File: //proc/self/root/opt/imunify360/venv/lib64/python3.11/site-packages/imav/malwarelib/engine.py
"""
This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Copyright © 2019 Cloud Linux Software Inc.
This software is also available under ImunifyAV commercial license,
see <https://www.imunify360.com/legal/eula>
Single-source binary selector for the malware stack
(scanner / cleaner / vulnerability patcher).
All three on-demand call sites import from here so they cannot disagree by
construction. Realtime selection is gated independently in
``aibolit-resident.service``'s ``ExecStart=`` shell (aibolit repo) and
defended by a ``rustbolit --resident`` self-check (rustbolit repo) — see
DEF-43111.
PUBLIC HELPER for unit tests: patch ``imav.malwarelib.engine.use_rustbolit_stack``
or ``engine._is_enabled`` directly. NEVER patch consumer-side imports —
single-source patching guarantees scanner / cleaner / patcher all see the
same value in one fixture, and avoids the where-to-patch trap.
"""
import logging
import os
from defence360agent.contracts.config import ANTIVIRUS_MODE
from defence360agent.internals.feature_flags import is_enabled as _is_enabled
from imav.malwarelib.cleanup import PROCU2_BINARY, RUSTCURATOR_BINARY
from imav.malwarelib.scan.ai_bolit import AIBOLIT_BINARY, RUSTBOLIT_BINARY
logger = logging.getLogger(__name__)
FF_NAME = "force_aibolit_stack"
# Edge-trigger latch: log only on flag-state transitions, not on every call.
# A scheduled scan with thousands of malware hits would otherwise produce
# thousands of duplicate WARNING lines. Per-spawn observability lives in
# scanner/cleaner/patcher _cmd info-level logs; this stays as a once-per-
# transition signpost.
_last_logged_state: bool | None = None
def use_rustbolit_stack() -> bool:
"""Return True iff scans/cleans/patches should use the rustbolit stack.
A single decision drives scanner, cleaner, and vulnerability patcher.
Reads the FF on every call; underlying file read is mtime-cached.
"""
global _last_logged_state
force_aibolit = _is_enabled(FF_NAME, default=False)
if force_aibolit != _last_logged_state:
_last_logged_state = force_aibolit
if force_aibolit:
message = (
"feature flag %r is on; using ai-bolit stack instead of"
" rustbolit"
)
else:
message = (
"feature flag %r is off; using rustbolit stack when available"
)
logger.warning(message, FF_NAME)
if force_aibolit:
return False
if not os.path.exists(RUSTBOLIT_BINARY):
return False
if not (os.path.exists(RUSTCURATOR_BINARY) or ANTIVIRUS_MODE):
return False
return True
def scanner_path() -> str:
"""Return the chosen scanner binary path and log it for per-spawn forensics."""
chosen = RUSTBOLIT_BINARY if use_rustbolit_stack() else AIBOLIT_BINARY
logger.info("Using scanner: %s", chosen)
return chosen
def curator_path() -> str:
"""Return the chosen curator binary path and log it for per-spawn forensics.
AV-mode caveat: ``use_rustbolit_stack()`` returns True in AV mode even when
rustcurator is absent on disk (the scanner only needs rustbolit). The curator
must independently check rustcurator presence and fall back to procu2 when
it's missing — otherwise cleanup / patcher subprocesses spawn ENOENT.
Restores the pre-DEF-43111 ``os.path.exists(RUSTCURATOR_BINARY)`` fallback.
"""
chosen = (
RUSTCURATOR_BINARY
if use_rustbolit_stack() and os.path.exists(RUSTCURATOR_BINARY)
else PROCU2_BINARY
)
logger.info("Using curator: %s", chosen)
return chosen