Loading nixos/modules/services/security/clamav.nix +71 −1 Original line number Diff line number Diff line Loading @@ -65,6 +65,34 @@ in ''; }; }; clamonacc = { enable = lib.mkOption { default = false; example = true; description = '' Whether to enable ClamAV on-access scanner. The settings for ClamAV's on-access scanner is configured in `clamd.conf` via `services.clamav.daemon.settings`. Refer to <https://docs.clamav.net/manual/OnAccess.html> on how to configure it. Example to scan `/home/foo/Downloads` (and block access until scanning is completed) would be: ``` services.clamav = { daemon.enable = true; clamonacc.enable = true; daemon.settings = { OnAccessPrevention = true; OnAccessIncludePath = "/home/foo/Downloads"; }; }; ``` ''; type = lib.types.bool; }; }; updater = { enable = lib.mkEnableOption "ClamAV freshclam updater"; Loading Loading @@ -172,6 +200,17 @@ in }; config = lib.mkIf (cfg.updater.enable || cfg.daemon.enable) { assertions = [ { assertion = cfg.scanner.enable -> cfg.daemon.enable; message = "ClamAV scanner requires ClamAV daemon to operate"; } { assertion = cfg.clamonacc.enable -> cfg.daemon.enable; message = "ClamAV on-access scanner requires ClamAV daemon to operate"; } ]; environment.systemPackages = [ cfg.package ]; users.users.${clamavUser} = { Loading @@ -189,8 +228,10 @@ in DatabaseDirectory = stateDir; LocalSocket = "/run/clamav/clamd.ctl"; PidFile = "/run/clamav/clamd.pid"; User = "clamav"; User = clamavUser; Foreground = true; # Prevent infinite recursion in scanning OnAccessExcludeUname = clamavUser; }; services.clamav.updater.settings = { Loading @@ -216,11 +257,26 @@ in description = "ClamAV Antivirus Slice"; }; systemd.sockets.clamav-daemon = lib.mkIf cfg.daemon.enable { description = "Socket for ClamAV daemon (clamd)"; wantedBy = [ "sockets.target" ]; listenStreams = [ cfg.daemon.settings.LocalSocket ]; socketConfig = { SocketUser = clamavUser; SocketGroup = clamavGroup; # LocalSocketMode setting in clamd.conf is not prefixed with octal 0, add it here. SocketMode = "0${cfg.daemon.settings.LocalSocketMode or "666"}"; }; }; systemd.services.clamav-daemon = lib.mkIf cfg.daemon.enable { description = "ClamAV daemon (clamd)"; documentation = [ "man:clamd(8)" ]; after = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ]; wants = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ]; requires = [ "clamav-daemon.socket" ]; wantedBy = [ "multi-user.target" ]; restartTriggers = [ clamdConfigFile ]; Loading @@ -238,6 +294,20 @@ in }; }; systemd.services.clamav-clamonacc = lib.mkIf cfg.clamonacc.enable { description = "ClamAV on-access scanner (clamonacc)"; after = [ "clamav-daemon.socket" ]; requires = [ "clamav-daemon.socket" ]; wantedBy = [ "multi-user.target" ]; restartTriggers = [ clamdConfigFile ]; # This unit must start as root to be able to use fanotify. serviceConfig = { ExecStart = "${cfg.package}/bin/clamonacc -F --fdpass"; Slice = "system-clamav.slice"; }; }; systemd.timers.clamav-freshclam = lib.mkIf cfg.updater.enable { description = "Timer for ClamAV virus database updater (freshclam)"; wantedBy = [ "timers.target" ]; Loading nixos/tests/all-tests.nix +1 −0 Original line number Diff line number Diff line Loading @@ -359,6 +359,7 @@ in cinnamon = runTest ./cinnamon.nix; cinnamon-wayland = runTest ./cinnamon-wayland.nix; cjdns = runTest ./cjdns.nix; clamav = runTest ./clamav.nix; clatd = runTest ./clatd.nix; clickhouse = import ./clickhouse { inherit runTest; Loading nixos/tests/clamav.nix 0 → 100644 +45 −0 Original line number Diff line number Diff line # Test ClamAV. { lib, pkgs, ... }: { name = "clamav"; nodes = { machine = { services.clamav = { daemon.enable = true; clamonacc.enable = true; daemon.settings = { OnAccessPrevention = true; OnAccessIncludePath = "/opt"; }; }; # Add the definition for our test file. # We cannot download definitions from Internet using freshclam in sandboxed test. systemd.tmpfiles.settings."10-eicar"."/var/lib/clamav/test.hdb".L.argument = "${pkgs.runCommand "test.hdb" { } '' echo CLAMAVTEST > testfile ${lib.getExe' pkgs.clamav "sigtool"} --sha256 testfile > $out '' }"; # Test using /opt as the ClamAV on-access scanner-protected directory. systemd.tmpfiles.settings."10-testdir"."/opt".d = { }; }; }; testScript = '' start_all() machine.wait_for_unit("default.target") # Write test file into the test directory. # This won't trigger ClamAV as it scans on file open. machine.succeed("echo CLAMAVTEST > /opt/testfile") machine.fail("cat /opt/testfile") ''; } Loading
nixos/modules/services/security/clamav.nix +71 −1 Original line number Diff line number Diff line Loading @@ -65,6 +65,34 @@ in ''; }; }; clamonacc = { enable = lib.mkOption { default = false; example = true; description = '' Whether to enable ClamAV on-access scanner. The settings for ClamAV's on-access scanner is configured in `clamd.conf` via `services.clamav.daemon.settings`. Refer to <https://docs.clamav.net/manual/OnAccess.html> on how to configure it. Example to scan `/home/foo/Downloads` (and block access until scanning is completed) would be: ``` services.clamav = { daemon.enable = true; clamonacc.enable = true; daemon.settings = { OnAccessPrevention = true; OnAccessIncludePath = "/home/foo/Downloads"; }; }; ``` ''; type = lib.types.bool; }; }; updater = { enable = lib.mkEnableOption "ClamAV freshclam updater"; Loading Loading @@ -172,6 +200,17 @@ in }; config = lib.mkIf (cfg.updater.enable || cfg.daemon.enable) { assertions = [ { assertion = cfg.scanner.enable -> cfg.daemon.enable; message = "ClamAV scanner requires ClamAV daemon to operate"; } { assertion = cfg.clamonacc.enable -> cfg.daemon.enable; message = "ClamAV on-access scanner requires ClamAV daemon to operate"; } ]; environment.systemPackages = [ cfg.package ]; users.users.${clamavUser} = { Loading @@ -189,8 +228,10 @@ in DatabaseDirectory = stateDir; LocalSocket = "/run/clamav/clamd.ctl"; PidFile = "/run/clamav/clamd.pid"; User = "clamav"; User = clamavUser; Foreground = true; # Prevent infinite recursion in scanning OnAccessExcludeUname = clamavUser; }; services.clamav.updater.settings = { Loading @@ -216,11 +257,26 @@ in description = "ClamAV Antivirus Slice"; }; systemd.sockets.clamav-daemon = lib.mkIf cfg.daemon.enable { description = "Socket for ClamAV daemon (clamd)"; wantedBy = [ "sockets.target" ]; listenStreams = [ cfg.daemon.settings.LocalSocket ]; socketConfig = { SocketUser = clamavUser; SocketGroup = clamavGroup; # LocalSocketMode setting in clamd.conf is not prefixed with octal 0, add it here. SocketMode = "0${cfg.daemon.settings.LocalSocketMode or "666"}"; }; }; systemd.services.clamav-daemon = lib.mkIf cfg.daemon.enable { description = "ClamAV daemon (clamd)"; documentation = [ "man:clamd(8)" ]; after = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ]; wants = lib.optionals cfg.updater.enable [ "clamav-freshclam.service" ]; requires = [ "clamav-daemon.socket" ]; wantedBy = [ "multi-user.target" ]; restartTriggers = [ clamdConfigFile ]; Loading @@ -238,6 +294,20 @@ in }; }; systemd.services.clamav-clamonacc = lib.mkIf cfg.clamonacc.enable { description = "ClamAV on-access scanner (clamonacc)"; after = [ "clamav-daemon.socket" ]; requires = [ "clamav-daemon.socket" ]; wantedBy = [ "multi-user.target" ]; restartTriggers = [ clamdConfigFile ]; # This unit must start as root to be able to use fanotify. serviceConfig = { ExecStart = "${cfg.package}/bin/clamonacc -F --fdpass"; Slice = "system-clamav.slice"; }; }; systemd.timers.clamav-freshclam = lib.mkIf cfg.updater.enable { description = "Timer for ClamAV virus database updater (freshclam)"; wantedBy = [ "timers.target" ]; Loading
nixos/tests/all-tests.nix +1 −0 Original line number Diff line number Diff line Loading @@ -359,6 +359,7 @@ in cinnamon = runTest ./cinnamon.nix; cinnamon-wayland = runTest ./cinnamon-wayland.nix; cjdns = runTest ./cjdns.nix; clamav = runTest ./clamav.nix; clatd = runTest ./clatd.nix; clickhouse = import ./clickhouse { inherit runTest; Loading
nixos/tests/clamav.nix 0 → 100644 +45 −0 Original line number Diff line number Diff line # Test ClamAV. { lib, pkgs, ... }: { name = "clamav"; nodes = { machine = { services.clamav = { daemon.enable = true; clamonacc.enable = true; daemon.settings = { OnAccessPrevention = true; OnAccessIncludePath = "/opt"; }; }; # Add the definition for our test file. # We cannot download definitions from Internet using freshclam in sandboxed test. systemd.tmpfiles.settings."10-eicar"."/var/lib/clamav/test.hdb".L.argument = "${pkgs.runCommand "test.hdb" { } '' echo CLAMAVTEST > testfile ${lib.getExe' pkgs.clamav "sigtool"} --sha256 testfile > $out '' }"; # Test using /opt as the ClamAV on-access scanner-protected directory. systemd.tmpfiles.settings."10-testdir"."/opt".d = { }; }; }; testScript = '' start_all() machine.wait_for_unit("default.target") # Write test file into the test directory. # This won't trigger ClamAV as it scans on file open. machine.succeed("echo CLAMAVTEST > /opt/testfile") machine.fail("cat /opt/testfile") ''; }
