veriexec: Add function to get label associated with a file

Add mac_veriexec_metadata_get_file_label to avoid the need to expose internals to other MAC modules. Obtained from: Juniper Networks, Inc.
2023-04-02 17:33:12 -07:00 · 2023-04-02 17:33:12 -07:00 · 48ffacbc84
commit 48ffacbc84
parent 9bc96108d1
2 changed files with 27 additions and 0 deletions
--- a/sys/security/mac_veriexec/mac_veriexec.h
+++ b/sys/security/mac_veriexec/mac_veriexec.h
@ -178,6 +178,8 @@ int	mac_veriexec_metadata_add_file(int file_dev, dev_t fsid, long fileid,
 	    unsigned long gen, unsigned char fingerprint[MAXFINGERPRINTLEN], 
 	    char *label, size_t labellen, int flags, const char *fp_type,
 	    int override);
+const char *mac_veriexec_metadata_get_file_label(dev_t fsid, long fileid,
+	    unsigned long gen, int check_files);
 int	mac_veriexec_metadata_has_file(dev_t fsid, long fileid, 
 	    unsigned long gen);
 int	mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p);
--- a/sys/security/mac_veriexec/veriexec_metadata.c
+++ b/sys/security/mac_veriexec/veriexec_metadata.c
@ -586,6 +586,31 @@ mac_veriexec_metadata_fetch_fingerprint_status(struct vnode *vp,
 	return (error);
 }

+/**
+ * Return label if we have one
+ *
+ * @param fsid         file system identifier to look for
+ * @param fileid       file to look for
+ * @param gen          generation of file
+ * @param check_files  look at non-executable files?
+ *
+ * @return A pointer to the label or @c NULL
+ */
+const char *
+mac_veriexec_metadata_get_file_label(dev_t fsid, long fileid,
+    unsigned long gen, int check_files)
+{
+	struct mac_veriexec_file_info *ip;
+	int error;
+
+	error = mac_veriexec_metadata_get_file_info(fsid, fileid, gen, NULL,
+	    &ip, check_files);
+	if (error)
+		return (NULL);
+
+	return ((ip->flags & VERIEXEC_LABEL) != 0 ? ip->label : NULL);
+}
+
 /**
 * Add a file and its fingerprint to the list of files attached
 * to the device @p fsid.