clamd: add new option ClamukoExcludeUID (bb#2260)

ChangeLog

@@ -1,3 +1,8 @@
+Mon Feb 28 21:46:50 CET 2011 (tk)
+---------------------------------
+ * clamd: add new option ClamukoExcludeUID (bb#2260)
+	  Based on idea from alfred*bokxing.nl
+
 Fri Feb 25 14:49:04 CET 2011 (tk)
 ---------------------------------
  * libclamav/elf.c: fix incorrect detection of Broken.Executable (bb#2580)

clamd/clamuko.c

@@ -185,6 +185,11 @@ static void *clamukolegacyth(void *arg)
 		}
 	    }
 
+	    if(clamuko_checkowner(acc->pid, tharg->opts)) {
+		scan = 0;
+		logg("*Clamuko: %s skipped (excluded UID)\n", acc->filename);
+	    }
+
 	    context.filename = acc->filename;
 	    context.virsize = 0;
 	    if(scan && cl_scanfile_callback(acc->filename, &virname, NULL, tharg->engine, tharg->options, &context) == CL_VIRUS) {

clamd/clamukofs.c

@@ -153,6 +153,12 @@ static void *clamuko_scanth(void *arg)
 	    }
 	}
 
+	if(clamuko_checkowner(acc.pid, tharg->opts)) {
+	    dazukofs_get_filename(&acc, filename, sizeof(filename));
+	    logg("*Clamuko: %s skipped (excluded UID)\n", filename);
+	    skip_scan = 1;
+	}
+
 	context.filename = NULL;
 	context.virsize = 0;
 	if(skip_scan) {

clamd/others.c

@@ -722,3 +722,25 @@ void detstats_print(int desc, char term)
 	mdprintf(desc, "%u:%s:%u:%s:%s%c", detstats_data[i].time, detstats_data[i].md5, detstats_data[i].fsize, detstats_data[i].virname, detstats_data[i].fname, term);
     pthread_mutex_unlock(&detstats_lock);
 }
+
+#ifdef CLAMUKO
+int clamuko_checkowner(int pid, const struct optstruct *opts)
+{
+	char path[32];
+	struct stat sb;
+	const struct optstruct *opt;
+
+    if(!(opt = optget(opts, "ClamukoExcludeUID"))->enabled)
+	return 0;
+
+    snprintf(path, sizeof(path), "/proc/%u", pid);
+    if(stat(path, &sb) == 0) {
+	while(opt) {
+	    if(opt->numarg == (long long) sb.st_uid)
+		return 1;
+	    opt = opt->nextarg;
+	}
+    }
+    return 0;
+}
+#endif

clamd/others.h

@@ -86,4 +86,8 @@ void detstats_clear(void);
 void detstats_add(const char *virname, const char *fname, unsigned int fsize, const char *md5);
 void detstats_print(int desc, char term);
 
+#ifdef CLAMUKO
+int clamuko_checkowner(int pid, const struct optstruct *opts);
+#endif
+
 #endif

docs/man/clamd.conf.5.in

@@ -466,6 +466,10 @@ Default: no
 Set the exclude paths. All subdirectories will also be excluded.
 .br 
 Default: no
+\fBClamukoExcludeUID NUMBER\fR
+With this option you can whitelist specific UIDs. Processes with these UIDs will be able to access all files. This option can be used multiple times (one per line).
+.br 
+Default: no
 .TP 
 \fBClamukoMaxFileSize SIZE\fR
 Ignore files larger than SIZE.

etc/clamd.conf

@@ -458,6 +458,12 @@ Example
 # Default: disabled
 #ClamukoExcludePath /home/bofh
 
+# With this option you can whitelist specific UIDs. Processes with these UIDs
+# will be able to access all files.
+# This option can be used multiple times (one per line).
+# Default: disabled
+#ClamukoExcludeUID 0
+
 # With this option enabled ClamAV will load bytecode from the database. 
 # It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
 # Default: yes

shared/optparser.c

@@ -339,6 +339,8 @@ const struct clam_option __clam_options[] = {
 
     { "ClamukoExcludePath", NULL, 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows excluding directories from on-access scanning. It can\nbe used multiple times.", "/home/bofh\n/root" },
 
+    { "ClamukoExcludeUID", NULL, 0, TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can whitelist specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line).", "0" },
+
     { "ClamukoMaxFileSize", NULL, 0, TYPE_SIZE, MATCH_SIZE, 5242880, NULL, 0, OPT_CLAMD, "Files larger than this value will not be scanned.", "5M" },
 
     /* FIXME: mark these as private and don't output into clamd.conf/man */