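/* Must not be called unless ACTIVE_THREADS is zero: */
/*
 * Release every piece of access-control state held in SV and in the
 * file-scope *_acl objects, leaving each pointer NULL afterwards so that a
 * later reload starts from a clean slate and any stray use hits NULL rather
 * than freed memory.
 *
 * Every SV field that carries authorization state must be listed here;
 * anything omitted survives a policy reload.
 */
static void ClearAuthAndACLs(void)
{
    /* Old ACLs */
    DeleteAuthList(&SV.admit, &SV.admittail);
    DeleteAuthList(&SV.deny, &SV.denytail);
    DeleteAuthList(&SV.varadmit, &SV.varadmittail);
    DeleteAuthList(&SV.vardeny, &SV.vardenytail);
    DeleteAuthList(&SV.roles, &SV.rolestail);

    /* Should be no currently open connections */
    assert(SV.connectionlist == NULL);

    /* body server control ACLs -- each list is freed and NULLed together.
     * (A duplicated DeleteItemList(SV.allowuserlist) line was dropped; the
     * second call only ever saw the already-NULLed pointer.) */
    DeleteItemList(SV.trustkeylist);        SV.trustkeylist = NULL;
    DeleteItemList(SV.attackerlist);        SV.attackerlist = NULL;
    DeleteItemList(SV.nonattackerlist);     SV.nonattackerlist = NULL;
    DeleteItemList(SV.allowuserlist);       SV.allowuserlist = NULL;
    DeleteItemList(SV.multiconnlist);       SV.multiconnlist = NULL;
    DeleteItemList(SV.allowlegacyconnects); SV.allowlegacyconnects = NULL;

    StringMapDestroy(SV.path_shortcuts);    SV.path_shortcuts  = NULL;
    free(SV.allowciphers);                  SV.allowciphers    = NULL;
    free(SV.allowtlsversion);               SV.allowtlsversion = NULL;

    /* New ACLs -- reset the lookup flag so a reloaded policy that no longer
     * needs reverse DNS does not inherit it from the previous one. */
    NEED_REVERSE_LOOKUP = false;
    acl_Free(paths_acl);    paths_acl = NULL;
    acl_Free(classes_acl);  classes_acl = NULL;
    acl_Free(vars_acl);     vars_acl = NULL;
    acl_Free(literals_acl); literals_acl = NULL;
    acl_Free(query_acl);    query_acl = NULL;
}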
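/*
 * Tear down the server's per-policy state ahead of re-reading the policy.
 *
 * Each list / ACL pointer is set to NULL immediately after it is freed, so
 * no dangling pointer stays live while the rest of the teardown runs.
 *
 * NOTE(review): this mirrors ClearAuthAndACLs() but leaves
 * SV.allowuserlist, SV.allowlegacyconnects, SV.allowtlsversion and
 * NEED_REVERSE_LOOKUP untouched. Confirm that the reload re-populates those
 * from scratch; otherwise entries from the previous policy survive here.
 *
 * Must only run while no worker thread can touch SV (the caller's
 * responsibility; nothing is locked in this file's visible code).
 */
static void FreeServerPolicyState(EvalContext *ctx, Policy **policy)
{
    EvalContextClear(ctx);

    free(SV.allowciphers);
    SV.allowciphers = NULL;

    DeleteItemList(SV.trustkeylist);    SV.trustkeylist = NULL;
    DeleteItemList(SV.attackerlist);    SV.attackerlist = NULL;
    DeleteItemList(SV.nonattackerlist); SV.nonattackerlist = NULL;
    DeleteItemList(SV.multiconnlist);   SV.multiconnlist = NULL;

    DeleteAuthList(&SV.admit, &SV.admittail);
    DeleteAuthList(&SV.deny, &SV.denytail);
    DeleteAuthList(&SV.varadmit, &SV.varadmittail);
    DeleteAuthList(&SV.vardeny, &SV.vardenytail);
    DeleteAuthList(&SV.roles, &SV.rolestail);

    /* Fixed literal; assumes VDOMAIN is declared large enough for it --
     * confirm against its definition. */
    strcpy(VDOMAIN, "undefined.domain");

    acl_Free(paths_acl);    paths_acl = NULL;
    acl_Free(classes_acl);  classes_acl = NULL;
    acl_Free(vars_acl);     vars_acl = NULL;
    acl_Free(literals_acl); literals_acl = NULL;
    acl_Free(query_acl);    query_acl = NULL;

    StringMapDestroy(SV.path_shortcuts);
    SV.path_shortcuts = NULL;

    PolicyDestroy(*policy);
    *policy = NULL;
}

/*
 * Rebuild the evaluation context and load the (already validated) policy.
 *
 * @param ctx     evaluation context, cleared by FreeServerPolicyState()
 * @param policy  receives the newly loaded policy
 * @param config  agent configuration naming the input file
 */
static void LoadServerPolicy(EvalContext *ctx, Policy **policy, GenericAgentConfig *config)
{
    {
        /* ReadPolicyServerFile() hands back an owned string; release it once
         * the context has taken what it needs. */
        char *existing_policy_server = ReadPolicyServerFile(GetWorkDir());
        SetPolicyServer(ctx, existing_policy_server);
        free(existing_policy_server);
    }
    UpdateLastPolicyUpdateTime(ctx);

    DetectEnvironment(ctx);
    KeepHardClasses(ctx);

    EvalContextClassPutHard(ctx, CF_AGENTTYPES[AGENT_TYPE_SERVER], "cfe_internal,source=agent");

    time_t now = SetReferenceTime();
    UpdateTimeClasses(ctx, now);

    *policy = GenericAgentLoadPolicy(ctx, config);
    KeepPromises(ctx, *policy, config);
    Summarize();
}

/*
 * Reload the server policy when the validated-masterfiles timestamp is newer
 * than the last reload.
 *
 * @param ctx                 evaluation context to clear and rebuild
 * @param policy              in/out: current policy, replaced on reload
 * @param config              agent configuration (input file, validation)
 * @param last_policy_reload  in/out: timestamp of the last reload seen
 *
 * The timestamp is recorded before the policy is validated, so a policy with
 * errors is reported once and then ignored until the timestamp changes again.
 */
void CheckFileChanges(EvalContext *ctx, Policy **policy, GenericAgentConfig *config, time_t *last_policy_reload)
{
    Log(LOG_LEVEL_DEBUG, "Checking file updates for input file '%s'", config->input_file);

    time_t validated_at = ReadTimestampFromPolicyValidatedMasterfiles(config);

    if (*last_policy_reload >= validated_at)
    {
        Log(LOG_LEVEL_DEBUG, "No new promises found");
        return;
    }

    *last_policy_reload = validated_at;

    Log(LOG_LEVEL_VERBOSE, "New promises detected...");

    if (!GenericAgentArePromisesValid(config))
    {
        Log(LOG_LEVEL_INFO, "File changes contain errors -- ignoring");
        return;
    }

    Log(LOG_LEVEL_INFO, "Rereading policy file '%s'", config->input_file);

    /* Free & reload. NOTE(review): the original comment asked to "lock this"
     * but no lock is taken in this function; presumably the caller ensures
     * no worker thread is active during the reload -- confirm. */
    FreeServerPolicyState(ctx, policy);
    LoadServerPolicy(ctx, policy, config);
}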