 0;

 extern int active_children;

-static short foreground = 1;

+static short foreground = -1;

 char updtmpdir[512], dbdir[512];

 int sigchld_wait = 1;

 const char *pidfile = NULL;

@@ -117,7 +117,7 @@ sighandler (int sig)

         if (pidfile)

             unlink (pidfile);

         logg ("Update process terminated\n");

-        exit (2);

+        exit (0);

     }

     return;

@@ -298,6 +298,7 @@ main (int argc, char **argv)

 #endif

     STATBUF statbuf;

     struct mirdat mdat;

+	int j;

     if (check_flevel ())

         exit (FCE_INIT);

@@ -322,6 +323,25 @@ main (int argc, char **argv)

         return 0;

     }

+    /* check foreground option from command line to override config file */

+    for(j = 0; j < argc; j += 1)

+    {

+        if ((memcmp(argv[j], "--foreground", 12) == 0) || (memcmp(argv[j], "-F", 2) == 0))

+        {

+            /* found */

+            break;

+        }

+    }

+

+	if (j < argc) {

+		if(optget(opts, "Foreground")->enabled) {

+			foreground = 1;

+		}

+		else {

+			foreground = 0;

+		}

+	}

+

     /* parse the config file */

     cfgfile = optget (opts, "config-file")->strarg;

     pt = strdup (cfgfile);

@@ -638,7 +658,19 @@ main (int argc, char **argv)

         bigsleep = 24 * 3600 / checks;

 #ifndef _WIN32

-        if (!optget (opts, "Foreground")->enabled)

+        /* fork into background */

+        if (foreground == -1)

+        {

+            if (optget(opts, "Foreground")->enabled)

+            {

+                foreground = 1;

+            }

+            else

+            {

+                foreground = 0;

+            }

+        }

+        if(foreground == 0)

         {

             if (daemonize () == -1)

             {

@@ -646,7 +678,6 @@ main (int argc, char **argv)

                 optfree (opts);

                 return FCE_FAILEDUPDATE;

             }

-            foreground = 0;

             mprintf_disabled = 1;

         }

 #endif

new file mode 100644

@@ -0,0 +1,19 @@

+dnl Check for systemd-daemon

+PKG_CHECK_MODULES(SYSTEMD, [libsystemd], [AC_DEFINE([HAVE_SYSTEMD],,[systemd is supported])],

+                  [PKG_CHECK_MODULES(SYSTEMD, [libsystemd-daemon], [AC_DEFINE([HAVE_SYSTEMD],,[systemd-daemon is supported])], [AC_MSG_RESULT([systemd is not supported])])])

+CLAMD_LIBS="$CLAMD_LIBS $SYSTEMD_LIBS"

+CFLAGS="$CFLAGS $SYSTEMD_CFLAGS"

+

+dnl Check for systemd system unit installation directory (see man 7 daemon)

+AC_ARG_WITH([systemdsystemunitdir], AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]),, [with_systemdsystemunitdir=auto])

+AS_IF([test "x$with_systemdsystemunitdir" = "xyes" -o "x$with_systemdsystemunitdir" = "xauto"], [

+     def_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)

+     AS_IF([test "x$def_systemdsystemunitdir" = "x"],

+         [AS_IF([test "x$with_systemdsystemunitdir" = "xyes"], [AC_MSG_ERROR([systemd support requested but pkg-config unable to query systemd package])])

+          with_systemdsystemunitdir=no],

+         [with_systemdsystemunitdir=$def_systemdsystemunitdir])])

+AS_IF([test "x$with_systemdsystemunitdir" != "xno"],

+      [AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])])

+AM_CONDITIONAL(INSTALL_SYSTEMD_UNITS, [test "x$with_systemdsystemunitdir" != "xno"])

+AC_MSG_RESULT([checking for systemd system unit installation directory... $with_systemdsystemunitdir])

+

@@ -38,6 +38,14 @@

 # endif

 #endif

+#ifdef HAVE_SYSTEMD

+# include <systemd/sd-daemon.h>

+#else

+# define sd_listen_fds(u) 0

+# define SD_LISTEN_FDS_START 3

+# define sd_is_socket(f, a, s, l) 1

+#endif

+

 #include <limits.h>

 #ifndef PATH_MAX

@@ -276,7 +276,7 @@ const struct clam_option __clam_options[] = {

     { "AllowAllMatchScan", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD, "Permit use of the ALLMATCHSCAN command.", "yes" },

-    { "Foreground", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER, "Don't fork into background.", "no" },

+    { "Foreground", "foreground", 'F', CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER, "Don't fork into background.", "no" },

     { "Debug", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM, "Enable debug messages in libclamav.", "no" },