_gnutls_resolve_priorities: always try to re-read sys priority file

Previously if the system priority file was edited, that would
take effect on the very next TLS session an application created.

As of:

  commit 006b89d4464ae1bb6d545ea5716998654124df45
  Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
  Date:   Fri Apr 1 10:46:12 2016 +0200

    priorities: preload the system priorities on library loading time

It is required to restart every application after changing the
system priority file to get changes to take effect.

Further, for applications running in a chroot, it will no longer
honour a system priority file that may exist inside the chroot,
always using the originally cached data from outside the chroot.

This patch changes the caching so that we always try to reload
the cache of system priorities. A mtime check is used to avoid
actually re-reading the file unless its content has obviously
changed. If the file no longer exists, the cache will not be
invalidated. This ensures that the current priority file is
always honoured, whether inside a chroot or not, while at the
same time allowing apps to work in a chroot when no system
priority file is present.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/lib/priority.c b/lib/priority.c
index 14b6251a172c73188cefca615f95aca6162027a8..5fcc97f29fe3635ddc46aede5dd3eb6eef20ef23 100644 (file)
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -32,6 +32,7 @@
 #include <c-ctype.h>
 #include <extensions.h>
 #include "fips.h"
+#include "errno.h"
 
 #define MAX_ELEMENTS 64
 
@@ -926,26 +927,54 @@ static char *check_str(char *line, size_t line_size, const char *needle, size_t
 static const char *system_priority_file = SYSTEM_PRIORITY_FILE;
 static char *system_priority_buf = NULL;
 static size_t system_priority_buf_size = 0;
+static time_t system_priority_last_mod = 0;
 
-void _gnutls_load_system_priorities(void)
+
+static void _gnutls_update_system_priorities(void)
 {
+#ifdef HAVE_FMEMOPEN
        gnutls_datum_t data;
-       const char *p;
        int ret;
+       struct stat sb;
 
-       p = secure_getenv("GNUTLS_SYSTEM_PRIORITY_FILE");
-       if (p != NULL)
-               system_priority_file = p;
+       if (stat(system_priority_file, &sb) < 0) {
+               _gnutls_debug_log("unable to access: %s: %d\n",
+                                 system_priority_file, errno);
+               return;
+       }
+
+       if (sb.st_mtime == system_priority_last_mod) {
+               _gnutls_debug_log("system priority %s has not changed\n",
+                                 system_priority_file);
+               return;
+       }
 
-#ifdef HAVE_FMEMOPEN
        ret = gnutls_load_file(system_priority_file, &data);
-       if (ret < 0)
+       if (ret < 0) {
+               _gnutls_debug_log("unable to load: %s: %d\n",
+                                 system_priority_file, ret);
                return;
+       }
 
+       _gnutls_debug_log("cached system priority %s mtime %lld\n",
+                         system_priority_file,
+                         (unsigned long long)sb.st_mtime);
+       gnutls_free(system_priority_buf);
        system_priority_buf = (char*)data.data;
        system_priority_buf_size = data.size;
+       system_priority_last_mod = sb.st_mtime;
 #endif
-       return;
+}
+
+void _gnutls_load_system_priorities(void)
+{
+       const char *p;
+
+       p = secure_getenv("GNUTLS_SYSTEM_PRIORITY_FILE");
+       if (p != NULL)
+               system_priority_file = p;
+
+       _gnutls_update_system_priorities();
 }
 
 void _gnutls_unload_system_priorities(void)
@@ -955,6 +984,7 @@ void _gnutls_unload_system_priorities(void)
 #endif
        system_priority_buf = NULL;
        system_priority_buf_size = 0;
+       system_priority_last_mod = 0;
 }
 
 /* Returns the new priorities if SYSTEM is specified in
@@ -990,10 +1020,15 @@ size_t n, n2 = 0, line_size;
                }
 
 #ifdef HAVE_FMEMOPEN
+               /* Always try to refresh the cached data, to
+                * allow it to be updated without restarting
+                * all applications
+                */
+               _gnutls_update_system_priorities();
                fp = fmemopen(system_priority_buf, system_priority_buf_size, "r");
+#else
+               fp = fopen(system_priority_file, "r");
 #endif
-               if (fp == NULL)
-                       fp = fopen(system_priority_file, "r");
                if (fp == NULL) {/* fail */
                        ret = NULL;
                        goto finish;