Date: Mon, 17 Apr 2023 15:47:54 GMT
Message-Id: <202304171547.33HFlsIq070535@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: "Stephen J. Kiernan"
Subject: git: 9bc96108d1f1 - main - libveriexec: add function to check a label based on a path
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by stevek:

URL: https://cgit.FreeBSD.org/src/commit/?id=9bc96108d1f11d91f1d51161317c05d9d87dfdc4

commit 9bc96108d1f11d91f1d51161317c05d9d87dfdc4
Author:     Steve Kiernan
AuthorDate: 2023-04-03 00:09:42 +0000
Commit:     Stephen J. Kiernan
CommitDate: 2023-04-17 15:47:33 +0000

    libveriexec: add function to check a label based on a path

    veriexec_check_path_label() can be used to check if a specified path
    has a label associated with it that contains what we want.

    Obtained from:  Juniper Networks, Inc.
--- lib/libveriexec/libveriexec.h | 1 + lib/libveriexec/veriexec_get.c | 31 ++++++++++++++++++++++++++++++- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/lib/libveriexec/libveriexec.h b/lib/libveriexec/libveriexec.h index d186db0ab8d9..2d726e76af01 100644 --- a/lib/libveriexec/libveriexec.h +++ b/lib/libveriexec/libveriexec.h @@ -38,6 +38,7 @@ int veriexec_check_path(const char *); int veriexec_get_pid_params(pid_t, struct mac_veriexec_syscall_params *); int veriexec_get_path_params(const char *, struct mac_veriexec_syscall_params *); +int veriexec_check_path_label(const char *, const char *); int veriexec_check_pid_label(pid_t, const char *); #define HAVE_VERIEXEC_CHECK_PID_LABEL 1 
diff --git a/lib/libveriexec/veriexec_get.c b/lib/libveriexec/veriexec_get.c index 46df6eecf76e..59ee6cdba8b0 100644 --- a/lib/libveriexec/veriexec_get.c +++ b/lib/libveriexec/veriexec_get.c @@ -81,7 +81,7 @@ veriexec_get_path_params(const char *file, } /** - * @brief check if label contains what we want + * @brief check if a process has label that contains what we want * * @return * @li 0 if no @@ -109,6 +109,35 @@ veriexec_check_pid_label(pid_t pid, const char *want) return 0; /* no */ } +/** + * @brief check if a path has label that contains what we want + * + * @return + * @li 0 if no + * @li 1 if yes + */ +int +veriexec_check_path_label(const char *file, const char *want) +{ + struct mac_veriexec_syscall_params params; + char *cp; + size_t n; + + if (want != NULL && file != NULL && + veriexec_get_path_params(file, ¶ms) == 0) { + /* Does label contain [,][,] ? */ + if (params.labellen > 0 && + (cp = strstr(params.label, want)) != NULL) { + if (cp == params.label || cp[-1] == ',') { + n = strlen(want); + if (cp[n] == '\0' || cp[n] == ',') + return 1; /* yes */ + } + } + } + return 0; /* no */ +} + #ifdef UNIT_TEST #include #include
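Review bot: In lib/libveriexec/libveriexec.h the new veriexec_check_path_label() prototype is added without a feature-test macro, although the context lines directly below it pair veriexec_check_pid_label() with `#define HAVE_VERIEXEC_CHECK_PID_LABEL 1`. Code that has to build against both older and newer libveriexec cannot detect the new function at compile time; a matching `#define HAVE_VERIEXEC_CHECK_PATH_LABEL 1` next to the prototype would keep the two label checks consistent.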
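Review bot: In veriexec_check_path_label() in lib/libveriexec/veriexec_get.c, only the first strstr() hit is tested for comma boundaries, so the function returns 0 whenever the first occurrence of want sits inside a longer element, even if want appears later as a complete element. For example, with a label of "foobar,bar" and want "bar", the first hit is inside "foobar", the `cp == params.label || cp[-1] == ','` test fails, and the search never resumes. Consider looping, restarting with strstr(cp + 1, want) until a hit is bounded on both sides or no hit remains. The doc comment could also say that 0 is returned for a NULL argument or a failed veriexec_get_path_params() call, since callers cannot tell those cases apart from a label that does not match.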