Mailing List Archive

fanotify based on-access scanning doesn't work as expected
Hello,

I have recently made some experiments with on-access scanning with
clamd, using clamav 0.98.3 from Fedora 19.

The documentation of the "OnAccessIncludePath" option says "Set the
include paths (all files inside them will be scanned)".

The clamd code calls fanotify_mark() with
fan_mask=(FAN_ACCESS|FAN_EVENT_ON_CHILD). This means that clamd will
only receive events for *immediate* children of a directory listed as
"OnAccessIncludePath" (see fanotify_mark(2)).

Is that really meant by "all files inside them will be scanned"? My
expectation would have been that by specifying "/home" as
OnAccessIncludePath, all user's home directories would be scanned
(rather than just regular files directly under /home, which is probably
an empty set).

Why doesn't clamd use FAN_MARK_MOUNT instead?

Regards
Martin

PS: I'd also be curious to understand why FAN_ACCESS (notification on
read) is used by clamd. For the common case of files that are read more
often than written, this would result in some files being re-scanned over
and over again. Why not scan files as they are written, at least for a
host's local, non-removable file systems?

--
Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering

FUJITSU
Fujitsu Technology Solutions GmbH
Heinz-Nixdorf-Ring 1
33106 Paderborn, Germany
Phone: ++49 5251 525 2796
Fax: ++49 5251 525 2820
Email: martin.wilck@ts.fujitsu.com
Internet: http://ts.fujitsu.com
Company Details: http://ts.fujitsu.com/imprint
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: fanotify based on-access scanning doesn't work as expected
Martin,

You are correct. I've opened ticket 11049 on bugzilla.clamav.net to track
the issues.

Thanks,
Steve


On Mon, Jun 30, 2014 at 12:10 PM, Martin Wilck <martin.wilck@ts.fujitsu.com>
wrote:

> Hello,
>
> I have recently made some experiments with on-access scanning with
> clamd, using clamav 0.98.3 from Fedora 19.
>
> The documentation of the "OnAccessIncludePath" option says "Set the
> include paths (all files inside them will be scanned)".
>
> The clamd code calls fanotify_mark() with
> fan_mask=(FAN_ACCESS|FAN_EVENT_ON_CHILD). This means that clamd will
> only receive events for *immediate* children of a directory listed as
> "OnAccessIncludePath" (see fanotify_mark(2)).
>
> Is that really meant by "all files inside them will be scanned"? My
> expectation would have been that by specifying "/home" as
> OnAccessIncludePath, all user's home directories would be scanned
> (rather than just regular files directly under /home, which is probably
> an empty set).
>
> Why doesn't clamd use FAN_MARK_MOUNT instead?
>
> Regards
> Martin
>
> PS: I'd also be curious to understand why FAN_ACCESS (notification on
> read) is used by clamd. For the common case of files that are read more
> often than written, this would result in some files being re-scanned over
> and over again. Why not scan files as they are written, at least for a
> host's local, non-removable file systems?
>