SUPR3HardenedVerify.cpp@ 49736

Last change on this file since 49736 was 49211, checked in by vboxsync, 11 years ago
SUP: some minor improvements.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 59.4 KB

Line
1	/* $Id: SUPR3HardenedVerify.cpp 49211 2013-10-21 14:22:52Z vboxsync $ */
2	/** @file
3	* VirtualBox Support Library - Verification of Hardened Installation.
4	*/
5
6	/*
7	* Copyright (C) 2006-2013 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27	/*******************************************************************************
28	* Header Files *
29	*******************************************************************************/
30	#if defined(RT_OS_OS2)
31	# define INCL_BASE
32	# define INCL_ERRORS
33	# include <os2.h>
34	# include <stdio.h>
35	# include <stdlib.h>
36	# include <unistd.h>
37	# include <sys/fcntl.h>
38	# include <sys/errno.h>
39	# include <sys/syslimits.h>
40
41	#elif defined(RT_OS_WINDOWS)
42	# include <Windows.h>
43	# ifndef IN_SUP_HARDENED_R3
44	# include <stdio.h>
45	# endif
46
47	#else /* UNIXes */
48	# include <sys/types.h>
49	# include <stdio.h>
50	# include <stdlib.h>
51	# include <dirent.h>
52	# include <dlfcn.h>
53	# include <fcntl.h>
54	# include <limits.h>
55	# include <errno.h>
56	# include <unistd.h>
57	# include <sys/stat.h>
58	# include <sys/time.h>
59	# include <sys/fcntl.h>
60	# include <pwd.h>
61	# ifdef RT_OS_DARWIN
62	# include <mach-o/dyld.h>
63	# endif
64
65	#endif
66
67	#include <VBox/sup.h>
68	#include <VBox/err.h>
69	#include <iprt/asm.h>
70	#include <iprt/ctype.h>
71	#include <iprt/param.h>
72	#include <iprt/path.h>
73	#include <iprt/string.h>
74
75	#include "SUPLibInternal.h"
76
77
78	/*******************************************************************************
79	* Defined Constants And Macros *
80	*******************************************************************************/
81	/** The max path length acceptable for a trusted path. */
82	#define SUPR3HARDENED_MAX_PATH 260U
83
84	#ifdef RT_OS_SOLARIS
85	# define dirfd(d) ((d)->d_fd)
86	#endif
87
88
89	/*******************************************************************************
90	* Global Variables *
91	*******************************************************************************/
92	/**
93	* The files that gets verified.
94	*
95	* @todo This needs reviewing against the linux packages.
96	* @todo The excessive use of kSupID_SharedLib needs to be reviewed at some point. For
97	* the time being we're building the linux packages with SharedLib pointing to
98	* AppPrivArch (lazy bird).
99	*/
100	static SUPINSTFILE const g_aSupInstallFiles[] =
101	{
102	/* type, dir, fOpt, "pszFile" */
103	/* ---------------------------------------------------------------------- */
104	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
105	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
106	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
107
108	#ifdef VBOX_WITH_RAW_MODE
109	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMGC.gc" },
110	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDGC.gc" },
111	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2GC.gc" },
112	#endif
113
114	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
115	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
116	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
117	#if HC_ARCH_BITS == 32
118	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
119	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
120	#endif
121	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
122	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
123	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
124
125	//#ifdef VBOX_WITH_DEBUGGER_GUI
126	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
127	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
128	//#endif
129
130	//#ifdef VBOX_WITH_SHARED_CLIPBOARD
131	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
132	//#endif
133	//#ifdef VBOX_WITH_SHARED_FOLDERS
134	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
135	//#endif
136	//#ifdef VBOX_WITH_DRAG_AND_DROP
137	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
138	//#endif
139	//#ifdef VBOX_WITH_GUEST_PROPS
140	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
141	//#endif
142	//#ifdef VBOX_WITH_GUEST_CONTROL
143	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
144	//#endif
145	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
146	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
147	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
148	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
149	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
150
151	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
152
153	#ifdef VBOX_WITH_MAIN
154	{ kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
155	#ifdef RT_OS_WINDOWS
156	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
157	#else
158	{ kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
159	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
160	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
161	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
162	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
163	{ kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
164	#endif
165	#endif
166
167	{ kSupIFT_Dll, kSupID_SharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
168	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
169	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
170
171	//#ifdef VBOX_WITH_HEADLESS
172	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
173	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
174	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
175	//#endif
176
177	//#ifdef VBOX_WITH_QTGUI
178	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
179	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
180	# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
181	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
182	# endif
183	//#endif
184
185	//#ifdef VBOX_WITH_VBOXSDL
186	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
187	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
188	//#endif
189
190	//#ifdef VBOX_WITH_WEBSERVICES
191	{ kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
192	//#endif
193
194	#ifdef RT_OS_LINUX
195	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
196	#endif
197
198	//#ifdef VBOX_WITH_NETFLT
199	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
200	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
201	//#endif
202
203	//#ifdef VBOX_WITH_LWIP_NAT
204	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
205	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
206	//#endif
207	};
208
209
210	/** Array parallel to g_aSupInstallFiles containing per-file status info. */
211	static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
212
213	/** Array index by install directory specifier containing info about verified directories. */
214	static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
215
216
217	/**
218	* Assembles the path to a directory.
219	*
220	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
221	* decides whether it returns or not).
222	*
223	* @param enmDir The directory.
224	* @param pszDst Where to assemble the path.
225	* @param cchDst The size of the buffer.
226	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
227	*/
228	static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
229	{
230	int rc;
231	switch (enmDir)
232	{
233	case kSupID_AppBin: /** @todo fix this AppBin crap (uncertain wtf some binaries actually are installed). */
234	case kSupID_Bin:
235	rc = supR3HardenedPathExecDir(pszDst, cchDst);
236	break;
237	case kSupID_SharedLib:
238	rc = supR3HardenedPathSharedLibs(pszDst, cchDst);
239	break;
240	case kSupID_AppPrivArch:
241	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
242	break;
243	case kSupID_AppPrivArchComp:
244	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
245	if (RT_SUCCESS(rc))
246	{
247	size_t off = suplibHardenedStrLen(pszDst);
248	if (cchDst - off >= sizeof("/components"))
249	suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
250	else
251	rc = VERR_BUFFER_OVERFLOW;
252	}
253	break;
254	case kSupID_AppPrivNoArch:
255	rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
256	break;
257	default:
258	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
259	"supR3HardenedMakePath: enmDir=%d\n", enmDir);
260	}
261	if (RT_FAILURE(rc))
262	supR3HardenedError(rc, fFatal,
263	"supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
264	return rc;
265	}
266
267
268
269	/**
270	* Assembles the path to a file table entry, with or without the actual filename.
271	*
272	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
273	* decides whether it returns or not).
274	*
275	* @param pFile The file table entry.
276	* @param pszDst Where to assemble the path.
277	* @param cchDst The size of the buffer.
278	* @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
279	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
280	*/
281	static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
282	{
283	/*
284	* Combine supR3HardenedMakePath and the filename.
285	*/
286	int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
287	if (RT_SUCCESS(rc) && fWithFilename)
288	{
289	size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
290	size_t off = suplibHardenedStrLen(pszDst);
291	if (cchDst - off >= cchFile + 2)
292	{
293	pszDst[off++] = '/';
294	suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
295	}
296	else
297	rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
298	"supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
299	pFile->pszFile, (long)off);
300	}
301	return rc;
302	}
303
304
305	/**
306	* Verifies a directory.
307	*
308	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
309	* fFatal is clear and if it's set the function wont return.
310	* @param enmDir The directory specifier.
311	* @param fFatal Whether validation failures should be treated as
312	* fatal (true) or not (false).
313	*/
314	DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
315	{
316	/*
317	* Validate the index just to be on the safe side...
318	*/
319	if (enmDir <= kSupID_Invalid \|\| enmDir >= kSupID_End)
320	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
321	"supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
322
323	/*
324	* Already validated?
325	*/
326	if (g_aSupVerifiedDirs[enmDir].fValidated)
327	return VINF_SUCCESS; /** @todo revalidate? */
328
329	/* initialize the entry. */
330	if (g_aSupVerifiedDirs[enmDir].hDir != 0)
331	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
332	"supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
333	(void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
334	g_aSupVerifiedDirs[enmDir].hDir = -1;
335	g_aSupVerifiedDirs[enmDir].fValidated = false;
336
337	/*
338	* Make the path and open the directory.
339	*/
340	char szPath[RTPATH_MAX];
341	int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
342	if (RT_SUCCESS(rc))
343	{
344	#if defined(RT_OS_WINDOWS)
345	HANDLE hDir = CreateFile(szPath,
346	GENERIC_READ,
347	FILE_SHARE_READ \| FILE_SHARE_DELETE \| FILE_SHARE_WRITE,
348	NULL,
349	OPEN_ALWAYS,
350	FILE_ATTRIBUTE_NORMAL \| FILE_FLAG_BACKUP_SEMANTICS,
351	NULL);
352	if (hDir != INVALID_HANDLE_VALUE)
353	{
354	/** @todo check the type */
355	/* That's all on windows, for now at least... */
356	g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
357	g_aSupVerifiedDirs[enmDir].fValidated = true;
358	}
359	else
360	{
361	int err = GetLastError();
362	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
363	"supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
364	szPath, err);
365	}
366	#else /* UNIXY */
367	int fd = open(szPath, O_RDONLY, 0);
368	if (fd >= 0)
369	{
370	/*
371	* On unixy systems we'll make sure the directory is owned by root
372	* and not writable by the group and user.
373	*/
374	struct stat st;
375	if (!fstat(fd, &st))
376	{
377
378	if ( st.st_uid == 0
379	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
380	&& S_ISDIR(st.st_mode))
381	{
382	g_aSupVerifiedDirs[enmDir].hDir = fd;
383	g_aSupVerifiedDirs[enmDir].fValidated = true;
384	}
385	else
386	{
387	if (!S_ISDIR(st.st_mode))
388	rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
389	"supR3HardenedVerifyDir: \"%s\" is not a directory\n",
390	szPath, (long)st.st_uid);
391	else if (st.st_uid)
392	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
393	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
394	szPath, (long)st.st_uid);
395	else
396	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
397	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
398	szPath, (long)st.st_mode);
399	close(fd);
400	}
401	}
402	else
403	{
404	int err = errno;
405	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
406	"supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
407	szPath, strerror(err), err);
408	close(fd);
409	}
410	}
411	else
412	{
413	int err = errno;
414	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
415	"supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
416	szPath, strerror(err), err);
417	}
418	#endif /* UNIXY */
419	}
420
421	return rc;
422	}
423
424
425	/**
426	* Verifies a file entry.
427	*
428	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
429	* fFatal is clear and if it's set the function wont return.
430	*
431	* @param iFile The file table index of the file to be verified.
432	* @param fFatal Whether validation failures should be treated as
433	* fatal (true) or not (false).
434	* @param fLeaveFileOpen Whether the file should be left open.
435	*/
436	static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen)
437	{
438	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
439	PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
440
441	/*
442	* Already done?
443	*/
444	if (pVerified->fValidated)
445	return VINF_SUCCESS; /** @todo revalidate? */
446
447
448	/* initialize the entry. */
449	if (pVerified->hFile != 0)
450	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
451	"supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
452	(void *)pVerified->hFile, pFile->pszFile);
453	pVerified->hFile = -1;
454	pVerified->fValidated = false;
455
456	/*
457	* Verify the directory then proceed to open it.
458	* (This'll make sure the directory is opened and that we can (later)
459	* use openat if we wish.)
460	*/
461	int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
462	if (RT_SUCCESS(rc))
463	{
464	char szPath[RTPATH_MAX];
465	rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /fWithFilename/, fFatal);
466	if (RT_SUCCESS(rc))
467	{
468	#if defined(RT_OS_WINDOWS)
469	HANDLE hFile = CreateFile(szPath,
470	GENERIC_READ,
471	FILE_SHARE_READ,
472	NULL,
473	OPEN_ALWAYS,
474	FILE_ATTRIBUTE_NORMAL,
475	NULL);
476	if (hFile != INVALID_HANDLE_VALUE)
477	{
478	/** @todo Check the type, and verify the signature (separate function so we can skip it). */
479	{
480	/* it's valid. */
481	if (fLeaveFileOpen)
482	pVerified->hFile = (intptr_t)hFile;
483	else
484	CloseHandle(hFile);
485	pVerified->fValidated = true;
486	}
487	}
488	else
489	{
490	int err = GetLastError();
491	if (!pFile->fOptional \|\| err != ERROR_FILE_NOT_FOUND)
492	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
493	"supR3HardenedVerifyFileInternal: Failed to open \"%s\": err=%d\n",
494	szPath, err);
495	}
496	#else /* UNIXY */
497	int fd = open(szPath, O_RDONLY, 0);
498	if (fd >= 0)
499	{
500	/*
501	* On unixy systems we'll make sure the directory is owned by root
502	* and not writable by the group and user.
503	*/
504	struct stat st;
505	if (!fstat(fd, &st))
506	{
507	if ( st.st_uid == 0
508	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
509	&& S_ISREG(st.st_mode))
510	{
511	/* it's valid. */
512	if (fLeaveFileOpen)
513	pVerified->hFile = fd;
514	else
515	close(fd);
516	pVerified->fValidated = true;
517	}
518	else
519	{
520	if (!S_ISREG(st.st_mode))
521	rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
522	"supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
523	szPath, (long)st.st_uid);
524	else if (st.st_uid)
525	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
526	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
527	szPath, (long)st.st_uid);
528	else
529	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
530	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
531	szPath, (long)st.st_mode);
532	close(fd);
533	}
534	}
535	else
536	{
537	int err = errno;
538	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
539	"supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
540	szPath, strerror(err), err);
541	close(fd);
542	}
543	}
544	else
545	{
546	int err = errno;
547	if (!pFile->fOptional \|\| err != ENOENT)
548	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
549	"supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
550	szPath, strerror(err), err);
551	}
552	#endif /* UNIXY */
553	}
554	}
555
556	return rc;
557	}
558
559
560	/**
561	* Verifies that the specified table entry matches the given filename.
562	*
563	* @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
564	* error is returned or we terminate the application.
565	*
566	* @param iFile The file table index.
567	* @param pszFilename The filename.
568	* @param fFatal Whether validation failures should be treated as
569	* fatal (true) or not (false).
570	*/
571	static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
572	{
573	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
574
575	/*
576	* Construct the full path for the file table entry
577	* and compare it with the specified file.
578	*/
579	char szName[RTPATH_MAX];
580	int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
581	if (RT_FAILURE(rc))
582	return rc;
583	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
584	if (suplibHardenedStrICmp(szName, pszFilename))
585	#else
586	if (suplibHardenedStrCmp(szName, pszFilename))
587	#endif
588	{
589	/*
590	* Normalize the two paths and compare again.
591	*/
592	rc = VERR_NOT_SAME_DEVICE;
593	#if defined(RT_OS_WINDOWS)
594	LPSTR pszIgnored;
595	char szName2[RTPATH_MAX];
596	if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
597	&& GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
598	if (!suplibHardenedStrICmp(szName2, szName))
599	rc = VINF_SUCCESS;
600	#else
601	AssertCompile(RTPATH_MAX >= PATH_MAX);
602	char szName2[RTPATH_MAX];
603	if ( realpath(szName, szName2) != NULL
604	&& realpath(pszFilename, szName) != NULL)
605	if (!suplibHardenedStrCmp(szName2, szName))
606	rc = VINF_SUCCESS;
607	#endif
608
609	if (RT_FAILURE(rc))
610	{
611	supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
612	return supR3HardenedError(rc, fFatal,
613	"supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
614	pszFilename, szName);
615	}
616	}
617
618	/*
619	* Check more stuff like the stat info if it's an already open file?
620	*/
621
622
623
624	return VINF_SUCCESS;
625	}
626
627
628	/**
629	* Verifies a file.
630	*
631	* @returns VINF_SUCCESS on success.
632	* VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
633	* On verification failure, an error code will be returned when fFatal is clear,
634	* otherwise the program will be terminated.
635	*
636	* @param pszFilename The filename.
637	* @param fFatal Whether validation failures should be treated as
638	* fatal (true) or not (false).
639	*/
640	DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
641	{
642	/*
643	* Lookup the file and check if it's the same file.
644	*/
645	const char *pszName = supR3HardenedPathFilename(pszFilename);
646	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
647	if (!suplibHardenedStrCmp(pszName, g_aSupInstallFiles[iFile].pszFile))
648	{
649	int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
650	if (RT_SUCCESS(rc))
651	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen */);
652	return rc;
653	}
654
655	return VERR_NOT_FOUND;
656	}
657
658
659	/**
660	* Verifies a program, worker for supR3HardenedVerifyAll.
661	*
662	* @returns See supR3HardenedVerifyAll.
663	* @param pszProgName See supR3HardenedVerifyAll.
664	* @param fFatal See supR3HardenedVerifyAll.
665	*/
666	static int supR3HardenedVerifyProgram(const char *pszProgName, bool fFatal)
667	{
668	/*
669	* Search the table looking for the executable and the DLL/DYLIB/SO.
670	*/
671	int rc = VINF_SUCCESS;
672	bool fExe = false;
673	bool fDll = false;
674	size_t const cchProgName = suplibHardenedStrLen(pszProgName);
675	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
676	if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgName))
677	{
678	if ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
679	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_DLL_SUFF))
680	{
681	/* This only has to be found (once). */
682	if (fDll)
683	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
684	"supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
685	fDll = true;
686	}
687	else if ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
688	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_EXE_SUFF))
689	{
690	/* Here we'll have to check that the specific program is the same as the entry. */
691	if (fExe)
692	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
693	"supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
694	fExe = true;
695
696	char szFilename[RTPATH_MAX];
697	int rc2 = supR3HardenedPathExecDir(szFilename, sizeof(szFilename) - cchProgName - sizeof(SUPLIB_EXE_SUFF));
698	if (RT_SUCCESS(rc2))
699	{
700	suplibHardenedStrCat(szFilename, "/");
701	suplibHardenedStrCat(szFilename, g_aSupInstallFiles[iFile].pszFile);
702	supR3HardenedVerifySameFile(iFile, szFilename, fFatal);
703	}
704	else
705	rc = supR3HardenedError(rc2, fFatal,
706	"supR3HardenedVerifyProgram: failed to query program path: rc=%d\n", rc2);
707	}
708	}
709
710	/*
711	* Check the findings.
712	*/
713	if (!fDll && !fExe)
714	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
715	"supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
716	else if (!fExe)
717	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
718	"supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
719	else if (!fDll)
720	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
721	"supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
722	return rc;
723	}
724
725
726	/**
727	* Verifies all the known files.
728	*
729	* @returns VINF_SUCCESS on success.
730	* On verification failure, an error code will be returned when fFatal is clear,
731	* otherwise the program will be terminated.
732	*
733	* @param fFatal Whether validation failures should be treated as
734	* fatal (true) or not (false).
735	* @param fLeaveFilesOpen If set, all the verified files are left open.
736	* @param pszProgName Optional program name. This is used by SUPR3HardenedMain
737	* to verify that both the executable and corresponding
738	* DLL/DYLIB/SO are valid.
739	*/
740	DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, bool fLeaveFilesOpen, const char *pszProgName)
741	{
742	/*
743	* The verify all the files.
744	*/
745	int rc = VINF_SUCCESS;
746	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
747	{
748	int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveFilesOpen);
749	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
750	rc = rc2;
751	}
752
753	/*
754	* Verify the program name if specified, that is to say, just check that
755	* it's in the table (=> we've already verified it).
756	*/
757	if (pszProgName)
758	{
759	int rc2 = supR3HardenedVerifyProgram(pszProgName, fFatal);
760	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
761	rc2 = rc;
762	}
763
764	return rc;
765	}
766
767
768	/**
769	* Copies the N messages into the error buffer and returns @a rc.
770	*
771	* @returns Returns @a rc
772	* @param rc The return code.
773	* @param pErrInfo The error info structure.
774	* @param cMsgs The number of messages in the ellipsis.
775	* @param ... Message parts.
776	*/
777	static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
778	{
779	if (pErrInfo)
780	{
781	size_t cbErr = pErrInfo->cbMsg;
782	char *pszErr = pErrInfo->pszMsg;
783
784	va_list va;
785	va_start(va, cMsgs);
786	while (cMsgs-- > 0 && cbErr > 0)
787	{
788	const char pszMsg = va_arg(va, const char );
789	size_t cchMsg = VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
790	if (cchMsg >= cbErr)
791	cchMsg = cbErr - 1;
792	suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
793	pszErr[cchMsg] = '\0';
794	pszErr += cchMsg;
795	cbErr -= cchMsg;
796	}
797	va_end(va);
798
799	pErrInfo->rc = rc;
800	pErrInfo->fFlags \|= RTERRINFO_FLAGS_SET;
801	}
802
803	return rc;
804	}
805
806
807	/**
808	* Copies the three messages into the error buffer and returns @a rc.
809	*
810	* @returns Returns @a rc
811	* @param rc The return code.
812	* @param pErrInfo The error info structure.
813	* @param pszMsg1 The first message part.
814	* @param pszMsg2 The second message part.
815	* @param pszMsg3 The third message part.
816	*/
817	static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
818	const char pszMsg2, const char pszMsg3)
819	{
820	return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
821	}
822
823	#ifdef SOME_UNUSED_FUNCTION
824
825	/**
826	* Copies the two messages into the error buffer and returns @a rc.
827	*
828	* @returns Returns @a rc
829	* @param rc The return code.
830	* @param pErrInfo The error info structure.
831	* @param pszMsg1 The first message part.
832	* @param pszMsg2 The second message part.
833	*/
834	static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
835	const char *pszMsg2)
836	{
837	return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
838	}
839
840
841	/**
842	* Copies the error message to the error buffer and returns @a rc.
843	*
844	* @returns Returns @a rc
845	* @param rc The return code.
846	* @param pErrInfo The error info structure.
847	* @param pszMsg The message.
848	*/
849	static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
850	{
851	return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
852	}
853
854	#endif /* SOME_UNUSED_FUNCTION */
855
856	/**
857	* Output from a successfull supR3HardenedVerifyPathSanity call.
858	*/
859	typedef struct SUPR3HARDENEDPATHINFO
860	{
861	/** The length of the path in szCopy. */
862	uint16_t cch;
863	/** The number of path components. */
864	uint16_t cComponents;
865	/** Set if the path ends with slash, indicating that it's a directory
866	* reference and not a file reference. The slash has been removed from
867	* the copy. */
868	bool fDirSlash;
869	/** The offset where each path component starts, i.e. the char after the
870	* slash. The array has cComponents + 1 entries, where the final one is
871	* cch + 1 so that one can always terminate the current component by
872	* szPath[aoffComponent[i] - 1] = '\0'. */
873	uint16_t aoffComponents[32+1];
874	/** A normalized copy of the path.
875	* Reserve some extra space so we can be more relaxed about overflow
876	* checks and terminator paddings, especially when recursing. */
877	char szPath[SUPR3HARDENED_MAX_PATH * 2];
878	} SUPR3HARDENEDPATHINFO;
879	/** Pointer to a parsed path. */
880	typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
881
882
883	/**
884	* Verifies that the path is absolutely sane, it also parses the path.
885	*
886	* A sane path starts at the root (w/ drive letter on DOS derived systems) and
887	* does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
888	* Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
889	* paths are not supported.
890	*
891	* @returns VBox status code.
892	* @param pszPath The path to check.
893	* @param pErrInfo The error info structure.
894	* @param pInfo Where to return a copy of the path along with
895	* parsing information.
896	*/
897	static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
898	{
899	const char *pszSrc = pszPath;
900	char *pszDst = pInfo->szPath;
901
902	/*
903	* Check that it's an absolute path and copy the volume/root specifier.
904	*/
905	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
906	if ( RT_C_IS_ALPHA(pszSrc[0])
907	\|\| pszSrc[1] != ':'
908	\|\| !RTPATH_IS_SLASH(pszSrc[2]))
909	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
910
911	*pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
912	*pszDst++ = ':';
913	*pszDst++ = RTPATH_SLASH;
914	pszSrc += 3;
915
916	#else
917	if (!RTPATH_IS_SLASH(pszSrc[0]))
918	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
919
920	*pszDst++ = RTPATH_SLASH;
921	pszSrc += 1;
922	#endif
923
924	/*
925	* No path specifying the root or something very shortly thereafter will
926	* be approved of.
927	*/
928	if (pszSrc[0] == '\0')
929	return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
930	if ( pszSrc[1] == '\0'
931	\|\| pszSrc[2] == '\0')
932	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
933
934	/*
935	* Check each component. No parent references or double slashes.
936	*/
937	pInfo->cComponents = 0;
938	pInfo->fDirSlash = false;
939	while (pszSrc[0])
940	{
941	/* Sanity checks. */
942	if (RTPATH_IS_SLASH(pszSrc[0])) /* can be relaxed if we care. */
943	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
944	"The path is not clean of double slashes: '", pszPath, "'");
945	if ( pszSrc[0] == '.'
946	&& pszSrc[1] == '.'
947	&& RTPATH_IS_SLASH(pszSrc[2]))
948	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
949	"The path is not absolute: '", pszPath, "'");
950
951	/* Record the start of the component. */
952	if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
953	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
954	"The path has too many components: '", pszPath, "'");
955	pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
956
957	/* Traverse to the end of the component, copying it as we go along. */
958	while (pszSrc[0])
959	{
960	if (RTPATH_IS_SLASH(pszSrc[0]))
961	{
962	pszSrc++;
963	if (*pszSrc)
964	*pszDst++ = RTPATH_SLASH;
965	else
966	pInfo->fDirSlash = true;
967	break;
968	}
969	pszDst++ = pszSrc++;
970	if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
971	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
972	"The path is too long: '", pszPath, "'");
973	}
974	}
975
976	/* Terminate the string and enter its length. */
977	pszDst[0] = '\0';
978	pszDst[1] = '\0'; /* for aoffComponents */
979	pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
980	pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
981
982	return VINF_SUCCESS;
983	}
984
985
986	/**
987	* The state information collected by supR3HardenedVerifyFsObject.
988	*
989	* This can be used to verify that a directory we've opened for enumeration is
990	* the same as the one that supR3HardenedVerifyFsObject just verified. It can
991	* equally be used to verify a native specfied by the user.
992	*/
993	typedef struct SUPR3HARDENEDFSOBJSTATE
994	{
995	#ifdef RT_OS_WINDOWS
996	/** Not implemented for windows yet. */
997	char chTodo;
998	#else
999	/** The stat output. */
1000	struct stat Stat;
1001	#endif
1002	} SUPR3HARDENEDFSOBJSTATE;
1003	/** Pointer to a file system object state. */
1004	typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1005	/** Pointer to a const file system object state. */
1006	typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1007
1008
1009	/**
1010	* Query information about a file system object by path.
1011	*
1012	* @returns VBox status code, error buffer filled on failure.
1013	* @param pszPath The path to the object.
1014	* @param pFsObjState Where to return the state information.
1015	* @param pErrInfo The error info structure.
1016	*/
1017	static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1018	{
1019	#if defined(RT_OS_WINDOWS)
1020	/** @todo Windows hardening. */
1021	pFsObjState->chTodo = 0;
1022	return VINF_SUCCESS;
1023
1024	#else
1025	/*
1026	* Stat the object, do not follow links.
1027	*/
1028	if (lstat(pszPath, &pFsObjState->Stat) != 0)
1029	{
1030	/* Ignore access errors */
1031	if (errno != EACCES)
1032	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1033	5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1034	}
1035
1036	/*
1037	* Read ACLs.
1038	*/
1039	/** @todo */
1040
1041	return VINF_SUCCESS;
1042	#endif
1043	}
1044
1045
1046	/**
1047	* Query information about a file system object by native handle.
1048	*
1049	* @returns VBox status code, error buffer filled on failure.
1050	* @param hNative The native handle to the object @a pszPath
1051	* specifies and this should be verified to be the
1052	* same file system object.
1053	* @param pFsObjState Where to return the state information.
1054	* @param pszPath The path to the object. (For the error message
1055	* only.)
1056	* @param pErrInfo The error info structure.
1057	*/
1058	static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1059	char const *pszPath, PRTERRINFO pErrInfo)
1060	{
1061	#if defined(RT_OS_WINDOWS)
1062	/** @todo Windows hardening. */
1063	pFsObjState->chTodo = 0;
1064	return VINF_SUCCESS;
1065
1066	#else
1067	/*
1068	* Stat the object, do not follow links.
1069	*/
1070	if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1071	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1072	5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1073
1074	/*
1075	* Read ACLs.
1076	*/
1077	/** @todo */
1078
1079	return VINF_SUCCESS;
1080	#endif
1081	}
1082
1083
1084	/**
1085	* Verifies that the file system object indicated by the native handle is the
1086	* same as the one @a pFsObjState indicates.
1087	*
1088	* @returns VBox status code, error buffer filled on failure.
1089	* @param pFsObjState1 File system object information/state by path.
1090	* @param pFsObjState2 File system object information/state by handle.
1091	* @param pszPath The path to the object @a pFsObjState
1092	* describes. (For the error message.)
1093	* @param pErrInfo The error info structure.
1094	*/
1095	static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1096	const char *pszPath, PRTERRINFO pErrInfo)
1097	{
1098	#if defined(RT_OS_WINDOWS)
1099	/** @todo Windows hardening. */
1100	return VINF_SUCCESS;
1101
1102	#elif defined(RT_OS_OS2)
1103	return VINF_SUCCESS;
1104
1105	#else
1106	/*
1107	* Compare the ino+dev, then the uid+gid and finally the important mode
1108	* bits. Technically the first one should be enough, but we're paranoid.
1109	*/
1110	if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1111	\|\| pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1112	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1113	"The native handle is not the same as '", pszPath, "' (ino/dev)");
1114	if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1115	\|\| pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1116	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1117	"The native handle is not the same as '", pszPath, "' (uid/gid)");
1118	if ( (pFsObjState1->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH))
1119	!= (pFsObjState2->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH)))
1120	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1121	"The native handle is not the same as '", pszPath, "' (mode)");
1122	return VINF_SUCCESS;
1123	#endif
1124	}
1125
1126
1127	/**
1128	* Verifies a file system object (file or directory).
1129	*
1130	* @returns VBox status code, error buffer filled on failure.
1131	* @param pFsObjState The file system object information/state to be
1132	* verified.
1133	* @param fDir Whether this is a directory or a file.
1134	* @param fRelaxed Whether we can be more relaxed about this
1135	* directory (only used for grand parent
1136	* directories).
1137	* @param pszPath The path to the object. For error messages and
1138	* securing a couple of hacks.
1139	* @param pErrInfo The error info structure.
1140	*/
1141	static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1142	const char *pszPath, PRTERRINFO pErrInfo)
1143	{
1144	#if defined(RT_OS_WINDOWS)
1145	/** @todo Windows hardening. */
1146	NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1147	return VINF_SUCCESS;
1148
1149	#elif defined(RT_OS_OS2)
1150	/* No hardening here - it's a single user system. */
1151	NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1152	return VINF_SUCCESS;
1153
1154	#else
1155	/*
1156	* The owner must be root.
1157	*
1158	* This can be extended to include predefined system users if necessary.
1159	*/
1160	if (pFsObjState->Stat.st_uid != 0)
1161	return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1162
1163	/*
1164	* The object type must be directory or file, no symbolic links or other
1165	* risky stuff (sorry dude, but we're paranoid on purpose here).
1166	*/
1167	if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1168	&& !S_ISREG(pFsObjState->Stat.st_mode))
1169	{
1170	if (S_ISLNK(pFsObjState->Stat.st_mode))
1171	return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1172	"Symlinks are not permitted: '", pszPath, "'");
1173	return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1174	"Not regular file or directory: '", pszPath, "'");
1175	}
1176	if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1177	{
1178	if (S_ISDIR(pFsObjState->Stat.st_mode))
1179	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1180	"Expected file but found directory: '", pszPath, "'");
1181	return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1182	"Expected directory but found file: '", pszPath, "'");
1183	}
1184
1185	/*
1186	* The group does not matter if it does not have write access, if it has
1187	* write access it must be group 0 (root/wheel/whatever).
1188	*
1189	* This can be extended to include predefined system groups or groups that
1190	* only root is member of.
1191	*/
1192	if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1193	&& pFsObjState->Stat.st_gid != 0)
1194	{
1195	#ifdef RT_OS_DARWIN
1196	/* HACK ALERT: On Darwin /Applications is root:admin with admin having
1197	full access. So, to work around we relax the hardening a bit and
1198	permit grand parents and beyond to be group writable by admin. */
1199	/** @todo dynamically resolve the admin group? */
1200	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 80 /admin/ \|\| suplibHardenedStrCmp(pszPath, "/Applications");
1201
1202	#elif defined(RT_OS_FREEBSD)
1203	/* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1204	similar to /Applications on OS X (see above).
1205	On FreeBSD root is normally the only member of this group, on
1206	PC-BSD the default user is a member. */
1207	/** @todo dynamically resolve the operator group? */
1208	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 5 /operator/ \|\| suplibHardenedStrCmp(pszPath, "/usr/pbi");
1209	NOREF(fRelaxed);
1210	#else
1211	NOREF(fRelaxed);
1212	bool fBad = true;
1213	#endif
1214	if (fBad)
1215	return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1216	"The group is not a system group and it has write access to '", pszPath, "'");
1217	}
1218
1219	/*
1220	* World must not have write access. There is no relaxing this rule.
1221	*/
1222	if (pFsObjState->Stat.st_mode & S_IWOTH)
1223	return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1224	"World writable: '", pszPath, "'");
1225
1226	/*
1227	* Check the ACLs.
1228	*/
1229	/** @todo */
1230
1231	return VINF_SUCCESS;
1232	#endif
1233	}
1234
1235
1236	/**
1237	* Verifies that the file system object indicated by the native handle is the
1238	* same as the one @a pFsObjState indicates.
1239	*
1240	* @returns VBox status code, error buffer filled on failure.
1241	* @param hNative The native handle to the object @a pszPath
1242	* specifies and this should be verified to be the
1243	* same file system object.
1244	* @param pFsObjState The information/state returned by a previous
1245	* query call.
1246	* @param pszPath The path to the object @a pFsObjState
1247	* describes. (For the error message.)
1248	* @param pErrInfo The error info structure.
1249	*/
1250	static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1251	const char *pszPath, PRTERRINFO pErrInfo)
1252	{
1253	SUPR3HARDENEDFSOBJSTATE FsObjState2;
1254	int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1255	if (RT_SUCCESS(rc))
1256	rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1257	return rc;
1258	}
1259
1260
1261	/**
1262	* Does the recursive directory enumeration.
1263	*
1264	* @returns VBox status code, error buffer filled on failure.
1265	* @param pszDirPath The path buffer containing the subdirectory to
1266	* enumerate followed by a slash (this is never
1267	* the root slash). The buffer is RTPATH_MAX in
1268	* size and anything starting at @a cchDirPath
1269	* - 1 and beyond is scratch space.
1270	* @param cchDirPath The length of the directory path + slash.
1271	* @param pFsObjState Pointer to the file system object state buffer.
1272	* On input this will hold the stats for
1273	* the directory @a pszDirPath indicates and will
1274	* be used to verified that we're opening the same
1275	* thing.
1276	* @param fRecursive Whether to recurse into subdirectories.
1277	* @param pErrInfo The error info structure.
1278	*/
1279	static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1280	bool fRecursive, PRTERRINFO pErrInfo)
1281	{
1282	#if defined(RT_OS_WINDOWS)
1283	/** @todo Windows hardening. */
1284	return VINF_SUCCESS;
1285
1286	#elif defined(RT_OS_OS2)
1287	/* No hardening here - it's a single user system. */
1288	return VINF_SUCCESS;
1289
1290	#else
1291	/*
1292	* Open the directory. Now, we could probably eliminate opendir here
1293	* and go down on kernel API level (open + getdents for instance), however
1294	* that's not very portable and hopefully not necessary.
1295	*/
1296	DIR *pDir = opendir(pszDirPath);
1297	if (!pDir)
1298	{
1299	/* Ignore access errors. */
1300	if (errno == EACCES)
1301	return VINF_SUCCESS;
1302	return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1303	5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1304	}
1305	if (dirfd(pDir) != -1)
1306	{
1307	int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1308	if (RT_FAILURE(rc))
1309	{
1310	closedir(pDir);
1311	return rc;
1312	}
1313	}
1314
1315	/*
1316	* Enumerate the directory, check all the requested bits.
1317	*/
1318	int rc = VINF_SUCCESS;
1319	for (;;)
1320	{
1321	pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1322
1323	struct dirent Entry;
1324	struct dirent *pEntry;
1325	int iErr = readdir_r(pDir, &Entry, &pEntry);
1326	if (iErr)
1327	{
1328	rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1329	5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1330	break;
1331	}
1332	if (!pEntry)
1333	break;
1334
1335	/*
1336	* Check the length and copy it into the path buffer so it can be
1337	* stat()'ed.
1338	*/
1339	size_t cchName = suplibHardenedStrLen(pEntry->d_name);
1340	if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1341	{
1342	rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1343	4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1344	break;
1345	}
1346	suplibHardenedMemCopy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1347
1348	/*
1349	* Query the information about the entry and verify it.
1350	* (We don't bother skipping '.' and '..' at this point, a little bit
1351	* of extra checks doesn't hurt and neither requires relaxed handling.)
1352	*/
1353	rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1354	if (RT_SUCCESS(rc))
1355	break;
1356	rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /fRelaxed/,
1357	pszDirPath, pErrInfo);
1358	if (RT_FAILURE(rc))
1359	break;
1360
1361	/*
1362	* Recurse into subdirectories if requested.
1363	*/
1364	if ( fRecursive
1365	&& S_ISDIR(pFsObjState->Stat.st_mode)
1366	&& suplibHardenedStrCmp(pEntry->d_name, ".")
1367	&& suplibHardenedStrCmp(pEntry->d_name, ".."))
1368	{
1369	pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1370	pszDirPath[cchDirPath + cchName + 1] = '\0';
1371
1372	rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1373	fRecursive, pErrInfo);
1374	if (RT_FAILURE(rc))
1375	break;
1376	}
1377	}
1378
1379	closedir(pDir);
1380	return VINF_SUCCESS;
1381	#endif
1382	}
1383
1384
1385	/**
1386	* Worker for SUPR3HardenedVerifyDir.
1387	*
1388	* @returns See SUPR3HardenedVerifyDir.
1389	* @param pszDirPath See SUPR3HardenedVerifyDir.
1390	* @param fRecursive See SUPR3HardenedVerifyDir.
1391	* @param fCheckFiles See SUPR3HardenedVerifyDir.
1392	* @param pErrInfo See SUPR3HardenedVerifyDir.
1393	*/
1394	DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1395	{
1396	/*
1397	* Validate the input path and parse it.
1398	*/
1399	SUPR3HARDENEDPATHINFO Info;
1400	int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1401	if (RT_FAILURE(rc))
1402	return rc;
1403
1404	/*
1405	* Verify each component from the root up.
1406	*/
1407	SUPR3HARDENEDFSOBJSTATE FsObjState;
1408	uint32_t const cComponents = Info.cComponents;
1409	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1410	{
1411	bool fRelaxed = iComponent + 2 < cComponents;
1412	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1413	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1414	if (RT_SUCCESS(rc))
1415	rc = supR3HardenedVerifyFsObject(&FsObjState, true /fDir/, fRelaxed, Info.szPath, pErrInfo);
1416	if (RT_FAILURE(rc))
1417	return rc;
1418	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1419	}
1420
1421	/*
1422	* Check files and subdirectories if requested.
1423	*/
1424	if (fCheckFiles \|\| fRecursive)
1425	{
1426	Info.szPath[Info.cch] = RTPATH_SLASH;
1427	Info.szPath[Info.cch + 1] = '\0';
1428	return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1429	fRecursive, pErrInfo);
1430	}
1431
1432	return VINF_SUCCESS;
1433	}
1434
1435
1436	/**
1437	* Verfies a file.
1438	*
1439	* @returns VBox status code, error buffer filled on failure.
1440	* @param pszFilename The file to verify.
1441	* @param hNativeFile Handle to the file, verify that it's the same
1442	* as we ended up with when verifying the path.
1443	* RTHCUINTPTR_MAX means NIL here.
1444	* @param pErrInfo Where to return extended error information.
1445	* Optional.
1446	*/
1447	DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile, PRTERRINFO pErrInfo)
1448	{
1449	/*
1450	* Validate the input path and parse it.
1451	*/
1452	SUPR3HARDENEDPATHINFO Info;
1453	int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1454	if (RT_FAILURE(rc))
1455	return rc;
1456	if (Info.fDirSlash)
1457	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1458	"The file path specifies a directory: '", pszFilename, "'");
1459
1460	/*
1461	* Verify each component from the root up.
1462	*/
1463	SUPR3HARDENEDFSOBJSTATE FsObjState;
1464	uint32_t const cComponents = Info.cComponents;
1465	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1466	{
1467	bool fFinal = iComponent + 1 == cComponents;
1468	bool fRelaxed = iComponent + 2 < cComponents;
1469	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1470	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1471	if (RT_SUCCESS(rc))
1472	rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /fDir/, fRelaxed, Info.szPath, pErrInfo);
1473	if (RT_FAILURE(rc))
1474	return rc;
1475	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1476	}
1477
1478	/*
1479	* Verify the file.
1480	*/
1481	if (hNativeFile != RTHCUINTPTR_MAX)
1482	return supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1483	return VINF_SUCCESS;
1484	}
1485
1486
1487	/**
1488	* Gets the pre-init data for the hand-over to the other version
1489	* of this code.
1490	*
1491	* The reason why we pass this information on is that it contains
1492	* open directories and files. Later it may include even more info
1493	* (int the verified arrays mostly).
1494	*
1495	* The receiver is supR3HardenedRecvPreInitData.
1496	*
1497	* @param pPreInitData Where to store it.
1498	*/
1499	DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
1500	{
1501	pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
1502	pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
1503	pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
1504
1505	pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
1506	pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
1507	}
1508
1509
1510	/**
1511	* Receives the pre-init data from the static executable stub.
1512	*
1513	* @returns VBox status code. Will not bitch on failure since the
1514	* runtime isn't ready for it, so that is left to the exe stub.
1515	*
1516	* @param pPreInitData The hand-over data.
1517	*/
1518	DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
1519	{
1520	/*
1521	* Compare the array lengths and the contents of g_aSupInstallFiles.
1522	*/
1523	if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
1524	\|\| pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
1525	return VERR_VERSION_MISMATCH;
1526	SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
1527	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
1528	if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
1529	\|\| g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
1530	\|\| g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
1531	\|\| suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
1532	return VERR_VERSION_MISMATCH;
1533
1534	/*
1535	* Check that we're not called out of order.
1536	* If dynamic linking it screwed up, we may end up here.
1537	*/
1538	if ( ASMMemIsAll8(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles), 0) != NULL
1539	\|\| ASMMemIsAll8(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs), 0) != NULL)
1540	return VERR_WRONG_ORDER;
1541
1542	/*
1543	* Copy the verification data over.
1544	*/
1545	suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
1546	suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
1547	return VINF_SUCCESS;
1548	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 49736

Download in other formats: