fanotify: adding clamd configuration toggle options to prevent read and access attempts

clamd/onaccess_fan.c

@@ -84,7 +84,14 @@ static int onas_fan_scanfile(int fan_fd, const char *fname, struct fanotify_even
 	else
 	    logg("ScanOnAccess: %s: %s FOUND\n", fname, virname);
 	virusaction(fname, virname, tharg->opts);
-	res.response = FAN_DENY;
+
+	if(!optget(tharg->opts, "OnAccessPreventRead")->enabled && fmd->mask & FAN_ACCESS_PERM) {
+		res.response = FAN_ALLOW;
+	} else if(!optget(tharg->opts, "OnAccessPreventOpen")->enabled && fmd->mask & FAN_OPEN_PERM) {
+		res.response = FAN_ALLOW;
+	} else {
+		res.response = FAN_DENY;
+	}
     }
 
     if(fmd->mask & FAN_ALL_PERM_EVENTS) {
@@ -144,6 +151,22 @@ void *onas_fan_th(void *arg)
 	return NULL;
     }
 
+    if (optget(tharg->opts, "OnAccessPreventRead")->enabled) {
+	    logg("ScanOnAccess: preventing read attempts on malicious files.\n");
+	    fan_mask |= FAN_ACCESS_PERM;
+    } else {
+	    logg("ScanOnAccess: notifying for read attempts.\n");
+	    fan_mask |= FAN_ACCESS;
+    }
+
+    if (optget(tharg->opts, "OnAccessPreventOpen")->enabled) {
+	    logg("ScanOnAccess: preventing open attempts on malicious files.\n");
+	    fan_mask |= FAN_OPEN_PERM; 
+    } else {
+	    logg("ScanOnAccess: notifying for open attempts.\n");
+	    fan_mask |= FAN_OPEN; 
+    }
+
     if (!optget(tharg->opts, "OnAccessDisableDDD")->enabled) {
 	    do {
 		    if(pthread_attr_init(&ddd_attr)) break;

etc/clamd.conf.sample

@@ -584,6 +584,17 @@ Example
 # Default: no
 #OnAccessDisableDDD yes
 
+# Modifies fanotify blocking behaviour when handling read permission events.
+# If turned on, fanotify will prevent any read attempt if the file is a virus.
+# (On-access scan only)
+# Default: yes
+#OnAccessPreventRead no
+
+# Modifies fanotify blocking behaviour when handling open permission events.
+# If turned on, fanotify will prevent any open attempt if the file is a virus.
+# (On-access scan only)
+# Default: yes
+#OnAccessPreventOpen no
 
 ##
 ## Bytecode

shared/optparser.c

@@ -394,7 +394,7 @@ const struct clam_option __clam_options[] = {
 
     { "OnAccessIncludePath", "on-access-include", 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option specifies a directory (including all files and directories\ninside it), which should be scanned on access. This option can\nbe used multiple times.", "/home\n/students" },
 
-    { "OnAccessExcludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows excluding directories from on-access scanning. It can\nbe used multiple times.", "/home/bofh\n/root" },
+    { "OnAccessExcludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows excluding directories from on-access scanning. It can\nbe used multiple times. Only works with DDD system.", "/home/bofh\n/root" },
 
     { "OnAccessExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can whitelist specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line).", "0" },
 
@@ -402,6 +402,10 @@ const struct clam_option __clam_options[] = {
 
     { "OnAccessDisableDDD", "disable-ddd", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "This option toggles the dynamic directory determination system for on-access scanning (Linux only)", "no" },
 
+    { "OnAccessPreventRead", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD, "This option specifies is fanotify will prevent read attempts on malicious files (Linux only)", "yes" },
+
+    { "OnAccessPreventOpen", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD, "This option specifies if fanotify will prevent open attempts for malicious files (Linux only)", "yes" },
+
     /* FIXME: mark these as private and don't output into clamd.conf/man */
     { "DevACOnly", "dev-ac-only", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, FLAG_HIDDEN, OPT_CLAMD | OPT_CLAMSCAN, "", "" },