1 | /* $Id: SUPR3HardenedMain.cpp 85127 2020-07-08 23:42:18Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * VirtualBox Support Library - Hardened main().
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2006-2020 Oracle Corporation
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox Open Source Edition (OSE), as
|
---|
10 | * available from http://www.virtualbox.org. This file is free software;
|
---|
11 | * you can redistribute it and/or modify it under the terms of the GNU
|
---|
12 | * General Public License (GPL) as published by the Free Software
|
---|
13 | * Foundation, in version 2 as it comes in the "COPYING" file of the
|
---|
14 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
|
---|
15 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
|
---|
16 | *
|
---|
17 | * The contents of this file may alternatively be used under the terms
|
---|
18 | * of the Common Development and Distribution License Version 1.0
|
---|
19 | * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
|
---|
20 | * VirtualBox OSE distribution, in which case the provisions of the
|
---|
21 | * CDDL are applicable instead of those of the GPL.
|
---|
22 | *
|
---|
23 | * You may elect to license modified versions of this file under the
|
---|
24 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
25 | */
|
---|
26 |
|
---|
27 | /** @page pg_hardening %VirtualBox %VM Process Hardening
|
---|
28 | *
|
---|
29 | * The %VM process hardening is to prevent malicious software from using
|
---|
30 | * %VirtualBox as a vehicle to obtain kernel level access.
|
---|
31 | *
|
---|
32 | * The %VirtualBox %VMM requires supervisor (kernel) level access to the CPU.
|
---|
33 | * For both practical and historical reasons, part of the %VMM is realized in
|
---|
34 | * ring-3, with a rich interface to the kernel part. While the device
|
---|
35 | * emulations can be executed exclusively in ring-3, we have performance
|
---|
36 | * optimizations that loads device emulation code into ring-0 and our special
|
---|
37 | * raw-mode execution context (none VT-x/AMD-V mode) for handling frequent
|
---|
38 | * operations a lot more efficiently. These share data between all three
|
---|
39 | * context (ring-3, ring-0 and raw-mode). All this poses a rather broad attack
|
---|
40 | * surface, which the hardening protects.
|
---|
41 | *
|
---|
42 | * The hardening focuses primarily on restricting access to the support driver,
|
---|
43 | * VBoxDrv or vboxdrv depending on the OS, as it is ultimately the link and
|
---|
44 | * instigator of the communication between ring-3 and the ring-0 and raw-mode
|
---|
45 | * contexts. A secondary focus is to make sure malicious code cannot be loaded
|
---|
46 | * and executed in the %VM process. Exactly how we go about this depends a lot
|
---|
47 | * on the host OS.
|
---|
48 | *
|
---|
49 | * @section sec_hardening_supdrv The Support Driver Interfaces
|
---|
50 | *
|
---|
51 | * The support driver has several interfaces thru which it can be accessed:
|
---|
52 | * - /dev/vboxdrv (win: \\Device\\VBoxDrv) for full unrestricted access.
|
---|
53 | * Offers a rich I/O control interface, which needs protecting.
|
---|
54 | * - /dev/vboxdrvu (win: \\Device\\VBoxDrvU) for restricted access, which
|
---|
55 | * VBoxSVC uses to query VT-x and AMD-V capabilities. This does not
|
---|
56 | * require protecting, though we limit it to the vboxgroup on some
|
---|
57 | * systems.
|
---|
58 | * - \\Device\\VBoxDrvStub on Windows for protecting the second stub
|
---|
59 | * process and its child, the %VM process. This is an open+close
|
---|
60 | * interface, only available to partially verified stub processes.
|
---|
61 | * - \\Device\\VBoxDrvErrorInfo on Windows for obtaining detailed error
|
---|
62 | * information on a previous attempt to open \\Device\\VBoxDrv or
|
---|
63 | * \\Device\\VBoxDrvStub. Open, read and close only interface.
|
---|
64 | *
|
---|
65 | * The rest of VBox accesses the device interface thru the support library,
|
---|
66 | * @ref grp_sup "SUPR3" / sup.h.
|
---|
67 | *
|
---|
68 | * The support driver also exposes a set of functions and data that other VBox
|
---|
69 | * ring-0 modules can import from. This includes much of the IPRT we need in
|
---|
70 | * the ring-0 part of the %VMM and device emulations.
|
---|
71 | *
|
---|
72 | * The ring-0 part of the %VMM and device emulations are loaded via the
|
---|
73 | * #SUPR3LoadModule and #SUPR3LoadServiceModule support library function, which
|
---|
74 | * both translates to a sequence of I/O controls against /dev/vboxdrv. On
|
---|
75 | * Windows we use the native kernel loader to load the module, while on the
|
---|
76 | * other systems ring-3 prepares the bits with help from the IPRT loader code.
|
---|
77 | *
|
---|
78 | *
|
---|
79 | * @section sec_hardening_unix Hardening on UNIX-like OSes
|
---|
80 | *
|
---|
81 | * On UNIX-like systems (Solaris, Linux, darwin, freebsd, ...) we put our trust
|
---|
82 | * in root and that root knows what he/she/it is doing.
|
---|
83 | *
|
---|
84 | * We only allow root to get full unrestricted access to the support driver.
|
---|
85 | * The device node corresponding to unrestricted access (/dev/vboxdrv) is own by
|
---|
86 | * root and has a 0600 access mode (i.e. only accessible to the owner, root). In
|
---|
87 | * addition to this file system level restriction, the support driver also
|
---|
88 | * checks that the effective user ID (EUID) is root when it is being opened.
|
---|
89 | *
|
---|
90 | * The %VM processes temporarily assume root privileges using the set-uid-bit on
|
---|
91 | * the executable with root as owner. In fact, all the files and directories we
|
---|
92 | * install are owned by root and the wheel (or equivalent gid = 0) group,
|
---|
93 | * including extension pack files.
|
---|
94 | *
|
---|
95 | * The executable with the set-uid-to-root-bit set is a stub binary that has no
|
---|
96 | * unnecessary library dependencies (only libc, pthreads, dynamic linker) and
|
---|
97 | * simply calls #SUPR3HardenedMain. It does the following:
|
---|
98 | * 1. Validate the VirtualBox installation (#supR3HardenedVerifyAll):
|
---|
99 | * - Check that the executable file of the process is one of the known
|
---|
100 | * VirtualBox executables.
|
---|
101 | * - Check that all mandatory files are present.
|
---|
102 | * - Check that all installed files and directories (both optional and
|
---|
103 | * mandatory ones) are owned by root:wheel and are not writable by
|
---|
104 | * anyone except root.
|
---|
105 | * - Check that all the parent directories, all the way up to the root
|
---|
106 | * if possible, only permits root (or system admin) to change them.
|
---|
107 | * This is that to rule out unintentional rename races.
|
---|
108 | * - On some systems we may also validate the cryptographic signtures
|
---|
109 | * of executable images.
|
---|
110 | *
|
---|
111 | * 2. Open a file descriptor for the support device driver
|
---|
112 | * (#supR3HardenedMainOpenDevice).
|
---|
113 | *
|
---|
114 | * 3. Grab ICMP capabilities for NAT ping support, if required by the OS
|
---|
115 | * (#supR3HardenedMainGrabCapabilites).
|
---|
116 | *
|
---|
117 | * 4. Correctly drop the root privileges
|
---|
118 | * (#supR3HardenedMainDropPrivileges).
|
---|
119 | *
|
---|
120 | * 5. Load the VBoxRT dynamic link library and hand over the file
|
---|
121 | * descriptor to the support library code in it
|
---|
122 | * (#supR3HardenedMainInitRuntime).
|
---|
123 | *
|
---|
124 | * 6. Load the dynamic library containing the actual %VM front end code and
|
---|
125 | * run it (tail of #SUPR3HardenedMain).
|
---|
126 | *
|
---|
127 | * The set-uid-to-root stub executable is paired with a dynamic link library
|
---|
128 | * which export one TrustedMain entry point (see #FNSUPTRUSTEDMAIN) that we
|
---|
129 | * call. In case of error reporting, the library may also export a TrustedError
|
---|
130 | * function (#FNSUPTRUSTEDERROR).
|
---|
131 | *
|
---|
132 | * That the set-uid-to-root-bit modifies the dynamic linker behavior on all
|
---|
133 | * systems, even after we've dropped back to the real user ID, is something we
|
---|
134 | * take advantage of. The dynamic linkers takes special care to prevent users
|
---|
135 | * from using clever tricks to inject their own code into set-uid processes and
|
---|
136 | * causing privilege escalation issues. This is the exact help we need.
|
---|
137 | *
|
---|
138 | * The VirtualBox installation location is hardcoded, which means the any
|
---|
139 | * dynamic linker paths embedded or inferred from the executable and dynamic
|
---|
140 | * libraries are also hardcoded. This helps eliminating search path attack
|
---|
141 | * vectors at the cost of being inflexible regarding installation location.
|
---|
142 | *
|
---|
143 | * In addition to what the dynamic linker does for us, the VirtualBox code will
|
---|
144 | * not directly be calling either RTLdrLoad or dlopen to load dynamic link
|
---|
145 | * libraries into the process. Instead it will call #SUPR3HardenedLdrLoad,
|
---|
146 | * #SUPR3HardenedLdrLoadAppPriv and #SUPR3HardenedLdrLoadPlugIn to do the
|
---|
147 | * loading. These functions will perform the same validations on the file being
|
---|
148 | * loaded as #SUPR3HardenedMain did in its validation step. So, anything we
|
---|
149 | * load must be installed with root/wheel as owner/group, the directory we load
|
---|
150 | * it from must also be owned by root:wheel and now allow for renaming the file.
|
---|
151 | * Similar ownership restrictions applies to all the parent directories (except
|
---|
152 | * on darwin).
|
---|
153 | *
|
---|
154 | * So, we place the responsibility of not installing malicious software on the
|
---|
155 | * root user on UNIX-like systems. Which is fair enough, in our opinion.
|
---|
156 | *
|
---|
157 | *
|
---|
158 | * @section sec_hardening_win Hardening on Windows
|
---|
159 | *
|
---|
160 | * On Windows we cannot put the same level or trust in the Administrator user(s)
|
---|
161 | * (equivalent of root/wheel on unix) as on the UNIX-like systems, which
|
---|
162 | * complicates things greatly.
|
---|
163 | *
|
---|
164 | * Some of the blame for this can be given to Windows being a descendant /
|
---|
165 | * replacement for a set of single user systems: DOS, Windows 1.0-3.11 Windows
|
---|
166 | * 95-ME, and OS/2. Users of NT 3.1 and later was inclined to want to always
|
---|
167 | * run it with full root/administrator privileges like they had done on the
|
---|
168 | * predecessors, while Microsoft didn't provide much incentive for more secure
|
---|
169 | * alternatives. Bad idea, security wise, but execellent for the security
|
---|
170 | * software industry. For this reason using a set-uid-to-root approach is
|
---|
171 | * pointless, even if Windows had one.
|
---|
172 | *
|
---|
173 | * So, in order to protect access to the support driver and protect the %VM
|
---|
174 | * process while it's running we have to do a lot more work. A keystone in the
|
---|
175 | * defences is cryptographic code signing. Here's the short version of what we
|
---|
176 | * do:
|
---|
177 | * - Minimal stub executable, signed with the same certificate as the
|
---|
178 | * kernel driver.
|
---|
179 | *
|
---|
180 | * - The stub executable respawns itself twice, hooking the NTDLL init
|
---|
181 | * routine to perform protection tasks as early as possible. The parent
|
---|
182 | * stub helps keep in the child clean for verification as does the
|
---|
183 | * support driver.
|
---|
184 | *
|
---|
185 | * - In order to protect against loading unwanted code into the process,
|
---|
186 | * the stub processes installs DLL load hooks with NTDLL as well as
|
---|
187 | * directly intercepting the LdrLoadDll and NtCreateSection APIs.
|
---|
188 | *
|
---|
189 | * - The support driver will verify all but the initial process very
|
---|
190 | * thoroughly before allowing them protection and in the final case full
|
---|
191 | * unrestricted access.
|
---|
192 | *
|
---|
193 | *
|
---|
194 | * @subsection sec_hardening_win_protsoft 3rd Party "Protection" Software
|
---|
195 | *
|
---|
196 | * What makes our life REALLY difficult on Windows is this 3rd party "security"
|
---|
197 | * software which is more or less required to keep a Windows system safe for
|
---|
198 | * normal users and all corporate IT departments rightly insists on installing.
|
---|
199 | * After the kernel patching clampdown in Vista, anti-* software has to do a
|
---|
200 | * lot more mucking about in user mode to get their job (kind of) done. So, it
|
---|
201 | * is common practice to patch a lot of NTDLL, KERNEL32, the executable import
|
---|
202 | * table, load extra DLLs into the process, allocate executable memory in the
|
---|
203 | * process (classic code injection) and more.
|
---|
204 | *
|
---|
205 | * The BIG problem with all this is that it is indistinguishable from what
|
---|
206 | * malicious software would be doing in order to intercept process activity
|
---|
207 | * (network sniffing, maybe password snooping) or gain a level of kernel access
|
---|
208 | * via the support driver. So, the "protection" software is what is currently
|
---|
209 | * forcing us to do the pre-NTDLL initialization.
|
---|
210 | *
|
---|
211 | *
|
---|
212 | * @subsection sec_hardening_win_1st_stub The Initial Stub Process
|
---|
213 | *
|
---|
214 | * We share the stub executable approach with the UNIX-like systems, so there's
|
---|
215 | * the #SUPR3HardenedMain calling stub executable with its partner DLL exporting
|
---|
216 | * TrustedMain and TrustedError. However, the stub executable does a lot more,
|
---|
217 | * while doing it in a more bare metal fashion:
|
---|
218 | * - It does not use the Microsoft CRT, what we need of CRT functions comes
|
---|
219 | * from IPRT.
|
---|
220 | * - It does not statically import anything. This is to avoid having an
|
---|
221 | * import table that can be patched to intercept our calls or extended to
|
---|
222 | * load additional DLLs.
|
---|
223 | * - Direct NT system calls. System calls normally going thru NTDLL, but
|
---|
224 | * since there is so much software out there which wants to patch known
|
---|
225 | * NTDLL entry points to control our software (either for good or
|
---|
226 | * malicious reasons), we do it ourselves.
|
---|
227 | *
|
---|
228 | * The initial stub process is not really to be trusted, though we try our best
|
---|
229 | * to limit potential harm (user mode debugger checks, disable thread creation).
|
---|
230 | * So, when it enters #SUPR3HardenedMain we only call #supR3HardenedVerifyAll to
|
---|
231 | * verify the installation (known executables and DLLs, checking their code
|
---|
232 | * signing signatures, keeping them all open to deny deletion and replacing) and
|
---|
233 | * does a respawn via #supR3HardenedWinReSpawn.
|
---|
234 | *
|
---|
235 | *
|
---|
236 | * @subsection sec_hardening_win_2nd_stub The Second Stub Process
|
---|
237 | *
|
---|
238 | * The second stub process will be created in suspended state, i.e. the main
|
---|
239 | * thread is suspended before it executes a single instruction. It is also
|
---|
240 | * created with a less generous ACLs, though this doesn't protect us from admin
|
---|
241 | * users. In order for #SUPR3HardenedMain to figure that it is the second stub
|
---|
242 | * process, the zeroth command line argument has been replaced by a known magic
|
---|
243 | * string (UUID).
|
---|
244 | *
|
---|
245 | * Now, before the process starts executing, the parent (initial stub) will
|
---|
246 | * patch the LdrInitializeThunk entry point in NTDLL to call
|
---|
247 | * #supR3HardenedEarlyProcessInit via #supR3HardenedEarlyProcessInitThunk. The
|
---|
248 | * parent will also plant some synchronization stuff via #g_ProcParams (NTDLL
|
---|
249 | * location, inherited event handles and associated ping-pong equipment).
|
---|
250 | *
|
---|
251 | * The LdrInitializeThunk entry point of NTDLL is where the kernel sets up
|
---|
252 | * process execution to start executing (via a user alert, so it is not subject
|
---|
253 | * to SetThreadContext). LdrInitializeThunk performs process, NTDLL and
|
---|
254 | * sub-system client (kernel32) initialization. A lot of "protection" software
|
---|
255 | * uses triggers in this initialization sequence (like the KERNEL32.DLL load
|
---|
256 | * event), so we avoid quite a bit of problems by getting our stuff done early
|
---|
257 | * on.
|
---|
258 | *
|
---|
259 | * However, there are also those that uses events that triggers immediately when
|
---|
260 | * the process is created or/and starts executing the first instruction. But we
|
---|
261 | * can easily counter these as we have a known process state we can restore. So,
|
---|
262 | * the first thing that #supR3HardenedEarlyProcessInit does is to signal the
|
---|
263 | * parent to perform a child purification, so the potentially evil influences
|
---|
264 | * can be exorcised.
|
---|
265 | *
|
---|
266 | * What the parent does during the purification is very similar to what the
|
---|
267 | * kernel driver will do later on when verifying the second stub and the %VM
|
---|
268 | * processes, except that instead of failing when encountering an shortcoming it
|
---|
269 | * will take corrective actions:
|
---|
270 | * - Executable memory regions not belonging to a DLL mapping will be
|
---|
271 | * attempted freed, and we'll only fail if we can't evict them.
|
---|
272 | * - All pages in the executable images in the process (should be just the
|
---|
273 | * stub executable and NTDLL) will be compared to the pristine fixed-up
|
---|
274 | * copy prepared by the IPRT PE loader code, restoring any bytes which
|
---|
275 | * appears differently in the child. (#g_ProcParams is exempted,
|
---|
276 | * LdrInitializeThunk is set to call NtTerminateThread.)
|
---|
277 | * - Unwanted DLLs will be unloaded (we have a set of DLLs we like).
|
---|
278 | *
|
---|
279 | * Before signalling the second stub process that it has been purified and should
|
---|
280 | * get on with it, the parent will close all handles with unrestricted access to
|
---|
281 | * the process and thread so that the initial stub process no longer can
|
---|
282 | * influence the child in any really harmful way. (The caller of CreateProcess
|
---|
283 | * usually receives handles with unrestricted access to the child process and
|
---|
284 | * its main thread. These could in theory be used with DuplicateHandle or
|
---|
285 | * WriteProcessMemory to get at the %VM process if we're not careful.)
|
---|
286 | *
|
---|
287 | * #supR3HardenedEarlyProcessInit will continue with opening the log file
|
---|
288 | * (requires command line parsing). It will continue to initialize a bunch of
|
---|
289 | * global variables, system calls and trustworthy/harmless NTDLL imports.
|
---|
290 | * #supR3HardenedWinInit is then called to setup image verification, that is:
|
---|
291 | * - Hook the NtCreateSection entry point in NTDLL so we can check all
|
---|
292 | * executable mappings before they're created and can be mapped. The
|
---|
293 | * NtCreateSection code jumps to #supR3HardenedMonitor_NtCreateSection.
|
---|
294 | * - Hook (ditto) the LdrLoadDll entry point in NTDLL so we can
|
---|
295 | * pre-validate all images that gets loaded the normal way (partly
|
---|
296 | * because the NtCreateSection context is restrictive because the NTDLL
|
---|
297 | * loader lock is usually held, which prevents us from safely calling
|
---|
298 | * WinVerityTrust). The LdrLoadDll code jumps to
|
---|
299 | * #supR3HardenedMonitor_LdrLoadDll.
|
---|
300 | *
|
---|
301 | * The image/DLL verification hooks are at this point able to verify DLLs
|
---|
302 | * containing embedded code signing signatures, and will restrict the locations
|
---|
303 | * from which DLLs will be loaded. When #SUPR3HardenedMain gets going later on,
|
---|
304 | * they will start insisting on everything having valid signatures, either
|
---|
305 | * embedded or in a signed installer catalog file.
|
---|
306 | *
|
---|
307 | * The function also irrevocably disables debug notifications related to the
|
---|
308 | * current thread, just to make attaching a debugging that much more difficult
|
---|
309 | * and less useful.
|
---|
310 | *
|
---|
311 | * Now, the second stub process will open the so called stub device
|
---|
312 | * (\\Device\\VBoxDrvStub), that is a special support driver device node that
|
---|
313 | * tells the support driver to:
|
---|
314 | * - Protect the process against the OpenProcess and OpenThread attack
|
---|
315 | * vectors by stripping risky access rights.
|
---|
316 | * - Check that the process isn't being debugged.
|
---|
317 | * - Check that the process contains exactly one thread.
|
---|
318 | * - Check that the process doesn't have any unknown DLLs loaded into it.
|
---|
319 | * - Check that the process doesn't have any executable memory (other than
|
---|
320 | * DLL sections) in it.
|
---|
321 | * - Check that the process executable is a known VBox executable which may
|
---|
322 | * access the support driver.
|
---|
323 | * - Check that the process executable is signed with the same code signing
|
---|
324 | * certificate as the driver and that the on disk image is valid
|
---|
325 | * according to its embedded signature.
|
---|
326 | * - Check all the signature of all DLLs in the process (NTDLL) if they are
|
---|
327 | * signed, and only accept unsigned ones in versions where they are known
|
---|
328 | * not to be signed.
|
---|
329 | * - Check that the code and readonly parts of the executable and DLLs
|
---|
330 | * mapped into the process matches the on disk content (no patches other
|
---|
331 | * than our own two in NTDLL are allowed).
|
---|
332 | *
|
---|
333 | * Once granted access to the stub device, #supR3HardenedEarlyProcessInit will
|
---|
334 | * restore the LdrInitializeThunk code and let the process perform normal
|
---|
335 | * initialization. Leading us to #SUPR3HardenedMain where we detect that this
|
---|
336 | * is the 2nd stub process and does another respawn.
|
---|
337 | *
|
---|
338 | *
|
---|
339 | * @subsection sec_hardening_win_3rd_stub The Final Stub / VM Process
|
---|
340 | *
|
---|
341 | * The third stub process is what becomes the %VM process. Because the parent
|
---|
342 | * has opened \\Device\\VBoxDrvSub, it is protected from malicious OpenProcess &
|
---|
343 | * OpenThread calls from the moment of inception, practically speaking.
|
---|
344 | *
|
---|
345 | * It goes thru the same suspended creation, patching, purification and such as
|
---|
346 | * its parent (the second stub process). However, instead of opening
|
---|
347 | * \\Device\\VBoxDrvStub from #supR3HardenedEarlyProcessInit, it opens the
|
---|
348 | * support driver for full unrestricted access, i.e. \\Device\\VBoxDrv.
|
---|
349 | *
|
---|
350 | * The support driver will perform the same checks as it did when
|
---|
351 | * \\Device\\VBoxDrvStub was opened, but in addition it will:
|
---|
352 | * - Check that the process is the first child of a process that opened
|
---|
353 | * \\Device\\VBoxDrvStub.
|
---|
354 | * - Check that the parent process is still alive.
|
---|
355 | * - Scan all open handles in the system for potentially harmful ones to
|
---|
356 | * the process or the primary thread.
|
---|
357 | *
|
---|
358 | * Knowing that the process is genuinly signed with the same certificate as the
|
---|
359 | * kernel driver, and the exectuable code in the process is either shipped by us
|
---|
360 | * or Microsoft, the support driver will trust it with full access and to keep
|
---|
361 | * the handle secure.
|
---|
362 | *
|
---|
363 | * We also trust the protection the support driver gives the process to keep out
|
---|
364 | * malicious ring-3 code, and therefore any code, patching or other mysterious
|
---|
365 | * stuff that enteres the process must be from kernel mode and that we can trust
|
---|
366 | * it (the alternative interpretation is that the kernel has been breanched
|
---|
367 | * already, which isn't our responsibility). This means that, the anti-software
|
---|
368 | * products can do whatever they like from this point on. However, should they
|
---|
369 | * do unrevertable changes to the process before this point, VirtualBox won't
|
---|
370 | * work.
|
---|
371 | *
|
---|
372 | * As in the second stub process, we'll now do normal process initialization and
|
---|
373 | * #SUPR3HardenedMain will take control. It will detect that it is being called
|
---|
374 | * by the 3rd stub process because of a different magic string starting the
|
---|
375 | * command line, and not respawn itself any more. #SUPR3HardenedMain will
|
---|
376 | * recheck the VirtualBox installation, keeping all known files open just like
|
---|
377 | * in two previous stub processes.
|
---|
378 | *
|
---|
379 | * It will then load the Windows cryptographic API and load the trusted root
|
---|
380 | * certificates from the Windows store. The API enables using installation
|
---|
381 | * catalog files for signature checking as well as providing a second
|
---|
382 | * verification in addition to our own implementation (IPRT). The certificates
|
---|
383 | * allows our signature validation implementation to validate all embedded
|
---|
384 | * signatures, not just the microsoft ones and the one signed by our own
|
---|
385 | * certificate.
|
---|
386 | *
|
---|
387 | */
|
---|
388 |
|
---|
389 |
|
---|
390 | /*********************************************************************************************************************************
|
---|
391 | * Header Files *
|
---|
392 | *********************************************************************************************************************************/
|
---|
393 | #if defined(RT_OS_OS2)
|
---|
394 | # define INCL_BASE
|
---|
395 | # define INCL_ERRORS
|
---|
396 | # include <os2.h>
|
---|
397 | # include <stdio.h>
|
---|
398 | # include <stdlib.h>
|
---|
399 | # include <dlfcn.h>
|
---|
400 | # include <unistd.h>
|
---|
401 |
|
---|
402 | #elif RT_OS_WINDOWS
|
---|
403 | # include <iprt/nt/nt-and-windows.h>
|
---|
404 |
|
---|
405 | #else /* UNIXes */
|
---|
406 | # ifdef RT_OS_DARWIN
|
---|
407 | # define _POSIX_C_SOURCE 1 /* pick the correct prototype for unsetenv. */
|
---|
408 | # endif
|
---|
409 | # include <iprt/types.h> /* stdint fun on darwin. */
|
---|
410 |
|
---|
411 | # include <stdio.h>
|
---|
412 | # include <stdlib.h>
|
---|
413 | # include <dlfcn.h>
|
---|
414 | # include <limits.h>
|
---|
415 | # include <errno.h>
|
---|
416 | # include <unistd.h>
|
---|
417 | # include <sys/stat.h>
|
---|
418 | # include <sys/time.h>
|
---|
419 | # include <sys/types.h>
|
---|
420 | # if defined(RT_OS_LINUX)
|
---|
421 | # undef USE_LIB_PCAP /* don't depend on libcap as we had to depend on either
|
---|
422 | libcap1 or libcap2 */
|
---|
423 |
|
---|
424 | # undef _POSIX_SOURCE
|
---|
425 | # include <linux/types.h> /* sys/capabilities from uek-headers require this */
|
---|
426 | # include <sys/capability.h>
|
---|
427 | # include <sys/prctl.h>
|
---|
428 | # ifndef CAP_TO_MASK
|
---|
429 | # define CAP_TO_MASK(cap) RT_BIT(cap)
|
---|
430 | # endif
|
---|
431 | # elif defined(RT_OS_FREEBSD)
|
---|
432 | # include <sys/param.h>
|
---|
433 | # include <sys/sysctl.h>
|
---|
434 | # elif defined(RT_OS_SOLARIS)
|
---|
435 | # include <priv.h>
|
---|
436 | # endif
|
---|
437 | # include <pwd.h>
|
---|
438 | # ifdef RT_OS_DARWIN
|
---|
439 | # include <mach-o/dyld.h>
|
---|
440 | # endif
|
---|
441 |
|
---|
442 | #endif
|
---|
443 |
|
---|
444 | #include <VBox/sup.h>
|
---|
445 | #include <VBox/err.h>
|
---|
446 | #ifdef RT_OS_WINDOWS
|
---|
447 | # include <VBox/version.h>
|
---|
448 | # include <iprt/utf16.h>
|
---|
449 | #endif
|
---|
450 | #include <iprt/ctype.h>
|
---|
451 | #include <iprt/string.h>
|
---|
452 | #include <iprt/initterm.h>
|
---|
453 | #include <iprt/param.h>
|
---|
454 | #include <iprt/path.h>
|
---|
455 |
|
---|
456 | #include "SUPLibInternal.h"
|
---|
457 |
|
---|
458 |
|
---|
459 | /*********************************************************************************************************************************
|
---|
460 | * Defined Constants And Macros *
|
---|
461 | *********************************************************************************************************************************/
|
---|
462 | /* This mess is temporary after eliminating a define duplicated in SUPLibInternal.h. */
|
---|
463 | #if !defined(RT_OS_OS2) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_L4)
|
---|
464 | # ifndef SUP_HARDENED_SUID
|
---|
465 | # error "SUP_HARDENED_SUID is NOT defined?!?"
|
---|
466 | # endif
|
---|
467 | #else
|
---|
468 | # ifdef SUP_HARDENED_SUID
|
---|
469 | # error "SUP_HARDENED_SUID is defined?!?"
|
---|
470 | # endif
|
---|
471 | #endif
|
---|
472 |
|
---|
473 | /** @def SUP_HARDENED_SYM
|
---|
474 | * Decorate a symbol that's resolved dynamically.
|
---|
475 | */
|
---|
476 | #ifdef RT_OS_OS2
|
---|
477 | # define SUP_HARDENED_SYM(sym) "_" sym
|
---|
478 | #else
|
---|
479 | # define SUP_HARDENED_SYM(sym) sym
|
---|
480 | #endif
|
---|
481 |
|
---|
482 |
|
---|
483 | /*********************************************************************************************************************************
|
---|
484 | * Structures and Typedefs *
|
---|
485 | *********************************************************************************************************************************/
|
---|
486 | /** @see RTR3InitEx */
|
---|
487 | typedef DECLCALLBACKTYPE(int, FNRTR3INITEX,(uint32_t iVersion, uint32_t fFlags, int cArgs,
|
---|
488 | char **papszArgs, const char *pszProgramPath));
|
---|
489 | typedef FNRTR3INITEX *PFNRTR3INITEX;
|
---|
490 |
|
---|
491 | /** @see RTLogRelPrintf */
|
---|
492 | typedef DECLCALLBACKTYPE(void, FNRTLOGRELPRINTF,(const char *pszFormat, ...));
|
---|
493 | typedef FNRTLOGRELPRINTF *PFNRTLOGRELPRINTF;
|
---|
494 |
|
---|
495 |
|
---|
496 | /**
|
---|
497 | * Descriptor of an environment variable to purge.
|
---|
498 | */
|
---|
499 | typedef struct SUPENVPURGEDESC
|
---|
500 | {
|
---|
501 | /** Name of the environment variable to purge. */
|
---|
502 | const char *pszEnv;
|
---|
503 | /** The length of the variable name. */
|
---|
504 | uint8_t cchEnv;
|
---|
505 | /** Flag whether a failure in purging the variable leads to
|
---|
506 | * a fatal error resulting in an process exit. */
|
---|
507 | bool fPurgeErrFatal;
|
---|
508 | } SUPENVPURGEDESC;
|
---|
509 | /** Pointer to a environment variable purge descriptor. */
|
---|
510 | typedef SUPENVPURGEDESC *PSUPENVPURGEDESC;
|
---|
511 | /** Pointer to a const environment variable purge descriptor. */
|
---|
512 | typedef const SUPENVPURGEDESC *PCSUPENVPURGEDESC;
|
---|
513 |
|
---|
514 | /**
|
---|
515 | * Descriptor of an command line argument to purge.
|
---|
516 | */
|
---|
517 | typedef struct SUPARGPURGEDESC
|
---|
518 | {
|
---|
519 | /** Name of the argument to purge. */
|
---|
520 | const char *pszArg;
|
---|
521 | /** The length of the argument name. */
|
---|
522 | uint8_t cchArg;
|
---|
523 | /** Flag whether the argument is followed by an extra argument
|
---|
524 | * which must be purged too */
|
---|
525 | bool fTakesValue;
|
---|
526 | } SUPARGPURGEDESC;
|
---|
527 | /** Pointer to a environment variable purge descriptor. */
|
---|
528 | typedef SUPARGPURGEDESC *PSUPARGPURGEDESC;
|
---|
529 | /** Pointer to a const environment variable purge descriptor. */
|
---|
530 | typedef const SUPARGPURGEDESC *PCSUPARGPURGEDESC;
|
---|
531 |
|
---|
532 |
|
---|
533 | /*********************************************************************************************************************************
|
---|
534 | * Global Variables *
|
---|
535 | *********************************************************************************************************************************/
|
---|
536 | /** The pre-init data we pass on to SUPR3 (residing in VBoxRT). */
|
---|
537 | static SUPPREINITDATA g_SupPreInitData;
|
---|
538 | /** The program executable path. */
|
---|
539 | #ifndef RT_OS_WINDOWS
|
---|
540 | static
|
---|
541 | #endif
|
---|
542 | char g_szSupLibHardenedExePath[RTPATH_MAX];
|
---|
543 | /** The application bin directory path. */
|
---|
544 | static char g_szSupLibHardenedAppBinPath[RTPATH_MAX];
|
---|
545 | /** The offset into g_szSupLibHardenedExePath of the executable name. */
|
---|
546 | static size_t g_offSupLibHardenedExecName;
|
---|
547 | /** The length of the executable name in g_szSupLibHardenedExePath. */
|
---|
548 | static size_t g_cchSupLibHardenedExecName;
|
---|
549 |
|
---|
550 | /** The program name. */
|
---|
551 | static const char *g_pszSupLibHardenedProgName;
|
---|
552 | /** The flags passed to SUPR3HardenedMain. */
|
---|
553 | static uint32_t g_fSupHardenedMain;
|
---|
554 |
|
---|
555 | #ifdef SUP_HARDENED_SUID
|
---|
556 | /** The real UID at startup. */
|
---|
557 | static uid_t g_uid;
|
---|
558 | /** The real GID at startup. */
|
---|
559 | static gid_t g_gid;
|
---|
560 | # ifdef RT_OS_LINUX
|
---|
561 | static uint32_t g_uCaps;
|
---|
562 | static uint32_t g_uCapsVersion;
|
---|
563 | # endif
|
---|
564 | #endif
|
---|
565 |
|
---|
566 | /** The startup log file. */
|
---|
567 | #ifdef RT_OS_WINDOWS
|
---|
568 | static HANDLE g_hStartupLog = NULL;
|
---|
569 | #else
|
---|
570 | static int g_hStartupLog = -1;
|
---|
571 | #endif
|
---|
572 | /** The number of bytes we've written to the startup log. */
|
---|
573 | static uint32_t volatile g_cbStartupLog = 0;
|
---|
574 |
|
---|
575 | /** The current SUPR3HardenedMain state / location. */
|
---|
576 | SUPR3HARDENEDMAINSTATE g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED;
|
---|
577 | AssertCompileSize(g_enmSupR3HardenedMainState, sizeof(uint32_t));
|
---|
578 |
|
---|
579 | #ifdef RT_OS_WINDOWS
|
---|
580 | /** Pointer to VBoxRT's RTLogRelPrintf function so we can write errors to the
|
---|
581 | * release log at runtime. */
|
---|
582 | static PFNRTLOGRELPRINTF g_pfnRTLogRelPrintf = NULL;
|
---|
583 | /** Log volume name (for attempting volume flush). */
|
---|
584 | static RTUTF16 g_wszStartupLogVol[16];
|
---|
585 | #endif
|
---|
586 |
|
---|
587 | /** Environment variables to purge from the process because
|
---|
588 | * they are known to be harmful. */
|
---|
589 | static const SUPENVPURGEDESC g_aSupEnvPurgeDescs[] =
|
---|
590 | {
|
---|
591 | /* pszEnv fPurgeErrFatal */
|
---|
592 | /* Qt related environment variables: */
|
---|
593 | { RT_STR_TUPLE("QT_QPA_PLATFORM_PLUGIN_PATH"), true },
|
---|
594 | { RT_STR_TUPLE("QT_PLUGIN_PATH"), true },
|
---|
595 | /* ALSA related environment variables: */
|
---|
596 | { RT_STR_TUPLE("ALSA_MIXER_SIMPLE_MODULES"), true },
|
---|
597 | { RT_STR_TUPLE("LADSPA_PATH"), true },
|
---|
598 | };
|
---|
599 |
|
---|
600 | /** Arguments to purge from the argument vector because
|
---|
601 | * they are known to be harmful. */
|
---|
602 | static const SUPARGPURGEDESC g_aSupArgPurgeDescs[] =
|
---|
603 | {
|
---|
604 | /* pszArg fTakesValue */
|
---|
605 | /* Qt related environment variables: */
|
---|
606 | { RT_STR_TUPLE("-platformpluginpath"), true },
|
---|
607 | };
|
---|
608 |
|
---|
609 |
|
---|
610 | /*********************************************************************************************************************************
|
---|
611 | * Internal Functions *
|
---|
612 | *********************************************************************************************************************************/
|
---|
613 | #ifdef SUP_HARDENED_SUID
|
---|
614 | static void supR3HardenedMainDropPrivileges(void);
|
---|
615 | #endif
|
---|
616 | static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName);
|
---|
617 |
|
---|
618 |
|
---|
619 | /**
|
---|
620 | * Safely copy one or more strings into the given buffer.
|
---|
621 | *
|
---|
622 | * @returns VINF_SUCCESS or VERR_BUFFER_OVERFLOW.
|
---|
623 | * @param pszDst The destionation buffer.
|
---|
624 | * @param cbDst The size of the destination buffer.
|
---|
625 | * @param ... One or more zero terminated strings, ending with
|
---|
626 | * a NULL.
|
---|
627 | */
|
---|
628 | static int suplibHardenedStrCopyEx(char *pszDst, size_t cbDst, ...)
|
---|
629 | {
|
---|
630 | int rc = VINF_SUCCESS;
|
---|
631 |
|
---|
632 | if (cbDst == 0)
|
---|
633 | return VERR_BUFFER_OVERFLOW;
|
---|
634 |
|
---|
635 | va_list va;
|
---|
636 | va_start(va, cbDst);
|
---|
637 | for (;;)
|
---|
638 | {
|
---|
639 | const char *pszSrc = va_arg(va, const char *);
|
---|
640 | if (!pszSrc)
|
---|
641 | break;
|
---|
642 |
|
---|
643 | size_t cchSrc = suplibHardenedStrLen(pszSrc);
|
---|
644 | if (cchSrc < cbDst)
|
---|
645 | {
|
---|
646 | suplibHardenedMemCopy(pszDst, pszSrc, cchSrc);
|
---|
647 | pszDst += cchSrc;
|
---|
648 | cbDst -= cchSrc;
|
---|
649 | }
|
---|
650 | else
|
---|
651 | {
|
---|
652 | rc = VERR_BUFFER_OVERFLOW;
|
---|
653 | if (cbDst > 1)
|
---|
654 | {
|
---|
655 | suplibHardenedMemCopy(pszDst, pszSrc, cbDst - 1);
|
---|
656 | pszDst += cbDst - 1;
|
---|
657 | cbDst = 1;
|
---|
658 | }
|
---|
659 | }
|
---|
660 | *pszDst = '\0';
|
---|
661 | }
|
---|
662 | va_end(va);
|
---|
663 |
|
---|
664 | return rc;
|
---|
665 | }
|
---|
666 |
|
---|
667 |
|
---|
668 | /**
|
---|
669 | * Exit current process in the quickest possible fashion.
|
---|
670 | *
|
---|
671 | * @param rcExit The exit code.
|
---|
672 | */
|
---|
673 | DECLHIDDEN(DECL_NO_RETURN(void)) suplibHardenedExit(RTEXITCODE rcExit)
|
---|
674 | {
|
---|
675 | for (;;)
|
---|
676 | {
|
---|
677 | #ifdef RT_OS_WINDOWS
|
---|
678 | if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
|
---|
679 | ExitProcess(rcExit);
|
---|
680 | if (RtlExitUserProcess != NULL)
|
---|
681 | RtlExitUserProcess(rcExit);
|
---|
682 | NtTerminateProcess(NtCurrentProcess(), rcExit);
|
---|
683 | #else
|
---|
684 | _Exit(rcExit);
|
---|
685 | #endif
|
---|
686 | }
|
---|
687 | }
|
---|
688 |
|
---|
689 |
|
---|
690 | /**
|
---|
691 | * Writes a substring to standard error.
|
---|
692 | *
|
---|
693 | * @param pch The start of the substring.
|
---|
694 | * @param cch The length of the substring.
|
---|
695 | */
|
---|
696 | static void suplibHardenedPrintStrN(const char *pch, size_t cch)
|
---|
697 | {
|
---|
698 | #ifdef RT_OS_WINDOWS
|
---|
699 | HANDLE hStdOut = NtCurrentPeb()->ProcessParameters->StandardOutput;
|
---|
700 | if (hStdOut != NULL)
|
---|
701 | {
|
---|
702 | if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
|
---|
703 | {
|
---|
704 | DWORD cbWritten;
|
---|
705 | WriteFile(hStdOut, pch, (DWORD)cch, &cbWritten, NULL);
|
---|
706 | }
|
---|
707 | /* Windows 7 and earlier uses fake handles, with the last two bits set ((hStdOut & 3) == 3). */
|
---|
708 | else if (NtWriteFile != NULL && ((uintptr_t)hStdOut & 3) == 0)
|
---|
709 | {
|
---|
710 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
711 | NtWriteFile(hStdOut, NULL /*Event*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/,
|
---|
712 | &Ios, (PVOID)pch, (ULONG)cch, NULL /*ByteOffset*/, NULL /*Key*/);
|
---|
713 | }
|
---|
714 | }
|
---|
715 | #else
|
---|
716 | int res = write(2, pch, cch);
|
---|
717 | NOREF(res);
|
---|
718 | #endif
|
---|
719 | }
|
---|
720 |
|
---|
721 |
|
---|
722 | /**
|
---|
723 | * Writes a string to standard error.
|
---|
724 | *
|
---|
725 | * @param psz The string.
|
---|
726 | */
|
---|
727 | static void suplibHardenedPrintStr(const char *psz)
|
---|
728 | {
|
---|
729 | suplibHardenedPrintStrN(psz, suplibHardenedStrLen(psz));
|
---|
730 | }
|
---|
731 |
|
---|
732 |
|
---|
733 | /**
|
---|
734 | * Writes a char to standard error.
|
---|
735 | *
|
---|
736 | * @param ch The character value to write.
|
---|
737 | */
|
---|
738 | static void suplibHardenedPrintChr(char ch)
|
---|
739 | {
|
---|
740 | suplibHardenedPrintStrN(&ch, 1);
|
---|
741 | }
|
---|
742 |
|
---|
743 | #ifndef IPRT_NO_CRT
|
---|
744 |
|
---|
745 | /**
|
---|
746 | * Writes a decimal number to stdard error.
|
---|
747 | *
|
---|
748 | * @param uValue The value.
|
---|
749 | */
|
---|
750 | static void suplibHardenedPrintDecimal(uint64_t uValue)
|
---|
751 | {
|
---|
752 | char szBuf[64];
|
---|
753 | char *pszEnd = &szBuf[sizeof(szBuf) - 1];
|
---|
754 | char *psz = pszEnd;
|
---|
755 |
|
---|
756 | *psz-- = '\0';
|
---|
757 |
|
---|
758 | do
|
---|
759 | {
|
---|
760 | *psz-- = '0' + (uValue % 10);
|
---|
761 | uValue /= 10;
|
---|
762 | } while (uValue > 0);
|
---|
763 |
|
---|
764 | psz++;
|
---|
765 | suplibHardenedPrintStrN(psz, pszEnd - psz);
|
---|
766 | }
|
---|
767 |
|
---|
768 |
|
---|
769 | /**
|
---|
770 | * Writes a hexadecimal or octal number to standard error.
|
---|
771 | *
|
---|
772 | * @param uValue The value.
|
---|
773 | * @param uBase The base (16 or 8).
|
---|
774 | * @param fFlags Format flags.
|
---|
775 | */
|
---|
776 | static void suplibHardenedPrintHexOctal(uint64_t uValue, unsigned uBase, uint32_t fFlags)
|
---|
777 | {
|
---|
778 | static char const s_achDigitsLower[17] = "0123456789abcdef";
|
---|
779 | static char const s_achDigitsUpper[17] = "0123456789ABCDEF";
|
---|
780 | const char *pchDigits = !(fFlags & RTSTR_F_CAPITAL) ? s_achDigitsLower : s_achDigitsUpper;
|
---|
781 | unsigned cShift = uBase == 16 ? 4 : 3;
|
---|
782 | unsigned fDigitMask = uBase == 16 ? 0xf : 7;
|
---|
783 | char szBuf[64];
|
---|
784 | char *pszEnd = &szBuf[sizeof(szBuf) - 1];
|
---|
785 | char *psz = pszEnd;
|
---|
786 |
|
---|
787 | *psz-- = '\0';
|
---|
788 |
|
---|
789 | do
|
---|
790 | {
|
---|
791 | *psz-- = pchDigits[uValue & fDigitMask];
|
---|
792 | uValue >>= cShift;
|
---|
793 | } while (uValue > 0);
|
---|
794 |
|
---|
795 | if ((fFlags & RTSTR_F_SPECIAL) && uBase == 16)
|
---|
796 | {
|
---|
797 | *psz-- = !(fFlags & RTSTR_F_CAPITAL) ? 'x' : 'X';
|
---|
798 | *psz-- = '0';
|
---|
799 | }
|
---|
800 |
|
---|
801 | psz++;
|
---|
802 | suplibHardenedPrintStrN(psz, pszEnd - psz);
|
---|
803 | }
|
---|
804 |
|
---|
805 |
|
---|
806 | /**
|
---|
807 | * Writes a wide character string to standard error.
|
---|
808 | *
|
---|
809 | * @param pwsz The string.
|
---|
810 | */
|
---|
811 | static void suplibHardenedPrintWideStr(PCRTUTF16 pwsz)
|
---|
812 | {
|
---|
813 | for (;;)
|
---|
814 | {
|
---|
815 | RTUTF16 wc = *pwsz++;
|
---|
816 | if (!wc)
|
---|
817 | return;
|
---|
818 | if ( (wc < 0x7f && wc >= 0x20)
|
---|
819 | || wc == '\n'
|
---|
820 | || wc == '\r')
|
---|
821 | suplibHardenedPrintChr((char)wc);
|
---|
822 | else
|
---|
823 | {
|
---|
824 | suplibHardenedPrintStrN(RT_STR_TUPLE("\\x"));
|
---|
825 | suplibHardenedPrintHexOctal(wc, 16, 0);
|
---|
826 | }
|
---|
827 | }
|
---|
828 | }
|
---|
829 |
|
---|
830 | #else /* IPRT_NO_CRT */
|
---|
831 |
|
---|
832 | /** Buffer structure used by suplibHardenedOutput. */
|
---|
833 | struct SUPLIBHARDENEDOUTPUTBUF
|
---|
834 | {
|
---|
835 | size_t off;
|
---|
836 | char szBuf[2048];
|
---|
837 | };
|
---|
838 |
|
---|
839 | /** Callback for RTStrFormatV, see FNRTSTROUTPUT. */
|
---|
840 | static DECLCALLBACK(size_t) suplibHardenedOutput(void *pvArg, const char *pachChars, size_t cbChars)
|
---|
841 | {
|
---|
842 | SUPLIBHARDENEDOUTPUTBUF *pBuf = (SUPLIBHARDENEDOUTPUTBUF *)pvArg;
|
---|
843 | size_t cbTodo = cbChars;
|
---|
844 | for (;;)
|
---|
845 | {
|
---|
846 | size_t cbSpace = sizeof(pBuf->szBuf) - pBuf->off - 1;
|
---|
847 |
|
---|
848 | /* Flush the buffer? */
|
---|
849 | if ( cbSpace == 0
|
---|
850 | || (cbTodo == 0 && pBuf->off))
|
---|
851 | {
|
---|
852 | suplibHardenedPrintStrN(pBuf->szBuf, pBuf->off);
|
---|
853 | # ifdef RT_OS_WINDOWS
|
---|
854 | if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
|
---|
855 | OutputDebugString(pBuf->szBuf);
|
---|
856 | # endif
|
---|
857 | pBuf->off = 0;
|
---|
858 | cbSpace = sizeof(pBuf->szBuf) - 1;
|
---|
859 | }
|
---|
860 |
|
---|
861 | /* Copy the string into the buffer. */
|
---|
862 | if (cbTodo == 1)
|
---|
863 | {
|
---|
864 | pBuf->szBuf[pBuf->off++] = *pachChars;
|
---|
865 | break;
|
---|
866 | }
|
---|
867 | if (cbSpace >= cbTodo)
|
---|
868 | {
|
---|
869 | memcpy(&pBuf->szBuf[pBuf->off], pachChars, cbTodo);
|
---|
870 | pBuf->off += cbTodo;
|
---|
871 | break;
|
---|
872 | }
|
---|
873 | memcpy(&pBuf->szBuf[pBuf->off], pachChars, cbSpace);
|
---|
874 | pBuf->off += cbSpace;
|
---|
875 | cbTodo -= cbSpace;
|
---|
876 | }
|
---|
877 | pBuf->szBuf[pBuf->off] = '\0';
|
---|
878 |
|
---|
879 | return cbChars;
|
---|
880 | }
|
---|
881 |
|
---|
882 | #endif /* IPRT_NO_CRT */
|
---|
883 |
|
---|
884 | /**
|
---|
885 | * Simple printf to standard error.
|
---|
886 | *
|
---|
887 | * @param pszFormat The format string.
|
---|
888 | * @param va Arguments to format.
|
---|
889 | */
|
---|
890 | DECLHIDDEN(void) suplibHardenedPrintFV(const char *pszFormat, va_list va)
|
---|
891 | {
|
---|
892 | #ifdef IPRT_NO_CRT
|
---|
893 | /*
|
---|
894 | * Use buffered output here to avoid character mixing on the windows
|
---|
895 | * console and to enable us to use OutputDebugString.
|
---|
896 | */
|
---|
897 | SUPLIBHARDENEDOUTPUTBUF Buf;
|
---|
898 | Buf.off = 0;
|
---|
899 | Buf.szBuf[0] = '\0';
|
---|
900 | RTStrFormatV(suplibHardenedOutput, &Buf, NULL, NULL, pszFormat, va);
|
---|
901 |
|
---|
902 | #else /* !IPRT_NO_CRT */
|
---|
903 | /*
|
---|
904 | * Format loop.
|
---|
905 | */
|
---|
906 | char ch;
|
---|
907 | const char *pszLast = pszFormat;
|
---|
908 | for (;;)
|
---|
909 | {
|
---|
910 | ch = *pszFormat;
|
---|
911 | if (!ch)
|
---|
912 | break;
|
---|
913 | pszFormat++;
|
---|
914 |
|
---|
915 | if (ch == '%')
|
---|
916 | {
|
---|
917 | /*
|
---|
918 | * Format argument.
|
---|
919 | */
|
---|
920 |
|
---|
921 | /* Flush unwritten bits. */
|
---|
922 | if (pszLast != pszFormat - 1)
|
---|
923 | suplibHardenedPrintStrN(pszLast, pszFormat - pszLast - 1);
|
---|
924 | pszLast = pszFormat;
|
---|
925 | ch = *pszFormat++;
|
---|
926 |
|
---|
927 | /* flags. */
|
---|
928 | uint32_t fFlags = 0;
|
---|
929 | for (;;)
|
---|
930 | {
|
---|
931 | if (ch == '#') fFlags |= RTSTR_F_SPECIAL;
|
---|
932 | else if (ch == '-') fFlags |= RTSTR_F_LEFT;
|
---|
933 | else if (ch == '+') fFlags |= RTSTR_F_PLUS;
|
---|
934 | else if (ch == ' ') fFlags |= RTSTR_F_BLANK;
|
---|
935 | else if (ch == '0') fFlags |= RTSTR_F_ZEROPAD;
|
---|
936 | else if (ch == '\'') fFlags |= RTSTR_F_THOUSAND_SEP;
|
---|
937 | else break;
|
---|
938 | ch = *pszFormat++;
|
---|
939 | }
|
---|
940 |
|
---|
941 | /* Width and precision - ignored. */
|
---|
942 | while (RT_C_IS_DIGIT(ch))
|
---|
943 | ch = *pszFormat++;
|
---|
944 | if (ch == '*')
|
---|
945 | va_arg(va, int);
|
---|
946 | if (ch == '.')
|
---|
947 | {
|
---|
948 | do ch = *pszFormat++;
|
---|
949 | while (RT_C_IS_DIGIT(ch));
|
---|
950 | if (ch == '*')
|
---|
951 | va_arg(va, int);
|
---|
952 | }
|
---|
953 |
|
---|
954 | /* Size. */
|
---|
955 | char chArgSize = 0;
|
---|
956 | switch (ch)
|
---|
957 | {
|
---|
958 | case 'z':
|
---|
959 | case 'L':
|
---|
960 | case 'j':
|
---|
961 | case 't':
|
---|
962 | chArgSize = ch;
|
---|
963 | ch = *pszFormat++;
|
---|
964 | break;
|
---|
965 |
|
---|
966 | case 'l':
|
---|
967 | chArgSize = ch;
|
---|
968 | ch = *pszFormat++;
|
---|
969 | if (ch == 'l')
|
---|
970 | {
|
---|
971 | chArgSize = 'L';
|
---|
972 | ch = *pszFormat++;
|
---|
973 | }
|
---|
974 | break;
|
---|
975 |
|
---|
976 | case 'h':
|
---|
977 | chArgSize = ch;
|
---|
978 | ch = *pszFormat++;
|
---|
979 | if (ch == 'h')
|
---|
980 | {
|
---|
981 | chArgSize = 'H';
|
---|
982 | ch = *pszFormat++;
|
---|
983 | }
|
---|
984 | break;
|
---|
985 | }
|
---|
986 |
|
---|
987 | /*
|
---|
988 | * Do type specific formatting.
|
---|
989 | */
|
---|
990 | switch (ch)
|
---|
991 | {
|
---|
992 | case 'c':
|
---|
993 | ch = (char)va_arg(va, int);
|
---|
994 | suplibHardenedPrintChr(ch);
|
---|
995 | break;
|
---|
996 |
|
---|
997 | case 's':
|
---|
998 | if (chArgSize == 'l')
|
---|
999 | {
|
---|
1000 | PCRTUTF16 pwszStr = va_arg(va, PCRTUTF16 );
|
---|
1001 | if (RT_VALID_PTR(pwszStr))
|
---|
1002 | suplibHardenedPrintWideStr(pwszStr);
|
---|
1003 | else
|
---|
1004 | suplibHardenedPrintStr("<NULL>");
|
---|
1005 | }
|
---|
1006 | else
|
---|
1007 | {
|
---|
1008 | const char *pszStr = va_arg(va, const char *);
|
---|
1009 | if (!RT_VALID_PTR(pszStr))
|
---|
1010 | pszStr = "<NULL>";
|
---|
1011 | suplibHardenedPrintStr(pszStr);
|
---|
1012 | }
|
---|
1013 | break;
|
---|
1014 |
|
---|
1015 | case 'd':
|
---|
1016 | case 'i':
|
---|
1017 | {
|
---|
1018 | int64_t iValue;
|
---|
1019 | if (chArgSize == 'L' || chArgSize == 'j')
|
---|
1020 | iValue = va_arg(va, int64_t);
|
---|
1021 | else if (chArgSize == 'l')
|
---|
1022 | iValue = va_arg(va, signed long);
|
---|
1023 | else if (chArgSize == 'z' || chArgSize == 't')
|
---|
1024 | iValue = va_arg(va, intptr_t);
|
---|
1025 | else
|
---|
1026 | iValue = va_arg(va, signed int);
|
---|
1027 | if (iValue < 0)
|
---|
1028 | {
|
---|
1029 | suplibHardenedPrintChr('-');
|
---|
1030 | iValue = -iValue;
|
---|
1031 | }
|
---|
1032 | suplibHardenedPrintDecimal(iValue);
|
---|
1033 | break;
|
---|
1034 | }
|
---|
1035 |
|
---|
1036 | case 'p':
|
---|
1037 | case 'x':
|
---|
1038 | case 'X':
|
---|
1039 | case 'u':
|
---|
1040 | case 'o':
|
---|
1041 | {
|
---|
1042 | unsigned uBase = 10;
|
---|
1043 | uint64_t uValue;
|
---|
1044 |
|
---|
1045 | switch (ch)
|
---|
1046 | {
|
---|
1047 | case 'p':
|
---|
1048 | fFlags |= RTSTR_F_ZEROPAD; /* Note not standard behaviour (but I like it this way!) */
|
---|
1049 | uBase = 16;
|
---|
1050 | break;
|
---|
1051 | case 'X':
|
---|
1052 | fFlags |= RTSTR_F_CAPITAL;
|
---|
1053 | RT_FALL_THRU();
|
---|
1054 | case 'x':
|
---|
1055 | uBase = 16;
|
---|
1056 | break;
|
---|
1057 | case 'u':
|
---|
1058 | uBase = 10;
|
---|
1059 | break;
|
---|
1060 | case 'o':
|
---|
1061 | uBase = 8;
|
---|
1062 | break;
|
---|
1063 | }
|
---|
1064 |
|
---|
1065 | if (ch == 'p' || chArgSize == 'z' || chArgSize == 't')
|
---|
1066 | uValue = va_arg(va, uintptr_t);
|
---|
1067 | else if (chArgSize == 'L' || chArgSize == 'j')
|
---|
1068 | uValue = va_arg(va, uint64_t);
|
---|
1069 | else if (chArgSize == 'l')
|
---|
1070 | uValue = va_arg(va, unsigned long);
|
---|
1071 | else
|
---|
1072 | uValue = va_arg(va, unsigned int);
|
---|
1073 |
|
---|
1074 | if (uBase == 10)
|
---|
1075 | suplibHardenedPrintDecimal(uValue);
|
---|
1076 | else
|
---|
1077 | suplibHardenedPrintHexOctal(uValue, uBase, fFlags);
|
---|
1078 | break;
|
---|
1079 | }
|
---|
1080 |
|
---|
1081 | case 'R':
|
---|
1082 | if (pszFormat[0] == 'r' && pszFormat[1] == 'c')
|
---|
1083 | {
|
---|
1084 | int iValue = va_arg(va, int);
|
---|
1085 | if (iValue < 0)
|
---|
1086 | {
|
---|
1087 | suplibHardenedPrintChr('-');
|
---|
1088 | iValue = -iValue;
|
---|
1089 | }
|
---|
1090 | suplibHardenedPrintDecimal(iValue);
|
---|
1091 | pszFormat += 2;
|
---|
1092 | break;
|
---|
1093 | }
|
---|
1094 | RT_FALL_THRU();
|
---|
1095 |
|
---|
1096 | /*
|
---|
1097 | * Custom format.
|
---|
1098 | */
|
---|
1099 | default:
|
---|
1100 | suplibHardenedPrintStr("[bad format: ");
|
---|
1101 | suplibHardenedPrintStrN(pszLast, pszFormat - pszLast);
|
---|
1102 | suplibHardenedPrintChr(']');
|
---|
1103 | break;
|
---|
1104 | }
|
---|
1105 |
|
---|
1106 | /* continue */
|
---|
1107 | pszLast = pszFormat;
|
---|
1108 | }
|
---|
1109 | }
|
---|
1110 |
|
---|
1111 | /* Flush the last bits of the string. */
|
---|
1112 | if (pszLast != pszFormat)
|
---|
1113 | suplibHardenedPrintStrN(pszLast, pszFormat - pszLast);
|
---|
1114 | #endif /* !IPRT_NO_CRT */
|
---|
1115 | }
|
---|
1116 |
|
---|
1117 |
|
---|
1118 | /**
|
---|
1119 | * Prints to standard error.
|
---|
1120 | *
|
---|
1121 | * @param pszFormat The format string.
|
---|
1122 | * @param ... Arguments to format.
|
---|
1123 | */
|
---|
1124 | DECLHIDDEN(void) suplibHardenedPrintF(const char *pszFormat, ...)
|
---|
1125 | {
|
---|
1126 | va_list va;
|
---|
1127 | va_start(va, pszFormat);
|
---|
1128 | suplibHardenedPrintFV(pszFormat, va);
|
---|
1129 | va_end(va);
|
---|
1130 | }
|
---|
1131 |
|
---|
1132 |
|
---|
1133 | /**
|
---|
1134 | * @copydoc RTPathStripFilename
|
---|
1135 | */
|
---|
1136 | static void suplibHardenedPathStripFilename(char *pszPath)
|
---|
1137 | {
|
---|
1138 | char *psz = pszPath;
|
---|
1139 | char *pszLastSep = pszPath;
|
---|
1140 |
|
---|
1141 | for (;; psz++)
|
---|
1142 | {
|
---|
1143 | switch (*psz)
|
---|
1144 | {
|
---|
1145 | /* handle separators. */
|
---|
1146 | #if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
|
---|
1147 | case ':':
|
---|
1148 | pszLastSep = psz + 1;
|
---|
1149 | break;
|
---|
1150 |
|
---|
1151 | case '\\':
|
---|
1152 | #endif
|
---|
1153 | case '/':
|
---|
1154 | pszLastSep = psz;
|
---|
1155 | break;
|
---|
1156 |
|
---|
1157 | /* the end */
|
---|
1158 | case '\0':
|
---|
1159 | if (pszLastSep == pszPath)
|
---|
1160 | *pszLastSep++ = '.';
|
---|
1161 | *pszLastSep = '\0';
|
---|
1162 | return;
|
---|
1163 | }
|
---|
1164 | }
|
---|
1165 | /* will never get here */
|
---|
1166 | }
|
---|
1167 |
|
---|
1168 |
|
---|
1169 | /**
|
---|
1170 | * @copydoc RTPathFilename
|
---|
1171 | */
|
---|
1172 | DECLHIDDEN(char *) supR3HardenedPathFilename(const char *pszPath)
|
---|
1173 | {
|
---|
1174 | const char *psz = pszPath;
|
---|
1175 | const char *pszLastComp = pszPath;
|
---|
1176 |
|
---|
1177 | for (;; psz++)
|
---|
1178 | {
|
---|
1179 | switch (*psz)
|
---|
1180 | {
|
---|
1181 | /* handle separators. */
|
---|
1182 | #if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
|
---|
1183 | case ':':
|
---|
1184 | pszLastComp = psz + 1;
|
---|
1185 | break;
|
---|
1186 |
|
---|
1187 | case '\\':
|
---|
1188 | #endif
|
---|
1189 | case '/':
|
---|
1190 | pszLastComp = psz + 1;
|
---|
1191 | break;
|
---|
1192 |
|
---|
1193 | /* the end */
|
---|
1194 | case '\0':
|
---|
1195 | if (*pszLastComp)
|
---|
1196 | return (char *)(void *)pszLastComp;
|
---|
1197 | return NULL;
|
---|
1198 | }
|
---|
1199 | }
|
---|
1200 |
|
---|
1201 | /* will never get here */
|
---|
1202 | }
|
---|
1203 |
|
---|
1204 |
|
---|
1205 | /**
|
---|
1206 | * @copydoc RTPathAppPrivateNoArch
|
---|
1207 | */
|
---|
1208 | DECLHIDDEN(int) supR3HardenedPathAppPrivateNoArch(char *pszPath, size_t cchPath)
|
---|
1209 | {
|
---|
1210 | #if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE)
|
---|
1211 | const char *pszSrcPath = RTPATH_APP_PRIVATE;
|
---|
1212 | size_t cchPathPrivateNoArch = suplibHardenedStrLen(pszSrcPath);
|
---|
1213 | if (cchPathPrivateNoArch >= cchPath)
|
---|
1214 | supR3HardenedFatal("supR3HardenedPathAppPrivateNoArch: Buffer overflow, %zu >= %zu\n", cchPathPrivateNoArch, cchPath);
|
---|
1215 | suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathPrivateNoArch + 1);
|
---|
1216 | return VINF_SUCCESS;
|
---|
1217 |
|
---|
1218 | #else
|
---|
1219 | return supR3HardenedPathAppBin(pszPath, cchPath);
|
---|
1220 | #endif
|
---|
1221 | }
|
---|
1222 |
|
---|
1223 |
|
---|
1224 | /**
|
---|
1225 | * @copydoc RTPathAppPrivateArch
|
---|
1226 | */
|
---|
1227 | DECLHIDDEN(int) supR3HardenedPathAppPrivateArch(char *pszPath, size_t cchPath)
|
---|
1228 | {
|
---|
1229 | #if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE_ARCH)
|
---|
1230 | const char *pszSrcPath = RTPATH_APP_PRIVATE_ARCH;
|
---|
1231 | size_t cchPathPrivateArch = suplibHardenedStrLen(pszSrcPath);
|
---|
1232 | if (cchPathPrivateArch >= cchPath)
|
---|
1233 | supR3HardenedFatal("supR3HardenedPathAppPrivateArch: Buffer overflow, %zu >= %zu\n", cchPathPrivateArch, cchPath);
|
---|
1234 | suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathPrivateArch + 1);
|
---|
1235 | return VINF_SUCCESS;
|
---|
1236 |
|
---|
1237 | #else
|
---|
1238 | return supR3HardenedPathAppBin(pszPath, cchPath);
|
---|
1239 | #endif
|
---|
1240 | }
|
---|
1241 |
|
---|
1242 |
|
---|
1243 | /**
|
---|
1244 | * @copydoc RTPathSharedLibs
|
---|
1245 | */
|
---|
1246 | DECLHIDDEN(int) supR3HardenedPathAppSharedLibs(char *pszPath, size_t cchPath)
|
---|
1247 | {
|
---|
1248 | #if !defined(RT_OS_WINDOWS) && defined(RTPATH_SHARED_LIBS)
|
---|
1249 | const char *pszSrcPath = RTPATH_SHARED_LIBS;
|
---|
1250 | size_t cchPathSharedLibs = suplibHardenedStrLen(pszSrcPath);
|
---|
1251 | if (cchPathSharedLibs >= cchPath)
|
---|
1252 | supR3HardenedFatal("supR3HardenedPathAppSharedLibs: Buffer overflow, %zu >= %zu\n", cchPathSharedLibs, cchPath);
|
---|
1253 | suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathSharedLibs + 1);
|
---|
1254 | return VINF_SUCCESS;
|
---|
1255 |
|
---|
1256 | #else
|
---|
1257 | return supR3HardenedPathAppBin(pszPath, cchPath);
|
---|
1258 | #endif
|
---|
1259 | }
|
---|
1260 |
|
---|
1261 |
|
---|
1262 | /**
|
---|
1263 | * @copydoc RTPathAppDocs
|
---|
1264 | */
|
---|
1265 | DECLHIDDEN(int) supR3HardenedPathAppDocs(char *pszPath, size_t cchPath)
|
---|
1266 | {
|
---|
1267 | #if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_DOCS)
|
---|
1268 | const char *pszSrcPath = RTPATH_APP_DOCS;
|
---|
1269 | size_t cchPathAppDocs = suplibHardenedStrLen(pszSrcPath);
|
---|
1270 | if (cchPathAppDocs >= cchPath)
|
---|
1271 | supR3HardenedFatal("supR3HardenedPathAppDocs: Buffer overflow, %zu >= %zu\n", cchPathAppDocs, cchPath);
|
---|
1272 | suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathAppDocs + 1);
|
---|
1273 | return VINF_SUCCESS;
|
---|
1274 |
|
---|
1275 | #else
|
---|
1276 | return supR3HardenedPathAppBin(pszPath, cchPath);
|
---|
1277 | #endif
|
---|
1278 | }
|
---|
1279 |
|
---|
1280 |
|
---|
1281 | /**
|
---|
1282 | * Returns the full path to the executable in g_szSupLibHardenedExePath.
|
---|
1283 | *
|
---|
1284 | * @returns IPRT status code.
|
---|
1285 | */
|
---|
1286 | static void supR3HardenedGetFullExePath(void)
|
---|
1287 | {
|
---|
1288 | /*
|
---|
1289 | * Get the program filename.
|
---|
1290 | *
|
---|
1291 | * Most UNIXes have no API for obtaining the executable path, but provides a symbolic
|
---|
1292 | * link in the proc file system that tells who was exec'ed. The bad thing about this
|
---|
1293 | * is that we have to use readlink, one of the weirder UNIX APIs.
|
---|
1294 | *
|
---|
1295 | * Darwin, OS/2 and Windows all have proper APIs for getting the program file name.
|
---|
1296 | */
|
---|
1297 | #if defined(RT_OS_LINUX) || defined(RT_OS_FREEBSD) || defined(RT_OS_SOLARIS)
|
---|
1298 | # ifdef RT_OS_LINUX
|
---|
1299 | int cchLink = readlink("/proc/self/exe", &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
|
---|
1300 |
|
---|
1301 | # elif defined(RT_OS_SOLARIS)
|
---|
1302 | char szFileBuf[PATH_MAX + 1];
|
---|
1303 | sprintf(szFileBuf, "/proc/%ld/path/a.out", (long)getpid());
|
---|
1304 | int cchLink = readlink(szFileBuf, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
|
---|
1305 |
|
---|
1306 | # else /* RT_OS_FREEBSD */
|
---|
1307 | int aiName[4];
|
---|
1308 | aiName[0] = CTL_KERN;
|
---|
1309 | aiName[1] = KERN_PROC;
|
---|
1310 | aiName[2] = KERN_PROC_PATHNAME;
|
---|
1311 | aiName[3] = getpid();
|
---|
1312 |
|
---|
1313 | size_t cbPath = sizeof(g_szSupLibHardenedExePath);
|
---|
1314 | if (sysctl(aiName, RT_ELEMENTS(aiName), g_szSupLibHardenedExePath, &cbPath, NULL, 0) < 0)
|
---|
1315 | supR3HardenedFatal("supR3HardenedExecDir: sysctl failed\n");
|
---|
1316 | g_szSupLibHardenedExePath[sizeof(g_szSupLibHardenedExePath) - 1] = '\0';
|
---|
1317 | int cchLink = suplibHardenedStrLen(g_szSupLibHardenedExePath); /* paranoid? can't we use cbPath? */
|
---|
1318 |
|
---|
1319 | # endif
|
---|
1320 | if (cchLink < 0 || cchLink == sizeof(g_szSupLibHardenedExePath) - 1)
|
---|
1321 | supR3HardenedFatal("supR3HardenedExecDir: couldn't read \"%s\", errno=%d cchLink=%d\n",
|
---|
1322 | g_szSupLibHardenedExePath, errno, cchLink);
|
---|
1323 | g_szSupLibHardenedExePath[cchLink] = '\0';
|
---|
1324 |
|
---|
1325 | #elif defined(RT_OS_OS2) || defined(RT_OS_L4)
|
---|
1326 | _execname(g_szSupLibHardenedExePath, sizeof(g_szSupLibHardenedExePath));
|
---|
1327 |
|
---|
1328 | #elif defined(RT_OS_DARWIN)
|
---|
1329 | const char *pszImageName = _dyld_get_image_name(0);
|
---|
1330 | if (!pszImageName)
|
---|
1331 | supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed\n");
|
---|
1332 | size_t cchImageName = suplibHardenedStrLen(pszImageName);
|
---|
1333 | if (!cchImageName || cchImageName >= sizeof(g_szSupLibHardenedExePath))
|
---|
1334 | supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed, cchImageName=%d\n", cchImageName);
|
---|
1335 | suplibHardenedMemCopy(g_szSupLibHardenedExePath, pszImageName, cchImageName + 1);
|
---|
1336 | /** @todo abspath the string or this won't work:
|
---|
1337 | * cd /Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/ && ./VirtualBoxVM --startvm name */
|
---|
1338 |
|
---|
1339 | #elif defined(RT_OS_WINDOWS)
|
---|
1340 | char *pszDst = g_szSupLibHardenedExePath;
|
---|
1341 | int rc = RTUtf16ToUtf8Ex(g_wszSupLibHardenedExePath, RTSTR_MAX, &pszDst, sizeof(g_szSupLibHardenedExePath), NULL);
|
---|
1342 | if (RT_FAILURE(rc))
|
---|
1343 | supR3HardenedFatal("supR3HardenedExecDir: RTUtf16ToUtf8Ex failed, rc=%Rrc\n", rc);
|
---|
1344 | #else
|
---|
1345 | # error needs porting.
|
---|
1346 | #endif
|
---|
1347 |
|
---|
1348 | /*
|
---|
1349 | * Determine the application binary directory location.
|
---|
1350 | */
|
---|
1351 | suplibHardenedStrCopy(g_szSupLibHardenedAppBinPath, g_szSupLibHardenedExePath);
|
---|
1352 | suplibHardenedPathStripFilename(g_szSupLibHardenedAppBinPath);
|
---|
1353 |
|
---|
1354 | g_offSupLibHardenedExecName = suplibHardenedStrLen(g_szSupLibHardenedAppBinPath);
|
---|
1355 | while (RTPATH_IS_SEP(g_szSupLibHardenedExePath[g_offSupLibHardenedExecName]))
|
---|
1356 | g_offSupLibHardenedExecName++;
|
---|
1357 | g_cchSupLibHardenedExecName = suplibHardenedStrLen(&g_szSupLibHardenedExePath[g_offSupLibHardenedExecName]);
|
---|
1358 |
|
---|
1359 | if (g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_HARDENED_MAIN_CALLED)
|
---|
1360 | supR3HardenedFatal("supR3HardenedExecDir: Called before SUPR3HardenedMain! (%d)\n", g_enmSupR3HardenedMainState);
|
---|
1361 | switch (g_fSupHardenedMain & SUPSECMAIN_FLAGS_LOC_MASK)
|
---|
1362 | {
|
---|
1363 | case SUPSECMAIN_FLAGS_LOC_APP_BIN:
|
---|
1364 | break;
|
---|
1365 | case SUPSECMAIN_FLAGS_LOC_TESTCASE:
|
---|
1366 | suplibHardenedPathStripFilename(g_szSupLibHardenedAppBinPath);
|
---|
1367 | break;
|
---|
1368 | #ifdef RT_OS_DARWIN
|
---|
1369 | case SUPSECMAIN_FLAGS_LOC_OSX_HLP_APP:
|
---|
1370 | {
|
---|
1371 | /* We must ascend to the parent bundle's Contents directory then decend into its MacOS: */
|
---|
1372 | static const RTSTRTUPLE s_aComponentsToSkip[] =
|
---|
1373 | { { RT_STR_TUPLE("MacOS") }, { RT_STR_TUPLE("Contents") }, { NULL /*some.app*/, 0 }, { RT_STR_TUPLE("Resources") } };
|
---|
1374 | size_t cchPath = suplibHardenedStrLen(g_szSupLibHardenedAppBinPath);
|
---|
1375 | for (uintptr_t i = 0; i < RT_ELEMENTS(s_aComponentsToSkip); i++)
|
---|
1376 | {
|
---|
1377 | while (cchPath > 1 && g_szSupLibHardenedAppBinPath[cchPath - 1] == '/')
|
---|
1378 | cchPath--;
|
---|
1379 | size_t const cchMatch = s_aComponentsToSkip[i].cch;
|
---|
1380 | if (cchMatch > 0)
|
---|
1381 | {
|
---|
1382 | if ( cchPath >= cchMatch + sizeof("VirtualBox.app/Contents")
|
---|
1383 | && g_szSupLibHardenedAppBinPath[cchPath - cchMatch - 1] == '/'
|
---|
1384 | && suplibHardenedMemComp(&g_szSupLibHardenedAppBinPath[cchPath - cchMatch],
|
---|
1385 | s_aComponentsToSkip[i].psz, cchMatch) == 0)
|
---|
1386 | cchPath -= cchMatch;
|
---|
1387 | else
|
---|
1388 | supR3HardenedFatal("supR3HardenedExecDir: Bad helper app path (tail component #%u '%s'): %s\n",
|
---|
1389 | i, s_aComponentsToSkip[i].psz, g_szSupLibHardenedAppBinPath);
|
---|
1390 | }
|
---|
1391 | else if ( cchPath > g_cchSupLibHardenedExecName + sizeof("VirtualBox.app/Contents/Resources/.app")
|
---|
1392 | && suplibHardenedMemComp(&g_szSupLibHardenedAppBinPath[cchPath - 4], ".app", 4) == 0
|
---|
1393 | && suplibHardenedMemComp(&g_szSupLibHardenedAppBinPath[cchPath - 4 - g_cchSupLibHardenedExecName],
|
---|
1394 | &g_szSupLibHardenedExePath[g_offSupLibHardenedExecName],
|
---|
1395 | g_cchSupLibHardenedExecName) == 0)
|
---|
1396 | cchPath -= g_cchSupLibHardenedExecName + 4;
|
---|
1397 | else
|
---|
1398 | supR3HardenedFatal("supR3HardenedExecDir: Bad helper app path (tail component #%u '%s.app'): %s\n",
|
---|
1399 | i, &g_szSupLibHardenedExePath[g_offSupLibHardenedExecName], g_szSupLibHardenedAppBinPath);
|
---|
1400 | }
|
---|
1401 | suplibHardenedMemCopy(&g_szSupLibHardenedAppBinPath[cchPath], "MacOS", sizeof("MacOS"));
|
---|
1402 | break;
|
---|
1403 | }
|
---|
1404 | #endif /* RT_OS_DARWIN */
|
---|
1405 | default:
|
---|
1406 | supR3HardenedFatal("supR3HardenedExecDir: Unknown program binary location: %#x\n", g_fSupHardenedMain);
|
---|
1407 | }
|
---|
1408 | }
|
---|
1409 |
|
---|
1410 |
|
---|
1411 | #ifdef RT_OS_LINUX
|
---|
1412 | /**
|
---|
1413 | * Checks if we can read /proc/self/exe.
|
---|
1414 | *
|
---|
1415 | * This is used on linux to see if we have to call init
|
---|
1416 | * with program path or not.
|
---|
1417 | *
|
---|
1418 | * @returns true / false.
|
---|
1419 | */
|
---|
1420 | static bool supR3HardenedMainIsProcSelfExeAccssible(void)
|
---|
1421 | {
|
---|
1422 | char szPath[RTPATH_MAX];
|
---|
1423 | int cchLink = readlink("/proc/self/exe", szPath, sizeof(szPath));
|
---|
1424 | return cchLink != -1;
|
---|
1425 | }
|
---|
1426 | #endif /* RT_OS_LINUX */
|
---|
1427 |
|
---|
1428 |
|
---|
1429 |
|
---|
1430 | /**
|
---|
1431 | * @copydoc RTPathExecDir
|
---|
1432 | * @remarks not quite like RTPathExecDir actually...
|
---|
1433 | */
|
---|
1434 | DECLHIDDEN(int) supR3HardenedPathAppBin(char *pszPath, size_t cchPath)
|
---|
1435 | {
|
---|
1436 | /*
|
---|
1437 | * Lazy init (probably not required).
|
---|
1438 | */
|
---|
1439 | if (!g_szSupLibHardenedAppBinPath[0])
|
---|
1440 | supR3HardenedGetFullExePath();
|
---|
1441 |
|
---|
1442 | /*
|
---|
1443 | * Calc the length and check if there is space before copying.
|
---|
1444 | */
|
---|
1445 | size_t cch = suplibHardenedStrLen(g_szSupLibHardenedAppBinPath) + 1;
|
---|
1446 | if (cch <= cchPath)
|
---|
1447 | {
|
---|
1448 | suplibHardenedMemCopy(pszPath, g_szSupLibHardenedAppBinPath, cch + 1);
|
---|
1449 | return VINF_SUCCESS;
|
---|
1450 | }
|
---|
1451 |
|
---|
1452 | supR3HardenedFatal("supR3HardenedPathAppBin: Buffer too small (%u < %u)\n", cchPath, cch);
|
---|
1453 | /* not reached */
|
---|
1454 | }
|
---|
1455 |
|
---|
1456 |
|
---|
1457 | #ifdef RT_OS_WINDOWS
|
---|
1458 | extern "C" uint32_t g_uNtVerCombined;
|
---|
1459 | #endif
|
---|
1460 |
|
---|
1461 | DECLHIDDEN(void) supR3HardenedOpenLog(int *pcArgs, char **papszArgs)
|
---|
1462 | {
|
---|
1463 | static const char s_szLogOption[] = "--sup-hardening-log=";
|
---|
1464 |
|
---|
1465 | /*
|
---|
1466 | * Scan the argument vector.
|
---|
1467 | */
|
---|
1468 | int cArgs = *pcArgs;
|
---|
1469 | for (int iArg = 1; iArg < cArgs; iArg++)
|
---|
1470 | if (strncmp(papszArgs[iArg], s_szLogOption, sizeof(s_szLogOption) - 1) == 0)
|
---|
1471 | {
|
---|
1472 | #ifdef RT_OS_WINDOWS
|
---|
1473 | const char *pszLogFile = &papszArgs[iArg][sizeof(s_szLogOption) - 1];
|
---|
1474 | #endif
|
---|
1475 |
|
---|
1476 | /*
|
---|
1477 | * Drop the argument from the vector (has trailing NULL entry).
|
---|
1478 | */
|
---|
1479 | // memmove(&papszArgs[iArg], &papszArgs[iArg + 1], (cArgs - iArg) * sizeof(papszArgs[0]));
|
---|
1480 | *pcArgs -= 1;
|
---|
1481 | cArgs -= 1;
|
---|
1482 |
|
---|
1483 | /*
|
---|
1484 | * Open the log file, unless we've already opened one.
|
---|
1485 | * First argument takes precedence
|
---|
1486 | */
|
---|
1487 | #ifdef RT_OS_WINDOWS
|
---|
1488 | if (g_hStartupLog == NULL)
|
---|
1489 | {
|
---|
1490 | int rc = RTNtPathOpen(pszLogFile,
|
---|
1491 | GENERIC_WRITE | SYNCHRONIZE,
|
---|
1492 | FILE_ATTRIBUTE_NORMAL,
|
---|
1493 | FILE_SHARE_READ | FILE_SHARE_WRITE,
|
---|
1494 | FILE_OPEN_IF,
|
---|
1495 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
|
---|
1496 | OBJ_CASE_INSENSITIVE,
|
---|
1497 | &g_hStartupLog,
|
---|
1498 | NULL);
|
---|
1499 | if (RT_SUCCESS(rc))
|
---|
1500 | {
|
---|
1501 | // SUP_DPRINTF(("Log file opened: " VBOX_VERSION_STRING "r%u g_hStartupLog=%p g_uNtVerCombined=%#x\n",
|
---|
1502 | // VBOX_SVN_REV, g_hStartupLog, g_uNtVerCombined));
|
---|
1503 |
|
---|
1504 | /*
|
---|
1505 | * If the path contains a drive volume, save it so we can
|
---|
1506 | * use it to flush the volume containing the log file.
|
---|
1507 | */
|
---|
1508 | if (RT_C_IS_ALPHA(pszLogFile[0]) && pszLogFile[1] == ':')
|
---|
1509 | {
|
---|
1510 | // RTUtf16CopyAscii(g_wszStartupLogVol, RT_ELEMENTS(g_wszStartupLogVol), "\\??\\");
|
---|
1511 | g_wszStartupLogVol[sizeof("\\??\\") - 1] = RT_C_TO_UPPER(pszLogFile[0]);
|
---|
1512 | g_wszStartupLogVol[sizeof("\\??\\") + 0] = ':';
|
---|
1513 | g_wszStartupLogVol[sizeof("\\??\\") + 1] = '\0';
|
---|
1514 | }
|
---|
1515 | }
|
---|
1516 | else
|
---|
1517 | g_hStartupLog = NULL;
|
---|
1518 | }
|
---|
1519 | #else
|
---|
1520 | /* Just some mumbo jumbo to shut up the compiler. */
|
---|
1521 | g_hStartupLog -= 1;
|
---|
1522 | g_cbStartupLog += 1;
|
---|
1523 | //g_hStartupLog = open()
|
---|
1524 | #endif
|
---|
1525 | }
|
---|
1526 | }
|
---|
1527 |
|
---|
1528 |
|
---|
1529 | DECLHIDDEN(void) supR3HardenedLogV(const char *pszFormat, va_list va)
|
---|
1530 | {
|
---|
1531 | #ifdef RT_OS_WINDOWS
|
---|
1532 | if ( g_hStartupLog != NULL
|
---|
1533 | && g_cbStartupLog < 16*_1M)
|
---|
1534 | {
|
---|
1535 | char szBuf[5120];
|
---|
1536 | PCLIENT_ID pSelfId = &((PTEB)NtCurrentTeb())->ClientId;
|
---|
1537 | size_t cchPrefix = RTStrPrintf(szBuf, sizeof(szBuf), "%x.%x: ", pSelfId->UniqueProcess, pSelfId->UniqueThread);
|
---|
1538 | size_t cch = RTStrPrintfV(&szBuf[cchPrefix], sizeof(szBuf) - cchPrefix, pszFormat, va) + cchPrefix;
|
---|
1539 |
|
---|
1540 | if ((size_t)cch >= sizeof(szBuf))
|
---|
1541 | cch = sizeof(szBuf) - 1;
|
---|
1542 |
|
---|
1543 | if (!cch || szBuf[cch - 1] != '\n')
|
---|
1544 | szBuf[cch++] = '\n';
|
---|
1545 |
|
---|
1546 | ASMAtomicAddU32(&g_cbStartupLog, (uint32_t)cch);
|
---|
1547 |
|
---|
1548 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
1549 | LARGE_INTEGER Offset;
|
---|
1550 | Offset.QuadPart = -1; /* Write to end of file. */
|
---|
1551 | NtWriteFile(g_hStartupLog, NULL /*Event*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/,
|
---|
1552 | &Ios, szBuf, (ULONG)cch, &Offset, NULL /*Key*/);
|
---|
1553 | }
|
---|
1554 | #else
|
---|
1555 | RT_NOREF(pszFormat, va);
|
---|
1556 | /* later */
|
---|
1557 | #endif
|
---|
1558 | }
|
---|
1559 |
|
---|
1560 |
|
---|
1561 | DECLHIDDEN(void) supR3HardenedLog(const char *pszFormat, ...)
|
---|
1562 | {
|
---|
1563 | va_list va;
|
---|
1564 | va_start(va, pszFormat);
|
---|
1565 | supR3HardenedLogV(pszFormat, va);
|
---|
1566 | va_end(va);
|
---|
1567 | }
|
---|
1568 |
|
---|
1569 |
|
---|
1570 | DECLHIDDEN(void) supR3HardenedLogFlush(void)
|
---|
1571 | {
|
---|
1572 | #ifdef RT_OS_WINDOWS
|
---|
1573 | if ( g_hStartupLog != NULL
|
---|
1574 | && g_cbStartupLog < 16*_1M)
|
---|
1575 | {
|
---|
1576 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
1577 | NTSTATUS rcNt = NtFlushBuffersFile(g_hStartupLog, &Ios);
|
---|
1578 |
|
---|
1579 | /*
|
---|
1580 | * Try flush the volume containing the log file too.
|
---|
1581 | */
|
---|
1582 | if (g_wszStartupLogVol[0])
|
---|
1583 | {
|
---|
1584 | HANDLE hLogVol = RTNT_INVALID_HANDLE_VALUE;
|
---|
1585 | UNICODE_STRING NtName;
|
---|
1586 | NtName.Buffer = g_wszStartupLogVol;
|
---|
1587 | NtName.Length = (USHORT)(RTUtf16Len(g_wszStartupLogVol) * sizeof(RTUTF16));
|
---|
1588 | NtName.MaximumLength = NtName.Length + 1;
|
---|
1589 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
1590 | InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
1591 | RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
|
---|
1592 | rcNt = NtCreateFile(&hLogVol,
|
---|
1593 | GENERIC_WRITE | GENERIC_READ | SYNCHRONIZE | FILE_READ_ATTRIBUTES,
|
---|
1594 | &ObjAttr,
|
---|
1595 | &Ios,
|
---|
1596 | NULL /* Allocation Size*/,
|
---|
1597 | 0 /*FileAttributes*/,
|
---|
1598 | FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
|
---|
1599 | FILE_OPEN,
|
---|
1600 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
|
---|
1601 | NULL /*EaBuffer*/,
|
---|
1602 | 0 /*EaLength*/);
|
---|
1603 | if (NT_SUCCESS(rcNt))
|
---|
1604 | rcNt = Ios.Status;
|
---|
1605 | if (NT_SUCCESS(rcNt))
|
---|
1606 | {
|
---|
1607 | RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
|
---|
1608 | rcNt = NtFlushBuffersFile(hLogVol, &Ios);
|
---|
1609 | NtClose(hLogVol);
|
---|
1610 | }
|
---|
1611 | else
|
---|
1612 | {
|
---|
1613 | /* This may have sideeffects similar to what we want... */
|
---|
1614 | hLogVol = RTNT_INVALID_HANDLE_VALUE;
|
---|
1615 | RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
|
---|
1616 | rcNt = NtCreateFile(&hLogVol,
|
---|
1617 | GENERIC_READ | SYNCHRONIZE | FILE_READ_ATTRIBUTES,
|
---|
1618 | &ObjAttr,
|
---|
1619 | &Ios,
|
---|
1620 | NULL /* Allocation Size*/,
|
---|
1621 | 0 /*FileAttributes*/,
|
---|
1622 | FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
|
---|
1623 | FILE_OPEN,
|
---|
1624 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
|
---|
1625 | NULL /*EaBuffer*/,
|
---|
1626 | 0 /*EaLength*/);
|
---|
1627 | if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
|
---|
1628 | NtClose(hLogVol);
|
---|
1629 | }
|
---|
1630 | }
|
---|
1631 | }
|
---|
1632 | #else
|
---|
1633 | /* later */
|
---|
1634 | #endif
|
---|
1635 | }
|
---|
1636 |
|
---|
1637 |
|
---|
1638 | /**
|
---|
1639 | * Prints the message prefix.
|
---|
1640 | */
|
---|
1641 | static void suplibHardenedPrintPrefix(void)
|
---|
1642 | {
|
---|
1643 | if (g_pszSupLibHardenedProgName)
|
---|
1644 | suplibHardenedPrintStr(g_pszSupLibHardenedProgName);
|
---|
1645 | suplibHardenedPrintStr(": ");
|
---|
1646 | }
|
---|
1647 |
|
---|
1648 |
|
---|
1649 | DECL_NO_RETURN(DECLHIDDEN(void)) supR3HardenedFatalMsgV(const char *pszWhere, SUPINITOP enmWhat, int rc,
|
---|
1650 | const char *pszMsgFmt, va_list va)
|
---|
1651 | {
|
---|
1652 | /*
|
---|
1653 | * First to the log.
|
---|
1654 | */
|
---|
1655 | supR3HardenedLog("Error %d in %s! (enmWhat=%d)\n", rc, pszWhere, enmWhat);
|
---|
1656 | va_list vaCopy;
|
---|
1657 | va_copy(vaCopy, va);
|
---|
1658 | supR3HardenedLogV(pszMsgFmt, vaCopy);
|
---|
1659 | va_end(vaCopy);
|
---|
1660 |
|
---|
1661 | #ifdef RT_OS_WINDOWS
|
---|
1662 | /*
|
---|
1663 | * The release log.
|
---|
1664 | */
|
---|
1665 | if (g_pfnRTLogRelPrintf)
|
---|
1666 | {
|
---|
1667 | va_copy(vaCopy, va);
|
---|
1668 | g_pfnRTLogRelPrintf("supR3HardenedFatalMsgV: %s enmWhat=%d rc=%Rrc (%#x)\n", pszWhere, enmWhat, rc);
|
---|
1669 | g_pfnRTLogRelPrintf("supR3HardenedFatalMsgV: %N\n", pszMsgFmt, &vaCopy);
|
---|
1670 | va_end(vaCopy);
|
---|
1671 | }
|
---|
1672 | #endif
|
---|
1673 |
|
---|
1674 | /*
|
---|
1675 | * Then to the console.
|
---|
1676 | */
|
---|
1677 | suplibHardenedPrintPrefix();
|
---|
1678 | suplibHardenedPrintF("Error %d in %s!\n", rc, pszWhere);
|
---|
1679 |
|
---|
1680 | suplibHardenedPrintPrefix();
|
---|
1681 | va_copy(vaCopy, va);
|
---|
1682 | suplibHardenedPrintFV(pszMsgFmt, vaCopy);
|
---|
1683 | va_end(vaCopy);
|
---|
1684 | suplibHardenedPrintChr('\n');
|
---|
1685 |
|
---|
1686 | switch (enmWhat)
|
---|
1687 | {
|
---|
1688 | case kSupInitOp_Driver:
|
---|
1689 | suplibHardenedPrintChr('\n');
|
---|
1690 | suplibHardenedPrintPrefix();
|
---|
1691 | suplibHardenedPrintStr("Tip! Make sure the kernel module is loaded. It may also help to reinstall VirtualBox.\n");
|
---|
1692 | break;
|
---|
1693 |
|
---|
1694 | case kSupInitOp_Misc:
|
---|
1695 | case kSupInitOp_IPRT:
|
---|
1696 | case kSupInitOp_Integrity:
|
---|
1697 | case kSupInitOp_RootCheck:
|
---|
1698 | suplibHardenedPrintChr('\n');
|
---|
1699 | suplibHardenedPrintPrefix();
|
---|
1700 | suplibHardenedPrintStr("Tip! It may help to reinstall VirtualBox.\n");
|
---|
1701 | break;
|
---|
1702 |
|
---|
1703 | default:
|
---|
1704 | /* no hints here */
|
---|
1705 | break;
|
---|
1706 | }
|
---|
1707 |
|
---|
1708 | /*
|
---|
1709 | * Finally, TrustedError if appropriate.
|
---|
1710 | */
|
---|
1711 | if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
|
---|
1712 | {
|
---|
1713 | #ifdef SUP_HARDENED_SUID
|
---|
1714 | /* Drop any root privileges we might be holding, this won't return
|
---|
1715 | if it fails but end up calling supR3HardenedFatal[V]. */
|
---|
1716 | supR3HardenedMainDropPrivileges();
|
---|
1717 | #endif
|
---|
1718 | /* Close the driver, if we succeeded opening it. Both because
|
---|
1719 | TrustedError may be untrustworthy and because the driver deosn't
|
---|
1720 | like us if we fork(). @bugref{8838} */
|
---|
1721 | suplibOsTerm(&g_SupPreInitData.Data);
|
---|
1722 |
|
---|
1723 | /*
|
---|
1724 | * Now try resolve and call the TrustedError entry point if we can find it.
|
---|
1725 | * Note! Loader involved, so we must guard against loader hooks calling us.
|
---|
1726 | */
|
---|
1727 | static volatile bool s_fRecursive = false;
|
---|
1728 | if (!s_fRecursive)
|
---|
1729 | {
|
---|
1730 | s_fRecursive = true;
|
---|
1731 |
|
---|
1732 | PFNSUPTRUSTEDERROR pfnTrustedError = supR3HardenedMainGetTrustedError(g_pszSupLibHardenedProgName);
|
---|
1733 | if (pfnTrustedError)
|
---|
1734 | {
|
---|
1735 | /* We'll fork before we make the call because that way the session management
|
---|
1736 | in main will see us exiting immediately (if it's involved with us) and possibly
|
---|
1737 | get an error back to the API / user. */
|
---|
1738 | #if !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
|
---|
1739 | int pid = fork();
|
---|
1740 | if (pid <= 0)
|
---|
1741 | #endif
|
---|
1742 | {
|
---|
1743 | pfnTrustedError(pszWhere, enmWhat, rc, pszMsgFmt, va);
|
---|
1744 | }
|
---|
1745 | }
|
---|
1746 |
|
---|
1747 | s_fRecursive = false;
|
---|
1748 | }
|
---|
1749 | }
|
---|
1750 | #if defined(RT_OS_WINDOWS)
|
---|
1751 | /*
|
---|
1752 | * Report the error to the parent if this happens during early VM init.
|
---|
1753 | */
|
---|
1754 | else if ( g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED
|
---|
1755 | && g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
|
---|
1756 | supR3HardenedWinReportErrorToParent(pszWhere, enmWhat, rc, pszMsgFmt, va);
|
---|
1757 | #endif
|
---|
1758 |
|
---|
1759 | /*
|
---|
1760 | * Quit
|
---|
1761 | */
|
---|
1762 | suplibHardenedExit(RTEXITCODE_FAILURE);
|
---|
1763 | }
|
---|
1764 |
|
---|
1765 |
|
---|
1766 | DECL_NO_RETURN(DECLHIDDEN(void)) supR3HardenedFatalMsg(const char *pszWhere, SUPINITOP enmWhat, int rc,
|
---|
1767 | const char *pszMsgFmt, ...)
|
---|
1768 | {
|
---|
1769 | va_list va;
|
---|
1770 | va_start(va, pszMsgFmt);
|
---|
1771 | supR3HardenedFatalMsgV(pszWhere, enmWhat, rc, pszMsgFmt, va);
|
---|
1772 | /* not reached */
|
---|
1773 | }
|
---|
1774 |
|
---|
1775 |
|
---|
1776 | DECL_NO_RETURN(DECLHIDDEN(void)) supR3HardenedFatalV(const char *pszFormat, va_list va)
|
---|
1777 | {
|
---|
1778 | supR3HardenedLog("Fatal error:\n");
|
---|
1779 | va_list vaCopy;
|
---|
1780 | va_copy(vaCopy, va);
|
---|
1781 | supR3HardenedLogV(pszFormat, vaCopy);
|
---|
1782 | va_end(vaCopy);
|
---|
1783 |
|
---|
1784 | #if defined(RT_OS_WINDOWS)
|
---|
1785 | /*
|
---|
1786 | * Report the error to the parent if this happens during early VM init.
|
---|
1787 | */
|
---|
1788 | if ( g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED
|
---|
1789 | && g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
|
---|
1790 | supR3HardenedWinReportErrorToParent(NULL, kSupInitOp_Invalid, VERR_INTERNAL_ERROR, pszFormat, va);
|
---|
1791 | else
|
---|
1792 | #endif
|
---|
1793 | {
|
---|
1794 | #ifdef RT_OS_WINDOWS
|
---|
1795 | if (g_pfnRTLogRelPrintf)
|
---|
1796 | {
|
---|
1797 | va_copy(vaCopy, va);
|
---|
1798 | g_pfnRTLogRelPrintf("supR3HardenedFatalV: %N", pszFormat, &vaCopy);
|
---|
1799 | va_end(vaCopy);
|
---|
1800 | }
|
---|
1801 | #endif
|
---|
1802 |
|
---|
1803 | suplibHardenedPrintPrefix();
|
---|
1804 | suplibHardenedPrintFV(pszFormat, va);
|
---|
1805 | }
|
---|
1806 |
|
---|
1807 | suplibHardenedExit(RTEXITCODE_FAILURE);
|
---|
1808 | }
|
---|
1809 |
|
---|
1810 |
|
---|
1811 | DECL_NO_RETURN(DECLHIDDEN(void)) supR3HardenedFatal(const char *pszFormat, ...)
|
---|
1812 | {
|
---|
1813 | va_list va;
|
---|
1814 | va_start(va, pszFormat);
|
---|
1815 | supR3HardenedFatalV(pszFormat, va);
|
---|
1816 | /* not reached */
|
---|
1817 | }
|
---|
1818 |
|
---|
1819 |
|
---|
1820 | DECLHIDDEN(int) supR3HardenedErrorV(int rc, bool fFatal, const char *pszFormat, va_list va)
|
---|
1821 | {
|
---|
1822 | if (fFatal)
|
---|
1823 | supR3HardenedFatalV(pszFormat, va);
|
---|
1824 |
|
---|
1825 | supR3HardenedLog("Error (rc=%d):\n", rc);
|
---|
1826 | va_list vaCopy;
|
---|
1827 | va_copy(vaCopy, va);
|
---|
1828 | supR3HardenedLogV(pszFormat, vaCopy);
|
---|
1829 | va_end(vaCopy);
|
---|
1830 |
|
---|
1831 | #ifdef RT_OS_WINDOWS
|
---|
1832 | if (g_pfnRTLogRelPrintf)
|
---|
1833 | {
|
---|
1834 | va_copy(vaCopy, va);
|
---|
1835 | g_pfnRTLogRelPrintf("supR3HardenedErrorV: %N", pszFormat, &vaCopy);
|
---|
1836 | va_end(vaCopy);
|
---|
1837 | }
|
---|
1838 | #endif
|
---|
1839 |
|
---|
1840 | suplibHardenedPrintPrefix();
|
---|
1841 | suplibHardenedPrintFV(pszFormat, va);
|
---|
1842 |
|
---|
1843 | return rc;
|
---|
1844 | }
|
---|
1845 |
|
---|
1846 |
|
---|
1847 | DECLHIDDEN(int) supR3HardenedError(int rc, bool fFatal, const char *pszFormat, ...)
|
---|
1848 | {
|
---|
1849 | va_list va;
|
---|
1850 | va_start(va, pszFormat);
|
---|
1851 | supR3HardenedErrorV(rc, fFatal, pszFormat, va);
|
---|
1852 | va_end(va);
|
---|
1853 | return rc;
|
---|
1854 | }
|
---|
1855 |
|
---|
1856 |
|
---|
1857 |
|
---|
1858 | /**
|
---|
1859 | * Attempts to open /dev/vboxdrv (or equvivalent).
|
---|
1860 | *
|
---|
1861 | * @remarks This function will not return on failure.
|
---|
1862 | */
|
---|
1863 | DECLHIDDEN(void) supR3HardenedMainOpenDevice(void)
|
---|
1864 | {
|
---|
1865 | RTERRINFOSTATIC ErrInfo;
|
---|
1866 | SUPINITOP enmWhat = kSupInitOp_Driver;
|
---|
1867 | int rc = suplibOsInit(&g_SupPreInitData.Data, false /*fPreInit*/, true /*fUnrestricted*/,
|
---|
1868 | &enmWhat, RTErrInfoInitStatic(&ErrInfo));
|
---|
1869 | if (RT_SUCCESS(rc))
|
---|
1870 | return;
|
---|
1871 |
|
---|
1872 | if (RTErrInfoIsSet(&ErrInfo.Core))
|
---|
1873 | supR3HardenedFatalMsg("suplibOsInit", enmWhat, rc, "%s", ErrInfo.szMsg);
|
---|
1874 |
|
---|
1875 | switch (rc)
|
---|
1876 | {
|
---|
1877 | /** @todo better messages! */
|
---|
1878 | case VERR_VM_DRIVER_NOT_INSTALLED:
|
---|
1879 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel driver not installed");
|
---|
1880 | case VERR_VM_DRIVER_NOT_ACCESSIBLE:
|
---|
1881 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel driver not accessible");
|
---|
1882 | case VERR_VM_DRIVER_LOAD_ERROR:
|
---|
1883 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "VERR_VM_DRIVER_LOAD_ERROR");
|
---|
1884 | case VERR_VM_DRIVER_OPEN_ERROR:
|
---|
1885 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "VERR_VM_DRIVER_OPEN_ERROR");
|
---|
1886 | case VERR_VM_DRIVER_VERSION_MISMATCH:
|
---|
1887 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel driver version mismatch");
|
---|
1888 | case VERR_ACCESS_DENIED:
|
---|
1889 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "VERR_ACCESS_DENIED");
|
---|
1890 | case VERR_NO_MEMORY:
|
---|
1891 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel memory allocation/mapping failed");
|
---|
1892 | case VERR_SUPDRV_HARDENING_EVIL_HANDLE:
|
---|
1893 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPDRV_HARDENING_EVIL_HANDLE");
|
---|
1894 | case VERR_SUPLIB_NT_PROCESS_UNTRUSTED_0:
|
---|
1895 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPLIB_NT_PROCESS_UNTRUSTED_0");
|
---|
1896 | case VERR_SUPLIB_NT_PROCESS_UNTRUSTED_1:
|
---|
1897 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPLIB_NT_PROCESS_UNTRUSTED_1");
|
---|
1898 | case VERR_SUPLIB_NT_PROCESS_UNTRUSTED_2:
|
---|
1899 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPLIB_NT_PROCESS_UNTRUSTED_2");
|
---|
1900 | default:
|
---|
1901 | supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Unknown rc=%d (%Rrc)", rc, rc);
|
---|
1902 | }
|
---|
1903 | }
|
---|
1904 |
|
---|
1905 |
|
---|
1906 | #ifdef SUP_HARDENED_SUID
|
---|
1907 |
|
---|
1908 | /**
|
---|
1909 | * Grabs extra non-root capabilities / privileges that we might require.
|
---|
1910 | *
|
---|
1911 | * This is currently only used for being able to do ICMP from the NAT engine
|
---|
1912 | * and for being able to raise thread scheduling priority
|
---|
1913 | *
|
---|
1914 | * @note We still have root privileges at the time of this call.
|
---|
1915 | */
|
---|
1916 | static void supR3HardenedMainGrabCapabilites(void)
|
---|
1917 | {
|
---|
1918 | # if defined(RT_OS_LINUX)
|
---|
1919 | /*
|
---|
1920 | * We are about to drop all our privileges. Remove all capabilities but
|
---|
1921 | * keep the cap_net_raw capability for ICMP sockets for the NAT stack,
|
---|
1922 | * also keep cap_sys_nice capability for priority tweaking.
|
---|
1923 | */
|
---|
1924 | if (g_uCaps != 0)
|
---|
1925 | {
|
---|
1926 | # ifdef USE_LIB_PCAP
|
---|
1927 | /* XXX cap_net_bind_service */
|
---|
1928 | if (!cap_set_proc(cap_from_text("all-eip cap_net_raw+ep cap_sys_nice+ep")))
|
---|
1929 | prctl(PR_SET_KEEPCAPS, 1 /*keep=*/, 0, 0, 0);
|
---|
1930 | prctl(PR_SET_DUMPABLE, 1 /*dump*/, 0, 0, 0);
|
---|
1931 | # else
|
---|
1932 | cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
|
---|
1933 | cap_user_data_t cap = (cap_user_data_t)alloca(2 /*_LINUX_CAPABILITY_U32S_3*/ * sizeof(*cap));
|
---|
1934 | memset(hdr, 0, sizeof(*hdr));
|
---|
1935 | capget(hdr, NULL);
|
---|
1936 | if ( hdr->version != 0x19980330 /* _LINUX_CAPABILITY_VERSION_1, _LINUX_CAPABILITY_U32S_1 = 1 */
|
---|
1937 | && hdr->version != 0x20071026 /* _LINUX_CAPABILITY_VERSION_2, _LINUX_CAPABILITY_U32S_2 = 2 */
|
---|
1938 | && hdr->version != 0x20080522 /* _LINUX_CAPABILITY_VERSION_3, _LINUX_CAPABILITY_U32S_3 = 2 */)
|
---|
1939 | hdr->version = _LINUX_CAPABILITY_VERSION;
|
---|
1940 | g_uCapsVersion = hdr->version;
|
---|
1941 | memset(cap, 0, 2 /* _LINUX_CAPABILITY_U32S_3 */ * sizeof(*cap));
|
---|
1942 | cap->effective = g_uCaps;
|
---|
1943 | cap->permitted = g_uCaps;
|
---|
1944 | if (!capset(hdr, cap))
|
---|
1945 | prctl(PR_SET_KEEPCAPS, 1 /*keep*/, 0, 0, 0);
|
---|
1946 | prctl(PR_SET_DUMPABLE, 1 /*dump*/, 0, 0, 0);
|
---|
1947 | # endif /* !USE_LIB_PCAP */
|
---|
1948 | }
|
---|
1949 |
|
---|
1950 | # elif defined(RT_OS_SOLARIS)
|
---|
1951 | /*
|
---|
1952 | * Add net_icmpaccess privilege to effective privileges and limit
|
---|
1953 | * permitted privileges before completely dropping root privileges.
|
---|
1954 | * This requires dropping root privileges temporarily to get the normal
|
---|
1955 | * user's privileges.
|
---|
1956 | */
|
---|
1957 | seteuid(g_uid);
|
---|
1958 | priv_set_t *pPrivEffective = priv_allocset();
|
---|
1959 | priv_set_t *pPrivNew = priv_allocset();
|
---|
1960 | if (pPrivEffective && pPrivNew)
|
---|
1961 | {
|
---|
1962 | int rc = getppriv(PRIV_EFFECTIVE, pPrivEffective);
|
---|
1963 | seteuid(0);
|
---|
1964 | if (!rc)
|
---|
1965 | {
|
---|
1966 | priv_copyset(pPrivEffective, pPrivNew);
|
---|
1967 | rc = priv_addset(pPrivNew, PRIV_NET_ICMPACCESS);
|
---|
1968 | if (!rc)
|
---|
1969 | {
|
---|
1970 | /* Order is important, as one can't set a privilege which is
|
---|
1971 | * not in the permitted privilege set. */
|
---|
1972 | rc = setppriv(PRIV_SET, PRIV_EFFECTIVE, pPrivNew);
|
---|
1973 | if (rc)
|
---|
1974 | supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set effective privilege set.\n");
|
---|
1975 | rc = setppriv(PRIV_SET, PRIV_PERMITTED, pPrivNew);
|
---|
1976 | if (rc)
|
---|
1977 | supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set permitted privilege set.\n");
|
---|
1978 | }
|
---|
1979 | else
|
---|
1980 | supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to add NET_ICMPACCESS privilege.\n");
|
---|
1981 | }
|
---|
1982 | }
|
---|
1983 | else
|
---|
1984 | {
|
---|
1985 | /* for memory allocation failures just continue */
|
---|
1986 | seteuid(0);
|
---|
1987 | }
|
---|
1988 |
|
---|
1989 | if (pPrivEffective)
|
---|
1990 | priv_freeset(pPrivEffective);
|
---|
1991 | if (pPrivNew)
|
---|
1992 | priv_freeset(pPrivNew);
|
---|
1993 | # endif
|
---|
1994 | }
|
---|
1995 |
|
---|
1996 | /*
|
---|
1997 | * Look at the environment for some special options.
|
---|
1998 | */
|
---|
1999 | static void supR3GrabOptions(void)
|
---|
2000 | {
|
---|
2001 | # ifdef RT_OS_LINUX
|
---|
2002 | g_uCaps = 0;
|
---|
2003 |
|
---|
2004 | /*
|
---|
2005 | * Do _not_ perform any capability-related system calls for root processes
|
---|
2006 | * (leaving g_uCaps at 0).
|
---|
2007 | * (Hint: getuid gets the real user id, not the effective.)
|
---|
2008 | */
|
---|
2009 | if (getuid() != 0)
|
---|
2010 | {
|
---|
2011 | /*
|
---|
2012 | * CAP_NET_RAW.
|
---|
2013 | * Default: enabled.
|
---|
2014 | * Can be disabled with 'export VBOX_HARD_CAP_NET_RAW=0'.
|
---|
2015 | */
|
---|
2016 | const char *pszOpt = getenv("VBOX_HARD_CAP_NET_RAW");
|
---|
2017 | if ( !pszOpt
|
---|
2018 | || memcmp(pszOpt, "0", sizeof("0")) != 0)
|
---|
2019 | g_uCaps = CAP_TO_MASK(CAP_NET_RAW);
|
---|
2020 |
|
---|
2021 | /*
|
---|
2022 | * CAP_NET_BIND_SERVICE.
|
---|
2023 | * Default: disabled.
|
---|
2024 | * Can be enabled with 'export VBOX_HARD_CAP_NET_BIND_SERVICE=1'.
|
---|
2025 | */
|
---|
2026 | pszOpt = getenv("VBOX_HARD_CAP_NET_BIND_SERVICE");
|
---|
2027 | if ( pszOpt
|
---|
2028 | && memcmp(pszOpt, "0", sizeof("0")) != 0)
|
---|
2029 | g_uCaps |= CAP_TO_MASK(CAP_NET_BIND_SERVICE);
|
---|
2030 |
|
---|
2031 | /*
|
---|
2032 | * CAP_SYS_NICE.
|
---|
2033 | * Default: enabled.
|
---|
2034 | * Can be disabled with 'export VBOX_HARD_CAP_SYS_NICE=0'.
|
---|
2035 | */
|
---|
2036 | pszOpt = getenv("VBOX_HARD_CAP_SYS_NICE");
|
---|
2037 | if ( !pszOpt
|
---|
2038 | || memcmp(pszOpt, "0", sizeof("0")) != 0)
|
---|
2039 | g_uCaps |= CAP_TO_MASK(CAP_SYS_NICE);
|
---|
2040 | }
|
---|
2041 | # endif
|
---|
2042 | }
|
---|
2043 |
|
---|
2044 | /**
|
---|
2045 | * Drop any root privileges we might be holding.
|
---|
2046 | */
|
---|
2047 | static void supR3HardenedMainDropPrivileges(void)
|
---|
2048 | {
|
---|
2049 | /*
|
---|
2050 | * Try use setre[ug]id since this will clear the save uid/gid and thus
|
---|
2051 | * leave fewer traces behind that libs like GTK+ may pick up.
|
---|
2052 | */
|
---|
2053 | uid_t euid, ruid, suid;
|
---|
2054 | gid_t egid, rgid, sgid;
|
---|
2055 | # if defined(RT_OS_DARWIN)
|
---|
2056 | /* The really great thing here is that setreuid isn't available on
|
---|
2057 | OS X 10.4, libc emulates it. While 10.4 have a slightly different and
|
---|
2058 | non-standard setuid implementation compared to 10.5, the following
|
---|
2059 | works the same way with both version since we're super user (10.5 req).
|
---|
2060 | The following will set all three variants of the group and user IDs. */
|
---|
2061 | setgid(g_gid);
|
---|
2062 | setuid(g_uid);
|
---|
2063 | euid = geteuid();
|
---|
2064 | ruid = suid = getuid();
|
---|
2065 | egid = getegid();
|
---|
2066 | rgid = sgid = getgid();
|
---|
2067 |
|
---|
2068 | # elif defined(RT_OS_SOLARIS)
|
---|
2069 | /* Solaris doesn't have setresuid, but the setreuid interface is BSD
|
---|
2070 | compatible and will set the saved uid to euid when we pass it a ruid
|
---|
2071 | that isn't -1 (which we do). */
|
---|
2072 | setregid(g_gid, g_gid);
|
---|
2073 | setreuid(g_uid, g_uid);
|
---|
2074 | euid = geteuid();
|
---|
2075 | ruid = suid = getuid();
|
---|
2076 | egid = getegid();
|
---|
2077 | rgid = sgid = getgid();
|
---|
2078 |
|
---|
2079 | # else
|
---|
2080 | /* This is the preferred one, full control no questions about semantics.
|
---|
2081 | PORTME: If this isn't work, try join one of two other gangs above. */
|
---|
2082 | int res = setresgid(g_gid, g_gid, g_gid);
|
---|
2083 | NOREF(res);
|
---|
2084 | res = setresuid(g_uid, g_uid, g_uid);
|
---|
2085 | NOREF(res);
|
---|
2086 | if (getresuid(&ruid, &euid, &suid) != 0)
|
---|
2087 | {
|
---|
2088 | euid = geteuid();
|
---|
2089 | ruid = suid = getuid();
|
---|
2090 | }
|
---|
2091 | if (getresgid(&rgid, &egid, &sgid) != 0)
|
---|
2092 | {
|
---|
2093 | egid = getegid();
|
---|
2094 | rgid = sgid = getgid();
|
---|
2095 | }
|
---|
2096 | # endif
|
---|
2097 |
|
---|
2098 |
|
---|
2099 | /* Check that it worked out all right. */
|
---|
2100 | if ( euid != g_uid
|
---|
2101 | || ruid != g_uid
|
---|
2102 | || suid != g_uid
|
---|
2103 | || egid != g_gid
|
---|
2104 | || rgid != g_gid
|
---|
2105 | || sgid != g_gid)
|
---|
2106 | supR3HardenedFatal("SUPR3HardenedMain: failed to drop root privileges!"
|
---|
2107 | " (euid=%d ruid=%d suid=%d egid=%d rgid=%d sgid=%d; wanted uid=%d and gid=%d)\n",
|
---|
2108 | euid, ruid, suid, egid, rgid, sgid, g_uid, g_gid);
|
---|
2109 |
|
---|
2110 | # if RT_OS_LINUX
|
---|
2111 | /*
|
---|
2112 | * Re-enable the cap_net_raw and cap_sys_nice capabilities which were disabled during setresuid.
|
---|
2113 | */
|
---|
2114 | if (g_uCaps != 0)
|
---|
2115 | {
|
---|
2116 | # ifdef USE_LIB_PCAP
|
---|
2117 | /** @todo Warn if that does not work? */
|
---|
2118 | /* XXX cap_net_bind_service */
|
---|
2119 | cap_set_proc(cap_from_text("cap_net_raw+ep cap_sys_nice+ep"));
|
---|
2120 | # else
|
---|
2121 | cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
|
---|
2122 | cap_user_data_t cap = (cap_user_data_t)alloca(2 /* _LINUX_CAPABILITY_U32S_3 */ * sizeof(*cap));
|
---|
2123 | memset(hdr, 0, sizeof(*hdr));
|
---|
2124 | hdr->version = g_uCapsVersion;
|
---|
2125 | memset(cap, 0, 2 /* _LINUX_CAPABILITY_U32S_3 */ * sizeof(*cap));
|
---|
2126 | cap->effective = g_uCaps;
|
---|
2127 | cap->permitted = g_uCaps;
|
---|
2128 | /** @todo Warn if that does not work? */
|
---|
2129 | capset(hdr, cap);
|
---|
2130 | # endif /* !USE_LIB_PCAP */
|
---|
2131 | }
|
---|
2132 | # endif
|
---|
2133 | }
|
---|
2134 |
|
---|
2135 | #endif /* SUP_HARDENED_SUID */
|
---|
2136 |
|
---|
2137 | /**
|
---|
2138 | * Purge the process environment from any environment vairable which can lead
|
---|
2139 | * to loading untrusted binaries compromising the process address space.
|
---|
2140 | *
|
---|
2141 | * @param envp The initial environment vector. (Can be NULL.)
|
---|
2142 | */
|
---|
2143 | static void supR3HardenedMainPurgeEnvironment(char **envp)
|
---|
2144 | {
|
---|
2145 | for (unsigned i = 0; i < RT_ELEMENTS(g_aSupEnvPurgeDescs); i++)
|
---|
2146 | {
|
---|
2147 | /*
|
---|
2148 | * Update the initial environment vector, just in case someone actually cares about it.
|
---|
2149 | */
|
---|
2150 | if (envp)
|
---|
2151 | {
|
---|
2152 | const char * const pszEnv = g_aSupEnvPurgeDescs[i].pszEnv;
|
---|
2153 | size_t const cchEnv = g_aSupEnvPurgeDescs[i].cchEnv;
|
---|
2154 | unsigned iSrc = 0;
|
---|
2155 | unsigned iDst = 0;
|
---|
2156 | char *pszTmp;
|
---|
2157 |
|
---|
2158 | while ((pszTmp = envp[iSrc]) != NULL)
|
---|
2159 | {
|
---|
2160 | if ( memcmp(pszTmp, pszEnv, cchEnv) != 0
|
---|
2161 | || (pszTmp[cchEnv] != '=' && pszTmp[cchEnv] != '\0'))
|
---|
2162 | {
|
---|
2163 | if (iDst != iSrc)
|
---|
2164 | envp[iDst] = pszTmp;
|
---|
2165 | iDst++;
|
---|
2166 | }
|
---|
2167 | else
|
---|
2168 | SUP_DPRINTF(("supR3HardenedMainPurgeEnvironment: dropping envp[%d]=%s\n", iSrc, pszTmp));
|
---|
2169 | iSrc++;
|
---|
2170 | }
|
---|
2171 |
|
---|
2172 | if (iDst != iSrc)
|
---|
2173 | while (iDst <= iSrc)
|
---|
2174 | envp[iDst++] = NULL;
|
---|
2175 | }
|
---|
2176 |
|
---|
2177 | /*
|
---|
2178 | * Remove from the process environment if present.
|
---|
2179 | */
|
---|
2180 | #ifndef RT_OS_WINDOWS
|
---|
2181 | const char *pszTmp = getenv(g_aSupEnvPurgeDescs[i].pszEnv);
|
---|
2182 | if (pszTmp != NULL)
|
---|
2183 | {
|
---|
2184 | if (unsetenv((char *)g_aSupEnvPurgeDescs[i].pszEnv) == 0)
|
---|
2185 | SUP_DPRINTF(("supR3HardenedMainPurgeEnvironment: dropped %s\n", pszTmp));
|
---|
2186 | else
|
---|
2187 | if (g_aSupEnvPurgeDescs[i].fPurgeErrFatal)
|
---|
2188 | supR3HardenedFatal("SUPR3HardenedMain: failed to purge %s environment variable! (errno=%d %s)\n",
|
---|
2189 | g_aSupEnvPurgeDescs[i].pszEnv, errno, strerror(errno));
|
---|
2190 | else
|
---|
2191 | SUP_DPRINTF(("supR3HardenedMainPurgeEnvironment: dropping %s failed! errno=%d\n", pszTmp, errno));
|
---|
2192 | }
|
---|
2193 | #else
|
---|
2194 | /** @todo Call NT API to do the same. */
|
---|
2195 | #endif
|
---|
2196 | }
|
---|
2197 | }
|
---|
2198 |
|
---|
2199 |
|
---|
2200 | /**
|
---|
2201 | * Returns the argument purge descriptor of the given argument if available.
|
---|
2202 | *
|
---|
2203 | * @retval 0 if it should not be purged.
|
---|
2204 | * @retval 1 if it only the current argument should be purged.
|
---|
2205 | * @retval 2 if the argument and the following (if present) should be purged.
|
---|
2206 | * @param pszArg The argument to look for.
|
---|
2207 | */
|
---|
2208 | static unsigned supR3HardenedMainShouldPurgeArg(const char *pszArg)
|
---|
2209 | {
|
---|
2210 | for (unsigned i = 0; i < RT_ELEMENTS(g_aSupArgPurgeDescs); i++)
|
---|
2211 | {
|
---|
2212 | size_t const cchPurge = g_aSupArgPurgeDescs[i].cchArg;
|
---|
2213 | if (!memcmp(pszArg, g_aSupArgPurgeDescs[i].pszArg, cchPurge))
|
---|
2214 | {
|
---|
2215 | if (pszArg[cchPurge] == '\0')
|
---|
2216 | return 1 + g_aSupArgPurgeDescs[i].fTakesValue;
|
---|
2217 | if ( g_aSupArgPurgeDescs[i].fTakesValue
|
---|
2218 | && (pszArg[cchPurge] == ':' || pszArg[cchPurge] == '='))
|
---|
2219 | return 1;
|
---|
2220 | }
|
---|
2221 | }
|
---|
2222 |
|
---|
2223 | return 0;
|
---|
2224 | }
|
---|
2225 |
|
---|
2226 |
|
---|
2227 | /**
|
---|
2228 | * Purges any command line arguments considered harmful.
|
---|
2229 | *
|
---|
2230 | * @returns nothing.
|
---|
2231 | * @param cArgsOrig The original number of arguments.
|
---|
2232 | * @param papszArgsOrig The original argument vector.
|
---|
2233 | * @param pcArgsNew Where to store the new number of arguments on success.
|
---|
2234 | * @param ppapszArgsNew Where to store the pointer to the purged argument vector.
|
---|
2235 | */
|
---|
2236 | static void supR3HardenedMainPurgeArgs(int cArgsOrig, char **papszArgsOrig, int *pcArgsNew, char ***ppapszArgsNew)
|
---|
2237 | {
|
---|
2238 | int iDst = 0;
|
---|
2239 | #ifdef RT_OS_WINDOWS
|
---|
2240 | char **papszArgsNew = papszArgsOrig; /* We allocated this, no need to allocate again. */
|
---|
2241 | #else
|
---|
2242 | char **papszArgsNew = (char **)malloc((cArgsOrig + 1) * sizeof(char *));
|
---|
2243 | #endif
|
---|
2244 | if (papszArgsNew)
|
---|
2245 | {
|
---|
2246 | for (int iSrc = 0; iSrc < cArgsOrig; iSrc++)
|
---|
2247 | {
|
---|
2248 | unsigned cPurgedArgs = supR3HardenedMainShouldPurgeArg(papszArgsOrig[iSrc]);
|
---|
2249 | if (!cPurgedArgs)
|
---|
2250 | papszArgsNew[iDst++] = papszArgsOrig[iSrc];
|
---|
2251 | else
|
---|
2252 | iSrc += cPurgedArgs - 1;
|
---|
2253 | }
|
---|
2254 |
|
---|
2255 | papszArgsNew[iDst] = NULL; /* The array is NULL terminated, just like envp. */
|
---|
2256 | }
|
---|
2257 | else
|
---|
2258 | supR3HardenedFatal("SUPR3HardenedMain: failed to allocate memory for purged command line!\n");
|
---|
2259 | *pcArgsNew = iDst;
|
---|
2260 | *ppapszArgsNew = papszArgsNew;
|
---|
2261 |
|
---|
2262 | #ifdef RT_OS_WINDOWS
|
---|
2263 | /** @todo Update command line pointers in PEB, wont really work without it. */
|
---|
2264 | #endif
|
---|
2265 | }
|
---|
2266 |
|
---|
2267 |
|
---|
2268 | /**
|
---|
2269 | * Loads the VBoxRT DLL/SO/DYLIB, hands it the open driver,
|
---|
2270 | * and calls RTR3InitEx.
|
---|
2271 | *
|
---|
2272 | * @param fFlags The SUPR3HardenedMain fFlags argument, passed to supR3PreInit.
|
---|
2273 | *
|
---|
2274 | * @remarks VBoxRT contains both IPRT and SUPR3.
|
---|
2275 | * @remarks This function will not return on failure.
|
---|
2276 | */
|
---|
2277 | static void supR3HardenedMainInitRuntime(uint32_t fFlags)
|
---|
2278 | {
|
---|
2279 | /*
|
---|
2280 | * Construct the name.
|
---|
2281 | */
|
---|
2282 | char szPath[RTPATH_MAX];
|
---|
2283 | supR3HardenedPathAppSharedLibs(szPath, sizeof(szPath) - sizeof("/VBoxRT" SUPLIB_DLL_SUFF));
|
---|
2284 | suplibHardenedStrCat(szPath, "/VBoxRT" SUPLIB_DLL_SUFF);
|
---|
2285 |
|
---|
2286 | /*
|
---|
2287 | * Open it and resolve the symbols.
|
---|
2288 | */
|
---|
2289 | #if defined(RT_OS_WINDOWS)
|
---|
2290 | HMODULE hMod = (HMODULE)supR3HardenedWinLoadLibrary(szPath, false /*fSystem32Only*/, g_fSupHardenedMain);
|
---|
2291 | if (!hMod)
|
---|
2292 | supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
|
---|
2293 | "LoadLibrary \"%s\" failed (rc=%d)",
|
---|
2294 | szPath, RtlGetLastWin32Error());
|
---|
2295 | PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)GetProcAddress(hMod, SUP_HARDENED_SYM("RTR3InitEx"));
|
---|
2296 | if (!pfnRTInitEx)
|
---|
2297 | supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
|
---|
2298 | "Entrypoint \"RTR3InitEx\" not found in \"%s\" (rc=%d)",
|
---|
2299 | szPath, RtlGetLastWin32Error());
|
---|
2300 |
|
---|
2301 | PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)GetProcAddress(hMod, SUP_HARDENED_SYM("supR3PreInit"));
|
---|
2302 | if (!pfnSUPPreInit)
|
---|
2303 | supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
|
---|
2304 | "Entrypoint \"supR3PreInit\" not found in \"%s\" (rc=%d)",
|
---|
2305 | szPath, RtlGetLastWin32Error());
|
---|
2306 |
|
---|
2307 | g_pfnRTLogRelPrintf = (PFNRTLOGRELPRINTF)GetProcAddress(hMod, SUP_HARDENED_SYM("RTLogRelPrintf"));
|
---|
2308 | Assert(g_pfnRTLogRelPrintf); /* Not fatal in non-strict builds. */
|
---|
2309 |
|
---|
2310 | #else
|
---|
2311 | /* the dlopen crowd */
|
---|
2312 | void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
|
---|
2313 | if (!pvMod)
|
---|
2314 | supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
|
---|
2315 | "dlopen(\"%s\",) failed: %s",
|
---|
2316 | szPath, dlerror());
|
---|
2317 | PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("RTR3InitEx"));
|
---|
2318 | if (!pfnRTInitEx)
|
---|
2319 | supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
|
---|
2320 | "Entrypoint \"RTR3InitEx\" not found in \"%s\"!\ndlerror: %s",
|
---|
2321 | szPath, dlerror());
|
---|
2322 | PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("supR3PreInit"));
|
---|
2323 | if (!pfnSUPPreInit)
|
---|
2324 | supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
|
---|
2325 | "Entrypoint \"supR3PreInit\" not found in \"%s\"!\ndlerror: %s",
|
---|
2326 | szPath, dlerror());
|
---|
2327 | #endif
|
---|
2328 |
|
---|
2329 | /*
|
---|
2330 | * Make the calls.
|
---|
2331 | */
|
---|
2332 | supR3HardenedGetPreInitData(&g_SupPreInitData);
|
---|
2333 | int rc = pfnSUPPreInit(&g_SupPreInitData, fFlags);
|
---|
2334 | if (RT_FAILURE(rc))
|
---|
2335 | supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
|
---|
2336 | "supR3PreInit failed with rc=%d", rc);
|
---|
2337 | const char *pszExePath = NULL;
|
---|
2338 | #ifdef RT_OS_LINUX
|
---|
2339 | if (!supR3HardenedMainIsProcSelfExeAccssible())
|
---|
2340 | pszExePath = g_szSupLibHardenedExePath;
|
---|
2341 | #endif
|
---|
2342 | rc = pfnRTInitEx(RTR3INIT_VER_1,
|
---|
2343 | fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV ? 0 : RTR3INIT_FLAGS_SUPLIB,
|
---|
2344 | 0 /*cArgs*/, NULL /*papszArgs*/, pszExePath);
|
---|
2345 | if (RT_FAILURE(rc))
|
---|
2346 | supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
|
---|
2347 | "RTR3InitEx failed with rc=%d", rc);
|
---|
2348 |
|
---|
2349 | #if defined(RT_OS_WINDOWS)
|
---|
2350 | /*
|
---|
2351 | * Windows: Create thread that terminates the process when the parent stub
|
---|
2352 | * process terminates (VBoxNetDHCP, Ctrl-C, etc).
|
---|
2353 | */
|
---|
2354 | if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
|
---|
2355 | supR3HardenedWinCreateParentWatcherThread(hMod);
|
---|
2356 | #endif
|
---|
2357 | }
|
---|
2358 |
|
---|
2359 |
|
---|
2360 | /**
|
---|
2361 | * Construct the path to the DLL/SO/DYLIB containing the actual program.
|
---|
2362 | *
|
---|
2363 | * @returns VBox status code.
|
---|
2364 | * @param pszProgName The program name.
|
---|
2365 | * @param fMainFlags The flags passed to SUPR3HardenedMain.
|
---|
2366 | * @param pszPath The output buffer.
|
---|
2367 | * @param cbPath The size of the output buffer, in bytes. Must be at
|
---|
2368 | * least 128 bytes!
|
---|
2369 | */
|
---|
2370 | static int supR3HardenedMainGetTrustedLib(const char *pszProgName, uint32_t fMainFlags, char *pszPath, size_t cbPath)
|
---|
2371 | {
|
---|
2372 | supR3HardenedPathAppPrivateArch(pszPath, sizeof(cbPath) - 10);
|
---|
2373 | const char *pszSubDirSlash;
|
---|
2374 | switch (g_fSupHardenedMain & SUPSECMAIN_FLAGS_LOC_MASK)
|
---|
2375 | {
|
---|
2376 | case SUPSECMAIN_FLAGS_LOC_APP_BIN:
|
---|
2377 | #ifdef RT_OS_DARWIN
|
---|
2378 | case SUPSECMAIN_FLAGS_LOC_OSX_HLP_APP:
|
---|
2379 | #endif
|
---|
2380 | pszSubDirSlash = "/";
|
---|
2381 | break;
|
---|
2382 | case SUPSECMAIN_FLAGS_LOC_TESTCASE:
|
---|
2383 | pszSubDirSlash = "/testcase/";
|
---|
2384 | break;
|
---|
2385 | default:
|
---|
2386 | pszSubDirSlash = "/";
|
---|
2387 | supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Unknown program binary location: %#x\n", g_fSupHardenedMain);
|
---|
2388 | }
|
---|
2389 | #ifdef RT_OS_DARWIN
|
---|
2390 | if (fMainFlags & SUPSECMAIN_FLAGS_OSX_VM_APP)
|
---|
2391 | pszProgName = "VirtualBox";
|
---|
2392 | #else
|
---|
2393 | RT_NOREF1(fMainFlags);
|
---|
2394 | #endif
|
---|
2395 | size_t cch = suplibHardenedStrLen(pszPath);
|
---|
2396 | return suplibHardenedStrCopyEx(&pszPath[cch], cbPath - cch, pszSubDirSlash, pszProgName, SUPLIB_DLL_SUFF, NULL);
|
---|
2397 | }
|
---|
2398 |
|
---|
2399 |
|
---|
2400 | /**
|
---|
2401 | * Loads the DLL/SO/DYLIB containing the actual program and
|
---|
2402 | * resolves the TrustedError symbol.
|
---|
2403 | *
|
---|
2404 | * This is very similar to supR3HardenedMainGetTrustedMain().
|
---|
2405 | *
|
---|
2406 | * @returns Pointer to the trusted error symbol if it is exported, NULL
|
---|
2407 | * and no error messages otherwise.
|
---|
2408 | * @param pszProgName The program name.
|
---|
2409 | */
|
---|
2410 | static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName)
|
---|
2411 | {
|
---|
2412 | /*
|
---|
2413 | * Don't bother if the main() function didn't advertise any TrustedError
|
---|
2414 | * export. It's both a waste of time and may trigger additional problems,
|
---|
2415 | * confusing or obscuring the original issue.
|
---|
2416 | */
|
---|
2417 | if (!(g_fSupHardenedMain & SUPSECMAIN_FLAGS_TRUSTED_ERROR))
|
---|
2418 | return NULL;
|
---|
2419 |
|
---|
2420 | /*
|
---|
2421 | * Construct the name.
|
---|
2422 | */
|
---|
2423 | char szPath[RTPATH_MAX];
|
---|
2424 | supR3HardenedMainGetTrustedLib(pszProgName, g_fSupHardenedMain, szPath, sizeof(szPath));
|
---|
2425 |
|
---|
2426 | /*
|
---|
2427 | * Open it and resolve the symbol.
|
---|
2428 | */
|
---|
2429 | #if defined(RT_OS_WINDOWS)
|
---|
2430 | supR3HardenedWinEnableThreadCreation();
|
---|
2431 | HMODULE hMod = (HMODULE)supR3HardenedWinLoadLibrary(szPath, false /*fSystem32Only*/, 0 /*fMainFlags*/);
|
---|
2432 | if (!hMod)
|
---|
2433 | return NULL;
|
---|
2434 | FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedError"));
|
---|
2435 | if (!pfn)
|
---|
2436 | return NULL;
|
---|
2437 | return (PFNSUPTRUSTEDERROR)pfn;
|
---|
2438 |
|
---|
2439 | #else
|
---|
2440 | /* the dlopen crowd */
|
---|
2441 | void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
|
---|
2442 | if (!pvMod)
|
---|
2443 | return NULL;
|
---|
2444 | void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedError"));
|
---|
2445 | if (!pvSym)
|
---|
2446 | return NULL;
|
---|
2447 | return (PFNSUPTRUSTEDERROR)(uintptr_t)pvSym;
|
---|
2448 | #endif
|
---|
2449 | }
|
---|
2450 |
|
---|
2451 |
|
---|
2452 | /**
|
---|
2453 | * Loads the DLL/SO/DYLIB containing the actual program and
|
---|
2454 | * resolves the TrustedMain symbol.
|
---|
2455 | *
|
---|
2456 | * @returns Pointer to the trusted main of the actual program.
|
---|
2457 | * @param pszProgName The program name.
|
---|
2458 | * @param fMainFlags The flags passed to SUPR3HardenedMain.
|
---|
2459 | * @remarks This function will not return on failure.
|
---|
2460 | */
|
---|
2461 | static PFNSUPTRUSTEDMAIN supR3HardenedMainGetTrustedMain(const char *pszProgName, uint32_t fMainFlags)
|
---|
2462 | {
|
---|
2463 | /*
|
---|
2464 | * Construct the name.
|
---|
2465 | */
|
---|
2466 | char szPath[RTPATH_MAX];
|
---|
2467 | supR3HardenedMainGetTrustedLib(pszProgName, fMainFlags, szPath, sizeof(szPath));
|
---|
2468 |
|
---|
2469 | /*
|
---|
2470 | * Open it and resolve the symbol.
|
---|
2471 | */
|
---|
2472 | #if defined(RT_OS_WINDOWS)
|
---|
2473 | HMODULE hMod = (HMODULE)supR3HardenedWinLoadLibrary(szPath, false /*fSystem32Only*/, 0 /*fMainFlags*/);
|
---|
2474 | if (!hMod)
|
---|
2475 | supR3HardenedFatal("supR3HardenedMainGetTrustedMain: LoadLibrary \"%s\" failed, rc=%d\n",
|
---|
2476 | szPath, RtlGetLastWin32Error());
|
---|
2477 | FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedMain"));
|
---|
2478 | if (!pfn)
|
---|
2479 | supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\" (rc=%d)\n",
|
---|
2480 | szPath, RtlGetLastWin32Error());
|
---|
2481 | return (PFNSUPTRUSTEDMAIN)pfn;
|
---|
2482 |
|
---|
2483 | #else
|
---|
2484 | /* the dlopen crowd */
|
---|
2485 | void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
|
---|
2486 | if (!pvMod)
|
---|
2487 | supR3HardenedFatal("supR3HardenedMainGetTrustedMain: dlopen(\"%s\",) failed: %s\n",
|
---|
2488 | szPath, dlerror());
|
---|
2489 | void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedMain"));
|
---|
2490 | if (!pvSym)
|
---|
2491 | supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\"!\ndlerror: %s\n",
|
---|
2492 | szPath, dlerror());
|
---|
2493 | return (PFNSUPTRUSTEDMAIN)(uintptr_t)pvSym;
|
---|
2494 | #endif
|
---|
2495 | }
|
---|
2496 |
|
---|
2497 |
|
---|
2498 | /**
|
---|
2499 | * Secure main.
|
---|
2500 | *
|
---|
2501 | * This is used for the set-user-ID-on-execute binaries on unixy systems
|
---|
2502 | * and when using the open-vboxdrv-via-root-service setup on Windows.
|
---|
2503 | *
|
---|
2504 | * This function will perform the integrity checks of the VirtualBox
|
---|
2505 | * installation, open the support driver, open the root service (later),
|
---|
2506 | * and load the DLL corresponding to \a pszProgName and execute its main
|
---|
2507 | * function.
|
---|
2508 | *
|
---|
2509 | * @returns Return code appropriate for main().
|
---|
2510 | *
|
---|
2511 | * @param pszProgName The program name. This will be used to figure out which
|
---|
2512 | * DLL/SO/DYLIB to load and execute.
|
---|
2513 | * @param fFlags Flags.
|
---|
2514 | * @param argc The argument count.
|
---|
2515 | * @param argv The argument vector.
|
---|
2516 | * @param envp The environment vector.
|
---|
2517 | */
|
---|
2518 | DECLHIDDEN(int) SUPR3HardenedMain(const char *pszProgName, uint32_t fFlags, int argc, char **argv, char **envp)
|
---|
2519 | {
|
---|
2520 | SUP_DPRINTF(("SUPR3HardenedMain: pszProgName=%s fFlags=%#x\n", pszProgName, fFlags));
|
---|
2521 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_HARDENED_MAIN_CALLED;
|
---|
2522 |
|
---|
2523 | /*
|
---|
2524 | * Note! At this point there is no IPRT, so we will have to stick
|
---|
2525 | * to basic CRT functions that everyone agree upon.
|
---|
2526 | */
|
---|
2527 | g_pszSupLibHardenedProgName = pszProgName;
|
---|
2528 | g_fSupHardenedMain = fFlags;
|
---|
2529 | g_SupPreInitData.u32Magic = SUPPREINITDATA_MAGIC;
|
---|
2530 | g_SupPreInitData.u32EndMagic = SUPPREINITDATA_MAGIC;
|
---|
2531 | #ifdef RT_OS_WINDOWS
|
---|
2532 | if (!g_fSupEarlyProcessInit)
|
---|
2533 | #endif
|
---|
2534 | g_SupPreInitData.Data.hDevice = SUP_HDEVICE_NIL;
|
---|
2535 |
|
---|
2536 | /*
|
---|
2537 | * Determine the full exe path as we'll be needing it for the verify all
|
---|
2538 | * call(s) below. (We have to do this early on Linux because we * *might*
|
---|
2539 | * not be able to access /proc/self/exe after the seteuid call.)
|
---|
2540 | */
|
---|
2541 | supR3HardenedGetFullExePath();
|
---|
2542 | #ifdef RT_OS_WINDOWS
|
---|
2543 | supR3HardenedWinInitAppBin(fFlags);
|
---|
2544 | #endif
|
---|
2545 |
|
---|
2546 | #ifdef SUP_HARDENED_SUID
|
---|
2547 | /*
|
---|
2548 | * Grab any options from the environment.
|
---|
2549 | */
|
---|
2550 | supR3GrabOptions();
|
---|
2551 |
|
---|
2552 | /*
|
---|
2553 | * Check that we're root, if we aren't then the installation is butchered.
|
---|
2554 | */
|
---|
2555 | g_uid = getuid();
|
---|
2556 | g_gid = getgid();
|
---|
2557 | if (geteuid() != 0 /* root */)
|
---|
2558 | supR3HardenedFatalMsg("SUPR3HardenedMain", kSupInitOp_RootCheck, VERR_PERMISSION_DENIED,
|
---|
2559 | "Effective UID is not root (euid=%d egid=%d uid=%d gid=%d)",
|
---|
2560 | geteuid(), getegid(), g_uid, g_gid);
|
---|
2561 | #endif /* SUP_HARDENED_SUID */
|
---|
2562 |
|
---|
2563 | #ifdef RT_OS_WINDOWS
|
---|
2564 | /*
|
---|
2565 | * Windows: First respawn. On Windows we will respawn the process twice to establish
|
---|
2566 | * something we can put some kind of reliable trust in. The first respawning aims
|
---|
2567 | * at dropping compatibility layers and process "security" solutions.
|
---|
2568 | */
|
---|
2569 | if ( !g_fSupEarlyProcessInit
|
---|
2570 | && !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV)
|
---|
2571 | && supR3HardenedWinIsReSpawnNeeded(1 /*iWhich*/, argc, argv))
|
---|
2572 | {
|
---|
2573 | SUP_DPRINTF(("SUPR3HardenedMain: Respawn #1\n"));
|
---|
2574 | supR3HardenedWinInit(SUPSECMAIN_FLAGS_DONT_OPEN_DEV | SUPSECMAIN_FLAGS_FIRST_PROCESS, false /*fAvastKludge*/);
|
---|
2575 | supR3HardenedVerifyAll(true /* fFatal */, pszProgName, g_szSupLibHardenedExePath, fFlags);
|
---|
2576 | return supR3HardenedWinReSpawn(1 /*iWhich*/);
|
---|
2577 | }
|
---|
2578 |
|
---|
2579 | /*
|
---|
2580 | * Windows: Initialize the image verification global data so we can verify the
|
---|
2581 | * signature of the process image and hook the core of the DLL loader API so we
|
---|
2582 | * can check the signature of all DLLs mapped into the process. (Already done
|
---|
2583 | * by early VM process init.)
|
---|
2584 | */
|
---|
2585 | if (!g_fSupEarlyProcessInit)
|
---|
2586 | supR3HardenedWinInit(fFlags, true /*fAvastKludge*/);
|
---|
2587 | #endif /* RT_OS_WINDOWS */
|
---|
2588 |
|
---|
2589 | /*
|
---|
2590 | * Validate the installation.
|
---|
2591 | */
|
---|
2592 | supR3HardenedVerifyAll(true /* fFatal */, pszProgName, g_szSupLibHardenedExePath, fFlags);
|
---|
2593 |
|
---|
2594 | /*
|
---|
2595 | * The next steps are only taken if we actually need to access the support
|
---|
2596 | * driver. (Already done by early process init.)
|
---|
2597 | */
|
---|
2598 | if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
|
---|
2599 | {
|
---|
2600 | #ifdef RT_OS_WINDOWS
|
---|
2601 | /*
|
---|
2602 | * Windows: Must have done early process init if we get here.
|
---|
2603 | */
|
---|
2604 | if (!g_fSupEarlyProcessInit)
|
---|
2605 | supR3HardenedFatalMsg("SUPR3HardenedMain", kSupInitOp_Integrity, VERR_WRONG_ORDER,
|
---|
2606 | "Early process init was somehow skipped.");
|
---|
2607 |
|
---|
2608 | /*
|
---|
2609 | * Windows: The second respawn. This time we make a special arrangement
|
---|
2610 | * with vboxdrv to monitor access to the new process from its inception.
|
---|
2611 | */
|
---|
2612 | if (supR3HardenedWinIsReSpawnNeeded(2 /* iWhich*/, argc, argv))
|
---|
2613 | {
|
---|
2614 | SUP_DPRINTF(("SUPR3HardenedMain: Respawn #2\n"));
|
---|
2615 | return supR3HardenedWinReSpawn(2 /* iWhich*/);
|
---|
2616 | }
|
---|
2617 | SUP_DPRINTF(("SUPR3HardenedMain: Final process, opening VBoxDrv...\n"));
|
---|
2618 | supR3HardenedWinFlushLoaderCache();
|
---|
2619 |
|
---|
2620 | #else
|
---|
2621 | /*
|
---|
2622 | * Open the vboxdrv device.
|
---|
2623 | */
|
---|
2624 | supR3HardenedMainOpenDevice();
|
---|
2625 | #endif /* !RT_OS_WINDOWS */
|
---|
2626 | }
|
---|
2627 |
|
---|
2628 | #ifdef RT_OS_WINDOWS
|
---|
2629 | /*
|
---|
2630 | * Windows: Enable the use of windows APIs to verify images at load time.
|
---|
2631 | */
|
---|
2632 | supR3HardenedWinEnableThreadCreation();
|
---|
2633 | supR3HardenedWinFlushLoaderCache();
|
---|
2634 | supR3HardenedWinResolveVerifyTrustApiAndHookThreadCreation(g_pszSupLibHardenedProgName);
|
---|
2635 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_VERIFY_TRUST_READY;
|
---|
2636 | #else /* !RT_OS_WINDOWS */
|
---|
2637 | # ifndef RT_OS_FREEBSD /** @todo portme */
|
---|
2638 | /*
|
---|
2639 | * Posix: Hook the load library interface interface.
|
---|
2640 | */
|
---|
2641 | supR3HardenedPosixInit();
|
---|
2642 | # endif
|
---|
2643 | #endif /* !RT_OS_WINDOWS */
|
---|
2644 |
|
---|
2645 | #ifdef SUP_HARDENED_SUID
|
---|
2646 | /*
|
---|
2647 | * Grab additional capabilities / privileges.
|
---|
2648 | */
|
---|
2649 | supR3HardenedMainGrabCapabilites();
|
---|
2650 |
|
---|
2651 | /*
|
---|
2652 | * Drop any root privileges we might be holding (won't return on failure)
|
---|
2653 | */
|
---|
2654 | supR3HardenedMainDropPrivileges();
|
---|
2655 | #endif
|
---|
2656 |
|
---|
2657 | /*
|
---|
2658 | * Purge any environment variables and command line arguments considered harmful.
|
---|
2659 | */
|
---|
2660 | /** @todo May need to move this to a much earlier stage on windows. */
|
---|
2661 | supR3HardenedMainPurgeEnvironment(envp);
|
---|
2662 | supR3HardenedMainPurgeArgs(argc, argv, &argc, &argv);
|
---|
2663 |
|
---|
2664 | /*
|
---|
2665 | * Load the IPRT, hand the SUPLib part the open driver and
|
---|
2666 | * call RTR3InitEx.
|
---|
2667 | */
|
---|
2668 | SUP_DPRINTF(("SUPR3HardenedMain: Load Runtime...\n"));
|
---|
2669 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_INIT_RUNTIME;
|
---|
2670 | supR3HardenedMainInitRuntime(fFlags);
|
---|
2671 | #ifdef RT_OS_WINDOWS
|
---|
2672 | supR3HardenedWinModifyDllSearchPath(fFlags, g_szSupLibHardenedAppBinPath);
|
---|
2673 | #endif
|
---|
2674 |
|
---|
2675 | /*
|
---|
2676 | * Load the DLL/SO/DYLIB containing the actual program
|
---|
2677 | * and pass control to it.
|
---|
2678 | */
|
---|
2679 | SUP_DPRINTF(("SUPR3HardenedMain: Load TrustedMain...\n"));
|
---|
2680 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_GET_TRUSTED_MAIN;
|
---|
2681 | PFNSUPTRUSTEDMAIN pfnTrustedMain = supR3HardenedMainGetTrustedMain(pszProgName, fFlags);
|
---|
2682 |
|
---|
2683 | SUP_DPRINTF(("SUPR3HardenedMain: Calling TrustedMain (%p)...\n", pfnTrustedMain));
|
---|
2684 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_CALLED_TRUSTED_MAIN;
|
---|
2685 | return pfnTrustedMain(argc, argv, envp);
|
---|
2686 | }
|
---|
2687 |
|
---|