VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 34891

Last change on this file since 34891 was 34563, checked in by vboxsync, 14 years ago

VRDPAuth -> VBoxAuth.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 58.5 KB
Line 
1/* $Id: SUPR3HardenedVerify.cpp 34563 2010-12-01 11:39:52Z vboxsync $ */
2/** @file
3 * VirtualBox Support Library - Verification of Hardened Installation.
4 */
5
6/*
7 * Copyright (C) 2006-2010 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27/*******************************************************************************
28* Header Files *
29*******************************************************************************/
30#if defined(RT_OS_OS2)
31# define INCL_BASE
32# define INCL_ERRORS
33# include <os2.h>
34# include <stdio.h>
35# include <stdlib.h>
36# include <unistd.h>
37# include <sys/fcntl.h>
38# include <sys/errno.h>
39# include <sys/syslimits.h>
40
41#elif defined(RT_OS_WINDOWS)
42# include <Windows.h>
43# include <stdio.h>
44
45#else /* UNIXes */
46# include <sys/types.h>
47# include <stdio.h>
48# include <stdlib.h>
49# include <dirent.h>
50# include <dlfcn.h>
51# include <fcntl.h>
52# include <limits.h>
53# include <errno.h>
54# include <unistd.h>
55# include <sys/stat.h>
56# include <sys/time.h>
57# include <sys/fcntl.h>
58# include <stdio.h>
59# include <pwd.h>
60# ifdef RT_OS_DARWIN
61# include <mach-o/dyld.h>
62# endif
63
64#endif
65
66#include <VBox/sup.h>
67#include <VBox/err.h>
68#include <iprt/asm.h>
69#include <iprt/ctype.h>
70#include <iprt/param.h>
71#include <iprt/path.h>
72#include <iprt/string.h>
73
74#include "SUPLibInternal.h"
75
76
77/*******************************************************************************
78* Defined Constants And Macros *
79*******************************************************************************/
80/** The max path length acceptable for a trusted path. */
81#define SUPR3HARDENED_MAX_PATH 260U
82
83#ifdef RT_OS_SOLARIS
84# define dirfd(d) ((d)->d_fd)
85#endif
86
87
88/*******************************************************************************
89* Global Variables *
90*******************************************************************************/
91/**
92 * The files that gets verified.
93 *
94 * @todo This needs reviewing against the linux packages.
95 * @todo The excessive use of kSupID_SharedLib needs to be reviewed at some point. For
96 * the time being we're building the linux packages with SharedLib pointing to
97 * AppPrivArch (lazy bird).
98 */
99static SUPINSTFILE const g_aSupInstallFiles[] =
100{
101 /* type, dir, fOpt, "pszFile" */
102 /* ---------------------------------------------------------------------- */
103 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
104 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
105 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
106
107 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMGC.gc" },
108 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDGC.gc" },
109 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2GC.gc" },
110
111 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
112 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
113 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
114#if HC_ARCH_BITS == 32
115 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
116 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
117#endif
118 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
119 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
120 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
121
122//#ifdef VBOX_WITH_DEBUGGER_GUI
123 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
124 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
125//#endif
126
127//#ifdef VBOX_WITH_SHARED_CLIPBOARD
128 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
129//#endif
130//#ifdef VBOX_WITH_SHARED_FOLDERS
131 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
132//#endif
133//#ifdef VBOX_WITH_GUEST_PROPS
134 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
135//#endif
136//#ifdef VBOX_WITH_GUEST_CONTROL
137 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
138//#endif
139 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
140 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
141 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
142 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
143
144 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
145
146#ifdef VBOX_WITH_MAIN
147 { kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
148 #ifdef RT_OS_WINDOWS
149 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
150 #else
151 { kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
152 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
153 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
154 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
155 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
156 { kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
157 #endif
158#endif
159
160 { kSupIFT_Dll, kSupID_SharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
161 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
162 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
163
164//#ifdef VBOX_WITH_HEADLESS
165 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
166 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
167 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxFFmpegFB" SUPLIB_DLL_SUFF },
168//#endif
169
170//#ifdef VBOX_WITH_QTGUI
171 { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
172 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
173# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
174 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
175# endif
176//#endif
177
178//#ifdef VBOX_WITH_VBOXSDL
179 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
180 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
181//#endif
182
183//#ifdef VBOX_WITH_VBOXBFE
184 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxBFE" SUPLIB_EXE_SUFF },
185 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxBFE" SUPLIB_DLL_SUFF },
186//#endif
187
188//#ifdef VBOX_WITH_WEBSERVICES
189 { kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
190//#endif
191
192#ifdef RT_OS_LINUX
193 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
194#endif
195
196//#ifdef VBOX_WITH_NETFLT
197 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
198 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
199//#endif
200};
201
202
203/** Array parallel to g_aSupInstallFiles containing per-file status info. */
204static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
205
206/** Array index by install directory specifier containing info about verified directories. */
207static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
208
209
210/**
211 * Assembles the path to a directory.
212 *
213 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
214 * decides whether it returns or not).
215 *
216 * @param enmDir The directory.
217 * @param pszDst Where to assemble the path.
218 * @param cchDst The size of the buffer.
219 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
220 */
221static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
222{
223 int rc;
224 switch (enmDir)
225 {
226 case kSupID_AppBin: /** @todo fix this AppBin crap (uncertain wtf some binaries actually are installed). */
227 case kSupID_Bin:
228 rc = supR3HardenedPathExecDir(pszDst, cchDst);
229 break;
230 case kSupID_SharedLib:
231 rc = supR3HardenedPathSharedLibs(pszDst, cchDst);
232 break;
233 case kSupID_AppPrivArch:
234 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
235 break;
236 case kSupID_AppPrivArchComp:
237 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
238 if (RT_SUCCESS(rc))
239 {
240 size_t off = strlen(pszDst);
241 if (cchDst - off >= sizeof("/components"))
242 memcpy(&pszDst[off], "/components", sizeof("/components"));
243 else
244 rc = VERR_BUFFER_OVERFLOW;
245 }
246 break;
247 case kSupID_AppPrivNoArch:
248 rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
249 break;
250 default:
251 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
252 "supR3HardenedMakePath: enmDir=%d\n", enmDir);
253 }
254 if (RT_FAILURE(rc))
255 supR3HardenedError(rc, fFatal,
256 "supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
257 return rc;
258}
259
260
261
262/**
263 * Assembles the path to a file table entry, with or without the actual filename.
264 *
265 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
266 * decides whether it returns or not).
267 *
268 * @param pFile The file table entry.
269 * @param pszDst Where to assemble the path.
270 * @param cchDst The size of the buffer.
271 * @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
272 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
273 */
274static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
275{
276 /*
277 * Combine supR3HardenedMakePath and the filename.
278 */
279 int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
280 if (RT_SUCCESS(rc))
281 {
282 size_t cchFile = strlen(pFile->pszFile);
283 size_t off = strlen(pszDst);
284 if (cchDst - off >= cchFile + 2)
285 {
286 pszDst[off++] = '/';
287 memcpy(&pszDst[off], pFile->pszFile, cchFile + 1);
288 }
289 else
290 rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
291 "supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
292 pFile->pszFile, (long)off);
293 }
294 return rc;
295}
296
297
298/**
299 * Verifies a directory.
300 *
301 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
302 * fFatal is clear and if it's set the function wont return.
303 * @param enmDir The directory specifier.
304 * @param fFatal Whether validation failures should be treated as
305 * fatal (true) or not (false).
306 */
307DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
308{
309 /*
310 * Validate the index just to be on the safe side...
311 */
312 if (enmDir <= kSupID_Invalid || enmDir >= kSupID_End)
313 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
314 "supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
315
316 /*
317 * Already validated?
318 */
319 if (g_aSupVerifiedDirs[enmDir].fValidated)
320 return VINF_SUCCESS; /** @todo revalidate? */
321
322 /* initialize the entry. */
323 if (g_aSupVerifiedDirs[enmDir].hDir != 0)
324 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
325 "supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
326 (void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
327 g_aSupVerifiedDirs[enmDir].hDir = -1;
328 g_aSupVerifiedDirs[enmDir].fValidated = false;
329
330 /*
331 * Make the path and open the directory.
332 */
333 char szPath[RTPATH_MAX];
334 int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
335 if (RT_SUCCESS(rc))
336 {
337#if defined(RT_OS_WINDOWS)
338 HANDLE hDir = CreateFile(szPath,
339 GENERIC_READ,
340 FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE,
341 NULL,
342 OPEN_ALWAYS,
343 FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS,
344 NULL);
345 if (hDir != INVALID_HANDLE_VALUE)
346 {
347 /** @todo check the type */
348 /* That's all on windows, for now at least... */
349 g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
350 g_aSupVerifiedDirs[enmDir].fValidated = true;
351 }
352 else
353 {
354 int err = GetLastError();
355 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
356 "supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
357 szPath, err);
358 }
359#else /* UNIXY */
360 int fd = open(szPath, O_RDONLY, 0);
361 if (fd >= 0)
362 {
363 /*
364 * On unixy systems we'll make sure the directory is owned by root
365 * and not writable by the group and user.
366 */
367 struct stat st;
368 if (!fstat(fd, &st))
369 {
370
371 if ( st.st_uid == 0
372 && !(st.st_mode & (S_IWGRP | S_IWOTH))
373 && S_ISDIR(st.st_mode))
374 {
375 g_aSupVerifiedDirs[enmDir].hDir = fd;
376 g_aSupVerifiedDirs[enmDir].fValidated = true;
377 }
378 else
379 {
380 if (!S_ISDIR(st.st_mode))
381 rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
382 "supR3HardenedVerifyDir: \"%s\" is not a directory\n",
383 szPath, (long)st.st_uid);
384 else if (st.st_uid)
385 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
386 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
387 szPath, (long)st.st_uid);
388 else
389 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
390 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
391 szPath, (long)st.st_mode);
392 close(fd);
393 }
394 }
395 else
396 {
397 int err = errno;
398 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
399 "supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
400 szPath, strerror(err), err);
401 close(fd);
402 }
403 }
404 else
405 {
406 int err = errno;
407 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
408 "supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
409 szPath, strerror(err), err);
410 }
411#endif /* UNIXY */
412 }
413
414 return rc;
415}
416
417
418/**
419 * Verifies a file entry.
420 *
421 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
422 * fFatal is clear and if it's set the function wont return.
423 *
424 * @param iFile The file table index of the file to be verified.
425 * @param fFatal Whether validation failures should be treated as
426 * fatal (true) or not (false).
427 * @param fLeaveFileOpen Whether the file should be left open.
428 */
429static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen)
430{
431 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
432 PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
433
434 /*
435 * Already done?
436 */
437 if (pVerified->fValidated)
438 return VINF_SUCCESS; /** @todo revalidate? */
439
440
441 /* initialize the entry. */
442 if (pVerified->hFile != 0)
443 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
444 "supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
445 (void *)pVerified->hFile, pFile->pszFile);
446 pVerified->hFile = -1;
447 pVerified->fValidated = false;
448
449 /*
450 * Verify the directory then proceed to open it.
451 * (This'll make sure the directory is opened and that we can (later)
452 * use openat if we wish.)
453 */
454 int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
455 if (RT_SUCCESS(rc))
456 {
457 char szPath[RTPATH_MAX];
458 rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true, fFatal);
459 if (RT_SUCCESS(rc))
460 {
461#if defined(RT_OS_WINDOWS)
462 HANDLE hFile = CreateFile(szPath,
463 GENERIC_READ,
464 FILE_SHARE_READ,
465 NULL,
466 OPEN_ALWAYS,
467 FILE_ATTRIBUTE_NORMAL,
468 NULL);
469 if (hFile != INVALID_HANDLE_VALUE)
470 {
471 /** @todo Check the type, and verify the signature (separate function so we can skip it). */
472 {
473 /* it's valid. */
474 if (fLeaveFileOpen)
475 pVerified->hFile = (intptr_t)hFile;
476 else
477 CloseHandle(hFile);
478 pVerified->fValidated = true;
479 }
480 }
481 else
482 {
483 int err = GetLastError();
484 if (!pFile->fOptional || err != ERROR_FILE_NOT_FOUND)
485 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
486 "supR3HardenedVerifyFileInternal: Failed to open \"%s\": err=%d\n",
487 szPath, err);
488 }
489#else /* UNIXY */
490 int fd = open(szPath, O_RDONLY, 0);
491 if (fd >= 0)
492 {
493 /*
494 * On unixy systems we'll make sure the directory is owned by root
495 * and not writable by the group and user.
496 */
497 struct stat st;
498 if (!fstat(fd, &st))
499 {
500 if ( st.st_uid == 0
501 && !(st.st_mode & (S_IWGRP | S_IWOTH))
502 && S_ISREG(st.st_mode))
503 {
504 /* it's valid. */
505 if (fLeaveFileOpen)
506 pVerified->hFile = fd;
507 else
508 close(fd);
509 pVerified->fValidated = true;
510 }
511 else
512 {
513 if (!S_ISREG(st.st_mode))
514 rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
515 "supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
516 szPath, (long)st.st_uid);
517 else if (st.st_uid)
518 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
519 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
520 szPath, (long)st.st_uid);
521 else
522 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
523 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
524 szPath, (long)st.st_mode);
525 close(fd);
526 }
527 }
528 else
529 {
530 int err = errno;
531 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
532 "supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
533 szPath, strerror(err), err);
534 close(fd);
535 }
536 }
537 else
538 {
539 int err = errno;
540 if (!pFile->fOptional || err != ENOENT)
541 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
542 "supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
543 szPath, strerror(err), err);
544 }
545#endif /* UNIXY */
546 }
547 }
548
549 return rc;
550}
551
552
553/**
554 * Verifies that the specified table entry matches the given filename.
555 *
556 * @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
557 * error is returned or we terminate the application.
558 *
559 * @param iFile The file table index.
560 * @param pszFilename The filename.
561 * @param fFatal Whether validation failures should be treated as
562 * fatal (true) or not (false).
563 */
564static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
565{
566 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
567
568 /*
569 * Construct the full path for the file table entry
570 * and compare it with the specified file.
571 */
572 char szName[RTPATH_MAX];
573 int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
574 if (RT_FAILURE(rc))
575 return rc;
576#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
577 if (stricmp(szName, pszFilename))
578#else
579 if (strcmp(szName, pszFilename))
580#endif
581 {
582 /*
583 * Normalize the two paths and compare again.
584 */
585 rc = VERR_NOT_SAME_DEVICE;
586#if defined(RT_OS_WINDOWS)
587 LPSTR pszIgnored;
588 char szName2[RTPATH_MAX];
589 if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
590 && GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
591 if (!stricmp(szName2, szName))
592 rc = VINF_SUCCESS;
593#else
594 AssertCompile(RTPATH_MAX >= PATH_MAX);
595 char szName2[RTPATH_MAX];
596 if ( realpath(szName, szName2) != NULL
597 && realpath(pszFilename, szName) != NULL)
598 if (!strcmp(szName2, szName))
599 rc = VINF_SUCCESS;
600#endif
601
602 if (RT_FAILURE(rc))
603 {
604 supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
605 return supR3HardenedError(rc, fFatal,
606 "supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
607 pszFilename, szName);
608 }
609 }
610
611 /*
612 * Check more stuff like the stat info if it's an already open file?
613 */
614
615
616
617 return VINF_SUCCESS;
618}
619
620
621/**
622 * Verifies a file.
623 *
624 * @returns VINF_SUCCESS on success.
625 * VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
626 * On verification failure, an error code will be returned when fFatal is clear,
627 * otherwise the program will be terminated.
628 *
629 * @param pszFilename The filename.
630 * @param fFatal Whether validation failures should be treated as
631 * fatal (true) or not (false).
632 */
633DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
634{
635 /*
636 * Lookup the file and check if it's the same file.
637 */
638 const char *pszName = supR3HardenedPathFilename(pszFilename);
639 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
640 if (!strcmp(pszName, g_aSupInstallFiles[iFile].pszFile))
641 {
642 int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
643 if (RT_SUCCESS(rc))
644 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen */);
645 return rc;
646 }
647
648 return VERR_NOT_FOUND;
649}
650
651
652/**
653 * Verifies a program, worker for supR3HardenedVerifyAll.
654 *
655 * @returns See supR3HardenedVerifyAll.
656 * @param pszProgName See supR3HardenedVerifyAll.
657 * @param fFatal See supR3HardenedVerifyAll.
658 */
659static int supR3HardenedVerifyProgram(const char *pszProgName, bool fFatal)
660{
661 /*
662 * Search the table looking for the executable and the DLL/DYLIB/SO.
663 */
664 int rc = VINF_SUCCESS;
665 bool fExe = false;
666 bool fDll = false;
667 size_t const cchProgName = strlen(pszProgName);
668 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
669 if (!strncmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgName))
670 {
671 if ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
672 && !strcmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_DLL_SUFF))
673 {
674 /* This only has to be found (once). */
675 if (fDll)
676 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
677 "supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
678 fDll = true;
679 }
680 else if ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
681 && !strcmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_EXE_SUFF))
682 {
683 /* Here we'll have to check that the specific program is the same as the entry. */
684 if (fExe)
685 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
686 "supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
687 fExe = true;
688
689 char szFilename[RTPATH_MAX];
690 int rc2 = supR3HardenedPathExecDir(szFilename, sizeof(szFilename) - cchProgName - sizeof(SUPLIB_EXE_SUFF));
691 if (RT_SUCCESS(rc2))
692 {
693 strcat(szFilename, "/");
694 strcat(szFilename, g_aSupInstallFiles[iFile].pszFile);
695 supR3HardenedVerifySameFile(iFile, szFilename, fFatal);
696 }
697 else
698 rc = supR3HardenedError(rc2, fFatal,
699 "supR3HardenedVerifyProgram: failed to query program path: rc=%d\n", rc2);
700 }
701 }
702
703 /*
704 * Check the findings.
705 */
706 if (!fDll && !fExe)
707 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
708 "supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
709 else if (!fExe)
710 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
711 "supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
712 else if (!fDll)
713 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
714 "supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
715 return rc;
716}
717
718
719/**
720 * Verifies all the known files.
721 *
722 * @returns VINF_SUCCESS on success.
723 * On verification failure, an error code will be returned when fFatal is clear,
724 * otherwise the program will be terminated.
725 *
726 * @param fFatal Whether validation failures should be treated as
727 * fatal (true) or not (false).
728 * @param fLeaveFilesOpen If set, all the verified files are left open.
729 * @param pszProgName Optional program name. This is used by SUPR3HardenedMain
730 * to verify that both the executable and corresponding
731 * DLL/DYLIB/SO are valid.
732 */
733DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, bool fLeaveFilesOpen, const char *pszProgName)
734{
735 /*
736 * The verify all the files.
737 */
738 int rc = VINF_SUCCESS;
739 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
740 {
741 int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveFilesOpen);
742 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
743 rc = rc2;
744 }
745
746 /*
747 * Verify the program name if specified, that is to say, just check that
748 * it's in the table (=> we've already verified it).
749 */
750 if (pszProgName)
751 {
752 int rc2 = supR3HardenedVerifyProgram(pszProgName, fFatal);
753 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
754 rc2 = rc;
755 }
756
757 return rc;
758}
759
760
761/**
762 * Copies the N messages into the error buffer and returns @a rc.
763 *
764 * @returns Returns @a rc
765 * @param rc The return code.
766 * @param pszErr The error buffer.
767 * @param cbErr The size of the error buffer.
768 * @param cMsgs The number of messages in the ellipsis.
769 * @param ... Message parts.
770 */
771static int supR3HardenedSetErrorN(int rc, char *pszErr, size_t cbErr, unsigned cMsgs, ...)
772{
773 va_list va;
774 va_start(va, cMsgs);
775 while (cMsgs-- > 0 && cbErr > 0)
776 {
777 const char *pszMsg = va_arg(va, const char *);
778 size_t cchMsg = VALID_PTR(pszMsg) ? strlen(pszMsg) : 0;
779 if (cchMsg >= cbErr)
780 cchMsg = cbErr - 1;
781 memcpy(pszErr, pszMsg, cchMsg);
782 pszErr[cchMsg] = '\0';
783 pszErr += cchMsg;
784 cbErr -= cchMsg;
785 }
786 va_end(va);
787
788 return rc;
789}
790
791
792/**
793 * Copies the three messages into the error buffer and returns @a rc.
794 *
795 * @returns Returns @a rc
796 * @param rc The return code.
797 * @param pszErr The error buffer.
798 * @param cbErr The size of the error buffer.
799 * @param pszMsg1 The first message part.
800 * @param pszMsg2 The second message part.
801 * @param pszMsg3 The third message part.
802 */
803static int supR3HardenedSetError3(int rc, char *pszErr, size_t cbErr, const char *pszMsg1,
804 const char *pszMsg2, const char *pszMsg3)
805{
806 return supR3HardenedSetErrorN(rc, pszErr, cbErr, 3, pszMsg1, pszMsg2, pszMsg3);
807}
808
809
810/**
811 * Copies the two messages into the error buffer and returns @a rc.
812 *
813 * @returns Returns @a rc
814 * @param rc The return code.
815 * @param pszErr The error buffer.
816 * @param cbErr The size of the error buffer.
817 * @param pszMsg1 The first message part.
818 * @param pszMsg2 The second message part.
819 */
820static int supR3HardenedSetError2(int rc, char *pszErr, size_t cbErr, const char *pszMsg1,
821 const char *pszMsg2)
822{
823 return supR3HardenedSetErrorN(rc, pszErr, cbErr, 2, pszMsg1, pszMsg2);
824}
825
826
827/**
828 * Copies the error message to the error buffer and returns @a rc.
829 *
830 * @returns Returns @a rc
831 * @param rc The return code.
832 * @param pszErr The error buffer.
833 * @param cbErr The size of the error buffer.
834 * @param pszMsg The message.
835 */
836static int supR3HardenedSetError(int rc, char *pszErr, size_t cbErr, const char *pszMsg)
837{
838 return supR3HardenedSetErrorN(rc, pszErr, cbErr, 1, pszMsg);
839}
840
841
842/**
843 * Output from a successfull supR3HardenedVerifyPathSanity call.
844 */
845typedef struct SUPR3HARDENEDPATHINFO
846{
847 /** The length of the path in szCopy. */
848 uint16_t cch;
849 /** The number of path components. */
850 uint16_t cComponents;
851 /** Set if the path ends with slash, indicating that it's a directory
852 * reference and not a file reference. The slash has been removed from
853 * the copy. */
854 bool fDirSlash;
855 /** The offset where each path component starts, i.e. the char after the
856 * slash. The array has cComponents + 1 entries, where the final one is
857 * cch + 1 so that one can always terminate the current component by
858 * szPath[aoffComponent[i] - 1] = '\0'. */
859 uint16_t aoffComponents[32+1];
860 /** A normalized copy of the path.
861 * Reserve some extra space so we can be more relaxed about overflow
862 * checks and terminator paddings, especially when recursing. */
863 char szPath[SUPR3HARDENED_MAX_PATH * 2];
864} SUPR3HARDENEDPATHINFO;
865/** Pointer to a parsed path. */
866typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
867
868
869/**
870 * Verifies that the path is absolutely sane, it also parses the path.
871 *
872 * A sane path starts at the root (w/ drive letter on DOS derived systems) and
873 * does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
874 * Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
875 * paths are not supported.
876 *
877 * @returns VBox status code.
878 * @param pszPath The path to check.
879 * @param pszErr The error buffer.
880 * @param cbErr The size of the error buffer.
881 * @param pInfo Where to return a copy of the path along with
882 * parsing information.
883 */
884static int supR3HardenedVerifyPathSanity(const char *pszPath, char *pszErr, size_t cbErr, PSUPR3HARDENEDPATHINFO pInfo)
885{
886 const char *pszSrc = pszPath;
887 char *pszDst = pInfo->szPath;
888
889 /*
890 * Check that it's an absolute path and copy the volume/root specifier.
891 */
892#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
893 if ( RT_C_IS_ALPHA(pszSrc[0])
894 || pszSrc[1] != ':'
895 || !RTPATH_IS_SLASH(pszSrc[2]))
896 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pszErr, cbErr, "The path is not absolute: '", pszPath, "'");
897
898 *pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
899 *pszDst++ = ':';
900 *pszDst++ = RTPATH_SLASH;
901 pszSrc += 3;
902
903#else
904 if (!RTPATH_IS_SLASH(pszSrc[0]))
905 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pszErr, cbErr, "The path is not absolute: '", pszPath, "'");
906
907 *pszDst++ = RTPATH_SLASH;
908 pszSrc += 1;
909#endif
910
911 /*
912 * No path specifying the root or something very shortly thereafter will
913 * be approved of.
914 */
915 if (pszSrc[0] == '\0')
916 return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pszErr, cbErr, "The path is root: '", pszPath, "'");
917 if ( pszSrc[1] == '\0'
918 || pszSrc[2] == '\0')
919 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pszErr, cbErr, "The path is too short: '", pszPath, "'");
920
921 /*
922 * Check each component. No parent references or double slashes.
923 */
924 pInfo->cComponents = 0;
925 pInfo->fDirSlash = false;
926 while (pszSrc[0])
927 {
928 /* Sanity checks. */
929 if (RTPATH_IS_SLASH(pszSrc[0])) /* can be relaxed if we care. */
930 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pszErr, cbErr,
931 "The path is not clean of double slashes: '", pszPath, "'");
932 if ( pszSrc[0] == '.'
933 && pszSrc[1] == '.'
934 && RTPATH_IS_SLASH(pszSrc[2]))
935 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pszErr, cbErr,
936 "The path is not absolute: '", pszPath, "'");
937
938 /* Record the start of the component. */
939 if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
940 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pszErr, cbErr,
941 "The path has too many components: '", pszPath, "'");
942 pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
943
944 /* Traverse to the end of the component, copying it as we go along. */
945 while (pszSrc[0])
946 {
947 if (RTPATH_IS_SLASH(pszSrc[0]))
948 {
949 pszSrc++;
950 if (*pszSrc)
951 *pszDst++ = RTPATH_SLASH;
952 else
953 pInfo->fDirSlash = true;
954 break;
955 }
956 *pszDst++ = *pszSrc++;
957 if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
958 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pszErr, cbErr,
959 "The path is too long: '", pszPath, "'");
960 }
961 }
962
963 /* Terminate the string and enter its length. */
964 pszDst[0] = '\0';
965 pszDst[1] = '\0'; /* for aoffComponents */
966 pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
967 pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
968
969 return VINF_SUCCESS;
970}
971
972
973/**
974 * The state information collected by supR3HardenedVerifyFsObject.
975 *
976 * This can be used to verify that a directory we've opened for enumeration is
977 * the same as the one that supR3HardenedVerifyFsObject just verified. It can
978 * equally be used to verify a native specfied by the user.
979 */
980typedef struct SUPR3HARDENEDFSOBJSTATE
981{
982#ifdef RT_OS_WINDOWS
983 /** Not implemented for windows yet. */
984 char chTodo;
985#else
986 /** The stat output. */
987 struct stat Stat;
988#endif
989} SUPR3HARDENEDFSOBJSTATE;
990/** Pointer to a file system object state. */
991typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
992/** Pointer to a const file system object state. */
993typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
994
995
996/**
997 * Query information about a file system object by path.
998 *
999 * @returns VBox status code, error buffer filled on failure.
1000 * @param pszPath The path to the object.
1001 * @param pFsObjState Where to return the state information.
1002 * @param pszErr The error buffer.
1003 * @param cbErr The size of the error buffer.
1004 */
1005static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1006 char *pszErr, size_t cbErr)
1007{
1008#if defined(RT_OS_WINDOWS)
1009 /** @todo Windows hardening. */
1010 pFsObjState->chTodo = 0;
1011 return VINF_SUCCESS;
1012
1013#else
1014 /*
1015 * Stat the object, do not follow links.
1016 */
1017 if (lstat(pszPath, &pFsObjState->Stat) != 0)
1018 {
1019 /* Ignore access errors */
1020 if (errno != EACCES)
1021 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pszErr, cbErr,
1022 5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1023 }
1024
1025 /*
1026 * Read ACLs.
1027 */
1028 /** @todo */
1029
1030 return VINF_SUCCESS;
1031#endif
1032}
1033
1034
1035/**
1036 * Query information about a file system object by native handle.
1037 *
1038 * @returns VBox status code, error buffer filled on failure.
1039 * @param hNative The native handle to the object @a pszPath
1040 * specifies and this should be verified to be the
1041 * same file system object.
1042 * @param pFsObjState Where to return the state information.
1043 * @param pszPath The path to the object. (For the error message
1044 * only.)
1045 * @param pszErr The error buffer.
1046 * @param cbErr The size of the error buffer.
1047 */
1048static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1049 char const *pszPath, char *pszErr, size_t cbErr)
1050{
1051#if defined(RT_OS_WINDOWS)
1052 /** @todo Windows hardening. */
1053 pFsObjState->chTodo = 0;
1054 return VINF_SUCCESS;
1055
1056#else
1057 /*
1058 * Stat the object, do not follow links.
1059 */
1060 if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1061 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pszErr, cbErr,
1062 5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1063
1064 /*
1065 * Read ACLs.
1066 */
1067 /** @todo */
1068
1069 return VINF_SUCCESS;
1070#endif
1071}
1072
1073
1074/**
1075 * Verifies that the file system object indicated by the native handle is the
1076 * same as the one @a pFsObjState indicates.
1077 *
1078 * @returns VBox status code, error buffer filled on failure.
1079 * @param pFsObjState1 File system object information/state by path.
1080 * @param pFsObjState2 File system object information/state by handle.
1081 * @param pszPath The path to the object @a pFsObjState
1082 * describes. (For the error message.)
1083 * @param pszErr The error buffer.
1084 * @param cbErr The size of the error buffer.
1085 */
1086static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1087 const char *pszPath, char *pszErr, size_t cbErr)
1088{
1089#if defined(RT_OS_WINDOWS)
1090 /** @todo Windows hardening. */
1091 return VINF_SUCCESS;
1092
1093#elif defined(RT_OS_OS2)
1094 return VINF_SUCCESS;
1095
1096#else
1097 /*
1098 * Compare the ino+dev, then the uid+gid and finally the important mode
1099 * bits. Technically the first one should be enough, but we're paranoid.
1100 */
1101 if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1102 || pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1103 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pszErr, cbErr,
1104 "The native handle is not the same as '", pszPath, "' (ino/dev)");
1105 if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1106 || pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1107 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pszErr, cbErr,
1108 "The native handle is not the same as '", pszPath, "' (uid/gid)");
1109 if ( (pFsObjState1->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH))
1110 != (pFsObjState2->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH)))
1111 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pszErr, cbErr,
1112 "The native handle is not the same as '", pszPath, "' (mode)");
1113 return VINF_SUCCESS;
1114#endif
1115}
1116
1117
1118/**
1119 * Verifies a file system object (file or directory).
1120 *
1121 * @returns VBox status code, error buffer filled on failure.
1122 * @param pFsObjState The file system object information/state to be
1123 * verified.
1124 * @param fDir Whether this is a directory or a file.
1125 * @param fRelaxed Whether we can be more relaxed about this
1126 * directory (only used for grand parent
1127 * directories).
1128 * @param pszPath The path to the object. (For error messages
1129 * only.)
1130 * @param pszErr The error buffer.
1131 * @param cbErr The size of the error buffer.
1132 */
1133static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1134 const char *pszPath, char *pszErr, size_t cbErr)
1135{
1136#if defined(RT_OS_WINDOWS)
1137 /** @todo Windows hardening. */
1138 return VINF_SUCCESS;
1139
1140#elif defined(RT_OS_OS2)
1141 /* No hardening here - it's a single user system. */
1142 return VINF_SUCCESS;
1143
1144#else
1145 /*
1146 * The owner must be root.
1147 *
1148 * This can be extended to include predefined system users if necessary.
1149 */
1150 if (pFsObjState->Stat.st_uid != 0)
1151 return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pszErr, cbErr, "The owner is not root: '", pszPath, "'");
1152
1153 /*
1154 * The group does not matter if it does not have write access, if it has
1155 * write access it must be group 0 (root/wheel/whatever).
1156 *
1157 * This can be extended to include predefined system groups or groups that
1158 * only root is member of.
1159 */
1160 if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1161 && pFsObjState->Stat.st_gid != 0)
1162 {
1163#ifdef RT_OS_DARWIN
1164 /* HACK ALERT: On Darwin /Applications is root:admin with admin having
1165 full access. So, to work around we relax the hardening a bit and
1166 permit grand parents and beyond to be group writable by admin. */
1167 if (pFsObjState->Stat.st_gid != 80 /*admin*/) /** @todo dynamically resolve the admin group? */
1168#endif
1169 return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pszErr, cbErr,
1170 "The group is not a system group and it has write access to '", pszPath, "'");
1171 }
1172
1173 /*
1174 * World must not have write access. There is no relaxing this rule.
1175 */
1176 if (pFsObjState->Stat.st_mode & S_IWOTH)
1177 return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pszErr, cbErr,
1178 "World writable: '", pszPath, "'");
1179
1180 /*
1181 * Check the ACLs.
1182 */
1183 /** @todo */
1184
1185 /*
1186 * Check the object type.
1187 */
1188 if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1189 && !S_ISREG(pFsObjState->Stat.st_mode))
1190 {
1191 if (S_ISLNK(pFsObjState->Stat.st_mode))
1192 return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pszErr, cbErr,
1193 "Symlinks are not permitted: '", pszPath, "'");
1194 return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pszErr, cbErr,
1195 "Not regular file or directory: '", pszPath, "'");
1196 }
1197 if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1198 {
1199 if (S_ISDIR(pFsObjState->Stat.st_mode))
1200 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pszErr, cbErr,
1201 "Expected file but found directory: '", pszPath, "'");
1202 return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pszErr, cbErr,
1203 "Expected directory but found file: '", pszPath, "'");
1204 }
1205
1206 return VINF_SUCCESS;
1207#endif
1208
1209}
1210
1211
1212/**
1213 * Verifies that the file system object indicated by the native handle is the
1214 * same as the one @a pFsObjState indicates.
1215 *
1216 * @returns VBox status code, error buffer filled on failure.
1217 * @param hNative The native handle to the object @a pszPath
1218 * specifies and this should be verified to be the
1219 * same file system object.
1220 * @param pFsObjState The information/state returned by a previous
1221 * query call.
1222 * @param pszPath The path to the object @a pFsObjState
1223 * describes. (For the error message.)
1224 * @param pszErr The error buffer.
1225 * @param cbErr The size of the error buffer.
1226 */
1227static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1228 const char *pszPath, char *pszErr, size_t cbErr)
1229{
1230 SUPR3HARDENEDFSOBJSTATE FsObjState2;
1231 int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pszErr, cbErr);
1232 if (RT_SUCCESS(rc))
1233 rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pszErr, cbErr);
1234 return rc;
1235}
1236
1237
1238/**
1239 * Does the recursive directory enumeration.
1240 *
1241 * @returns VBox status code, error buffer filled on failure.
1242 * @param pszDirPath The path buffer containing the subdirectory to
1243 * enumerate followed by a slash (this is never
1244 * the root slash). The buffer is RTPATH_MAX in
1245 * size and anything starting at @a cchDirPath
1246 * - 1 and beyond is scratch space.
1247 * @param cchDirPath The length of the directory path + slash.
1248 * @param pFsObjState Pointer to the file system object state buffer.
1249 * On input this will hold the stats for
1250 * the directory @a pszDirPath indicates and will
1251 * be used to verified that we're opening the same
1252 * thing.
1253 * @param fRecursive Whether to recurse into subdirectories.
1254 * @param pszErr The error buffer.
1255 * @param cbErr The size of the error buffer.
1256 */
1257static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1258 bool fRecursive, char *pszErr, size_t cbErr)
1259{
1260#if defined(RT_OS_WINDOWS)
1261 /** @todo Windows hardening. */
1262 return VINF_SUCCESS;
1263
1264#elif defined(RT_OS_OS2)
1265 /* No hardening here - it's a single user system. */
1266 return VINF_SUCCESS;
1267
1268#else
1269 /*
1270 * Open the directory. Now, we could probably eliminate opendir here
1271 * and go down on kernel API level (open + getdents for instance), however
1272 * that's not very portable and hopefully not necessary.
1273 */
1274 DIR *pDir = opendir(pszDirPath);
1275 if (!pDir)
1276 {
1277 /* Ignore access errors. */
1278 if (errno == EACCES)
1279 return VINF_SUCCESS;
1280 return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pszErr, cbErr,
1281 5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1282 }
1283 if (dirfd(pDir) != -1)
1284 {
1285 int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pszErr, cbErr);
1286 if (RT_FAILURE(rc))
1287 {
1288 closedir(pDir);
1289 return rc;
1290 }
1291 }
1292
1293 /*
1294 * Enumerate the directory, check all the requested bits.
1295 */
1296 int rc = VINF_SUCCESS;
1297 for (;;)
1298 {
1299 pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1300
1301 struct dirent Entry;
1302 struct dirent *pEntry;
1303 int iErr = readdir_r(pDir, &Entry, &pEntry);
1304 if (iErr)
1305 {
1306 rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pszErr, cbErr,
1307 5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1308 break;
1309 }
1310 if (!pEntry)
1311 break;
1312
1313 /*
1314 * Check the length and copy it into the path buffer so it can be
1315 * stat()'ed.
1316 */
1317 size_t cchName = strlen(pEntry->d_name);
1318 if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1319 {
1320 rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pszErr, cbErr,
1321 4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1322 break;
1323 }
1324 memcpy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1325
1326 /*
1327 * Query the information about the entry and verify it.
1328 * (We don't bother skipping '.' and '..' at this point, a little bit
1329 * of extra checks doesn't hurt and neither requires relaxed handling.)
1330 */
1331 rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pszErr, cbErr);
1332 if (RT_SUCCESS(rc))
1333 break;
1334 rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /*fRelaxed*/,
1335 pszDirPath, pszErr, cbErr);
1336 if (RT_FAILURE(rc))
1337 break;
1338
1339 /*
1340 * Recurse into subdirectories if requested.
1341 */
1342 if ( fRecursive
1343 && S_ISDIR(pFsObjState->Stat.st_mode)
1344 && strcmp(pEntry->d_name, ".")
1345 && strcmp(pEntry->d_name, ".."))
1346 {
1347 pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1348 pszDirPath[cchDirPath + cchName + 1] = '\0';
1349
1350 rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1351 fRecursive, pszErr, cbErr);
1352 if (RT_FAILURE(rc))
1353 break;
1354 }
1355 }
1356
1357 closedir(pDir);
1358 return VINF_SUCCESS;
1359#endif
1360}
1361
1362
1363/**
1364 * Worker for SUPR3HardenedVerifyDir.
1365 *
1366 * @returns See SUPR3HardenedVerifyDir.
1367 * @param pszDirPath See SUPR3HardenedVerifyDir.
1368 * @param fRecursive See SUPR3HardenedVerifyDir.
1369 * @param fCheckFiles See SUPR3HardenedVerifyDir.
1370 * @param pszErr See SUPR3HardenedVerifyDir.
1371 * @param cbErr See SUPR3HardenedVerifyDir.
1372 */
1373DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, char *pszErr, size_t cbErr)
1374{
1375 /*
1376 * Validate the input path and parse it.
1377 */
1378 SUPR3HARDENEDPATHINFO Info;
1379 int rc = supR3HardenedVerifyPathSanity(pszDirPath, pszErr, cbErr, &Info);
1380 if (RT_FAILURE(rc))
1381 return rc;
1382
1383 /*
1384 * Verify each component from the root up.
1385 */
1386 SUPR3HARDENEDFSOBJSTATE FsObjState;
1387 uint32_t const cComponents = Info.cComponents;
1388 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1389 {
1390 bool fRelaxed = iComponent + 2 < cComponents;
1391 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1392 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pszErr, cbErr);
1393 if (RT_SUCCESS(rc))
1394 rc = supR3HardenedVerifyFsObject(&FsObjState, true /*fDir*/, fRelaxed, Info.szPath, pszErr, cbErr);
1395 if (RT_FAILURE(rc))
1396 return rc;
1397 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1398 }
1399
1400 /*
1401 * Check files and subdirectories if requested.
1402 */
1403 if (fCheckFiles || fRecursive)
1404 {
1405 Info.szPath[Info.cch] = RTPATH_SLASH;
1406 Info.szPath[Info.cch + 1] = '\0';
1407 return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1408 fRecursive, pszErr, cbErr);
1409 }
1410
1411 return VINF_SUCCESS;
1412}
1413
1414
1415/**
1416 * Verfies a file.
1417 *
1418 * @returns VBox status code, error buffer filled on failure.
1419 * @param pszFilename The file to verify.
1420 * @param hNativeFile Handle to the file, verify that it's the same
1421 * as we ended up with when verifying the path.
1422 * RTHCUINTPTR_MAX means NIL here.
1423 * @param pszErr The error buffer.
1424 * @param cbErr The size of the error buffer.
1425 */
1426DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile, char *pszErr, size_t cbErr)
1427{
1428 /*
1429 * Validate the input path and parse it.
1430 */
1431 SUPR3HARDENEDPATHINFO Info;
1432 int rc = supR3HardenedVerifyPathSanity(pszFilename, pszErr, cbErr, &Info);
1433 if (RT_FAILURE(rc))
1434 return rc;
1435 if (Info.fDirSlash)
1436 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pszErr, cbErr,
1437 "The file path specifies a directory: '", pszFilename, "'");
1438
1439 /*
1440 * Verify each component from the root up.
1441 */
1442 SUPR3HARDENEDFSOBJSTATE FsObjState;
1443 uint32_t const cComponents = Info.cComponents;
1444 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1445 {
1446 bool fFinal = iComponent + 1 == cComponents;
1447 bool fRelaxed = iComponent + 2 < cComponents;
1448 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1449 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pszErr, cbErr);
1450 if (RT_SUCCESS(rc))
1451 rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed, Info.szPath, pszErr, cbErr);
1452 if (RT_FAILURE(rc))
1453 return rc;
1454 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1455 }
1456
1457 /*
1458 * Verify the file.
1459 */
1460 if (hNativeFile != RTHCUINTPTR_MAX)
1461 return supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pszErr, cbErr);
1462 return VINF_SUCCESS;
1463}
1464
1465
1466/**
1467 * Gets the pre-init data for the hand-over to the other version
1468 * of this code.
1469 *
1470 * The reason why we pass this information on is that it contains
1471 * open directories and files. Later it may include even more info
1472 * (int the verified arrays mostly).
1473 *
1474 * The receiver is supR3HardenedRecvPreInitData.
1475 *
1476 * @param pPreInitData Where to store it.
1477 */
1478DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
1479{
1480 pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
1481 pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
1482 pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
1483
1484 pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
1485 pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
1486}
1487
1488
1489/**
1490 * Receives the pre-init data from the static executable stub.
1491 *
1492 * @returns VBox status code. Will not bitch on failure since the
1493 * runtime isn't ready for it, so that is left to the exe stub.
1494 *
1495 * @param pPreInitData The hand-over data.
1496 */
1497DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
1498{
1499 /*
1500 * Compare the array lengths and the contents of g_aSupInstallFiles.
1501 */
1502 if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
1503 || pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
1504 return VERR_VERSION_MISMATCH;
1505 SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
1506 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
1507 if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
1508 || g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
1509 || g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
1510 || strcmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
1511 return VERR_VERSION_MISMATCH;
1512
1513 /*
1514 * Check that we're not called out of order.
1515 * If dynamic linking it screwed up, we may end up here.
1516 */
1517 if ( ASMMemIsAll8(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles), 0) != NULL
1518 || ASMMemIsAll8(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs), 0) != NULL)
1519 return VERR_WRONG_ORDER;
1520
1521 /*
1522 * Copy the verification data over.
1523 */
1524 memcpy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
1525 memcpy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
1526 return VINF_SUCCESS;
1527}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette