This patch adds the "ClamukoBlockAccess" config directive to clamd.conf.
When this directive is set to "yes" (which is the default), Clamuko will
instruct Dazuko to block access to an infected file. (This is the current
behaviour.) If the directive is set to "no", then Dazuko will
be told not to block read access. The infection is still logged, but the
user can keep accessing the file. It turns Clamuko from a "full stop"
into a "warning sign".
Rationale: we found the blocking to be inconvenient to end users when a
file is a known "false positive". We also want to handle infections
without confounding the end user too much, such as with a script that
monitors the logs and mails the administrator when something is amiss.
Not blocking access to a file also makes it possible to move it to a different
partition for quarantining.
Possible objections against this patch: this hampers security and
prevention of harm; the name of the option is ambiguous since "block"
can also refer to a block device (feel free to change); and there are
other and possibly better ways to do the same thing, like clamfs or an
inotify-based solution. Comments and changes are welcome.
With kind regards,
--Alfred Klomp
--
Bokxing IT
Elektronicaweg 14a
2628 XG Delft
T: 088-00 164 00
F: 015-25 609 77
supp...@bokxing.nl
www.bokxing.nl
KvK: 27194486
diff -ruN ../clamav-0.96.1-orig/clamd/clamuko.c ./clamd/clamuko.c
--- ../clamav-0.96.1-orig/clamd/clamuko.c 2010-04-25 23:57:21.000000000
+0200
+++ ./clamd/clamuko.c 2010-08-09 11:27:55.000000000 +0200
@@ -73,6 +73,7 @@
unsigned long mask = 0;
const struct optstruct *pt;
short int scan;
+ int block_access;
int sizelimit = 0;
struct stat sb;
@@ -130,6 +131,12 @@
return NULL;
}
+ block_access = (optget(tharg->opts, "ClamukoBlockAccess")->numarg);
+ if(block_access)
+ logg("Clamuko: Blocking read access to infected files.\n");
+ else
+ logg("Clamuko: Not blocking read access to infected files.\n");
+
if((pt = optget(tharg->opts, "ClamukoIncludePath"))->enabled) {
while(pt) {
if((dazukoAddIncludePath(pt->strarg))) {
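Review bot: The two added `logg` calls describe the setting as "read access", but the value they announce is later used as the deny flag for whichever event Dazuko intercepted, and with ClamukoScanOnExec or ClamukoScanOnClose enabled (both appear in the sample clamd.conf hunk) that presumably also covers execute and close events, so "read" understates the effect. Suggest `logg("Clamuko: Blocking access to infected files.\n");` and `logg("Clamuko: Not blocking access to infected files (detections are only logged).\n");`, and the same wording in the clamukofs.c hunk, the man page, the clamd.conf comment and the optparser.c help string, which all say "read access". If this file reads its other boolean directives through `->enabled` rather than `->numarg`, using the same accessor for ClamukoBlockAccess would keep the code consistent; for a TYPE_BOOL option the two should carry the same value. The enclosing function starts before this hunk.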
@@ -183,7 +190,7 @@
if(scan && cl_scanfile(acc->filename, &virname, NULL,
tharg->engine, tharg->options) == CL_VIRUS) {
logg("Clamuko: %s: %s FOUND\n", acc->filename, virname);
virusaction(acc->filename, virname, tharg->opts);
- acc->deny = 1;
+ acc->deny = (block_access) ? 1 : 0;
} else
acc->deny = 0;
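Review bot: When block_access is 0 the log still shows only the `FOUND` line, so an administrator reading it cannot tell whether the infected file was withheld or handed to the requesting process — and in the non-blocking mode this patch introduces, the log is the only control left, so that distinction is exactly what a log-monitoring script needs. Suggest recording the decision explicitly, e.g. `if(!block_access) logg("Clamuko: %s: access permitted (ClamukoBlockAccess disabled)\n", acc->filename);` before the assignment, and the same at the `acc.deny` assignment in the clamukofs.c hunk. As a point of style, `acc->deny = (block_access) ? 1 : 0;` can be written `acc->deny = block_access != 0;` since deny is a plain flag. The enclosing loop body continues outside the hunk.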
diff -ruN ../clamav-0.96.1-orig/clamd/clamukofs.c ./clamd/clamukofs.c
--- ../clamav-0.96.1-orig/clamd/clamukofs.c 2010-05-07 20:08:04.000000000
+0200
+++ ./clamd/clamukofs.c 2010-08-09 11:29:33.000000000 +0200
@@ -88,6 +88,7 @@
struct dazukofs_access acc;
const char *groupname = "ClamAV";
int skip_scan = 0;
+ int block_access;
const char *virname;
char filename[4096];
@@ -124,6 +125,12 @@
if(optget(tharg->opts, "ClamukoExcludePath")->enabled)
logg("!Clamuko: ClamukoExcludePath ignored when using DazukoFS.\n");
+ block_access = (optget(tharg->opts, "ClamukoBlockAccess")->numarg);
+ if(block_access)
+ logg("Clamuko: Blocking read access to infected files.\n");
+ else
+ logg("Clamuko: Not blocking read access to infected files.\n");
+
sizelimit = optget(tharg->opts, "ClamukoMaxFileSize")->numarg;
if(sizelimit)
logg("Clamuko: Max file size limited to %u bytes.\n", sizelimit);
@@ -158,7 +165,7 @@
logg("Clamuko: %s: %s FOUND\n", filename, virname);
/* we can not perform any special action because it will
* trigger DazukoFS recursively */
- acc.deny = 1;
+ acc.deny = (block_access) ? 1 : 0;
} else {
acc.deny = 0;
}
diff -ruN ../clamav-0.96.1-orig/docs/man/clamd.conf.5.in
./docs/man/clamd.conf.5.in
--- ../clamav-0.96.1-orig/docs/man/clamd.conf.5.in 2010-05-07
20:08:04.000000000 +0200
+++ ./docs/man/clamd.conf.5.in 2010-08-09 11:18:32.000000000 +0200
@@ -442,6 +442,11 @@
.br
Default: no
.TP
+\fBClamukoBlockAccess BOOL\fR
+Disallow access to infected files. Setting this option to "yes" will block
read access to an infected file's contents. Set to "no" if you just want to log
any infections.
+.br
+Default: yes
+.TP
\fBClamukoIncludePath STRING\fR
Set the include paths (all files and directories inside them will be scanned).
You can have multiple ClamukoIncludePath directives but each directory must be
added in a separate line).
.br
diff -ruN ../clamav-0.96.1-orig/etc/clamd.conf ./etc/clamd.conf
--- ../clamav-0.96.1-orig/etc/clamd.conf 2010-04-27 16:37:30.000000000
+0200
+++ ./etc/clamd.conf 2010-08-09 11:06:19.000000000 +0200
@@ -438,6 +438,9 @@
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes
+# Make Dazuko block file access when a virus is found (otherwise the event is
just logged):
+#ClamukoBlockAccess yes
+
# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line. (Dazuko only)
diff -ruN ../clamav-0.96.1-orig/shared/optparser.c ./shared/optparser.c
--- ../clamav-0.96.1-orig/shared/optparser.c 2010-05-11 22:45:30.000000000
+0200
+++ ./shared/optparser.c 2010-08-09 11:19:11.000000000 +0200
@@ -318,6 +318,8 @@
{ "ClamukoScanOnExec", NULL, 0, TYPE_BOOL, MATCH_BOOL, -1, NULL, 0,
OPT_CLAMD, "Scan files when they get executed by the system.", "yes" },
+ { "ClamukoBlockAccess", NULL, 0, TYPE_BOOL, MATCH_BOOL, -1, NULL, 0,
OPT_CLAMD, "Disallow read access to infected files.", "yes" },
+
{ "ClamukoIncludePath", NULL, 0, TYPE_STRING, NULL, -1, NULL,
FLAG_MULTIPLE, OPT_CLAMD, "This option specifies a directory (together will all
files and directories\ninside this directory) which should be scanned
on-access. This option can\nbe used multiple times.", "/home\n/students" },
{ "ClamukoExcludePath", NULL, 0, TYPE_STRING, NULL, -1, NULL,
FLAG_MULTIPLE, OPT_CLAMD, "This option allows excluding directories from
on-access scanning. It can\nbe used multiple times.", "/home/bofh\n/root" },
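Review bot: The lone `+` line after the new ClamukoBlockAccess entry inserts an empty line into the options table, which the neighbouring entries (ClamukoScanOnExec, ClamukoIncludePath) do not have; drop it so the table stays contiguous. The entry itself mirrors the ClamukoScanOnExec row (TYPE_BOOL, MATCH_BOOL, OPT_CLAMD, default "yes"), which is consistent with how the directive is read in clamuko.c and clamukofs.c.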