[clamav-users] 1 - cl_scanfile return value checking, 2 - JIT and SElinux

Micah Snyder (micasnyd) micasnyd at cisco.com
Fri Jan 19 16:09:41 UTC 2018


Jose,

Thanks for calling attention to the issue wherein cl_scanfile may return TRUE or FALSE instead of the appropriate CL_ code.  It’s great that you found a workaround for your PHP use-case.  I doubt that calling into libclamav from PHP is a common practice so it’s great that you solved the issue (I don’t expect you’d get a lot of help debugging PHP).

I’ll take a look into fixing the API so it consistently returns a CL_ code in the future and does not mix types with Boolean return values.

Sorry about the delay, things have been a little hectic the last couple weeks.

Take care, and please feel free to report any other disparities as you discover them.  Contributions are greatly appreciated.

Cheers,


Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.



On Jan 14, 2018, at 6:07 PM, Jose <teacherjh at aol.com> wrote:

contents:
1: an observation and caution regarding the cl_scanfile() return value
2: a question about JIT and SELinux

===

1: cl_scanfile()

The PHP function cl_scanfile() returns an int, where 0 means the file is clean, and a nonzero value indicates an infection of some sort.  The actual ints are abstracted behind constants such as CL_VIRUS and CL_CLEAN, and the documentation shows the following (edited) example usage (note the == comparison):

$retcode = cl_scanfile($file, $virusname);
if ($retcode == CL_VIRUS)
{   // do "infected file" stuff
}
else
{   // do "clean file" stuff
}

However, if cl_scanfile() is refused permission to run at all (such as by a misconfigured SELinux), then the return value is a boolean (FALSE).

When compared to the int value CL_VIRUS using a "double equal" operator, the boolean FALSE is converted to an int zero, and the file looks clean rather than unscanned!

Always check for boolean FALSE, and consider when to use double and triple equal comparisons with this in mind.

Better would be:

$retcode = cl_scanfile($file, $virusname);
if ($retcode === FALSE)
{ // do "file wasn't scanned" stuff
}
elseif ($retcode == CL_VIRUS)
{ // do "infected file" stuff
}
elseif ($retcode === CL_CLEAN)
{ // do "clean file" stuff
}
else
{ // you should never get here
 // do "program has a bug" stuff
}

====

2: Question about JIT and SELinux

It appears to me that if I use JIT, and want to scan file uploads from within PHP, then I also have to tell SELinux to allow httpd (Apache) to use exec, something I'd just as soon not do.  If I disable JIT and disable Apache's access to exec in SELinux, I can still scan files (presumably with a performance hit, which is why JIT is there in the first place).

So my two questions are:

A: Considering I'm calling the virus scanner from within a PHP script already, does JIT make that much of a performance difference?

B: And (how) can I set cl_scanfile() to use JIT without letting Apache use exec?

Thanks.

Jose
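
The fail-open case described in the message above, next to a fail-closed check, as an added example that is not part of the original thread and is not ClamAV's own code. classify_scan_result() and accept_upload() are hypothetical helpers, the closures are constructed stand-ins for cl_scanfile(), and the fallback constant values (CL_VIRUS as 1 in particular) are assumptions used only when the extension is not loaded.

```php
<?php
// Fallbacks so the demo runs without the ClamAV PHP extension loaded.
// 0 for CL_CLEAN follows the post; 1 for CL_VIRUS is an assumption.
if (!defined('CL_CLEAN')) { define('CL_CLEAN', 0); }
if (!defined('CL_VIRUS')) { define('CL_VIRUS', 1); }

// Hypothetical helper: map a raw return value to a verdict, failing closed.
// Only an int identical to CL_CLEAN is clean; FALSE, NULL and unknown
// codes are all reported as "unscanned".
function classify_scan_result($retcode): string
{
    if ($retcode === CL_VIRUS) { return 'infected'; }
    if ($retcode === CL_CLEAN) { return 'clean'; }
    return 'unscanned';
}

// Hypothetical upload gate: accept a file only on an explicit clean verdict.
function accept_upload(callable $scanner, string $path): bool
{
    $virusname = null;
    $verdict = classify_scan_result($scanner($path, $virusname));
    if ($verdict !== 'clean') {
        error_log("rejecting $path: $verdict" . ($virusname ? " ($virusname)" : ''));
    }
    return $verdict === 'clean';
}

// Constructed stand-ins for cl_scanfile(): blocked scan, clean file, detection.
$scanners = [
    'blocked'  => function ($file, &$virusname) { return false; },
    'clean'    => function ($file, &$virusname) { return CL_CLEAN; },
    'infected' => function ($file, &$virusname) {
        $virusname = 'Constructed.Test.Signature';
        return CL_VIRUS;
    },
];

foreach ($scanners as $name => $scanner) {
    $rc = $scanner('/tmp/upload.bin', $found);
    // Loose pattern from the documentation example: anything not == CL_VIRUS is "clean".
    $loose = ($rc == CL_VIRUS) ? 'infected' : 'clean';
    $accepted = accept_upload($scanner, '/tmp/upload.bin') ? 'yes' : 'no';
    printf("%-8s loose=%-8s strict=%-9s accepted=%s\n",
        $name, $loose, classify_scan_result($rc), $accepted);
}
```

For the blocked case the loose check reports the file as clean, while the strict classification reports it as unscanned and the gate rejects it.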