The branch main has been updated by stevek:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9bc96108d1f11d91f1d51161317c05d9d87dfdc4

commit 9bc96108d1f11d91f1d51161317c05d9d87dfdc4
Author:     Steve Kiernan <ste...@juniper.net>
AuthorDate: 2023-04-03 00:09:42 +0000
Commit:     Stephen J. Kiernan <ste...@freebsd.org>
CommitDate: 2023-04-17 15:47:33 +0000

    libveriexec: add function to check a label based on a path
    
    veriexec_check_path_label() can be used to check if a specified
    path has a label associated with it that contains what we
    want.
    
    Obtained from:  Juniper Networks, Inc.
---
 lib/libveriexec/libveriexec.h  |  1 +
 lib/libveriexec/veriexec_get.c | 31 ++++++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/lib/libveriexec/libveriexec.h b/lib/libveriexec/libveriexec.h
index d186db0ab8d9..2d726e76af01 100644
--- a/lib/libveriexec/libveriexec.h
+++ b/lib/libveriexec/libveriexec.h
@@ -38,6 +38,7 @@ int   veriexec_check_path(const char *);
 int    veriexec_get_pid_params(pid_t, struct mac_veriexec_syscall_params *);
 int    veriexec_get_path_params(const char *,
            struct mac_veriexec_syscall_params *);
+int    veriexec_check_path_label(const char *, const char *);
 int    veriexec_check_pid_label(pid_t, const char *);
 
 #define        HAVE_VERIEXEC_CHECK_PID_LABEL   1
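Review bot: The new prototype is added without a feature macro, while the neighbouring veriexec_check_pid_label() is advertised through `HAVE_VERIEXEC_CHECK_PID_LABEL 1` on the next line; callers that probe the header for optional functions cannot detect veriexec_check_path_label() the same way. Adding `#define HAVE_VERIEXEC_CHECK_PATH_LABEL 1` beside the existing define would keep the header consistent with its own convention.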
diff --git a/lib/libveriexec/veriexec_get.c b/lib/libveriexec/veriexec_get.c
index 46df6eecf76e..59ee6cdba8b0 100644
--- a/lib/libveriexec/veriexec_get.c
+++ b/lib/libveriexec/veriexec_get.c
@@ -81,7 +81,7 @@ veriexec_get_path_params(const char *file,
 }
 
 /**
- * @brief check if label contains what we want
+ * @brief check if a process has label that contains what we want
  *
  * @return
  * @li 0 if no
@@ -109,6 +109,35 @@ veriexec_check_pid_label(pid_t pid, const char *want)
        return 0;                       /* no */
 }
 
+/**
+ * @brief check if a path has label that contains what we want
+ *
+ * @return
+ * @li 0 if no
+ * @li 1 if yes
+ */
+int
+veriexec_check_path_label(const char *file, const char *want)
+{
+       struct mac_veriexec_syscall_params params;
+       char *cp;
+       size_t n;
+
+       if (want != NULL && file != NULL &&
+           veriexec_get_path_params(file, &params) == 0) {
+               /* Does label contain [,]<want>[,] ? */
+               if (params.labellen > 0 &&
+                   (cp = strstr(params.label, want)) != NULL) {
+                       if (cp == params.label || cp[-1] == ',') {
+                               n = strlen(want);
+                               if (cp[n] == '\0' || cp[n] == ',')
+                                       return 1; /* yes */
+                       }
+               }
+       }
+       return 0;                       /* no */
+}
+
 #ifdef UNIT_TEST
 #include <stdlib.h>
 #include <stdio.h>
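Review bot: The comma-delimited match in veriexec_check_path_label() only inspects the first strstr() hit, so a label such as `foobar,bar` with want `bar` returns 0: the first occurrence fails the `cp[-1] == ','` test and the later, correctly delimited one is never examined. The loop below walks every occurrence and stops once a hit ends at the terminator, which also keeps an empty want from being searched past the end of the label. Two further points: the code assumes params.label is NUL-terminated whenever labellen > 0, which this hunk cannot confirm, so `/* assumes the kernel NUL-terminates label — confirm */` is worth noting at the strstr() call; and if veriexec_check_pid_label() (whose tail is visible above) uses the same matching, it has the same gap and both could share one static helper.
```c
	if (want != NULL && file != NULL &&
	    veriexec_get_path_params(file, &params) == 0 &&
	    params.labellen > 0) {
		n = strlen(want);
		/* Does label contain [,]<want>[,] ? Check every occurrence. */
		cp = strstr(params.label, want);
		while (cp != NULL) {
			if ((cp == params.label || cp[-1] == ',') &&
			    (cp[n] == '\0' || cp[n] == ','))
				return 1;		/* yes */
			if (cp[n] == '\0')
				break;			/* no later occurrence possible */
			cp = strstr(cp + 1, want);
		}
	}
	return 0;				/* no */
```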
