libveriexec: add function to check a label based on a path

veriexec_check_path_label() can be used to check if a specified path has a label associated with it that contains the what we want. Obtained from: Juniper Networks, Inc.
2023-04-02 17:09:42 -07:00 · 2023-04-02 17:09:42 -07:00 · 9bc96108d1
commit 9bc96108d1
parent bd4742c970
2 changed files with 31 additions and 1 deletions
--- a/lib/libveriexec/libveriexec.h
+++ b/lib/libveriexec/libveriexec.h
@ -38,6 +38,7 @@ int	veriexec_check_path(const char *);
 int	veriexec_get_pid_params(pid_t, struct mac_veriexec_syscall_params *);
 int	veriexec_get_path_params(const char *,
 	    struct mac_veriexec_syscall_params *);
+int	veriexec_check_path_label(const char *, const char *);
 int	veriexec_check_pid_label(pid_t, const char *);

 #define	HAVE_VERIEXEC_CHECK_PID_LABEL	1
--- a/lib/libveriexec/veriexec_get.c
+++ b/lib/libveriexec/veriexec_get.c
@ -81,7 +81,7 @@ veriexec_get_path_params(const char *file,
 }

 /**
- * @brief check if label contains what we want
+ * @brief check if a process has label that contains what we want
 *
 * @return
 * @li 0 if no
@ -109,6 +109,35 @@ veriexec_check_pid_label(pid_t pid, const char *want)
 	return 0;			/* no */
 }

+/**
+ * @brief check if a path has label that contains what we want
+ *
+ * @return
+ * @li 0 if no
+ * @li 1 if yes
+ */
+int
+veriexec_check_path_label(const char *file, const char *want)
+{
+	struct mac_veriexec_syscall_params params;
+	char *cp;
+	size_t n;
+
+	if (want != NULL && file != NULL &&
+	    veriexec_get_path_params(file, &params) == 0) {
+		/* Does label contain [,]<want>[,] ? */
+		if (params.labellen > 0 &&
+		    (cp = strstr(params.label, want)) != NULL) {
+			if (cp == params.label || cp[-1] == ',') {
+				n = strlen(want);
+				if (cp[n] == '\0' || cp[n] == ',')
+					return 1; /* yes */
+			}
+		}
+	}
+	return 0;			/* no */
+}
+
 #ifdef UNIT_TEST
 #include <stdlib.h>
 #include <stdio.h>