git: 48ffacbc8487 - main - veriexec: Add function to get label associated with a file
Date: Mon, 17 Apr 2023 15:47:55 UTC
The branch main has been updated by stevek: URL: https://cgit.FreeBSD.org/src/commit/?id=48ffacbc8487e583794f740ac5d08f5d9a457a20 commit 48ffacbc8487e583794f740ac5d08f5d9a457a20 Author: Steve Kiernan <stevek@juniper.net> AuthorDate: 2023-04-03 00:33:12 +0000 Commit: Stephen J. Kiernan <stevek@FreeBSD.org> CommitDate: 2023-04-17 15:47:33 +0000 veriexec: Add function to get label associated with a file Add mac_veriexec_metadata_get_file_label to avoid the need to expose internals to other MAC modules. Obtained from: Juniper Networks, Inc.
---
 sys/security/mac_veriexec/mac_veriexec.h | 2 ++
 sys/security/mac_veriexec/veriexec_metadata.c | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/sys/security/mac_veriexec/mac_veriexec.h b/sys/security/mac_veriexec/mac_veriexec.h
index e4d336ce4ff4..9e30143a8615 100644
--- a/sys/security/mac_veriexec/mac_veriexec.h
+++ b/sys/security/mac_veriexec/mac_veriexec.h
@@ -178,6 +178,8 @@ int mac_veriexec_metadata_add_file(int file_dev, dev_t fsid, long fileid,
 unsigned long gen, unsigned char fingerprint[MAXFINGERPRINTLEN],
 char *label, size_t labellen, int flags, const char *fp_type,
 int override);
+const char *mac_veriexec_metadata_get_file_label(dev_t fsid, long fileid,
+ unsigned long gen, int check_files);
 int mac_veriexec_metadata_has_file(dev_t fsid, long fileid,
 unsigned long gen);
 int mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p);
diff --git a/sys/security/mac_veriexec/veriexec_metadata.c b/sys/security/mac_veriexec/veriexec_metadata.c
index 4b9cc9b3052f..4ff635335e9f 100644
--- a/sys/security/mac_veriexec/veriexec_metadata.c
+++ b/sys/security/mac_veriexec/veriexec_metadata.c
@@ -586,6 +586,31 @@ mac_veriexec_metadata_fetch_fingerprint_status(struct vnode *vp,
 return (error);
 }
 
+/**
+ * Return label if we have one
+ *
+ * @param fsid file system identifier to look for
+ * @param fileid file to look for
+ * @param gen generation of file
+ * @param check_files look at non-executable files?
+ *
+ * @return A pointer to the label or @c NULL
+ */
+const char *
+mac_veriexec_metadata_get_file_label(dev_t fsid, long fileid,
+ unsigned long gen, int check_files)
+{
+ struct mac_veriexec_file_info *ip;
+ int error;
+
+ error = mac_veriexec_metadata_get_file_info(fsid, fileid, gen, NULL,
+ &ip, check_files);
+ if (error)
+ return (NULL);
+
+ return ((ip->flags & VERIEXEC_LABEL) != 0 ? ip->label : NULL);
+}
+ /** + * Add a file and its fingerprint to the list of files attached + * to the device @p fsid.
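Review bot: The pointer returned on the last line of `mac_veriexec_metadata_get_file_label` aliases `ip->label`, storage owned by the metadata entry found by `mac_veriexec_metadata_get_file_info`, yet the new doc comment says nothing about ownership or how long the pointer stays valid. The locking and lifetime rules of that lookup are not visible in the hunk, so whether an entry can be released after the call returns cannot be judged here, but the contract should be stated either way so callers in other MAC modules do not hold the pointer across whatever protects the entry or try to free it. I would extend the `@return` line to `@return A pointer to the label, or @c NULL if the file has no metadata entry or no label; the string is owned by the metadata entry, must not be freed or modified, and is only valid for that entry's lifetime`. That line is also the natural place to note that a failed lookup and an entry without the VERIEXEC_LABEL flag are indistinguishable to the caller, since both collapse to NULL.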