fanotify: consolidating prevention options into a single NotifyOnly o…

…ption.
Cisco-Talos · Sep 14, 2015 · f408e5b · f408e5b
1 parent 2217edf
commit f408e5b
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 29 deletions.
diff --git a/clamd/onaccess_fan.c b/clamd/onaccess_fan.c
@@ -106,7 +106,7 @@ void *onas_fan_th(void *arg)
 	short int scan;
 	int sizelimit = 0, extinfo;
 	STATBUF sb;
-        uint64_t fan_mask = FAN_ACCESS_PERM | FAN_OPEN_PERM | FAN_EVENT_ON_CHILD;
+        uint64_t fan_mask = FAN_EVENT_ON_CHILD;
         fd_set rfds;
 	char buf[4096];
 	ssize_t bread;
@@ -145,26 +145,17 @@ void *onas_fan_th(void *arg)
 	return NULL;
     }
 
-    if (optget(tharg->opts, "OnAccessPreventRead")->enabled) {
-	    logg("ScanOnAccess: preventing read attempts on malicious files.\n");
-	    fan_mask |= FAN_ACCESS_PERM;
+    if (!optget(tharg->opts, "OnAccessNotifyOnly")->enabled && !optget(tharg->opts, "OnAccessMountPath")->enabled) {
+	    logg("ScanOnAccess: preventing access attempts on malicious files.\n");
+	    fan_mask |= FAN_ACCESS_PERM | FAN_OPEN_PERM;
     } else {
-	    logg("ScanOnAccess: notifying for read attempts.\n");
-	    fan_mask |= FAN_ACCESS;
-    }
-
-    if (optget(tharg->opts, "OnAccessPreventOpen")->enabled) {
-	    logg("ScanOnAccess: preventing open attempts on malicious files.\n");
-	    fan_mask |= FAN_OPEN_PERM; 
-    } else {
-	    logg("ScanOnAccess: notifying for open attempts.\n");
-	    fan_mask |= FAN_OPEN; 
+	    logg("ScanOnAccess: notifying only for access attempts.\n");
+	    fan_mask |= FAN_ACCESS | FAN_OPEN;
     }
 
     if ((pt = optget(tharg->opts, "OnAccessMountPath"))->enabled) {
 	    while(pt) {
-		    if(fanotify_mark(onas_fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
-					    FAN_OPEN | FAN_ACCESS | FAN_EVENT_ON_CHILD, onas_fan_fd, pt->strarg) != 0) {
+		    if(fanotify_mark(onas_fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT, fan_mask, onas_fan_fd, pt->strarg) != 0) {
 			    logg("!ScanOnAccess: Can't include mountpoint '%s'\n", pt->strarg);
 			    return NULL;
 		    } else

diff --git a/etc/clamd.conf.sample b/etc/clamd.conf.sample
@@ -592,17 +592,12 @@ Example
 # Default: no
 #OnAccessDisableDDD yes
 
-# Modifies fanotify blocking behaviour when handling read permission events.
-# If turned on, fanotify will prevent any read attempt if the file is a virus.
+# Modifies fanotify blocking behaviour when handling permission events.
+# If turned on, fanotify will only notify if the file scanned is a virus,
+# and not perform any blocking.
 # (On-access scan only)
-# Default: yes
-#OnAccessPreventRead no
-
-# Modifies fanotify blocking behaviour when handling open permission events.
-# If turned on, fanotify will prevent any open attempt if the file is a virus.
-# (On-access scan only)
-# Default: yes
-#OnAccessPreventOpen no
+# Default: no
+#OnAccessNotifyOnly yes
 
 ##
 ## Bytecode

diff --git a/shared/optparser.c b/shared/optparser.c
@@ -404,9 +404,7 @@ const struct clam_option __clam_options[] = {
 
     { "OnAccessDisableDDD", "disable-ddd", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "This option toggles the dynamic directory determination system for on-access scanning (Linux only).", "no" },
 
-    { "OnAccessPreventRead", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD, "This option specifies is fanotify will prevent read attempts on malicious files (Linux only)", "yes" },
-
-    { "OnAccessPreventOpen", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD, "This option specifies if fanotify will prevent open attempts for malicious files (Linux only)", "yes" },
+    { "OnAccessNotifyOnly", "notify-only", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "This option changes fanotify behavior to not prevent access attempts on malicious files and simply notify the user instead (On Access scan only).", "no" },
 
     /* FIXME: mark these as private and don't output into clamd.conf/man */
     { "DevACOnly", "dev-ac-only", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, FLAG_HIDDEN, OPT_CLAMD | OPT_CLAMSCAN, "", "" },