SUPR3HardenedMain.cpp@ 34372

Last change on this file since 34372 was 34372, checked in by vboxsync, 14 years ago
comment update
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 34.6 KB

Line
1	/* $Id: SUPR3HardenedMain.cpp 34372 2010-11-25 14:29:19Z vboxsync $ */
2	/** @file
3	* VirtualBox Support Library - Hardened main().
4	*/
5
6	/*
7	* Copyright (C) 2006-2010 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27	/*******************************************************************************
28	* Header Files *
29	*******************************************************************************/
30	#if defined(RT_OS_OS2)
31	# define INCL_BASE
32	# define INCL_ERRORS
33	# include <os2.h>
34	# include <stdio.h>
35	# include <stdlib.h>
36	# include <dlfcn.h>
37
38	#elif RT_OS_WINDOWS
39	# include <Windows.h>
40	# include <stdio.h>
41
42	#else /* UNIXes */
43	# include <iprt/types.h> /* stdint fun on darwin. */
44
45	# include <stdio.h>
46	# include <stdlib.h>
47	# include <dlfcn.h>
48	# include <limits.h>
49	# include <errno.h>
50	# include <unistd.h>
51	# include <sys/stat.h>
52	# include <sys/time.h>
53	# include <stdio.h>
54	# include <sys/types.h>
55	# if defined(RT_OS_LINUX)
56	# undef USE_LIB_PCAP /* don't depend on libcap as we had to depend on either
57	libcap1 or libcap2 */
58
59	# undef _POSIX_SOURCE
60	# include <sys/capability.h>
61	# include <sys/prctl.h>
62	# ifndef CAP_TO_MASK
63	# define CAP_TO_MASK(cap) RT_BIT(cap)
64	# endif
65	# elif defined(RT_OS_FREEBSD)
66	# include <sys/param.h>
67	# include <sys/sysctl.h>
68	# elif defined(RT_OS_SOLARIS)
69	# include <priv.h>
70	# endif
71	# include <pwd.h>
72	# ifdef RT_OS_DARWIN
73	# include <mach-o/dyld.h>
74	# endif
75
76	#endif
77
78	#include <VBox/sup.h>
79	#include <VBox/err.h>
80	#include <iprt/string.h>
81	#include <iprt/param.h>
82
83	#include "SUPLibInternal.h"
84
85
86	/*******************************************************************************
87	* Defined Constants And Macros *
88	*******************************************************************************/
89	/** @def SUP_HARDENED_SUID
90	* Whether we're employing set-user-ID-on-execute in the hardening.
91	*/
92	#if !defined(RT_OS_OS2) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_L4)
93	# define SUP_HARDENED_SUID
94	#else
95	# undef SUP_HARDENED_SUID
96	#endif
97
98	/** @def SUP_HARDENED_SYM
99	* Decorate a symbol that's resolved dynamically.
100	*/
101	#ifdef RT_OS_OS2
102	# define SUP_HARDENED_SYM(sym) "_" sym
103	#else
104	# define SUP_HARDENED_SYM(sym) sym
105	#endif
106
107
108	/*******************************************************************************
109	* Structures and Typedefs *
110	*******************************************************************************/
111	/** @see RTR3InitEx */
112	typedef DECLCALLBACK(int) FNRTR3INITEX(uint32_t iVersion, const char *pszProgramPath, bool fInitSUPLib);
113	typedef FNRTR3INITEX *PFNRTR3INITEX;
114
115
116	/*******************************************************************************
117	* Global Variables *
118	*******************************************************************************/
119	/** The pre-init data we pass on to SUPR3 (residing in VBoxRT). */
120	static SUPPREINITDATA g_SupPreInitData;
121	/** The program executable path. */
122	static char g_szSupLibHardenedExePath[RTPATH_MAX];
123	/** The program directory path. */
124	static char g_szSupLibHardenedDirPath[RTPATH_MAX];
125
126	/** The program name. */
127	static const char *g_pszSupLibHardenedProgName;
128
129	#ifdef SUP_HARDENED_SUID
130	/** The real UID at startup. */
131	static uid_t g_uid;
132	/** The real GID at startup. */
133	static gid_t g_gid;
134	# ifdef RT_OS_LINUX
135	static uint32_t g_uCaps;
136	# endif
137	#endif
138
139
140	/*******************************************************************************
141	* Internal Functions *
142	*******************************************************************************/
143	#ifdef SUP_HARDENED_SUID
144	static void supR3HardenedMainDropPrivileges(void);
145	#endif
146	static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName);
147
148
149	/**
150	* @copydoc RTPathStripFilename.
151	*/
152	static void suplibHardenedPathStripFilename(char *pszPath)
153	{
154	char *psz = pszPath;
155	char *pszLastSep = pszPath;
156
157	for (;; psz++)
158	{
159	switch (*psz)
160	{
161	/* handle separators. */
162	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
163	case ':':
164	pszLastSep = psz + 1;
165	break;
166
167	case '\\':
168	#endif
169	case '/':
170	pszLastSep = psz;
171	break;
172
173	/* the end */
174	case '\0':
175	if (pszLastSep == pszPath)
176	*pszLastSep++ = '.';
177	*pszLastSep = '\0';
178	return;
179	}
180	}
181	/* will never get here */
182	}
183
184
185	/**
186	* @copydoc RTPathFilename
187	*/
188	DECLHIDDEN(char ) supR3HardenedPathFilename(const char pszPath)
189	{
190	const char *psz = pszPath;
191	const char *pszLastComp = pszPath;
192
193	for (;; psz++)
194	{
195	switch (*psz)
196	{
197	/* handle separators. */
198	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
199	case ':':
200	pszLastComp = psz + 1;
201	break;
202
203	case '\\':
204	#endif
205	case '/':
206	pszLastComp = psz + 1;
207	break;
208
209	/* the end */
210	case '\0':
211	if (*pszLastComp)
212	return (char )(void )pszLastComp;
213	return NULL;
214	}
215	}
216
217	/* will never get here */
218	return NULL;
219	}
220
221
222	/**
223	* @copydoc RTPathAppPrivateNoArch
224	*/
225	DECLHIDDEN(int) supR3HardenedPathAppPrivateNoArch(char *pszPath, size_t cchPath)
226	{
227	#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE)
228	const char *pszSrcPath = RTPATH_APP_PRIVATE;
229	size_t cchPathPrivateNoArch = strlen(pszSrcPath);
230	if (cchPathPrivateNoArch >= cchPath)
231	supR3HardenedFatal("supR3HardenedPathAppPrivateNoArch: Buffer overflow, %lu >= %lu\n",
232	(unsigned long)cchPathPrivateNoArch, (unsigned long)cchPath);
233	memcpy(pszPath, pszSrcPath, cchPathPrivateNoArch + 1);
234	return VINF_SUCCESS;
235
236	#else
237	return supR3HardenedPathExecDir(pszPath, cchPath);
238	#endif
239	}
240
241
242	/**
243	* @copydoc RTPathAppPrivateArch
244	*/
245	DECLHIDDEN(int) supR3HardenedPathAppPrivateArch(char *pszPath, size_t cchPath)
246	{
247	#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE_ARCH)
248	const char *pszSrcPath = RTPATH_APP_PRIVATE_ARCH;
249	size_t cchPathPrivateArch = strlen(pszSrcPath);
250	if (cchPathPrivateArch >= cchPath)
251	supR3HardenedFatal("supR3HardenedPathAppPrivateArch: Buffer overflow, %lu >= %lu\n",
252	(unsigned long)cchPathPrivateArch, (unsigned long)cchPath);
253	memcpy(pszPath, pszSrcPath, cchPathPrivateArch + 1);
254	return VINF_SUCCESS;
255
256	#else
257	return supR3HardenedPathExecDir(pszPath, cchPath);
258	#endif
259	}
260
261
262	/**
263	* @copydoc RTPathSharedLibs
264	*/
265	DECLHIDDEN(int) supR3HardenedPathSharedLibs(char *pszPath, size_t cchPath)
266	{
267	#if !defined(RT_OS_WINDOWS) && defined(RTPATH_SHARED_LIBS)
268	const char *pszSrcPath = RTPATH_SHARED_LIBS;
269	size_t cchPathSharedLibs = strlen(pszSrcPath);
270	if (cchPathSharedLibs >= cchPath)
271	supR3HardenedFatal("supR3HardenedPathSharedLibs: Buffer overflow, %lu >= %lu\n",
272	(unsigned long)cchPathSharedLibs, (unsigned long)cchPath);
273	memcpy(pszPath, pszSrcPath, cchPathSharedLibs + 1);
274	return VINF_SUCCESS;
275
276	#else
277	return supR3HardenedPathExecDir(pszPath, cchPath);
278	#endif
279	}
280
281
282	/**
283	* @copydoc RTPathAppDocs
284	*/
285	DECLHIDDEN(int) supR3HardenedPathAppDocs(char *pszPath, size_t cchPath)
286	{
287	#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_DOCS)
288	const char *pszSrcPath = RTPATH_APP_DOCS;
289	size_t cchPathAppDocs = strlen(pszSrcPath);
290	if (cchPathAppDocs >= cchPath)
291	supR3HardenedFatal("supR3HardenedPathAppDocs: Buffer overflow, %lu >= %lu\n",
292	(unsigned long)cchPathAppDocs, (unsigned long)cchPath);
293	memcpy(pszPath, pszSrcPath, cchPathAppDocs + 1);
294	return VINF_SUCCESS;
295
296	#else
297	return supR3HardenedPathExecDir(pszPath, cchPath);
298	#endif
299	}
300
301
302	/**
303	* Returns the full path to the executable.
304	*
305	* @returns IPRT status code.
306	* @param pszPath Where to store it.
307	* @param cchPath How big that buffer is.
308	*/
309	static void supR3HardenedGetFullExePath(void)
310	{
311	/*
312	* Get the program filename.
313	*
314	* Most UNIXes have no API for obtaining the executable path, but provides a symbolic
315	* link in the proc file system that tells who was exec'ed. The bad thing about this
316	* is that we have to use readlink, one of the weirder UNIX APIs.
317	*
318	* Darwin, OS/2 and Windows all have proper APIs for getting the program file name.
319	*/
320	#if defined(RT_OS_LINUX) \|\| defined(RT_OS_FREEBSD) \|\| defined(RT_OS_SOLARIS)
321	# ifdef RT_OS_LINUX
322	int cchLink = readlink("/proc/self/exe", &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
323
324	# elif defined(RT_OS_SOLARIS)
325	char szFileBuf[PATH_MAX + 1];
326	sprintf(szFileBuf, "/proc/%ld/path/a.out", (long)getpid());
327	int cchLink = readlink(szFileBuf, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
328
329	# else /* RT_OS_FREEBSD */
330	int aiName[4];
331	aiName[0] = CTL_KERN;
332	aiName[1] = KERN_PROC;
333	aiName[2] = KERN_PROC_PATHNAME;
334	aiName[3] = getpid();
335
336	size_t cbPath = sizeof(g_szSupLibHardenedExePath);
337	if (sysctl(aiName, RT_ELEMENTS(aiName), g_szSupLibHardenedExePath, &cbPath, NULL, 0) < 0)
338	supR3HardenedFatal("supR3HardenedExecDir: sysctl failed\n");
339	g_szSupLibHardenedExePath[sizeof(g_szSupLibHardenedExePath) - 1] = '\0';
340	int cchLink = strlen(g_szSupLibHardenedExePath); /* paranoid? can't we use cbPath? */
341
342	# endif
343	if (cchLink < 0 \|\| cchLink == sizeof(g_szSupLibHardenedExePath) - 1)
344	supR3HardenedFatal("supR3HardenedExecDir: couldn't read \"%s\", errno=%d cchLink=%d\n",
345	g_szSupLibHardenedExePath, errno, cchLink);
346	g_szSupLibHardenedExePath[cchLink] = '\0';
347
348	#elif defined(RT_OS_OS2) \|\| defined(RT_OS_L4)
349	_execname(g_szSupLibHardenedExePath, sizeof(g_szSupLibHardenedExePath));
350
351	#elif defined(RT_OS_DARWIN)
352	const char *pszImageName = _dyld_get_image_name(0);
353	if (!pszImageName)
354	supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed\n");
355	size_t cchImageName = strlen(pszImageName);
356	if (!cchImageName \|\| cchImageName >= sizeof(g_szSupLibHardenedExePath))
357	supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed, cchImageName=%d\n", cchImageName);
358	memcpy(g_szSupLibHardenedExePath, pszImageName, cchImageName + 1);
359
360	#elif defined(RT_OS_WINDOWS)
361	HMODULE hExe = GetModuleHandle(NULL);
362	if (!GetModuleFileName(hExe, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath)))
363	supR3HardenedFatal("supR3HardenedExecDir: GetModuleFileName failed, rc=%d\n", GetLastError());
364	#else
365	# error needs porting.
366	#endif
367
368	/*
369	* Strip off the filename part (RTPathStripFilename()).
370	*/
371	strcpy(g_szSupLibHardenedDirPath, g_szSupLibHardenedExePath);
372	suplibHardenedPathStripFilename(g_szSupLibHardenedDirPath);
373	}
374
375
376	#ifdef RT_OS_LINUX
377	/**
378	* Checks if we can read /proc/self/exe.
379	*
380	* This is used on linux to see if we have to call init
381	* with program path or not.
382	*
383	* @returns true / false.
384	*/
385	static bool supR3HardenedMainIsProcSelfExeAccssible(void)
386	{
387	char szPath[RTPATH_MAX];
388	int cchLink = readlink("/proc/self/exe", szPath, sizeof(szPath));
389	return cchLink != -1;
390	}
391	#endif /* RT_OS_LINUX */
392
393
394
395	/**
396	* @copydoc RTPathExecDir
397	*/
398	DECLHIDDEN(int) supR3HardenedPathExecDir(char *pszPath, size_t cchPath)
399	{
400	/*
401	* Lazy init (probably not required).
402	*/
403	if (!g_szSupLibHardenedDirPath[0])
404	supR3HardenedGetFullExePath();
405
406	/*
407	* Calc the length and check if there is space before copying.
408	*/
409	size_t cch = strlen(g_szSupLibHardenedDirPath) + 1;
410	if (cch <= cchPath)
411	{
412	memcpy(pszPath, g_szSupLibHardenedDirPath, cch + 1);
413	return VINF_SUCCESS;
414	}
415
416	supR3HardenedFatal("supR3HardenedPathExecDir: Buffer too small (%u < %u)\n", cchPath, cch);
417	return VERR_BUFFER_OVERFLOW;
418	}
419
420
421	DECLHIDDEN(void) supR3HardenedFatalMsgV(const char pszWhere, SUPINITOP enmWhat, int rc, const char pszMsgFmt, va_list va)
422	{
423	/*
424	* To the console first, like supR3HardenedFatalV.
425	*/
426	fprintf(stderr, "%s: Error %d in %s!\n", g_pszSupLibHardenedProgName, rc, pszWhere);
427	fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
428	va_list vaCopy;
429	va_copy(vaCopy, va);
430	vfprintf(stderr, pszMsgFmt, vaCopy);
431	va_end(vaCopy);
432	fprintf(stderr, "\n");
433
434	switch (enmWhat)
435	{
436	case kSupInitOp_Driver:
437	fprintf(stderr,
438	"\n"
439	"%s: Tip! Make sure the kernel module is loaded. It may also help to reinstall VirtualBox.\n",
440	g_pszSupLibHardenedProgName);
441	break;
442
443	case kSupInitOp_IPRT:
444	case kSupInitOp_Integrity:
445	case kSupInitOp_RootCheck:
446	fprintf(stderr,
447	"\n"
448	"%s: Tip! It may help to reinstall VirtualBox.\n",
449	g_pszSupLibHardenedProgName);
450	break;
451
452	default:
453	/* no hints here */
454	break;
455	}
456
457	#ifdef SUP_HARDENED_SUID
458	/*
459	* Drop any root privileges we might be holding, this won't return
460	* if it fails but end up calling supR3HardenedFatal[V].
461	*/
462	supR3HardenedMainDropPrivileges();
463	#endif /* SUP_HARDENED_SUID */
464
465	/*
466	* Now try resolve and call the TrustedError entry point if we can
467	* find it. We'll fork before we attempt this because that way the
468	* session management in main will see us exiting immediately (if
469	* it's involved with us).
470	*/
471	#if !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
472	int pid = fork();
473	if (pid <= 0)
474	#endif
475	{
476	PFNSUPTRUSTEDERROR pfnTrustedError = supR3HardenedMainGetTrustedError(g_pszSupLibHardenedProgName);
477	if (pfnTrustedError)
478	pfnTrustedError(pszWhere, enmWhat, rc, pszMsgFmt, va);
479	}
480
481	/*
482	* Quit
483	*/
484	for (;;)
485	#ifdef _MSC_VER
486	exit(1);
487	#else
488	_Exit(1);
489	#endif
490	}
491
492
493	DECLHIDDEN(void) supR3HardenedFatalMsg(const char pszWhere, SUPINITOP enmWhat, int rc, const char pszMsgFmt, ...)
494	{
495	va_list va;
496	va_start(va, pszMsgFmt);
497	supR3HardenedFatalMsgV(pszWhere, enmWhat, rc, pszMsgFmt, va);
498	va_end(va);
499	}
500
501
502	DECLHIDDEN(void) supR3HardenedFatalV(const char *pszFormat, va_list va)
503	{
504	fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
505	vfprintf(stderr, pszFormat, va);
506	for (;;)
507	#ifdef _MSC_VER
508	exit(1);
509	#else
510	_Exit(1);
511	#endif
512	}
513
514
515	DECLHIDDEN(void) supR3HardenedFatal(const char *pszFormat, ...)
516	{
517	va_list va;
518	va_start(va, pszFormat);
519	supR3HardenedFatalV(pszFormat, va);
520	va_end(va);
521	}
522
523
524	DECLHIDDEN(int) supR3HardenedErrorV(int rc, bool fFatal, const char *pszFormat, va_list va)
525	{
526	if (fFatal)
527	supR3HardenedFatalV(pszFormat, va);
528
529	fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
530	vfprintf(stderr, pszFormat, va);
531	return rc;
532	}
533
534
535	DECLHIDDEN(int) supR3HardenedError(int rc, bool fFatal, const char *pszFormat, ...)
536	{
537	va_list va;
538	va_start(va, pszFormat);
539	supR3HardenedErrorV(rc, fFatal, pszFormat, va);
540	va_end(va);
541	return rc;
542	}
543
544
545	/**
546	* Wrapper around snprintf which will throw a fatal error on buffer overflow.
547	*
548	* @returns Number of chars in the result string.
549	* @param pszDst The destination buffer.
550	* @param cchDst The size of the buffer.
551	* @param pszFormat The format string.
552	* @param ... Format arguments.
553	*/
554	static size_t supR3HardenedStrPrintf(char pszDst, size_t cchDst, const char pszFormat, ...)
555	{
556	va_list va;
557	va_start(va, pszFormat);
558	#ifdef _MSC_VER
559	int cch = _vsnprintf(pszDst, cchDst, pszFormat, va);
560	#else
561	int cch = vsnprintf(pszDst, cchDst, pszFormat, va);
562	#endif
563	va_end(va);
564	if ((unsigned)cch >= cchDst \|\| cch < 0)
565	supR3HardenedFatal("supR3HardenedStrPrintf: buffer overflow, %d >= %lu\n", cch, (long)cchDst);
566	return cch;
567	}
568
569
570	/**
571	* Attempts to open /dev/vboxdrv (or equvivalent).
572	*
573	* @remarks This function will not return on failure.
574	*/
575	static void supR3HardenedMainOpenDevice(void)
576	{
577	int rc = suplibOsInit(&g_SupPreInitData.Data, false);
578	if (RT_SUCCESS(rc))
579	return;
580
581	switch (rc)
582	{
583	/** @todo better messages! */
584	case VERR_VM_DRIVER_NOT_INSTALLED:
585	supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
586	"Kernel driver not installed");
587	case VERR_VM_DRIVER_NOT_ACCESSIBLE:
588	supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
589	"Kernel driver not accessible");
590	case VERR_VM_DRIVER_LOAD_ERROR:
591	supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
592	"VERR_VM_DRIVER_LOAD_ERROR");
593	case VERR_VM_DRIVER_OPEN_ERROR:
594	supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
595	"VERR_VM_DRIVER_OPEN_ERROR");
596	case VERR_VM_DRIVER_VERSION_MISMATCH:
597	supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
598	"Kernel driver version mismatch");
599	case VERR_ACCESS_DENIED:
600	supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
601	"VERR_ACCESS_DENIED");
602	case VERR_NO_MEMORY:
603	supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
604	"Kernel memory allocation/mapping failed");
605	default:
606	supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
607	"Unknown rc=%d", rc);
608	}
609	}
610
611
612	#ifdef SUP_HARDENED_SUID
613
614	/**
615	* Grabs extra non-root capabilities / privileges that we might require.
616	*
617	* This is currently only used for being able to do ICMP from the NAT engine.
618	*
619	* @note We still have root privileges at the time of this call.
620	*/
621	static void supR3HardenedMainGrabCapabilites(void)
622	{
623	# if defined(RT_OS_LINUX)
624	/*
625	* We are about to drop all our privileges. Remove all capabilities but
626	* keep the cap_net_raw capability for ICMP sockets for the NAT stack.
627	*/
628	if (g_uCaps != 0)
629	{
630	# ifdef USE_LIB_PCAP
631	/* XXX cap_net_bind_service */
632	if (!cap_set_proc(cap_from_text("all-eip cap_net_raw+ep")))
633	prctl(PR_SET_KEEPCAPS, 1 /keep=/, 0, 0, 0);
634	prctl(PR_SET_DUMPABLE, 1 /dump/, 0, 0, 0);
635	# else
636	cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
637	cap_user_data_t cap = (cap_user_data_t)alloca(sizeof(*cap));
638	memset(hdr, 0, sizeof(*hdr));
639	hdr->version = _LINUX_CAPABILITY_VERSION;
640	memset(cap, 0, sizeof(*cap));
641	cap->effective = g_uCaps;
642	cap->permitted = g_uCaps;
643	if (!capset(hdr, cap))
644	prctl(PR_SET_KEEPCAPS, 1 /keep/, 0, 0, 0);
645	prctl(PR_SET_DUMPABLE, 1 /dump/, 0, 0, 0);
646	# endif /* !USE_LIB_PCAP */
647	}
648
649	# elif defined(RT_OS_SOLARIS)
650	/*
651	* Add net_icmpaccess privilege to permitted, effective and inheritable
652	* privileges before dropping root privileges. Skip this hacky code for
653	* real root, as it removes lots of privileges due to the harcoded set.
654	*/
655	if (getuid() != 0)
656	{
657	priv_set_t *pPrivSet = priv_str_to_set("basic", ",", NULL);
658	if (pPrivSet)
659	{
660	priv_addset(pPrivSet, PRIV_NET_ICMPACCESS);
661	int rc = setppriv(PRIV_SET, PRIV_INHERITABLE, pPrivSet);
662	if (!rc)
663	{
664	rc = setppriv(PRIV_SET, PRIV_PERMITTED, pPrivSet);
665	if (!rc)
666	{
667	rc = setppriv(PRIV_SET, PRIV_EFFECTIVE, pPrivSet);
668	if (rc)
669	supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set effective privilege set.\n");
670	}
671	else
672	supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set permitted privilege set.\n");
673	}
674	else
675	supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set inheritable privilege set.\n");
676
677	priv_freeset(pPrivSet);
678	}
679	else
680	supR3HardenedError(-1, false, "SUPR3HardenedMain: failed to get basic privilege set.\n");
681	}
682	# endif
683	}
684
685	/*
686	* Look at the environment for some special options.
687	*/
688	static void supR3GrabOptions(void)
689	{
690	const char *pszOpt;
691
692	# ifdef RT_OS_LINUX
693	g_uCaps = 0;
694
695	/*
696	* Do _not_ perform any capability-related system calls for root processes
697	* (leaving g_uCaps at 0).
698	* (Hint: getuid gets the real user id, not the effective.)
699	*/
700	if (getuid() != 0)
701	{
702	/*
703	* CAP_NET_RAW.
704	* Default: enabled.
705	* Can be disabled with 'export VBOX_HARD_CAP_NET_RAW=0'.
706	*/
707	pszOpt = getenv("VBOX_HARD_CAP_NET_RAW");
708	if ( !pszOpt
709	\|\| memcmp(pszOpt, "0", sizeof("0")) != 0)
710	g_uCaps = CAP_TO_MASK(CAP_NET_RAW);
711
712	/*
713	* CAP_NET_BIND_SERVICE.
714	* Default: disabled.
715	* Can be enabled with 'export VBOX_HARD_CAP_NET_BIND_SERVICE=1'.
716	*/
717	pszOpt = getenv("VBOX_HARD_CAP_NET_BIND_SERVICE");
718	if ( pszOpt
719	&& memcmp(pszOpt, "0", sizeof("0")) != 0)
720	g_uCaps \|= CAP_TO_MASK(CAP_NET_BIND_SERVICE);
721	}
722	# endif
723	}
724
725	/**
726	* Drop any root privileges we might be holding.
727	*/
728	static void supR3HardenedMainDropPrivileges(void)
729	{
730	/*
731	* Try use setre[ug]id since this will clear the save uid/gid and thus
732	* leave fewer traces behind that libs like GTK+ may pick up.
733	*/
734	uid_t euid, ruid, suid;
735	gid_t egid, rgid, sgid;
736	# if defined(RT_OS_DARWIN)
737	/* The really great thing here is that setreuid isn't available on
738	OS X 10.4, libc emulates it. While 10.4 have a slightly different and
739	non-standard setuid implementation compared to 10.5, the following
740	works the same way with both version since we're super user (10.5 req).
741	The following will set all three variants of the group and user IDs. */
742	setgid(g_gid);
743	setuid(g_uid);
744	euid = geteuid();
745	ruid = suid = getuid();
746	egid = getegid();
747	rgid = sgid = getgid();
748
749	# elif defined(RT_OS_SOLARIS)
750	/* Solaris doesn't have setresuid, but the setreuid interface is BSD
751	compatible and will set the saved uid to euid when we pass it a ruid
752	that isn't -1 (which we do). */
753	setregid(g_gid, g_gid);
754	setreuid(g_uid, g_uid);
755	euid = geteuid();
756	ruid = suid = getuid();
757	egid = getegid();
758	rgid = sgid = getgid();
759
760	# else
761	/* This is the preferred one, full control no questions about semantics.
762	PORTME: If this isn't work, try join one of two other gangs above. */
763	setresgid(g_gid, g_gid, g_gid);
764	setresuid(g_uid, g_uid, g_uid);
765	if (getresuid(&ruid, &euid, &suid) != 0)
766	{
767	euid = geteuid();
768	ruid = suid = getuid();
769	}
770	if (getresgid(&rgid, &egid, &sgid) != 0)
771	{
772	egid = getegid();
773	rgid = sgid = getgid();
774	}
775	# endif
776
777
778	/* Check that it worked out all right. */
779	if ( euid != g_uid
780	\|\| ruid != g_uid
781	\|\| suid != g_uid
782	\|\| egid != g_gid
783	\|\| rgid != g_gid
784	\|\| sgid != g_gid)
785	supR3HardenedFatal("SUPR3HardenedMain: failed to drop root privileges!"
786	" (euid=%d ruid=%d suid=%d egid=%d rgid=%d sgid=%d; wanted uid=%d and gid=%d)\n",
787	euid, ruid, suid, egid, rgid, sgid, g_uid, g_gid);
788
789	# if RT_OS_LINUX
790	/*
791	* Re-enable the cap_net_raw capability which was disabled during setresuid.
792	*/
793	if (g_uCaps != 0)
794	{
795	# ifdef USE_LIB_PCAP
796	/** @todo Warn if that does not work? */
797	/* XXX cap_net_bind_service */
798	cap_set_proc(cap_from_text("cap_net_raw+ep"));
799	# else
800	cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
801	cap_user_data_t cap = (cap_user_data_t)alloca(sizeof(*cap));
802	memset(hdr, 0, sizeof(*hdr));
803	hdr->version = _LINUX_CAPABILITY_VERSION;
804	memset(cap, 0, sizeof(*cap));
805	cap->effective = g_uCaps;
806	cap->permitted = g_uCaps;
807	/** @todo Warn if that does not work? */
808	capset(hdr, cap);
809	# endif /* !USE_LIB_PCAP */
810	}
811	# endif
812	}
813
814	#endif /* SUP_HARDENED_SUID */
815
816	/**
817	* Loads the VBoxRT DLL/SO/DYLIB, hands it the open driver,
818	* and calls RTR3Init.
819	*
820	* @param fFlags The SUPR3HardenedMain fFlags argument, passed to supR3PreInit.
821	*
822	* @remarks VBoxRT contains both IPRT and SUPR3.
823	* @remarks This function will not return on failure.
824	*/
825	static void supR3HardenedMainInitRuntime(uint32_t fFlags)
826	{
827	/*
828	* Construct the name.
829	*/
830	char szPath[RTPATH_MAX];
831	supR3HardenedPathSharedLibs(szPath, sizeof(szPath) - sizeof("/VBoxRT" SUPLIB_DLL_SUFF));
832	strcat(szPath, "/VBoxRT" SUPLIB_DLL_SUFF);
833
834	/*
835	* Open it and resolve the symbols.
836	*/
837	#if defined(RT_OS_WINDOWS)
838	/** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
839	HMODULE hMod = LoadLibraryEx(szPath, NULL /hFile/, 0 /* dwFlags */);
840	if (!hMod)
841	supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
842	"LoadLibraryEx(\"%s\",,) failed (rc=%d)",
843	szPath, GetLastError());
844	PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)GetProcAddress(hMod, SUP_HARDENED_SYM("RTR3InitEx"));
845	if (!pfnRTInitEx)
846	supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
847	"Entrypoint \"RTR3InitEx\" not found in \"%s\" (rc=%d)",
848	szPath, GetLastError());
849
850	PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)GetProcAddress(hMod, SUP_HARDENED_SYM("supR3PreInit"));
851	if (!pfnSUPPreInit)
852	supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
853	"Entrypoint \"supR3PreInit\" not found in \"%s\" (rc=%d)",
854	szPath, GetLastError());
855
856	#else
857	/* the dlopen crowd */
858	void *pvMod = dlopen(szPath, RTLD_NOW \| RTLD_GLOBAL);
859	if (!pvMod)
860	supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
861	"dlopen(\"%s\",) failed: %s",
862	szPath, dlerror());
863	PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("RTR3InitEx"));
864	if (!pfnRTInitEx)
865	supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
866	"Entrypoint \"RTR3InitEx\" not found in \"%s\"!\ndlerror: %s",
867	szPath, dlerror());
868	PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("supR3PreInit"));
869	if (!pfnSUPPreInit)
870	supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
871	"Entrypoint \"supR3PreInit\" not found in \"%s\"!\ndlerror: %s",
872	szPath, dlerror());
873	#endif
874
875	/*
876	* Make the calls.
877	*/
878	supR3HardenedGetPreInitData(&g_SupPreInitData);
879	int rc = pfnSUPPreInit(&g_SupPreInitData, fFlags);
880	if (RT_FAILURE(rc))
881	supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
882	"supR3PreInit failed with rc=%d", rc);
883	const char *pszExePath = NULL;
884	#ifdef RT_OS_LINUX
885	if (!supR3HardenedMainIsProcSelfExeAccssible())
886	pszExePath = g_szSupLibHardenedExePath;
887	#endif
888	rc = pfnRTInitEx(0, pszExePath, !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV));
889	if (RT_FAILURE(rc))
890	supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
891	"RTR3Init failed with rc=%d", rc);
892	}
893
894
895	/**
896	* Loads the DLL/SO/DYLIB containing the actual program and
897	* resolves the TrustedError symbol.
898	*
899	* This is very similar to supR3HardenedMainGetTrustedMain().
900	*
901	* @returns Pointer to the trusted error symbol if it is exported, NULL
902	* and no error messages otherwise.
903	* @param pszProgName The program name.
904	*/
905	static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName)
906	{
907	/*
908	* Construct the name.
909	*/
910	char szPath[RTPATH_MAX];
911	supR3HardenedPathAppPrivateArch(szPath, sizeof(szPath) - 10);
912	size_t cch = strlen(szPath);
913	supR3HardenedStrPrintf(&szPath[cch], sizeof(szPath) - cch, "/%s%s", pszProgName, SUPLIB_DLL_SUFF);
914
915	/*
916	* Open it and resolve the symbol.
917	*/
918	#if defined(RT_OS_WINDOWS)
919	/** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
920	HMODULE hMod = LoadLibraryEx(szPath, NULL /hFile/, 0 /* dwFlags */);
921	if (!hMod)
922	return NULL;
923	FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedError"));
924	if (!pfn)
925	return NULL;
926	return (PFNSUPTRUSTEDERROR)pfn;
927
928	#else
929	/* the dlopen crowd */
930	void *pvMod = dlopen(szPath, RTLD_NOW \| RTLD_GLOBAL);
931	if (!pvMod)
932	return NULL;
933	void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedError"));
934	if (!pvSym)
935	return NULL;
936	return (PFNSUPTRUSTEDERROR)(uintptr_t)pvSym;
937	#endif
938	}
939
940
941	/**
942	* Loads the DLL/SO/DYLIB containing the actual program and
943	* resolves the TrustedMain symbol.
944	*
945	* @returns Pointer to the trusted main of the actual program.
946	* @param pszProgName The program name.
947	* @remarks This function will not return on failure.
948	*/
949	static PFNSUPTRUSTEDMAIN supR3HardenedMainGetTrustedMain(const char *pszProgName)
950	{
951	/*
952	* Construct the name.
953	*/
954	char szPath[RTPATH_MAX];
955	supR3HardenedPathAppPrivateArch(szPath, sizeof(szPath) - 10);
956	size_t cch = strlen(szPath);
957	supR3HardenedStrPrintf(&szPath[cch], sizeof(szPath) - cch, "/%s%s", pszProgName, SUPLIB_DLL_SUFF);
958
959	/*
960	* Open it and resolve the symbol.
961	*/
962	#if defined(RT_OS_WINDOWS)
963	/** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
964	HMODULE hMod = LoadLibraryEx(szPath, NULL /hFile/, 0 /* dwFlags */);
965	if (!hMod)
966	supR3HardenedFatal("supR3HardenedMainGetTrustedMain: LoadLibraryEx(\"%s\",,) failed, rc=%d\n",
967	szPath, GetLastError());
968	FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedMain"));
969	if (!pfn)
970	supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\" (rc=%d)\n",
971	szPath, GetLastError());
972	return (PFNSUPTRUSTEDMAIN)pfn;
973
974	#else
975	/* the dlopen crowd */
976	void *pvMod = dlopen(szPath, RTLD_NOW \| RTLD_GLOBAL);
977	if (!pvMod)
978	supR3HardenedFatal("supR3HardenedMainGetTrustedMain: dlopen(\"%s\",) failed: %s\n",
979	szPath, dlerror());
980	void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedMain"));
981	if (!pvSym)
982	supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\"!\ndlerror: %s\n",
983	szPath, dlerror());
984	return (PFNSUPTRUSTEDMAIN)(uintptr_t)pvSym;
985	#endif
986	}
987
988
989	/**
990	* Secure main.
991	*
992	* This is used for the set-user-ID-on-execute binaries on unixy systems
993	* and when using the open-vboxdrv-via-root-service setup on Windows.
994	*
995	* This function will perform the integrity checks of the VirtualBox
996	* installation, open the support driver, open the root service (later),
997	* and load the DLL corresponding to \a pszProgName and execute its main
998	* function.
999	*
1000	* @returns Return code appropriate for main().
1001	*
1002	* @param pszProgName The program name. This will be used to figure out which
1003	* DLL/SO/DYLIB to load and execute.
1004	* @param fFlags Flags.
1005	* @param argc The argument count.
1006	* @param argv The argument vector.
1007	* @param envp The environment vector.
1008	*/
1009	DECLHIDDEN(int) SUPR3HardenedMain(const char pszProgName, uint32_t fFlags, int argc, char argv, char *envp)
1010	{
1011	/*
1012	* Note! At this point there is no IPRT, so we will have to stick
1013	* to basic CRT functions that everyone agree upon.
1014	*/
1015	g_pszSupLibHardenedProgName = pszProgName;
1016	g_SupPreInitData.u32Magic = SUPPREINITDATA_MAGIC;
1017	g_SupPreInitData.Data.hDevice = NIL_RTFILE;
1018	g_SupPreInitData.u32EndMagic = SUPPREINITDATA_MAGIC;
1019
1020	#ifdef SUP_HARDENED_SUID
1021	# ifdef RT_OS_LINUX
1022	/*
1023	* On linux we have to make sure the path is initialized because we
1024	* might not be able to access /proc/self/exe after the seteuid call.
1025	*/
1026	supR3HardenedGetFullExePath();
1027
1028	# endif
1029
1030	/*
1031	* Grab any options from the environment.
1032	*/
1033	supR3GrabOptions();
1034
1035	/*
1036	* Check that we're root, if we aren't then the installation is butchered.
1037	*/
1038	g_uid = getuid();
1039	g_gid = getgid();
1040	if (geteuid() != 0 /* root */)
1041	supR3HardenedFatalMsg("SUPR3HardenedMain", kSupInitOp_RootCheck, VERR_PERMISSION_DENIED,
1042	"Effective UID is not root (euid=%d egid=%d uid=%d gid=%d)",
1043	geteuid(), getegid(), g_uid, g_gid);
1044	#endif
1045
1046	/*
1047	* Validate the installation.
1048	*/
1049	supR3HardenedVerifyAll(true /* fFatal /, false / fLeaveFilesOpen */, pszProgName);
1050
1051	/*
1052	* Open the vboxdrv device.
1053	*/
1054	if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
1055	supR3HardenedMainOpenDevice();
1056
1057	/*
1058	* Open the root service connection.
1059	*/
1060	//if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_SVC))
1061	//supR3HardenedMainOpenService(&g_SupPreInitData, true /* fFatal */);
1062
1063	#ifdef SUP_HARDENED_SUID
1064	/*
1065	* Grab additional capabilities / privileges.
1066	*/
1067	supR3HardenedMainGrabCapabilites();
1068
1069	/*
1070	* Drop any root privileges we might be holding (won't return on failure)
1071	*/
1072	supR3HardenedMainDropPrivileges();
1073	#endif
1074
1075	/*
1076	* Load the IPRT, hand the SUPLib part the open driver and
1077	* call RTR3Init.
1078	*/
1079	supR3HardenedMainInitRuntime(fFlags);
1080
1081	/*
1082	* Load the DLL/SO/DYLIB containing the actual program
1083	* and pass control to it.
1084	*/
1085	PFNSUPTRUSTEDMAIN pfnTrustedMain = supR3HardenedMainGetTrustedMain(pszProgName);
1086	return pfnTrustedMain(argc, argv, envp);
1087	}
1088

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp@ 34372

Download in other formats: