From 54016ddaf4f4bcb523e03c9702a22dbf1d30ee2f Mon Sep 17 00:00:00 2001 From: "W. Michael Petullo" Date: Fri, 8 Jan 2021 13:33:34 -0600 Subject: [PATCH] clamav: allow configuration to use TCP socket Something having to do with passing a file descriptor over spamd's Unix socket causes the ClamAV milter to fail. The milter says "ERROR: Unknown reply from clamd," and running strace on spamd reveals "No file descriptor received. ERROR." Some work by others can be found on the Internet that suggests using a TCP socket for the communication between the milter and spamd fixes this. Lucian Cristian confirmed this on OpenWrt. I am not sure why the Unix socket does not work. I suspect it is something related to musl, but I have not yet found evidence of this. This merge request adds the option to configure spamd to use a TCP socket, and it uses this as the default. The merge request also adds an init script for clamav-milter. Signed-off-by: W. Michael Petullo --- net/clamav/Makefile | 5 +- net/clamav/files/clamav-milter.config | 26 +++++++ net/clamav/files/clamav-milter.init | 100 ++++++++++++++++++++++++++ net/clamav/files/clamav.config | 4 +- net/clamav/files/clamav.init | 12 +++- 5 files changed, 144 insertions(+), 3 deletions(-) create mode 100644 net/clamav/files/clamav-milter.config create mode 100644 net/clamav/files/clamav-milter.init diff --git a/net/clamav/Makefile b/net/clamav/Makefile index 3fb870d06..abbb9d374 100644 --- a/net/clamav/Makefile +++ b/net/clamav/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=clamav PKG_VERSION:=0.102.4 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.clamav.net/downloads/production/ @@ -88,6 +88,7 @@ TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed $(if $(CONFIG_USE_MUSL),-lfts) define Package/clamav/conffiles /etc/config/clamav +/etc/config/clamav-milter endef define Package/clamav/install 
@@ -106,9 +107,11 @@ define Package/clamav/install $(INSTALL_DIR) $(1)/etc/config $(INSTALL_CONF) ./files/clamav.config $(1)/etc/config/clamav + $(INSTALL_CONF) ./files/clamav-milter.config $(1)/etc/config/clamav-milter $(INSTALL_DIR) $(1)/etc/init.d/ $(INSTALL_BIN) ./files/clamav.init $(1)/etc/init.d/clamav + $(INSTALL_BIN) ./files/clamav-milter.init $(1)/etc/init.d/clamav-milter $(INSTALL_DIR) $(1)/usr/share/clamav $(CP) ./files/bytecode.cvd $(1)/usr/share/clamav/ diff --git a/net/clamav/files/clamav-milter.config b/net/clamav/files/clamav-milter.config new file mode 100644 index 000000000..2598f2604 --- /dev/null +++ b/net/clamav/files/clamav-milter.config @@ -0,0 +1,26 @@ +config clamav-milter 'clamav-milter' + option clamav_milter_config_file '/etc/clamav/clamav-milter.conf' + option Foreground 'true' + option PidFile '/var/run/clamav/clamav-milter.pid' + option User 'nobody' + option MilterSocketGroup 'nogroup' + option AllowSupplementaryGroups 'true' + option ReadTimeout '120' + option OnClean 'Accept' + option OnInfected 'Quarantine' + option OnFail 'Defer' + option AddHeader 'Replace' + option LogVerbose 'true' + option LogTime 'true' + option LogSyslog 'true' + option LogFacility 'LOG_LOCAL6' + option LogInfected 'Full' + option LogClean 'Basic' + option MaxFileSize '25M' + option SupportMultipleRecipients 'true' + option RejectMsg 'Rejecting Harmful Email: %v found.' + option TemporaryDirectory '/tmp' + option MilterSocket 'unix:/var/run/clamav/clamav-milter.sock' + option MilterSocketMode '666' + option ClamdSocket 'tcp:127.0.0.1:3310' + option FixStaleSocket 'true' diff --git a/net/clamav/files/clamav-milter.init b/net/clamav/files/clamav-milter.init new file mode 100644 index 000000000..a4a0fdec5 --- /dev/null +++ b/net/clamav/files/clamav-milter.init 
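Review bot: `option MilterSocketMode '666'` in the new clamav-milter.config makes the milter's Unix socket readable and writable by every local account, so any process on the device can speak the milter protocol to it, not only the MTA. Since `MilterSocketGroup` is already an option, a tighter default would be `option MilterSocketMode '660'` with `MilterSocketGroup` set to the group the MTA runs in. Whether `nogroup` is that group depends on the mail server package, which is not visible here. A short comment above the two options naming the account expected to connect would help whoever changes them later.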
@@ -0,0 +1,100 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2015 OpenWrt.org
+
+START=90
+STOP=10
+
+USE_PROCD=1
+PROG=/usr/sbin/clamav-milter
+CLAMAV_MILTER_CONFIGFILE="/tmp/clamav/clamav-milter.conf"
+
+validate_clamav_milter_section() {
+ uci_load_validate clamav-milter clamav_milter "$1" "$2" \
+ 'clamav_milter_config_file:string' \
+ 'Foreground:string' \
+ 'PidFile:string' \
+ 'User:string' \
+ 'MilterSocketGroup:string' \
+ 'AllowSupplementaryGroups:string' \
+ 'ReadTimeout:uinteger' \
+ 'OnClean:string' \
+ 'OnInfected:string' \
+ 'OnFail:string' \
+ 'AddHeader:string' \
+ 'LogVerbose:string' \
+ 'LogTime:string' \
+ 'LogSyslog:string' \
+ 'LogFacility:string' \
+ 'LogInfected:string' \
+ 'LogClean:string' \
+ 'MaxFileSize:string' \
+ 'SupportMultipleRecipients:string' \
+ 'RejectMsg:string' \
+ 'TemporaryDirectory:string' \
+ 'MilterSocket:string' \
+ 'MilterSocketMode:uinteger' \
+ 'ClamdSocket:string' \
+ 'FixStaleSocket:string'
+}
+
+start_clamav_milter_instance() {
+ [ "$2" = 0 ] || {
+ echo "validation failed"
+ return 1
+ }
+
+ mkdir -p /etc/clamav/
+ mkdir -p /var/run/clamav/
+ chmod a+rw /var/run/clamav
+
+ mkdir -p "$(dirname $CLAMAV_MILTER_CONFIGFILE)"
+ ln -sf "$clamav_milter_config_file" "$CLAMAV_MILTER_CONFIGFILE"
+
+ {
+ echo "Foreground " "$Foreground"
+ echo "PidFile " "$PidFile"
+ echo "User " "$User"
+ echo "MilterSocketGroup " "$MilterSocketGroup"
+ echo "AllowSupplementaryGroups " "$AllowSupplementaryGroups"
+ echo "ReadTimeout " "$ReadTimeout"
+ echo "OnClean " "$OnClean"
+ echo "OnInfected " "$OnInfected"
+ echo "OnFail " "$OnFail"
+ echo "AddHeader " "$AddHeader"
+ echo "LogVerbose " "$LogVerbose"
+ echo "LogTime " "$LogTime"
+ echo "LogSyslog " "$LogSyslog"
+ echo "LogFacility " "$LogFacility"
+ echo "LogInfected " "$LogInfected"
+ echo "LogClean " "$LogClean"
+ echo "MaxFileSize " "$MaxFileSize"
+ echo "SupportMultipleRecipients " "$SupportMultipleRecipients"
+ echo "RejectMsg " "$RejectMsg"
+ echo "TemporaryDirectory " 
"$TemporaryDirectory" + echo "MilterSocket " "$MilterSocket" + echo "MilterSocketMode " "$MilterSocketMode" + echo "ClamdSocket " "$ClamdSocket" + echo "FixStaleSocket " "$FixStaleSocket" + } > "$CLAMAV_MILTER_CONFIGFILE" + + procd_open_instance + procd_set_param command $PROG -c $CLAMAV_MILTER_CONFIGFILE + procd_set_param file $CLAMAV_MILTER_CONFIGFILE + procd_close_instance +} + +start_service() +{ + validate_clamav_milter_section clamav_milter start_clamav_milter_instance +} + +stop_service() +{ + service_stop $PROG +} + +service_triggers() +{ + procd_add_reload_trigger "clamav-milter" + procd_add_validation validate_clamav_milter_section +} diff --git a/net/clamav/files/clamav.config b/net/clamav/files/clamav.config index 9f945e3b9..bdd555033 100644 --- a/net/clamav/files/clamav.config +++ b/net/clamav/files/clamav.config @@ -29,7 +29,9 @@ config clamav 'clamav' option AlertEncrypted 'yes' option MaxFileSize '10M' option TemporaryDirectory '/tmp' - option LocalSocket '/var/run/clamav/clamd.sock' + # option LocalSocket '/var/run/clamav/clamd.sock' + option TCPAddr '127.0.0.1' + option TCPSocket '3310' option User 'nobody' option ExitOnOOM 'yes' option DatabaseDirectory '/usr/share/clamav' diff --git a/net/clamav/files/clamav.init b/net/clamav/files/clamav.init index e06dfa60c..ca093cdff 100644 --- a/net/clamav/files/clamav.init +++ b/net/clamav/files/clamav.init @@ -41,6 +41,8 @@ validate_clamav_section() { 'AlertEncrypted:string' \ 'MaxFileSize:string' \ 'LocalSocket:string' \ + 'TCPSocket:port' \ + 'TCPAddr:ipaddr' \ 'User:string' \ 'ExitOnOOM:string' \ 'DatabaseDirectory:string' 
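Review bot: `chmod a+rw /var/run/clamav` in start_clamav_milter_instance leaves the runtime directory world-writable without the sticky bit, so any local user can remove or replace the PID file and the milter socket that the default config places there. Handing the directory to the service account keeps it usable while closing that off, e.g. `chown "$User" /var/run/clamav` followed by `chmod 0755 /var/run/clamav`. The shipped defaults run both clamd and the milter as `nobody`; if the accounts are ever split, a shared group with mode 0770 would be the equivalent. Separately, `$(dirname $CLAMAV_MILTER_CONFIGFILE)` and the `procd_set_param` arguments are unquoted, which is harmless with the current constant but cheap to quote.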
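Review bot: Switching the default from `LocalSocket` to `TCPAddr '127.0.0.1'` / `TCPSocket '3310'` trades a socket guarded by file permissions for one that clamd's TCP protocol does not authenticate, so every local process can send scan requests and commands to the daemon. Binding to loopback keeps it off the network, which is the important part. I would add a comment next to these options saying so, such as `# clamd's TCP socket is unauthenticated; keep TCPAddr on loopback unless the port is firewalled`. The commit message already explains the fd-passing failure behind the change, so the comment only needs to cover the exposure.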
@@ -90,12 +92,20 @@ start_clamav_instance() { echo "TemporaryDirectory " "$TemporaryDirectory" echo "AlertEncrypted " "$AlertEncrypted" echo "MaxFileSize " "$MaxFileSize" - echo "LocalSocket " "$LocalSocket" echo "User " "$User" echo "ExitOnOOM " "$ExitOnOOM" echo "DatabaseDirectory " "$DatabaseDirectory" } > "$CLAMD_CONFIGFILE" + if [ -n "$LocalSocket" ]; then + echo "LocalSocket " "$LocalSocket" >>"$CLAMD_CONFIGFILE" + fi + + if [ -n "$TCPSocket" ]; then + echo "TCPAddr" "$TCPAddr" >>"$CLAMD_CONFIGFILE" + echo "TCPSocket " "$TCPSocket" >>"$CLAMD_CONFIGFILE" + fi + procd_open_instance procd_set_param command $PROG -c $CLAMD_CONFIGFILE procd_set_param file $CLAMD_CONFIGFILE
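Review bot: The `if [ -n "$TCPSocket" ]` branch writes `TCPAddr` unconditionally, so a config that sets `TCPSocket` but omits `TCPAddr` produces a `TCPAddr` line with no value. Depending on how clamd treats that, it either rejects the file or falls back to listening on all interfaces, and clamd's TCP socket has no authentication. Defaulting to loopback closes the gap: `echo "TCPAddr " "${TCPAddr:-127.0.0.1}" >>"$CLAMD_CONFIGFILE"`. It would also be worth failing early when both `LocalSocket` and `TCPSocket` are empty, since the generated file then has no listener at all. start_clamav_instance begins before this hunk and continues after it.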