VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp@ 14158

Last change on this file since 14158 was 13908, checked in by vboxsync, 16 years ago

Fixed include order, a bunch of GCC 3.3 warnings, OS/2 build.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 29.2 KB
Line 
1/* $Id: SUPR3HardenedMain.cpp 13908 2008-11-06 11:53:47Z vboxsync $ */
2/** @file
3 * VirtualBox Support Library - Hardened main().
4 */
5
6/*
7 * Copyright (C) 2006-2008 Sun Microsystems, Inc.
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 *
26 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa
27 * Clara, CA 95054 USA or visit http://www.sun.com if you need
28 * additional information or have any questions.
29 */
30
31/*******************************************************************************
32* Header Files *
33*******************************************************************************/
34#if defined(RT_OS_OS2)
35# define INCL_BASE
36# define INCL_ERRORS
37# include <os2.h>
38# include <stdio.h>
39# include <stdlib.h>
40# include <dlfcn.h>
41
42#elif RT_OS_WINDOWS
43# include <Windows.h>
44# include <stdio.h>
45
46#else /* UNIXes */
47# include <iprt/types.h> /* stdint fun on darwin. */
48
49# include <stdio.h>
50# include <stdlib.h>
51# include <dlfcn.h>
52# include <limits.h>
53# include <errno.h>
54# include <unistd.h>
55# include <sys/stat.h>
56# include <sys/time.h>
57# include <stdio.h>
58# include <sys/types.h>
59# include <pwd.h>
60# ifdef RT_OS_DARWIN
61# include <mach-o/dyld.h>
62# endif
63
64#endif
65
66#include <VBox/sup.h>
67#include <VBox/err.h>
68#include <iprt/string.h>
69#include <iprt/param.h>
70
71#include "SUPLibInternal.h"
72
73
74/*******************************************************************************
75* Defined Constants And Macros *
76*******************************************************************************/
77/** @def SUP_HARDENED_SUID
78 * Whether we're employing set-user-ID-on-execute in the hardening.
79 */
80#if !defined(RT_OS_OS2) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_L4)
81# define SUP_HARDENED_SUID
82#else
83# undef SUP_HARDENED_SUID
84#endif
85
86/** @def SUP_HARDENED_SYM
87 * Decorate a symbol that's resolved dynamically.
88 */
89#ifdef RT_OS_OS2
90# define SUP_HARDENED_SYM(sym) "_" sym
91#else
92# define SUP_HARDENED_SYM(sym) sym
93#endif
94
95
96/*******************************************************************************
97* Structures and Typedefs *
98*******************************************************************************/
99/** @see RTR3InitEx */
100typedef DECLCALLBACK(int) FNRTR3INITEX(uint32_t iVersion, const char *pszProgramPath, bool fInitSUPLib);
101typedef FNRTR3INITEX *PFNRTR3INITEX;
102
103
104/*******************************************************************************
105* Global Variables *
106*******************************************************************************/
107/** The pre-init data we pass on to SUPR3 (residing in VBoxRT). */
108static SUPPREINITDATA g_SupPreInitData;
109/** The progam executable path. */
110static char g_szSupLibHardenedExePath[RTPATH_MAX];
111/** The program directory path. */
112static char g_szSupLibHardenedDirPath[RTPATH_MAX];
113
114/** The program name. */
115static const char *g_pszSupLibHardenedProgName;
116
117#ifdef SUP_HARDENED_SUID
118/** The real UID at startup. */
119static uid_t g_uid;
120/** The real GID at startup. */
121static gid_t g_gid;
122#endif
123
124/*******************************************************************************
125* Internal Functions *
126*******************************************************************************/
127#ifdef SUP_HARDENED_SUID
128static void supR3HardenedMainDropPrivileges(void);
129#endif
130static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName);
131
132
133/**
134 * @copydoc RTPathStripFilename.
135 */
136static void suplibHardenedPathStripFilename(char *pszPath)
137{
138 char *psz = pszPath;
139 char *pszLastSep = pszPath;
140
141 for (;; psz++)
142 {
143 switch (*psz)
144 {
145 /* handle separators. */
146#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
147 case ':':
148 pszLastSep = psz + 1;
149 break;
150
151 case '\\':
152#endif
153 case '/':
154 pszLastSep = psz;
155 break;
156
157 /* the end */
158 case '\0':
159 if (pszLastSep == pszPath)
160 *pszLastSep++ = '.';
161 *pszLastSep = '\0';
162 return;
163 }
164 }
165 /* will never get here */
166}
167
168
169/**
170 * @copydoc RTPathFilename
171 */
172DECLHIDDEN(char *) supR3HardenedPathFilename(const char *pszPath)
173{
174 const char *psz = pszPath;
175 const char *pszLastComp = pszPath;
176
177 for (;; psz++)
178 {
179 switch (*psz)
180 {
181 /* handle separators. */
182#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
183 case ':':
184 pszLastComp = psz + 1;
185 break;
186
187 case '\\':
188#endif
189 case '/':
190 pszLastComp = psz + 1;
191 break;
192
193 /* the end */
194 case '\0':
195 if (*pszLastComp)
196 return (char *)(void *)pszLastComp;
197 return NULL;
198 }
199 }
200
201 /* will never get here */
202 return NULL;
203}
204
205
206/**
207 * @copydoc RTPathAppPrivateNoArch
208 */
209DECLHIDDEN(int) supR3HardenedPathAppPrivateNoArch(char *pszPath, size_t cchPath)
210{
211#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE)
212 const char *pszSrcPath = RTPATH_APP_PRIVATE;
213 size_t cchPathPrivateNoArch = strlen(pszSrcPath);
214 if (cchPathPrivateNoArch >= cchPath)
215 supR3HardenedFatal("supR3HardenedPathAppPrivateNoArch: Buffer overflow, %lu >= %lu\n",
216 (unsigned long)cchPathPrivateNoArch, (unsigned long)cchPath);
217 memcpy(pszPath, pszSrcPath, cchPathPrivateNoArch + 1);
218 return VINF_SUCCESS;
219
220#else
221 return supR3HardenedPathProgram(pszPath, cchPath);
222#endif
223}
224
225
226/**
227 * @copydoc RTPathAppPrivateArch
228 */
229DECLHIDDEN(int) supR3HardenedPathAppPrivateArch(char *pszPath, size_t cchPath)
230{
231#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE_ARCH)
232 const char *pszSrcPath = RTPATH_APP_PRIVATE_ARCH;
233 size_t cchPathPrivateArch = strlen(pszSrcPath);
234 if (cchPathPrivateArch >= cchPath)
235 supR3HardenedFatal("supR3HardenedPathAppPrivateArch: Buffer overflow, %lu >= %lu\n",
236 (unsigned long)cchPathPrivateArch, (unsigned long)cchPath);
237 memcpy(pszPath, pszSrcPath, cchPathPrivateArch + 1);
238 return VINF_SUCCESS;
239
240#else
241 return supR3HardenedPathProgram(pszPath, cchPath);
242#endif
243}
244
245
246/**
247 * @copydoc RTPathSharedLibs
248 */
249DECLHIDDEN(int) supR3HardenedPathSharedLibs(char *pszPath, size_t cchPath)
250{
251#if !defined(RT_OS_WINDOWS) && defined(RTPATH_SHARED_LIBS)
252 const char *pszSrcPath = RTPATH_SHARED_LIBS;
253 size_t cchPathSharedLibs = strlen(pszSrcPath);
254 if (cchPathSharedLibs >= cchPath)
255 supR3HardenedFatal("supR3HardenedPathSharedLibs: Buffer overflow, %lu >= %lu\n",
256 (unsigned long)cchPathSharedLibs, (unsigned long)cchPath);
257 memcpy(pszPath, pszSrcPath, cchPathSharedLibs + 1);
258 return VINF_SUCCESS;
259
260#else
261 return supR3HardenedPathProgram(pszPath, cchPath);
262#endif
263}
264
265
266/**
267 * @copydoc RTPathAppDocs
268 */
269DECLHIDDEN(int) supR3HardenedPathAppDocs(char *pszPath, size_t cchPath)
270{
271#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_DOCS)
272 const char *pszSrcPath = RTPATH_APP_DOCS;
273 size_t cchPathAppDocs = strlen(pszSrcPath);
274 if (cchPathAppDocs >= cchPath)
275 supR3HardenedFatal("supR3HardenedPathAppDocs: Buffer overflow, %lu >= %lu\n",
276 (unsigned long)cchPathAppDocs, (unsigned long)cchPath);
277 memcpy(pszPath, pszSrcPath, cchPathAppDocs + 1);
278 return VINF_SUCCESS;
279
280#else
281 return supR3HardenedPathProgram(pszPath, cchPath);
282#endif
283}
284
285
286/**
287 * Returns the full path to the executable.
288 *
289 * @returns IPRT status code.
290 * @param pszPath Where to store it.
291 * @param cchPath How big that buffer is.
292 */
293static void supR3HardenedGetFullExePath(void)
294{
295 /*
296 * Get the program filename.
297 *
298 * Most UNIXes have no API for obtaining the executable path, but provides a symbolic
299 * link in the proc file system that tells who was exec'ed. The bad thing about this
300 * is that we have to use readlink, one of the weirder UNIX APIs.
301 *
302 * Darwin, OS/2 and Windows all have proper APIs for getting the program file name.
303 */
304#if defined(RT_OS_LINUX) || defined(RT_OS_FREEBSD) || defined(RT_OS_SOLARIS)
305# ifdef RT_OS_LINUX
306 int cchLink = readlink("/proc/self/exe", &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
307# elif defined(RT_OS_SOLARIS)
308 char szFileBuf[PATH_MAX + 1];
309 sprintf(szFileBuf, "/proc/%ld/path/a.out", (long)getpid());
310 int cchLink = readlink(szFileBuf, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
311# else /* RT_OS_FREEBSD: */
312 int cchLink = readlink("/proc/curproc/file", &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
313# endif
314 if (cchLink < 0 || cchLink == sizeof(g_szSupLibHardenedExePath) - 1)
315 supR3HardenedFatal("supR3HardenedPathProgram: couldn't read \"%s\", errno=%d cchLink=%d\n",
316 g_szSupLibHardenedExePath, errno, cchLink);
317 g_szSupLibHardenedExePath[cchLink] = '\0';
318
319#elif defined(RT_OS_OS2) || defined(RT_OS_L4)
320 _execname(g_szSupLibHardenedExePath, sizeof(g_szSupLibHardenedExePath));
321
322#elif defined(RT_OS_DARWIN)
323 const char *pszImageName = _dyld_get_image_name(0);
324 if (!pszImageName)
325 supR3HardenedFatal("supR3HardenedPathProgram: _dyld_get_image_name(0) failed\n");
326 size_t cchImageName = strlen(pszImageName);
327 if (!cchImageName || cchImageName >= sizeof(g_szSupLibHardenedExePath))
328 supR3HardenedFatal("supR3HardenedPathProgram: _dyld_get_image_name(0) failed, cchImageName=%d\n", cchImageName);
329 memcpy(g_szSupLibHardenedExePath, pszImageName, cchImageName + 1);
330
331#elif defined(RT_OS_WINDOWS)
332 HMODULE hExe = GetModuleHandle(NULL);
333 if (!GetModuleFileName(hExe, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath)))
334 supR3HardenedFatal("supR3HardenedPathProgram: GetModuleFileName failed, rc=%d\n", GetLastError());
335#else
336# error needs porting.
337#endif
338
339 /*
340 * Strip off the filename part (RTPathStripFilename()).
341 */
342 strcpy(g_szSupLibHardenedDirPath, g_szSupLibHardenedExePath);
343 suplibHardenedPathStripFilename(g_szSupLibHardenedDirPath);
344}
345
346
347#ifdef RT_OS_LINUX
348/**
349 * Checks if we can read /proc/self/exe.
350 *
351 * This is used on linux to see if we have to call init
352 * with program path or not.
353 *
354 * @returns true / false.
355 */
356static bool supR3HardenedMainIsProcSelfExeAccssible(void)
357{
358 char szPath[RTPATH_MAX];
359 int cchLink = readlink("/proc/self/exe", szPath, sizeof(szPath));
360 return cchLink != -1;
361}
362#endif /* RT_OS_LINUX */
363
364
365
366/**
367 * @copydoc RTPathProgram
368 */
369DECLHIDDEN(int) supR3HardenedPathProgram(char *pszPath, size_t cchPath)
370{
371 /*
372 * Lazy init (probably not required).
373 */
374 if (!g_szSupLibHardenedDirPath[0])
375 supR3HardenedGetFullExePath();
376
377 /*
378 * Calc the length and check if there is space before copying.
379 */
380 unsigned cch = strlen(g_szSupLibHardenedDirPath) + 1;
381 if (cch <= cchPath)
382 {
383 memcpy(pszPath, g_szSupLibHardenedDirPath, cch + 1);
384 return VINF_SUCCESS;
385 }
386
387 supR3HardenedFatal("supR3HardenedPathProgram: Buffer too small (%u < %u)\n", cchPath, cch);
388 return VERR_BUFFER_OVERFLOW;
389}
390
391
392DECLHIDDEN(void) supR3HardenedFatalMsgV(const char *pszWhere, SUPINITOP enmWhat, int rc, const char *pszMsgFmt, va_list va)
393{
394 /*
395 * To the console first, like supR3HardenedFatalV.
396 */
397 fprintf(stderr, "%s: Error %d in %s!\n", g_pszSupLibHardenedProgName, rc, pszWhere);
398 fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
399 va_list vaCopy;
400 va_copy(vaCopy, va);
401 vfprintf(stderr, pszMsgFmt, vaCopy);
402 va_end(vaCopy);
403 fprintf(stderr, "\n");
404
405 switch (enmWhat)
406 {
407 case kSupInitOp_Driver:
408 fprintf(stderr,
409 "\n"
410 "%s: Tip! Make sure the kernel module is loaded. It may also help to reinstall VirtualBox.\n",
411 g_pszSupLibHardenedProgName);
412 break;
413
414 case kSupInitOp_IPRT:
415 case kSupInitOp_Integrity:
416 case kSupInitOp_RootCheck:
417 fprintf(stderr,
418 "\n"
419 "%s: Tip! It may help to reinstall VirtualBox.\n",
420 g_pszSupLibHardenedProgName);
421 break;
422
423 default:
424 /* no hints here */
425 break;
426 }
427
428#ifdef SUP_HARDENED_SUID
429 /*
430 * Drop any root privileges we might be holding, this won't return
431 * if it fails but end up calling supR3HardenedFatal[V].
432 */
433 supR3HardenedMainDropPrivileges();
434#endif /* SUP_HARDENED_SUID */
435
436 /*
437 * Now try resolve and call the TrustedError entry point if we can
438 * find it. We'll fork before we attempt this because that way the
439 * session management in main will see us exiting immediately (if
440 * it's invovled with us).
441 */
442#if !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
443 int pid = fork();
444 if (pid <= 0)
445#endif
446 {
447 PFNSUPTRUSTEDERROR pfnTrustedError = supR3HardenedMainGetTrustedError(g_pszSupLibHardenedProgName);
448 if (pfnTrustedError)
449 pfnTrustedError(pszWhere, enmWhat, rc, pszMsgFmt, va);
450 }
451
452 /*
453 * Quit
454 */
455 for (;;)
456#ifdef _MSC_VER
457 exit(1);
458#else
459 _Exit(1);
460#endif
461}
462
463
464DECLHIDDEN(void) supR3HardenedFatalMsg(const char *pszWhere, SUPINITOP enmWhat, int rc, const char *pszMsgFmt, ...)
465{
466 va_list va;
467 va_start(va, pszMsgFmt);
468 supR3HardenedFatalMsgV(pszWhere, enmWhat, rc, pszMsgFmt, va);
469 va_end(va);
470}
471
472
473DECLHIDDEN(void) supR3HardenedFatalV(const char *pszFormat, va_list va)
474{
475 fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
476 vfprintf(stderr, pszFormat, va);
477 for (;;)
478#ifdef _MSC_VER
479 exit(1);
480#else
481 _Exit(1);
482#endif
483}
484
485
486DECLHIDDEN(void) supR3HardenedFatal(const char *pszFormat, ...)
487{
488 va_list va;
489 va_start(va, pszFormat);
490 supR3HardenedFatalV(pszFormat, va);
491 va_end(va);
492}
493
494
495DECLHIDDEN(int) supR3HardenedErrorV(int rc, bool fFatal, const char *pszFormat, va_list va)
496{
497 if (fFatal)
498 supR3HardenedFatalV(pszFormat, va);
499
500 fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
501 vfprintf(stderr, pszFormat, va);
502 return rc;
503}
504
505
506DECLHIDDEN(int) supR3HardenedError(int rc, bool fFatal, const char *pszFormat, ...)
507{
508 va_list va;
509 va_start(va, pszFormat);
510 supR3HardenedErrorV(rc, fFatal, pszFormat, va);
511 va_end(va);
512 return rc;
513}
514
515
516/**
517 * Wrapper around snprintf which will throw a fatal error on buffer overflow.
518 *
519 * @returns Number of chars in the result string.
520 * @param pszDst The destination buffer.
521 * @param cchDst The size of the buffer.
522 * @param pszFormat The format string.
523 * @param ... Format arguments.
524 */
525static size_t supR3HardenedStrPrintf(char *pszDst, size_t cchDst, const char *pszFormat, ...)
526{
527 va_list va;
528 va_start(va, pszFormat);
529#ifdef _MSC_VER
530 int cch = _vsnprintf(pszDst, cchDst, pszFormat, va);
531#else
532 int cch = vsnprintf(pszDst, cchDst, pszFormat, va);
533#endif
534 va_end(va);
535 if ((unsigned)cch >= cchDst || cch < 0)
536 supR3HardenedFatal("supR3HardenedStrPrintf: buffer overflow, %d >= %lu\n", cch, (long)cchDst);
537 return cch;
538}
539
540
541/**
542 * Attempts to open /dev/vboxdrv (or equvivalent).
543 *
544 * @remarks This function will not return on failure.
545 */
546static void supR3HardenedMainOpenDevice(void)
547{
548 int rc = suplibOsInit(&g_SupPreInitData.Data, false);
549 if (RT_SUCCESS(rc))
550 return;
551
552 switch (rc)
553 {
554 /** @todo better messages! */
555 case VERR_VM_DRIVER_NOT_INSTALLED:
556 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
557 "VERR_VM_DRIVER_NOT_INSTALLED");
558 case VERR_VM_DRIVER_NOT_ACCESSIBLE:
559 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
560 "VERR_VM_DRIVER_NOT_ACCESSIBLE");
561 case VERR_VM_DRIVER_LOAD_ERROR:
562 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
563 "VERR_VM_DRIVER_LOAD_ERROR");
564 case VERR_VM_DRIVER_OPEN_ERROR:
565 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
566 "VERR_VM_DRIVER_OPEN_ERROR");
567 case VERR_VM_DRIVER_VERSION_MISMATCH:
568 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
569 "VERR_VM_DRIVER_VERSION_MISMATCH");
570 case VERR_ACCESS_DENIED:
571 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
572 "VERR_ACCESS_DENIED");
573 default:
574 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
575 "Unknown rc=%d", rc);
576 }
577}
578
579
580#ifdef SUP_HARDENED_SUID
581/**
582 * Drop any root privileges we might be holding.
583 */
584static void supR3HardenedMainDropPrivileges(void)
585{
586 /*
587 * Try use setre[ug]id since this will clear the save uid/gid and thus
588 * leave fewer traces behind that libs like GTK+ may pick up.
589 */
590 uid_t euid, ruid, suid;
591 gid_t egid, rgid, sgid;
592# if defined(RT_OS_DARWIN)
593 /* The really great thing here is that setreuid isn't available on
594 OS X 10.4, libc emulates it. While 10.4 have a sligtly different and
595 non-standard setuid implementation compared to 10.5, the following
596 works the same way with both version since we're super user (10.5 req).
597 The following will set all three variants of the group and user IDs. */
598 setgid(g_gid);
599 setuid(g_uid);
600 euid = geteuid();
601 ruid = suid = getuid();
602 egid = getegid();
603 rgid = sgid = getgid();
604
605# elif defined(RT_OS_SOLARIS)
606 /* Solaris doesn't have setresuid, but the setreuid interface is BSD
607 compatible and will set the saved uid to euid when we pass it a ruid
608 that isn't -1 (which we do). */
609 setregid(g_gid, g_gid);
610 setreuid(g_uid, g_uid);
611 euid = geteuid();
612 ruid = suid = getuid();
613 egid = getegid();
614 rgid = sgid = getgid();
615
616# else
617 /* This is the preferred one, full control no questions about semantics.
618 PORTME: If this isn't work, try join one of two other gangs above. */
619 setresgid(g_gid, g_gid, g_gid);
620 setresuid(g_uid, g_uid, g_uid);
621 if (getresuid(&ruid, &euid, &suid) != 0)
622 {
623 euid = geteuid();
624 ruid = suid = getuid();
625 }
626 if (getresgid(&rgid, &egid, &sgid) != 0)
627 {
628 egid = getegid();
629 rgid = sgid = getgid();
630 }
631# endif
632
633 /* Check that it worked out all right. */
634 if ( euid != g_uid
635 || ruid != g_uid
636 || suid != g_uid
637 || egid != g_gid
638 || rgid != g_gid
639 || sgid != g_gid)
640 supR3HardenedFatal("SUPR3HardenedMain: failed to drop root privileges!"
641 " (euid=%d ruid=%d suid=%d egid=%d rgid=%d sgid=%d; wanted uid=%d and gid=%d)\n",
642 euid, ruid, suid, egid, rgid, sgid, g_uid, g_gid);
643}
644#endif /* SUP_HARDENED_SUID */
645
646
647/**
648 * Loads the VBoxRT DLL/SO/DYLIB, hands it the open driver,
649 * and calls RTR3Init.
650 *
651 * @param fFlags The SUPR3HardenedMain fFlags argument, passed to supR3PreInit.
652 *
653 * @remarks VBoxRT contains both IPRT and SUPR3.
654 * @remarks This function will not return on failure.
655 */
656static void supR3HardenedMainInitRuntime(uint32_t fFlags)
657{
658 /*
659 * Construct the name.
660 */
661 char szPath[RTPATH_MAX];
662 supR3HardenedPathSharedLibs(szPath, sizeof(szPath) - sizeof("/VBoxRT" SUPLIB_DLL_SUFF));
663 strcat(szPath, "/VBoxRT" SUPLIB_DLL_SUFF);
664
665 /*
666 * Open it and resolve the symbols.
667 */
668#if defined(RT_OS_WINDOWS)
669 /** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
670 HMODULE hMod = LoadLibraryEx(szPath, NULL /*hFile*/, 0 /* dwFlags */);
671 if (!hMod)
672 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
673 "LoadLibraryEx(\"%s\",,) failed (rc=%d)",
674 szPath, GetLastError());
675 PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)GetProcAddress(hMod, SUP_HARDENED_SYM("RTR3InitEx"));
676 if (!pfnRTInitEx)
677 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
678 "Entrypoint \"RTR3InitEx\" not found in \"%s\" (rc=%d)",
679 szPath, GetLastError());
680
681 PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)GetProcAddress(hMod, SUP_HARDENED_SYM("supR3PreInit"));
682 if (!pfnSUPPreInit)
683 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
684 "Entrypoint \"supR3PreInit\" not found in \"%s\" (rc=%d)",
685 szPath, GetLastError());
686
687#else
688 /* the dlopen crowd */
689 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
690 if (!pvMod)
691 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
692 "dlopen(\"%s\",) failed: %s",
693 szPath, dlerror());
694 PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("RTR3InitEx"));
695 if (!pfnRTInitEx)
696 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
697 "Entrypoint \"RTR3InitEx\" not found in \"%s\"!\ndlerror: %s",
698 szPath, dlerror());
699 PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("supR3PreInit"));
700 if (!pfnSUPPreInit)
701 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
702 "Entrypoint \"supR3PreInit\" not found in \"%s\"!\ndlerror: %s",
703 szPath, dlerror());
704#endif
705
706 /*
707 * Make the calls.
708 */
709 supR3HardenedGetPreInitData(&g_SupPreInitData);
710 int rc = pfnSUPPreInit(&g_SupPreInitData, fFlags);
711 if (RT_FAILURE(rc))
712 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
713 "supR3PreInit failed with rc=%d", rc);
714 const char *pszExePath = NULL;
715#ifdef RT_OS_LINUX
716 if (!supR3HardenedMainIsProcSelfExeAccssible())
717 pszExePath = g_szSupLibHardenedExePath;
718#endif
719 rc = pfnRTInitEx(0, pszExePath, !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV));
720 if (RT_FAILURE(rc))
721 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
722 "RTR3Init failed with rc=%d", rc);
723}
724
725
726/**
727 * Loads the DLL/SO/DYLIB containing the actual program and
728 * resolves the TrustedError symbol.
729 *
730 * This is very similar to supR3HardenedMainGetTrustedMain().
731 *
732 * @returns Pointer to the trusted error symbol if it is exported, NULL
733 * and no error messages otherwise.
734 * @param pszProgName The program name.
735 */
736static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName)
737{
738 /*
739 * Construct the name.
740 */
741 char szPath[RTPATH_MAX];
742 supR3HardenedPathAppPrivateArch(szPath, sizeof(szPath) - 10);
743 size_t cch = strlen(szPath);
744 supR3HardenedStrPrintf(&szPath[cch], sizeof(szPath) - cch, "/%s%s", pszProgName, SUPLIB_DLL_SUFF);
745
746 /*
747 * Open it and resolve the symbol.
748 */
749#if defined(RT_OS_WINDOWS)
750 /** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
751 HMODULE hMod = LoadLibraryEx(szPath, NULL /*hFile*/, 0 /* dwFlags */);
752 if (!hMod)
753 return NULL;
754 FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedError"));
755 if (!pfn)
756 return NULL;
757 return (PFNSUPTRUSTEDERROR)pfn;
758
759#else
760 /* the dlopen crowd */
761 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
762 if (!pvMod)
763 return NULL;
764 void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedError"));
765 if (!pvSym)
766 return NULL;
767 return (PFNSUPTRUSTEDERROR)(uintptr_t)pvSym;
768#endif
769}
770
771
772/**
773 * Loads the DLL/SO/DYLIB containing the actual program and
774 * resolves the TrustedMain symbol.
775 *
776 * @returns Pointer to the trusted main of the actual program.
777 * @param pszProgName The program name.
778 * @remarks This function will not return on failure.
779 */
780static PFNSUPTRUSTEDMAIN supR3HardenedMainGetTrustedMain(const char *pszProgName)
781{
782 /*
783 * Construct the name.
784 */
785 char szPath[RTPATH_MAX];
786 supR3HardenedPathAppPrivateArch(szPath, sizeof(szPath) - 10);
787 size_t cch = strlen(szPath);
788 supR3HardenedStrPrintf(&szPath[cch], sizeof(szPath) - cch, "/%s%s", pszProgName, SUPLIB_DLL_SUFF);
789
790 /*
791 * Open it and resolve the symbol.
792 */
793#if defined(RT_OS_WINDOWS)
794 /** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
795 HMODULE hMod = LoadLibraryEx(szPath, NULL /*hFile*/, 0 /* dwFlags */);
796 if (!hMod)
797 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: LoadLibraryEx(\"%s\",,) failed, rc=%d\n",
798 szPath, GetLastError());
799 FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedMain"));
800 if (!pfn)
801 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\" (rc=%d)\n",
802 szPath, GetLastError());
803 return (PFNSUPTRUSTEDMAIN)pfn;
804
805#else
806 /* the dlopen crowd */
807 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
808 if (!pvMod)
809 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: dlopen(\"%s\",) failed: %s\n",
810 szPath, dlerror());
811 void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedMain"));
812 if (!pvSym)
813 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\"!\ndlerror: %s\n",
814 szPath, dlerror());
815 return (PFNSUPTRUSTEDMAIN)(uintptr_t)pvSym;
816#endif
817}
818
819
820/**
821 * Secure main.
822 *
823 * This is used for the set-user-ID-on-execute binaries on unixy systems
824 * and when using the open-vboxdrv-via-root-service setup on Windows.
825 *
826 * This function will perform the integrity checks of the VirtualBox
827 * installation, open the support driver, open the root service (later),
828 * and load the DLL corresponding to \a pszProgName and execute its main
829 * function.
830 *
831 * @returns Return code appropriate for main().
832 *
833 * @param pszProgName The program name. This will be used to figure out which
834 * DLL/SO/DYLIB to load and execute.
835 * @param fFlags Flags.
836 * @param argc The argument count.
837 * @param argv The argument vector.
838 * @param envp The environment vector.
839 */
840DECLHIDDEN(int) SUPR3HardenedMain(const char *pszProgName, uint32_t fFlags, int argc, char **argv, char **envp)
841{
842 /*
843 * Note! At this point there is no IPRT, so we will have to stick
844 * to basic CRT functions that everyone agree upon.
845 */
846 g_pszSupLibHardenedProgName = pszProgName;
847 g_SupPreInitData.u32Magic = SUPPREINITDATA_MAGIC;
848 g_SupPreInitData.Data.hDevice = NIL_RTFILE;
849 g_SupPreInitData.u32EndMagic = SUPPREINITDATA_MAGIC;
850
851#ifdef SUP_HARDENED_SUID
852# ifdef RT_OS_LINUX
853 /*
854 * On linux we have to make sure the path is initialized because we
855 * *might* not be able to access /proc/self/exe after the seteuid call.
856 */
857 supR3HardenedGetFullExePath();
858# endif
859
860 /*
861 * Check that we're root, if we aren't then the installation is butchered.
862 */
863 g_uid = getuid();
864 g_gid = getgid();
865 if (geteuid() != 0 /* root */)
866 supR3HardenedFatalMsg("SUPR3HardenedMain", kSupInitOp_RootCheck, VERR_PERMISSION_DENIED,
867 "Effective UID is not root (euid=%d egid=%d uid=%d gid=%d)",
868 geteuid(), getegid(), g_uid, g_gid);
869#endif
870
871 /*
872 * Validate the installation.
873 */
874 supR3HardenedVerifyAll(true /* fFatal */, false /* fLeaveFilesOpen */, pszProgName);
875
876 /*
877 * Open the vboxdrv device.
878 */
879 if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
880 supR3HardenedMainOpenDevice();
881
882 /*
883 * Open the root service connection.
884 */
885 //if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_SVC))
886 //supR3HardenedMainOpenService(&g_SupPreInitData, true /* fFatal */);
887
888#ifdef SUP_HARDENED_SUID
889 /*
890 * Drop any root privileges we might be holding (won't return on failure)
891 */
892 supR3HardenedMainDropPrivileges();
893#endif
894
895 /*
896 * Load the IPRT, hand the SUPLib part the open driver and
897 * call RTR3Init.
898 */
899 supR3HardenedMainInitRuntime(fFlags);
900
901 /*
902 * Load the DLL/SO/DYLIB containing the actual program
903 * and pass control to it.
904 */
905 PFNSUPTRUSTEDMAIN pfnTrustedMain = supR3HardenedMainGetTrustedMain(pszProgName);
906 return pfnTrustedMain(argc, argv, envp);
907}
908
909
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette