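/*
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2019-2023, Juniper Networks, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 */

#include <sys/types.h>
#include <sys/errno.h>
#include <sys/mac.h>

#include <unistd.h>
#include <fcntl.h>

#include <security/mac_grantbylabel/mac_grantbylabel.h>

/**
 * @brief does path have a gbl label
 *
 * Opens @a path read-only with O_VERIFY, asks the mac_grantbylabel
 * module (via mac_syscall) for the label of the open descriptor, and
 * closes the descriptor again before returning.
 *
 * @param[in] path
 *	file to query
 *
 * @return
 * @li 0 if no/empty label or module not loaded
 * @li value of label
 *
 * @note 0 is also returned when open() or mac_syscall() fails, so a
 * caller cannot tell "no label" from "could not check".  Treat 0 as
 * "nothing granted".
 *
 * @note The label is fetched through the descriptor, so it describes
 * the object that was opened by this call.  The descriptor is closed
 * before returning; a caller that later re-opens or executes @a path
 * is resolving the name again and should not assume it still refers
 * to the same object.
 */
unsigned int
gbl_check_path(const char *path)
{
	/* zeroed so no stale stack bytes are handed to the MAC syscall */
	struct mac_grantbylabel_fetch_gbl_args gbl = { 0 };
	unsigned int rc;	/* same type as the return value */
	int fd;

	rc = 0;
	/*
	 * NOTE(review): O_VERIFY presumably makes the open fail unless
	 * the file passes verification - confirm against open(2) on the
	 * target system.
	 */
	fd = open(path, O_RDONLY|O_VERIFY);
	if (fd < 0)
		return (rc);

	gbl.u.fd = fd;
	if (mac_syscall(MAC_GRANTBYLABEL_NAME,
		MAC_GRANTBYLABEL_FETCH_GBL,
		&gbl) == 0) {
		if (gbl.gbl != GBL_EMPTY)
			rc = gbl.gbl;
	}
	close(fd);
	return (rc);
}

/**
 * @brief does pid have a gbl label
 *
 * Asks the mac_grantbylabel module (via mac_syscall) for the label
 * associated with process @a pid.
 *
 * @param[in] pid
 *	process to query
 *
 * @return
 * @li 0 if no/empty label or module not loaded
 * @li value of label
 *
 * @note 0 is also returned when mac_syscall() fails for any other
 * reason, so treat 0 as "nothing granted".  The answer is a snapshot
 * for whatever process held @a pid at the time of the call.
 */
unsigned int
gbl_check_pid(pid_t pid)
{
	/* zeroed so no stale stack bytes are handed to the MAC syscall */
	struct mac_grantbylabel_fetch_gbl_args gbl = { 0 };
	unsigned int rc;	/* same type as the return value */

	rc = 0;
	gbl.u.pid = pid;
	if (mac_syscall(MAC_GRANTBYLABEL_NAME,
		MAC_GRANTBYLABEL_FETCH_PID_GBL, &gbl) == 0) {
		if (gbl.gbl != GBL_EMPTY)
			rc = gbl.gbl;
	}
	return (rc);
}


#ifdef UNIT_TEST
#include <stdlib.h>
#include <stdio.h>
#include <err.h>

/**
 * @brief test driver
 *
 * Prints the label of each argument.  Arguments are paths by default,
 * or process ids when -p is given.
 *
 * @return 0, or 1 if any -p argument was not a valid process id
 */
int
main(int argc, char *argv[])
{
	char *end;
	long val;
	int pflag = 0;
	int status = 0;
	int c;
	unsigned int gbl;

	while ((c = getopt(argc, argv, "p")) != -1) {
		switch (c) {
		case 'p':
			pflag = 1;
			break;
		default:
			break;
		}
	}
	for (; optind < argc; optind++) {

		if (pflag) {
			/*
			 * atoi() cannot report errors: a typo would
			 * silently become pid 0 and the label printed
			 * would not belong to the argument shown.
			 * Reject anything that is not a whole,
			 * non-negative number that fits in pid_t.
			 */
			errno = 0;
			val = strtol(argv[optind], &end, 10);
			if (end == argv[optind] || *end != '\0' ||
			    errno == ERANGE || val < 0 ||
			    (long)(pid_t)val != val) {
				warnx("invalid pid: %s", argv[optind]);
				status = 1;
				continue;
			}
			gbl = gbl_check_pid((pid_t)val);
		} else {
			gbl = gbl_check_path(argv[optind]);
		}
		printf("arg=%s, gbl=%#o\n", argv[optind], gbl);
	}
	return (status);
}
#endif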