git: 48ffacbc8487 - main - veriexec: Add function to get label associated with a file
Date: Mon, 17 Apr 2023 15:47:55 UTC
The branch main has been updated by stevek:
URL: https://cgit.FreeBSD.org/src/commit/?id=48ffacbc8487e583794f740ac5d08f5d9a457a20
commit 48ffacbc8487e583794f740ac5d08f5d9a457a20
Author: Steve Kiernan <stevek@juniper.net>
AuthorDate: 2023-04-03 00:33:12 +0000
Commit: Stephen J. Kiernan <stevek@FreeBSD.org>
CommitDate: 2023-04-17 15:47:33 +0000
veriexec: Add function to get label associated with a file
Add mac_veriexec_metadata_get_file_label to avoid the need to
expose internals to other MAC modules.
Obtained from: Juniper Networks, Inc.
---
sys/security/mac_veriexec/mac_veriexec.h | 2 ++
sys/security/mac_veriexec/veriexec_metadata.c | 25 +++++++++++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/sys/security/mac_veriexec/mac_veriexec.h b/sys/security/mac_veriexec/mac_veriexec.h
index e4d336ce4ff4..9e30143a8615 100644
--- a/sys/security/mac_veriexec/mac_veriexec.h
+++ b/sys/security/mac_veriexec/mac_veriexec.h
@@ -178,6 +178,8 @@ int mac_veriexec_metadata_add_file(int file_dev, dev_t fsid, long fileid,
unsigned long gen, unsigned char fingerprint[MAXFINGERPRINTLEN],
char *label, size_t labellen, int flags, const char *fp_type,
int override);
+const char *mac_veriexec_metadata_get_file_label(dev_t fsid, long fileid,
+ unsigned long gen, int check_files);
int mac_veriexec_metadata_has_file(dev_t fsid, long fileid,
unsigned long gen);
int mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p);
diff --git a/sys/security/mac_veriexec/veriexec_metadata.c b/sys/security/mac_veriexec/veriexec_metadata.c
index 4b9cc9b3052f..4ff635335e9f 100644
--- a/sys/security/mac_veriexec/veriexec_metadata.c
+++ b/sys/security/mac_veriexec/veriexec_metadata.c
@@ -586,6 +586,31 @@ mac_veriexec_metadata_fetch_fingerprint_status(struct vnode *vp,
return (error);
}
+/**
+ * Return label if we have one
+ *
+ * @param fsid file system identifier to look for
+ * @param fileid file to look for
+ * @param gen generation of file
+ * @param check_files look at non-executable files?
+ *
+ * @return A pointer to the label or @c NULL
+ */
+const char *
+mac_veriexec_metadata_get_file_label(dev_t fsid, long fileid,
+ unsigned long gen, int check_files)
+{
+ struct mac_veriexec_file_info *ip;
+ int error;
+
+ error = mac_veriexec_metadata_get_file_info(fsid, fileid, gen, NULL,
+ &ip, check_files);
+ if (error)
+ return (NULL);
+
+ return ((ip->flags & VERIEXEC_LABEL) != 0 ? ip->label : NULL);
+}
+
/**
* Add a file and its fingerprint to the list of files attached
* to the device @p fsid.
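Review bot: The pointer handed back on `return ((ip->flags & VERIEXEC_LABEL) != 0 ? ip->label : NULL);` aliases the metadata entry's own storage, and nothing in the hunk shows a lock or reference being held on that entry for the caller, so the validity period of the returned label is unstated. Because the stated purpose is to let other MAC modules use this without seeing the internals, the doc comment is the only contract they get; I would extend the `@return` line to `@return A pointer to the label (valid only while the metadata entry exists; callers must not retain it) or @c NULL when no entry is found or the entry carries no label`. Whether mac_veriexec_metadata_get_file_info leaves the entry locked or referenced for the caller is not visible here and should be confirmed before settling on that wording. The current `@return` also conflates "no entry" with "entry without label", which is why spelling out both NULL cases is worth the extra words.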