2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2021-2023, Juniper Networks, Inc.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 #include <sys/cdefs.h>
31 #include <sys/types.h>
32 #include <sys/errno.h>
38 #include <security/mac_veriexec/mac_veriexec.h>
41 * @brief get veriexec params for a process
47 veriexec_get_pid_params(pid_t pid,
48 struct mac_veriexec_syscall_params *params)
50 struct mac_veriexec_syscall_params_args args;
57 return mac_syscall(MAC_VERIEXEC_NAME,
58 MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL, &args);
62 * @brief get veriexec params for a path
68 veriexec_get_path_params(const char *file,
69 struct mac_veriexec_syscall_params *params)
71 struct mac_veriexec_syscall_params_args args;
73 if (file == NULL || params == NULL)
76 args.u.filename = file;
78 return mac_syscall(MAC_VERIEXEC_NAME,
79 MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL, &args);
83 * @brief return label associated with a path
86 * pathname of file to lookup.
89 * if not NULL and big enough copy label to buf.
90 * otherwise return a copy of label.
93 * size of buf, must be greater than found label length.
96 * @li NULL if no label
97 * @li pointer to label
100 veriexec_get_path_label(const char *file, char *buf, size_t bufsz)
102 struct mac_veriexec_syscall_params params;
106 if (veriexec_get_path_params(file, ¶ms) == 0) {
107 /* Does label contain a label */
108 if (params.labellen > 0) {
109 if (buf != NULL && bufsz > params.labellen) {
110 strlcpy(buf, params.label, bufsz);
113 cp = strdup(params.label);
120 * @brief return label of a process
124 * process id of interest.
127 * if not NULL and big enough copy label to buf.
128 * otherwise return a copy of label.
131 * size of buf, must be greater than found label length.
134 * @li NULL if no label
135 * @li pointer to label
138 veriexec_get_pid_label(pid_t pid, char *buf, size_t bufsz)
140 struct mac_veriexec_syscall_params params;
144 if (veriexec_get_pid_params(pid, ¶ms) == 0) {
145 /* Does label contain a label */
146 if (params.labellen > 0) {
147 if (buf != NULL && bufsz > params.labellen) {
148 strlcpy(buf, params.label, bufsz);
151 cp = strdup(params.label);
164 * and if want ends with / then we match that prefix too.
167 check_label_want(const char *label, size_t labellen,
168 const char *want, size_t wantlen)
172 /* Does label contain [,]<want>[,] ? */
173 if (labellen > 0 && wantlen > 0 &&
174 (cp = strstr(label, want)) != NULL) {
175 if (cp == label || cp[-1] == ',') {
176 if (cp[wantlen] == '\0' || cp[wantlen] == ',' ||
177 (cp[wantlen-1] == '/' && want[wantlen-1] == '/'))
185 * @brief check if a process has label that contains what we want
188 * process id of interest.
191 * the label we are looking for
192 * if want ends with ``/`` it is assumed a prefix
193 * otherwise we expect it to be followed by ``,`` or end of string.
200 veriexec_check_pid_label(pid_t pid, const char *want)
202 struct mac_veriexec_syscall_params params;
206 (n = strlen(want)) > 0 &&
207 veriexec_get_pid_params(pid, ¶ms) == 0) {
208 return check_label_want(params.label, params.labellen,
215 * @brief check if a path has label that contains what we want
218 * pathname of interest.
221 * the label we are looking for
222 * if want ends with ``/`` it is assumed a prefix
223 * otherwise we expect it to be followed by ``,`` or end of string.
230 veriexec_check_path_label(const char *file, const char *want)
232 struct mac_veriexec_syscall_params params;
235 if (want != NULL && file != NULL &&
236 (n = strlen(want)) > 0 &&
237 veriexec_get_path_params(file, ¶ms) == 0) {
238 return check_label_want(params.label, params.labellen,
250 hash2hex(char *type, unsigned char *digest)
252 static char buf[2*MAXFINGERPRINTLEN+1];
256 if (strcmp(type, "SHA1") == 0) {
258 } else if (strcmp(type, "SHA256") == 0) {
260 } else if (strcmp(type, "SHA384") == 0) {
263 for (i = 0; i < n; i++) {
264 sprintf(&buf[2*i], "%02x", (unsigned)digest[i]);
270 main(int argc, char *argv[])
272 struct mac_veriexec_syscall_params params;
282 while ((c = getopt(argc, argv, "lpw:")) != -1) {
297 for (; optind < argc; optind++) {
300 pid = atoi(argv[optind]);
302 cp = veriexec_get_pid_label(pid, buf, sizeof(buf));
304 printf("pid=%d label='%s'\n", pid, cp);
308 error = veriexec_check_pid_label(pid, want);
309 printf("pid=%d want='%s': %d\n",
313 error = veriexec_get_pid_params(pid, ¶ms);
316 cp = veriexec_get_path_label(argv[optind],
319 printf("path='%s' label='%s'\n",
324 error = veriexec_check_path_label(argv[optind], want);
325 printf("path='%s' want='%s': %d\n",
326 argv[optind], want, error);
329 error = veriexec_get_path_params(argv[optind], ¶ms);
332 err(2, "%s, error=%d", argv[optind], error);
335 printf("arg=%s, type=%s, flags=%u, label='%s', fingerprint='%s'\n",
336 argv[optind], params.fp_type, (unsigned)params.flags,
338 hash2hex(params.fp_type, params.fingerprint));