authorSteve Kiernan <stevek@juniper.net>2023-04-03 00:33:12 +0000
committerStephen J. Kiernan <stevek@FreeBSD.org>2023-04-17 15:47:33 +0000
commit48ffacbc8487e583794f740ac5d08f5d9a457a20 (patch)
treee98ea2c7875bd22bcc3026c10052e356e7f8266d /sys/security
parent9bc96108d1f11d91f1d51161317c05d9d87dfdc4 (diff)
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac_veriexec/mac_veriexec.h2
-rw-r--r--sys/security/mac_veriexec/veriexec_metadata.c25
2 files changed, 27 insertions, 0 deletions
diff --git a/sys/security/mac_veriexec/mac_veriexec.h b/sys/security/mac_veriexec/mac_veriexec.h
index e4d336ce4ff4..9e30143a8615 100644
--- a/sys/security/mac_veriexec/mac_veriexec.h
+++ b/sys/security/mac_veriexec/mac_veriexec.h
@@ -178,6 +178,8 @@ int mac_veriexec_metadata_add_file(int file_dev, dev_t fsid, long fileid,
unsigned long gen, unsigned char fingerprint[MAXFINGERPRINTLEN],
char *label, size_t labellen, int flags, const char *fp_type,
int override);
+const char *mac_veriexec_metadata_get_file_label(dev_t fsid, long fileid,
+ unsigned long gen, int check_files);
int mac_veriexec_metadata_has_file(dev_t fsid, long fileid,
unsigned long gen);
int mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p);
diff --git a/sys/security/mac_veriexec/veriexec_metadata.c b/sys/security/mac_veriexec/veriexec_metadata.c
index 4b9cc9b3052f..4ff635335e9f 100644
--- a/sys/security/mac_veriexec/veriexec_metadata.c
+++ b/sys/security/mac_veriexec/veriexec_metadata.c
@@ -587,6 +587,31 @@ mac_veriexec_metadata_fetch_fingerprint_status(struct vnode *vp,
}
/**
+ * Return label if we have one
+ *
+ * @param fsid file system identifier to look for
+ * @param fileid file to look for
+ * @param gen generation of file
+ * @param check_files look at non-executable files?
+ *
+ * @return A pointer to the label or @c NULL
+ */
+const char *
+mac_veriexec_metadata_get_file_label(dev_t fsid, long fileid,
+ unsigned long gen, int check_files)
+{
+ struct mac_veriexec_file_info *ip;
+ int error;
+
+ error = mac_veriexec_metadata_get_file_info(fsid, fileid, gen, NULL,
+ &ip, check_files);
+ if (error)
+ return (NULL);
+
+ return ((ip->flags & VERIEXEC_LABEL) != 0 ? ip->label : NULL);
+}
+
+/**
* Add a file and its fingerprint to the list of files attached
* to the device @p fsid.
*
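Review bot: `mac_veriexec_metadata_get_file_label()` returns `ip->label`, a pointer into the metadata entry itself, and nothing visible in this hunk holds a lock or reference on that entry once `mac_veriexec_metadata_get_file_info()` has returned. Whether the entry can be replaced or freed while a caller is still reading the string depends on code outside the hunk, so the lifetime contract should be stated in the doc comment, for example `@note The label is owned by the veriexec metadata store; the caller must not free or modify it, and must not keep the pointer past the point where the entry could be replaced.` If entries can change under a caller (possibly through the `override` argument of `mac_veriexec_metadata_add_file()`, whose body is not shown here), copying the label into a caller-supplied buffer while the store's lock is held would be a safer interface for a MAC policy. The same ownership note belongs beside the prototype added in mac_veriexec.h.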