[clamav-users] 1 - cl_scanfile return value checking, 2 - JIT and SElinux

Jose teacherjh at aol.com
Sun Jan 14 23:07:58 UTC 2018


contents:
1: an observation and caution regarding the cl_scanfile() return value
2: a question about JIT and SElinux

===

1: cl_scanfile()

The php function cl_scanfile() returns an int, where 0 means the file is 
clean, and a nonzero value indicates an infection of some sort.  The 
actual ints are abstracted behind constants such as CL_VIRUS and 
CL_CLEAN, and the documentation shows the following (edited) example 
usage (note the == comparison):

$retcode = cl_scanfile($file, $virusname);
if ($retcode == CL_VIRUS)
{   // do "infected file" stuff
}
else
{   // do "clean file" stuff
}

However, if cl_scanfile() is refused permission to run at all (such as 
by a misconfigured SElinux), then the return value is a boolean (FALSE).

When compared to the int value CL_VIRUS using a "double equal" operator, 
the boolean FALSE is converted to an int zero, and the file looks clean 
rather than unscanned!

Always check for boolean FALSE, and consider when to use double and 
triple equal comparisons with this in mind.

Better would be:

$retcode = cl_scanfile($file, $virusname);
if ($retcode === FALSE)
{ // do "file wasn't scanned" stuff
}
elseif ($retcode == CL_VIRUS)
{ // do "infected file" stuff
}
elseif ($retcode === CL_CLEAN)
{ // do "clean file" stuff
}
else
{ // you should never get here
   // do "program has a bug" stuff
}

====

2: Question about JIT and SElinux

It appears to me that if I use JIT, and want to scan file uploads from 
within php then I also have to tell SElinux to allow httpd (Apache) to 
use exec, something I'd just as soon not do.  If I disable JIT and 
disable Apache's access to exec in SElinux, I can still scan files 
(presumably with a performance hit, which is why JIT is there in the 
first place).

So my two questions are:

A: Considering I'm calling the virus scanner from within a php script 
already, does JIT make that much of a performance difference?

B: And (how) can I set cl_scanfile() to use JIT without letting Apache 
use exec?

Thanks.

Jose



More information about the clamav-users mailing list