@@ -33,6 +33,10 @@

 #endif

 #include <time.h>

 #include <signal.h>

+#if defined(FANOTIFY)

+#include <sys/fanotify.h>

+#include <fcntl.h>

+#endif

 #include "../libclamav/clamav.h"

 #include "../libclamav/others.h"

@@ -220,6 +224,9 @@ int onas_start_eloop(struct onas_context **ctx) {

 static int startup_checks(struct onas_context *ctx) {

+#if defined(FANOTIFY)

+	char faerr[128];

+#endif

 	int ret = 0;

         cl_error_t err = CL_SUCCESS;

@@ -235,6 +242,17 @@ static int startup_checks(struct onas_context *ctx) {

 		goto done;

 	}

+#if defined(FANOTIFY)

+        ctx->fan_fd = fanotify_init(FAN_CLASS_CONTENT | FAN_UNLIMITED_QUEUE | FAN_UNLIMITED_MARKS, O_LARGEFILE | O_RDONLY);

+        if (ctx->fan_fd < 0) {

+            logg("!Clamonacc: fanotify_init failed: %s\n", cli_strerror(errno, faerr, sizeof(faerr)));

+            if (errno == EPERM)

+                logg("!Clamonacc: clamonacc must have elevated permissions ... exiting ...\n");

+            ret = 2;

+            goto done;

+        }

+#endif

+

         if (curl_global_init(CURL_GLOBAL_NOTHING)) {

             ret = 2;

             goto done;

@@ -284,7 +302,6 @@ void help(void)

 void* onas_cleanup(struct onas_context *ctx) {

 	onas_context_cleanup(ctx);

-	cl_cleanup_crypto();

 	logg_close();

 }

@@ -62,6 +62,9 @@ static int onas_fan_fd;

 static void onas_fan_exit(int sig)

 {

 	logg("*ClamFanotif: onas_fan_exit(), signal %d\n", sig);

+        if (sig == 11) {

+            logg("!Clamonacc: clamonacc has experienced a fatal error, if you continue to see this error, please run clamonacc with --debug and report the issue and crash report to the developpers\n");

+        }

 	if(onas_fan_fd) {

 		close(onas_fan_fd);

@@ -88,80 +91,72 @@ static void onas_fan_exit(int sig)

 cl_error_t onas_setup_fanotif(struct onas_context **ctx) {

-    const struct optstruct *pt;

-    short int scan;

-    unsigned int sizelimit = 0, extinfo;

+	const struct optstruct *pt;

+	short int scan;

+	unsigned int sizelimit = 0, extinfo;

 	uint64_t fan_mask = FAN_EVENT_ON_CHILD;

-    char err[128];

-

-    pthread_attr_t ddd_attr;

-    struct ddd_thrarg *ddd_tharg = NULL;

-    ddd_pid = 0;

-

-    /* Initialize fanotify */

-    onas_fan_fd = fanotify_init(FAN_CLASS_CONTENT | FAN_UNLIMITED_QUEUE | FAN_UNLIMITED_MARKS, O_LARGEFILE | O_RDONLY);

-    if (onas_fan_fd < 0) {

-		logg("!ClamFanotif: fanotify_init failed: %s\n", cli_strerror(errno, err, sizeof(err)));

-        if (errno == EPERM)

-			logg("!ClamFanotif: clamonacc must have elevated permissions ... exiting ...\n");

-		return CL_EOPEN;

-    }

+	pthread_attr_t ddd_attr;

+	struct ddd_thrarg *ddd_tharg = NULL;

+	ddd_pid = 0;

 	if (!ctx || !*ctx) {

 		logg("!ClamFanotif: unable to start clamonacc. (bad context)\n");

 		return CL_EARG;

-    }

+	}

-	(*ctx)->fan_fd = onas_fan_fd;

+        onas_fan_fd = (*ctx)->fan_fd;

 	(*ctx)->fan_mask = fan_mask;

 	if (optget((*ctx)->clamdopts, "OnAccessPrevention")->enabled && !optget((*ctx)->clamdopts, "OnAccessMountPath")->enabled) {

 		logg("*ClamFanotif: kernel-level blocking feature enabled ... preventing malicious files access attempts\n");

 		(*ctx)->fan_mask |= FAN_ACCESS_PERM | FAN_OPEN_PERM;

-    } else {

+	} else {

 		logg("*ClamFanotif: kernel-level blocking feature disabled ...\n");

 		if (optget((*ctx)->clamdopts, "OnAccessPrevention")->enabled && optget((*ctx)->clamdopts, "OnAccessMountPath")->enabled) {

 			logg("*ClamFanotif: feature not available when watching mounts ... \n");

 		}

 		(*ctx)->fan_mask |= FAN_ACCESS | FAN_OPEN;

-    }

+	}

 	if ((pt = optget((*ctx)->clamdopts, "OnAccessMountPath"))->enabled) {

-        while (pt) {

+		while (pt) {

 			if(fanotify_mark(onas_fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT, (*ctx)->fan_mask, (*ctx)->fan_fd, pt->strarg) != 0) {

 				logg("!ClamFanotif: can't include mountpoint '%s'\n", pt->strarg);

 				return CL_EARG;

-            } else

+			} else {

 				logg("*ClamFanotif: recursively watching the mount point '%s'\n", pt->strarg);

-            pt = (struct optstruct *)pt->nextarg;

-        }

+			}

+			pt = (struct optstruct *)pt->nextarg;

+		}

 	} else if (!optget((*ctx)->clamdopts, "OnAccessDisableDDD")->enabled) {

 		(*ctx)->ddd_enabled = 1;

-    } else {

+	} else {

 		if((pt = optget((*ctx)->clamdopts, "OnAccessIncludePath"))->enabled) {

-            while (pt) {

+			while (pt) {

 				if(fanotify_mark(onas_fan_fd, FAN_MARK_ADD, (*ctx)->fan_mask, (*ctx)->fan_fd, pt->strarg) != 0) {

 					logg("!ClamFanotif: can't include path '%s'\n", pt->strarg);

 					return CL_EARG;

-                } else

+				} else {

 					logg("*ClamFanotif: watching directory '%s' (non-recursively)\n", pt->strarg);

-                pt = (struct optstruct *)pt->nextarg;

-            }

-        } else {

+				}

+				pt = (struct optstruct *)pt->nextarg;

+			}

+		} else {

 			logg("!ClamFanotif: please specify at least one path with OnAccessIncludePath\n");

 			return CL_EARG;

-        }

-    }

+		}

+	}

-    /* Load other options. */

+	/* Load other options. */

 	(*ctx)->sizelimit = optget((*ctx)->clamdopts, "OnAccessMaxFileSize")->numarg;

-	if((*ctx)->sizelimit)

+	if((*ctx)->sizelimit) {

 		logg("*ClamFanotif: max file size limited to %lu bytes\n", (*ctx)->sizelimit);

-    else

+	} else {

 		logg("*ClamFanotif: file size limit disabled\n");

+	}

 	extinfo = optget((*ctx)->clamdopts, "ExtendedDetectionInfo")->enabled;

@@ -38,9 +38,12 @@

 #include "../../clamd/scanner.h"

 #include "../clamonacc.h"

 #include "../client/onaccess_client.h"

+#include "../scan/onaccess_scque.h"

 #if defined(FANOTIFY)

+extern pthread_cond_t onas_scque_empty_cond;

+

 int onas_fan_checkowner(int pid, const struct optstruct *opts)

 {

     struct passwd *pwd;

@@ -49,6 +52,7 @@ int onas_fan_checkowner(int pid, const struct optstruct *opts)

     const struct optstruct *opt      = NULL;

     const struct optstruct *opt_root = NULL;

     const struct optstruct *opt_uname = NULL;

+    int retry = 0;

     /* always ignore ourselves */

     if (pid == (int)getpid()) {

@@ -79,9 +83,45 @@ int onas_fan_checkowner(int pid, const struct optstruct *opts)

         if (opt_uname->enabled) {

             while (opt_uname)

             {

+                errno = 0;

                 pwd = getpwuid(sb.st_uid);

-                if (!strncmp(opt_uname->strarg, pwd->pw_name, strlen(opt_uname->strarg)))

-                    return CHK_FOUND;

+		if (NULL == pwd) {

+			if (errno) {

+				logg("*ClamMisc: internal error (failed to exclude event) ... %s\n", strerror(errno));

+				switch (errno) {

+					case EIO:

+						logg("*ClamMisc: system i/o failed while retrieving username information (excluding for safety)\n");

+						return CHK_FOUND;

+						break;

+					case EINTR:

+						logg("*ClamMisc: caught signal while retrieving username information from system (excluding for safety)\n");

+						return CHK_FOUND;

+						break;

+					case EMFILE:

+					case ENFILE:

+						if (0 == retry) {

+							logg("*ClamMisc: waiting for consumer thread to catch up then retrying ...\n");

+							sleep(3);

+							retry = 1;

+							continue;

+						} else {

+							logg("*ClamMisc: fds have been exhausted ... attempting to force the consumer thread to catch up ... (excluding for safety)\n");

+							pthread_cond_signal(&onas_scque_empty_cond);

+							sleep(3);

+							return CHK_FOUND;

+						}

+					case ERANGE:

+					default:

+						logg("*ClamMisc: unknown error occurred (excluding for safety)\n");

+						return CHK_FOUND;

+						break;

+				}

+			}

+		} else {

+			if (!strncmp(opt_uname->strarg, pwd->pw_name, strlen(opt_uname->strarg))) {

+				return CHK_FOUND;

+			}

+		}

                 opt_uname = opt_uname->nextarg;

             }

         }

@@ -52,7 +52,7 @@ static void onas_destroy_event_queue_node(struct onas_event_queue_node *node);

 static pthread_mutex_t onas_queue_lock = PTHREAD_MUTEX_INITIALIZER;

 static pthread_mutex_t onas_scque_loop = PTHREAD_MUTEX_INITIALIZER;

-static pthread_cond_t onas_scque_empty_cond = PTHREAD_COND_INITIALIZER;

+pthread_cond_t onas_scque_empty_cond = PTHREAD_COND_INITIALIZER;

 extern pthread_t scque_pid;

 static threadpool g_thpool;