VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 108714

Last change on this file since 108714 was 108714, checked in by vboxsync, 4 weeks ago

HostDrivers/Support/SUPR3HardenedVerify.cpp: Don't try to verify R0 modules if they are not there when VBOX_WITH_R0_MODULES is not defined, bugref:10391
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 85.7 KB
Line 
1/* $Id: SUPR3HardenedVerify.cpp 108714 2025-03-24 11:05:02Z vboxsync $ */
2/** @file
3 * VirtualBox Support Library - Verification of Hardened Installation.
4 */
5
6/*
7 * Copyright (C) 2006-2024 Oracle and/or its affiliates.
8 *
9 * This file is part of VirtualBox base platform packages, as
10 * available from https://www.virtualbox.org.
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation, in version 3 of the
15 * License.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 * General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, see <https://www.gnu.org/licenses>.
24 *
25 * The contents of this file may alternatively be used under the terms
26 * of the Common Development and Distribution License Version 1.0
27 * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
28 * in the VirtualBox distribution, in which case the provisions of the
29 * CDDL are applicable instead of those of the GPL.
30 *
31 * You may elect to license modified versions of this file under the
32 * terms and conditions of either the GPL or the CDDL or both.
33 *
34 * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
35 */
36
37
38/*********************************************************************************************************************************
39* Header Files *
40*********************************************************************************************************************************/
41#if defined(RT_OS_OS2)
42# define INCL_BASE
43# define INCL_ERRORS
44# include <os2.h>
45# include <stdio.h>
46# include <stdlib.h>
47# include <unistd.h>
48# include <sys/fcntl.h>
49# include <sys/errno.h>
50# include <sys/syslimits.h>
51
52#elif defined(RT_OS_WINDOWS)
53# include <iprt/nt/nt-and-windows.h>
54# ifndef IN_SUP_HARDENED_R3
55# include <stdio.h>
56# endif
57
58#else /* UNIXes */
59# include <sys/types.h>
60# include <stdio.h>
61# include <stdlib.h>
62# include <dirent.h>
63# include <dlfcn.h>
64# include <fcntl.h>
65# include <limits.h>
66# include <errno.h>
67# include <unistd.h>
68# include <sys/stat.h>
69# include <sys/time.h>
70# include <sys/fcntl.h>
71# include <pwd.h>
72# ifdef RT_OS_DARWIN
73# include <mach-o/dyld.h>
74# endif
75
76#endif
77
78#include <VBox/sup.h>
79#include <VBox/err.h>
80#include <iprt/asm.h>
81#include <iprt/ctype.h>
82#include <iprt/param.h>
83#include <iprt/path.h>
84#include <iprt/string.h>
85#include <iprt/utf16.h>
86
87#include "SUPLibInternal.h"
88#if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
89# define SUPHNTVI_NO_NT_STUFF
90# include "win/SUPHardenedVerify-win.h"
91#endif
92
93
94/*********************************************************************************************************************************
95* Defined Constants And Macros *
96*********************************************************************************************************************************/
97/** The max path length acceptable for a trusted path. */
98#define SUPR3HARDENED_MAX_PATH 260U
99
100/** Enable to resolve symlinks using realpath() instead of cooking our own stuff. */
101#define SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH 1
102
103#ifdef RT_OS_SOLARIS
104# define dirfd(d) ((d)->d_fd)
105#endif
106
107/** Compare table file names with externally supplied names. */
108#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
109# define SUP_COMP_FILENAME RTStrICmp
110#else
111# define SUP_COMP_FILENAME suplibHardenedStrCmp
112#endif
113
114
115/*********************************************************************************************************************************
116* Global Variables *
117*********************************************************************************************************************************/
118/**
119 * The files that gets verified.
120 *
121 * @todo This needs reviewing against the linux packages.
122 * @todo The excessive use of kSupID_AppSharedLib needs to be reviewed at some point. For
123 * the time being we're building the linux packages with SharedLib pointing to
124 * AppPrivArch (lazy bird).
125 *
126 * @remarks If you add executables here, you might need to update
127 * g_apszSupNtVpAllowedVmExes in SUPHardenedVerifyProcess-win.cpp.
128 */
129static SUPINSTFILE const g_aSupInstallFiles[] =
130{
131 /* type, dir, fOpt, "pszFile" */
132 /* ---------------------------------------------------------------------- */
133#ifdef VBOX_WITH_R0_MODULES
134 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
135 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
136#endif
137
138#ifdef VBOX_WITH_RAW_MODE
139 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMRC.rc" },
140 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDRC.rc" },
141#endif
142
143 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
144 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
145#if HC_ARCH_BITS == 32
146 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
147 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
148#endif
149 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
150 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
151 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
152 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxVMMPreload" SUPLIB_EXE_SUFF },
153 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVMMPreload" SUPLIB_DLL_SUFF },
154
155//#ifdef VBOX_WITH_DEBUGGER_GUI
156 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
157 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
158//#endif
159
160//#ifdef VBOX_WITH_SHARED_CLIPBOARD
161 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
162//#endif
163//#ifdef VBOX_WITH_SHARED_FOLDERS
164 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
165//#endif
166//#ifdef VBOX_WITH_DRAG_AND_DROP
167 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
168//#endif
169//#ifdef VBOX_WITH_GUEST_PROPS
170 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
171//#endif
172//#ifdef VBOX_WITH_GUEST_CONTROL
173 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
174//#endif
175 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
176 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
177 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
178 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
179 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
180
181 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
182
183#ifdef VBOX_WITH_MAIN
184 { kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
185 #ifdef RT_OS_WINDOWS
186 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
187 #else
188 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_DLL_SUFF },
189 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
190 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
191 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
192 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
193 { kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
194 #endif
195#endif
196
197 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
198 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
199 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
200
201//#ifdef VBOX_WITH_HEADLESS
202 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
203 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
204 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
205//#endif
206
207//#ifdef VBOX_WITH_QTGUI
208 { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
209# ifdef RT_OS_DARWIN
210 { kSupIFT_Exe, kSupID_AppMacHelper, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
211# else
212 { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
213# endif
214 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBoxVM" SUPLIB_DLL_SUFF },
215 { kSupIFT_Dll, kSupID_AppPrivArch, true, "UICommon" SUPLIB_DLL_SUFF },
216# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
217 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
218# endif
219//#endif
220
221//#ifdef VBOX_WITH_VBOXSDL
222 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
223 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
224//#endif
225
226//#ifdef VBOX_WITH_WEBSERVICES
227 { kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
228//#endif
229
230#ifdef RT_OS_LINUX
231 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
232#endif
233
234//#ifdef VBOX_WITH_NETFLT
235 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
236 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
237//#endif
238
239//#ifdef VBOX_WITH_LWIP_NAT
240 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
241 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
242//#endif
243#if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
244# define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
245 { kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
246 { kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
247 HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
248 HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
249 HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
250 HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
251 HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
252# define HARDENED_TESTCASE_ENTRY(a_szName) \
253 { kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
254 { kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
255 HARDENED_TESTCASE_ENTRY("tstCFGM"),
256 HARDENED_TESTCASE_ENTRY("tstGIP-2"),
257 HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
258 HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
259 HARDENED_TESTCASE_ENTRY("tstRTR0ThreadPreemptionDriver"),
260 HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
261 HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
262 HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
263 HARDENED_TESTCASE_ENTRY("tstSSM"),
264#endif
265};
266
267
268/** Array parallel to g_aSupInstallFiles containing per-file status info. */
269static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
270
271/** Array index by install directory specifier containing info about verified directories. */
272static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
273
274
275/**
276 * Assembles the path to a directory.
277 *
278 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
279 * decides whether it returns or not).
280 *
281 * @param enmDir The directory.
282 * @param pszDst Where to assemble the path.
283 * @param cchDst The size of the buffer.
284 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
285 * @param pFile The file (for darwin helper app paths).
286 */
287static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal, PCSUPINSTFILE pFile)
288{
289 int rc;
290 switch (enmDir)
291 {
292 case kSupID_AppBin:
293 rc = supR3HardenedPathAppBin(pszDst, cchDst);
294 break;
295 case kSupID_AppSharedLib:
296 rc = supR3HardenedPathAppSharedLibs(pszDst, cchDst);
297 break;
298 case kSupID_AppPrivArch:
299 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
300 break;
301 case kSupID_AppPrivArchComp:
302 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
303 if (RT_SUCCESS(rc))
304 {
305 size_t off = suplibHardenedStrLen(pszDst);
306 if (cchDst - off >= sizeof("/components"))
307 suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
308 else
309 rc = VERR_BUFFER_OVERFLOW;
310 }
311 break;
312 case kSupID_AppPrivNoArch:
313 rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
314 break;
315 case kSupID_Testcase:
316 rc = supR3HardenedPathAppBin(pszDst, cchDst);
317 if (RT_SUCCESS(rc))
318 {
319 size_t off = suplibHardenedStrLen(pszDst);
320 if (cchDst - off >= sizeof("/testcase"))
321 suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
322 else
323 rc = VERR_BUFFER_OVERFLOW;
324 }
325 break;
326#ifdef RT_OS_DARWIN
327 case kSupID_AppMacHelper:
328 rc = supR3HardenedPathAppBin(pszDst, cchDst);
329 if (RT_SUCCESS(rc))
330 {
331 /* Up one level from the VirtualBox.app/Contents/MacOS directory: */
332 size_t offDst = suplibHardenedStrLen(pszDst);
333 while (offDst > 1 && pszDst[offDst - 1] == '/')
334 offDst--;
335 while (offDst > 1 && pszDst[offDst - 1] != '/')
336 offDst--;
337
338 /* Construct the path to the helper application's Contents/MacOS directory: */
339 size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
340 if (offDst + cchFile + sizeof("Resources/.app/Contents/MacOS") <= cchDst)
341 {
342 suplibHardenedMemCopy(&pszDst[offDst], RT_STR_TUPLE("Resources/"));
343 offDst += sizeof("Resources/") - 1;
344 suplibHardenedMemCopy(&pszDst[offDst], pFile->pszFile, cchFile);
345 offDst += cchFile;
346 suplibHardenedMemCopy(&pszDst[offDst], RT_STR_TUPLE(".app/Contents/MacOS") + 1);
347 }
348 else
349 rc = VERR_BUFFER_OVERFLOW;
350 }
351 break;
352#endif
353 default:
354 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
355 "supR3HardenedMakePath: enmDir=%d\n", enmDir);
356 }
357 if (RT_FAILURE(rc))
358 supR3HardenedError(rc, fFatal,
359 "supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
360 NOREF(pFile);
361 return rc;
362}
363
364
365
366/**
367 * Assembles the path to a file table entry, with or without the actual filename.
368 *
369 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
370 * decides whether it returns or not).
371 *
372 * @param pFile The file table entry.
373 * @param pszDst Where to assemble the path.
374 * @param cchDst The size of the buffer.
375 * @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
376 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
377 */
378static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
379{
380 /*
381 * Combine supR3HardenedMakePath and the filename.
382 */
383 int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal, pFile);
384 if (RT_SUCCESS(rc) && fWithFilename)
385 {
386 size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
387 size_t off = suplibHardenedStrLen(pszDst);
388 if (cchDst - off >= cchFile + 2)
389 {
390 pszDst[off++] = '/';
391 suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
392 }
393 else
394 rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
395 "supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
396 pFile->pszFile, (long)off);
397 }
398 return rc;
399}
400
401
402/**
403 * Verifies a directory.
404 *
405 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
406 * fFatal is clear and if it's set the function wont return.
407 * @param enmDir The directory specifier.
408 * @param fFatal Whether validation failures should be treated as
409 * fatal (true) or not (false).
410 * @param pFile The file (for darwin helper app paths).
411 */
412DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal, PCSUPINSTFILE pFile)
413{
414 /*
415 * Validate the index just to be on the safe side...
416 */
417 if (enmDir <= kSupID_Invalid || enmDir >= kSupID_End)
418 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
419 "supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
420
421 /*
422 * Already validated?
423 */
424 if (g_aSupVerifiedDirs[enmDir].fValidated)
425 return VINF_SUCCESS; /** @todo revalidate? */
426
427 /* initialize the entry. */
428 if (g_aSupVerifiedDirs[enmDir].hDir != 0)
429 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
430 "supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
431 (void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
432 g_aSupVerifiedDirs[enmDir].hDir = -1;
433 g_aSupVerifiedDirs[enmDir].fValidated = false;
434
435 /*
436 * Make the path and open the directory.
437 */
438 char szPath[RTPATH_MAX];
439 int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal, pFile);
440 if (RT_SUCCESS(rc))
441 {
442#if defined(RT_OS_WINDOWS)
443 PRTUTF16 pwszPath;
444 rc = RTStrToUtf16(szPath, &pwszPath);
445 if (RT_SUCCESS(rc))
446 {
447 HANDLE hDir = CreateFileW(pwszPath,
448 GENERIC_READ,
449 FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE,
450 NULL,
451 OPEN_EXISTING,
452 FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS,
453 NULL);
454 if (hDir != INVALID_HANDLE_VALUE)
455 {
456 /** @todo check the type */
457 /* That's all on windows, for now at least... */
458 g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
459 g_aSupVerifiedDirs[enmDir].fValidated = true;
460 }
461 else if (enmDir == kSupID_Testcase)
462 {
463 g_aSupVerifiedDirs[enmDir].fValidated = true;
464 rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
465 }
466 else
467 {
468 int err = RtlGetLastWin32Error();
469 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
470 "supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
471 szPath, err);
472 }
473 RTUtf16Free(pwszPath);
474 }
475 else
476 rc = supR3HardenedError(rc, fFatal,
477 "supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
478
479#else /* UNIXY */
480 int fd = open(szPath, O_RDONLY, 0);
481 if (fd >= 0)
482 {
483 /*
484 * On unixy systems we'll make sure the directory is owned by root
485 * and not writable by the group and user.
486 */
487 struct stat st;
488 if (!fstat(fd, &st))
489 {
490
491 if ( st.st_uid == 0
492 && !(st.st_mode & (S_IWGRP | S_IWOTH))
493 && S_ISDIR(st.st_mode))
494 {
495 g_aSupVerifiedDirs[enmDir].hDir = fd;
496 g_aSupVerifiedDirs[enmDir].fValidated = true;
497 }
498 else
499 {
500 if (!S_ISDIR(st.st_mode))
501 rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
502 "supR3HardenedVerifyDir: \"%s\" is not a directory\n",
503 szPath, (long)st.st_uid);
504 else if (st.st_uid)
505 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
506 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
507 szPath, (long)st.st_uid);
508 else
509 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
510 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
511 szPath, (long)st.st_mode);
512 close(fd);
513 }
514 }
515 else
516 {
517 int err = errno;
518 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
519 "supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
520 szPath, strerror(err), err);
521 close(fd);
522 }
523 }
524 else if (enmDir == kSupID_Testcase)
525 {
526 g_aSupVerifiedDirs[enmDir].fValidated = true;
527 rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
528 }
529 else
530 {
531 int err = errno;
532 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
533 "supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
534 szPath, strerror(err), err);
535 }
536#endif /* UNIXY */
537 }
538
539 return rc;
540}
541
542
543#ifdef RT_OS_WINDOWS
544/**
545 * Opens the file for verification.
546 *
547 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
548 * fFatal is clear and if it's set the function wont return.
549 * @param pFile The file entry.
550 * @param fFatal Whether validation failures should be treated as
551 * kl fatal (true) or not (false).
552 * @param phFile The file handle, set to -1 if we failed to open
553 * the file. The function may return VINF_SUCCESS
554 * and a -1 handle if the file is optional.
555 */
556static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
557{
558 *phFile = -1;
559
560 char szPath[RTPATH_MAX];
561 int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
562 if (RT_SUCCESS(rc))
563 {
564 PRTUTF16 pwszPath;
565 rc = RTStrToUtf16(szPath, &pwszPath);
566 if (RT_SUCCESS(rc))
567 {
568 HANDLE hFile = CreateFileW(pwszPath,
569 GENERIC_READ,
570 FILE_SHARE_READ,
571 NULL,
572 OPEN_EXISTING,
573 FILE_ATTRIBUTE_NORMAL,
574 NULL);
575 if (hFile != INVALID_HANDLE_VALUE)
576 {
577 *phFile = (intptr_t)hFile;
578 rc = VINF_SUCCESS;
579 }
580 else
581 {
582 int err = RtlGetLastWin32Error();
583 if ( !pFile->fOptional
584 || ( err != ERROR_FILE_NOT_FOUND
585 && (err != ERROR_PATH_NOT_FOUND || pFile->enmDir != kSupID_Testcase) ) )
586 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
587 "supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
588 }
589 RTUtf16Free(pwszPath);
590 }
591 else
592 rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
593 szPath, rc);
594 }
595 return rc;
596}
597
598
599/**
600 * Worker for supR3HardenedVerifyFileInternal.
601 *
602 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
603 * fFatal is clear and if it's set the function wont return.
604 * @param pFile The file entry.
605 * @param pVerified The verification record.
606 * @param fFatal Whether validation failures should be treated as
607 * fatal (true) or not (false).
608 * @param fLeaveFileOpen Whether the file should be left open.
609 */
610static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
611{
612# if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
613
614 /*
615 * Open the file if we have to.
616 */
617 int rc;
618 intptr_t hFileOpened;
619 intptr_t hFile = pVerified->hFile;
620 if (hFile != -1)
621 hFileOpened = -1;
622 else
623 {
624 rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
625 if (RT_FAILURE(rc))
626 return rc;
627 hFile = hFileOpened;
628 }
629
630 /*
631 * Verify the signature.
632 */
633 char szErr[1024];
634 RTERRINFO ErrInfo;
635 RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
636
637 uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
638 if (pFile->enmType == kSupIFT_Rc)
639 fFlags |= SUPHNTVI_F_RC_IMAGE;
640
641 rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
642 if (RT_SUCCESS(rc))
643 pVerified->fCheckedSignature = true;
644 else
645 {
646 pVerified->fCheckedSignature = false;
647 rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
648 pFile->pszFile, rc, szErr);
649
650 }
651
652 /*
653 * Close the handle if we opened the file and we should close it.
654 */
655 if (hFileOpened != -1)
656 {
657 if (fLeaveFileOpen && RT_SUCCESS(rc))
658 pVerified->hFile = hFileOpened;
659 else
660 NtClose((HANDLE)hFileOpened);
661 }
662
663 return rc;
664
665# else /* Not checking signatures. */
666 RT_NOREF4(pFile, pVerified, fFatal, fLeaveFileOpen);
667 return VINF_SUCCESS;
668# endif /* Not checking signatures. */
669}
670#endif
671
672
673/**
674 * Verifies a file entry.
675 *
676 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
677 * fFatal is clear and if it's set the function wont return.
678 *
679 * @param iFile The file table index of the file to be verified.
680 * @param fFatal Whether validation failures should be treated as
681 * fatal (true) or not (false).
682 * @param fLeaveFileOpen Whether the file should be left open.
683 * @param fVerifyAll Set if this is an verify all call and we will
684 * postpone signature checking.
685 */
686static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
687{
688#ifndef RT_OS_WINDOWS
689 RT_NOREF1(fVerifyAll);
690#endif
691 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
692 PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
693
694 /*
695 * Already done validation? Do signature validation if we haven't yet.
696 */
697 if (pVerified->fValidated)
698 {
699 /** @todo revalidate? Check that the file hasn't been replace or similar. */
700#ifdef RT_OS_WINDOWS
701 if (!pVerified->fCheckedSignature && !fVerifyAll)
702 return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
703#endif
704 return VINF_SUCCESS;
705 }
706
707
708 /* initialize the entry. */
709 if (pVerified->hFile != 0)
710 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
711 "supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
712 (void *)pVerified->hFile, pFile->pszFile);
713 pVerified->hFile = -1;
714 pVerified->fValidated = false;
715#ifdef RT_OS_WINDOWS
716 pVerified->fCheckedSignature = false;
717#endif
718
719 /*
720 * Verify the directory then proceed to open it.
721 * (This'll make sure the directory is opened and that we can (later)
722 * use openat if we wish.)
723 */
724 int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal, pFile);
725 if (RT_SUCCESS(rc))
726 {
727#if defined(RT_OS_WINDOWS)
728 rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
729 if (RT_SUCCESS(rc))
730 {
731 if (!fVerifyAll)
732 rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
733 if (RT_SUCCESS(rc))
734 {
735 pVerified->fValidated = true;
736 if (!fLeaveFileOpen)
737 {
738 NtClose((HANDLE)pVerified->hFile);
739 pVerified->hFile = -1;
740 }
741 }
742 }
743#else /* !RT_OS_WINDOWS */
744 char szPath[RTPATH_MAX];
745 rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
746 if (RT_SUCCESS(rc))
747 {
748 int fd = open(szPath, O_RDONLY, 0);
749 if (fd >= 0)
750 {
751 /*
752 * On unixy systems we'll make sure the file is owned by root
753 * and not writable by the group and user.
754 */
755 struct stat st;
756 if (!fstat(fd, &st))
757 {
758 if ( st.st_uid == 0
759 && !(st.st_mode & (S_IWGRP | S_IWOTH))
760 && S_ISREG(st.st_mode))
761 {
762 /* it's valid. */
763 if (fLeaveFileOpen)
764 pVerified->hFile = fd;
765 else
766 close(fd);
767 pVerified->fValidated = true;
768 }
769 else
770 {
771 if (!S_ISREG(st.st_mode))
772 rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
773 "supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
774 szPath, (long)st.st_uid);
775 else if (st.st_uid)
776 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
777 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
778 szPath, (long)st.st_uid);
779 else
780 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
781 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
782 szPath, (long)st.st_mode);
783 close(fd);
784 }
785 }
786 else
787 {
788 int err = errno;
789 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
790 "supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
791 szPath, strerror(err), err);
792 close(fd);
793 }
794 }
795 else
796 {
797 int err = errno;
798 if (!pFile->fOptional || err != ENOENT)
799 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
800 "supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
801 szPath, strerror(err), err);
802 }
803 }
804#endif /* !RT_OS_WINDOWS */
805 }
806
807 return rc;
808}
809
810
811/**
812 * Verifies that the specified table entry matches the given filename.
813 *
814 * @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
815 * error is returned or we terminate the application.
816 *
817 * @param iFile The file table index.
818 * @param pszFilename The filename.
819 * @param fFatal Whether validation failures should be treated as
820 * fatal (true) or not (false).
821 */
822static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
823{
824 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
825
826 /*
827 * Construct the full path for the file table entry
828 * and compare it with the specified file.
829 */
830 char szName[RTPATH_MAX];
831 int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
832 if (RT_FAILURE(rc))
833 return rc;
834 if (SUP_COMP_FILENAME(szName, pszFilename))
835 {
836 /*
837 * Normalize the two paths and compare again.
838 */
839 rc = VERR_NOT_SAME_DEVICE;
840#if defined(RT_OS_WINDOWS)
841 LPSTR pszIgnored;
842 char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
843 if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
844 && GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
845 if (!SUP_COMP_FILENAME(szName2, szName))
846 rc = VINF_SUCCESS;
847#else
848 AssertCompile(RTPATH_MAX >= PATH_MAX);
849 char szName2[RTPATH_MAX];
850 if ( realpath(szName, szName2) != NULL
851 && realpath(pszFilename, szName) != NULL)
852 if (!SUP_COMP_FILENAME(szName2, szName))
853 rc = VINF_SUCCESS;
854#endif
855
856 if (RT_FAILURE(rc))
857 {
858 supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
859 return supR3HardenedError(rc, fFatal,
860 "supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
861 pszFilename, szName);
862 }
863 }
864
865 /*
866 * Check more stuff like the stat info if it's an already open file?
867 */
868
869
870
871 return VINF_SUCCESS;
872}
873
874
875/**
876 * Verifies a file.
877 *
878 * @returns VINF_SUCCESS on success.
879 * VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
880 * On verification failure, an error code will be returned when fFatal is clear,
881 * otherwise the program will be terminated.
882 *
883 * @param pszFilename The filename.
884 * @param fFatal Whether validation failures should be treated as
885 * fatal (true) or not (false).
886 */
887DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
888{
889 /*
890 * Lookup the file and check if it's the same file.
891 */
892 const char *pszName = supR3HardenedPathFilename(pszFilename);
893 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
894 if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
895 {
896 int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
897 if (RT_SUCCESS(rc))
898 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen */, false /* fVerifyAll */);
899 return rc;
900 }
901
902 return VERR_NOT_FOUND;
903}
904
905
906/**
907 * Verifies a program, worker for supR3HardenedVerifyAll.
908 *
909 * @returns See supR3HardenedVerifyAll.
910 * @param pszProgName See supR3HardenedVerifyAll.
911 * @param pszExePath The path to the executable.
912 * @param fFatal See supR3HardenedVerifyAll.
913 * @param fLeaveOpen The leave open setting used by
914 * supR3HardenedVerifyAll.
915 * @param fMainFlags Flags supplied to SUPR3HardenedMain.
916 */
917static int supR3HardenedVerifyProgram(const char *pszProgName, const char *pszExePath, bool fFatal,
918 bool fLeaveOpen, uint32_t fMainFlags)
919{
920 /*
921 * Search the table looking for the executable and the DLL/DYLIB/SO.
922 * Note! On darwin we have a hack in place for VirtualBoxVM helper app
923 * to share VirtualBox.dylib with the VirtualBox app. This ASSUMES
924 * that cchProgNameDll is equal or shorter to the exe name.
925 */
926 int rc = VINF_SUCCESS;
927 bool fExe = false;
928 bool fDll = false;
929 size_t const cchProgNameExe = suplibHardenedStrLen(pszProgName);
930#ifndef RT_OS_DARWIN
931 size_t const cchProgNameDll = cchProgNameExe;
932 NOREF(fMainFlags);
933#else
934 size_t const cchProgNameDll = fMainFlags & SUPSECMAIN_FLAGS_OSX_VM_APP
935 ? sizeof("VirtualBox") - 1
936 : cchProgNameExe;
937 if (cchProgNameDll > cchProgNameExe)
938 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
939 "supR3HardenedVerifyProgram: SUPSECMAIN_FLAGS_OSX_VM_APP + '%s'", pszProgName);
940#endif
941 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
942 if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameDll))
943 {
944 if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
945 || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
946 && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameDll], SUPLIB_DLL_SUFF))
947 {
948 /* This only has to be found (once). */
949 if (fDll)
950 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
951 "supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
952 else
953 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
954 true /* fVerifyAll - check sign later, only final process need check it on load. */);
955 fDll = true;
956 }
957 else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
958 || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
959 && ( cchProgNameExe == cchProgNameDll
960 || !suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameExe))
961 && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameExe], SUPLIB_EXE_SUFF))
962 {
963 /* Here we'll have to check that the specific program is the same as the entry. */
964 if (fExe)
965 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
966 "supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
967 else
968 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
969 fExe = true;
970
971 supR3HardenedVerifySameFile(iFile, pszExePath, fFatal);
972 }
973 }
974
975 /*
976 * Check the findings.
977 */
978 if (RT_SUCCESS(rc))
979 {
980 if (!fDll && !fExe)
981 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
982 "supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
983 else if (!fExe)
984 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
985 "supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
986 else if (!fDll)
987 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
988 "supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
989 }
990 return rc;
991}
992
993
994/**
995 * Verifies all the known files (called from SUPR3HardenedMain).
996 *
997 * @returns VINF_SUCCESS on success.
998 * On verification failure, an error code will be returned when fFatal is clear,
999 * otherwise the program will be terminated.
1000 *
1001 * @param fFatal Whether validation failures should be treated as
1002 * fatal (true) or not (false).
1003 * @param pszProgName The program name. This is used to verify that
1004 * both the executable and corresponding
1005 * DLL/DYLIB/SO are valid.
1006 * @param pszExePath The path to the executable.
1007 * @param fMainFlags Flags supplied to SUPR3HardenedMain.
1008 */
1009DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char *pszProgName, const char *pszExePath, uint32_t fMainFlags)
1010{
1011 /*
1012 * On windows
1013 */
1014#if defined(RT_OS_WINDOWS)
1015 bool fLeaveOpen = true;
1016#else
1017 bool fLeaveOpen = false;
1018#endif
1019
1020 /*
1021 * The verify all the files.
1022 */
1023 int rc = VINF_SUCCESS;
1024 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
1025 {
1026 int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
1027 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
1028 rc = rc2;
1029 }
1030
1031 /*
1032 * Verify the program name, that is to say, check that it's in the table
1033 * (thus verified above) and verify the signature on platforms where we
1034 * sign things.
1035 */
1036 int rc2 = supR3HardenedVerifyProgram(pszProgName, pszExePath, fFatal, fLeaveOpen, fMainFlags);
1037 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
1038 rc = rc2;
1039
1040 return rc;
1041}
1042
1043
1044/**
1045 * Copies the N messages into the error buffer and returns @a rc.
1046 *
1047 * @returns Returns @a rc
1048 * @param rc The return code.
1049 * @param pErrInfo The error info structure.
1050 * @param cMsgs The number of messages in the ellipsis.
1051 * @param ... Message parts.
1052 */
1053static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
1054{
1055 if (pErrInfo)
1056 {
1057 size_t cbErr = pErrInfo->cbMsg;
1058 char *pszErr = pErrInfo->pszMsg;
1059
1060 va_list va;
1061 va_start(va, cMsgs);
1062 while (cMsgs-- > 0 && cbErr > 0)
1063 {
1064 const char *pszMsg = va_arg(va, const char *);
1065 size_t cchMsg = RT_VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
1066 if (cchMsg >= cbErr)
1067 cchMsg = cbErr - 1;
1068 suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
1069 pszErr[cchMsg] = '\0';
1070 pszErr += cchMsg;
1071 cbErr -= cchMsg;
1072 }
1073 va_end(va);
1074
1075 pErrInfo->rc = rc;
1076 pErrInfo->fFlags |= RTERRINFO_FLAGS_SET;
1077 }
1078
1079 return rc;
1080}
1081
1082
1083#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
1084/**
1085 * Copies the four messages into the error buffer and returns @a rc.
1086 *
1087 * @returns Returns @a rc
1088 * @param rc The return code.
1089 * @param pErrInfo The error info structure.
1090 * @param pszMsg1 The first message part.
1091 * @param pszMsg2 The second message part.
1092 * @param pszMsg3 The third message part.
1093 * @param pszMsg4 The fourth message part.
1094 */
1095static int supR3HardenedSetError4(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1096 const char *pszMsg2, const char *pszMsg3, const char *pszMsg4)
1097{
1098 return supR3HardenedSetErrorN(rc, pErrInfo, 4, pszMsg1, pszMsg2, pszMsg3, pszMsg4);
1099}
1100#endif
1101
1102
1103/**
1104 * Copies the three messages into the error buffer and returns @a rc.
1105 *
1106 * @returns Returns @a rc
1107 * @param rc The return code.
1108 * @param pErrInfo The error info structure.
1109 * @param pszMsg1 The first message part.
1110 * @param pszMsg2 The second message part.
1111 * @param pszMsg3 The third message part.
1112 */
1113static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1114 const char *pszMsg2, const char *pszMsg3)
1115{
1116 return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
1117}
1118
1119
1120#ifdef SOME_UNUSED_FUNCTION
1121/**
1122 * Copies the two messages into the error buffer and returns @a rc.
1123 *
1124 * @returns Returns @a rc
1125 * @param rc The return code.
1126 * @param pErrInfo The error info structure.
1127 * @param pszMsg1 The first message part.
1128 * @param pszMsg2 The second message part.
1129 */
1130static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1131 const char *pszMsg2)
1132{
1133 return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
1134}
1135#endif
1136
1137
1138#ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
1139# if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
1140/**
1141 * Copies the error message to the error buffer and returns @a rc.
1142 *
1143 * @returns Returns @a rc
1144 * @param rc The return code.
1145 * @param pErrInfo The error info structure.
1146 * @param pszMsg The message.
1147 */
1148static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
1149{
1150 return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
1151}
1152# endif
1153#endif
1154
1155
1156/**
1157 * Output from a successfull supR3HardenedVerifyPathSanity call.
1158 */
1159typedef struct SUPR3HARDENEDPATHINFO
1160{
1161 /** The length of the path in szCopy. */
1162 uint16_t cch;
1163 /** The number of path components. */
1164 uint16_t cComponents;
1165 /** Set if the path ends with slash, indicating that it's a directory
1166 * reference and not a file reference. The slash has been removed from
1167 * the copy. */
1168 bool fDirSlash;
1169 /** The offset where each path component starts, i.e. the char after the
1170 * slash. The array has cComponents + 1 entries, where the final one is
1171 * cch + 1 so that one can always terminate the current component by
1172 * szPath[aoffComponent[i] - 1] = '\0'. */
1173 uint16_t aoffComponents[32+1];
1174 /** A normalized copy of the path.
1175 * Reserve some extra space so we can be more relaxed about overflow
1176 * checks and terminator paddings, especially when recursing. */
1177 char szPath[SUPR3HARDENED_MAX_PATH * 2];
1178} SUPR3HARDENEDPATHINFO;
1179/** Pointer to a parsed path. */
1180typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
1181
1182
1183/**
1184 * Verifies that the path is absolutely sane, it also parses the path.
1185 *
1186 * A sane path starts at the root (w/ drive letter on DOS derived systems) and
1187 * does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
1188 * Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
1189 * paths are not supported.
1190 *
1191 * @returns VBox status code.
1192 * @param pszPath The path to check.
1193 * @param pErrInfo The error info structure.
1194 * @param pInfo Where to return a copy of the path along with
1195 * parsing information.
1196 */
1197static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
1198{
1199 const char *pszSrc = pszPath;
1200 char *pszDst = pInfo->szPath;
1201
1202 /*
1203 * Check that it's an absolute path and copy the volume/root specifier.
1204 */
1205#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
1206 if ( !RT_C_IS_ALPHA(pszSrc[0])
1207 || pszSrc[1] != ':'
1208 || !RTPATH_IS_SLASH(pszSrc[2]))
1209 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1210
1211 *pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
1212 *pszDst++ = ':';
1213 *pszDst++ = RTPATH_SLASH;
1214 pszSrc += 3;
1215
1216#else
1217 if (!RTPATH_IS_SLASH(pszSrc[0]))
1218 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1219
1220 *pszDst++ = RTPATH_SLASH;
1221 pszSrc += 1;
1222#endif
1223
1224 /*
1225 * No path specifying the root or something very shortly thereafter will
1226 * be approved of.
1227 */
1228 if (pszSrc[0] == '\0')
1229 return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
1230 if ( pszSrc[1] == '\0'
1231 || pszSrc[2] == '\0')
1232 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
1233
1234#if RTPATH_STYLE == RTPATH_STR_F_STYLE_UNIX
1235 /*
1236 * Skip double slashes.
1237 */
1238 while (RTPATH_IS_SLASH(*pszSrc))
1239 pszSrc++;
1240#else
1241 /*
1242 * The root slash should be alone to avoid UNC confusion.
1243 */
1244 if (RTPATH_IS_SLASH(pszSrc[0]))
1245 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
1246 "The path is not clean of leading double slashes: '", pszPath, "'");
1247#endif
1248 /*
1249 * Check each component. No parent references.
1250 */
1251 pInfo->cComponents = 0;
1252 pInfo->fDirSlash = false;
1253 while (pszSrc[0])
1254 {
1255 /* Sanity checks. */
1256 if ( pszSrc[0] == '.'
1257 && pszSrc[1] == '.'
1258 && RTPATH_IS_SLASH(pszSrc[2]))
1259 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
1260 "The path is not absolute: '", pszPath, "'");
1261
1262 /* Record the start of the component. */
1263 if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
1264 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
1265 "The path has too many components: '", pszPath, "'");
1266 pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
1267
1268 /* Traverse to the end of the component, copying it as we go along. */
1269 while (pszSrc[0])
1270 {
1271 if (RTPATH_IS_SLASH(pszSrc[0]))
1272 {
1273 pszSrc++;
1274 if (*pszSrc)
1275 *pszDst++ = RTPATH_SLASH;
1276 else
1277 pInfo->fDirSlash = true;
1278 break;
1279 }
1280 *pszDst++ = *pszSrc++;
1281 if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
1282 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1283 "The path is too long: '", pszPath, "'");
1284 }
1285
1286 /* Skip double slashes. */
1287 while (RTPATH_IS_SLASH(*pszSrc))
1288 pszSrc++;
1289 }
1290
1291 /* Terminate the string and enter its length. */
1292 pszDst[0] = '\0';
1293 pszDst[1] = '\0'; /* for aoffComponents */
1294 pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
1295 pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
1296
1297 return VINF_SUCCESS;
1298}
1299
1300
1301/**
1302 * The state information collected by supR3HardenedVerifyFsObject.
1303 *
1304 * This can be used to verify that a directory we've opened for enumeration is
1305 * the same as the one that supR3HardenedVerifyFsObject just verified. It can
1306 * equally be used to verify a native specfied by the user.
1307 */
1308typedef struct SUPR3HARDENEDFSOBJSTATE
1309{
1310#ifdef RT_OS_WINDOWS
1311 /** Not implemented for windows yet. */
1312 char chTodo;
1313#else
1314 /** The stat output. */
1315 struct stat Stat;
1316#endif
1317} SUPR3HARDENEDFSOBJSTATE;
1318/** Pointer to a file system object state. */
1319typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1320/** Pointer to a const file system object state. */
1321typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1322
1323
1324/**
1325 * Query information about a file system object by path.
1326 *
1327 * @returns VBox status code, error buffer filled on failure.
1328 * @param pszPath The path to the object.
1329 * @param pFsObjState Where to return the state information.
1330 * @param pErrInfo The error info structure.
1331 */
1332static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1333{
1334#if defined(RT_OS_WINDOWS)
1335 /** @todo Windows hardening. */
1336 pFsObjState->chTodo = 0;
1337 RT_NOREF2(pszPath, pErrInfo);
1338 return VINF_SUCCESS;
1339
1340#else
1341 /*
1342 * Stat the object, do not follow links.
1343 */
1344 if (lstat(pszPath, &pFsObjState->Stat) != 0)
1345 {
1346 /* Ignore access errors */
1347 if (errno != EACCES)
1348 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1349 5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1350 }
1351
1352 /*
1353 * Read ACLs.
1354 */
1355 /** @todo */
1356
1357 return VINF_SUCCESS;
1358#endif
1359}
1360
1361
1362/**
1363 * Query information about a file system object by native handle.
1364 *
1365 * @returns VBox status code, error buffer filled on failure.
1366 * @param hNative The native handle to the object @a pszPath
1367 * specifies and this should be verified to be the
1368 * same file system object.
1369 * @param pFsObjState Where to return the state information.
1370 * @param pszPath The path to the object. (For the error message
1371 * only.)
1372 * @param pErrInfo The error info structure.
1373 */
1374static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1375 char const *pszPath, PRTERRINFO pErrInfo)
1376{
1377#if defined(RT_OS_WINDOWS)
1378 /** @todo Windows hardening. */
1379 pFsObjState->chTodo = 0;
1380 RT_NOREF3(hNative, pszPath, pErrInfo);
1381 return VINF_SUCCESS;
1382
1383#else
1384 /*
1385 * Stat the object, do not follow links.
1386 */
1387 if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1388 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1389 5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1390
1391 /*
1392 * Read ACLs.
1393 */
1394 /** @todo */
1395
1396 return VINF_SUCCESS;
1397#endif
1398}
1399
1400
1401/**
1402 * Verifies that the file system object indicated by the native handle is the
1403 * same as the one @a pFsObjState indicates.
1404 *
1405 * @returns VBox status code, error buffer filled on failure.
1406 * @param pFsObjState1 File system object information/state by path.
1407 * @param pFsObjState2 File system object information/state by handle.
1408 * @param pszPath The path to the object @a pFsObjState
1409 * describes. (For the error message.)
1410 * @param pErrInfo The error info structure.
1411 */
1412static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1413 const char *pszPath, PRTERRINFO pErrInfo)
1414{
1415#if defined(RT_OS_WINDOWS)
1416 /** @todo Windows hardening. */
1417 RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1418 return VINF_SUCCESS;
1419
1420#elif defined(RT_OS_OS2)
1421 RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1422 return VINF_SUCCESS;
1423
1424#else
1425 /*
1426 * Compare the ino+dev, then the uid+gid and finally the important mode
1427 * bits. Technically the first one should be enough, but we're paranoid.
1428 */
1429 if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1430 || pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1431 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1432 "The native handle is not the same as '", pszPath, "' (ino/dev)");
1433 if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1434 || pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1435 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1436 "The native handle is not the same as '", pszPath, "' (uid/gid)");
1437 if ( (pFsObjState1->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH))
1438 != (pFsObjState2->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH)))
1439 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1440 "The native handle is not the same as '", pszPath, "' (mode)");
1441 return VINF_SUCCESS;
1442#endif
1443}
1444
1445
1446/**
1447 * Verifies a file system object (file or directory).
1448 *
1449 * @returns VBox status code, error buffer filled on failure.
1450 * @param pFsObjState The file system object information/state to be
1451 * verified.
1452 * @param fDir Whether this is a directory or a file.
1453 * @param fRelaxed Whether we can be more relaxed about this
1454 * directory (only used for grand parent
1455 * directories).
1456 * @param fSymlinksAllowed Flag whether symlinks are allowed or not.
1457 * If allowed the symlink object is verified not the target.
1458 * @param pszPath The path to the object. For error messages and
1459 * securing a couple of hacks.
1460 * @param pErrInfo The error info structure.
1461 */
1462static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1463 bool fSymlinksAllowed, const char *pszPath, PRTERRINFO pErrInfo)
1464{
1465#if defined(RT_OS_WINDOWS)
1466 /** @todo Windows hardening. */
1467 RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
1468 return VINF_SUCCESS;
1469
1470#elif defined(RT_OS_OS2)
1471 /* No hardening here - it's a single user system. */
1472 RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
1473 return VINF_SUCCESS;
1474
1475#else
1476 /*
1477 * The owner must be root.
1478 *
1479 * This can be extended to include predefined system users if necessary.
1480 */
1481 if (pFsObjState->Stat.st_uid != 0)
1482 return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1483
1484 /*
1485 * The object type must be directory or file. It can be a symbolic link
1486 * if explicitely allowed. Otherwise this and other risky stuff is not allowed
1487 * (sorry dude, but we're paranoid on purpose here).
1488 */
1489 if ( !S_ISLNK(pFsObjState->Stat.st_mode)
1490 || !fSymlinksAllowed)
1491 {
1492
1493 if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1494 && !S_ISREG(pFsObjState->Stat.st_mode))
1495 {
1496 if (S_ISLNK(pFsObjState->Stat.st_mode))
1497 return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1498 "Symlinks are not permitted: '", pszPath, "'");
1499 return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1500 "Not regular file or directory: '", pszPath, "'");
1501 }
1502 if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1503 {
1504 if (S_ISDIR(pFsObjState->Stat.st_mode))
1505 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1506 "Expected file but found directory: '", pszPath, "'");
1507 return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1508 "Expected directory but found file: '", pszPath, "'");
1509 }
1510 }
1511
1512 /*
1513 * The group does not matter if it does not have write access, if it has
1514 * write access it must be group 0 (root/wheel/whatever).
1515 *
1516 * This can be extended to include predefined system groups or groups that
1517 * only root is member of.
1518 */
1519 if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1520 && pFsObjState->Stat.st_gid != 0)
1521 {
1522# ifdef RT_OS_DARWIN
1523 /* HACK ALERT: On Darwin /Applications is root:admin with admin having
1524 full access. So, to work around we relax the hardening a bit and
1525 permit grand parents and beyond to be group writable by admin. */
1526 /** @todo dynamically resolve the admin group? */
1527 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 80 /*admin*/ || suplibHardenedStrCmp(pszPath, "/Applications");
1528
1529# elif defined(RT_OS_FREEBSD)
1530 /* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1531 similar to /Applications on OS X (see above).
1532 On FreeBSD root is normally the only member of this group, on
1533 PC-BSD the default user is a member. */
1534 /** @todo dynamically resolve the operator group? */
1535 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 5 /*operator*/ || suplibHardenedStrCmp(pszPath, "/usr/pbi");
1536 NOREF(fRelaxed);
1537# elif defined(RT_OS_SOLARIS)
1538 /* HACK ALERT: Solaris has group-writable /usr/lib/iconv directory from
1539 which the appropriate module is loaded.
1540 By default only root and daemon are part of that group.
1541 . */
1542 /** @todo dynamically resolve the bin group? */
1543 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 2 /*bin*/ || suplibHardenedStrCmp(pszPath, "/usr/lib/iconv");
1544# else
1545 NOREF(fRelaxed);
1546 bool fBad = true;
1547# endif
1548 if (fBad)
1549 return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1550 "An unknown (and thus untrusted) group has write access to '", pszPath,
1551 "' and we therefore cannot trust the directory content or that of any subdirectory");
1552 }
1553
1554 /*
1555 * World must not have write access. There is no relaxing this rule.
1556 * Linux exception: Symbolic links are always give permission 0777, there
1557 * is no lchmod or lchown APIs. The permissions on parent
1558 * directory that contains the symbolic link is what is
1559 * decising wrt to modifying it. (Caller is expected not
1560 * to allow symbolic links in the first path component.)
1561 */
1562 if ( (pFsObjState->Stat.st_mode & S_IWOTH)
1563# ifdef RT_OS_LINUX
1564 && ( !S_ISLNK(pFsObjState->Stat.st_mode)
1565 || !fSymlinksAllowed /* paranoia */)
1566# endif
1567 )
1568 return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1569 "World writable: '", pszPath, "'");
1570
1571 /*
1572 * Check the ACLs.
1573 */
1574 /** @todo */
1575
1576 return VINF_SUCCESS;
1577#endif
1578}
1579
1580
1581/**
1582 * Verifies that the file system object indicated by the native handle is the
1583 * same as the one @a pFsObjState indicates.
1584 *
1585 * @returns VBox status code, error buffer filled on failure.
1586 * @param hNative The native handle to the object @a pszPath
1587 * specifies and this should be verified to be the
1588 * same file system object.
1589 * @param pFsObjState The information/state returned by a previous
1590 * query call.
1591 * @param pszPath The path to the object @a pFsObjState
1592 * describes. (For the error message.)
1593 * @param pErrInfo The error info structure.
1594 */
1595static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1596 const char *pszPath, PRTERRINFO pErrInfo)
1597{
1598 SUPR3HARDENEDFSOBJSTATE FsObjState2;
1599 int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1600 if (RT_SUCCESS(rc))
1601 rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1602 return rc;
1603}
1604
1605
1606/**
1607 * Does the recursive directory enumeration.
1608 *
1609 * @returns VBox status code, error buffer filled on failure.
1610 * @param pszDirPath The path buffer containing the subdirectory to
1611 * enumerate followed by a slash (this is never
1612 * the root slash). The buffer is RTPATH_MAX in
1613 * size and anything starting at @a cchDirPath
1614 * - 1 and beyond is scratch space.
1615 * @param cchDirPath The length of the directory path + slash.
1616 * @param pFsObjState Pointer to the file system object state buffer.
1617 * On input this will hold the stats for
1618 * the directory @a pszDirPath indicates and will
1619 * be used to verified that we're opening the same
1620 * thing.
1621 * @param fRecursive Whether to recurse into subdirectories.
1622 * @param pErrInfo The error info structure.
1623 */
1624static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1625 bool fRecursive, PRTERRINFO pErrInfo)
1626{
1627#if defined(RT_OS_WINDOWS)
1628 /** @todo Windows hardening. */
1629 RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1630 return VINF_SUCCESS;
1631
1632#elif defined(RT_OS_OS2)
1633 /* No hardening here - it's a single user system. */
1634 RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1635 return VINF_SUCCESS;
1636
1637#else
1638 /*
1639 * Open the directory. Now, we could probably eliminate opendir here
1640 * and go down on kernel API level (open + getdents for instance), however
1641 * that's not very portable and hopefully not necessary.
1642 */
1643 DIR *pDir = opendir(pszDirPath);
1644 if (!pDir)
1645 {
1646 /* Ignore access errors. */
1647 if (errno == EACCES)
1648 return VINF_SUCCESS;
1649 return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1650 5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1651 }
1652 if (dirfd(pDir) != -1)
1653 {
1654 int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1655 if (RT_FAILURE(rc))
1656 {
1657 closedir(pDir);
1658 return rc;
1659 }
1660 }
1661
1662 /*
1663 * Enumerate the directory, check all the requested bits.
1664 */
1665 int rc = VINF_SUCCESS;
1666 for (;;)
1667 {
1668 pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1669
1670 struct dirent Entry;
1671 struct dirent *pEntry;
1672#if RT_CLANG_PREREQ(3, 4) /* Needs to come first because clang also triggers on RT_GNUC_PREREQ() but doesn't work there. */
1673# pragma clang diagnostic push
1674# pragma clang diagnostic ignored "-Wdeprecated-declarations"
1675#elif RT_GNUC_PREREQ(4, 6)
1676# pragma GCC diagnostic push
1677# pragma GCC diagnostic ignored "-Wdeprecated-declarations"
1678#endif
1679 int iErr = readdir_r(pDir, &Entry, &pEntry);
1680#if RT_CLANG_PREREQ(3, 4)
1681# pragma clang diagnostic pop
1682#elif RT_GNUC_PREREQ(4, 6)
1683# pragma GCC diagnostic pop
1684#endif
1685 if (iErr)
1686 {
1687 rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1688 5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1689 break;
1690 }
1691 if (!pEntry)
1692 break;
1693
1694 /*
1695 * Check the length and copy it into the path buffer so it can be
1696 * stat()'ed.
1697 */
1698 size_t cchName = suplibHardenedStrLen(pEntry->d_name);
1699 if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1700 {
1701 rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1702 4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1703 break;
1704 }
1705 suplibHardenedMemCopy(&pszDirPath[cchDirPath], pEntry->d_name, cchName + 1);
1706
1707 /*
1708 * Query the information about the entry and verify it.
1709 * (We don't bother skipping '.' and '..' at this point, a little bit
1710 * of extra checks doesn't hurt and neither requires relaxed handling.)
1711 */
1712 rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1713 if (RT_SUCCESS(rc))
1714 break;
1715 rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /*fRelaxed*/,
1716 false /*fSymlinksAllowed*/, pszDirPath, pErrInfo);
1717 if (RT_FAILURE(rc))
1718 break;
1719
1720 /*
1721 * Recurse into subdirectories if requested.
1722 */
1723 if ( fRecursive
1724 && S_ISDIR(pFsObjState->Stat.st_mode)
1725 && suplibHardenedStrCmp(pEntry->d_name, ".")
1726 && suplibHardenedStrCmp(pEntry->d_name, ".."))
1727 {
1728 pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1729 pszDirPath[cchDirPath + cchName + 1] = '\0';
1730
1731 rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1732 fRecursive, pErrInfo);
1733 if (RT_FAILURE(rc))
1734 break;
1735 }
1736 }
1737
1738 closedir(pDir);
1739 return rc;
1740#endif
1741}
1742
1743
1744/**
1745 * Worker for SUPR3HardenedVerifyDir.
1746 *
1747 * @returns See SUPR3HardenedVerifyDir.
1748 * @param pszDirPath See SUPR3HardenedVerifyDir.
1749 * @param fRecursive See SUPR3HardenedVerifyDir.
1750 * @param fCheckFiles See SUPR3HardenedVerifyDir.
1751 * @param pErrInfo See SUPR3HardenedVerifyDir.
1752 */
1753DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1754{
1755 /*
1756 * Validate the input path and parse it.
1757 */
1758 SUPR3HARDENEDPATHINFO Info;
1759 int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1760 if (RT_FAILURE(rc))
1761 return rc;
1762
1763 /*
1764 * Verify each component from the root up.
1765 */
1766 SUPR3HARDENEDFSOBJSTATE FsObjState;
1767 uint32_t const cComponents = Info.cComponents;
1768 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1769 {
1770 bool fRelaxed = iComponent + 2 < cComponents;
1771 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1772 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1773 if (RT_SUCCESS(rc))
1774 rc = supR3HardenedVerifyFsObject(&FsObjState, true /*fDir*/, fRelaxed,
1775 false /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
1776 if (RT_FAILURE(rc))
1777 return rc;
1778 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1779 }
1780
1781 /*
1782 * Check files and subdirectories if requested.
1783 */
1784 if (fCheckFiles || fRecursive)
1785 {
1786 Info.szPath[Info.cch] = RTPATH_SLASH;
1787 Info.szPath[Info.cch + 1] = '\0';
1788 return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1789 fRecursive, pErrInfo);
1790 }
1791
1792 return VINF_SUCCESS;
1793}
1794
1795
1796/**
1797 * Verfies a file.
1798 *
1799 * @returns VBox status code, error buffer filled on failure.
1800 * @param pszFilename The file to verify.
1801 * @param hNativeFile Handle to the file, verify that it's the same
1802 * as we ended up with when verifying the path.
1803 * RTHCUINTPTR_MAX means NIL here.
1804 * @param fMaybe3rdParty Set if the file is could be a supplied by a
1805 * third party. Different validation rules may
1806 * apply to 3rd party code on some platforms.
1807 * @param pErrInfo Where to return extended error information.
1808 * Optional.
1809 */
1810DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
1811 bool fMaybe3rdParty, PRTERRINFO pErrInfo)
1812{
1813 /*
1814 * Validate the input path and parse it.
1815 */
1816 SUPR3HARDENEDPATHINFO Info;
1817 int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1818 if (RT_FAILURE(rc))
1819 return rc;
1820 if (Info.fDirSlash)
1821 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1822 "The file path specifies a directory: '", pszFilename, "'");
1823
1824 /*
1825 * Verify each component from the root up.
1826 */
1827 SUPR3HARDENEDFSOBJSTATE FsObjState;
1828 uint32_t const cComponents = Info.cComponents;
1829 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1830 {
1831 bool fFinal = iComponent + 1 == cComponents;
1832 bool fRelaxed = iComponent + 2 < cComponents;
1833 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1834 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1835 if (RT_SUCCESS(rc))
1836 rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed,
1837 false /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
1838 if (RT_FAILURE(rc))
1839 return rc;
1840 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1841 }
1842
1843 /*
1844 * Verify the file handle against the last component, if specified.
1845 */
1846 if (hNativeFile != RTHCUINTPTR_MAX)
1847 {
1848 rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1849 if (RT_FAILURE(rc))
1850 return rc;
1851 }
1852
1853#ifdef RT_OS_WINDOWS
1854 /*
1855 * The files shall be signed on windows, verify that.
1856 */
1857 rc = VINF_SUCCESS;
1858 HANDLE hVerify;
1859 if (hNativeFile == RTHCUINTPTR_MAX)
1860 {
1861 PRTUTF16 pwszPath;
1862 rc = RTStrToUtf16(pszFilename, &pwszPath);
1863 if (RT_SUCCESS(rc))
1864 {
1865 hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1866 RTUtf16Free(pwszPath);
1867 }
1868 else
1869 {
1870 rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
1871 hVerify = INVALID_HANDLE_VALUE;
1872 }
1873 }
1874 else
1875 {
1876 NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
1877 GENERIC_READ, 0 /*HandleAttributes*/, 0 /*Options*/);
1878 if (!NT_SUCCESS(rcNt))
1879 hVerify = INVALID_HANDLE_VALUE;
1880 }
1881 if (hVerify != INVALID_HANDLE_VALUE)
1882 {
1883# ifdef VBOX_WITH_HARDENING
1884 /** @todo do we need to validate the fMaybe3rdParty claim here? I.e. only
1885 * apply it if 'ExtensionPacks' is part of the path. */
1886 uint32_t fFlags = SUPHNTVI_F_REQUIRE_CODE_SIGNING;
1887 if (!fMaybe3rdParty)
1888 fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
1889 const char *pszSuffix = RTPathSuffix(pszFilename);
1890 if ( pszSuffix
1891 && pszSuffix[0] == '.'
1892 && ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
1893 || RT_C_TO_LOWER(pszSuffix[1]) == 'g')
1894 && RT_C_TO_LOWER(pszSuffix[2]) == 'c'
1895 && pszSuffix[3] == '\0' )
1896 fFlags |= SUPHNTVI_F_RC_IMAGE;
1897# ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
1898 rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
1899# endif
1900# else
1901 RT_NOREF1(fMaybe3rdParty);
1902# endif
1903 NtClose(hVerify);
1904 }
1905 else if (RT_SUCCESS(rc))
1906 rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
1907 "Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
1908 if (RT_FAILURE(rc))
1909 return rc;
1910#else
1911 RT_NOREF1(fMaybe3rdParty);
1912#endif
1913
1914 return VINF_SUCCESS;
1915}
1916
1917
1918#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
1919/**
1920 * Verfies a file following symlinks.
1921 *
1922 * @returns VBox status code, error buffer filled on failure.
1923 * @param pszFilename The file to verify.
1924 * @param hNativeFile Handle to the file, verify that it's the same
1925 * as we ended up with when verifying the path.
1926 * RTHCUINTPTR_MAX means NIL here.
1927 * @param fMaybe3rdParty Set if the file is could be a supplied by a
1928 * third party. Different validation rules may
1929 * apply to 3rd party code on some platforms.
1930 * @param pErrInfo Where to return extended error information.
1931 * Optional.
1932 *
1933 * @note This is only used on OS X for libraries loaded with dlopen() because
1934 * the frameworks use symbolic links to point to the relevant library.
1935 *
1936 * @sa supR3HardenedVerifyFile
1937 */
1938DECLHIDDEN(int) supR3HardenedVerifyFileFollowSymlinks(const char *pszFilename, RTHCUINTPTR hNativeFile, bool fMaybe3rdParty,
1939 PRTERRINFO pErrInfo)
1940{
1941 RT_NOREF1(fMaybe3rdParty);
1942
1943 /*
1944 * Validate the input path and parse it.
1945 */
1946 SUPR3HARDENEDPATHINFO Info;
1947 int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1948 if (RT_FAILURE(rc))
1949 return rc;
1950 if (Info.fDirSlash)
1951 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1952 "The file path specifies a directory: '", pszFilename, "'");
1953
1954 /*
1955 * Verify each component from the root up.
1956 */
1957#ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
1958 uint32_t iLoops = 0;
1959#endif
1960 SUPR3HARDENEDFSOBJSTATE FsObjState;
1961 uint32_t iComponent = 0;
1962 while (iComponent < Info.cComponents)
1963 {
1964 bool fFinal = iComponent + 1 == Info.cComponents;
1965 bool fRelaxed = iComponent + 2 < Info.cComponents;
1966 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1967 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1968 if (RT_SUCCESS(rc))
1969 {
1970 /*
1971 * In case the component is a symlink expand it and start from the beginning after
1972 * verifying it has the proper access rights.
1973 * Furthermore only allow symlinks which don't contain any .. or . in the target
1974 * (enforced by supR3HardenedVerifyPathSanity).
1975 */
1976 rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed,
1977 true /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
1978 if ( RT_SUCCESS(rc)
1979 && S_ISLNK(FsObjState.Stat.st_mode))
1980 {
1981#if SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH /* Another approach using realpath() and verifying the result when encountering a symlink. */
1982 char *pszFilenameResolved = realpath(pszFilename, NULL);
1983 if (pszFilenameResolved)
1984 {
1985 rc = supR3HardenedVerifyFile(pszFilenameResolved, hNativeFile, fMaybe3rdParty, pErrInfo);
1986 free(pszFilenameResolved);
1987 return rc;
1988 }
1989 else
1990 {
1991 int iErr = errno;
1992 supR3HardenedError(VERR_ACCESS_DENIED, false /*fFatal*/,
1993 "supR3HardenedVerifyFileFollowSymlinks: Failed to resolve the real path '%s': %s (%d)\n",
1994 pszFilename, strerror(iErr), iErr);
1995 return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
1996 "realpath failed for '", pszFilename, "': ", strerror(iErr));
1997 }
1998#else
1999 /* Don't loop forever. */
2000 iLoops++;
2001 if (iLoops < 8)
2002 {
2003 /*
2004 * Construct new path by replacing the current component by the symlink value.
2005 * Note! readlink() is a weird API that doesn't necessarily indicates if the
2006 * buffer is too small.
2007 */
2008 char szPath[RTPATH_MAX];
2009 size_t const cchBefore = Info.aoffComponents[iComponent]; /* includes slash */
2010 size_t const cchAfter = fFinal ? 0 : 1 /*slash*/ + Info.cch - Info.aoffComponents[iComponent + 1];
2011 if (sizeof(szPath) > cchBefore + cchAfter + 2)
2012 {
2013 ssize_t cchTarget = readlink(Info.szPath, szPath, sizeof(szPath) - 1);
2014 if (cchTarget > 0)
2015 {
2016 /* Some serious paranoia against embedded zero terminator and weird return values. */
2017 szPath[cchTarget] = '\0';
2018 size_t cchLink = strlen(szPath);
2019
2020 /* Strip trailing dirslashes of non-final link. */
2021 if (!fFinal)
2022 while (cchLink > 1 and szPath[cchLink - 1] == '/')
2023 cchLink--;
2024
2025 /* Check link value sanity and buffer size. */
2026 if (cchLink == 0)
2027 return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
2028 "Bad readlink return for '", Info.szPath, "'");
2029 if (szPath[0] == '/')
2030 return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
2031 "Absolute symbolic link not allowed: '", szPath, "'");
2032 if (cchBefore + cchLink + cchAfter + 1 /*terminator*/ > sizeof(szPath))
2033 return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
2034 "Symlinks causing too long path!");
2035
2036 /* Construct the new path. */
2037 if (cchBefore)
2038 memmove(&szPath[cchBefore], &szPath[0], cchLink);
2039 memcpy(&szPath[0], Info.szPath, cchBefore);
2040 if (!cchAfter)
2041 szPath[cchBefore + cchLink] = '\0';
2042 else
2043 {
2044 szPath[cchBefore + cchLink] = RTPATH_SLASH;
2045 memcpy(&szPath[cchBefore + cchLink + 1],
2046 &Info.szPath[Info.aoffComponents[iComponent + 1]],
2047 cchAfter); /* cchAfter includes a zero terminator */
2048 }
2049
2050 /* Parse, copy and check the sanity (no '..' or '.') of the altered path. */
2051 rc = supR3HardenedVerifyPathSanity(szPath, pErrInfo, &Info);
2052 if (RT_FAILURE(rc))
2053 return rc;
2054 if (Info.fDirSlash)
2055 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
2056 "The file path specifies a directory: '", szPath, "'");
2057
2058 /* Restart from the current component. */
2059 continue;
2060 }
2061 int iErr = errno;
2062 supR3HardenedError(VERR_ACCESS_DENIED, false /*fFatal*/,
2063 "supR3HardenedVerifyFileFollowSymlinks: Failed to readlink '%s': %s (%d)\n",
2064 Info.szPath, strerror(iErr), iErr);
2065 return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
2066 "readlink failed for '", Info.szPath, "': ", strerror(iErr));
2067 }
2068 return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo, "Path too long for symlink replacing!");
2069 }
2070 else
2071 return supR3HardenedSetError3(VERR_TOO_MANY_SYMLINKS, pErrInfo,
2072 "Too many symbolic links: '", pszFilename, "'");
2073#endif
2074 }
2075 }
2076 if (RT_FAILURE(rc))
2077 return rc;
2078 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
2079 iComponent++;
2080 }
2081
2082 /*
2083 * Verify the file handle against the last component, if specified.
2084 */
2085 if (hNativeFile != RTHCUINTPTR_MAX)
2086 {
2087 rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
2088 if (RT_FAILURE(rc))
2089 return rc;
2090 }
2091
2092 return VINF_SUCCESS;
2093}
2094#endif /* RT_OS_DARWIN || RT_OS_LINUX */
2095
2096
2097/**
2098 * Gets the pre-init data for the hand-over to the other version
2099 * of this code.
2100 *
2101 * The reason why we pass this information on is that it contains
2102 * open directories and files. Later it may include even more info
2103 * (int the verified arrays mostly).
2104 *
2105 * The receiver is supR3HardenedRecvPreInitData.
2106 *
2107 * @param pPreInitData Where to store it.
2108 */
2109DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
2110{
2111 pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
2112 pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
2113 pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
2114
2115 pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
2116 pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
2117}
2118
2119
2120/**
2121 * Receives the pre-init data from the static executable stub.
2122 *
2123 * @returns VBox status code. Will not bitch on failure since the
2124 * runtime isn't ready for it, so that is left to the exe stub.
2125 *
2126 * @param pPreInitData The hand-over data.
2127 */
2128DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
2129{
2130 /*
2131 * Compare the array lengths and the contents of g_aSupInstallFiles.
2132 */
2133 if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
2134 || pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
2135 return VERR_VERSION_MISMATCH;
2136 SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
2137 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
2138 if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
2139 || g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
2140 || g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
2141 || suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
2142 return VERR_VERSION_MISMATCH;
2143
2144 /*
2145 * Check that we're not called out of order.
2146 * If dynamic linking it screwed up, we may end up here.
2147 */
2148 if ( !ASMMemIsZero(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles))
2149 || !ASMMemIsZero(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs)))
2150 return VERR_WRONG_ORDER;
2151
2152 /*
2153 * Copy the verification data over.
2154 */
2155 suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
2156 suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
2157 return VINF_SUCCESS;
2158}
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette