@@ -808,27 +808,40 @@ onas_fan_checkowner (int pid, const struct optstruct *opts) |
808 | 808 |
char path[32]; |
809 | 809 |
STATBUF sb; |
810 | 810 |
int num_arg; |
811 |
- const struct optstruct *opt; |
|
811 |
+ const struct optstruct *opt = NULL; |
|
812 |
+ const struct optstruct *opt_root = NULL; |
|
812 | 813 |
|
814 |
+ /* always ignore ourselves */ |
|
813 | 815 |
if (pid == (int) getpid()) { |
814 | 816 |
return 1; |
815 | 817 |
} |
816 | 818 |
|
817 |
- if (!(opt = optget (opts, "OnAccessExcludeUID"))->enabled) |
|
819 |
+ /* check to see if we even need to stat /proc */ |
|
820 |
+ |
|
821 |
+ if (!(opt = optget (opts, "OnAccessExcludeUID"))->enabled && !(opt_root = optget (opts, "OnAccessExcludeRootUID"))->enabled) |
|
818 | 822 |
return 0; |
819 | 823 |
|
824 |
+ /* if we can stat OK */ |
|
820 | 825 |
snprintf (path, sizeof (path), "/proc/%u", pid); |
821 |
- if (CLAMSTAT (path, &sb) == 0) |
|
822 |
- { |
|
823 |
- while (opt) |
|
824 |
- { |
|
825 |
- /* We use UID 0 in place of -1 because the option would be disabled for UID 0*/ |
|
826 |
- (opt->numarg == -1) ? (num_arg = 0) : (num_arg = opt->numarg); |
|
827 |
- if (num_arg == (long long) sb.st_uid) |
|
826 |
+ if (CLAMSTAT (path, &sb) == 0) { |
|
827 |
+ /* check all our non-root UIDs first */ |
|
828 |
+ if (opt->enabled) { |
|
829 |
+ while (opt) |
|
830 |
+ { |
|
831 |
+ if (opt->numarg == (long long) sb.st_uid) |
|
832 |
+ return 1; |
|
833 |
+ opt = opt->nextarg; |
|
834 |
+ } |
|
835 |
+ } |
|
836 |
+ /* finally check root UID */ |
|
837 |
+ if (opt_root->enabled) { |
|
838 |
+ if (0 == (long long) sb.st_uid) |
|
828 | 839 |
return 1; |
829 |
- opt = opt->nextarg; |
|
830 | 840 |
} |
841 |
+ } else { |
|
842 |
+ logg("*Could not stat /proc to exclude UIDs...consider checking your SELinux policy."); |
|
831 | 843 |
} |
844 |
+ |
|
832 | 845 |
return 0; |
833 | 846 |
} |
834 | 847 |
#endif |
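Review bot: `opt_root` is dereferenced unconditionally at `if (opt_root->enabled)` but is only assigned when the first operand of the `&&` in the early-return condition is true, i.e. when OnAccessExcludeUID is disabled; with OnAccessExcludeUID enabled, a successful stat and a UID that matches no entry, the while loop runs `opt` down to NULL and the root check then dereferences a NULL `opt_root`, crashing the on-access scanner. Fetch both options before the early return so each pointer is always valid: `opt = optget (opts, "OnAccessExcludeUID");` `opt_root = optget (opts, "OnAccessExcludeRootUID");` `if (!opt->enabled && !opt_root->enabled) return 0;`. The `num_arg` local declared at the top of the hunk is no longer read once the -1-to-0 mapping is removed and should be dropped. Note also that configurations still using `OnAccessExcludeUID -1` silently stop excluding root after this change, since -1 can never equal `(long long) sb.st_uid`. onas_fan_checkowner's signature and the start of its body lie before this hunk.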
@@ -609,10 +609,18 @@ Example |
609 | 609 |
# Default: disabled |
610 | 610 |
#OnAccessExcludePath /home/bofh |
611 | 611 |
|
612 |
+# With this option you can whitelist the root UID (0). Processes run under |
|
613 |
+# root with be able to access all files without triggering scans or |
|
614 |
+# permission denied events. |
|
615 |
+# Default: disabled |
|
616 |
+#OnAccessExcludeRootUID 0 |
|
617 |
+ |
|
612 | 618 |
# With this option you can whitelist specific UIDs. Processes with these UIDs |
613 |
-# will be able to access all files. For UID 0 please use a value of -1 since |
|
614 |
-# a value of 0 will disable this option. |
|
619 |
+# will be able to access all files without triggering scans or permission |
|
620 |
+# denied events. |
|
615 | 621 |
# This option can be used multiple times (one per line). |
622 |
+# Using a value of 0 on any line will disable this option entirely. To whitelist |
|
623 |
+# the root UID (0) please enable the OnAccessExcludeRootUID option. |
|
616 | 624 |
# Default: disabled |
617 | 625 |
#OnAccessExcludeUID -1 |
618 | 626 |
|
@@ -404,7 +404,9 @@ const struct clam_option __clam_options[] = { |
404 | 404 |
|
405 | 405 |
{ "OnAccessExcludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows excluding directories from on-access scanning. It can\nbe used multiple times. Only works with DDD system.", "/home/bofh\n/root" }, |
406 | 406 |
|
407 |
- { "OnAccessExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can whitelist specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line). For a UID of 0 please use the value -1 instead, since 0 will disable this option.", "0" }, |
|
407 |
+ { "OnAccessExcludeRootUID", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD, "Use this option to whitelist the root UID (0) and allow any processes run under root to access all watched files without triggering scans.", "no" }, |
|
408 |
+ |
|
409 |
+ { "OnAccessExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can whitelist specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line). Using a value of 0 on any line will disable this option entirely. To whitelist the root UID please enable the OnAccessExcludeRootUID option.", "0" }, |
|
408 | 410 |
|
409 | 411 |
{ "OnAccessMaxFileSize", NULL, 0, CLOPT_TYPE_SIZE, MATCH_SIZE, 5242880, NULL, 0, OPT_CLAMD, "Files larger than this value will not be scanned in on access.", "5M" }, |
410 | 412 |
|
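Review bot: The suggested value for OnAccessExcludeUID remains `"0"` while the rewritten description on the same table line says a value of 0 disables the option entirely, so the example shows exactly the value that turns the feature off; a non-zero illustrative UID such as `"1000"` would match the text. The new OnAccessExcludeRootUID entry is CLOPT_TYPE_BOOL with suggested `"no"`, yet the clamd.conf sample in this commit shows `#OnAccessExcludeRootUID 0`; presumably MATCH_BOOL accepts both spellings, but the two examples should agree on one form. The `__clam_options[]` array begins and ends outside this hunk.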