
0.99.3 - bb11978 - onas - adding ExcludeRootUID option as cleaner alternative to using negative values to whitelist root UIDs using the ExcludeUID option

Mickey Sola authored on 2017/12/13 05:56:55
Showing 3 changed files
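--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -808,27 +808,40 @@ onas_fan_checkowner (int pid, const struct optstruct *opts)
     char path[32];
     STATBUF sb;
     int num_arg;
-    const struct optstruct *opt;
+    const struct optstruct *opt = NULL;
+    const struct optstruct *opt_root = NULL;
 
+    /* always ignore ourselves */
     if (pid == (int) getpid()) {
         return 1;
     }
 
-    if (!(opt = optget (opts, "OnAccessExcludeUID"))->enabled)
+    /* check to see if we even need to stat /proc */
+
+    if (!(opt = optget (opts, "OnAccessExcludeUID"))->enabled && !(opt_root = optget (opts, "OnAccessExcludeRootUID"))->enabled)
         return 0;
 
+    /* if we can stat OK */
     snprintf (path, sizeof (path), "/proc/%u", pid);
-    if (CLAMSTAT (path, &sb) == 0)
-    {
-        while (opt)
-        {
-            /* We use UID 0 in place of -1 because the option would be disabled for UID 0*/
-            (opt->numarg == -1) ? (num_arg = 0) : (num_arg = opt->numarg);
-            if (num_arg == (long long) sb.st_uid)
+    if (CLAMSTAT (path, &sb) == 0) {
+        /* check all our non-root UIDs first */
+        if (opt->enabled) {
+            while (opt)
+            {
+                if (opt->numarg == (long long) sb.st_uid)
+                    return 1;
+                opt = opt->nextarg;
+            }
+        }
+        /* finally check root UID */
+        if (opt_root->enabled) {
+            if (0 == (long long) sb.st_uid)
                 return 1;
-            opt = opt->nextarg;
         }
+    } else {
+        logg("*Could not stat /proc to exclude UIDs...consider checking your SELinux policy.");
     }
+
     return 0;
 }
 #endif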
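Review bot: `opt_root` is still NULL when `if (opt_root->enabled)` on new line 837 runs in the common case: the `&&` on new line 821 short-circuits as soon as OnAccessExcludeUID is enabled, so `opt_root` is only assigned when that option is off, and any process whose UID matches none of the listed UIDs walks the list to its end and then dereferences NULL inside the on-access decision path. Looking both options up before the early return removes the dependency on evaluation order: `opt = optget (opts, "OnAccessExcludeUID");` `opt_root = optget (opts, "OnAccessExcludeRootUID");` `if (!opt->enabled && !opt_root->enabled) return 0;`. With the `-1` remapping gone, the `int num_arg;` local on line 810 is no longer read and can be dropped, and the inner `if (opt->enabled)` on new line 828 is then the only place the loop is gated, which is fine. The opening brace of onas_fan_checkowner is above the hunk.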
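--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -609,10 +609,18 @@ Example
 # Default: disabled
 #OnAccessExcludePath /home/bofh
 
+# With this option you can whitelist the root UID (0). Processes run under
+# root with be able to access all files without triggering scans or
+# permission denied events.
+# Default: disabled
+#OnAccessExcludeRootUID 0
+
 # With this option you can whitelist specific UIDs. Processes with these UIDs
-# will be able to access all files. For UID 0 please use a value of -1 since
-# a value of 0 will disable this option.
+# will be able to access all files without triggering scans or permission
+# denied events.
 # This option can be used multiple times (one per line).
+# Using a value of 0 on any line will disable this option entirely. To whitelist
+# the root UID (0) please enable the OnAccessExcludeRootUID option.
 # Default: disabled
 #OnAccessExcludeUID -1
 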
@@ -404,7 +404,9 @@ const struct clam_option __clam_options[] = {
404 404
 
405 405
     { "OnAccessExcludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows excluding directories from on-access scanning. It can\nbe used multiple times. Only works with DDD system.", "/home/bofh\n/root" },
406 406
 
407
-    { "OnAccessExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can whitelist specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line). For a UID of 0 please use the value -1 instead, since 0 will disable this option.", "0" },
407
+    { "OnAccessExcludeRootUID", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD, "Use this option to whitelist the root UID (0) and allow any processes run under root to access all watched files without triggering scans.", "no" },
408
+
409
+    { "OnAccessExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can whitelist specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line). Using a value of 0 on any line will disable this option entirely. To whitelist the root UID please enable the OnAccessExcludeRootUID option.", "0" },
408 410
 
409 411
     { "OnAccessMaxFileSize", NULL, 0, CLOPT_TYPE_SIZE, MATCH_SIZE, 5242880, NULL, 0, OPT_CLAMD, "Files larger than this value will not be scanned in on access.", "5M" },
410 412