From 9bc96108d1f11d91f1d51161317c05d9d87dfdc4 Mon Sep 17 00:00:00 2001
From: Steve Kiernan
Date: Sun, 2 Apr 2023 17:09:42 -0700
Subject: [PATCH] libveriexec: add function to check a label based on a path
veriexec_check_path_label() can be used to check if a specified path has a label associated with it that contains the what we want.
Obtained from: Juniper Networks, Inc.
---
 lib/libveriexec/libveriexec.h | 1 +
 lib/libveriexec/veriexec_get.c | 31 ++++++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/lib/libveriexec/libveriexec.h b/lib/libveriexec/libveriexec.h
index d186db0ab8d9..2d726e76af01 100644
--- a/lib/libveriexec/libveriexec.h
+++ b/lib/libveriexec/libveriexec.h
@@ -38,6 +38,7 @@ int veriexec_check_path(const char *);
 int veriexec_get_pid_params(pid_t, struct mac_veriexec_syscall_params *);
 int veriexec_get_path_params(const char *, struct mac_veriexec_syscall_params *);
+int veriexec_check_path_label(const char *, const char *);
 int veriexec_check_pid_label(pid_t, const char *);
 #define HAVE_VERIEXEC_CHECK_PID_LABEL 1
diff --git a/lib/libveriexec/veriexec_get.c b/lib/libveriexec/veriexec_get.c
index 46df6eecf76e..59ee6cdba8b0 100644
--- a/lib/libveriexec/veriexec_get.c
+++ b/lib/libveriexec/veriexec_get.c
@@ -81,7 +81,7 @@ veriexec_get_path_params(const char *file,
 }
 /**
- * @brief check if label contains what we want
+ * @brief check if a process has label that contains what we want
 *
 * @return
 * @li 0 if no
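Review bot: The new prototype `veriexec_check_path_label` gets no feature-test macro, while the neighbouring `veriexec_check_pid_label` is advertised with `#define HAVE_VERIEXEC_CHECK_PID_LABEL 1`, so consumers that probe the header for the pid variant cannot do the same for the path variant. Adding `#define HAVE_VERIEXEC_CHECK_PATH_LABEL 1` beside the existing define keeps the header's convention consistent.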
@@ -109,6 +109,35 @@ veriexec_check_pid_label(pid_t pid, const char *want)
 return 0; /* no */
 }
+/**
+ * @brief check if a path has label that contains what we want
+ *
+ * @return
+ * @li 0 if no
+ * @li 1 if yes
+ */
+int
+veriexec_check_path_label(const char *file, const char *want)
+{
+ struct mac_veriexec_syscall_params params;
+ char *cp;
+ size_t n;
+
+ if (want != NULL && file != NULL &&
+ veriexec_get_path_params(file, ¶ms) == 0) {
+ /* Does label contain [,][,] ? */
+ if (params.labellen > 0 &&
+ (cp = strstr(params.label, want)) != NULL) {
+ if (cp == params.label || cp[-1] == ',') {
+ n = strlen(want);
+ if (cp[n] == '\0' || cp[n] == ',')
+ return 1; /* yes */
+ }
+ }
+ }
+ return 0; /* no */
+}
+
 #ifdef UNIT_TEST
 #include
 #include
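Review bot: The `strstr()` match in `veriexec_check_path_label` only examines the first occurrence of `want` in `params.label`, so for a constructed label like `xfoo,foo` checked for `foo` the first hit is inside `xfoo`, `cp[-1]` is `x`, and the function returns 0 although the exact element is present — it fails closed, but callers get a false negative. The search should resume from `cp + 1` until a hit sits on an element boundary, as in the rewrite below; the `*cp != '\0'` guard also keeps the loop from stepping past the terminator when `want` is the empty string. The tail of `veriexec_check_pid_label` visible at the top of the hunk suggests it uses the same pattern and would need the same change, or both could call one static helper. The code also relies on `params.label` being NUL-terminated by the kernel, which is worth confirming against the `mac_veriexec_syscall_params` contract before trusting `strstr()` on it.
```c
int
veriexec_check_path_label(const char *file, const char *want)
{
	/* … unchanged: local declarations … */

	if (want != NULL && file != NULL &&
	    veriexec_get_path_params(file, &params) == 0 &&
	    params.labellen > 0) {
		n = strlen(want);
		/*
		 * Walk every occurrence of want: the first strstr() hit may
		 * sit inside a longer element and must not hide an exact
		 * element that appears later in the label.
		 */
		for (cp = params.label; *cp != '\0' &&
		    (cp = strstr(cp, want)) != NULL; cp++) {
			if ((cp == params.label || cp[-1] == ',') &&
			    (cp[n] == '\0' || cp[n] == ','))
				return 1;	/* yes */
		}
	}
	return 0;	/* no */
}
```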