> On-Access [...] leverages a kernel api called fanotify to block
> processes from attempting to access malicious files. This
> prevention occurs in kernel-space, and thus offers stronger
> protection than a purely user-space solution.
This is not really useful for the PMG use case and requires user
configuration, as otherwise it refuses to start. In fact, it is the sole
unit marked as failed after a fresh installation:
> ERROR: Clamonacc: at least one of OnAccessExcludeUID,
> OnAccessExcludeUname, or OnAccessExcludeRootUID must be specified
> it is recommended you exclude the clamd instance UID or uname to
> prevent infinite event scanning loops.
So disable it by default; if a user really wants this, whyever that
would be, they can just configure it and enable it again via
systemctl.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
}
syscmd("chroot $targetdir /bin/chown clamav:clamav -R /var/lib/clamav") == 0 ||
die "unable to set owner for clamav database files\n";
+
+ # on-access scanner (blocks file access if it thinks file is bad) needs to be explicit
+ # configured by the user, otherwise it fails, and it doesn't make sense for most users.
+ unlink "$targetdir/etc/systemd/system/multi-user.target.wants/clamav-clamonacc.service"
+ or warn "failed to disable clamav-clamonacc.service - $!";
}
if ($iso_env->{product} eq 'pve') {
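Review bot: the added `unlink "$targetdir/etc/systemd/system/multi-user.target.wants/clamav-clamonacc.service"` hardcodes the enable-symlink location that the clamav package happened to create, so the hunk silently stops doing anything (and prints the `warn` on every install) if a future package version enables the unit under a different target or via a preset. The surrounding lines already shell out with `syscmd("chroot $targetdir ...")`, so `syscmd("chroot $targetdir systemctl disable clamav-clamonacc.service")` would follow the same convention and let systemd find the link itself; if unlink is kept, guarding it with `-l` on the path would avoid a spurious warning when the link is absent. Minor: the comment should read "explicitly configured".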