LinuxQuestions.org
Old 07-27-2016, 05:11 AM   #1
horizn
Member
 
Registered: Jan 2015
Location: UK and Poland
Distribution: Slackware + Debian + Ubuntu
Posts: 170

Rep: Reputation: Disabled
Lack of FANOTIFY support in kernel in 14.2?


Hi,
I am trying to configure the ClamAV Scan On Access option, but unfortunately the default kernel seems not to be configured for FANOTIFY:

Code:
root@:/usr/local/bin# cat /boot/config | grep FANOTIFY
CONFIG_FANOTIFY=y
# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
root@:/usr/local/bin# cat /boot/config-generic-4.4.14 | grep FANOTIFY
CONFIG_FANOTIFY=y
# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
root@:/usr/local/bin# cat /boot/config-huge-4.4.14 | grep FANOTIFY
CONFIG_FANOTIFY=y
# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
Is there any option to work around it without kernel recompilation?

Even if I start Clamav as root:

Code:
Wed Jul 27 11:18:34 2016 -> ScanOnAccess: preventing access attempts on malicious files.
Wed Jul 27 11:18:34 2016 -> ScanOnAccess: Max file size limited to 10485760 bytes
Wed Jul 27 11:18:34 2016 -> ScanOnAccess: Protecting directory '/home/xyz' (and all sub-directories)
Wed Jul 27 11:18:34 2016 -> ERROR: ScanOnAccess: Could not watch path '/home/xyz', Invalid argument
Wed Jul 27 11:18:34 2016 -> ERROR: ScanOnAccess: When using the OnAccessPrevention option, please ensure your kernel
                        was compiled with CONFIG_FANOTIFY_ACCESS_PERMISSIONS set to Y
Wed Jul 27 11:18:34 2016 -> Waiting for all threads to finish
Wed Jul 27 11:18:34 2016 -> Stopping on-access scan
Wed Jul 27 11:18:34 2016 -> ScanOnAccess: onas_ddd_exit(), signal 10
Wed Jul 27 11:18:35 2016 -> Shutting down the main socket.
Wed Jul 27 11:18:35 2016 -> Pid file removed.
Wed Jul 27 11:18:35 2016 -> --- Stopped at Wed Jul 27 11:18:35 2016
Wed Jul 27 11:18:35 2016 -> Closing the main socket.
Wed Jul 27 11:18:35 2016 -> Socket file removed.

Last edited by horizn; 07-27-2016 at 05:20 AM.
 
Old 07-27-2016, 05:36 AM   #2
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,097

Rep: Reputation: 4174
Slackware 14.2 kernel supports "Filesystem wide access notification" (FANOTIFY), it's the "fanotify permissions checking" support that's not compiled in.

http://blog.clamav.net/2016/03/confi...in-clamav.html

Code:
If this is seen:

  CONFIG_FANOTIFY=y
  # CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set

Then on-access scanning will be constrained to notify-only mode
and will be unable to prevent access to malicious files, since
fanotify lacks the ability to block events on the system.
So, if notifying isn't enough for you and you want to prevent access, you have to rebuild your kernel.

IMHO, this specific ClamAV function is useful mainly if you are monitoring Samba shares via clamd; I cannot think of other use cases: protecting Unix home directories from viruses doesn't make much sense...

Last edited by ponce; 07-27-2016 at 05:54 AM.
 
Old 07-27-2016, 07:01 AM   #3
horizn
Member
 
Registered: Jan 2015
Location: UK and Poland
Distribution: Slackware + Debian + Ubuntu
Posts: 170

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ponce
Slackware 14.2 kernel supports "Filesystem wide access notification" (FANOTIFY), it's the "fanotify permissions checking" support that's not compiled in.

http://blog.clamav.net/2016/03/confi...in-clamav.html

Code:
If this is seen:

  CONFIG_FANOTIFY=y
  # CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set

Then on-access scanning will be constrained to notify-only mode
and will be unable to prevent access to malicious files, since
fanotify lacks the ability to block events on the system.
So, if notifying isn't enough for you and you want to prevent access, you have to rebuild your kernel.

IMHO, this specific ClamAV function is useful mainly if you are monitoring Samba shares via clamd; I cannot think of other use cases: protecting Unix home directories from viruses doesn't make much sense...
It makes sense if you have an FTP account (with well-known credentials) where customers can upload (only) files. Of course I can prevent uploading malicious file extensions, but sometimes that is too little.
 
Old 07-27-2016, 12:49 PM   #4
MarcT
Member
 
Registered: Jan 2009
Location: UK
Distribution: Slackware 14.2
Posts: 125

Rep: Reputation: 51
Sounds like you'll need to recompile the kernel then. It's not too tough.

You should already have the kernel source in the package "kernel-source-4.4.14-noarch-1.txz". Personally I'd unpack a copy of this in a build directory in a non-root user's home directory. Don't build your kernel in /usr/src/linux.

For example, as a user:
mkdir build
cd build
xz -dc kernel-source-4.4.14-noarch-1.txz | tar xvf -

Use one of the existing "config" files from /boot as a template, rename it to .config (note the leading dot) at the top of the kernel source tree.
Edit .config to enable what you need.
Read the README (which should be in the kernel's top level directory, same as your new .config file).


Then do:

make oldconfig (this should run through without any prompts. Since you're rebuilding the same version of kernel there won't be any new/unanswered options).
time make
time make modules (if it's a modular kernel, as defined by the config file you used).

...then you'll have to install your new kernel & modules.

That's the subject of another post - see if you can get it re-compiled first.

Good luck!

Last edited by MarcT; 07-27-2016 at 12:51 PM.
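As an added example (not code from any poster in this thread), a small POSIX shell helper that performs the config check ponce describes in post #2 on a kernel config file, and flips CONFIG_FANOTIFY_ACCESS_PERMISSIONS on in the copied .config from MarcT's post #4 before make oldconfig. The ~/build/linux-4.4.14 path in the usage comment is an assumption about where the kernel-source package unpacks.

```shell
#!/bin/sh
# Added example: classify a kernel config file (/boot/config-* or a .config)
# by its FANOTIFY options, and enable one option in a copied .config.

# Print "prevention", "notify-only" or "none" for the given kernel config file.
fanotify_mode() {
    cfg="$1"
    if ! grep -q '^CONFIG_FANOTIFY=y$' "$cfg"; then
        echo none            # clamd on-access scanning cannot work at all
    elif grep -q '^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y$' "$cfg"; then
        echo prevention      # OnAccessPrevention can block file access
    else
        echo notify-only     # fanotify present, but only notification events
    fi
}

# Enable one boolean option in a config file: rewrite the
# "# CONFIG_X is not set" line, or append "CONFIG_X=y" if the option is absent.
# Uses a temp copy instead of sed -i so it works with any POSIX sed.
enable_option() {
    cfg="$1"; opt="$2"
    if grep -q "^# $opt is not set\$" "$cfg"; then
        sed "s/^# $opt is not set\$/$opt=y/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    elif ! grep -q "^$opt=y\$" "$cfg"; then
        echo "$opt=y" >> "$cfg"
    fi
}

# Usage on a Slackware 14.2 box (paths from the thread; the build directory
# is an assumption):
#   cp /boot/config-generic-4.4.14 ~/build/linux-4.4.14/.config
#   enable_option ~/build/linux-4.4.14/.config CONFIG_FANOTIFY_ACCESS_PERMISSIONS
#   fanotify_mode ~/build/linux-4.4.14/.config     # prints: prevention
#   cd ~/build/linux-4.4.14 && make oldconfig && make && make modules
```

Running fanotify_mode against /boot/config on the stock 14.2 kernel reproduces the OP's finding: notify-only, which is exactly what the clamd error about OnAccessPrevention complains about.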
 
Old 07-27-2016, 02:29 PM   #5
horizn
Member
 
Registered: Jan 2015
Location: UK and Poland
Distribution: Slackware + Debian + Ubuntu
Posts: 170

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by MarcT
Sounds like you'll need to recompile the kernel then. It's not too tough.

You should already have the kernel source in the package "kernel-source-4.4.14-noarch-1.txz". Personally I'd unpack a copy of this in a build directory in a non-root user's home directory. Don't build your kernel in /usr/src/linux.

For example, as a user:
mkdir build
cd build
xz -dc kernel-source-4.4.14-noarch-1.txz | tar xvf -

Use one of the existing "config" files from /boot as a template, rename it to .config (note the leading dot) at the top of the kernel source tree.
Edit .config to enable what you need.
Read the README (which should be in the kernel's top level directory, same as your new .config file).


Then do:

make oldconfig (this should run through without any prompts. Since you're rebuilding the same version of kernel there won't be any new/unanswered options).
time make
time make modules (if it's a modular kernel, as defined by the config file you used).

...then you'll have to install your new kernel & modules.

That's the subject of another post - see if you can get it re-compiled first.

Good luck!
I've done it in the past (kernel 2.6 era).
 