From 9c20653f157663ba1da5b2f51108d4524325c8f9 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Mon, 12 Jul 2021 04:00:57 +0000
Subject: [PATCH] Increase inotify capacity to prevent Clam OnAccess Scanner from failing
---
 tasks/main.yml | 13 +++++++++++++
 templates/Fedora/34/etc/clamd.d/scan.conf | 7 ++++---
 vars/Fedora-34-default.yml | 5 +++++
 3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 9f11cd2..8ce89fe 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -29,6 +29,19 @@ - ansible_system == 'Linux' - services is not defined ansible.builtin.service_facts: +- name: 'ensure sysctl' + when: + - ansible_system == 'Linux' + - ensure_clamav is defined + - ensure_clamav.sysctl_list is defined + - ensure_clamav.sysctl_list is iterable + ansible.posix.sysctl: + name: '{{ item.name }}' + reload: '{{ item.reload | default(omit) }}' + state: '{{ item.state }}' + sysctl_file: '{{ item.sysctl_file | default(omit) }}' + sysctl_set: '{{ item.sysctl_set | default(omit) }}' + value: '{{ item.value | default(omit) }}' - name: 'ensure packages' when: - ansible_system == 'Linux'
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index 0b28a1e..d0ff41c 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -739,6 +739,7 @@ OnAccessMountPath {{ item.mount }} # root user from triggering a scan (unless OnAccessPrevention is enabled). # Default: no #OnAccessExcludeRootUID no +OnAccessExcludeRootUID yes # With this option you can whitelist specific UIDs. Processes with these UIDs # will be able to access all files without triggering scans or permission 
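Review bot: The added `ensure sysctl` task reads `item.name`, `item.state` and the other `item.*` fields, but none of its thirteen new lines is a `loop:`, so `item` is undefined when the task runs and Ansible aborts it with an undefined-variable error as soon as the `when` guard passes. The guard's `ensure_clamav.sysctl_list is iterable` test suggests the missing line is `loop: '{{ ensure_clamav.sysctl_list }}'`, placed after the `when:` block as the sibling tasks presumably do. With `reload` omitted, `ansible.posix.sysctl` defaults to reloading the file it writes, which is what makes the new limit take effect immediately; a one-line comment such as `# reload defaults to yes: the new value is applied, not just written` would save the next reader a lookup. The task list continues before and after this hunk, so the neighbouring `ensure packages` task cannot be checked for the same pattern from here.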
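Review bot: `OnAccessExcludeRootUID yes` exempts every process running as UID 0 from on-access scanning, so anything executed as root (a compromised service, a root shell opening a dropped payload) no longer triggers a scan, and the commit subject about inotify capacity gives no reason for weakening the scanner this way. The surrounding upstream comment notes only the interaction with OnAccessPrevention, and the shipped default is `no`. If the intent is to stop a specific root-run tool such as the package manager from generating events, that is narrower than excluding all of UID 0 and should be stated in a comment above the line; otherwise restore the default, or make it an explicit opt-in per mount entry, e.g. `OnAccessExcludeRootUID {{ item.exclude_root_uid | default('no') }}`, so a playbook has to ask for it.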
@@ -761,9 +762,9 @@ OnAccessMountPath {{ item.mount }} # OnAccessExcludeUID option. # Default: disabled #OnAccessExcludeUname clamav -OnAccessExcludeUname clamilt -OnAccessExcludeUname clamscan -OnAccessExcludeUname clamupdate +# XXX OnAccessExcludeUname clamilt +# XXX OnAccessExcludeUname clamscan +# XXX OnAccessExcludeUname clamupdate # Number of times the OnAccess client will retry a failed scan due to # connection problems (or other issues).
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
index e167034..85d2efc 100644
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@@ -28,6 +28,11 @@ service_list: - name: 'clamav-freshclam.service' state: 'started' enabled: 'yes' +sysctl_list: + - name: 'fs.inotify.max_user_watches' + state: 'present' + sysctl_file: '/etc/sysctl.d/99-clamav.conf' + value: '524288' template_list: - dest: '/etc/clamd.d/scan.conf' group: 'root'
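Review bot: The three `OnAccessExcludeUname` entries for `clamilt`, `clamscan` and `clamupdate` are disabled with a bare `# XXX` marker and no explanation, and those markers will be rendered verbatim into the deployed `/etc/clamd.d/scan.conf`. If clamd itself runs under one of these accounts (on Fedora the `clamd@scan` unit is normally run as `clamscan` — confirm against the unit this role installs), its own file reads during a scan now generate on-access events that are handed back to the daemon, which is the self-triggering loop the upstream `OnAccessExcludeUname clamav` example exists to avoid; `clamupdate` writing refreshed signature files would likewise be scanned on every update. Keep at least `OnAccessExcludeUname clamscan`, and replace each `# XXX` with a comment recording why the exclusion was dropped, e.g. `# clamilt exclusion removed: <reason>`.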
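Review bot: `fs.inotify.max_user_watches` is a per-UID limit the kernel enforces for every account on the host, so `524288` raises it for all users rather than only for the scanner, and every registered watch pins kernel memory for as long as it lives; the entry deserves a comment saying why this value was chosen and that it is host-wide, e.g. `# clamonacc registers an inotify watch per followed directory; raise the per-user cap (host-wide) so large trees do not exhaust it`. It is also worth confirming that inotify watches are the limit actually being hit: the scan.conf hunk shows `OnAccessMountPath`, which relies on fanotify rather than inotify, so with mount-based scanning alone this sysctl may not address the failure. `fs.inotify.max_user_instances` is the other inotify ceiling that commonly has to be raised alongside `max_user_watches`, and it could be added as a second list entry if the failure persists. Keeping the value quoted as `'524288'` is correct for this module.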