[apparmor] [PATCH 1/2] Use mtime instead of ctime for cache file

Mon Jun 15 19:10:29 UTC 2015

And the 2.9 version of this patch series. It is simpler because 2.9
doesn't have the debug cache, and early tracking of the cache file
that is in 2.10. It also doesn't have the ctime bug

---

commit 14b91d4a60a942ded8c5a484ef2a737f3a2a2185
Author: John Johansen <john.johansen at canonical.com>
Date:   Mon Jun 15 12:05:35 2015 -0700

    Set cache file tstamp to the mtime of most recent policy file tstamp
    
    Currently the cache file has its mtime set at creation time, but this
    can lead to cache issues when a policy file is updated separately from
    the cache. This makes it possible for an update to ship a policy file
    that is newer than the what the cache file was generated from, but
    result in a cache hit because the cache file was local compiled after
    the policy file was package into an update (this requires the update
    to set the mtime of the file when locally installed to the mtime of
    the file in its update archive but this is commonly done, especially
    in image based updates).
    
    Signed-off-by: John Johansen <john.johansen at canonical.com>

diff --git a/parser/parser_main.c b/parser/parser_main.c
index 1d1cbe6..cd10a92 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -38,6 +38,8 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/apparmor.h>
+#include <sys/time.h>
+#include <utime.h>
 
 #include "lib.h"
 #include "parser.h"
@@ -873,17 +875,18 @@ static bool valid_cached_file_version(const char *cachename)
 	return true;
 }
 
-/* returns true if time is more recent than mru_tstamp */
-#define mru_t_cmp(a) \
-(((a).tv_sec == (mru_tstamp).tv_sec) ? \
-  (a).tv_nsec > (mru_tstamp).tv_nsec : (a).tv_sec > (mru_tstamp).tv_sec)
+#define tstamp_cmp(a, b)					\
+  (((a).tv_sec == (b).tv_sec) ?					\
+   ((a).tv_nsec - (b).tv_nsec) :				\
+   ((a).tv_sec - (b).tv_sec))
+#define tstamp_is_null(a) ((a).tv_sec == 0 && (a).tv_nsec == 0)
 
 void update_mru_tstamp(FILE *file)
 {
 	struct stat stat_file;
 	if (fstat(fileno(file), &stat_file))
 		return;
-	if (mru_t_cmp(stat_file.st_mtim))
+	if (tstamp_cmp(stat_file.st_mtim, mru_tstamp) > 0)
 		mru_tstamp = stat_file.st_mtim;
 }
 
@@ -969,7 +972,8 @@ int process_profile(int option, const char *profilename)
 		/* Load a binary cache if it exists and is newest */
 		if (!skip_read_cache &&
 		    stat(cachename, &stat_bin) == 0 &&
-		    stat_bin.st_size > 0 && (mru_t_cmp(stat_bin.st_mtim)) &&
+		    stat_bin.st_size > 0 &&
+		    (tstamp_cmp(mru_tstamp, stat_bin.st_mtim) < 0) &&
 		    valid_cached_file_version(cachename)) {
 			if (show_cache)
 				PERROR("Cache hit: %s\n", cachename);
@@ -1037,6 +1041,12 @@ out:
 		}
 
 		if (useable_cache) {
+			struct timeval t;
+			/* set the mtime of the cache file to the most newest
+			 * mtime of policy files used to generate it
+			 */
+			TIMESPEC_TO_TIMEVAL(&t, &mru_tstamp);
+			utimes(cachetemp, &t);
 			if (rename(cachetemp, cachename) < 0) {
 				pwarn("Warning failed to write cache: %s\n", cachename);
 				unlink(cachetemp);


