VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 54874

Last change on this file since 54874 was 54453, checked in by vboxsync, 10 years ago

Runtime/testcase: tstRTR0ThreadPreemption rename fixes.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 69.6 KB
Line 
1/* $Id: SUPR3HardenedVerify.cpp 54453 2015-02-24 15:05:45Z vboxsync $ */
2/** @file
3 * VirtualBox Support Library - Verification of Hardened Installation.
4 */
5
6/*
7 * Copyright (C) 2006-2013 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27/*******************************************************************************
28* Header Files *
29*******************************************************************************/
30#if defined(RT_OS_OS2)
31# define INCL_BASE
32# define INCL_ERRORS
33# include <os2.h>
34# include <stdio.h>
35# include <stdlib.h>
36# include <unistd.h>
37# include <sys/fcntl.h>
38# include <sys/errno.h>
39# include <sys/syslimits.h>
40
41#elif defined(RT_OS_WINDOWS)
42# include <iprt/nt/nt-and-windows.h>
43# ifndef IN_SUP_HARDENED_R3
44# include <stdio.h>
45# endif
46
47#else /* UNIXes */
48# include <sys/types.h>
49# include <stdio.h>
50# include <stdlib.h>
51# include <dirent.h>
52# include <dlfcn.h>
53# include <fcntl.h>
54# include <limits.h>
55# include <errno.h>
56# include <unistd.h>
57# include <sys/stat.h>
58# include <sys/time.h>
59# include <sys/fcntl.h>
60# include <pwd.h>
61# ifdef RT_OS_DARWIN
62# include <mach-o/dyld.h>
63# endif
64
65#endif
66
67#include <VBox/sup.h>
68#include <VBox/err.h>
69#include <iprt/asm.h>
70#include <iprt/ctype.h>
71#include <iprt/param.h>
72#include <iprt/path.h>
73#include <iprt/string.h>
74
75#include "SUPLibInternal.h"
76#if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
77# define SUPHNTVI_NO_NT_STUFF
78# include "win/SUPHardenedVerify-win.h"
79#endif
80
81
82/*******************************************************************************
83* Defined Constants And Macros *
84*******************************************************************************/
85/** The max path length acceptable for a trusted path. */
86#define SUPR3HARDENED_MAX_PATH 260U
87
88#ifdef RT_OS_SOLARIS
89# define dirfd(d) ((d)->d_fd)
90#endif
91
92/** Compare table file names with externally supplied names. */
93#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
94# define SUP_COMP_FILENAME RTStrICmp
95#else
96# define SUP_COMP_FILENAME suplibHardenedStrCmp
97#endif
98
99
100/*******************************************************************************
101* Global Variables *
102*******************************************************************************/
103/**
104 * The files that gets verified.
105 *
106 * @todo This needs reviewing against the linux packages.
107 * @todo The excessive use of kSupID_SharedLib needs to be reviewed at some point. For
108 * the time being we're building the linux packages with SharedLib pointing to
109 * AppPrivArch (lazy bird).
110 */
111static SUPINSTFILE const g_aSupInstallFiles[] =
112{
113 /* type, dir, fOpt, "pszFile" */
114 /* ---------------------------------------------------------------------- */
115 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
116 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
117 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
118
119#ifdef VBOX_WITH_RAW_MODE
120 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMGC.gc" },
121 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDGC.gc" },
122 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDD2GC.gc" },
123#endif
124
125 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
126 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
127 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
128#if HC_ARCH_BITS == 32
129 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
130 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
131#endif
132 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
133 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
134 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
135
136//#ifdef VBOX_WITH_DEBUGGER_GUI
137 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
138 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
139//#endif
140
141//#ifdef VBOX_WITH_SHARED_CLIPBOARD
142 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
143//#endif
144//#ifdef VBOX_WITH_SHARED_FOLDERS
145 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
146//#endif
147//#ifdef VBOX_WITH_DRAG_AND_DROP
148 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
149//#endif
150//#ifdef VBOX_WITH_GUEST_PROPS
151 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
152//#endif
153//#ifdef VBOX_WITH_GUEST_CONTROL
154 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
155//#endif
156 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
157 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
158 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
159 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
160 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
161
162 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
163
164#ifdef VBOX_WITH_MAIN
165 { kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
166 #ifdef RT_OS_WINDOWS
167 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
168 #else
169 { kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
170 { kSupIFT_Dll, kSupID_SharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
171 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
172 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
173 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
174 { kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
175 #endif
176#endif
177
178 { kSupIFT_Dll, kSupID_SharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
179 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
180 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
181
182//#ifdef VBOX_WITH_HEADLESS
183 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
184 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
185 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
186//#endif
187
188//#ifdef VBOX_WITH_QTGUI
189 { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
190 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
191# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
192 { kSupIFT_Dll, kSupID_SharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
193# endif
194//#endif
195
196//#ifdef VBOX_WITH_VBOXSDL
197 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
198 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
199//#endif
200
201//#ifdef VBOX_WITH_WEBSERVICES
202 { kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
203//#endif
204
205#ifdef RT_OS_LINUX
206 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
207#endif
208
209//#ifdef VBOX_WITH_NETFLT
210 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
211 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
212//#endif
213
214//#ifdef VBOX_WITH_LWIP_NAT
215 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
216 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
217//#endif
218#if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
219# define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
220 { kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
221 { kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
222 HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
223 HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
224 HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
225 HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
226 HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
227# define HARDENED_TESTCASE_ENTRY(a_szName) \
228 { kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
229 { kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
230 HARDENED_TESTCASE_ENTRY("tstCFGM"),
231 HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
232 HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
233 HARDENED_TESTCASE_ENTRY("tstRTR0ThreadPreemptionDriver"),
234 HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
235 HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
236 HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
237 HARDENED_TESTCASE_ENTRY("tstSSM"),
238#endif
239};
240
241
242/** Array parallel to g_aSupInstallFiles containing per-file status info. */
243static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
244
245/** Array index by install directory specifier containing info about verified directories. */
246static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
247
248
249/**
250 * Assembles the path to a directory.
251 *
252 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
253 * decides whether it returns or not).
254 *
255 * @param enmDir The directory.
256 * @param pszDst Where to assemble the path.
257 * @param cchDst The size of the buffer.
258 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
259 */
260static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
261{
262 int rc;
263 switch (enmDir)
264 {
265 case kSupID_AppBin: /** @todo fix this AppBin crap (uncertain wtf some binaries actually are installed). */
266 case kSupID_Bin:
267 rc = supR3HardenedPathExecDir(pszDst, cchDst);
268 break;
269 case kSupID_SharedLib:
270 rc = supR3HardenedPathSharedLibs(pszDst, cchDst);
271 break;
272 case kSupID_AppPrivArch:
273 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
274 break;
275 case kSupID_AppPrivArchComp:
276 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
277 if (RT_SUCCESS(rc))
278 {
279 size_t off = suplibHardenedStrLen(pszDst);
280 if (cchDst - off >= sizeof("/components"))
281 suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
282 else
283 rc = VERR_BUFFER_OVERFLOW;
284 }
285 break;
286 case kSupID_AppPrivNoArch:
287 rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
288 break;
289 case kSupID_Testcase:
290 rc = supR3HardenedPathExecDir(pszDst, cchDst);
291 if (RT_SUCCESS(rc))
292 {
293 size_t off = suplibHardenedStrLen(pszDst);
294 if (cchDst - off >= sizeof("/testcase"))
295 suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
296 else
297 rc = VERR_BUFFER_OVERFLOW;
298 }
299 break;
300 default:
301 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
302 "supR3HardenedMakePath: enmDir=%d\n", enmDir);
303 }
304 if (RT_FAILURE(rc))
305 supR3HardenedError(rc, fFatal,
306 "supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
307 return rc;
308}
309
310
311
312/**
313 * Assembles the path to a file table entry, with or without the actual filename.
314 *
315 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
316 * decides whether it returns or not).
317 *
318 * @param pFile The file table entry.
319 * @param pszDst Where to assemble the path.
320 * @param cchDst The size of the buffer.
321 * @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
322 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
323 */
324static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
325{
326 /*
327 * Combine supR3HardenedMakePath and the filename.
328 */
329 int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
330 if (RT_SUCCESS(rc) && fWithFilename)
331 {
332 size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
333 size_t off = suplibHardenedStrLen(pszDst);
334 if (cchDst - off >= cchFile + 2)
335 {
336 pszDst[off++] = '/';
337 suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
338 }
339 else
340 rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
341 "supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
342 pFile->pszFile, (long)off);
343 }
344 return rc;
345}
346
347
348/**
349 * Verifies a directory.
350 *
351 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
352 * fFatal is clear and if it's set the function wont return.
353 * @param enmDir The directory specifier.
354 * @param fFatal Whether validation failures should be treated as
355 * fatal (true) or not (false).
356 */
357DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
358{
359 /*
360 * Validate the index just to be on the safe side...
361 */
362 if (enmDir <= kSupID_Invalid || enmDir >= kSupID_End)
363 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
364 "supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
365
366 /*
367 * Already validated?
368 */
369 if (g_aSupVerifiedDirs[enmDir].fValidated)
370 return VINF_SUCCESS; /** @todo revalidate? */
371
372 /* initialize the entry. */
373 if (g_aSupVerifiedDirs[enmDir].hDir != 0)
374 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
375 "supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
376 (void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
377 g_aSupVerifiedDirs[enmDir].hDir = -1;
378 g_aSupVerifiedDirs[enmDir].fValidated = false;
379
380 /*
381 * Make the path and open the directory.
382 */
383 char szPath[RTPATH_MAX];
384 int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
385 if (RT_SUCCESS(rc))
386 {
387#if defined(RT_OS_WINDOWS)
388 PRTUTF16 pwszPath;
389 rc = RTStrToUtf16(szPath, &pwszPath);
390 if (RT_SUCCESS(rc))
391 {
392 HANDLE hDir = CreateFileW(pwszPath,
393 GENERIC_READ,
394 FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE,
395 NULL,
396 OPEN_EXISTING,
397 FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS,
398 NULL);
399 if (hDir != INVALID_HANDLE_VALUE)
400 {
401 /** @todo check the type */
402 /* That's all on windows, for now at least... */
403 g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
404 g_aSupVerifiedDirs[enmDir].fValidated = true;
405 }
406 else if (enmDir == kSupID_Testcase)
407 {
408 g_aSupVerifiedDirs[enmDir].fValidated = true;
409 rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
410 }
411 else
412 {
413 int err = RtlGetLastWin32Error();
414 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
415 "supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
416 szPath, err);
417 }
418 RTUtf16Free(pwszPath);
419 }
420 else
421 rc = supR3HardenedError(rc, fFatal,
422 "supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
423
424#else /* UNIXY */
425 int fd = open(szPath, O_RDONLY, 0);
426 if (fd >= 0)
427 {
428 /*
429 * On unixy systems we'll make sure the directory is owned by root
430 * and not writable by the group and user.
431 */
432 struct stat st;
433 if (!fstat(fd, &st))
434 {
435
436 if ( st.st_uid == 0
437 && !(st.st_mode & (S_IWGRP | S_IWOTH))
438 && S_ISDIR(st.st_mode))
439 {
440 g_aSupVerifiedDirs[enmDir].hDir = fd;
441 g_aSupVerifiedDirs[enmDir].fValidated = true;
442 }
443 else
444 {
445 if (!S_ISDIR(st.st_mode))
446 rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
447 "supR3HardenedVerifyDir: \"%s\" is not a directory\n",
448 szPath, (long)st.st_uid);
449 else if (st.st_uid)
450 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
451 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
452 szPath, (long)st.st_uid);
453 else
454 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
455 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
456 szPath, (long)st.st_mode);
457 close(fd);
458 }
459 }
460 else
461 {
462 int err = errno;
463 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
464 "supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
465 szPath, strerror(err), err);
466 close(fd);
467 }
468 }
469 else if (enmDir == kSupID_Testcase)
470 {
471 g_aSupVerifiedDirs[enmDir].fValidated = true;
472 rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
473 }
474 else
475 {
476 int err = errno;
477 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
478 "supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
479 szPath, strerror(err), err);
480 }
481#endif /* UNIXY */
482 }
483
484 return rc;
485}
486
487
488#ifdef RT_OS_WINDOWS
489/**
490 * Opens the file for verification.
491 *
492 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
493 * fFatal is clear and if it's set the function wont return.
494 * @param pFile The file entry.
495 * @param fFatal Whether validation failures should be treated as
496 * kl fatal (true) or not (false).
497 * @param phFile The file handle, set to -1 if we failed to open
498 * the file. The function may return VINF_SUCCESS
499 * and a -1 handle if the file is optional.
500 */
501static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
502{
503 *phFile = -1;
504
505 char szPath[RTPATH_MAX];
506 int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
507 if (RT_SUCCESS(rc))
508 {
509 PRTUTF16 pwszPath;
510 rc = RTStrToUtf16(szPath, &pwszPath);
511 if (RT_SUCCESS(rc))
512 {
513 HANDLE hFile = CreateFileW(pwszPath,
514 GENERIC_READ,
515 FILE_SHARE_READ,
516 NULL,
517 OPEN_EXISTING,
518 FILE_ATTRIBUTE_NORMAL,
519 NULL);
520 if (hFile != INVALID_HANDLE_VALUE)
521 {
522 *phFile = (intptr_t)hFile;
523 rc = VINF_SUCCESS;
524 }
525 else
526 {
527 int err = RtlGetLastWin32Error();
528 if ( !pFile->fOptional
529 || ( err != ERROR_FILE_NOT_FOUND
530 && (err != ERROR_PATH_NOT_FOUND || pFile->enmDir != kSupID_Testcase) ) )
531 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
532 "supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
533 }
534 RTUtf16Free(pwszPath);
535 }
536 else
537 rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
538 szPath, rc);
539 }
540 return rc;
541}
542
543
544/**
545 * Worker for supR3HardenedVerifyFileInternal.
546 *
547 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
548 * fFatal is clear and if it's set the function wont return.
549 * @param pFile The file entry.
550 * @param pVerified The verification record.
551 * @param fFatal Whether validation failures should be treated as
552 * fatal (true) or not (false).
553 * @param fLeaveFileOpen Whether the file should be left open.
554 */
555static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
556{
557# if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
558
559 /*
560 * Open the file if we have to.
561 */
562 int rc;
563 intptr_t hFileOpened;
564 intptr_t hFile = pVerified->hFile;
565 if (hFile != -1)
566 hFileOpened = -1;
567 else
568 {
569 rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
570 if (RT_FAILURE(rc))
571 return rc;
572 hFile = hFileOpened;
573 }
574
575 /*
576 * Verify the signature.
577 */
578 char szErr[1024];
579 RTERRINFO ErrInfo;
580 RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
581
582 uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
583 if (pFile->enmType == kSupIFT_Rc)
584 fFlags |= SUPHNTVI_F_RC_IMAGE;
585
586 rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
587 if (RT_SUCCESS(rc))
588 pVerified->fCheckedSignature = true;
589 else
590 {
591 pVerified->fCheckedSignature = false;
592 rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
593 pFile->pszFile, rc, szErr);
594
595 }
596
597 /*
598 * Close the handle if we opened the file and we should close it.
599 */
600 if (hFileOpened != -1)
601 {
602 if (fLeaveFileOpen && RT_SUCCESS(rc))
603 pVerified->hFile = hFileOpened;
604 else
605 NtClose((HANDLE)hFileOpened);
606 }
607
608 return rc;
609
610# else /* Not checking signatures. */
611 return VINF_SUCCESS;
612# endif /* Not checking signatures. */
613}
614#endif
615
616
617/**
618 * Verifies a file entry.
619 *
620 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
621 * fFatal is clear and if it's set the function wont return.
622 *
623 * @param iFile The file table index of the file to be verified.
624 * @param fFatal Whether validation failures should be treated as
625 * fatal (true) or not (false).
626 * @param fLeaveFileOpen Whether the file should be left open.
627 * @param fVerifyAll Set if this is an verify all call and we will
628 * postpone signature checking.
629 */
630static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
631{
632 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
633 PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
634
635 /*
636 * Already done validation? Do signature validation if we haven't yet.
637 */
638 if (pVerified->fValidated)
639 {
640 /** @todo revalidate? Check that the file hasn't been replace or similar. */
641#ifdef RT_OS_WINDOWS
642 if (!pVerified->fCheckedSignature && !fVerifyAll)
643 return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
644#endif
645 return VINF_SUCCESS;
646 }
647
648
649 /* initialize the entry. */
650 if (pVerified->hFile != 0)
651 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
652 "supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
653 (void *)pVerified->hFile, pFile->pszFile);
654 pVerified->hFile = -1;
655 pVerified->fValidated = false;
656#ifdef RT_OS_WINDOWS
657 pVerified->fCheckedSignature = false;
658#endif
659
660 /*
661 * Verify the directory then proceed to open it.
662 * (This'll make sure the directory is opened and that we can (later)
663 * use openat if we wish.)
664 */
665 int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
666 if (RT_SUCCESS(rc))
667 {
668#if defined(RT_OS_WINDOWS)
669 rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
670 if (RT_SUCCESS(rc))
671 {
672 if (!fVerifyAll)
673 rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
674 if (RT_SUCCESS(rc))
675 {
676 pVerified->fValidated = true;
677 if (!fLeaveFileOpen)
678 {
679 NtClose((HANDLE)pVerified->hFile);
680 pVerified->hFile = -1;
681 }
682 }
683 }
684#else /* !RT_OS_WINDOWS */
685 char szPath[RTPATH_MAX];
686 rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
687 if (RT_SUCCESS(rc))
688 {
689 int fd = open(szPath, O_RDONLY, 0);
690 if (fd >= 0)
691 {
692 /*
693 * On unixy systems we'll make sure the file is owned by root
694 * and not writable by the group and user.
695 */
696 struct stat st;
697 if (!fstat(fd, &st))
698 {
699 if ( st.st_uid == 0
700 && !(st.st_mode & (S_IWGRP | S_IWOTH))
701 && S_ISREG(st.st_mode))
702 {
703 /* it's valid. */
704 if (fLeaveFileOpen)
705 pVerified->hFile = fd;
706 else
707 close(fd);
708 pVerified->fValidated = true;
709 }
710 else
711 {
712 if (!S_ISREG(st.st_mode))
713 rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
714 "supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
715 szPath, (long)st.st_uid);
716 else if (st.st_uid)
717 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
718 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
719 szPath, (long)st.st_uid);
720 else
721 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
722 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
723 szPath, (long)st.st_mode);
724 close(fd);
725 }
726 }
727 else
728 {
729 int err = errno;
730 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
731 "supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
732 szPath, strerror(err), err);
733 close(fd);
734 }
735 }
736 else
737 {
738 int err = errno;
739 if (!pFile->fOptional || err != ENOENT)
740 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
741 "supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
742 szPath, strerror(err), err);
743 }
744 }
745#endif /* !RT_OS_WINDOWS */
746 }
747
748 return rc;
749}
750
751
752/**
753 * Verifies that the specified table entry matches the given filename.
754 *
755 * @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
756 * error is returned or we terminate the application.
757 *
758 * @param iFile The file table index.
759 * @param pszFilename The filename.
760 * @param fFatal Whether validation failures should be treated as
761 * fatal (true) or not (false).
762 */
763static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
764{
765 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
766
767 /*
768 * Construct the full path for the file table entry
769 * and compare it with the specified file.
770 */
771 char szName[RTPATH_MAX];
772 int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
773 if (RT_FAILURE(rc))
774 return rc;
775 if (SUP_COMP_FILENAME(szName, pszFilename))
776 {
777 /*
778 * Normalize the two paths and compare again.
779 */
780 rc = VERR_NOT_SAME_DEVICE;
781#if defined(RT_OS_WINDOWS)
782 LPSTR pszIgnored;
783 char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
784 if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
785 && GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
786 if (!SUP_COMP_FILENAME(szName2, szName))
787 rc = VINF_SUCCESS;
788#else
789 AssertCompile(RTPATH_MAX >= PATH_MAX);
790 char szName2[RTPATH_MAX];
791 if ( realpath(szName, szName2) != NULL
792 && realpath(pszFilename, szName) != NULL)
793 if (!SUP_COMP_FILENAME(szName2, szName))
794 rc = VINF_SUCCESS;
795#endif
796
797 if (RT_FAILURE(rc))
798 {
799 supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
800 return supR3HardenedError(rc, fFatal,
801 "supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
802 pszFilename, szName);
803 }
804 }
805
806 /*
807 * Check more stuff like the stat info if it's an already open file?
808 */
809
810
811
812 return VINF_SUCCESS;
813}
814
815
816/**
817 * Verifies a file.
818 *
819 * @returns VINF_SUCCESS on success.
820 * VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
821 * On verification failure, an error code will be returned when fFatal is clear,
822 * otherwise the program will be terminated.
823 *
824 * @param pszFilename The filename.
825 * @param fFatal Whether validation failures should be treated as
826 * fatal (true) or not (false).
827 */
828DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
829{
830 /*
831 * Lookup the file and check if it's the same file.
832 */
833 const char *pszName = supR3HardenedPathFilename(pszFilename);
834 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
835 if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
836 {
837 int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
838 if (RT_SUCCESS(rc))
839 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen */, false /* fVerifyAll */);
840 return rc;
841 }
842
843 return VERR_NOT_FOUND;
844}
845
846
847/**
848 * Verifies a program, worker for supR3HardenedVerifyAll.
849 *
850 * @returns See supR3HardenedVerifyAll.
851 * @param pszProgName See supR3HardenedVerifyAll.
852 * @param fFatal See supR3HardenedVerifyAll.
853 * @param fLeaveOpen The leave open setting used by
854 * supR3HardenedVerifyAll.
855 */
856static int supR3HardenedVerifyProgram(const char *pszProgName, bool fFatal, bool fLeaveOpen)
857{
858 /*
859 * Search the table looking for the executable and the DLL/DYLIB/SO.
860 */
861 int rc = VINF_SUCCESS;
862 bool fExe = false;
863 bool fDll = false;
864 size_t const cchProgName = suplibHardenedStrLen(pszProgName);
865 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
866 if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgName))
867 {
868 if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
869 || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
870 && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_DLL_SUFF))
871 {
872 /* This only has to be found (once). */
873 if (fDll)
874 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
875 "supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
876 else
877 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
878 true /* fVerifyAll - check sign later, only final process need check it on load. */);
879 fDll = true;
880 }
881 else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
882 || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
883 && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_EXE_SUFF))
884 {
885 /* Here we'll have to check that the specific program is the same as the entry. */
886 if (fExe)
887 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
888 "supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
889 else
890 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
891 fExe = true;
892
893 char szFilename[RTPATH_MAX];
894 int rc2 = supR3HardenedPathExecDir(szFilename, sizeof(szFilename) - cchProgName - sizeof(SUPLIB_EXE_SUFF));
895 if (RT_SUCCESS(rc2))
896 {
897 suplibHardenedStrCat(szFilename, "/");
898 suplibHardenedStrCat(szFilename, g_aSupInstallFiles[iFile].pszFile);
899 supR3HardenedVerifySameFile(iFile, szFilename, fFatal);
900 }
901 else
902 rc = supR3HardenedError(rc2, fFatal,
903 "supR3HardenedVerifyProgram: failed to query program path: rc=%d\n", rc2);
904 }
905 }
906
907 /*
908 * Check the findings.
909 */
910 if (RT_SUCCESS(rc))
911 {
912 if (!fDll && !fExe)
913 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
914 "supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
915 else if (!fExe)
916 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
917 "supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
918 else if (!fDll)
919 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
920 "supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
921 }
922 return rc;
923}
924
925
926/**
927 * Verifies all the known files (called from SUPR3HardenedMain).
928 *
929 * @returns VINF_SUCCESS on success.
930 * On verification failure, an error code will be returned when fFatal is clear,
931 * otherwise the program will be terminated.
932 *
933 * @param fFatal Whether validation failures should be treated as
934 * fatal (true) or not (false).
935 * @param pszProgName The program name. This is used to verify that
936 * both the executable and corresponding
937 * DLL/DYLIB/SO are valid.
938 */
939DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char *pszProgName)
940{
941 /*
942 * On windows
943 */
944#if defined(RT_OS_WINDOWS)
945 bool fLeaveOpen = true;
946#else
947 bool fLeaveOpen = false;
948#endif
949
950 /*
951 * The verify all the files.
952 */
953 int rc = VINF_SUCCESS;
954 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
955 {
956 int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
957 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
958 rc = rc2;
959 }
960
961 /*
962 * Verify the program name, that is to say, check that it's in the table
963 * (thus verified above) and verify the signature on platforms where we
964 * sign things.
965 */
966 int rc2 = supR3HardenedVerifyProgram(pszProgName, fFatal, fLeaveOpen);
967 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
968 rc2 = rc;
969
970 return rc;
971}
972
973
974/**
975 * Copies the N messages into the error buffer and returns @a rc.
976 *
977 * @returns Returns @a rc
978 * @param rc The return code.
979 * @param pErrInfo The error info structure.
980 * @param cMsgs The number of messages in the ellipsis.
981 * @param ... Message parts.
982 */
983static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
984{
985 if (pErrInfo)
986 {
987 size_t cbErr = pErrInfo->cbMsg;
988 char *pszErr = pErrInfo->pszMsg;
989
990 va_list va;
991 va_start(va, cMsgs);
992 while (cMsgs-- > 0 && cbErr > 0)
993 {
994 const char *pszMsg = va_arg(va, const char *);
995 size_t cchMsg = VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
996 if (cchMsg >= cbErr)
997 cchMsg = cbErr - 1;
998 suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
999 pszErr[cchMsg] = '\0';
1000 pszErr += cchMsg;
1001 cbErr -= cchMsg;
1002 }
1003 va_end(va);
1004
1005 pErrInfo->rc = rc;
1006 pErrInfo->fFlags |= RTERRINFO_FLAGS_SET;
1007 }
1008
1009 return rc;
1010}
1011
1012
1013/**
1014 * Copies the three messages into the error buffer and returns @a rc.
1015 *
1016 * @returns Returns @a rc
1017 * @param rc The return code.
1018 * @param pErrInfo The error info structure.
1019 * @param pszMsg1 The first message part.
1020 * @param pszMsg2 The second message part.
1021 * @param pszMsg3 The third message part.
1022 */
1023static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1024 const char *pszMsg2, const char *pszMsg3)
1025{
1026 return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
1027}
1028
1029#ifdef SOME_UNUSED_FUNCTION
1030
1031/**
1032 * Copies the two messages into the error buffer and returns @a rc.
1033 *
1034 * @returns Returns @a rc
1035 * @param rc The return code.
1036 * @param pErrInfo The error info structure.
1037 * @param pszMsg1 The first message part.
1038 * @param pszMsg2 The second message part.
1039 */
1040static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1041 const char *pszMsg2)
1042{
1043 return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
1044}
1045
1046
1047/**
1048 * Copies the error message to the error buffer and returns @a rc.
1049 *
1050 * @returns Returns @a rc
1051 * @param rc The return code.
1052 * @param pErrInfo The error info structure.
1053 * @param pszMsg The message.
1054 */
1055static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
1056{
1057 return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
1058}
1059
1060#endif /* SOME_UNUSED_FUNCTION */
1061
1062/**
1063 * Output from a successfull supR3HardenedVerifyPathSanity call.
1064 */
1065typedef struct SUPR3HARDENEDPATHINFO
1066{
1067 /** The length of the path in szCopy. */
1068 uint16_t cch;
1069 /** The number of path components. */
1070 uint16_t cComponents;
1071 /** Set if the path ends with slash, indicating that it's a directory
1072 * reference and not a file reference. The slash has been removed from
1073 * the copy. */
1074 bool fDirSlash;
1075 /** The offset where each path component starts, i.e. the char after the
1076 * slash. The array has cComponents + 1 entries, where the final one is
1077 * cch + 1 so that one can always terminate the current component by
1078 * szPath[aoffComponent[i] - 1] = '\0'. */
1079 uint16_t aoffComponents[32+1];
1080 /** A normalized copy of the path.
1081 * Reserve some extra space so we can be more relaxed about overflow
1082 * checks and terminator paddings, especially when recursing. */
1083 char szPath[SUPR3HARDENED_MAX_PATH * 2];
1084} SUPR3HARDENEDPATHINFO;
1085/** Pointer to a parsed path. */
1086typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
1087
1088
1089/**
1090 * Verifies that the path is absolutely sane, it also parses the path.
1091 *
1092 * A sane path starts at the root (w/ drive letter on DOS derived systems) and
1093 * does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
1094 * Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
1095 * paths are not supported.
1096 *
1097 * @returns VBox status code.
1098 * @param pszPath The path to check.
1099 * @param pErrInfo The error info structure.
1100 * @param pInfo Where to return a copy of the path along with
1101 * parsing information.
1102 */
1103static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
1104{
1105 const char *pszSrc = pszPath;
1106 char *pszDst = pInfo->szPath;
1107
1108 /*
1109 * Check that it's an absolute path and copy the volume/root specifier.
1110 */
1111#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
1112 if ( !RT_C_IS_ALPHA(pszSrc[0])
1113 || pszSrc[1] != ':'
1114 || !RTPATH_IS_SLASH(pszSrc[2]))
1115 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1116
1117 *pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
1118 *pszDst++ = ':';
1119 *pszDst++ = RTPATH_SLASH;
1120 pszSrc += 3;
1121
1122#else
1123 if (!RTPATH_IS_SLASH(pszSrc[0]))
1124 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1125
1126 *pszDst++ = RTPATH_SLASH;
1127 pszSrc += 1;
1128#endif
1129
1130 /*
1131 * No path specifying the root or something very shortly thereafter will
1132 * be approved of.
1133 */
1134 if (pszSrc[0] == '\0')
1135 return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
1136 if ( pszSrc[1] == '\0'
1137 || pszSrc[2] == '\0')
1138 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
1139
1140 /*
1141 * Check each component. No parent references or double slashes.
1142 */
1143 pInfo->cComponents = 0;
1144 pInfo->fDirSlash = false;
1145 while (pszSrc[0])
1146 {
1147 /* Sanity checks. */
1148 if (RTPATH_IS_SLASH(pszSrc[0])) /* can be relaxed if we care. */
1149 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
1150 "The path is not clean of double slashes: '", pszPath, "'");
1151 if ( pszSrc[0] == '.'
1152 && pszSrc[1] == '.'
1153 && RTPATH_IS_SLASH(pszSrc[2]))
1154 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
1155 "The path is not absolute: '", pszPath, "'");
1156
1157 /* Record the start of the component. */
1158 if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
1159 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
1160 "The path has too many components: '", pszPath, "'");
1161 pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
1162
1163 /* Traverse to the end of the component, copying it as we go along. */
1164 while (pszSrc[0])
1165 {
1166 if (RTPATH_IS_SLASH(pszSrc[0]))
1167 {
1168 pszSrc++;
1169 if (*pszSrc)
1170 *pszDst++ = RTPATH_SLASH;
1171 else
1172 pInfo->fDirSlash = true;
1173 break;
1174 }
1175 *pszDst++ = *pszSrc++;
1176 if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
1177 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1178 "The path is too long: '", pszPath, "'");
1179 }
1180 }
1181
1182 /* Terminate the string and enter its length. */
1183 pszDst[0] = '\0';
1184 pszDst[1] = '\0'; /* for aoffComponents */
1185 pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
1186 pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
1187
1188 return VINF_SUCCESS;
1189}
1190
1191
1192/**
1193 * The state information collected by supR3HardenedVerifyFsObject.
1194 *
1195 * This can be used to verify that a directory we've opened for enumeration is
1196 * the same as the one that supR3HardenedVerifyFsObject just verified. It can
1197 * equally be used to verify a native specfied by the user.
1198 */
1199typedef struct SUPR3HARDENEDFSOBJSTATE
1200{
1201#ifdef RT_OS_WINDOWS
1202 /** Not implemented for windows yet. */
1203 char chTodo;
1204#else
1205 /** The stat output. */
1206 struct stat Stat;
1207#endif
1208} SUPR3HARDENEDFSOBJSTATE;
1209/** Pointer to a file system object state. */
1210typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1211/** Pointer to a const file system object state. */
1212typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1213
1214
1215/**
1216 * Query information about a file system object by path.
1217 *
1218 * @returns VBox status code, error buffer filled on failure.
1219 * @param pszPath The path to the object.
1220 * @param pFsObjState Where to return the state information.
1221 * @param pErrInfo The error info structure.
1222 */
1223static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1224{
1225#if defined(RT_OS_WINDOWS)
1226 /** @todo Windows hardening. */
1227 pFsObjState->chTodo = 0;
1228 return VINF_SUCCESS;
1229
1230#else
1231 /*
1232 * Stat the object, do not follow links.
1233 */
1234 if (lstat(pszPath, &pFsObjState->Stat) != 0)
1235 {
1236 /* Ignore access errors */
1237 if (errno != EACCES)
1238 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1239 5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1240 }
1241
1242 /*
1243 * Read ACLs.
1244 */
1245 /** @todo */
1246
1247 return VINF_SUCCESS;
1248#endif
1249}
1250
1251
1252/**
1253 * Query information about a file system object by native handle.
1254 *
1255 * @returns VBox status code, error buffer filled on failure.
1256 * @param hNative The native handle to the object @a pszPath
1257 * specifies and this should be verified to be the
1258 * same file system object.
1259 * @param pFsObjState Where to return the state information.
1260 * @param pszPath The path to the object. (For the error message
1261 * only.)
1262 * @param pErrInfo The error info structure.
1263 */
1264static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1265 char const *pszPath, PRTERRINFO pErrInfo)
1266{
1267#if defined(RT_OS_WINDOWS)
1268 /** @todo Windows hardening. */
1269 pFsObjState->chTodo = 0;
1270 return VINF_SUCCESS;
1271
1272#else
1273 /*
1274 * Stat the object, do not follow links.
1275 */
1276 if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1277 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1278 5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1279
1280 /*
1281 * Read ACLs.
1282 */
1283 /** @todo */
1284
1285 return VINF_SUCCESS;
1286#endif
1287}
1288
1289
1290/**
1291 * Verifies that the file system object indicated by the native handle is the
1292 * same as the one @a pFsObjState indicates.
1293 *
1294 * @returns VBox status code, error buffer filled on failure.
1295 * @param pFsObjState1 File system object information/state by path.
1296 * @param pFsObjState2 File system object information/state by handle.
1297 * @param pszPath The path to the object @a pFsObjState
1298 * describes. (For the error message.)
1299 * @param pErrInfo The error info structure.
1300 */
1301static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1302 const char *pszPath, PRTERRINFO pErrInfo)
1303{
1304#if defined(RT_OS_WINDOWS)
1305 /** @todo Windows hardening. */
1306 return VINF_SUCCESS;
1307
1308#elif defined(RT_OS_OS2)
1309 return VINF_SUCCESS;
1310
1311#else
1312 /*
1313 * Compare the ino+dev, then the uid+gid and finally the important mode
1314 * bits. Technically the first one should be enough, but we're paranoid.
1315 */
1316 if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1317 || pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1318 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1319 "The native handle is not the same as '", pszPath, "' (ino/dev)");
1320 if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1321 || pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1322 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1323 "The native handle is not the same as '", pszPath, "' (uid/gid)");
1324 if ( (pFsObjState1->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH))
1325 != (pFsObjState2->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH)))
1326 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1327 "The native handle is not the same as '", pszPath, "' (mode)");
1328 return VINF_SUCCESS;
1329#endif
1330}
1331
1332
1333/**
1334 * Verifies a file system object (file or directory).
1335 *
1336 * @returns VBox status code, error buffer filled on failure.
1337 * @param pFsObjState The file system object information/state to be
1338 * verified.
1339 * @param fDir Whether this is a directory or a file.
1340 * @param fRelaxed Whether we can be more relaxed about this
1341 * directory (only used for grand parent
1342 * directories).
1343 * @param pszPath The path to the object. For error messages and
1344 * securing a couple of hacks.
1345 * @param pErrInfo The error info structure.
1346 */
1347static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1348 const char *pszPath, PRTERRINFO pErrInfo)
1349{
1350#if defined(RT_OS_WINDOWS)
1351 /** @todo Windows hardening. */
1352 NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1353 return VINF_SUCCESS;
1354
1355#elif defined(RT_OS_OS2)
1356 /* No hardening here - it's a single user system. */
1357 NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1358 return VINF_SUCCESS;
1359
1360#else
1361 /*
1362 * The owner must be root.
1363 *
1364 * This can be extended to include predefined system users if necessary.
1365 */
1366 if (pFsObjState->Stat.st_uid != 0)
1367 return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1368
1369 /*
1370 * The object type must be directory or file, no symbolic links or other
1371 * risky stuff (sorry dude, but we're paranoid on purpose here).
1372 */
1373 if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1374 && !S_ISREG(pFsObjState->Stat.st_mode))
1375 {
1376 if (S_ISLNK(pFsObjState->Stat.st_mode))
1377 return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1378 "Symlinks are not permitted: '", pszPath, "'");
1379 return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1380 "Not regular file or directory: '", pszPath, "'");
1381 }
1382 if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1383 {
1384 if (S_ISDIR(pFsObjState->Stat.st_mode))
1385 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1386 "Expected file but found directory: '", pszPath, "'");
1387 return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1388 "Expected directory but found file: '", pszPath, "'");
1389 }
1390
1391 /*
1392 * The group does not matter if it does not have write access, if it has
1393 * write access it must be group 0 (root/wheel/whatever).
1394 *
1395 * This can be extended to include predefined system groups or groups that
1396 * only root is member of.
1397 */
1398 if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1399 && pFsObjState->Stat.st_gid != 0)
1400 {
1401#ifdef RT_OS_DARWIN
1402 /* HACK ALERT: On Darwin /Applications is root:admin with admin having
1403 full access. So, to work around we relax the hardening a bit and
1404 permit grand parents and beyond to be group writable by admin. */
1405 /** @todo dynamically resolve the admin group? */
1406 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 80 /*admin*/ || suplibHardenedStrCmp(pszPath, "/Applications");
1407
1408#elif defined(RT_OS_FREEBSD)
1409 /* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1410 similar to /Applications on OS X (see above).
1411 On FreeBSD root is normally the only member of this group, on
1412 PC-BSD the default user is a member. */
1413 /** @todo dynamically resolve the operator group? */
1414 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 5 /*operator*/ || suplibHardenedStrCmp(pszPath, "/usr/pbi");
1415 NOREF(fRelaxed);
1416#else
1417 NOREF(fRelaxed);
1418 bool fBad = true;
1419#endif
1420 if (fBad)
1421 return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1422 "An unknown (and thus untrusted) group has write access to '", pszPath,
1423 "' and we therefore cannot trust the directory content or that of any subdirectory");
1424 }
1425
1426 /*
1427 * World must not have write access. There is no relaxing this rule.
1428 */
1429 if (pFsObjState->Stat.st_mode & S_IWOTH)
1430 return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1431 "World writable: '", pszPath, "'");
1432
1433 /*
1434 * Check the ACLs.
1435 */
1436 /** @todo */
1437
1438 return VINF_SUCCESS;
1439#endif
1440}
1441
1442
1443/**
1444 * Verifies that the file system object indicated by the native handle is the
1445 * same as the one @a pFsObjState indicates.
1446 *
1447 * @returns VBox status code, error buffer filled on failure.
1448 * @param hNative The native handle to the object @a pszPath
1449 * specifies and this should be verified to be the
1450 * same file system object.
1451 * @param pFsObjState The information/state returned by a previous
1452 * query call.
1453 * @param pszPath The path to the object @a pFsObjState
1454 * describes. (For the error message.)
1455 * @param pErrInfo The error info structure.
1456 */
1457static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1458 const char *pszPath, PRTERRINFO pErrInfo)
1459{
1460 SUPR3HARDENEDFSOBJSTATE FsObjState2;
1461 int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1462 if (RT_SUCCESS(rc))
1463 rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1464 return rc;
1465}
1466
1467
1468/**
1469 * Does the recursive directory enumeration.
1470 *
1471 * @returns VBox status code, error buffer filled on failure.
1472 * @param pszDirPath The path buffer containing the subdirectory to
1473 * enumerate followed by a slash (this is never
1474 * the root slash). The buffer is RTPATH_MAX in
1475 * size and anything starting at @a cchDirPath
1476 * - 1 and beyond is scratch space.
1477 * @param cchDirPath The length of the directory path + slash.
1478 * @param pFsObjState Pointer to the file system object state buffer.
1479 * On input this will hold the stats for
1480 * the directory @a pszDirPath indicates and will
1481 * be used to verified that we're opening the same
1482 * thing.
1483 * @param fRecursive Whether to recurse into subdirectories.
1484 * @param pErrInfo The error info structure.
1485 */
1486static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1487 bool fRecursive, PRTERRINFO pErrInfo)
1488{
1489#if defined(RT_OS_WINDOWS)
1490 /** @todo Windows hardening. */
1491 return VINF_SUCCESS;
1492
1493#elif defined(RT_OS_OS2)
1494 /* No hardening here - it's a single user system. */
1495 return VINF_SUCCESS;
1496
1497#else
1498 /*
1499 * Open the directory. Now, we could probably eliminate opendir here
1500 * and go down on kernel API level (open + getdents for instance), however
1501 * that's not very portable and hopefully not necessary.
1502 */
1503 DIR *pDir = opendir(pszDirPath);
1504 if (!pDir)
1505 {
1506 /* Ignore access errors. */
1507 if (errno == EACCES)
1508 return VINF_SUCCESS;
1509 return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1510 5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1511 }
1512 if (dirfd(pDir) != -1)
1513 {
1514 int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1515 if (RT_FAILURE(rc))
1516 {
1517 closedir(pDir);
1518 return rc;
1519 }
1520 }
1521
1522 /*
1523 * Enumerate the directory, check all the requested bits.
1524 */
1525 int rc = VINF_SUCCESS;
1526 for (;;)
1527 {
1528 pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1529
1530 struct dirent Entry;
1531 struct dirent *pEntry;
1532 int iErr = readdir_r(pDir, &Entry, &pEntry);
1533 if (iErr)
1534 {
1535 rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1536 5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1537 break;
1538 }
1539 if (!pEntry)
1540 break;
1541
1542 /*
1543 * Check the length and copy it into the path buffer so it can be
1544 * stat()'ed.
1545 */
1546 size_t cchName = suplibHardenedStrLen(pEntry->d_name);
1547 if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1548 {
1549 rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1550 4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1551 break;
1552 }
1553 suplibHardenedMemCopy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1554
1555 /*
1556 * Query the information about the entry and verify it.
1557 * (We don't bother skipping '.' and '..' at this point, a little bit
1558 * of extra checks doesn't hurt and neither requires relaxed handling.)
1559 */
1560 rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1561 if (RT_SUCCESS(rc))
1562 break;
1563 rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /*fRelaxed*/,
1564 pszDirPath, pErrInfo);
1565 if (RT_FAILURE(rc))
1566 break;
1567
1568 /*
1569 * Recurse into subdirectories if requested.
1570 */
1571 if ( fRecursive
1572 && S_ISDIR(pFsObjState->Stat.st_mode)
1573 && suplibHardenedStrCmp(pEntry->d_name, ".")
1574 && suplibHardenedStrCmp(pEntry->d_name, ".."))
1575 {
1576 pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1577 pszDirPath[cchDirPath + cchName + 1] = '\0';
1578
1579 rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1580 fRecursive, pErrInfo);
1581 if (RT_FAILURE(rc))
1582 break;
1583 }
1584 }
1585
1586 closedir(pDir);
1587 return VINF_SUCCESS;
1588#endif
1589}
1590
1591
1592/**
1593 * Worker for SUPR3HardenedVerifyDir.
1594 *
1595 * @returns See SUPR3HardenedVerifyDir.
1596 * @param pszDirPath See SUPR3HardenedVerifyDir.
1597 * @param fRecursive See SUPR3HardenedVerifyDir.
1598 * @param fCheckFiles See SUPR3HardenedVerifyDir.
1599 * @param pErrInfo See SUPR3HardenedVerifyDir.
1600 */
1601DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1602{
1603 /*
1604 * Validate the input path and parse it.
1605 */
1606 SUPR3HARDENEDPATHINFO Info;
1607 int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1608 if (RT_FAILURE(rc))
1609 return rc;
1610
1611 /*
1612 * Verify each component from the root up.
1613 */
1614 SUPR3HARDENEDFSOBJSTATE FsObjState;
1615 uint32_t const cComponents = Info.cComponents;
1616 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1617 {
1618 bool fRelaxed = iComponent + 2 < cComponents;
1619 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1620 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1621 if (RT_SUCCESS(rc))
1622 rc = supR3HardenedVerifyFsObject(&FsObjState, true /*fDir*/, fRelaxed, Info.szPath, pErrInfo);
1623 if (RT_FAILURE(rc))
1624 return rc;
1625 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1626 }
1627
1628 /*
1629 * Check files and subdirectories if requested.
1630 */
1631 if (fCheckFiles || fRecursive)
1632 {
1633 Info.szPath[Info.cch] = RTPATH_SLASH;
1634 Info.szPath[Info.cch + 1] = '\0';
1635 return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1636 fRecursive, pErrInfo);
1637 }
1638
1639 return VINF_SUCCESS;
1640}
1641
1642
1643/**
1644 * Verfies a file.
1645 *
1646 * @returns VBox status code, error buffer filled on failure.
1647 * @param pszFilename The file to verify.
1648 * @param hNativeFile Handle to the file, verify that it's the same
1649 * as we ended up with when verifying the path.
1650 * RTHCUINTPTR_MAX means NIL here.
1651 * @param fMaybe3rdParty Set if the file is could be a supplied by a
1652 * third party. Different validation rules may
1653 * apply to 3rd party code on some platforms.
1654 * @param pErrInfo Where to return extended error information.
1655 * Optional.
1656 */
1657DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
1658 bool fMaybe3rdParty, PRTERRINFO pErrInfo)
1659{
1660 /*
1661 * Validate the input path and parse it.
1662 */
1663 SUPR3HARDENEDPATHINFO Info;
1664 int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1665 if (RT_FAILURE(rc))
1666 return rc;
1667 if (Info.fDirSlash)
1668 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1669 "The file path specifies a directory: '", pszFilename, "'");
1670
1671 /*
1672 * Verify each component from the root up.
1673 */
1674 SUPR3HARDENEDFSOBJSTATE FsObjState;
1675 uint32_t const cComponents = Info.cComponents;
1676 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1677 {
1678 bool fFinal = iComponent + 1 == cComponents;
1679 bool fRelaxed = iComponent + 2 < cComponents;
1680 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1681 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1682 if (RT_SUCCESS(rc))
1683 rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed, Info.szPath, pErrInfo);
1684 if (RT_FAILURE(rc))
1685 return rc;
1686 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1687 }
1688
1689 /*
1690 * Verify the file handle against the last component, if specified.
1691 */
1692 if (hNativeFile != RTHCUINTPTR_MAX)
1693 {
1694 rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1695 if (RT_FAILURE(rc))
1696 return rc;
1697 }
1698
1699#ifdef RT_OS_WINDOWS
1700 /*
1701 * The files shall be signed on windows, verify that.
1702 */
1703 rc = VINF_SUCCESS;
1704 HANDLE hVerify;
1705 if (hNativeFile == RTHCUINTPTR_MAX)
1706 {
1707 PRTUTF16 pwszPath;
1708 rc = RTStrToUtf16(pszFilename, &pwszPath);
1709 if (RT_SUCCESS(rc))
1710 {
1711 hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1712 RTUtf16Free(pwszPath);
1713 }
1714 else
1715 rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
1716 }
1717 else
1718 {
1719 NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
1720 GENERIC_READ, 0 /*HandleAttributes*/, 0 /*Options*/);
1721 if (!NT_SUCCESS(rcNt))
1722 hVerify = INVALID_HANDLE_VALUE;
1723 }
1724 if (hVerify != INVALID_HANDLE_VALUE)
1725 {
1726# ifdef VBOX_WITH_HARDENING
1727 uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
1728 if (!fMaybe3rdParty)
1729 fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
1730 const char *pszSuffix = RTPathSuffix(pszFilename);
1731 if ( pszSuffix
1732 && pszSuffix[0] == '.'
1733 && ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
1734 || RT_C_TO_LOWER(pszSuffix[1]) == 'g')
1735 && RT_C_TO_LOWER(pszSuffix[2]) == 'c'
1736 && pszSuffix[3] == '\0' )
1737 fFlags |= SUPHNTVI_F_RC_IMAGE;
1738# ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
1739 rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
1740# endif
1741# endif
1742 NtClose(hVerify);
1743 }
1744 else if (RT_SUCCESS(rc))
1745 rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
1746 "Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
1747 if (RT_FAILURE(rc))
1748 return rc;
1749#endif
1750
1751 return VINF_SUCCESS;
1752}
1753
1754
1755/**
1756 * Gets the pre-init data for the hand-over to the other version
1757 * of this code.
1758 *
1759 * The reason why we pass this information on is that it contains
1760 * open directories and files. Later it may include even more info
1761 * (int the verified arrays mostly).
1762 *
1763 * The receiver is supR3HardenedRecvPreInitData.
1764 *
1765 * @param pPreInitData Where to store it.
1766 */
1767DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
1768{
1769 pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
1770 pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
1771 pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
1772
1773 pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
1774 pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
1775}
1776
1777
1778/**
1779 * Receives the pre-init data from the static executable stub.
1780 *
1781 * @returns VBox status code. Will not bitch on failure since the
1782 * runtime isn't ready for it, so that is left to the exe stub.
1783 *
1784 * @param pPreInitData The hand-over data.
1785 */
1786DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
1787{
1788 /*
1789 * Compare the array lengths and the contents of g_aSupInstallFiles.
1790 */
1791 if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
1792 || pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
1793 return VERR_VERSION_MISMATCH;
1794 SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
1795 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
1796 if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
1797 || g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
1798 || g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
1799 || suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
1800 return VERR_VERSION_MISMATCH;
1801
1802 /*
1803 * Check that we're not called out of order.
1804 * If dynamic linking it screwed up, we may end up here.
1805 */
1806 if ( ASMMemIsAll8(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles), 0) != NULL
1807 || ASMMemIsAll8(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs), 0) != NULL)
1808 return VERR_WRONG_ORDER;
1809
1810 /*
1811 * Copy the verification data over.
1812 */
1813 suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
1814 suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
1815 return VINF_SUCCESS;
1816}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette