SUPR3HardenedVerify.cpp@ 62691

Last change on this file since 62691 was 62675, checked in by vboxsync, 9 years ago
SUPLib: Two error path fixes and lots of warnings.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 71.7 KB

Line
1	/* $Id: SUPR3HardenedVerify.cpp 62675 2016-07-29 11:19:16Z vboxsync $ */
2	/** @file
3	* VirtualBox Support Library - Verification of Hardened Installation.
4	*/
5
6	/*
7	* Copyright (C) 2006-2016 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27
28	/*********************************************************************************************************************************
29	* Header Files *
30	*********************************************************************************************************************************/
31	#if defined(RT_OS_OS2)
32	# define INCL_BASE
33	# define INCL_ERRORS
34	# include <os2.h>
35	# include <stdio.h>
36	# include <stdlib.h>
37	# include <unistd.h>
38	# include <sys/fcntl.h>
39	# include <sys/errno.h>
40	# include <sys/syslimits.h>
41
42	#elif defined(RT_OS_WINDOWS)
43	# include <iprt/nt/nt-and-windows.h>
44	# ifndef IN_SUP_HARDENED_R3
45	# include <stdio.h>
46	# endif
47
48	#else /* UNIXes */
49	# include <sys/types.h>
50	# include <stdio.h>
51	# include <stdlib.h>
52	# include <dirent.h>
53	# include <dlfcn.h>
54	# include <fcntl.h>
55	# include <limits.h>
56	# include <errno.h>
57	# include <unistd.h>
58	# include <sys/stat.h>
59	# include <sys/time.h>
60	# include <sys/fcntl.h>
61	# include <pwd.h>
62	# ifdef RT_OS_DARWIN
63	# include <mach-o/dyld.h>
64	# endif
65
66	#endif
67
68	#include <VBox/sup.h>
69	#include <VBox/err.h>
70	#include <iprt/asm.h>
71	#include <iprt/ctype.h>
72	#include <iprt/param.h>
73	#include <iprt/path.h>
74	#include <iprt/string.h>
75
76	#include "SUPLibInternal.h"
77	#if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
78	# define SUPHNTVI_NO_NT_STUFF
79	# include "win/SUPHardenedVerify-win.h"
80	#endif
81
82
83	/*********************************************************************************************************************************
84	* Defined Constants And Macros *
85	*********************************************************************************************************************************/
86	/** The max path length acceptable for a trusted path. */
87	#define SUPR3HARDENED_MAX_PATH 260U
88
89	#ifdef RT_OS_SOLARIS
90	# define dirfd(d) ((d)->d_fd)
91	#endif
92
93	/** Compare table file names with externally supplied names. */
94	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
95	# define SUP_COMP_FILENAME RTStrICmp
96	#else
97	# define SUP_COMP_FILENAME suplibHardenedStrCmp
98	#endif
99
100
101	/*********************************************************************************************************************************
102	* Global Variables *
103	*********************************************************************************************************************************/
104	/**
105	* The files that gets verified.
106	*
107	* @todo This needs reviewing against the linux packages.
108	* @todo The excessive use of kSupID_AppSharedLib needs to be reviewed at some point. For
109	* the time being we're building the linux packages with SharedLib pointing to
110	* AppPrivArch (lazy bird).
111	*
112	* @remarks If you add executables here, you might need to update
113	* g_apszSupNtVpAllowedVmExes in SUPHardenedVerifyProcess-win.cpp.
114	*/
115	static SUPINSTFILE const g_aSupInstallFiles[] =
116	{
117	/* type, dir, fOpt, "pszFile" */
118	/* ---------------------------------------------------------------------- */
119	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
120	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
121	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
122
123	#ifdef VBOX_WITH_RAW_MODE
124	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMRC.rc" },
125	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDRC.rc" },
126	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDD2RC.rc" },
127	#endif
128
129	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
130	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
131	#ifdef VBOX_WITH_REM
132	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
133	#endif
134	#if HC_ARCH_BITS == 32
135	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
136	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
137	#endif
138	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
139	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
140	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
141	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxVMMPreload" SUPLIB_EXE_SUFF },
142	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVMMPreload" SUPLIB_DLL_SUFF },
143
144	//#ifdef VBOX_WITH_DEBUGGER_GUI
145	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
146	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
147	//#endif
148
149	//#ifdef VBOX_WITH_SHARED_CLIPBOARD
150	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
151	//#endif
152	//#ifdef VBOX_WITH_SHARED_FOLDERS
153	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
154	//#endif
155	//#ifdef VBOX_WITH_DRAG_AND_DROP
156	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
157	//#endif
158	//#ifdef VBOX_WITH_GUEST_PROPS
159	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
160	//#endif
161	//#ifdef VBOX_WITH_GUEST_CONTROL
162	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
163	//#endif
164	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
165	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
166	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
167	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
168	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
169
170	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
171
172	#ifdef VBOX_WITH_MAIN
173	{ kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
174	#ifdef RT_OS_WINDOWS
175	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
176	#else
177	{ kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
178	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
179	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
180	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
181	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
182	{ kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
183	#endif
184	#endif
185
186	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
187	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
188	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
189
190	//#ifdef VBOX_WITH_HEADLESS
191	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
192	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
193	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
194	//#endif
195
196	//#ifdef VBOX_WITH_QTGUI
197	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
198	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
199	# ifdef RT_OS_DARWIN
200	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
201	# endif
202	# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
203	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
204	# endif
205	//#endif
206
207	//#ifdef VBOX_WITH_VBOXSDL
208	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
209	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
210	//#endif
211
212	//#ifdef VBOX_WITH_WEBSERVICES
213	{ kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
214	//#endif
215
216	#ifdef RT_OS_LINUX
217	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
218	#endif
219
220	//#ifdef VBOX_WITH_NETFLT
221	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
222	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
223	//#endif
224
225	//#ifdef VBOX_WITH_LWIP_NAT
226	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
227	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
228	//#endif
229	#if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
230	# define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
231	{ kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
232	{ kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
233	HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
234	HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
235	HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
236	HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
237	HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
238	# define HARDENED_TESTCASE_ENTRY(a_szName) \
239	{ kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
240	{ kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
241	HARDENED_TESTCASE_ENTRY("tstCFGM"),
242	HARDENED_TESTCASE_ENTRY("tstGIP-2"),
243	HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
244	HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
245	HARDENED_TESTCASE_ENTRY("tstRTR0ThreadPreemptionDriver"),
246	HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
247	HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
248	HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
249	HARDENED_TESTCASE_ENTRY("tstSSM"),
250	#endif
251	};
252
253
254	/** Array parallel to g_aSupInstallFiles containing per-file status info. */
255	static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
256
257	/** Array index by install directory specifier containing info about verified directories. */
258	static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
259
260
261	/**
262	* Assembles the path to a directory.
263	*
264	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
265	* decides whether it returns or not).
266	*
267	* @param enmDir The directory.
268	* @param pszDst Where to assemble the path.
269	* @param cchDst The size of the buffer.
270	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
271	*/
272	static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
273	{
274	int rc;
275	switch (enmDir)
276	{
277	case kSupID_AppBin:
278	rc = supR3HardenedPathAppBin(pszDst, cchDst);
279	break;
280	case kSupID_AppSharedLib:
281	rc = supR3HardenedPathAppSharedLibs(pszDst, cchDst);
282	break;
283	case kSupID_AppPrivArch:
284	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
285	break;
286	case kSupID_AppPrivArchComp:
287	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
288	if (RT_SUCCESS(rc))
289	{
290	size_t off = suplibHardenedStrLen(pszDst);
291	if (cchDst - off >= sizeof("/components"))
292	suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
293	else
294	rc = VERR_BUFFER_OVERFLOW;
295	}
296	break;
297	case kSupID_AppPrivNoArch:
298	rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
299	break;
300	case kSupID_Testcase:
301	rc = supR3HardenedPathAppBin(pszDst, cchDst);
302	if (RT_SUCCESS(rc))
303	{
304	size_t off = suplibHardenedStrLen(pszDst);
305	if (cchDst - off >= sizeof("/testcase"))
306	suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
307	else
308	rc = VERR_BUFFER_OVERFLOW;
309	}
310	break;
311	default:
312	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
313	"supR3HardenedMakePath: enmDir=%d\n", enmDir);
314	}
315	if (RT_FAILURE(rc))
316	supR3HardenedError(rc, fFatal,
317	"supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
318	return rc;
319	}
320
321
322
323	/**
324	* Assembles the path to a file table entry, with or without the actual filename.
325	*
326	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
327	* decides whether it returns or not).
328	*
329	* @param pFile The file table entry.
330	* @param pszDst Where to assemble the path.
331	* @param cchDst The size of the buffer.
332	* @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
333	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
334	*/
335	static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
336	{
337	/*
338	* Combine supR3HardenedMakePath and the filename.
339	*/
340	int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
341	if (RT_SUCCESS(rc) && fWithFilename)
342	{
343	size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
344	size_t off = suplibHardenedStrLen(pszDst);
345	if (cchDst - off >= cchFile + 2)
346	{
347	pszDst[off++] = '/';
348	suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
349	}
350	else
351	rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
352	"supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
353	pFile->pszFile, (long)off);
354	}
355	return rc;
356	}
357
358
359	/**
360	* Verifies a directory.
361	*
362	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
363	* fFatal is clear and if it's set the function wont return.
364	* @param enmDir The directory specifier.
365	* @param fFatal Whether validation failures should be treated as
366	* fatal (true) or not (false).
367	*/
368	DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
369	{
370	/*
371	* Validate the index just to be on the safe side...
372	*/
373	if (enmDir <= kSupID_Invalid \|\| enmDir >= kSupID_End)
374	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
375	"supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
376
377	/*
378	* Already validated?
379	*/
380	if (g_aSupVerifiedDirs[enmDir].fValidated)
381	return VINF_SUCCESS; /** @todo revalidate? */
382
383	/* initialize the entry. */
384	if (g_aSupVerifiedDirs[enmDir].hDir != 0)
385	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
386	"supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
387	(void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
388	g_aSupVerifiedDirs[enmDir].hDir = -1;
389	g_aSupVerifiedDirs[enmDir].fValidated = false;
390
391	/*
392	* Make the path and open the directory.
393	*/
394	char szPath[RTPATH_MAX];
395	int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
396	if (RT_SUCCESS(rc))
397	{
398	#if defined(RT_OS_WINDOWS)
399	PRTUTF16 pwszPath;
400	rc = RTStrToUtf16(szPath, &pwszPath);
401	if (RT_SUCCESS(rc))
402	{
403	HANDLE hDir = CreateFileW(pwszPath,
404	GENERIC_READ,
405	FILE_SHARE_READ \| FILE_SHARE_DELETE \| FILE_SHARE_WRITE,
406	NULL,
407	OPEN_EXISTING,
408	FILE_ATTRIBUTE_NORMAL \| FILE_FLAG_BACKUP_SEMANTICS,
409	NULL);
410	if (hDir != INVALID_HANDLE_VALUE)
411	{
412	/** @todo check the type */
413	/* That's all on windows, for now at least... */
414	g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
415	g_aSupVerifiedDirs[enmDir].fValidated = true;
416	}
417	else if (enmDir == kSupID_Testcase)
418	{
419	g_aSupVerifiedDirs[enmDir].fValidated = true;
420	rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
421	}
422	else
423	{
424	int err = RtlGetLastWin32Error();
425	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
426	"supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
427	szPath, err);
428	}
429	RTUtf16Free(pwszPath);
430	}
431	else
432	rc = supR3HardenedError(rc, fFatal,
433	"supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
434
435	#else /* UNIXY */
436	int fd = open(szPath, O_RDONLY, 0);
437	if (fd >= 0)
438	{
439	/*
440	* On unixy systems we'll make sure the directory is owned by root
441	* and not writable by the group and user.
442	*/
443	struct stat st;
444	if (!fstat(fd, &st))
445	{
446
447	if ( st.st_uid == 0
448	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
449	&& S_ISDIR(st.st_mode))
450	{
451	g_aSupVerifiedDirs[enmDir].hDir = fd;
452	g_aSupVerifiedDirs[enmDir].fValidated = true;
453	}
454	else
455	{
456	if (!S_ISDIR(st.st_mode))
457	rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
458	"supR3HardenedVerifyDir: \"%s\" is not a directory\n",
459	szPath, (long)st.st_uid);
460	else if (st.st_uid)
461	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
462	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
463	szPath, (long)st.st_uid);
464	else
465	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
466	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
467	szPath, (long)st.st_mode);
468	close(fd);
469	}
470	}
471	else
472	{
473	int err = errno;
474	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
475	"supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
476	szPath, strerror(err), err);
477	close(fd);
478	}
479	}
480	else if (enmDir == kSupID_Testcase)
481	{
482	g_aSupVerifiedDirs[enmDir].fValidated = true;
483	rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
484	}
485	else
486	{
487	int err = errno;
488	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
489	"supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
490	szPath, strerror(err), err);
491	}
492	#endif /* UNIXY */
493	}
494
495	return rc;
496	}
497
498
499	#ifdef RT_OS_WINDOWS
500	/**
501	* Opens the file for verification.
502	*
503	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
504	* fFatal is clear and if it's set the function wont return.
505	* @param pFile The file entry.
506	* @param fFatal Whether validation failures should be treated as
507	* kl fatal (true) or not (false).
508	* @param phFile The file handle, set to -1 if we failed to open
509	* the file. The function may return VINF_SUCCESS
510	* and a -1 handle if the file is optional.
511	*/
512	static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
513	{
514	*phFile = -1;
515
516	char szPath[RTPATH_MAX];
517	int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /fWithFilename/, fFatal);
518	if (RT_SUCCESS(rc))
519	{
520	PRTUTF16 pwszPath;
521	rc = RTStrToUtf16(szPath, &pwszPath);
522	if (RT_SUCCESS(rc))
523	{
524	HANDLE hFile = CreateFileW(pwszPath,
525	GENERIC_READ,
526	FILE_SHARE_READ,
527	NULL,
528	OPEN_EXISTING,
529	FILE_ATTRIBUTE_NORMAL,
530	NULL);
531	if (hFile != INVALID_HANDLE_VALUE)
532	{
533	*phFile = (intptr_t)hFile;
534	rc = VINF_SUCCESS;
535	}
536	else
537	{
538	int err = RtlGetLastWin32Error();
539	if ( !pFile->fOptional
540	\|\| ( err != ERROR_FILE_NOT_FOUND
541	&& (err != ERROR_PATH_NOT_FOUND \|\| pFile->enmDir != kSupID_Testcase) ) )
542	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
543	"supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
544	}
545	RTUtf16Free(pwszPath);
546	}
547	else
548	rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
549	szPath, rc);
550	}
551	return rc;
552	}
553
554
555	/**
556	* Worker for supR3HardenedVerifyFileInternal.
557	*
558	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
559	* fFatal is clear and if it's set the function wont return.
560	* @param pFile The file entry.
561	* @param pVerified The verification record.
562	* @param fFatal Whether validation failures should be treated as
563	* fatal (true) or not (false).
564	* @param fLeaveFileOpen Whether the file should be left open.
565	*/
566	static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
567	{
568	# if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
569
570	/*
571	* Open the file if we have to.
572	*/
573	int rc;
574	intptr_t hFileOpened;
575	intptr_t hFile = pVerified->hFile;
576	if (hFile != -1)
577	hFileOpened = -1;
578	else
579	{
580	rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
581	if (RT_FAILURE(rc))
582	return rc;
583	hFile = hFileOpened;
584	}
585
586	/*
587	* Verify the signature.
588	*/
589	char szErr[1024];
590	RTERRINFO ErrInfo;
591	RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
592
593	uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
594	if (pFile->enmType == kSupIFT_Rc)
595	fFlags \|= SUPHNTVI_F_RC_IMAGE;
596
597	rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
598	if (RT_SUCCESS(rc))
599	pVerified->fCheckedSignature = true;
600	else
601	{
602	pVerified->fCheckedSignature = false;
603	rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
604	pFile->pszFile, rc, szErr);
605
606	}
607
608	/*
609	* Close the handle if we opened the file and we should close it.
610	*/
611	if (hFileOpened != -1)
612	{
613	if (fLeaveFileOpen && RT_SUCCESS(rc))
614	pVerified->hFile = hFileOpened;
615	else
616	NtClose((HANDLE)hFileOpened);
617	}
618
619	return rc;
620
621	# else /* Not checking signatures. */
622	RT_NOREF4(pFile, pVerified, fFatal, fLeaveFileOpen);
623	return VINF_SUCCESS;
624	# endif /* Not checking signatures. */
625	}
626	#endif
627
628
629	/**
630	* Verifies a file entry.
631	*
632	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
633	* fFatal is clear and if it's set the function wont return.
634	*
635	* @param iFile The file table index of the file to be verified.
636	* @param fFatal Whether validation failures should be treated as
637	* fatal (true) or not (false).
638	* @param fLeaveFileOpen Whether the file should be left open.
639	* @param fVerifyAll Set if this is an verify all call and we will
640	* postpone signature checking.
641	*/
642	static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
643	{
644	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
645	PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
646
647	/*
648	* Already done validation? Do signature validation if we haven't yet.
649	*/
650	if (pVerified->fValidated)
651	{
652	/** @todo revalidate? Check that the file hasn't been replace or similar. */
653	#ifdef RT_OS_WINDOWS
654	if (!pVerified->fCheckedSignature && !fVerifyAll)
655	return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
656	#endif
657	return VINF_SUCCESS;
658	}
659
660
661	/* initialize the entry. */
662	if (pVerified->hFile != 0)
663	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
664	"supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
665	(void *)pVerified->hFile, pFile->pszFile);
666	pVerified->hFile = -1;
667	pVerified->fValidated = false;
668	#ifdef RT_OS_WINDOWS
669	pVerified->fCheckedSignature = false;
670	#endif
671
672	/*
673	* Verify the directory then proceed to open it.
674	* (This'll make sure the directory is opened and that we can (later)
675	* use openat if we wish.)
676	*/
677	int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
678	if (RT_SUCCESS(rc))
679	{
680	#if defined(RT_OS_WINDOWS)
681	rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
682	if (RT_SUCCESS(rc))
683	{
684	if (!fVerifyAll)
685	rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
686	if (RT_SUCCESS(rc))
687	{
688	pVerified->fValidated = true;
689	if (!fLeaveFileOpen)
690	{
691	NtClose((HANDLE)pVerified->hFile);
692	pVerified->hFile = -1;
693	}
694	}
695	}
696	#else /* !RT_OS_WINDOWS */
697	char szPath[RTPATH_MAX];
698	rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /fWithFilename/, fFatal);
699	if (RT_SUCCESS(rc))
700	{
701	int fd = open(szPath, O_RDONLY, 0);
702	if (fd >= 0)
703	{
704	/*
705	* On unixy systems we'll make sure the file is owned by root
706	* and not writable by the group and user.
707	*/
708	struct stat st;
709	if (!fstat(fd, &st))
710	{
711	if ( st.st_uid == 0
712	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
713	&& S_ISREG(st.st_mode))
714	{
715	/* it's valid. */
716	if (fLeaveFileOpen)
717	pVerified->hFile = fd;
718	else
719	close(fd);
720	pVerified->fValidated = true;
721	}
722	else
723	{
724	if (!S_ISREG(st.st_mode))
725	rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
726	"supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
727	szPath, (long)st.st_uid);
728	else if (st.st_uid)
729	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
730	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
731	szPath, (long)st.st_uid);
732	else
733	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
734	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
735	szPath, (long)st.st_mode);
736	close(fd);
737	}
738	}
739	else
740	{
741	int err = errno;
742	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
743	"supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
744	szPath, strerror(err), err);
745	close(fd);
746	}
747	}
748	else
749	{
750	int err = errno;
751	if (!pFile->fOptional \|\| err != ENOENT)
752	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
753	"supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
754	szPath, strerror(err), err);
755	}
756	}
757	#endif /* !RT_OS_WINDOWS */
758	}
759
760	return rc;
761	}
762
763
764	/**
765	* Verifies that the specified table entry matches the given filename.
766	*
767	* @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
768	* error is returned or we terminate the application.
769	*
770	* @param iFile The file table index.
771	* @param pszFilename The filename.
772	* @param fFatal Whether validation failures should be treated as
773	* fatal (true) or not (false).
774	*/
775	static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
776	{
777	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
778
779	/*
780	* Construct the full path for the file table entry
781	* and compare it with the specified file.
782	*/
783	char szName[RTPATH_MAX];
784	int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
785	if (RT_FAILURE(rc))
786	return rc;
787	if (SUP_COMP_FILENAME(szName, pszFilename))
788	{
789	/*
790	* Normalize the two paths and compare again.
791	*/
792	rc = VERR_NOT_SAME_DEVICE;
793	#if defined(RT_OS_WINDOWS)
794	LPSTR pszIgnored;
795	char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
796	if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
797	&& GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
798	if (!SUP_COMP_FILENAME(szName2, szName))
799	rc = VINF_SUCCESS;
800	#else
801	AssertCompile(RTPATH_MAX >= PATH_MAX);
802	char szName2[RTPATH_MAX];
803	if ( realpath(szName, szName2) != NULL
804	&& realpath(pszFilename, szName) != NULL)
805	if (!SUP_COMP_FILENAME(szName2, szName))
806	rc = VINF_SUCCESS;
807	#endif
808
809	if (RT_FAILURE(rc))
810	{
811	supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
812	return supR3HardenedError(rc, fFatal,
813	"supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
814	pszFilename, szName);
815	}
816	}
817
818	/*
819	* Check more stuff like the stat info if it's an already open file?
820	*/
821
822
823
824	return VINF_SUCCESS;
825	}
826
827
828	/**
829	* Verifies a file.
830	*
831	* @returns VINF_SUCCESS on success.
832	* VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
833	* On verification failure, an error code will be returned when fFatal is clear,
834	* otherwise the program will be terminated.
835	*
836	* @param pszFilename The filename.
837	* @param fFatal Whether validation failures should be treated as
838	* fatal (true) or not (false).
839	*/
840	DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
841	{
842	/*
843	* Lookup the file and check if it's the same file.
844	*/
845	const char *pszName = supR3HardenedPathFilename(pszFilename);
846	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
847	if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
848	{
849	int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
850	if (RT_SUCCESS(rc))
851	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen /, false / fVerifyAll */);
852	return rc;
853	}
854
855	return VERR_NOT_FOUND;
856	}
857
858
859	/**
860	* Verifies a program, worker for supR3HardenedVerifyAll.
861	*
862	* @returns See supR3HardenedVerifyAll.
863	* @param pszProgName See supR3HardenedVerifyAll.
864	* @param pszExePath The path to the executable.
865	* @param fFatal See supR3HardenedVerifyAll.
866	* @param fLeaveOpen The leave open setting used by
867	* supR3HardenedVerifyAll.
868	* @param fMainFlags Flags supplied to SUPR3HardenedMain.
869	*/
870	static int supR3HardenedVerifyProgram(const char pszProgName, const char pszExePath, bool fFatal,
871	bool fLeaveOpen, uint32_t fMainFlags)
872	{
873	/*
874	* Search the table looking for the executable and the DLL/DYLIB/SO.
875	* Note! On darwin we have a hack in place for VirtualBoxVM helper app
876	* to share VirtualBox.dylib with the VirtualBox app. This ASSUMES
877	* that cchProgNameDll is equal or shorter to the exe name.
878	*/
879	int rc = VINF_SUCCESS;
880	bool fExe = false;
881	bool fDll = false;
882	size_t const cchProgNameExe = suplibHardenedStrLen(pszProgName);
883	#ifndef RT_OS_DARWIN
884	size_t const cchProgNameDll = cchProgNameExe;
885	NOREF(fMainFlags);
886	#else
887	size_t const cchProgNameDll = fMainFlags & SUPSECMAIN_FLAGS_OSX_VM_APP
888	? sizeof("VirtualBox") - 1
889	: cchProgNameExe;
890	if (cchProgNameDll > cchProgNameExe)
891	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
892	"supR3HardenedVerifyProgram: SUPSECMAIN_FLAGS_OSX_VM_APP + '%s'", pszProgName);
893	#endif
894	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
895	if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameDll))
896	{
897	if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
898	\|\| g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
899	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameDll], SUPLIB_DLL_SUFF))
900	{
901	/* This only has to be found (once). */
902	if (fDll)
903	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
904	"supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
905	else
906	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
907	true /* fVerifyAll - check sign later, only final process need check it on load. */);
908	fDll = true;
909	}
910	else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
911	\|\| g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
912	&& ( cchProgNameExe == cchProgNameDll
913	\|\| !suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameExe))
914	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameExe], SUPLIB_EXE_SUFF))
915	{
916	/* Here we'll have to check that the specific program is the same as the entry. */
917	if (fExe)
918	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
919	"supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
920	else
921	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
922	fExe = true;
923
924	supR3HardenedVerifySameFile(iFile, pszExePath, fFatal);
925	}
926	}
927
928	/*
929	* Check the findings.
930	*/
931	if (RT_SUCCESS(rc))
932	{
933	if (!fDll && !fExe)
934	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
935	"supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
936	else if (!fExe)
937	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
938	"supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
939	else if (!fDll)
940	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
941	"supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
942	}
943	return rc;
944	}
945
946
947	/**
948	* Verifies all the known files (called from SUPR3HardenedMain).
949	*
950	* @returns VINF_SUCCESS on success.
951	* On verification failure, an error code will be returned when fFatal is clear,
952	* otherwise the program will be terminated.
953	*
954	* @param fFatal Whether validation failures should be treated as
955	* fatal (true) or not (false).
956	* @param pszProgName The program name. This is used to verify that
957	* both the executable and corresponding
958	* DLL/DYLIB/SO are valid.
959	* @param pszExePath The path to the executable.
960	* @param fMainFlags Flags supplied to SUPR3HardenedMain.
961	*/
962	DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char pszProgName, const char pszExePath, uint32_t fMainFlags)
963	{
964	/*
965	* On windows
966	*/
967	#if defined(RT_OS_WINDOWS)
968	bool fLeaveOpen = true;
969	#else
970	bool fLeaveOpen = false;
971	#endif
972
973	/*
974	* The verify all the files.
975	*/
976	int rc = VINF_SUCCESS;
977	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
978	{
979	int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
980	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
981	rc = rc2;
982	}
983
984	/*
985	* Verify the program name, that is to say, check that it's in the table
986	* (thus verified above) and verify the signature on platforms where we
987	* sign things.
988	*/
989	int rc2 = supR3HardenedVerifyProgram(pszProgName, pszExePath, fFatal, fLeaveOpen, fMainFlags);
990	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
991	rc2 = rc;
992
993	return rc;
994	}
995
996
997	/**
998	* Copies the N messages into the error buffer and returns @a rc.
999	*
1000	* @returns Returns @a rc
1001	* @param rc The return code.
1002	* @param pErrInfo The error info structure.
1003	* @param cMsgs The number of messages in the ellipsis.
1004	* @param ... Message parts.
1005	*/
1006	static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
1007	{
1008	if (pErrInfo)
1009	{
1010	size_t cbErr = pErrInfo->cbMsg;
1011	char *pszErr = pErrInfo->pszMsg;
1012
1013	va_list va;
1014	va_start(va, cMsgs);
1015	while (cMsgs-- > 0 && cbErr > 0)
1016	{
1017	const char pszMsg = va_arg(va, const char );
1018	size_t cchMsg = VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
1019	if (cchMsg >= cbErr)
1020	cchMsg = cbErr - 1;
1021	suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
1022	pszErr[cchMsg] = '\0';
1023	pszErr += cchMsg;
1024	cbErr -= cchMsg;
1025	}
1026	va_end(va);
1027
1028	pErrInfo->rc = rc;
1029	pErrInfo->fFlags \|= RTERRINFO_FLAGS_SET;
1030	}
1031
1032	return rc;
1033	}
1034
1035
1036	/**
1037	* Copies the three messages into the error buffer and returns @a rc.
1038	*
1039	* @returns Returns @a rc
1040	* @param rc The return code.
1041	* @param pErrInfo The error info structure.
1042	* @param pszMsg1 The first message part.
1043	* @param pszMsg2 The second message part.
1044	* @param pszMsg3 The third message part.
1045	*/
1046	static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1047	const char pszMsg2, const char pszMsg3)
1048	{
1049	return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
1050	}
1051
1052	#ifdef SOME_UNUSED_FUNCTION
1053
1054	/**
1055	* Copies the two messages into the error buffer and returns @a rc.
1056	*
1057	* @returns Returns @a rc
1058	* @param rc The return code.
1059	* @param pErrInfo The error info structure.
1060	* @param pszMsg1 The first message part.
1061	* @param pszMsg2 The second message part.
1062	*/
1063	static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1064	const char *pszMsg2)
1065	{
1066	return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
1067	}
1068
1069
1070	/**
1071	* Copies the error message to the error buffer and returns @a rc.
1072	*
1073	* @returns Returns @a rc
1074	* @param rc The return code.
1075	* @param pErrInfo The error info structure.
1076	* @param pszMsg The message.
1077	*/
1078	static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
1079	{
1080	return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
1081	}
1082
1083	#endif /* SOME_UNUSED_FUNCTION */
1084
1085	/**
1086	* Output from a successfull supR3HardenedVerifyPathSanity call.
1087	*/
1088	typedef struct SUPR3HARDENEDPATHINFO
1089	{
1090	/** The length of the path in szCopy. */
1091	uint16_t cch;
1092	/** The number of path components. */
1093	uint16_t cComponents;
1094	/** Set if the path ends with slash, indicating that it's a directory
1095	* reference and not a file reference. The slash has been removed from
1096	* the copy. */
1097	bool fDirSlash;
1098	/** The offset where each path component starts, i.e. the char after the
1099	* slash. The array has cComponents + 1 entries, where the final one is
1100	* cch + 1 so that one can always terminate the current component by
1101	* szPath[aoffComponent[i] - 1] = '\0'. */
1102	uint16_t aoffComponents[32+1];
1103	/** A normalized copy of the path.
1104	* Reserve some extra space so we can be more relaxed about overflow
1105	* checks and terminator paddings, especially when recursing. */
1106	char szPath[SUPR3HARDENED_MAX_PATH * 2];
1107	} SUPR3HARDENEDPATHINFO;
1108	/** Pointer to a parsed path. */
1109	typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
1110
1111
1112	/**
1113	* Verifies that the path is absolutely sane, it also parses the path.
1114	*
1115	* A sane path starts at the root (w/ drive letter on DOS derived systems) and
1116	* does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
1117	* Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
1118	* paths are not supported.
1119	*
1120	* @returns VBox status code.
1121	* @param pszPath The path to check.
1122	* @param pErrInfo The error info structure.
1123	* @param pInfo Where to return a copy of the path along with
1124	* parsing information.
1125	*/
1126	static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
1127	{
1128	const char *pszSrc = pszPath;
1129	char *pszDst = pInfo->szPath;
1130
1131	/*
1132	* Check that it's an absolute path and copy the volume/root specifier.
1133	*/
1134	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
1135	if ( !RT_C_IS_ALPHA(pszSrc[0])
1136	\|\| pszSrc[1] != ':'
1137	\|\| !RTPATH_IS_SLASH(pszSrc[2]))
1138	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1139
1140	*pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
1141	*pszDst++ = ':';
1142	*pszDst++ = RTPATH_SLASH;
1143	pszSrc += 3;
1144
1145	#else
1146	if (!RTPATH_IS_SLASH(pszSrc[0]))
1147	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1148
1149	*pszDst++ = RTPATH_SLASH;
1150	pszSrc += 1;
1151	#endif
1152
1153	/*
1154	* No path specifying the root or something very shortly thereafter will
1155	* be approved of.
1156	*/
1157	if (pszSrc[0] == '\0')
1158	return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
1159	if ( pszSrc[1] == '\0'
1160	\|\| pszSrc[2] == '\0')
1161	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
1162
1163	/*
1164	* Check each component. No parent references or double slashes.
1165	*/
1166	pInfo->cComponents = 0;
1167	pInfo->fDirSlash = false;
1168	while (pszSrc[0])
1169	{
1170	/* Sanity checks. */
1171	if (RTPATH_IS_SLASH(pszSrc[0])) /* can be relaxed if we care. */
1172	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
1173	"The path is not clean of double slashes: '", pszPath, "'");
1174	if ( pszSrc[0] == '.'
1175	&& pszSrc[1] == '.'
1176	&& RTPATH_IS_SLASH(pszSrc[2]))
1177	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
1178	"The path is not absolute: '", pszPath, "'");
1179
1180	/* Record the start of the component. */
1181	if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
1182	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
1183	"The path has too many components: '", pszPath, "'");
1184	pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
1185
1186	/* Traverse to the end of the component, copying it as we go along. */
1187	while (pszSrc[0])
1188	{
1189	if (RTPATH_IS_SLASH(pszSrc[0]))
1190	{
1191	pszSrc++;
1192	if (*pszSrc)
1193	*pszDst++ = RTPATH_SLASH;
1194	else
1195	pInfo->fDirSlash = true;
1196	break;
1197	}
1198	pszDst++ = pszSrc++;
1199	if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
1200	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1201	"The path is too long: '", pszPath, "'");
1202	}
1203	}
1204
1205	/* Terminate the string and enter its length. */
1206	pszDst[0] = '\0';
1207	pszDst[1] = '\0'; /* for aoffComponents */
1208	pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
1209	pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
1210
1211	return VINF_SUCCESS;
1212	}
1213
1214
1215	/**
1216	* The state information collected by supR3HardenedVerifyFsObject.
1217	*
1218	* This can be used to verify that a directory we've opened for enumeration is
1219	* the same as the one that supR3HardenedVerifyFsObject just verified. It can
1220	* equally be used to verify a native specfied by the user.
1221	*/
1222	typedef struct SUPR3HARDENEDFSOBJSTATE
1223	{
1224	#ifdef RT_OS_WINDOWS
1225	/** Not implemented for windows yet. */
1226	char chTodo;
1227	#else
1228	/** The stat output. */
1229	struct stat Stat;
1230	#endif
1231	} SUPR3HARDENEDFSOBJSTATE;
1232	/** Pointer to a file system object state. */
1233	typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1234	/** Pointer to a const file system object state. */
1235	typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1236
1237
1238	/**
1239	* Query information about a file system object by path.
1240	*
1241	* @returns VBox status code, error buffer filled on failure.
1242	* @param pszPath The path to the object.
1243	* @param pFsObjState Where to return the state information.
1244	* @param pErrInfo The error info structure.
1245	*/
1246	static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1247	{
1248	#if defined(RT_OS_WINDOWS)
1249	/** @todo Windows hardening. */
1250	pFsObjState->chTodo = 0;
1251	RT_NOREF2(pszPath, pErrInfo);
1252	return VINF_SUCCESS;
1253
1254	#else
1255	/*
1256	* Stat the object, do not follow links.
1257	*/
1258	if (lstat(pszPath, &pFsObjState->Stat) != 0)
1259	{
1260	/* Ignore access errors */
1261	if (errno != EACCES)
1262	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1263	5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1264	}
1265
1266	/*
1267	* Read ACLs.
1268	*/
1269	/** @todo */
1270
1271	return VINF_SUCCESS;
1272	#endif
1273	}
1274
1275
1276	/**
1277	* Query information about a file system object by native handle.
1278	*
1279	* @returns VBox status code, error buffer filled on failure.
1280	* @param hNative The native handle to the object @a pszPath
1281	* specifies and this should be verified to be the
1282	* same file system object.
1283	* @param pFsObjState Where to return the state information.
1284	* @param pszPath The path to the object. (For the error message
1285	* only.)
1286	* @param pErrInfo The error info structure.
1287	*/
1288	static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1289	char const *pszPath, PRTERRINFO pErrInfo)
1290	{
1291	#if defined(RT_OS_WINDOWS)
1292	/** @todo Windows hardening. */
1293	pFsObjState->chTodo = 0;
1294	RT_NOREF3(hNative, pszPath, pErrInfo);
1295	return VINF_SUCCESS;
1296
1297	#else
1298	/*
1299	* Stat the object, do not follow links.
1300	*/
1301	if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1302	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1303	5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1304
1305	/*
1306	* Read ACLs.
1307	*/
1308	/** @todo */
1309
1310	return VINF_SUCCESS;
1311	#endif
1312	}
1313
1314
1315	/**
1316	* Verifies that the file system object indicated by the native handle is the
1317	* same as the one @a pFsObjState indicates.
1318	*
1319	* @returns VBox status code, error buffer filled on failure.
1320	* @param pFsObjState1 File system object information/state by path.
1321	* @param pFsObjState2 File system object information/state by handle.
1322	* @param pszPath The path to the object @a pFsObjState
1323	* describes. (For the error message.)
1324	* @param pErrInfo The error info structure.
1325	*/
1326	static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1327	const char *pszPath, PRTERRINFO pErrInfo)
1328	{
1329	#if defined(RT_OS_WINDOWS)
1330	/** @todo Windows hardening. */
1331	RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1332	return VINF_SUCCESS;
1333
1334	#elif defined(RT_OS_OS2)
1335	RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1336	return VINF_SUCCESS;
1337
1338	#else
1339	/*
1340	* Compare the ino+dev, then the uid+gid and finally the important mode
1341	* bits. Technically the first one should be enough, but we're paranoid.
1342	*/
1343	if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1344	\|\| pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1345	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1346	"The native handle is not the same as '", pszPath, "' (ino/dev)");
1347	if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1348	\|\| pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1349	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1350	"The native handle is not the same as '", pszPath, "' (uid/gid)");
1351	if ( (pFsObjState1->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH))
1352	!= (pFsObjState2->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH)))
1353	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1354	"The native handle is not the same as '", pszPath, "' (mode)");
1355	return VINF_SUCCESS;
1356	#endif
1357	}
1358
1359
1360	/**
1361	* Verifies a file system object (file or directory).
1362	*
1363	* @returns VBox status code, error buffer filled on failure.
1364	* @param pFsObjState The file system object information/state to be
1365	* verified.
1366	* @param fDir Whether this is a directory or a file.
1367	* @param fRelaxed Whether we can be more relaxed about this
1368	* directory (only used for grand parent
1369	* directories).
1370	* @param pszPath The path to the object. For error messages and
1371	* securing a couple of hacks.
1372	* @param pErrInfo The error info structure.
1373	*/
1374	static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1375	const char *pszPath, PRTERRINFO pErrInfo)
1376	{
1377	#if defined(RT_OS_WINDOWS)
1378	/** @todo Windows hardening. */
1379	NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1380	return VINF_SUCCESS;
1381
1382	#elif defined(RT_OS_OS2)
1383	/* No hardening here - it's a single user system. */
1384	NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1385	return VINF_SUCCESS;
1386
1387	#else
1388	/*
1389	* The owner must be root.
1390	*
1391	* This can be extended to include predefined system users if necessary.
1392	*/
1393	if (pFsObjState->Stat.st_uid != 0)
1394	return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1395
1396	/*
1397	* The object type must be directory or file, no symbolic links or other
1398	* risky stuff (sorry dude, but we're paranoid on purpose here).
1399	*/
1400	if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1401	&& !S_ISREG(pFsObjState->Stat.st_mode))
1402	{
1403	if (S_ISLNK(pFsObjState->Stat.st_mode))
1404	return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1405	"Symlinks are not permitted: '", pszPath, "'");
1406	return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1407	"Not regular file or directory: '", pszPath, "'");
1408	}
1409	if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1410	{
1411	if (S_ISDIR(pFsObjState->Stat.st_mode))
1412	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1413	"Expected file but found directory: '", pszPath, "'");
1414	return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1415	"Expected directory but found file: '", pszPath, "'");
1416	}
1417
1418	/*
1419	* The group does not matter if it does not have write access, if it has
1420	* write access it must be group 0 (root/wheel/whatever).
1421	*
1422	* This can be extended to include predefined system groups or groups that
1423	* only root is member of.
1424	*/
1425	if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1426	&& pFsObjState->Stat.st_gid != 0)
1427	{
1428	#ifdef RT_OS_DARWIN
1429	/* HACK ALERT: On Darwin /Applications is root:admin with admin having
1430	full access. So, to work around we relax the hardening a bit and
1431	permit grand parents and beyond to be group writable by admin. */
1432	/** @todo dynamically resolve the admin group? */
1433	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 80 /admin/ \|\| suplibHardenedStrCmp(pszPath, "/Applications");
1434
1435	#elif defined(RT_OS_FREEBSD)
1436	/* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1437	similar to /Applications on OS X (see above).
1438	On FreeBSD root is normally the only member of this group, on
1439	PC-BSD the default user is a member. */
1440	/** @todo dynamically resolve the operator group? */
1441	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 5 /operator/ \|\| suplibHardenedStrCmp(pszPath, "/usr/pbi");
1442	NOREF(fRelaxed);
1443	#else
1444	NOREF(fRelaxed);
1445	bool fBad = true;
1446	#endif
1447	if (fBad)
1448	return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1449	"An unknown (and thus untrusted) group has write access to '", pszPath,
1450	"' and we therefore cannot trust the directory content or that of any subdirectory");
1451	}
1452
1453	/*
1454	* World must not have write access. There is no relaxing this rule.
1455	*/
1456	if (pFsObjState->Stat.st_mode & S_IWOTH)
1457	return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1458	"World writable: '", pszPath, "'");
1459
1460	/*
1461	* Check the ACLs.
1462	*/
1463	/** @todo */
1464
1465	return VINF_SUCCESS;
1466	#endif
1467	}
1468
1469
1470	/**
1471	* Verifies that the file system object indicated by the native handle is the
1472	* same as the one @a pFsObjState indicates.
1473	*
1474	* @returns VBox status code, error buffer filled on failure.
1475	* @param hNative The native handle to the object @a pszPath
1476	* specifies and this should be verified to be the
1477	* same file system object.
1478	* @param pFsObjState The information/state returned by a previous
1479	* query call.
1480	* @param pszPath The path to the object @a pFsObjState
1481	* describes. (For the error message.)
1482	* @param pErrInfo The error info structure.
1483	*/
1484	static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1485	const char *pszPath, PRTERRINFO pErrInfo)
1486	{
1487	SUPR3HARDENEDFSOBJSTATE FsObjState2;
1488	int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1489	if (RT_SUCCESS(rc))
1490	rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1491	return rc;
1492	}
1493
1494
1495	/**
1496	* Does the recursive directory enumeration.
1497	*
1498	* @returns VBox status code, error buffer filled on failure.
1499	* @param pszDirPath The path buffer containing the subdirectory to
1500	* enumerate followed by a slash (this is never
1501	* the root slash). The buffer is RTPATH_MAX in
1502	* size and anything starting at @a cchDirPath
1503	* - 1 and beyond is scratch space.
1504	* @param cchDirPath The length of the directory path + slash.
1505	* @param pFsObjState Pointer to the file system object state buffer.
1506	* On input this will hold the stats for
1507	* the directory @a pszDirPath indicates and will
1508	* be used to verified that we're opening the same
1509	* thing.
1510	* @param fRecursive Whether to recurse into subdirectories.
1511	* @param pErrInfo The error info structure.
1512	*/
1513	static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1514	bool fRecursive, PRTERRINFO pErrInfo)
1515	{
1516	#if defined(RT_OS_WINDOWS)
1517	/** @todo Windows hardening. */
1518	RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1519	return VINF_SUCCESS;
1520
1521	#elif defined(RT_OS_OS2)
1522	/* No hardening here - it's a single user system. */
1523	RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1524	return VINF_SUCCESS;
1525
1526	#else
1527	/*
1528	* Open the directory. Now, we could probably eliminate opendir here
1529	* and go down on kernel API level (open + getdents for instance), however
1530	* that's not very portable and hopefully not necessary.
1531	*/
1532	DIR *pDir = opendir(pszDirPath);
1533	if (!pDir)
1534	{
1535	/* Ignore access errors. */
1536	if (errno == EACCES)
1537	return VINF_SUCCESS;
1538	return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1539	5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1540	}
1541	if (dirfd(pDir) != -1)
1542	{
1543	int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1544	if (RT_FAILURE(rc))
1545	{
1546	closedir(pDir);
1547	return rc;
1548	}
1549	}
1550
1551	/*
1552	* Enumerate the directory, check all the requested bits.
1553	*/
1554	int rc = VINF_SUCCESS;
1555	for (;;)
1556	{
1557	pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1558
1559	struct dirent Entry;
1560	struct dirent *pEntry;
1561	int iErr = readdir_r(pDir, &Entry, &pEntry);
1562	if (iErr)
1563	{
1564	rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1565	5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1566	break;
1567	}
1568	if (!pEntry)
1569	break;
1570
1571	/*
1572	* Check the length and copy it into the path buffer so it can be
1573	* stat()'ed.
1574	*/
1575	size_t cchName = suplibHardenedStrLen(pEntry->d_name);
1576	if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1577	{
1578	rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1579	4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1580	break;
1581	}
1582	suplibHardenedMemCopy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1583
1584	/*
1585	* Query the information about the entry and verify it.
1586	* (We don't bother skipping '.' and '..' at this point, a little bit
1587	* of extra checks doesn't hurt and neither requires relaxed handling.)
1588	*/
1589	rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1590	if (RT_SUCCESS(rc))
1591	break;
1592	rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /fRelaxed/,
1593	pszDirPath, pErrInfo);
1594	if (RT_FAILURE(rc))
1595	break;
1596
1597	/*
1598	* Recurse into subdirectories if requested.
1599	*/
1600	if ( fRecursive
1601	&& S_ISDIR(pFsObjState->Stat.st_mode)
1602	&& suplibHardenedStrCmp(pEntry->d_name, ".")
1603	&& suplibHardenedStrCmp(pEntry->d_name, ".."))
1604	{
1605	pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1606	pszDirPath[cchDirPath + cchName + 1] = '\0';
1607
1608	rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1609	fRecursive, pErrInfo);
1610	if (RT_FAILURE(rc))
1611	break;
1612	}
1613	}
1614
1615	closedir(pDir);
1616	return VINF_SUCCESS;
1617	#endif
1618	}
1619
1620
1621	/**
1622	* Worker for SUPR3HardenedVerifyDir.
1623	*
1624	* @returns See SUPR3HardenedVerifyDir.
1625	* @param pszDirPath See SUPR3HardenedVerifyDir.
1626	* @param fRecursive See SUPR3HardenedVerifyDir.
1627	* @param fCheckFiles See SUPR3HardenedVerifyDir.
1628	* @param pErrInfo See SUPR3HardenedVerifyDir.
1629	*/
1630	DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1631	{
1632	/*
1633	* Validate the input path and parse it.
1634	*/
1635	SUPR3HARDENEDPATHINFO Info;
1636	int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1637	if (RT_FAILURE(rc))
1638	return rc;
1639
1640	/*
1641	* Verify each component from the root up.
1642	*/
1643	SUPR3HARDENEDFSOBJSTATE FsObjState;
1644	uint32_t const cComponents = Info.cComponents;
1645	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1646	{
1647	bool fRelaxed = iComponent + 2 < cComponents;
1648	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1649	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1650	if (RT_SUCCESS(rc))
1651	rc = supR3HardenedVerifyFsObject(&FsObjState, true /fDir/, fRelaxed, Info.szPath, pErrInfo);
1652	if (RT_FAILURE(rc))
1653	return rc;
1654	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1655	}
1656
1657	/*
1658	* Check files and subdirectories if requested.
1659	*/
1660	if (fCheckFiles \|\| fRecursive)
1661	{
1662	Info.szPath[Info.cch] = RTPATH_SLASH;
1663	Info.szPath[Info.cch + 1] = '\0';
1664	return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1665	fRecursive, pErrInfo);
1666	}
1667
1668	return VINF_SUCCESS;
1669	}
1670
1671
1672	/**
1673	* Verfies a file.
1674	*
1675	* @returns VBox status code, error buffer filled on failure.
1676	* @param pszFilename The file to verify.
1677	* @param hNativeFile Handle to the file, verify that it's the same
1678	* as we ended up with when verifying the path.
1679	* RTHCUINTPTR_MAX means NIL here.
1680	* @param fMaybe3rdParty Set if the file is could be a supplied by a
1681	* third party. Different validation rules may
1682	* apply to 3rd party code on some platforms.
1683	* @param pErrInfo Where to return extended error information.
1684	* Optional.
1685	*/
1686	DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
1687	bool fMaybe3rdParty, PRTERRINFO pErrInfo)
1688	{
1689	/*
1690	* Validate the input path and parse it.
1691	*/
1692	SUPR3HARDENEDPATHINFO Info;
1693	int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1694	if (RT_FAILURE(rc))
1695	return rc;
1696	if (Info.fDirSlash)
1697	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1698	"The file path specifies a directory: '", pszFilename, "'");
1699
1700	/*
1701	* Verify each component from the root up.
1702	*/
1703	SUPR3HARDENEDFSOBJSTATE FsObjState;
1704	uint32_t const cComponents = Info.cComponents;
1705	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1706	{
1707	bool fFinal = iComponent + 1 == cComponents;
1708	bool fRelaxed = iComponent + 2 < cComponents;
1709	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1710	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1711	if (RT_SUCCESS(rc))
1712	rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /fDir/, fRelaxed, Info.szPath, pErrInfo);
1713	if (RT_FAILURE(rc))
1714	return rc;
1715	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1716	}
1717
1718	/*
1719	* Verify the file handle against the last component, if specified.
1720	*/
1721	if (hNativeFile != RTHCUINTPTR_MAX)
1722	{
1723	rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1724	if (RT_FAILURE(rc))
1725	return rc;
1726	}
1727
1728	#ifdef RT_OS_WINDOWS
1729	/*
1730	* The files shall be signed on windows, verify that.
1731	*/
1732	rc = VINF_SUCCESS;
1733	HANDLE hVerify;
1734	if (hNativeFile == RTHCUINTPTR_MAX)
1735	{
1736	PRTUTF16 pwszPath;
1737	rc = RTStrToUtf16(pszFilename, &pwszPath);
1738	if (RT_SUCCESS(rc))
1739	{
1740	hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1741	RTUtf16Free(pwszPath);
1742	}
1743	else
1744	{
1745	rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
1746	hVerify = INVALID_HANDLE_VALUE;
1747	}
1748	}
1749	else
1750	{
1751	NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
1752	GENERIC_READ, 0 /HandleAttributes/, 0 /Options/);
1753	if (!NT_SUCCESS(rcNt))
1754	hVerify = INVALID_HANDLE_VALUE;
1755	}
1756	if (hVerify != INVALID_HANDLE_VALUE)
1757	{
1758	# ifdef VBOX_WITH_HARDENING
1759	uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
1760	if (!fMaybe3rdParty)
1761	fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
1762	const char *pszSuffix = RTPathSuffix(pszFilename);
1763	if ( pszSuffix
1764	&& pszSuffix[0] == '.'
1765	&& ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
1766	\|\| RT_C_TO_LOWER(pszSuffix[1]) == 'g')
1767	&& RT_C_TO_LOWER(pszSuffix[2]) == 'c'
1768	&& pszSuffix[3] == '\0' )
1769	fFlags \|= SUPHNTVI_F_RC_IMAGE;
1770	# ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
1771	rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
1772	# endif
1773	# else
1774	RT_NOREF1(fMaybe3rdParty);
1775	# endif
1776	NtClose(hVerify);
1777	}
1778	else if (RT_SUCCESS(rc))
1779	rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
1780	"Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
1781	if (RT_FAILURE(rc))
1782	return rc;
1783	#else
1784	RT_NOREF1(fMaybe3rdParty);
1785	#endif
1786
1787	return VINF_SUCCESS;
1788	}
1789
1790
1791	/**
1792	* Gets the pre-init data for the hand-over to the other version
1793	* of this code.
1794	*
1795	* The reason why we pass this information on is that it contains
1796	* open directories and files. Later it may include even more info
1797	* (int the verified arrays mostly).
1798	*
1799	* The receiver is supR3HardenedRecvPreInitData.
1800	*
1801	* @param pPreInitData Where to store it.
1802	*/
1803	DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
1804	{
1805	pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
1806	pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
1807	pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
1808
1809	pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
1810	pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
1811	}
1812
1813
1814	/**
1815	* Receives the pre-init data from the static executable stub.
1816	*
1817	* @returns VBox status code. Will not bitch on failure since the
1818	* runtime isn't ready for it, so that is left to the exe stub.
1819	*
1820	* @param pPreInitData The hand-over data.
1821	*/
1822	DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
1823	{
1824	/*
1825	* Compare the array lengths and the contents of g_aSupInstallFiles.
1826	*/
1827	if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
1828	\|\| pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
1829	return VERR_VERSION_MISMATCH;
1830	SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
1831	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
1832	if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
1833	\|\| g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
1834	\|\| g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
1835	\|\| suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
1836	return VERR_VERSION_MISMATCH;
1837
1838	/*
1839	* Check that we're not called out of order.
1840	* If dynamic linking it screwed up, we may end up here.
1841	*/
1842	if ( !ASMMemIsZero(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles))
1843	\|\| !ASMMemIsZero(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs)))
1844	return VERR_WRONG_ORDER;
1845
1846	/*
1847	* Copy the verification data over.
1848	*/
1849	suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
1850	suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
1851	return VINF_SUCCESS;
1852	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 62691

Download in other formats: