VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp@ 27116

Last change on this file since 27116 was 26498, checked in by vboxsync, 15 years ago

lots under src/VBox: whitespace cleanup.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 34.4 KB
Line 
1/* $Id: SUPR3HardenedMain.cpp 26498 2010-02-14 08:18:26Z vboxsync $ */
2/** @file
3 * VirtualBox Support Library - Hardened main().
4 */
5
6/*
7 * Copyright (C) 2006-2008 Sun Microsystems, Inc.
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 *
26 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa
27 * Clara, CA 95054 USA or visit http://www.sun.com if you need
28 * additional information or have any questions.
29 */
30
31/*******************************************************************************
32* Header Files *
33*******************************************************************************/
34#if defined(RT_OS_OS2)
35# define INCL_BASE
36# define INCL_ERRORS
37# include <os2.h>
38# include <stdio.h>
39# include <stdlib.h>
40# include <dlfcn.h>
41
42#elif RT_OS_WINDOWS
43# include <Windows.h>
44# include <stdio.h>
45
46#else /* UNIXes */
47# include <iprt/types.h> /* stdint fun on darwin. */
48
49# include <stdio.h>
50# include <stdlib.h>
51# include <dlfcn.h>
52# include <limits.h>
53# include <errno.h>
54# include <unistd.h>
55# include <sys/stat.h>
56# include <sys/time.h>
57# include <stdio.h>
58# include <sys/types.h>
59# if defined(RT_OS_LINUX)
60# undef USE_LIB_PCAP /* don't depend on libcap as we had to depend on either
61 libcap1 or libcap2 */
62
63# undef _POSIX_SOURCE
64# include <sys/capability.h>
65# include <sys/prctl.h>
66# ifndef CAP_TO_MASK
67# define CAP_TO_MASK(cap) RT_BIT(cap)
68# endif
69# elif defined(RT_OS_FREEBSD)
70# include <sys/param.h>
71# include <sys/sysctl.h>
72# elif defined(RT_OS_SOLARIS)
73# include <priv.h>
74# endif
75# include <pwd.h>
76# ifdef RT_OS_DARWIN
77# include <mach-o/dyld.h>
78# endif
79
80#endif
81
82#include <VBox/sup.h>
83#include <VBox/err.h>
84#include <iprt/string.h>
85#include <iprt/param.h>
86
87#include "SUPLibInternal.h"
88
89
90/*******************************************************************************
91* Defined Constants And Macros *
92*******************************************************************************/
93/** @def SUP_HARDENED_SUID
94 * Whether we're employing set-user-ID-on-execute in the hardening.
95 */
96#if !defined(RT_OS_OS2) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_L4)
97# define SUP_HARDENED_SUID
98#else
99# undef SUP_HARDENED_SUID
100#endif
101
102/** @def SUP_HARDENED_SYM
103 * Decorate a symbol that's resolved dynamically.
104 */
105#ifdef RT_OS_OS2
106# define SUP_HARDENED_SYM(sym) "_" sym
107#else
108# define SUP_HARDENED_SYM(sym) sym
109#endif
110
111
112/*******************************************************************************
113* Structures and Typedefs *
114*******************************************************************************/
115/** @see RTR3InitEx */
116typedef DECLCALLBACK(int) FNRTR3INITEX(uint32_t iVersion, const char *pszProgramPath, bool fInitSUPLib);
117typedef FNRTR3INITEX *PFNRTR3INITEX;
118
119
120/*******************************************************************************
121* Global Variables *
122*******************************************************************************/
123/** The pre-init data we pass on to SUPR3 (residing in VBoxRT). */
124static SUPPREINITDATA g_SupPreInitData;
125/** The progam executable path. */
126static char g_szSupLibHardenedExePath[RTPATH_MAX];
127/** The program directory path. */
128static char g_szSupLibHardenedDirPath[RTPATH_MAX];
129
130/** The program name. */
131static const char *g_pszSupLibHardenedProgName;
132
133#ifdef SUP_HARDENED_SUID
134/** The real UID at startup. */
135static uid_t g_uid;
136/** The real GID at startup. */
137static gid_t g_gid;
138# ifdef RT_OS_LINUX
139static uint32_t g_uCaps;
140# endif
141#endif
142
143
144/*******************************************************************************
145* Internal Functions *
146*******************************************************************************/
147#ifdef SUP_HARDENED_SUID
148static void supR3HardenedMainDropPrivileges(void);
149#endif
150static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName);
151
152
153/**
154 * @copydoc RTPathStripFilename.
155 */
156static void suplibHardenedPathStripFilename(char *pszPath)
157{
158 char *psz = pszPath;
159 char *pszLastSep = pszPath;
160
161 for (;; psz++)
162 {
163 switch (*psz)
164 {
165 /* handle separators. */
166#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
167 case ':':
168 pszLastSep = psz + 1;
169 break;
170
171 case '\\':
172#endif
173 case '/':
174 pszLastSep = psz;
175 break;
176
177 /* the end */
178 case '\0':
179 if (pszLastSep == pszPath)
180 *pszLastSep++ = '.';
181 *pszLastSep = '\0';
182 return;
183 }
184 }
185 /* will never get here */
186}
187
188
189/**
190 * @copydoc RTPathFilename
191 */
192DECLHIDDEN(char *) supR3HardenedPathFilename(const char *pszPath)
193{
194 const char *psz = pszPath;
195 const char *pszLastComp = pszPath;
196
197 for (;; psz++)
198 {
199 switch (*psz)
200 {
201 /* handle separators. */
202#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
203 case ':':
204 pszLastComp = psz + 1;
205 break;
206
207 case '\\':
208#endif
209 case '/':
210 pszLastComp = psz + 1;
211 break;
212
213 /* the end */
214 case '\0':
215 if (*pszLastComp)
216 return (char *)(void *)pszLastComp;
217 return NULL;
218 }
219 }
220
221 /* will never get here */
222 return NULL;
223}
224
225
226/**
227 * @copydoc RTPathAppPrivateNoArch
228 */
229DECLHIDDEN(int) supR3HardenedPathAppPrivateNoArch(char *pszPath, size_t cchPath)
230{
231#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE)
232 const char *pszSrcPath = RTPATH_APP_PRIVATE;
233 size_t cchPathPrivateNoArch = strlen(pszSrcPath);
234 if (cchPathPrivateNoArch >= cchPath)
235 supR3HardenedFatal("supR3HardenedPathAppPrivateNoArch: Buffer overflow, %lu >= %lu\n",
236 (unsigned long)cchPathPrivateNoArch, (unsigned long)cchPath);
237 memcpy(pszPath, pszSrcPath, cchPathPrivateNoArch + 1);
238 return VINF_SUCCESS;
239
240#else
241 return supR3HardenedPathExecDir(pszPath, cchPath);
242#endif
243}
244
245
246/**
247 * @copydoc RTPathAppPrivateArch
248 */
249DECLHIDDEN(int) supR3HardenedPathAppPrivateArch(char *pszPath, size_t cchPath)
250{
251#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE_ARCH)
252 const char *pszSrcPath = RTPATH_APP_PRIVATE_ARCH;
253 size_t cchPathPrivateArch = strlen(pszSrcPath);
254 if (cchPathPrivateArch >= cchPath)
255 supR3HardenedFatal("supR3HardenedPathAppPrivateArch: Buffer overflow, %lu >= %lu\n",
256 (unsigned long)cchPathPrivateArch, (unsigned long)cchPath);
257 memcpy(pszPath, pszSrcPath, cchPathPrivateArch + 1);
258 return VINF_SUCCESS;
259
260#else
261 return supR3HardenedPathExecDir(pszPath, cchPath);
262#endif
263}
264
265
266/**
267 * @copydoc RTPathSharedLibs
268 */
269DECLHIDDEN(int) supR3HardenedPathSharedLibs(char *pszPath, size_t cchPath)
270{
271#if !defined(RT_OS_WINDOWS) && defined(RTPATH_SHARED_LIBS)
272 const char *pszSrcPath = RTPATH_SHARED_LIBS;
273 size_t cchPathSharedLibs = strlen(pszSrcPath);
274 if (cchPathSharedLibs >= cchPath)
275 supR3HardenedFatal("supR3HardenedPathSharedLibs: Buffer overflow, %lu >= %lu\n",
276 (unsigned long)cchPathSharedLibs, (unsigned long)cchPath);
277 memcpy(pszPath, pszSrcPath, cchPathSharedLibs + 1);
278 return VINF_SUCCESS;
279
280#else
281 return supR3HardenedPathExecDir(pszPath, cchPath);
282#endif
283}
284
285
286/**
287 * @copydoc RTPathAppDocs
288 */
289DECLHIDDEN(int) supR3HardenedPathAppDocs(char *pszPath, size_t cchPath)
290{
291#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_DOCS)
292 const char *pszSrcPath = RTPATH_APP_DOCS;
293 size_t cchPathAppDocs = strlen(pszSrcPath);
294 if (cchPathAppDocs >= cchPath)
295 supR3HardenedFatal("supR3HardenedPathAppDocs: Buffer overflow, %lu >= %lu\n",
296 (unsigned long)cchPathAppDocs, (unsigned long)cchPath);
297 memcpy(pszPath, pszSrcPath, cchPathAppDocs + 1);
298 return VINF_SUCCESS;
299
300#else
301 return supR3HardenedPathExecDir(pszPath, cchPath);
302#endif
303}
304
305
306/**
307 * Returns the full path to the executable.
308 *
309 * @returns IPRT status code.
310 * @param pszPath Where to store it.
311 * @param cchPath How big that buffer is.
312 */
313static void supR3HardenedGetFullExePath(void)
314{
315 /*
316 * Get the program filename.
317 *
318 * Most UNIXes have no API for obtaining the executable path, but provides a symbolic
319 * link in the proc file system that tells who was exec'ed. The bad thing about this
320 * is that we have to use readlink, one of the weirder UNIX APIs.
321 *
322 * Darwin, OS/2 and Windows all have proper APIs for getting the program file name.
323 */
324#if defined(RT_OS_LINUX) || defined(RT_OS_FREEBSD) || defined(RT_OS_SOLARIS)
325# ifdef RT_OS_LINUX
326 int cchLink = readlink("/proc/self/exe", &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
327
328# elif defined(RT_OS_SOLARIS)
329 char szFileBuf[PATH_MAX + 1];
330 sprintf(szFileBuf, "/proc/%ld/path/a.out", (long)getpid());
331 int cchLink = readlink(szFileBuf, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
332
333# else /* RT_OS_FREEBSD */
334 int aiName[4];
335 aiName[0] = CTL_KERN;
336 aiName[1] = KERN_PROC;
337 aiName[2] = KERN_PROC_PATHNAME;
338 aiName[3] = getpid();
339
340 size_t cbPath = sizeof(g_szSupLibHardenedExePath);
341 if (sysctl(aiName, RT_ELEMENTS(aiName), g_szSupLibHardenedExePath, &cbPath, NULL, 0) < 0)
342 supR3HardenedFatal("supR3HardenedExecDir: sysctl failed\n");
343 g_szSupLibHardenedExePath[sizeof(g_szSupLibHardenedExePath) - 1] = '\0';
344 int cchLink = strlen(g_szSupLibHardenedExePath); /* paranoid? can't we use cbPath? */
345
346# endif
347 if (cchLink < 0 || cchLink == sizeof(g_szSupLibHardenedExePath) - 1)
348 supR3HardenedFatal("supR3HardenedExecDir: couldn't read \"%s\", errno=%d cchLink=%d\n",
349 g_szSupLibHardenedExePath, errno, cchLink);
350 g_szSupLibHardenedExePath[cchLink] = '\0';
351
352#elif defined(RT_OS_OS2) || defined(RT_OS_L4)
353 _execname(g_szSupLibHardenedExePath, sizeof(g_szSupLibHardenedExePath));
354
355#elif defined(RT_OS_DARWIN)
356 const char *pszImageName = _dyld_get_image_name(0);
357 if (!pszImageName)
358 supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed\n");
359 size_t cchImageName = strlen(pszImageName);
360 if (!cchImageName || cchImageName >= sizeof(g_szSupLibHardenedExePath))
361 supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed, cchImageName=%d\n", cchImageName);
362 memcpy(g_szSupLibHardenedExePath, pszImageName, cchImageName + 1);
363
364#elif defined(RT_OS_WINDOWS)
365 HMODULE hExe = GetModuleHandle(NULL);
366 if (!GetModuleFileName(hExe, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath)))
367 supR3HardenedFatal("supR3HardenedExecDir: GetModuleFileName failed, rc=%d\n", GetLastError());
368#else
369# error needs porting.
370#endif
371
372 /*
373 * Strip off the filename part (RTPathStripFilename()).
374 */
375 strcpy(g_szSupLibHardenedDirPath, g_szSupLibHardenedExePath);
376 suplibHardenedPathStripFilename(g_szSupLibHardenedDirPath);
377}
378
379
380#ifdef RT_OS_LINUX
381/**
382 * Checks if we can read /proc/self/exe.
383 *
384 * This is used on linux to see if we have to call init
385 * with program path or not.
386 *
387 * @returns true / false.
388 */
389static bool supR3HardenedMainIsProcSelfExeAccssible(void)
390{
391 char szPath[RTPATH_MAX];
392 int cchLink = readlink("/proc/self/exe", szPath, sizeof(szPath));
393 return cchLink != -1;
394}
395#endif /* RT_OS_LINUX */
396
397
398
399/**
400 * @copydoc RTPathExecDir
401 */
402DECLHIDDEN(int) supR3HardenedPathExecDir(char *pszPath, size_t cchPath)
403{
404 /*
405 * Lazy init (probably not required).
406 */
407 if (!g_szSupLibHardenedDirPath[0])
408 supR3HardenedGetFullExePath();
409
410 /*
411 * Calc the length and check if there is space before copying.
412 */
413 size_t cch = strlen(g_szSupLibHardenedDirPath) + 1;
414 if (cch <= cchPath)
415 {
416 memcpy(pszPath, g_szSupLibHardenedDirPath, cch + 1);
417 return VINF_SUCCESS;
418 }
419
420 supR3HardenedFatal("supR3HardenedPathExecDir: Buffer too small (%u < %u)\n", cchPath, cch);
421 return VERR_BUFFER_OVERFLOW;
422}
423
424
425DECLHIDDEN(void) supR3HardenedFatalMsgV(const char *pszWhere, SUPINITOP enmWhat, int rc, const char *pszMsgFmt, va_list va)
426{
427 /*
428 * To the console first, like supR3HardenedFatalV.
429 */
430 fprintf(stderr, "%s: Error %d in %s!\n", g_pszSupLibHardenedProgName, rc, pszWhere);
431 fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
432 va_list vaCopy;
433 va_copy(vaCopy, va);
434 vfprintf(stderr, pszMsgFmt, vaCopy);
435 va_end(vaCopy);
436 fprintf(stderr, "\n");
437
438 switch (enmWhat)
439 {
440 case kSupInitOp_Driver:
441 fprintf(stderr,
442 "\n"
443 "%s: Tip! Make sure the kernel module is loaded. It may also help to reinstall VirtualBox.\n",
444 g_pszSupLibHardenedProgName);
445 break;
446
447 case kSupInitOp_IPRT:
448 case kSupInitOp_Integrity:
449 case kSupInitOp_RootCheck:
450 fprintf(stderr,
451 "\n"
452 "%s: Tip! It may help to reinstall VirtualBox.\n",
453 g_pszSupLibHardenedProgName);
454 break;
455
456 default:
457 /* no hints here */
458 break;
459 }
460
461#ifdef SUP_HARDENED_SUID
462 /*
463 * Drop any root privileges we might be holding, this won't return
464 * if it fails but end up calling supR3HardenedFatal[V].
465 */
466 supR3HardenedMainDropPrivileges();
467#endif /* SUP_HARDENED_SUID */
468
469 /*
470 * Now try resolve and call the TrustedError entry point if we can
471 * find it. We'll fork before we attempt this because that way the
472 * session management in main will see us exiting immediately (if
473 * it's invovled with us).
474 */
475#if !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
476 int pid = fork();
477 if (pid <= 0)
478#endif
479 {
480 PFNSUPTRUSTEDERROR pfnTrustedError = supR3HardenedMainGetTrustedError(g_pszSupLibHardenedProgName);
481 if (pfnTrustedError)
482 pfnTrustedError(pszWhere, enmWhat, rc, pszMsgFmt, va);
483 }
484
485 /*
486 * Quit
487 */
488 for (;;)
489#ifdef _MSC_VER
490 exit(1);
491#else
492 _Exit(1);
493#endif
494}
495
496
497DECLHIDDEN(void) supR3HardenedFatalMsg(const char *pszWhere, SUPINITOP enmWhat, int rc, const char *pszMsgFmt, ...)
498{
499 va_list va;
500 va_start(va, pszMsgFmt);
501 supR3HardenedFatalMsgV(pszWhere, enmWhat, rc, pszMsgFmt, va);
502 va_end(va);
503}
504
505
506DECLHIDDEN(void) supR3HardenedFatalV(const char *pszFormat, va_list va)
507{
508 fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
509 vfprintf(stderr, pszFormat, va);
510 for (;;)
511#ifdef _MSC_VER
512 exit(1);
513#else
514 _Exit(1);
515#endif
516}
517
518
519DECLHIDDEN(void) supR3HardenedFatal(const char *pszFormat, ...)
520{
521 va_list va;
522 va_start(va, pszFormat);
523 supR3HardenedFatalV(pszFormat, va);
524 va_end(va);
525}
526
527
528DECLHIDDEN(int) supR3HardenedErrorV(int rc, bool fFatal, const char *pszFormat, va_list va)
529{
530 if (fFatal)
531 supR3HardenedFatalV(pszFormat, va);
532
533 fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
534 vfprintf(stderr, pszFormat, va);
535 return rc;
536}
537
538
539DECLHIDDEN(int) supR3HardenedError(int rc, bool fFatal, const char *pszFormat, ...)
540{
541 va_list va;
542 va_start(va, pszFormat);
543 supR3HardenedErrorV(rc, fFatal, pszFormat, va);
544 va_end(va);
545 return rc;
546}
547
548
549/**
550 * Wrapper around snprintf which will throw a fatal error on buffer overflow.
551 *
552 * @returns Number of chars in the result string.
553 * @param pszDst The destination buffer.
554 * @param cchDst The size of the buffer.
555 * @param pszFormat The format string.
556 * @param ... Format arguments.
557 */
558static size_t supR3HardenedStrPrintf(char *pszDst, size_t cchDst, const char *pszFormat, ...)
559{
560 va_list va;
561 va_start(va, pszFormat);
562#ifdef _MSC_VER
563 int cch = _vsnprintf(pszDst, cchDst, pszFormat, va);
564#else
565 int cch = vsnprintf(pszDst, cchDst, pszFormat, va);
566#endif
567 va_end(va);
568 if ((unsigned)cch >= cchDst || cch < 0)
569 supR3HardenedFatal("supR3HardenedStrPrintf: buffer overflow, %d >= %lu\n", cch, (long)cchDst);
570 return cch;
571}
572
573
574/**
575 * Attempts to open /dev/vboxdrv (or equvivalent).
576 *
577 * @remarks This function will not return on failure.
578 */
579static void supR3HardenedMainOpenDevice(void)
580{
581 int rc = suplibOsInit(&g_SupPreInitData.Data, false);
582 if (RT_SUCCESS(rc))
583 return;
584
585 switch (rc)
586 {
587 /** @todo better messages! */
588 case VERR_VM_DRIVER_NOT_INSTALLED:
589 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
590 "Kernel driver not installed");
591 case VERR_VM_DRIVER_NOT_ACCESSIBLE:
592 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
593 "Kernel driver not accessible");
594 case VERR_VM_DRIVER_LOAD_ERROR:
595 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
596 "VERR_VM_DRIVER_LOAD_ERROR");
597 case VERR_VM_DRIVER_OPEN_ERROR:
598 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
599 "VERR_VM_DRIVER_OPEN_ERROR");
600 case VERR_VM_DRIVER_VERSION_MISMATCH:
601 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
602 "Kernel driver version mismatch");
603 case VERR_ACCESS_DENIED:
604 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
605 "VERR_ACCESS_DENIED");
606 case VERR_NO_MEMORY:
607 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
608 "Kernel memory allocation/mapping failed");
609 default:
610 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
611 "Unknown rc=%d", rc);
612 }
613}
614
615
616#ifdef SUP_HARDENED_SUID
617
618/**
619 * Grabs extra non-root capabilities / privileges that we might require.
620 *
621 * This is currently only used for being able to do ICMP from the NAT engine.
622 *
623 * @note We still have root privileges at the time of this call.
624 */
625static void supR3HardenedMainGrabCapabilites(void)
626{
627# if defined(RT_OS_LINUX)
628 /*
629 * We are about to drop all our privileges. Remove all capabilities but
630 * keep the cap_net_raw capability for ICMP sockets for the NAT stack.
631 */
632 if (g_uCaps != 0)
633 {
634# ifdef USE_LIB_PCAP
635 /* XXX cap_net_bind_service */
636 if (!cap_set_proc(cap_from_text("all-eip cap_net_raw+ep")))
637 prctl(PR_SET_KEEPCAPS, /*keep=*/1, 0, 0, 0);
638# else
639 cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
640 cap_user_data_t cap = (cap_user_data_t)alloca(sizeof(*cap));
641 memset(hdr, 0, sizeof(*hdr));
642 hdr->version = _LINUX_CAPABILITY_VERSION;
643 memset(cap, 0, sizeof(*cap));
644 cap->effective = g_uCaps;
645 cap->permitted = g_uCaps;
646 if (!capset(hdr, cap))
647 prctl(PR_SET_KEEPCAPS, /*keep=*/1, 0, 0, 0);
648# endif /* !USE_LIB_PCAP */
649 }
650
651# elif defined(RT_OS_SOLARIS)
652 /*
653 * Add net_icmpaccess privilege to permitted, effective and inheritable privileges
654 * before dropping root privileges.
655 */
656 priv_set_t *pPrivSet = priv_str_to_set("basic", ",", NULL);
657 if (pPrivSet)
658 {
659 priv_addset(pPrivSet, PRIV_NET_ICMPACCESS);
660 int rc = setppriv(PRIV_SET, PRIV_INHERITABLE, pPrivSet);
661 if (!rc)
662 {
663 rc = setppriv(PRIV_SET, PRIV_PERMITTED, pPrivSet);
664 if (!rc)
665 {
666 rc = setppriv(PRIV_SET, PRIV_EFFECTIVE, pPrivSet);
667 if (rc)
668 supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set effectives privilege set.\n");
669 }
670 else
671 supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set permitted privilege set.\n");
672 }
673 else
674 supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set inheritable privilege set.\n");
675
676 priv_freeset(pPrivSet);
677 }
678 else
679 supR3HardenedError(-1, false, "SUPR3HardenedMain: failed to get basic privilege set.\n");
680
681# endif
682}
683
684/*
685 * Look at the environment for some special options.
686 */
687static void supR3GrabOptions(void)
688{
689 const char *pszOpt;
690
691# ifdef RT_OS_LINUX
692 g_uCaps = 0;
693
694 /*
695 * Do _not_ perform any capability-related system calls for root processes
696 * (leaving g_uCaps at 0).
697 * (Hint: getuid gets the real user id, not the effective.)
698 */
699 if (getuid() != 0)
700 {
701 /*
702 * CAP_NET_RAW.
703 * Default: enabled.
704 * Can be disabled with 'export VBOX_HARD_CAP_NET_RAW=0'.
705 */
706 pszOpt = getenv("VBOX_HARD_CAP_NET_RAW");
707 if ( !pszOpt
708 || memcmp(pszOpt, "0", sizeof("0")) != 0)
709 g_uCaps = CAP_TO_MASK(CAP_NET_RAW);
710
711 /*
712 * CAP_NET_BIND_SERVICE.
713 * Default: disabled.
714 * Can be enabled with 'export VBOX_HARD_CAP_NET_BIND_SERVICE=1'.
715 */
716 pszOpt = getenv("VBOX_HARD_CAP_NET_BIND_SERVICE");
717 if ( pszOpt
718 && memcmp(pszOpt, "0", sizeof("0")) != 0)
719 g_uCaps |= CAP_TO_MASK(CAP_NET_BIND_SERVICE);
720 }
721# endif
722}
723
724/**
725 * Drop any root privileges we might be holding.
726 */
727static void supR3HardenedMainDropPrivileges(void)
728{
729 /*
730 * Try use setre[ug]id since this will clear the save uid/gid and thus
731 * leave fewer traces behind that libs like GTK+ may pick up.
732 */
733 uid_t euid, ruid, suid;
734 gid_t egid, rgid, sgid;
735# if defined(RT_OS_DARWIN)
736 /* The really great thing here is that setreuid isn't available on
737 OS X 10.4, libc emulates it. While 10.4 have a sligtly different and
738 non-standard setuid implementation compared to 10.5, the following
739 works the same way with both version since we're super user (10.5 req).
740 The following will set all three variants of the group and user IDs. */
741 setgid(g_gid);
742 setuid(g_uid);
743 euid = geteuid();
744 ruid = suid = getuid();
745 egid = getegid();
746 rgid = sgid = getgid();
747
748# elif defined(RT_OS_SOLARIS)
749 /* Solaris doesn't have setresuid, but the setreuid interface is BSD
750 compatible and will set the saved uid to euid when we pass it a ruid
751 that isn't -1 (which we do). */
752 setregid(g_gid, g_gid);
753 setreuid(g_uid, g_uid);
754 euid = geteuid();
755 ruid = suid = getuid();
756 egid = getegid();
757 rgid = sgid = getgid();
758
759# else
760 /* This is the preferred one, full control no questions about semantics.
761 PORTME: If this isn't work, try join one of two other gangs above. */
762 setresgid(g_gid, g_gid, g_gid);
763 setresuid(g_uid, g_uid, g_uid);
764 if (getresuid(&ruid, &euid, &suid) != 0)
765 {
766 euid = geteuid();
767 ruid = suid = getuid();
768 }
769 if (getresgid(&rgid, &egid, &sgid) != 0)
770 {
771 egid = getegid();
772 rgid = sgid = getgid();
773 }
774# endif
775
776
777 /* Check that it worked out all right. */
778 if ( euid != g_uid
779 || ruid != g_uid
780 || suid != g_uid
781 || egid != g_gid
782 || rgid != g_gid
783 || sgid != g_gid)
784 supR3HardenedFatal("SUPR3HardenedMain: failed to drop root privileges!"
785 " (euid=%d ruid=%d suid=%d egid=%d rgid=%d sgid=%d; wanted uid=%d and gid=%d)\n",
786 euid, ruid, suid, egid, rgid, sgid, g_uid, g_gid);
787
788# if RT_OS_LINUX
789 /*
790 * Re-enable the cap_net_raw capability which was disabled during setresuid.
791 */
792 if (g_uCaps != 0)
793 {
794# ifdef USE_LIB_PCAP
795 /** @todo Warn if that does not work? */
796 /* XXX cap_net_bind_service */
797 cap_set_proc(cap_from_text("cap_net_raw+ep"));
798# else
799 cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
800 cap_user_data_t cap = (cap_user_data_t)alloca(sizeof(*cap));
801 memset(hdr, 0, sizeof(*hdr));
802 hdr->version = _LINUX_CAPABILITY_VERSION;
803 memset(cap, 0, sizeof(*cap));
804 cap->effective = g_uCaps;
805 cap->permitted = g_uCaps;
806 /** @todo Warn if that does not work? */
807 capset(hdr, cap);
808# endif /* !USE_LIB_PCAP */
809 }
810# endif
811}
812
813#endif /* SUP_HARDENED_SUID */
814
815/**
816 * Loads the VBoxRT DLL/SO/DYLIB, hands it the open driver,
817 * and calls RTR3Init.
818 *
819 * @param fFlags The SUPR3HardenedMain fFlags argument, passed to supR3PreInit.
820 *
821 * @remarks VBoxRT contains both IPRT and SUPR3.
822 * @remarks This function will not return on failure.
823 */
824static void supR3HardenedMainInitRuntime(uint32_t fFlags)
825{
826 /*
827 * Construct the name.
828 */
829 char szPath[RTPATH_MAX];
830 supR3HardenedPathSharedLibs(szPath, sizeof(szPath) - sizeof("/VBoxRT" SUPLIB_DLL_SUFF));
831 strcat(szPath, "/VBoxRT" SUPLIB_DLL_SUFF);
832
833 /*
834 * Open it and resolve the symbols.
835 */
836#if defined(RT_OS_WINDOWS)
837 /** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
838 HMODULE hMod = LoadLibraryEx(szPath, NULL /*hFile*/, 0 /* dwFlags */);
839 if (!hMod)
840 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
841 "LoadLibraryEx(\"%s\",,) failed (rc=%d)",
842 szPath, GetLastError());
843 PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)GetProcAddress(hMod, SUP_HARDENED_SYM("RTR3InitEx"));
844 if (!pfnRTInitEx)
845 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
846 "Entrypoint \"RTR3InitEx\" not found in \"%s\" (rc=%d)",
847 szPath, GetLastError());
848
849 PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)GetProcAddress(hMod, SUP_HARDENED_SYM("supR3PreInit"));
850 if (!pfnSUPPreInit)
851 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
852 "Entrypoint \"supR3PreInit\" not found in \"%s\" (rc=%d)",
853 szPath, GetLastError());
854
855#else
856 /* the dlopen crowd */
857 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
858 if (!pvMod)
859 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
860 "dlopen(\"%s\",) failed: %s",
861 szPath, dlerror());
862 PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("RTR3InitEx"));
863 if (!pfnRTInitEx)
864 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
865 "Entrypoint \"RTR3InitEx\" not found in \"%s\"!\ndlerror: %s",
866 szPath, dlerror());
867 PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("supR3PreInit"));
868 if (!pfnSUPPreInit)
869 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
870 "Entrypoint \"supR3PreInit\" not found in \"%s\"!\ndlerror: %s",
871 szPath, dlerror());
872#endif
873
874 /*
875 * Make the calls.
876 */
877 supR3HardenedGetPreInitData(&g_SupPreInitData);
878 int rc = pfnSUPPreInit(&g_SupPreInitData, fFlags);
879 if (RT_FAILURE(rc))
880 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
881 "supR3PreInit failed with rc=%d", rc);
882 const char *pszExePath = NULL;
883#ifdef RT_OS_LINUX
884 if (!supR3HardenedMainIsProcSelfExeAccssible())
885 pszExePath = g_szSupLibHardenedExePath;
886#endif
887 rc = pfnRTInitEx(0, pszExePath, !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV));
888 if (RT_FAILURE(rc))
889 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
890 "RTR3Init failed with rc=%d", rc);
891}
892
893
894/**
895 * Loads the DLL/SO/DYLIB containing the actual program and
896 * resolves the TrustedError symbol.
897 *
898 * This is very similar to supR3HardenedMainGetTrustedMain().
899 *
900 * @returns Pointer to the trusted error symbol if it is exported, NULL
901 * and no error messages otherwise.
902 * @param pszProgName The program name.
903 */
904static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName)
905{
906 /*
907 * Construct the name.
908 */
909 char szPath[RTPATH_MAX];
910 supR3HardenedPathAppPrivateArch(szPath, sizeof(szPath) - 10);
911 size_t cch = strlen(szPath);
912 supR3HardenedStrPrintf(&szPath[cch], sizeof(szPath) - cch, "/%s%s", pszProgName, SUPLIB_DLL_SUFF);
913
914 /*
915 * Open it and resolve the symbol.
916 */
917#if defined(RT_OS_WINDOWS)
918 /** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
919 HMODULE hMod = LoadLibraryEx(szPath, NULL /*hFile*/, 0 /* dwFlags */);
920 if (!hMod)
921 return NULL;
922 FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedError"));
923 if (!pfn)
924 return NULL;
925 return (PFNSUPTRUSTEDERROR)pfn;
926
927#else
928 /* the dlopen crowd */
929 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
930 if (!pvMod)
931 return NULL;
932 void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedError"));
933 if (!pvSym)
934 return NULL;
935 return (PFNSUPTRUSTEDERROR)(uintptr_t)pvSym;
936#endif
937}
938
939
940/**
941 * Loads the DLL/SO/DYLIB containing the actual program and
942 * resolves the TrustedMain symbol.
943 *
944 * @returns Pointer to the trusted main of the actual program.
945 * @param pszProgName The program name.
946 * @remarks This function will not return on failure.
947 */
948static PFNSUPTRUSTEDMAIN supR3HardenedMainGetTrustedMain(const char *pszProgName)
949{
950 /*
951 * Construct the name.
952 */
953 char szPath[RTPATH_MAX];
954 supR3HardenedPathAppPrivateArch(szPath, sizeof(szPath) - 10);
955 size_t cch = strlen(szPath);
956 supR3HardenedStrPrintf(&szPath[cch], sizeof(szPath) - cch, "/%s%s", pszProgName, SUPLIB_DLL_SUFF);
957
958 /*
959 * Open it and resolve the symbol.
960 */
961#if defined(RT_OS_WINDOWS)
962 /** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
963 HMODULE hMod = LoadLibraryEx(szPath, NULL /*hFile*/, 0 /* dwFlags */);
964 if (!hMod)
965 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: LoadLibraryEx(\"%s\",,) failed, rc=%d\n",
966 szPath, GetLastError());
967 FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedMain"));
968 if (!pfn)
969 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\" (rc=%d)\n",
970 szPath, GetLastError());
971 return (PFNSUPTRUSTEDMAIN)pfn;
972
973#else
974 /* the dlopen crowd */
975 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
976 if (!pvMod)
977 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: dlopen(\"%s\",) failed: %s\n",
978 szPath, dlerror());
979 void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedMain"));
980 if (!pvSym)
981 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\"!\ndlerror: %s\n",
982 szPath, dlerror());
983 return (PFNSUPTRUSTEDMAIN)(uintptr_t)pvSym;
984#endif
985}
986
987
988/**
989 * Secure main.
990 *
991 * This is used for the set-user-ID-on-execute binaries on unixy systems
992 * and when using the open-vboxdrv-via-root-service setup on Windows.
993 *
994 * This function will perform the integrity checks of the VirtualBox
995 * installation, open the support driver, open the root service (later),
996 * and load the DLL corresponding to \a pszProgName and execute its main
997 * function.
998 *
999 * @returns Return code appropriate for main().
1000 *
1001 * @param pszProgName The program name. This will be used to figure out which
1002 * DLL/SO/DYLIB to load and execute.
1003 * @param fFlags Flags.
1004 * @param argc The argument count.
1005 * @param argv The argument vector.
1006 * @param envp The environment vector.
1007 */
1008DECLHIDDEN(int) SUPR3HardenedMain(const char *pszProgName, uint32_t fFlags, int argc, char **argv, char **envp)
1009{
1010 /*
1011 * Note! At this point there is no IPRT, so we will have to stick
1012 * to basic CRT functions that everyone agree upon.
1013 */
1014 g_pszSupLibHardenedProgName = pszProgName;
1015 g_SupPreInitData.u32Magic = SUPPREINITDATA_MAGIC;
1016 g_SupPreInitData.Data.hDevice = NIL_RTFILE;
1017 g_SupPreInitData.u32EndMagic = SUPPREINITDATA_MAGIC;
1018
1019#ifdef SUP_HARDENED_SUID
1020# ifdef RT_OS_LINUX
1021 /*
1022 * On linux we have to make sure the path is initialized because we
1023 * *might* not be able to access /proc/self/exe after the seteuid call.
1024 */
1025 supR3HardenedGetFullExePath();
1026
1027# endif
1028
1029 /*
1030 * Grab any options from the environment.
1031 */
1032 supR3GrabOptions();
1033
1034 /*
1035 * Check that we're root, if we aren't then the installation is butchered.
1036 */
1037 g_uid = getuid();
1038 g_gid = getgid();
1039 if (geteuid() != 0 /* root */)
1040 supR3HardenedFatalMsg("SUPR3HardenedMain", kSupInitOp_RootCheck, VERR_PERMISSION_DENIED,
1041 "Effective UID is not root (euid=%d egid=%d uid=%d gid=%d)",
1042 geteuid(), getegid(), g_uid, g_gid);
1043#endif
1044
1045 /*
1046 * Validate the installation.
1047 */
1048 supR3HardenedVerifyAll(true /* fFatal */, false /* fLeaveFilesOpen */, pszProgName);
1049
1050 /*
1051 * Open the vboxdrv device.
1052 */
1053 if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
1054 supR3HardenedMainOpenDevice();
1055
1056 /*
1057 * Open the root service connection.
1058 */
1059 //if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_SVC))
1060 //supR3HardenedMainOpenService(&g_SupPreInitData, true /* fFatal */);
1061
1062#ifdef SUP_HARDENED_SUID
1063 /*
1064 * Grab additional capabilities / privileges.
1065 */
1066 supR3HardenedMainGrabCapabilites();
1067
1068 /*
1069 * Drop any root privileges we might be holding (won't return on failure)
1070 */
1071 supR3HardenedMainDropPrivileges();
1072#endif
1073
1074 /*
1075 * Load the IPRT, hand the SUPLib part the open driver and
1076 * call RTR3Init.
1077 */
1078 supR3HardenedMainInitRuntime(fFlags);
1079
1080 /*
1081 * Load the DLL/SO/DYLIB containing the actual program
1082 * and pass control to it.
1083 */
1084 PFNSUPTRUSTEDMAIN pfnTrustedMain = supR3HardenedMainGetTrustedMain(pszProgName);
1085 return pfnTrustedMain(argc, argv, envp);
1086}
1087
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette