Mailing List Archive

[clamav-users] Could not watch path /var/lib/docker/overlay2 error
Hello,

I’m trying to implement on-access scanning for docker containers using overlayfs by running ClamAV outside of a container. I’m using Amazon Linux 2, which is currently at 0.101.4.

If I set "OnAccessMountPath /" an EICAR test file downloaded and read via a container isn’t detected. If I read the file created within the container from outside the container, it is detected.

If I set "OnAccessIncludePath /var/lib/docker/overlay2" I get:

Tue Oct 8 15:22:12 2019 -> ScanOnAccess: Protecting directory '/var/lib/docker/overlay2' (and all sub-directories)
Tue Oct 8 15:22:12 2019 -> ERROR: ScanOnAccess: Could not watch path '/var/lib/docker/overlay2', Success

I also tried "OnAccessIncludePath /var/lib/docker/overlay2/<uuid>/merged", which isn’t practical because the uuid is generated when the container starts, but it does work.

I see that 0.102.0 has significant changes to on-access scanning, so I’m trying to test that, but the configure script isn’t detecting fanotify support. I have kernel-devel and glibc-headers installed. I’ve also confirmed fanotify support with "cat /boot/config-<kernel_version> | grep FANOTIFY".

I get an error from the configure script:

./configure: line 30024: auto=yes: command not found

Here’s the full configure output: https://pastebin.com/0xYqhr2V

This was my attempt to fix it, but it didn’t work: https://pastebin.com/k2kCrmHP

Thanks,
Arthur
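One way to derive the per-container "OnAccessIncludePath" entries from the host's mount table instead of guessing the container ID, as an added example that is not part of the original post or of ClamAV: it parses the /proc/self/mountinfo format (mount point in field 5, filesystem type after the " - " separator, whitespace in paths escaped as \ooo octal), keeps only overlay mounts whose mount point is a .../merged directory under /var/lib/docker/overlay2, and prints clamd.conf directives. The sample mount table is constructed and the container IDs in it are made up; the function and option names are this example's own. It reads the mount namespace of the process that runs it, so it has to run on the host, in the same mount namespace as clamd.

```python
"""Emit clamd.conf OnAccessIncludePath lines for every running container's
overlay2 'merged' directory, found via the mount table instead of a guessed ID.
Added example, not ClamAV code. The sample mount table below is constructed."""
import re
from typing import Iterable, List, NamedTuple


class Mount(NamedTuple):
    mount_point: str
    fstype: str
    source: str
    super_opts: str


_OCTAL_ESCAPE = re.compile(r'\\([0-7]{3})')


def unescape(field: str) -> str:
    """mountinfo escapes space, tab, newline and backslash in paths as \\ooo."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(lines: Iterable[str]) -> List[Mount]:
    """Parse /proc/self/mountinfo lines (layout per proc(5)):
    'ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional...] - FSTYPE SOURCE SUPEROPTS'.
    The number of optional fields varies, so split on the ' - ' separator first."""
    mounts = []
    for line in lines:
        line = line.rstrip('\n')
        if not line:
            continue
        pre, sep, post = line.partition(' - ')
        if not sep:
            continue  # malformed line: skip it rather than guess at its fields
        pre_fields = pre.split(' ')
        post_fields = post.split(' ', 2)
        if len(pre_fields) < 6 or len(post_fields) < 2:
            continue
        mounts.append(Mount(
            mount_point=unescape(pre_fields[4]),
            fstype=post_fields[0],
            source=unescape(post_fields[1]),
            super_opts=post_fields[2] if len(post_fields) > 2 else '',
        ))
    return mounts


def overlay_merged_dirs(mounts: Iterable[Mount],
                        docker_root: str = '/var/lib/docker/overlay2') -> List[str]:
    """Mount points of overlay filesystems of the form <docker_root>/<id>/merged.
    Paths are normalised (no trailing slash) so the directive names the directory
    exactly as the kernel reports the mount point."""
    root = docker_root.rstrip('/') + '/'
    found = set()
    for m in mounts:
        if m.fstype != 'overlay':
            continue  # a tmpfs or bind mount under the same prefix is not a container rootfs
        mp = m.mount_point.rstrip('/')
        if mp.startswith(root) and mp.endswith('/merged'):
            found.add(mp)
    return sorted(found)


def include_path_directives(mounts: Iterable[Mount],
                            docker_root: str = '/var/lib/docker/overlay2') -> List[str]:
    return ['OnAccessIncludePath %s' % d for d in overlay_merged_dirs(mounts, docker_root)]


# Constructed sample: the root fs, two running containers (made-up IDs), a mount
# point containing a space, and a tmpfs that merely sits under the overlay2 prefix.
SAMPLE_MOUNTINFO = """\
22 1 202:1 / / rw,relatime shared:1 - xfs /dev/xvda1 rw,attr2,inode64,noquota
540 22 0:53 / /var/lib/docker/overlay2/c0ffee00aaaa1111bbbb2222cccc3333/merged rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/AAAA:/var/lib/docker/overlay2/l/BBBB,upperdir=/var/lib/docker/overlay2/c0ffee00aaaa1111bbbb2222cccc3333/diff,workdir=/var/lib/docker/overlay2/c0ffee00aaaa1111bbbb2222cccc3333/work
541 22 0:54 / /var/lib/docker/overlay2/deadbeef4444555566667777888899aa/merged rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/CCCC,upperdir=/var/lib/docker/overlay2/deadbeef4444555566667777888899aa/diff,workdir=/var/lib/docker/overlay2/deadbeef4444555566667777888899aa/work
560 22 202:16 / /mnt/my\\040data rw,relatime - ext4 /dev/xvdb rw
570 22 0:60 / /var/lib/docker/overlay2/scratch/merged rw,nosuid - tmpfs tmpfs rw
"""


def load_live_mounts(path: str = '/proc/self/mountinfo') -> List[Mount]:
    """Read the real mount table of this process's mount namespace."""
    with open(path) as fh:
        return parse_mountinfo(fh)


if __name__ == '__main__':
    # Swap SAMPLE_MOUNTINFO for load_live_mounts() to generate directives on a real host.
    for directive in include_path_directives(parse_mountinfo(SAMPLE_MOUNTINFO.splitlines())):
        print(directive)
```

The filter on fstype matters: anything else mounted under /var/lib/docker/overlay2 (the tmpfs line in the sample) must not become a watched path, and the exact, slash-normalised match is what an OnAccessIncludePath directive needs, since a path that differs from the mount point string by a trailing slash or a symlinked component names a different thing to the kernel. Because the list changes every time a container starts or stops, the output is only useful if regenerated and clamd's on-access configuration reloaded whenever the set of running containers changes.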
Re: [clamav-users] Could not watch path /var/lib/docker/overlay2 error
Your bug was already reported by me. See this
bug: https://bugzilla.clamav.net/show_bug.cgi?id=12306 (and it
contains a workaround too)

Franky

On Wednesday, 09-10-2019 at 17:32, Arthur Ramsey via clamav-users wrote the message quoted at the top of this thread.
Re: [clamav-users] Could not watch path /var/lib/docker/overlay2 error
Thanks, unfortunately the workaround isn’t practical in my case. I’ll start a new thread for the 0.102.0 fanotify support issue.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Could not watch path /var/lib/docker/overlay2 error
I was going to try running a main clamonacc using "OnAccessMountPath /" and a clamonacc process for each docker container, or for all docker containers, with "OnAccessIncludePath /var/lib/docker/overlayfs/<uuid>/merged", but clamd is given the container path, not the real path, so it can't find the file to scan.

Thanks,
Arthur

Re: [clamav-users] Could not watch path /var/lib/docker/overlay2 error
I have a fix for this issue. It seems the root of the problem is the use of fts, which doesn’t traverse across file systems.

Here’s a patch against 0.101.4:

--- a/clamd/onaccess_hash.c
+++ b/clamd/onaccess_hash.c
@@ -33,6 +33,7 @@
#include <string.h>
#include <errno.h>
#include <stdbool.h>
+#include <mntent.h>

#include <sys/fanotify.h>

@@ -622,6 +623,22 @@ int onas_ht_add_hierarchy(struct onas_ht *ht, const char *pathname) {
if (!elem) return CL_EMEM;

if (onas_ht_insert(ht, elem)) return -1;
+
+ char buf[10240];
+ struct mntent ent;
+ struct mntent *mntent;
+ FILE *mountinfo;
+ mountinfo = setmntent("/proc/mounts", "r");
+ if (mountinfo == NULL) {
+ logg("!ScanOnAccess: setmntent failed\n");
+ return CL_EARG;
+ }
+ while ((mntent = getmntent_r(mountinfo, &ent, buf, sizeof(buf))) != NULL) {
+ if (strcmp(curr->fts_path, pathname) != 0 && strcmp(curr->fts_path, mntent->mnt_dir) == 0) {
+ onas_ht_add_hierarchy(ht, curr->fts_path);
+ }
+ }
+ endmntent(mountinfo);
}

_priv_fts_close(ftsp);

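Review bot: in the new mount loop the return value of `onas_ht_add_hierarchy(ht, curr->fts_path);` is discarded, so a nested mount that cannot be watched fails silently, and the `return CL_EARG;` on setmntent failure returns with `ftsp` still open (it is only released by `_priv_fts_close(ftsp);` further down); propagate the recursive return code and close the fts handle on that early exit. The recursion is also made for the same `curr->fts_path` that was just inserted via `onas_ht_insert(ht, elem)`, so the mount point will be submitted to the hash table twice unless onas_ht_insert rejects duplicates; check that path. Two smaller points: /proc/mounts is opened and parsed again for every hierarchy element fts returns, so read the mount table once before the walk and compare against that list; and the exact `strcmp(curr->fts_path, mntent->mnt_dir)` only matches when fts_path is the identical canonical absolute string the kernel reports (no trailing slash, no symlinked component), so a non-canonical OnAccessIncludePath still misses nested mounts. Note too that /proc/mounts is the mount namespace of the clamd process; a clamd started in a different mount namespace from the docker daemon will not see the overlay mounts at all.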

Re: [clamav-users] Could not watch path /var/lib/docker/overlay2 error
After more testing this seems better:

--- a/clamd/onaccess_hash.c 2019-10-10 19:19:06.000000000 -0500
+++ b/clamd/onaccess_hash.c 2019-10-10 19:14:23.000000000 -0500
@@ -33,6 +33,7 @@
#include <string.h>
#include <errno.h>
#include <stdbool.h>
+#include <mntent.h>

#include <sys/fanotify.h>

@@ -589,6 +590,22 @@

struct onas_hnode *hnode = NULL;

+ char buf[10240];
+ struct mntent ent;
+ struct mntent *mntent;
+ FILE *mountinfo;
+ mountinfo = setmntent("/proc/mounts", "r");
+ if (mountinfo == NULL) {
+ logg("!ScanOnAccess: setmntent failed\n");
+ return CL_EARG;
+ }
+ while ((mntent = getmntent_r(mountinfo, &ent, buf, sizeof(buf))) != NULL) {
+ if (strcmp(curr->fts_path, pathname) != 0 && strcmp(curr->fts_path, mntent->mnt_dir) == 0) {
+ onas_ht_add_hierarchy(ht, curr->fts_path);
+ }
+ }
+ endmntent(mountinfo);
+
/* May want to handle other options in the future. */
switch (curr->fts_info) {
case FTS_D:

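Review bot: the mount-table read now sits before `switch (curr->fts_info)`, so it runs for every entry fts hands back, regular files included, and each of those opens and parses /proc/mounts from scratch; hoist the setmntent/getmntent_r loop out of the fts walk into a list built once, and only compare mount points for directory entries (the `case FTS_D:` branch). The two defects of the first version remain: the `return CL_EARG;` leaves `ftsp` open, and the result of `onas_ht_add_hierarchy(ht, curr->fts_path);` is ignored. The recursion also now happens while `hnode` for the current entry is still NULL, i.e. before this directory's own node exists, so the nested mount's hierarchy is added ahead of its parent; confirm the hash table does not depend on the parent being present first. The same exact-string `strcmp` against `mntent->mnt_dir` and the mount-namespace caveat apply here as well.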

Re: [clamav-users] Could not watch path /var/lib/docker/overlay2 error
I’m going to continue this via clamav-devel: https://lists.gt.net/clamav/devel/77346