VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 43059

Last change on this file since 43059 was 42477, checked in by vboxsync, 12 years ago

typo

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 58.9 KB
Line 
1/* $Id: SUPR3HardenedVerify.cpp 42477 2012-07-31 11:57:18Z vboxsync $ */
2/** @file
3 * VirtualBox Support Library - Verification of Hardened Installation.
4 */
5
6/*
7 * Copyright (C) 2006-2010 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27/*******************************************************************************
28* Header Files *
29*******************************************************************************/
30#if defined(RT_OS_OS2)
31# define INCL_BASE
32# define INCL_ERRORS
33# include <os2.h>
34# include <stdio.h>
35# include <stdlib.h>
36# include <unistd.h>
37# include <sys/fcntl.h>
38# include <sys/errno.h>
39# include <sys/syslimits.h>
40
41#elif defined(RT_OS_WINDOWS)
42# include <Windows.h>
43# include <stdio.h>
44
45#else /* UNIXes */
46# include <sys/types.h>
47# include <stdio.h>
48# include <stdlib.h>
49# include <dirent.h>
50# include <dlfcn.h>
51# include <fcntl.h>
52# include <limits.h>
53# include <errno.h>
54# include <unistd.h>
55# include <sys/stat.h>
56# include <sys/time.h>
57# include <sys/fcntl.h>
58# include <stdio.h>
59# include <pwd.h>
60# ifdef RT_OS_DARWIN
61# include <mach-o/dyld.h>
62# endif
63
64#endif
65
66#include <VBox/sup.h>
67#include <VBox/err.h>
68#include <iprt/asm.h>
69#include <iprt/ctype.h>
70#include <iprt/param.h>
71#include <iprt/path.h>
72#include <iprt/string.h>
73
74#include "SUPLibInternal.h"
75
76
77/*******************************************************************************
78* Defined Constants And Macros *
79*******************************************************************************/
80/** The max path length acceptable for a trusted path. */
81#define SUPR3HARDENED_MAX_PATH 260U
82
83#ifdef RT_OS_SOLARIS
84# define dirfd(d) ((d)->d_fd)
85#endif
86
87
88/*******************************************************************************
89* Global Variables *
90*******************************************************************************/
91/**
92 * The files that gets verified.
93 *
94 * @todo This needs reviewing against the linux packages.
95 * @todo The excessive use of kSupID_SharedLib needs to be reviewed at some point. For
96 * the time being we're building the linux packages with SharedLib pointing to
97 * AppPrivArch (lazy bird).
98 */
99static SUPINSTFILE const g_aSupInstallFiles[] =
100{
101 /* type, dir, fOpt, "pszFile" */
102 /* ---------------------------------------------------------------------- */
103 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
104 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
105 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
106
107#ifdef VBOX_WITH_RAW_MODE
108 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMGC.gc" },
109 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDGC.gc" },
110 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2GC.gc" },
111#endif
112
113 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
114 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
115 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
116#if HC_ARCH_BITS == 32
117 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
118 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
119#endif
120 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
121 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
122 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
123
124//#ifdef VBOX_WITH_DEBUGGER_GUI
125 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
126 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
127//#endif
128
129//#ifdef VBOX_WITH_SHARED_CLIPBOARD
130 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
131//#endif
132//#ifdef VBOX_WITH_SHARED_FOLDERS
133 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
134//#endif
135//#ifdef VBOX_WITH_DRAG_AND_DROP
136 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
137//#endif
138//#ifdef VBOX_WITH_GUEST_PROPS
139 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
140//#endif
141//#ifdef VBOX_WITH_GUEST_CONTROL
142 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
143//#endif
144 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
145 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
146 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
147 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
148
149 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
150
151#ifdef VBOX_WITH_MAIN
152 { kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
153 #ifdef RT_OS_WINDOWS
154 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
155 #else
156 { kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
157 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
158 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
159 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
160 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
161 { kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
162 #endif
163#endif
164
165 { kSupIFT_Dll, kSupID_SharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
166 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
167 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
168
169//#ifdef VBOX_WITH_HEADLESS
170 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
171 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
172 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
173//#endif
174
175//#ifdef VBOX_WITH_QTGUI
176 { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
177 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
178# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
179 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
180# endif
181//#endif
182
183//#ifdef VBOX_WITH_VBOXSDL
184 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
185 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
186//#endif
187
188//#ifdef VBOX_WITH_VBOXBFE
189 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxBFE" SUPLIB_EXE_SUFF },
190 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxBFE" SUPLIB_DLL_SUFF },
191//#endif
192
193//#ifdef VBOX_WITH_WEBSERVICES
194 { kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
195//#endif
196
197#ifdef RT_OS_LINUX
198 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
199#endif
200
201//#ifdef VBOX_WITH_NETFLT
202 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
203 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
204//#endif
205};
206
207
208/** Array parallel to g_aSupInstallFiles containing per-file status info. */
209static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
210
211/** Array index by install directory specifier containing info about verified directories. */
212static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
213
214
215/**
216 * Assembles the path to a directory.
217 *
218 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
219 * decides whether it returns or not).
220 *
221 * @param enmDir The directory.
222 * @param pszDst Where to assemble the path.
223 * @param cchDst The size of the buffer.
224 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
225 */
226static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
227{
228 int rc;
229 switch (enmDir)
230 {
231 case kSupID_AppBin: /** @todo fix this AppBin crap (uncertain wtf some binaries actually are installed). */
232 case kSupID_Bin:
233 rc = supR3HardenedPathExecDir(pszDst, cchDst);
234 break;
235 case kSupID_SharedLib:
236 rc = supR3HardenedPathSharedLibs(pszDst, cchDst);
237 break;
238 case kSupID_AppPrivArch:
239 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
240 break;
241 case kSupID_AppPrivArchComp:
242 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
243 if (RT_SUCCESS(rc))
244 {
245 size_t off = strlen(pszDst);
246 if (cchDst - off >= sizeof("/components"))
247 memcpy(&pszDst[off], "/components", sizeof("/components"));
248 else
249 rc = VERR_BUFFER_OVERFLOW;
250 }
251 break;
252 case kSupID_AppPrivNoArch:
253 rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
254 break;
255 default:
256 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
257 "supR3HardenedMakePath: enmDir=%d\n", enmDir);
258 }
259 if (RT_FAILURE(rc))
260 supR3HardenedError(rc, fFatal,
261 "supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
262 return rc;
263}
264
265
266
267/**
268 * Assembles the path to a file table entry, with or without the actual filename.
269 *
270 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
271 * decides whether it returns or not).
272 *
273 * @param pFile The file table entry.
274 * @param pszDst Where to assemble the path.
275 * @param cchDst The size of the buffer.
276 * @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
277 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
278 */
279static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
280{
281 /*
282 * Combine supR3HardenedMakePath and the filename.
283 */
284 int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
285 if (RT_SUCCESS(rc) && fWithFilename)
286 {
287 size_t cchFile = strlen(pFile->pszFile);
288 size_t off = strlen(pszDst);
289 if (cchDst - off >= cchFile + 2)
290 {
291 pszDst[off++] = '/';
292 memcpy(&pszDst[off], pFile->pszFile, cchFile + 1);
293 }
294 else
295 rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
296 "supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
297 pFile->pszFile, (long)off);
298 }
299 return rc;
300}
301
302
303/**
304 * Verifies a directory.
305 *
306 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
307 * fFatal is clear and if it's set the function wont return.
308 * @param enmDir The directory specifier.
309 * @param fFatal Whether validation failures should be treated as
310 * fatal (true) or not (false).
311 */
312DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
313{
314 /*
315 * Validate the index just to be on the safe side...
316 */
317 if (enmDir <= kSupID_Invalid || enmDir >= kSupID_End)
318 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
319 "supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
320
321 /*
322 * Already validated?
323 */
324 if (g_aSupVerifiedDirs[enmDir].fValidated)
325 return VINF_SUCCESS; /** @todo revalidate? */
326
327 /* initialize the entry. */
328 if (g_aSupVerifiedDirs[enmDir].hDir != 0)
329 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
330 "supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
331 (void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
332 g_aSupVerifiedDirs[enmDir].hDir = -1;
333 g_aSupVerifiedDirs[enmDir].fValidated = false;
334
335 /*
336 * Make the path and open the directory.
337 */
338 char szPath[RTPATH_MAX];
339 int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
340 if (RT_SUCCESS(rc))
341 {
342#if defined(RT_OS_WINDOWS)
343 HANDLE hDir = CreateFile(szPath,
344 GENERIC_READ,
345 FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE,
346 NULL,
347 OPEN_ALWAYS,
348 FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS,
349 NULL);
350 if (hDir != INVALID_HANDLE_VALUE)
351 {
352 /** @todo check the type */
353 /* That's all on windows, for now at least... */
354 g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
355 g_aSupVerifiedDirs[enmDir].fValidated = true;
356 }
357 else
358 {
359 int err = GetLastError();
360 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
361 "supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
362 szPath, err);
363 }
364#else /* UNIXY */
365 int fd = open(szPath, O_RDONLY, 0);
366 if (fd >= 0)
367 {
368 /*
369 * On unixy systems we'll make sure the directory is owned by root
370 * and not writable by the group and user.
371 */
372 struct stat st;
373 if (!fstat(fd, &st))
374 {
375
376 if ( st.st_uid == 0
377 && !(st.st_mode & (S_IWGRP | S_IWOTH))
378 && S_ISDIR(st.st_mode))
379 {
380 g_aSupVerifiedDirs[enmDir].hDir = fd;
381 g_aSupVerifiedDirs[enmDir].fValidated = true;
382 }
383 else
384 {
385 if (!S_ISDIR(st.st_mode))
386 rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
387 "supR3HardenedVerifyDir: \"%s\" is not a directory\n",
388 szPath, (long)st.st_uid);
389 else if (st.st_uid)
390 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
391 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
392 szPath, (long)st.st_uid);
393 else
394 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
395 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
396 szPath, (long)st.st_mode);
397 close(fd);
398 }
399 }
400 else
401 {
402 int err = errno;
403 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
404 "supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
405 szPath, strerror(err), err);
406 close(fd);
407 }
408 }
409 else
410 {
411 int err = errno;
412 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
413 "supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
414 szPath, strerror(err), err);
415 }
416#endif /* UNIXY */
417 }
418
419 return rc;
420}
421
422
423/**
424 * Verifies a file entry.
425 *
426 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
427 * fFatal is clear and if it's set the function wont return.
428 *
429 * @param iFile The file table index of the file to be verified.
430 * @param fFatal Whether validation failures should be treated as
431 * fatal (true) or not (false).
432 * @param fLeaveFileOpen Whether the file should be left open.
433 */
434static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen)
435{
436 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
437 PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
438
439 /*
440 * Already done?
441 */
442 if (pVerified->fValidated)
443 return VINF_SUCCESS; /** @todo revalidate? */
444
445
446 /* initialize the entry. */
447 if (pVerified->hFile != 0)
448 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
449 "supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
450 (void *)pVerified->hFile, pFile->pszFile);
451 pVerified->hFile = -1;
452 pVerified->fValidated = false;
453
454 /*
455 * Verify the directory then proceed to open it.
456 * (This'll make sure the directory is opened and that we can (later)
457 * use openat if we wish.)
458 */
459 int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
460 if (RT_SUCCESS(rc))
461 {
462 char szPath[RTPATH_MAX];
463 rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
464 if (RT_SUCCESS(rc))
465 {
466#if defined(RT_OS_WINDOWS)
467 HANDLE hFile = CreateFile(szPath,
468 GENERIC_READ,
469 FILE_SHARE_READ,
470 NULL,
471 OPEN_ALWAYS,
472 FILE_ATTRIBUTE_NORMAL,
473 NULL);
474 if (hFile != INVALID_HANDLE_VALUE)
475 {
476 /** @todo Check the type, and verify the signature (separate function so we can skip it). */
477 {
478 /* it's valid. */
479 if (fLeaveFileOpen)
480 pVerified->hFile = (intptr_t)hFile;
481 else
482 CloseHandle(hFile);
483 pVerified->fValidated = true;
484 }
485 }
486 else
487 {
488 int err = GetLastError();
489 if (!pFile->fOptional || err != ERROR_FILE_NOT_FOUND)
490 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
491 "supR3HardenedVerifyFileInternal: Failed to open \"%s\": err=%d\n",
492 szPath, err);
493 }
494#else /* UNIXY */
495 int fd = open(szPath, O_RDONLY, 0);
496 if (fd >= 0)
497 {
498 /*
499 * On unixy systems we'll make sure the directory is owned by root
500 * and not writable by the group and user.
501 */
502 struct stat st;
503 if (!fstat(fd, &st))
504 {
505 if ( st.st_uid == 0
506 && !(st.st_mode & (S_IWGRP | S_IWOTH))
507 && S_ISREG(st.st_mode))
508 {
509 /* it's valid. */
510 if (fLeaveFileOpen)
511 pVerified->hFile = fd;
512 else
513 close(fd);
514 pVerified->fValidated = true;
515 }
516 else
517 {
518 if (!S_ISREG(st.st_mode))
519 rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
520 "supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
521 szPath, (long)st.st_uid);
522 else if (st.st_uid)
523 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
524 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
525 szPath, (long)st.st_uid);
526 else
527 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
528 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
529 szPath, (long)st.st_mode);
530 close(fd);
531 }
532 }
533 else
534 {
535 int err = errno;
536 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
537 "supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
538 szPath, strerror(err), err);
539 close(fd);
540 }
541 }
542 else
543 {
544 int err = errno;
545 if (!pFile->fOptional || err != ENOENT)
546 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
547 "supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
548 szPath, strerror(err), err);
549 }
550#endif /* UNIXY */
551 }
552 }
553
554 return rc;
555}
556
557
558/**
559 * Verifies that the specified table entry matches the given filename.
560 *
561 * @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
562 * error is returned or we terminate the application.
563 *
564 * @param iFile The file table index.
565 * @param pszFilename The filename.
566 * @param fFatal Whether validation failures should be treated as
567 * fatal (true) or not (false).
568 */
569static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
570{
571 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
572
573 /*
574 * Construct the full path for the file table entry
575 * and compare it with the specified file.
576 */
577 char szName[RTPATH_MAX];
578 int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
579 if (RT_FAILURE(rc))
580 return rc;
581#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
582 if (stricmp(szName, pszFilename))
583#else
584 if (strcmp(szName, pszFilename))
585#endif
586 {
587 /*
588 * Normalize the two paths and compare again.
589 */
590 rc = VERR_NOT_SAME_DEVICE;
591#if defined(RT_OS_WINDOWS)
592 LPSTR pszIgnored;
593 char szName2[RTPATH_MAX];
594 if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
595 && GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
596 if (!stricmp(szName2, szName))
597 rc = VINF_SUCCESS;
598#else
599 AssertCompile(RTPATH_MAX >= PATH_MAX);
600 char szName2[RTPATH_MAX];
601 if ( realpath(szName, szName2) != NULL
602 && realpath(pszFilename, szName) != NULL)
603 if (!strcmp(szName2, szName))
604 rc = VINF_SUCCESS;
605#endif
606
607 if (RT_FAILURE(rc))
608 {
609 supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
610 return supR3HardenedError(rc, fFatal,
611 "supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
612 pszFilename, szName);
613 }
614 }
615
616 /*
617 * Check more stuff like the stat info if it's an already open file?
618 */
619
620
621
622 return VINF_SUCCESS;
623}
624
625
626/**
627 * Verifies a file.
628 *
629 * @returns VINF_SUCCESS on success.
630 * VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
631 * On verification failure, an error code will be returned when fFatal is clear,
632 * otherwise the program will be terminated.
633 *
634 * @param pszFilename The filename.
635 * @param fFatal Whether validation failures should be treated as
636 * fatal (true) or not (false).
637 */
638DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
639{
640 /*
641 * Lookup the file and check if it's the same file.
642 */
643 const char *pszName = supR3HardenedPathFilename(pszFilename);
644 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
645 if (!strcmp(pszName, g_aSupInstallFiles[iFile].pszFile))
646 {
647 int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
648 if (RT_SUCCESS(rc))
649 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen */);
650 return rc;
651 }
652
653 return VERR_NOT_FOUND;
654}
655
656
657/**
658 * Verifies a program, worker for supR3HardenedVerifyAll.
659 *
660 * @returns See supR3HardenedVerifyAll.
661 * @param pszProgName See supR3HardenedVerifyAll.
662 * @param fFatal See supR3HardenedVerifyAll.
663 */
664static int supR3HardenedVerifyProgram(const char *pszProgName, bool fFatal)
665{
666 /*
667 * Search the table looking for the executable and the DLL/DYLIB/SO.
668 */
669 int rc = VINF_SUCCESS;
670 bool fExe = false;
671 bool fDll = false;
672 size_t const cchProgName = strlen(pszProgName);
673 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
674 if (!strncmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgName))
675 {
676 if ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
677 && !strcmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_DLL_SUFF))
678 {
679 /* This only has to be found (once). */
680 if (fDll)
681 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
682 "supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
683 fDll = true;
684 }
685 else if ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
686 && !strcmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_EXE_SUFF))
687 {
688 /* Here we'll have to check that the specific program is the same as the entry. */
689 if (fExe)
690 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
691 "supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
692 fExe = true;
693
694 char szFilename[RTPATH_MAX];
695 int rc2 = supR3HardenedPathExecDir(szFilename, sizeof(szFilename) - cchProgName - sizeof(SUPLIB_EXE_SUFF));
696 if (RT_SUCCESS(rc2))
697 {
698 strcat(szFilename, "/");
699 strcat(szFilename, g_aSupInstallFiles[iFile].pszFile);
700 supR3HardenedVerifySameFile(iFile, szFilename, fFatal);
701 }
702 else
703 rc = supR3HardenedError(rc2, fFatal,
704 "supR3HardenedVerifyProgram: failed to query program path: rc=%d\n", rc2);
705 }
706 }
707
708 /*
709 * Check the findings.
710 */
711 if (!fDll && !fExe)
712 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
713 "supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
714 else if (!fExe)
715 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
716 "supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
717 else if (!fDll)
718 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
719 "supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
720 return rc;
721}
722
723
724/**
725 * Verifies all the known files.
726 *
727 * @returns VINF_SUCCESS on success.
728 * On verification failure, an error code will be returned when fFatal is clear,
729 * otherwise the program will be terminated.
730 *
731 * @param fFatal Whether validation failures should be treated as
732 * fatal (true) or not (false).
733 * @param fLeaveFilesOpen If set, all the verified files are left open.
734 * @param pszProgName Optional program name. This is used by SUPR3HardenedMain
735 * to verify that both the executable and corresponding
736 * DLL/DYLIB/SO are valid.
737 */
738DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, bool fLeaveFilesOpen, const char *pszProgName)
739{
740 /*
741 * The verify all the files.
742 */
743 int rc = VINF_SUCCESS;
744 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
745 {
746 int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveFilesOpen);
747 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
748 rc = rc2;
749 }
750
751 /*
752 * Verify the program name if specified, that is to say, just check that
753 * it's in the table (=> we've already verified it).
754 */
755 if (pszProgName)
756 {
757 int rc2 = supR3HardenedVerifyProgram(pszProgName, fFatal);
758 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
759 rc2 = rc;
760 }
761
762 return rc;
763}
764
765
766/**
767 * Copies the N messages into the error buffer and returns @a rc.
768 *
769 * @returns Returns @a rc
770 * @param rc The return code.
771 * @param pErrInfo The error info structure.
772 * @param cMsgs The number of messages in the ellipsis.
773 * @param ... Message parts.
774 */
775static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
776{
777 if (pErrInfo)
778 {
779 size_t cbErr = pErrInfo->cbMsg;
780 char *pszErr = pErrInfo->pszMsg;
781
782 va_list va;
783 va_start(va, cMsgs);
784 while (cMsgs-- > 0 && cbErr > 0)
785 {
786 const char *pszMsg = va_arg(va, const char *);
787 size_t cchMsg = VALID_PTR(pszMsg) ? strlen(pszMsg) : 0;
788 if (cchMsg >= cbErr)
789 cchMsg = cbErr - 1;
790 memcpy(pszErr, pszMsg, cchMsg);
791 pszErr[cchMsg] = '\0';
792 pszErr += cchMsg;
793 cbErr -= cchMsg;
794 }
795 va_end(va);
796
797 pErrInfo->rc = rc;
798 pErrInfo->fFlags |= RTERRINFO_FLAGS_SET;
799 }
800
801 return rc;
802}
803
804
805/**
806 * Copies the three messages into the error buffer and returns @a rc.
807 *
808 * @returns Returns @a rc
809 * @param rc The return code.
810 * @param pErrInfo The error info structure.
811 * @param pszMsg1 The first message part.
812 * @param pszMsg2 The second message part.
813 * @param pszMsg3 The third message part.
814 */
815static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
816 const char *pszMsg2, const char *pszMsg3)
817{
818 return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
819}
820
821#ifdef SOME_UNUSED_FUNCTION
822
823/**
824 * Copies the two messages into the error buffer and returns @a rc.
825 *
826 * @returns Returns @a rc
827 * @param rc The return code.
828 * @param pErrInfo The error info structure.
829 * @param pszMsg1 The first message part.
830 * @param pszMsg2 The second message part.
831 */
832static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
833 const char *pszMsg2)
834{
835 return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
836}
837
838
839/**
840 * Copies the error message to the error buffer and returns @a rc.
841 *
842 * @returns Returns @a rc
843 * @param rc The return code.
844 * @param pErrInfo The error info structure.
845 * @param pszMsg The message.
846 */
847static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
848{
849 return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
850}
851
852#endif /* SOME_UNUSED_FUNCTION */
853
854/**
855 * Output from a successfull supR3HardenedVerifyPathSanity call.
856 */
857typedef struct SUPR3HARDENEDPATHINFO
858{
859 /** The length of the path in szCopy. */
860 uint16_t cch;
861 /** The number of path components. */
862 uint16_t cComponents;
863 /** Set if the path ends with slash, indicating that it's a directory
864 * reference and not a file reference. The slash has been removed from
865 * the copy. */
866 bool fDirSlash;
867 /** The offset where each path component starts, i.e. the char after the
868 * slash. The array has cComponents + 1 entries, where the final one is
869 * cch + 1 so that one can always terminate the current component by
870 * szPath[aoffComponent[i] - 1] = '\0'. */
871 uint16_t aoffComponents[32+1];
872 /** A normalized copy of the path.
873 * Reserve some extra space so we can be more relaxed about overflow
874 * checks and terminator paddings, especially when recursing. */
875 char szPath[SUPR3HARDENED_MAX_PATH * 2];
876} SUPR3HARDENEDPATHINFO;
877/** Pointer to a parsed path. */
878typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
879
880
881/**
882 * Verifies that the path is absolutely sane, it also parses the path.
883 *
884 * A sane path starts at the root (w/ drive letter on DOS derived systems) and
885 * does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
886 * Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
887 * paths are not supported.
888 *
889 * @returns VBox status code.
890 * @param pszPath The path to check.
891 * @param pErrInfo The error info structure.
892 * @param pInfo Where to return a copy of the path along with
893 * parsing information.
894 */
895static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
896{
897 const char *pszSrc = pszPath;
898 char *pszDst = pInfo->szPath;
899
900 /*
901 * Check that it's an absolute path and copy the volume/root specifier.
902 */
903#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
904 if ( RT_C_IS_ALPHA(pszSrc[0])
905 || pszSrc[1] != ':'
906 || !RTPATH_IS_SLASH(pszSrc[2]))
907 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
908
909 *pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
910 *pszDst++ = ':';
911 *pszDst++ = RTPATH_SLASH;
912 pszSrc += 3;
913
914#else
915 if (!RTPATH_IS_SLASH(pszSrc[0]))
916 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
917
918 *pszDst++ = RTPATH_SLASH;
919 pszSrc += 1;
920#endif
921
922 /*
923 * No path specifying the root or something very shortly thereafter will
924 * be approved of.
925 */
926 if (pszSrc[0] == '\0')
927 return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
928 if ( pszSrc[1] == '\0'
929 || pszSrc[2] == '\0')
930 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
931
932 /*
933 * Check each component. No parent references or double slashes.
934 */
935 pInfo->cComponents = 0;
936 pInfo->fDirSlash = false;
937 while (pszSrc[0])
938 {
939 /* Sanity checks. */
940 if (RTPATH_IS_SLASH(pszSrc[0])) /* can be relaxed if we care. */
941 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
942 "The path is not clean of double slashes: '", pszPath, "'");
943 if ( pszSrc[0] == '.'
944 && pszSrc[1] == '.'
945 && RTPATH_IS_SLASH(pszSrc[2]))
946 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
947 "The path is not absolute: '", pszPath, "'");
948
949 /* Record the start of the component. */
950 if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
951 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
952 "The path has too many components: '", pszPath, "'");
953 pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
954
955 /* Traverse to the end of the component, copying it as we go along. */
956 while (pszSrc[0])
957 {
958 if (RTPATH_IS_SLASH(pszSrc[0]))
959 {
960 pszSrc++;
961 if (*pszSrc)
962 *pszDst++ = RTPATH_SLASH;
963 else
964 pInfo->fDirSlash = true;
965 break;
966 }
967 *pszDst++ = *pszSrc++;
968 if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
969 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
970 "The path is too long: '", pszPath, "'");
971 }
972 }
973
974 /* Terminate the string and enter its length. */
975 pszDst[0] = '\0';
976 pszDst[1] = '\0'; /* for aoffComponents */
977 pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
978 pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
979
980 return VINF_SUCCESS;
981}
982
983
984/**
985 * The state information collected by supR3HardenedVerifyFsObject.
986 *
987 * This can be used to verify that a directory we've opened for enumeration is
988 * the same as the one that supR3HardenedVerifyFsObject just verified. It can
989 * equally be used to verify a native specfied by the user.
990 */
991typedef struct SUPR3HARDENEDFSOBJSTATE
992{
993#ifdef RT_OS_WINDOWS
994 /** Not implemented for windows yet. */
995 char chTodo;
996#else
997 /** The stat output. */
998 struct stat Stat;
999#endif
1000} SUPR3HARDENEDFSOBJSTATE;
1001/** Pointer to a file system object state. */
1002typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1003/** Pointer to a const file system object state. */
1004typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1005
1006
1007/**
1008 * Query information about a file system object by path.
1009 *
1010 * @returns VBox status code, error buffer filled on failure.
1011 * @param pszPath The path to the object.
1012 * @param pFsObjState Where to return the state information.
1013 * @param pErrInfo The error info structure.
1014 */
1015static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1016{
1017#if defined(RT_OS_WINDOWS)
1018 /** @todo Windows hardening. */
1019 pFsObjState->chTodo = 0;
1020 return VINF_SUCCESS;
1021
1022#else
1023 /*
1024 * Stat the object, do not follow links.
1025 */
1026 if (lstat(pszPath, &pFsObjState->Stat) != 0)
1027 {
1028 /* Ignore access errors */
1029 if (errno != EACCES)
1030 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1031 5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1032 }
1033
1034 /*
1035 * Read ACLs.
1036 */
1037 /** @todo */
1038
1039 return VINF_SUCCESS;
1040#endif
1041}
1042
1043
1044/**
1045 * Query information about a file system object by native handle.
1046 *
1047 * @returns VBox status code, error buffer filled on failure.
1048 * @param hNative The native handle to the object @a pszPath
1049 * specifies and this should be verified to be the
1050 * same file system object.
1051 * @param pFsObjState Where to return the state information.
1052 * @param pszPath The path to the object. (For the error message
1053 * only.)
1054 * @param pErrInfo The error info structure.
1055 */
1056static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1057 char const *pszPath, PRTERRINFO pErrInfo)
1058{
1059#if defined(RT_OS_WINDOWS)
1060 /** @todo Windows hardening. */
1061 pFsObjState->chTodo = 0;
1062 return VINF_SUCCESS;
1063
1064#else
1065 /*
1066 * Stat the object, do not follow links.
1067 */
1068 if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1069 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1070 5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1071
1072 /*
1073 * Read ACLs.
1074 */
1075 /** @todo */
1076
1077 return VINF_SUCCESS;
1078#endif
1079}
1080
1081
1082/**
1083 * Verifies that the file system object indicated by the native handle is the
1084 * same as the one @a pFsObjState indicates.
1085 *
1086 * @returns VBox status code, error buffer filled on failure.
1087 * @param pFsObjState1 File system object information/state by path.
1088 * @param pFsObjState2 File system object information/state by handle.
1089 * @param pszPath The path to the object @a pFsObjState
1090 * describes. (For the error message.)
1091 * @param pErrInfo The error info structure.
1092 */
1093static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1094 const char *pszPath, PRTERRINFO pErrInfo)
1095{
1096#if defined(RT_OS_WINDOWS)
1097 /** @todo Windows hardening. */
1098 return VINF_SUCCESS;
1099
1100#elif defined(RT_OS_OS2)
1101 return VINF_SUCCESS;
1102
1103#else
1104 /*
1105 * Compare the ino+dev, then the uid+gid and finally the important mode
1106 * bits. Technically the first one should be enough, but we're paranoid.
1107 */
1108 if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1109 || pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1110 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1111 "The native handle is not the same as '", pszPath, "' (ino/dev)");
1112 if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1113 || pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1114 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1115 "The native handle is not the same as '", pszPath, "' (uid/gid)");
1116 if ( (pFsObjState1->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH))
1117 != (pFsObjState2->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH)))
1118 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1119 "The native handle is not the same as '", pszPath, "' (mode)");
1120 return VINF_SUCCESS;
1121#endif
1122}
1123
1124
1125/**
1126 * Verifies a file system object (file or directory).
1127 *
1128 * @returns VBox status code, error buffer filled on failure.
1129 * @param pFsObjState The file system object information/state to be
1130 * verified.
1131 * @param fDir Whether this is a directory or a file.
1132 * @param fRelaxed Whether we can be more relaxed about this
1133 * directory (only used for grand parent
1134 * directories).
1135 * @param pszPath The path to the object. For error messages and
1136 * securing a couple of hacks.
1137 * @param pErrInfo The error info structure.
1138 */
1139static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1140 const char *pszPath, PRTERRINFO pErrInfo)
1141{
1142#if defined(RT_OS_WINDOWS)
1143 /** @todo Windows hardening. */
1144 NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1145 return VINF_SUCCESS;
1146
1147#elif defined(RT_OS_OS2)
1148 /* No hardening here - it's a single user system. */
1149 NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1150 return VINF_SUCCESS;
1151
1152#else
1153 /*
1154 * The owner must be root.
1155 *
1156 * This can be extended to include predefined system users if necessary.
1157 */
1158 if (pFsObjState->Stat.st_uid != 0)
1159 return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1160
1161 /*
1162 * The object type must be directory or file, no symbolic links or other
1163 * risky stuff (sorry dude, but we're paranoid on purpose here).
1164 */
1165 if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1166 && !S_ISREG(pFsObjState->Stat.st_mode))
1167 {
1168 if (S_ISLNK(pFsObjState->Stat.st_mode))
1169 return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1170 "Symlinks are not permitted: '", pszPath, "'");
1171 return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1172 "Not regular file or directory: '", pszPath, "'");
1173 }
1174 if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1175 {
1176 if (S_ISDIR(pFsObjState->Stat.st_mode))
1177 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1178 "Expected file but found directory: '", pszPath, "'");
1179 return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1180 "Expected directory but found file: '", pszPath, "'");
1181 }
1182
1183 /*
1184 * The group does not matter if it does not have write access, if it has
1185 * write access it must be group 0 (root/wheel/whatever).
1186 *
1187 * This can be extended to include predefined system groups or groups that
1188 * only root is member of.
1189 */
1190 if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1191 && pFsObjState->Stat.st_gid != 0)
1192 {
1193#ifdef RT_OS_DARWIN
1194 /* HACK ALERT: On Darwin /Applications is root:admin with admin having
1195 full access. So, to work around we relax the hardening a bit and
1196 permit grand parents and beyond to be group writable by admin. */
1197 /** @todo dynamically resolve the admin group? */
1198 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 80 /*admin*/ || strcmp(pszPath, "/Applications");
1199
1200#elif defined(RT_OS_FREEBSD)
1201 /* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1202 similar to /Applications on OS X (see above).
1203 On FreeBSD root is normally the only member of this group, on
1204 PC-BSD the default user is a member. */
1205 /** @todo dynamically resolve the operator group? */
1206 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 5 /*operator*/ || strcmp(pszPath, "/usr/pbi");
1207 NOREF(fRelaxed);
1208#else
1209 NOREF(fRelaxed);
1210 bool fBad = true;
1211#endif
1212 if (fBad)
1213 return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1214 "The group is not a system group and it has write access to '", pszPath, "'");
1215 }
1216
1217 /*
1218 * World must not have write access. There is no relaxing this rule.
1219 */
1220 if (pFsObjState->Stat.st_mode & S_IWOTH)
1221 return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1222 "World writable: '", pszPath, "'");
1223
1224 /*
1225 * Check the ACLs.
1226 */
1227 /** @todo */
1228
1229 return VINF_SUCCESS;
1230#endif
1231}
1232
1233
1234/**
1235 * Verifies that the file system object indicated by the native handle is the
1236 * same as the one @a pFsObjState indicates.
1237 *
1238 * @returns VBox status code, error buffer filled on failure.
1239 * @param hNative The native handle to the object @a pszPath
1240 * specifies and this should be verified to be the
1241 * same file system object.
1242 * @param pFsObjState The information/state returned by a previous
1243 * query call.
1244 * @param pszPath The path to the object @a pFsObjState
1245 * describes. (For the error message.)
1246 * @param pErrInfo The error info structure.
1247 */
1248static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1249 const char *pszPath, PRTERRINFO pErrInfo)
1250{
1251 SUPR3HARDENEDFSOBJSTATE FsObjState2;
1252 int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1253 if (RT_SUCCESS(rc))
1254 rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1255 return rc;
1256}
1257
1258
1259/**
1260 * Does the recursive directory enumeration.
1261 *
1262 * @returns VBox status code, error buffer filled on failure.
1263 * @param pszDirPath The path buffer containing the subdirectory to
1264 * enumerate followed by a slash (this is never
1265 * the root slash). The buffer is RTPATH_MAX in
1266 * size and anything starting at @a cchDirPath
1267 * - 1 and beyond is scratch space.
1268 * @param cchDirPath The length of the directory path + slash.
1269 * @param pFsObjState Pointer to the file system object state buffer.
1270 * On input this will hold the stats for
1271 * the directory @a pszDirPath indicates and will
1272 * be used to verified that we're opening the same
1273 * thing.
1274 * @param fRecursive Whether to recurse into subdirectories.
1275 * @param pErrInfo The error info structure.
1276 */
1277static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1278 bool fRecursive, PRTERRINFO pErrInfo)
1279{
1280#if defined(RT_OS_WINDOWS)
1281 /** @todo Windows hardening. */
1282 return VINF_SUCCESS;
1283
1284#elif defined(RT_OS_OS2)
1285 /* No hardening here - it's a single user system. */
1286 return VINF_SUCCESS;
1287
1288#else
1289 /*
1290 * Open the directory. Now, we could probably eliminate opendir here
1291 * and go down on kernel API level (open + getdents for instance), however
1292 * that's not very portable and hopefully not necessary.
1293 */
1294 DIR *pDir = opendir(pszDirPath);
1295 if (!pDir)
1296 {
1297 /* Ignore access errors. */
1298 if (errno == EACCES)
1299 return VINF_SUCCESS;
1300 return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1301 5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1302 }
1303 if (dirfd(pDir) != -1)
1304 {
1305 int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1306 if (RT_FAILURE(rc))
1307 {
1308 closedir(pDir);
1309 return rc;
1310 }
1311 }
1312
1313 /*
1314 * Enumerate the directory, check all the requested bits.
1315 */
1316 int rc = VINF_SUCCESS;
1317 for (;;)
1318 {
1319 pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1320
1321 struct dirent Entry;
1322 struct dirent *pEntry;
1323 int iErr = readdir_r(pDir, &Entry, &pEntry);
1324 if (iErr)
1325 {
1326 rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1327 5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1328 break;
1329 }
1330 if (!pEntry)
1331 break;
1332
1333 /*
1334 * Check the length and copy it into the path buffer so it can be
1335 * stat()'ed.
1336 */
1337 size_t cchName = strlen(pEntry->d_name);
1338 if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1339 {
1340 rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1341 4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1342 break;
1343 }
1344 memcpy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1345
1346 /*
1347 * Query the information about the entry and verify it.
1348 * (We don't bother skipping '.' and '..' at this point, a little bit
1349 * of extra checks doesn't hurt and neither requires relaxed handling.)
1350 */
1351 rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1352 if (RT_SUCCESS(rc))
1353 break;
1354 rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /*fRelaxed*/,
1355 pszDirPath, pErrInfo);
1356 if (RT_FAILURE(rc))
1357 break;
1358
1359 /*
1360 * Recurse into subdirectories if requested.
1361 */
1362 if ( fRecursive
1363 && S_ISDIR(pFsObjState->Stat.st_mode)
1364 && strcmp(pEntry->d_name, ".")
1365 && strcmp(pEntry->d_name, ".."))
1366 {
1367 pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1368 pszDirPath[cchDirPath + cchName + 1] = '\0';
1369
1370 rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1371 fRecursive, pErrInfo);
1372 if (RT_FAILURE(rc))
1373 break;
1374 }
1375 }
1376
1377 closedir(pDir);
1378 return VINF_SUCCESS;
1379#endif
1380}
1381
1382
1383/**
1384 * Worker for SUPR3HardenedVerifyDir.
1385 *
1386 * @returns See SUPR3HardenedVerifyDir.
1387 * @param pszDirPath See SUPR3HardenedVerifyDir.
1388 * @param fRecursive See SUPR3HardenedVerifyDir.
1389 * @param fCheckFiles See SUPR3HardenedVerifyDir.
1390 * @param pErrInfo See SUPR3HardenedVerifyDir.
1391 */
1392DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1393{
1394 /*
1395 * Validate the input path and parse it.
1396 */
1397 SUPR3HARDENEDPATHINFO Info;
1398 int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1399 if (RT_FAILURE(rc))
1400 return rc;
1401
1402 /*
1403 * Verify each component from the root up.
1404 */
1405 SUPR3HARDENEDFSOBJSTATE FsObjState;
1406 uint32_t const cComponents = Info.cComponents;
1407 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1408 {
1409 bool fRelaxed = iComponent + 2 < cComponents;
1410 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1411 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1412 if (RT_SUCCESS(rc))
1413 rc = supR3HardenedVerifyFsObject(&FsObjState, true /*fDir*/, fRelaxed, Info.szPath, pErrInfo);
1414 if (RT_FAILURE(rc))
1415 return rc;
1416 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1417 }
1418
1419 /*
1420 * Check files and subdirectories if requested.
1421 */
1422 if (fCheckFiles || fRecursive)
1423 {
1424 Info.szPath[Info.cch] = RTPATH_SLASH;
1425 Info.szPath[Info.cch + 1] = '\0';
1426 return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1427 fRecursive, pErrInfo);
1428 }
1429
1430 return VINF_SUCCESS;
1431}
1432
1433
1434/**
1435 * Verfies a file.
1436 *
1437 * @returns VBox status code, error buffer filled on failure.
1438 * @param pszFilename The file to verify.
1439 * @param hNativeFile Handle to the file, verify that it's the same
1440 * as we ended up with when verifying the path.
1441 * RTHCUINTPTR_MAX means NIL here.
1442 * @param pErrInfo Where to return extended error information.
1443 * Optional.
1444 */
1445DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile, PRTERRINFO pErrInfo)
1446{
1447 /*
1448 * Validate the input path and parse it.
1449 */
1450 SUPR3HARDENEDPATHINFO Info;
1451 int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1452 if (RT_FAILURE(rc))
1453 return rc;
1454 if (Info.fDirSlash)
1455 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1456 "The file path specifies a directory: '", pszFilename, "'");
1457
1458 /*
1459 * Verify each component from the root up.
1460 */
1461 SUPR3HARDENEDFSOBJSTATE FsObjState;
1462 uint32_t const cComponents = Info.cComponents;
1463 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1464 {
1465 bool fFinal = iComponent + 1 == cComponents;
1466 bool fRelaxed = iComponent + 2 < cComponents;
1467 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1468 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1469 if (RT_SUCCESS(rc))
1470 rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed, Info.szPath, pErrInfo);
1471 if (RT_FAILURE(rc))
1472 return rc;
1473 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1474 }
1475
1476 /*
1477 * Verify the file.
1478 */
1479 if (hNativeFile != RTHCUINTPTR_MAX)
1480 return supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1481 return VINF_SUCCESS;
1482}
1483
1484
1485/**
1486 * Gets the pre-init data for the hand-over to the other version
1487 * of this code.
1488 *
1489 * The reason why we pass this information on is that it contains
1490 * open directories and files. Later it may include even more info
1491 * (int the verified arrays mostly).
1492 *
1493 * The receiver is supR3HardenedRecvPreInitData.
1494 *
1495 * @param pPreInitData Where to store it.
1496 */
1497DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
1498{
1499 pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
1500 pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
1501 pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
1502
1503 pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
1504 pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
1505}
1506
1507
1508/**
1509 * Receives the pre-init data from the static executable stub.
1510 *
1511 * @returns VBox status code. Will not bitch on failure since the
1512 * runtime isn't ready for it, so that is left to the exe stub.
1513 *
1514 * @param pPreInitData The hand-over data.
1515 */
1516DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
1517{
1518 /*
1519 * Compare the array lengths and the contents of g_aSupInstallFiles.
1520 */
1521 if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
1522 || pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
1523 return VERR_VERSION_MISMATCH;
1524 SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
1525 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
1526 if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
1527 || g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
1528 || g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
1529 || strcmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
1530 return VERR_VERSION_MISMATCH;
1531
1532 /*
1533 * Check that we're not called out of order.
1534 * If dynamic linking it screwed up, we may end up here.
1535 */
1536 if ( ASMMemIsAll8(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles), 0) != NULL
1537 || ASMMemIsAll8(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs), 0) != NULL)
1538 return VERR_WRONG_ORDER;
1539
1540 /*
1541 * Copy the verification data over.
1542 */
1543 memcpy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
1544 memcpy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
1545 return VINF_SUCCESS;
1546}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette