SUPR3HardenedVerify.cpp@ 74125

Last change on this file since 74125 was 72247, checked in by vboxsync, 7 years ago
FE/Qt and HostDriver/Support: bugref:9049: Hardening support for split GUI functionality (at least Win host).
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 83.9 KB

Line
1	/* $Id: SUPR3HardenedVerify.cpp 72247 2018-05-17 17:28:18Z vboxsync $ */
2	/** @file
3	* VirtualBox Support Library - Verification of Hardened Installation.
4	*/
5
6	/*
7	* Copyright (C) 2006-2017 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27
28	/*********************************************************************************************************************************
29	* Header Files *
30	*********************************************************************************************************************************/
31	#if defined(RT_OS_OS2)
32	# define INCL_BASE
33	# define INCL_ERRORS
34	# include <os2.h>
35	# include <stdio.h>
36	# include <stdlib.h>
37	# include <unistd.h>
38	# include <sys/fcntl.h>
39	# include <sys/errno.h>
40	# include <sys/syslimits.h>
41
42	#elif defined(RT_OS_WINDOWS)
43	# include <iprt/nt/nt-and-windows.h>
44	# ifndef IN_SUP_HARDENED_R3
45	# include <stdio.h>
46	# endif
47
48	#else /* UNIXes */
49	# include <sys/types.h>
50	# include <stdio.h>
51	# include <stdlib.h>
52	# include <dirent.h>
53	# include <dlfcn.h>
54	# include <fcntl.h>
55	# include <limits.h>
56	# include <errno.h>
57	# include <unistd.h>
58	# include <sys/stat.h>
59	# include <sys/time.h>
60	# include <sys/fcntl.h>
61	# include <pwd.h>
62	# ifdef RT_OS_DARWIN
63	# include <mach-o/dyld.h>
64	# endif
65
66	#endif
67
68	#include <VBox/sup.h>
69	#include <VBox/err.h>
70	#include <iprt/asm.h>
71	#include <iprt/ctype.h>
72	#include <iprt/param.h>
73	#include <iprt/path.h>
74	#include <iprt/string.h>
75
76	#include "SUPLibInternal.h"
77	#if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
78	# define SUPHNTVI_NO_NT_STUFF
79	# include "win/SUPHardenedVerify-win.h"
80	#endif
81
82
83	/*********************************************************************************************************************************
84	* Defined Constants And Macros *
85	*********************************************************************************************************************************/
86	/** The max path length acceptable for a trusted path. */
87	#define SUPR3HARDENED_MAX_PATH 260U
88
89	/** Enable to resolve symlinks using realpath() instead of cooking our own stuff. */
90	#define SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH 1
91
92	#ifdef RT_OS_SOLARIS
93	# define dirfd(d) ((d)->d_fd)
94	#endif
95
96	/** Compare table file names with externally supplied names. */
97	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
98	# define SUP_COMP_FILENAME RTStrICmp
99	#else
100	# define SUP_COMP_FILENAME suplibHardenedStrCmp
101	#endif
102
103
104	/*********************************************************************************************************************************
105	* Global Variables *
106	*********************************************************************************************************************************/
107	/**
108	* The files that gets verified.
109	*
110	* @todo This needs reviewing against the linux packages.
111	* @todo The excessive use of kSupID_AppSharedLib needs to be reviewed at some point. For
112	* the time being we're building the linux packages with SharedLib pointing to
113	* AppPrivArch (lazy bird).
114	*
115	* @remarks If you add executables here, you might need to update
116	* g_apszSupNtVpAllowedVmExes in SUPHardenedVerifyProcess-win.cpp.
117	*/
118	static SUPINSTFILE const g_aSupInstallFiles[] =
119	{
120	/* type, dir, fOpt, "pszFile" */
121	/* ---------------------------------------------------------------------- */
122	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
123	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
124	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
125
126	#ifdef VBOX_WITH_RAW_MODE
127	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMRC.rc" },
128	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDRC.rc" },
129	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDD2RC.rc" },
130	#endif
131
132	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
133	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
134	#ifdef VBOX_WITH_REM
135	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
136	#endif
137	#if HC_ARCH_BITS == 32
138	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
139	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
140	#endif
141	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
142	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
143	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
144	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxVMMPreload" SUPLIB_EXE_SUFF },
145	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVMMPreload" SUPLIB_DLL_SUFF },
146
147	//#ifdef VBOX_WITH_DEBUGGER_GUI
148	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
149	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
150	//#endif
151
152	//#ifdef VBOX_WITH_SHARED_CLIPBOARD
153	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
154	//#endif
155	//#ifdef VBOX_WITH_SHARED_FOLDERS
156	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
157	//#endif
158	//#ifdef VBOX_WITH_DRAG_AND_DROP
159	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
160	//#endif
161	//#ifdef VBOX_WITH_GUEST_PROPS
162	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
163	//#endif
164	//#ifdef VBOX_WITH_GUEST_CONTROL
165	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
166	//#endif
167	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
168	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
169	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
170	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
171	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
172
173	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
174
175	#ifdef VBOX_WITH_MAIN
176	{ kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
177	#ifdef RT_OS_WINDOWS
178	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
179	#else
180	{ kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
181	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
182	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
183	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
184	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
185	{ kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
186	#endif
187	#endif
188
189	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
190	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
191	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
192
193	//#ifdef VBOX_WITH_HEADLESS
194	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
195	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
196	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
197	//#endif
198
199	//#ifdef VBOX_WITH_QTGUI
200	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
201	# ifndef VBOX_GUI_WITH_SHARED_LIBRARY
202	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
203	# ifdef RT_OS_DARWIN
204	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
205	# endif
206	# else
207	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
208	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBoxVM" SUPLIB_DLL_SUFF },
209	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGlobal" SUPLIB_DLL_SUFF },
210	# endif
211	# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
212	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
213	# endif
214	//#endif
215
216	//#ifdef VBOX_WITH_VBOXSDL
217	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
218	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
219	//#endif
220
221	//#ifdef VBOX_WITH_WEBSERVICES
222	{ kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
223	//#endif
224
225	#ifdef RT_OS_LINUX
226	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
227	#endif
228
229	//#ifdef VBOX_WITH_NETFLT
230	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
231	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
232	//#endif
233
234	//#ifdef VBOX_WITH_LWIP_NAT
235	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
236	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
237	//#endif
238	#if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
239	# define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
240	{ kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
241	{ kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
242	HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
243	HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
244	HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
245	HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
246	HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
247	# define HARDENED_TESTCASE_ENTRY(a_szName) \
248	{ kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
249	{ kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
250	HARDENED_TESTCASE_ENTRY("tstCFGM"),
251	HARDENED_TESTCASE_ENTRY("tstGIP-2"),
252	HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
253	HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
254	HARDENED_TESTCASE_ENTRY("tstRTR0ThreadPreemptionDriver"),
255	HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
256	HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
257	HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
258	HARDENED_TESTCASE_ENTRY("tstSSM"),
259	#endif
260	};
261
262
263	/** Array parallel to g_aSupInstallFiles containing per-file status info. */
264	static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
265
266	/** Array index by install directory specifier containing info about verified directories. */
267	static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
268
269
270	/**
271	* Assembles the path to a directory.
272	*
273	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
274	* decides whether it returns or not).
275	*
276	* @param enmDir The directory.
277	* @param pszDst Where to assemble the path.
278	* @param cchDst The size of the buffer.
279	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
280	*/
281	static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
282	{
283	int rc;
284	switch (enmDir)
285	{
286	case kSupID_AppBin:
287	rc = supR3HardenedPathAppBin(pszDst, cchDst);
288	break;
289	case kSupID_AppSharedLib:
290	rc = supR3HardenedPathAppSharedLibs(pszDst, cchDst);
291	break;
292	case kSupID_AppPrivArch:
293	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
294	break;
295	case kSupID_AppPrivArchComp:
296	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
297	if (RT_SUCCESS(rc))
298	{
299	size_t off = suplibHardenedStrLen(pszDst);
300	if (cchDst - off >= sizeof("/components"))
301	suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
302	else
303	rc = VERR_BUFFER_OVERFLOW;
304	}
305	break;
306	case kSupID_AppPrivNoArch:
307	rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
308	break;
309	case kSupID_Testcase:
310	rc = supR3HardenedPathAppBin(pszDst, cchDst);
311	if (RT_SUCCESS(rc))
312	{
313	size_t off = suplibHardenedStrLen(pszDst);
314	if (cchDst - off >= sizeof("/testcase"))
315	suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
316	else
317	rc = VERR_BUFFER_OVERFLOW;
318	}
319	break;
320	default:
321	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
322	"supR3HardenedMakePath: enmDir=%d\n", enmDir);
323	}
324	if (RT_FAILURE(rc))
325	supR3HardenedError(rc, fFatal,
326	"supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
327	return rc;
328	}
329
330
331
332	/**
333	* Assembles the path to a file table entry, with or without the actual filename.
334	*
335	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
336	* decides whether it returns or not).
337	*
338	* @param pFile The file table entry.
339	* @param pszDst Where to assemble the path.
340	* @param cchDst The size of the buffer.
341	* @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
342	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
343	*/
344	static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
345	{
346	/*
347	* Combine supR3HardenedMakePath and the filename.
348	*/
349	int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
350	if (RT_SUCCESS(rc) && fWithFilename)
351	{
352	size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
353	size_t off = suplibHardenedStrLen(pszDst);
354	if (cchDst - off >= cchFile + 2)
355	{
356	pszDst[off++] = '/';
357	suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
358	}
359	else
360	rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
361	"supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
362	pFile->pszFile, (long)off);
363	}
364	return rc;
365	}
366
367
368	/**
369	* Verifies a directory.
370	*
371	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
372	* fFatal is clear and if it's set the function wont return.
373	* @param enmDir The directory specifier.
374	* @param fFatal Whether validation failures should be treated as
375	* fatal (true) or not (false).
376	*/
377	DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
378	{
379	/*
380	* Validate the index just to be on the safe side...
381	*/
382	if (enmDir <= kSupID_Invalid \|\| enmDir >= kSupID_End)
383	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
384	"supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
385
386	/*
387	* Already validated?
388	*/
389	if (g_aSupVerifiedDirs[enmDir].fValidated)
390	return VINF_SUCCESS; /** @todo revalidate? */
391
392	/* initialize the entry. */
393	if (g_aSupVerifiedDirs[enmDir].hDir != 0)
394	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
395	"supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
396	(void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
397	g_aSupVerifiedDirs[enmDir].hDir = -1;
398	g_aSupVerifiedDirs[enmDir].fValidated = false;
399
400	/*
401	* Make the path and open the directory.
402	*/
403	char szPath[RTPATH_MAX];
404	int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
405	if (RT_SUCCESS(rc))
406	{
407	#if defined(RT_OS_WINDOWS)
408	PRTUTF16 pwszPath;
409	rc = RTStrToUtf16(szPath, &pwszPath);
410	if (RT_SUCCESS(rc))
411	{
412	HANDLE hDir = CreateFileW(pwszPath,
413	GENERIC_READ,
414	FILE_SHARE_READ \| FILE_SHARE_DELETE \| FILE_SHARE_WRITE,
415	NULL,
416	OPEN_EXISTING,
417	FILE_ATTRIBUTE_NORMAL \| FILE_FLAG_BACKUP_SEMANTICS,
418	NULL);
419	if (hDir != INVALID_HANDLE_VALUE)
420	{
421	/** @todo check the type */
422	/* That's all on windows, for now at least... */
423	g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
424	g_aSupVerifiedDirs[enmDir].fValidated = true;
425	}
426	else if (enmDir == kSupID_Testcase)
427	{
428	g_aSupVerifiedDirs[enmDir].fValidated = true;
429	rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
430	}
431	else
432	{
433	int err = RtlGetLastWin32Error();
434	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
435	"supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
436	szPath, err);
437	}
438	RTUtf16Free(pwszPath);
439	}
440	else
441	rc = supR3HardenedError(rc, fFatal,
442	"supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
443
444	#else /* UNIXY */
445	int fd = open(szPath, O_RDONLY, 0);
446	if (fd >= 0)
447	{
448	/*
449	* On unixy systems we'll make sure the directory is owned by root
450	* and not writable by the group and user.
451	*/
452	struct stat st;
453	if (!fstat(fd, &st))
454	{
455
456	if ( st.st_uid == 0
457	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
458	&& S_ISDIR(st.st_mode))
459	{
460	g_aSupVerifiedDirs[enmDir].hDir = fd;
461	g_aSupVerifiedDirs[enmDir].fValidated = true;
462	}
463	else
464	{
465	if (!S_ISDIR(st.st_mode))
466	rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
467	"supR3HardenedVerifyDir: \"%s\" is not a directory\n",
468	szPath, (long)st.st_uid);
469	else if (st.st_uid)
470	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
471	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
472	szPath, (long)st.st_uid);
473	else
474	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
475	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
476	szPath, (long)st.st_mode);
477	close(fd);
478	}
479	}
480	else
481	{
482	int err = errno;
483	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
484	"supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
485	szPath, strerror(err), err);
486	close(fd);
487	}
488	}
489	else if (enmDir == kSupID_Testcase)
490	{
491	g_aSupVerifiedDirs[enmDir].fValidated = true;
492	rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
493	}
494	else
495	{
496	int err = errno;
497	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
498	"supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
499	szPath, strerror(err), err);
500	}
501	#endif /* UNIXY */
502	}
503
504	return rc;
505	}
506
507
508	#ifdef RT_OS_WINDOWS
509	/**
510	* Opens the file for verification.
511	*
512	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
513	* fFatal is clear and if it's set the function wont return.
514	* @param pFile The file entry.
515	* @param fFatal Whether validation failures should be treated as
516	* kl fatal (true) or not (false).
517	* @param phFile The file handle, set to -1 if we failed to open
518	* the file. The function may return VINF_SUCCESS
519	* and a -1 handle if the file is optional.
520	*/
521	static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
522	{
523	*phFile = -1;
524
525	char szPath[RTPATH_MAX];
526	int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /fWithFilename/, fFatal);
527	if (RT_SUCCESS(rc))
528	{
529	PRTUTF16 pwszPath;
530	rc = RTStrToUtf16(szPath, &pwszPath);
531	if (RT_SUCCESS(rc))
532	{
533	HANDLE hFile = CreateFileW(pwszPath,
534	GENERIC_READ,
535	FILE_SHARE_READ,
536	NULL,
537	OPEN_EXISTING,
538	FILE_ATTRIBUTE_NORMAL,
539	NULL);
540	if (hFile != INVALID_HANDLE_VALUE)
541	{
542	*phFile = (intptr_t)hFile;
543	rc = VINF_SUCCESS;
544	}
545	else
546	{
547	int err = RtlGetLastWin32Error();
548	if ( !pFile->fOptional
549	\|\| ( err != ERROR_FILE_NOT_FOUND
550	&& (err != ERROR_PATH_NOT_FOUND \|\| pFile->enmDir != kSupID_Testcase) ) )
551	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
552	"supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
553	}
554	RTUtf16Free(pwszPath);
555	}
556	else
557	rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
558	szPath, rc);
559	}
560	return rc;
561	}
562
563
564	/**
565	* Worker for supR3HardenedVerifyFileInternal.
566	*
567	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
568	* fFatal is clear and if it's set the function wont return.
569	* @param pFile The file entry.
570	* @param pVerified The verification record.
571	* @param fFatal Whether validation failures should be treated as
572	* fatal (true) or not (false).
573	* @param fLeaveFileOpen Whether the file should be left open.
574	*/
575	static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
576	{
577	# if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
578
579	/*
580	* Open the file if we have to.
581	*/
582	int rc;
583	intptr_t hFileOpened;
584	intptr_t hFile = pVerified->hFile;
585	if (hFile != -1)
586	hFileOpened = -1;
587	else
588	{
589	rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
590	if (RT_FAILURE(rc))
591	return rc;
592	hFile = hFileOpened;
593	}
594
595	/*
596	* Verify the signature.
597	*/
598	char szErr[1024];
599	RTERRINFO ErrInfo;
600	RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
601
602	uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
603	if (pFile->enmType == kSupIFT_Rc)
604	fFlags \|= SUPHNTVI_F_RC_IMAGE;
605
606	rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
607	if (RT_SUCCESS(rc))
608	pVerified->fCheckedSignature = true;
609	else
610	{
611	pVerified->fCheckedSignature = false;
612	rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
613	pFile->pszFile, rc, szErr);
614
615	}
616
617	/*
618	* Close the handle if we opened the file and we should close it.
619	*/
620	if (hFileOpened != -1)
621	{
622	if (fLeaveFileOpen && RT_SUCCESS(rc))
623	pVerified->hFile = hFileOpened;
624	else
625	NtClose((HANDLE)hFileOpened);
626	}
627
628	return rc;
629
630	# else /* Not checking signatures. */
631	RT_NOREF4(pFile, pVerified, fFatal, fLeaveFileOpen);
632	return VINF_SUCCESS;
633	# endif /* Not checking signatures. */
634	}
635	#endif
636
637
638	/**
639	* Verifies a file entry.
640	*
641	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
642	* fFatal is clear and if it's set the function wont return.
643	*
644	* @param iFile The file table index of the file to be verified.
645	* @param fFatal Whether validation failures should be treated as
646	* fatal (true) or not (false).
647	* @param fLeaveFileOpen Whether the file should be left open.
648	* @param fVerifyAll Set if this is an verify all call and we will
649	* postpone signature checking.
650	*/
651	static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
652	{
653	#ifndef RT_OS_WINDOWS
654	RT_NOREF1(fVerifyAll);
655	#endif
656	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
657	PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
658
659	/*
660	* Already done validation? Do signature validation if we haven't yet.
661	*/
662	if (pVerified->fValidated)
663	{
664	/** @todo revalidate? Check that the file hasn't been replace or similar. */
665	#ifdef RT_OS_WINDOWS
666	if (!pVerified->fCheckedSignature && !fVerifyAll)
667	return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
668	#endif
669	return VINF_SUCCESS;
670	}
671
672
673	/* initialize the entry. */
674	if (pVerified->hFile != 0)
675	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
676	"supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
677	(void *)pVerified->hFile, pFile->pszFile);
678	pVerified->hFile = -1;
679	pVerified->fValidated = false;
680	#ifdef RT_OS_WINDOWS
681	pVerified->fCheckedSignature = false;
682	#endif
683
684	/*
685	* Verify the directory then proceed to open it.
686	* (This'll make sure the directory is opened and that we can (later)
687	* use openat if we wish.)
688	*/
689	int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
690	if (RT_SUCCESS(rc))
691	{
692	#if defined(RT_OS_WINDOWS)
693	rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
694	if (RT_SUCCESS(rc))
695	{
696	if (!fVerifyAll)
697	rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
698	if (RT_SUCCESS(rc))
699	{
700	pVerified->fValidated = true;
701	if (!fLeaveFileOpen)
702	{
703	NtClose((HANDLE)pVerified->hFile);
704	pVerified->hFile = -1;
705	}
706	}
707	}
708	#else /* !RT_OS_WINDOWS */
709	char szPath[RTPATH_MAX];
710	rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /fWithFilename/, fFatal);
711	if (RT_SUCCESS(rc))
712	{
713	int fd = open(szPath, O_RDONLY, 0);
714	if (fd >= 0)
715	{
716	/*
717	* On unixy systems we'll make sure the file is owned by root
718	* and not writable by the group and user.
719	*/
720	struct stat st;
721	if (!fstat(fd, &st))
722	{
723	if ( st.st_uid == 0
724	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
725	&& S_ISREG(st.st_mode))
726	{
727	/* it's valid. */
728	if (fLeaveFileOpen)
729	pVerified->hFile = fd;
730	else
731	close(fd);
732	pVerified->fValidated = true;
733	}
734	else
735	{
736	if (!S_ISREG(st.st_mode))
737	rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
738	"supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
739	szPath, (long)st.st_uid);
740	else if (st.st_uid)
741	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
742	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
743	szPath, (long)st.st_uid);
744	else
745	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
746	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
747	szPath, (long)st.st_mode);
748	close(fd);
749	}
750	}
751	else
752	{
753	int err = errno;
754	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
755	"supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
756	szPath, strerror(err), err);
757	close(fd);
758	}
759	}
760	else
761	{
762	int err = errno;
763	if (!pFile->fOptional \|\| err != ENOENT)
764	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
765	"supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
766	szPath, strerror(err), err);
767	}
768	}
769	#endif /* !RT_OS_WINDOWS */
770	}
771
772	return rc;
773	}
774
775
776	/**
777	* Verifies that the specified table entry matches the given filename.
778	*
779	* @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
780	* error is returned or we terminate the application.
781	*
782	* @param iFile The file table index.
783	* @param pszFilename The filename.
784	* @param fFatal Whether validation failures should be treated as
785	* fatal (true) or not (false).
786	*/
787	static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
788	{
789	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
790
791	/*
792	* Construct the full path for the file table entry
793	* and compare it with the specified file.
794	*/
795	char szName[RTPATH_MAX];
796	int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
797	if (RT_FAILURE(rc))
798	return rc;
799	if (SUP_COMP_FILENAME(szName, pszFilename))
800	{
801	/*
802	* Normalize the two paths and compare again.
803	*/
804	rc = VERR_NOT_SAME_DEVICE;
805	#if defined(RT_OS_WINDOWS)
806	LPSTR pszIgnored;
807	char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
808	if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
809	&& GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
810	if (!SUP_COMP_FILENAME(szName2, szName))
811	rc = VINF_SUCCESS;
812	#else
813	AssertCompile(RTPATH_MAX >= PATH_MAX);
814	char szName2[RTPATH_MAX];
815	if ( realpath(szName, szName2) != NULL
816	&& realpath(pszFilename, szName) != NULL)
817	if (!SUP_COMP_FILENAME(szName2, szName))
818	rc = VINF_SUCCESS;
819	#endif
820
821	if (RT_FAILURE(rc))
822	{
823	supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
824	return supR3HardenedError(rc, fFatal,
825	"supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
826	pszFilename, szName);
827	}
828	}
829
830	/*
831	* Check more stuff like the stat info if it's an already open file?
832	*/
833
834
835
836	return VINF_SUCCESS;
837	}
838
839
840	/**
841	* Verifies a file.
842	*
843	* @returns VINF_SUCCESS on success.
844	* VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
845	* On verification failure, an error code will be returned when fFatal is clear,
846	* otherwise the program will be terminated.
847	*
848	* @param pszFilename The filename.
849	* @param fFatal Whether validation failures should be treated as
850	* fatal (true) or not (false).
851	*/
852	DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
853	{
854	/*
855	* Lookup the file and check if it's the same file.
856	*/
857	const char *pszName = supR3HardenedPathFilename(pszFilename);
858	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
859	if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
860	{
861	int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
862	if (RT_SUCCESS(rc))
863	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen /, false / fVerifyAll */);
864	return rc;
865	}
866
867	return VERR_NOT_FOUND;
868	}
869
870
871	/**
872	* Verifies a program, worker for supR3HardenedVerifyAll.
873	*
874	* @returns See supR3HardenedVerifyAll.
875	* @param pszProgName See supR3HardenedVerifyAll.
876	* @param pszExePath The path to the executable.
877	* @param fFatal See supR3HardenedVerifyAll.
878	* @param fLeaveOpen The leave open setting used by
879	* supR3HardenedVerifyAll.
880	* @param fMainFlags Flags supplied to SUPR3HardenedMain.
881	*/
882	static int supR3HardenedVerifyProgram(const char pszProgName, const char pszExePath, bool fFatal,
883	bool fLeaveOpen, uint32_t fMainFlags)
884	{
885	/*
886	* Search the table looking for the executable and the DLL/DYLIB/SO.
887	* Note! On darwin we have a hack in place for VirtualBoxVM helper app
888	* to share VirtualBox.dylib with the VirtualBox app. This ASSUMES
889	* that cchProgNameDll is equal or shorter to the exe name.
890	*/
891	int rc = VINF_SUCCESS;
892	bool fExe = false;
893	bool fDll = false;
894	size_t const cchProgNameExe = suplibHardenedStrLen(pszProgName);
895	#ifndef RT_OS_DARWIN
896	size_t const cchProgNameDll = cchProgNameExe;
897	NOREF(fMainFlags);
898	#else
899	size_t const cchProgNameDll = fMainFlags & SUPSECMAIN_FLAGS_OSX_VM_APP
900	? sizeof("VirtualBox") - 1
901	: cchProgNameExe;
902	if (cchProgNameDll > cchProgNameExe)
903	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
904	"supR3HardenedVerifyProgram: SUPSECMAIN_FLAGS_OSX_VM_APP + '%s'", pszProgName);
905	#endif
906	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
907	if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameDll))
908	{
909	if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
910	\|\| g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
911	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameDll], SUPLIB_DLL_SUFF))
912	{
913	/* This only has to be found (once). */
914	if (fDll)
915	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
916	"supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
917	else
918	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
919	true /* fVerifyAll - check sign later, only final process need check it on load. */);
920	fDll = true;
921	}
922	else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
923	\|\| g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
924	&& ( cchProgNameExe == cchProgNameDll
925	\|\| !suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameExe))
926	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameExe], SUPLIB_EXE_SUFF))
927	{
928	/* Here we'll have to check that the specific program is the same as the entry. */
929	if (fExe)
930	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
931	"supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
932	else
933	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
934	fExe = true;
935
936	supR3HardenedVerifySameFile(iFile, pszExePath, fFatal);
937	}
938	}
939
940	/*
941	* Check the findings.
942	*/
943	if (RT_SUCCESS(rc))
944	{
945	if (!fDll && !fExe)
946	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
947	"supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
948	else if (!fExe)
949	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
950	"supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
951	else if (!fDll)
952	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
953	"supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
954	}
955	return rc;
956	}
957
958
959	/**
960	* Verifies all the known files (called from SUPR3HardenedMain).
961	*
962	* @returns VINF_SUCCESS on success.
963	* On verification failure, an error code will be returned when fFatal is clear,
964	* otherwise the program will be terminated.
965	*
966	* @param fFatal Whether validation failures should be treated as
967	* fatal (true) or not (false).
968	* @param pszProgName The program name. This is used to verify that
969	* both the executable and corresponding
970	* DLL/DYLIB/SO are valid.
971	* @param pszExePath The path to the executable.
972	* @param fMainFlags Flags supplied to SUPR3HardenedMain.
973	*/
974	DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char pszProgName, const char pszExePath, uint32_t fMainFlags)
975	{
976	/*
977	* On windows
978	*/
979	#if defined(RT_OS_WINDOWS)
980	bool fLeaveOpen = true;
981	#else
982	bool fLeaveOpen = false;
983	#endif
984
985	/*
986	* The verify all the files.
987	*/
988	int rc = VINF_SUCCESS;
989	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
990	{
991	int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
992	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
993	rc = rc2;
994	}
995
996	/*
997	* Verify the program name, that is to say, check that it's in the table
998	* (thus verified above) and verify the signature on platforms where we
999	* sign things.
1000	*/
1001	int rc2 = supR3HardenedVerifyProgram(pszProgName, pszExePath, fFatal, fLeaveOpen, fMainFlags);
1002	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
1003	rc2 = rc;
1004
1005	return rc;
1006	}
1007
1008
1009	/**
1010	* Copies the N messages into the error buffer and returns @a rc.
1011	*
1012	* @returns Returns @a rc
1013	* @param rc The return code.
1014	* @param pErrInfo The error info structure.
1015	* @param cMsgs The number of messages in the ellipsis.
1016	* @param ... Message parts.
1017	*/
1018	static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
1019	{
1020	if (pErrInfo)
1021	{
1022	size_t cbErr = pErrInfo->cbMsg;
1023	char *pszErr = pErrInfo->pszMsg;
1024
1025	va_list va;
1026	va_start(va, cMsgs);
1027	while (cMsgs-- > 0 && cbErr > 0)
1028	{
1029	const char pszMsg = va_arg(va, const char );
1030	size_t cchMsg = VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
1031	if (cchMsg >= cbErr)
1032	cchMsg = cbErr - 1;
1033	suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
1034	pszErr[cchMsg] = '\0';
1035	pszErr += cchMsg;
1036	cbErr -= cchMsg;
1037	}
1038	va_end(va);
1039
1040	pErrInfo->rc = rc;
1041	pErrInfo->fFlags \|= RTERRINFO_FLAGS_SET;
1042	}
1043
1044	return rc;
1045	}
1046
1047
1048	#if defined(RT_OS_DARWIN) \|\| defined(RT_OS_LINUX)
1049	/**
1050	* Copies the four messages into the error buffer and returns @a rc.
1051	*
1052	* @returns Returns @a rc
1053	* @param rc The return code.
1054	* @param pErrInfo The error info structure.
1055	* @param pszMsg1 The first message part.
1056	* @param pszMsg2 The second message part.
1057	* @param pszMsg3 The third message part.
1058	* @param pszMsg4 The fourth message part.
1059	*/
1060	static int supR3HardenedSetError4(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1061	const char pszMsg2, const char pszMsg3, const char *pszMsg4)
1062	{
1063	return supR3HardenedSetErrorN(rc, pErrInfo, 4, pszMsg1, pszMsg2, pszMsg3, pszMsg4);
1064	}
1065	#endif
1066
1067
1068	/**
1069	* Copies the three messages into the error buffer and returns @a rc.
1070	*
1071	* @returns Returns @a rc
1072	* @param rc The return code.
1073	* @param pErrInfo The error info structure.
1074	* @param pszMsg1 The first message part.
1075	* @param pszMsg2 The second message part.
1076	* @param pszMsg3 The third message part.
1077	*/
1078	static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1079	const char pszMsg2, const char pszMsg3)
1080	{
1081	return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
1082	}
1083
1084
1085	#ifdef SOME_UNUSED_FUNCTION
1086	/**
1087	* Copies the two messages into the error buffer and returns @a rc.
1088	*
1089	* @returns Returns @a rc
1090	* @param rc The return code.
1091	* @param pErrInfo The error info structure.
1092	* @param pszMsg1 The first message part.
1093	* @param pszMsg2 The second message part.
1094	*/
1095	static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1096	const char *pszMsg2)
1097	{
1098	return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
1099	}
1100	#endif
1101
1102
1103	#ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
1104	# if defined(RT_OS_DARWIN) \|\| defined(RT_OS_LINUX)
1105	/**
1106	* Copies the error message to the error buffer and returns @a rc.
1107	*
1108	* @returns Returns @a rc
1109	* @param rc The return code.
1110	* @param pErrInfo The error info structure.
1111	* @param pszMsg The message.
1112	*/
1113	static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
1114	{
1115	return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
1116	}
1117	# endif
1118	#endif
1119
1120
1121	/**
1122	* Output from a successfull supR3HardenedVerifyPathSanity call.
1123	*/
1124	typedef struct SUPR3HARDENEDPATHINFO
1125	{
1126	/** The length of the path in szCopy. */
1127	uint16_t cch;
1128	/** The number of path components. */
1129	uint16_t cComponents;
1130	/** Set if the path ends with slash, indicating that it's a directory
1131	* reference and not a file reference. The slash has been removed from
1132	* the copy. */
1133	bool fDirSlash;
1134	/** The offset where each path component starts, i.e. the char after the
1135	* slash. The array has cComponents + 1 entries, where the final one is
1136	* cch + 1 so that one can always terminate the current component by
1137	* szPath[aoffComponent[i] - 1] = '\0'. */
1138	uint16_t aoffComponents[32+1];
1139	/** A normalized copy of the path.
1140	* Reserve some extra space so we can be more relaxed about overflow
1141	* checks and terminator paddings, especially when recursing. */
1142	char szPath[SUPR3HARDENED_MAX_PATH * 2];
1143	} SUPR3HARDENEDPATHINFO;
1144	/** Pointer to a parsed path. */
1145	typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
1146
1147
1148	/**
1149	* Verifies that the path is absolutely sane, it also parses the path.
1150	*
1151	* A sane path starts at the root (w/ drive letter on DOS derived systems) and
1152	* does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
1153	* Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
1154	* paths are not supported.
1155	*
1156	* @returns VBox status code.
1157	* @param pszPath The path to check.
1158	* @param pErrInfo The error info structure.
1159	* @param pInfo Where to return a copy of the path along with
1160	* parsing information.
1161	*/
1162	static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
1163	{
1164	const char *pszSrc = pszPath;
1165	char *pszDst = pInfo->szPath;
1166
1167	/*
1168	* Check that it's an absolute path and copy the volume/root specifier.
1169	*/
1170	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
1171	if ( !RT_C_IS_ALPHA(pszSrc[0])
1172	\|\| pszSrc[1] != ':'
1173	\|\| !RTPATH_IS_SLASH(pszSrc[2]))
1174	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1175
1176	*pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
1177	*pszDst++ = ':';
1178	*pszDst++ = RTPATH_SLASH;
1179	pszSrc += 3;
1180
1181	#else
1182	if (!RTPATH_IS_SLASH(pszSrc[0]))
1183	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1184
1185	*pszDst++ = RTPATH_SLASH;
1186	pszSrc += 1;
1187	#endif
1188
1189	/*
1190	* No path specifying the root or something very shortly thereafter will
1191	* be approved of.
1192	*/
1193	if (pszSrc[0] == '\0')
1194	return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
1195	if ( pszSrc[1] == '\0'
1196	\|\| pszSrc[2] == '\0')
1197	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
1198
1199	#if RTPATH_STYLE == RTPATH_STR_F_STYLE_UNIX
1200	/*
1201	* Skip double slashes.
1202	*/
1203	while (RTPATH_IS_SLASH(*pszSrc))
1204	pszSrc++;
1205	#else
1206	/*
1207	* The root slash should be alone to avoid UNC confusion.
1208	*/
1209	if (RTPATH_IS_SLASH(pszSrc[0]))
1210	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
1211	"The path is not clean of leading double slashes: '", pszPath, "'");
1212	#endif
1213	/*
1214	* Check each component. No parent references.
1215	*/
1216	pInfo->cComponents = 0;
1217	pInfo->fDirSlash = false;
1218	while (pszSrc[0])
1219	{
1220	/* Sanity checks. */
1221	if ( pszSrc[0] == '.'
1222	&& pszSrc[1] == '.'
1223	&& RTPATH_IS_SLASH(pszSrc[2]))
1224	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
1225	"The path is not absolute: '", pszPath, "'");
1226
1227	/* Record the start of the component. */
1228	if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
1229	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
1230	"The path has too many components: '", pszPath, "'");
1231	pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
1232
1233	/* Traverse to the end of the component, copying it as we go along. */
1234	while (pszSrc[0])
1235	{
1236	if (RTPATH_IS_SLASH(pszSrc[0]))
1237	{
1238	pszSrc++;
1239	if (*pszSrc)
1240	*pszDst++ = RTPATH_SLASH;
1241	else
1242	pInfo->fDirSlash = true;
1243	break;
1244	}
1245	pszDst++ = pszSrc++;
1246	if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
1247	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1248	"The path is too long: '", pszPath, "'");
1249	}
1250
1251	/* Skip double slashes. */
1252	while (RTPATH_IS_SLASH(*pszSrc))
1253	pszSrc++;
1254	}
1255
1256	/* Terminate the string and enter its length. */
1257	pszDst[0] = '\0';
1258	pszDst[1] = '\0'; /* for aoffComponents */
1259	pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
1260	pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
1261
1262	return VINF_SUCCESS;
1263	}
1264
1265
1266	/**
1267	* The state information collected by supR3HardenedVerifyFsObject.
1268	*
1269	* This can be used to verify that a directory we've opened for enumeration is
1270	* the same as the one that supR3HardenedVerifyFsObject just verified. It can
1271	* equally be used to verify a native specfied by the user.
1272	*/
1273	typedef struct SUPR3HARDENEDFSOBJSTATE
1274	{
1275	#ifdef RT_OS_WINDOWS
1276	/** Not implemented for windows yet. */
1277	char chTodo;
1278	#else
1279	/** The stat output. */
1280	struct stat Stat;
1281	#endif
1282	} SUPR3HARDENEDFSOBJSTATE;
1283	/** Pointer to a file system object state. */
1284	typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1285	/** Pointer to a const file system object state. */
1286	typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1287
1288
1289	/**
1290	* Query information about a file system object by path.
1291	*
1292	* @returns VBox status code, error buffer filled on failure.
1293	* @param pszPath The path to the object.
1294	* @param pFsObjState Where to return the state information.
1295	* @param pErrInfo The error info structure.
1296	*/
1297	static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1298	{
1299	#if defined(RT_OS_WINDOWS)
1300	/** @todo Windows hardening. */
1301	pFsObjState->chTodo = 0;
1302	RT_NOREF2(pszPath, pErrInfo);
1303	return VINF_SUCCESS;
1304
1305	#else
1306	/*
1307	* Stat the object, do not follow links.
1308	*/
1309	if (lstat(pszPath, &pFsObjState->Stat) != 0)
1310	{
1311	/* Ignore access errors */
1312	if (errno != EACCES)
1313	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1314	5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1315	}
1316
1317	/*
1318	* Read ACLs.
1319	*/
1320	/** @todo */
1321
1322	return VINF_SUCCESS;
1323	#endif
1324	}
1325
1326
1327	/**
1328	* Query information about a file system object by native handle.
1329	*
1330	* @returns VBox status code, error buffer filled on failure.
1331	* @param hNative The native handle to the object @a pszPath
1332	* specifies and this should be verified to be the
1333	* same file system object.
1334	* @param pFsObjState Where to return the state information.
1335	* @param pszPath The path to the object. (For the error message
1336	* only.)
1337	* @param pErrInfo The error info structure.
1338	*/
1339	static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1340	char const *pszPath, PRTERRINFO pErrInfo)
1341	{
1342	#if defined(RT_OS_WINDOWS)
1343	/** @todo Windows hardening. */
1344	pFsObjState->chTodo = 0;
1345	RT_NOREF3(hNative, pszPath, pErrInfo);
1346	return VINF_SUCCESS;
1347
1348	#else
1349	/*
1350	* Stat the object, do not follow links.
1351	*/
1352	if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1353	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1354	5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1355
1356	/*
1357	* Read ACLs.
1358	*/
1359	/** @todo */
1360
1361	return VINF_SUCCESS;
1362	#endif
1363	}
1364
1365
1366	/**
1367	* Verifies that the file system object indicated by the native handle is the
1368	* same as the one @a pFsObjState indicates.
1369	*
1370	* @returns VBox status code, error buffer filled on failure.
1371	* @param pFsObjState1 File system object information/state by path.
1372	* @param pFsObjState2 File system object information/state by handle.
1373	* @param pszPath The path to the object @a pFsObjState
1374	* describes. (For the error message.)
1375	* @param pErrInfo The error info structure.
1376	*/
1377	static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1378	const char *pszPath, PRTERRINFO pErrInfo)
1379	{
1380	#if defined(RT_OS_WINDOWS)
1381	/** @todo Windows hardening. */
1382	RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1383	return VINF_SUCCESS;
1384
1385	#elif defined(RT_OS_OS2)
1386	RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1387	return VINF_SUCCESS;
1388
1389	#else
1390	/*
1391	* Compare the ino+dev, then the uid+gid and finally the important mode
1392	* bits. Technically the first one should be enough, but we're paranoid.
1393	*/
1394	if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1395	\|\| pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1396	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1397	"The native handle is not the same as '", pszPath, "' (ino/dev)");
1398	if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1399	\|\| pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1400	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1401	"The native handle is not the same as '", pszPath, "' (uid/gid)");
1402	if ( (pFsObjState1->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH))
1403	!= (pFsObjState2->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH)))
1404	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1405	"The native handle is not the same as '", pszPath, "' (mode)");
1406	return VINF_SUCCESS;
1407	#endif
1408	}
1409
1410
1411	/**
1412	* Verifies a file system object (file or directory).
1413	*
1414	* @returns VBox status code, error buffer filled on failure.
1415	* @param pFsObjState The file system object information/state to be
1416	* verified.
1417	* @param fDir Whether this is a directory or a file.
1418	* @param fRelaxed Whether we can be more relaxed about this
1419	* directory (only used for grand parent
1420	* directories).
1421	* @param fSymlinksAllowed Flag whether symlinks are allowed or not.
1422	* If allowed the symlink object is verified not the target.
1423	* @param pszPath The path to the object. For error messages and
1424	* securing a couple of hacks.
1425	* @param pErrInfo The error info structure.
1426	*/
1427	static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1428	bool fSymlinksAllowed, const char *pszPath, PRTERRINFO pErrInfo)
1429	{
1430	#if defined(RT_OS_WINDOWS)
1431	/** @todo Windows hardening. */
1432	RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
1433	return VINF_SUCCESS;
1434
1435	#elif defined(RT_OS_OS2)
1436	/* No hardening here - it's a single user system. */
1437	RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
1438	return VINF_SUCCESS;
1439
1440	#else
1441	/*
1442	* The owner must be root.
1443	*
1444	* This can be extended to include predefined system users if necessary.
1445	*/
1446	if (pFsObjState->Stat.st_uid != 0)
1447	return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1448
1449	/*
1450	* The object type must be directory or file. It can be a symbolic link
1451	* if explicitely allowed. Otherwise this and other risky stuff is not allowed
1452	* (sorry dude, but we're paranoid on purpose here).
1453	*/
1454	if ( !S_ISLNK(pFsObjState->Stat.st_mode)
1455	\|\| !fSymlinksAllowed)
1456	{
1457
1458	if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1459	&& !S_ISREG(pFsObjState->Stat.st_mode))
1460	{
1461	if (S_ISLNK(pFsObjState->Stat.st_mode))
1462	return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1463	"Symlinks are not permitted: '", pszPath, "'");
1464	return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1465	"Not regular file or directory: '", pszPath, "'");
1466	}
1467	if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1468	{
1469	if (S_ISDIR(pFsObjState->Stat.st_mode))
1470	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1471	"Expected file but found directory: '", pszPath, "'");
1472	return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1473	"Expected directory but found file: '", pszPath, "'");
1474	}
1475	}
1476
1477	/*
1478	* The group does not matter if it does not have write access, if it has
1479	* write access it must be group 0 (root/wheel/whatever).
1480	*
1481	* This can be extended to include predefined system groups or groups that
1482	* only root is member of.
1483	*/
1484	if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1485	&& pFsObjState->Stat.st_gid != 0)
1486	{
1487	# ifdef RT_OS_DARWIN
1488	/* HACK ALERT: On Darwin /Applications is root:admin with admin having
1489	full access. So, to work around we relax the hardening a bit and
1490	permit grand parents and beyond to be group writable by admin. */
1491	/** @todo dynamically resolve the admin group? */
1492	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 80 /admin/ \|\| suplibHardenedStrCmp(pszPath, "/Applications");
1493
1494	# elif defined(RT_OS_FREEBSD)
1495	/* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1496	similar to /Applications on OS X (see above).
1497	On FreeBSD root is normally the only member of this group, on
1498	PC-BSD the default user is a member. */
1499	/** @todo dynamically resolve the operator group? */
1500	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 5 /operator/ \|\| suplibHardenedStrCmp(pszPath, "/usr/pbi");
1501	NOREF(fRelaxed);
1502	# elif defined(RT_OS_SOLARIS)
1503	/* HACK ALERT: Solaris has group-writable /usr/lib/iconv directory from
1504	which the appropriate module is loaded.
1505	By default only root and daemon are part of that group.
1506	. */
1507	/** @todo dynamically resolve the bin group? */
1508	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 2 /bin/ \|\| suplibHardenedStrCmp(pszPath, "/usr/lib/iconv");
1509	# else
1510	NOREF(fRelaxed);
1511	bool fBad = true;
1512	# endif
1513	if (fBad)
1514	return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1515	"An unknown (and thus untrusted) group has write access to '", pszPath,
1516	"' and we therefore cannot trust the directory content or that of any subdirectory");
1517	}
1518
1519	/*
1520	* World must not have write access. There is no relaxing this rule.
1521	* Linux exception: Symbolic links are always give permission 0777, there
1522	* is no lchmod or lchown APIs. The permissions on parent
1523	* directory that contains the symbolic link is what is
1524	* decising wrt to modifying it. (Caller is expected not
1525	* to allow symbolic links in the first path component.)
1526	*/
1527	if ( (pFsObjState->Stat.st_mode & S_IWOTH)
1528	# ifdef RT_OS_LINUX
1529	&& ( !S_ISLNK(pFsObjState->Stat.st_mode)
1530	\|\| !fSymlinksAllowed /* paranoia */)
1531	# endif
1532	)
1533	return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1534	"World writable: '", pszPath, "'");
1535
1536	/*
1537	* Check the ACLs.
1538	*/
1539	/** @todo */
1540
1541	return VINF_SUCCESS;
1542	#endif
1543	}
1544
1545
1546	/**
1547	* Verifies that the file system object indicated by the native handle is the
1548	* same as the one @a pFsObjState indicates.
1549	*
1550	* @returns VBox status code, error buffer filled on failure.
1551	* @param hNative The native handle to the object @a pszPath
1552	* specifies and this should be verified to be the
1553	* same file system object.
1554	* @param pFsObjState The information/state returned by a previous
1555	* query call.
1556	* @param pszPath The path to the object @a pFsObjState
1557	* describes. (For the error message.)
1558	* @param pErrInfo The error info structure.
1559	*/
1560	static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1561	const char *pszPath, PRTERRINFO pErrInfo)
1562	{
1563	SUPR3HARDENEDFSOBJSTATE FsObjState2;
1564	int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1565	if (RT_SUCCESS(rc))
1566	rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1567	return rc;
1568	}
1569
1570
1571	/**
1572	* Does the recursive directory enumeration.
1573	*
1574	* @returns VBox status code, error buffer filled on failure.
1575	* @param pszDirPath The path buffer containing the subdirectory to
1576	* enumerate followed by a slash (this is never
1577	* the root slash). The buffer is RTPATH_MAX in
1578	* size and anything starting at @a cchDirPath
1579	* - 1 and beyond is scratch space.
1580	* @param cchDirPath The length of the directory path + slash.
1581	* @param pFsObjState Pointer to the file system object state buffer.
1582	* On input this will hold the stats for
1583	* the directory @a pszDirPath indicates and will
1584	* be used to verified that we're opening the same
1585	* thing.
1586	* @param fRecursive Whether to recurse into subdirectories.
1587	* @param pErrInfo The error info structure.
1588	*/
1589	static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1590	bool fRecursive, PRTERRINFO pErrInfo)
1591	{
1592	#if defined(RT_OS_WINDOWS)
1593	/** @todo Windows hardening. */
1594	RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1595	return VINF_SUCCESS;
1596
1597	#elif defined(RT_OS_OS2)
1598	/* No hardening here - it's a single user system. */
1599	RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1600	return VINF_SUCCESS;
1601
1602	#else
1603	/*
1604	* Open the directory. Now, we could probably eliminate opendir here
1605	* and go down on kernel API level (open + getdents for instance), however
1606	* that's not very portable and hopefully not necessary.
1607	*/
1608	DIR *pDir = opendir(pszDirPath);
1609	if (!pDir)
1610	{
1611	/* Ignore access errors. */
1612	if (errno == EACCES)
1613	return VINF_SUCCESS;
1614	return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1615	5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1616	}
1617	if (dirfd(pDir) != -1)
1618	{
1619	int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1620	if (RT_FAILURE(rc))
1621	{
1622	closedir(pDir);
1623	return rc;
1624	}
1625	}
1626
1627	/*
1628	* Enumerate the directory, check all the requested bits.
1629	*/
1630	int rc = VINF_SUCCESS;
1631	for (;;)
1632	{
1633	pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1634
1635	struct dirent Entry;
1636	struct dirent *pEntry;
1637	#if RT_GNUC_PREREQ(4, 6)
1638	# pragma GCC diagnostic push
1639	# pragma GCC diagnostic ignored "-Wdeprecated-declarations"
1640	#endif
1641	int iErr = readdir_r(pDir, &Entry, &pEntry);
1642	#if RT_GNUC_PREREQ(4, 6)
1643	# pragma GCC diagnostic pop
1644	#endif
1645	if (iErr)
1646	{
1647	rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1648	5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1649	break;
1650	}
1651	if (!pEntry)
1652	break;
1653
1654	/*
1655	* Check the length and copy it into the path buffer so it can be
1656	* stat()'ed.
1657	*/
1658	size_t cchName = suplibHardenedStrLen(pEntry->d_name);
1659	if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1660	{
1661	rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1662	4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1663	break;
1664	}
1665	suplibHardenedMemCopy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1666
1667	/*
1668	* Query the information about the entry and verify it.
1669	* (We don't bother skipping '.' and '..' at this point, a little bit
1670	* of extra checks doesn't hurt and neither requires relaxed handling.)
1671	*/
1672	rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1673	if (RT_SUCCESS(rc))
1674	break;
1675	rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /fRelaxed/,
1676	false /fSymlinksAllowed/, pszDirPath, pErrInfo);
1677	if (RT_FAILURE(rc))
1678	break;
1679
1680	/*
1681	* Recurse into subdirectories if requested.
1682	*/
1683	if ( fRecursive
1684	&& S_ISDIR(pFsObjState->Stat.st_mode)
1685	&& suplibHardenedStrCmp(pEntry->d_name, ".")
1686	&& suplibHardenedStrCmp(pEntry->d_name, ".."))
1687	{
1688	pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1689	pszDirPath[cchDirPath + cchName + 1] = '\0';
1690
1691	rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1692	fRecursive, pErrInfo);
1693	if (RT_FAILURE(rc))
1694	break;
1695	}
1696	}
1697
1698	closedir(pDir);
1699	return VINF_SUCCESS;
1700	#endif
1701	}
1702
1703
1704	/**
1705	* Worker for SUPR3HardenedVerifyDir.
1706	*
1707	* @returns See SUPR3HardenedVerifyDir.
1708	* @param pszDirPath See SUPR3HardenedVerifyDir.
1709	* @param fRecursive See SUPR3HardenedVerifyDir.
1710	* @param fCheckFiles See SUPR3HardenedVerifyDir.
1711	* @param pErrInfo See SUPR3HardenedVerifyDir.
1712	*/
1713	DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1714	{
1715	/*
1716	* Validate the input path and parse it.
1717	*/
1718	SUPR3HARDENEDPATHINFO Info;
1719	int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1720	if (RT_FAILURE(rc))
1721	return rc;
1722
1723	/*
1724	* Verify each component from the root up.
1725	*/
1726	SUPR3HARDENEDFSOBJSTATE FsObjState;
1727	uint32_t const cComponents = Info.cComponents;
1728	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1729	{
1730	bool fRelaxed = iComponent + 2 < cComponents;
1731	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1732	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1733	if (RT_SUCCESS(rc))
1734	rc = supR3HardenedVerifyFsObject(&FsObjState, true /fDir/, fRelaxed,
1735	false /fSymlinksAllowed/, Info.szPath, pErrInfo);
1736	if (RT_FAILURE(rc))
1737	return rc;
1738	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1739	}
1740
1741	/*
1742	* Check files and subdirectories if requested.
1743	*/
1744	if (fCheckFiles \|\| fRecursive)
1745	{
1746	Info.szPath[Info.cch] = RTPATH_SLASH;
1747	Info.szPath[Info.cch + 1] = '\0';
1748	return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1749	fRecursive, pErrInfo);
1750	}
1751
1752	return VINF_SUCCESS;
1753	}
1754
1755
1756	/**
1757	* Verfies a file.
1758	*
1759	* @returns VBox status code, error buffer filled on failure.
1760	* @param pszFilename The file to verify.
1761	* @param hNativeFile Handle to the file, verify that it's the same
1762	* as we ended up with when verifying the path.
1763	* RTHCUINTPTR_MAX means NIL here.
1764	* @param fMaybe3rdParty Set if the file is could be a supplied by a
1765	* third party. Different validation rules may
1766	* apply to 3rd party code on some platforms.
1767	* @param pErrInfo Where to return extended error information.
1768	* Optional.
1769	*/
1770	DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
1771	bool fMaybe3rdParty, PRTERRINFO pErrInfo)
1772	{
1773	/*
1774	* Validate the input path and parse it.
1775	*/
1776	SUPR3HARDENEDPATHINFO Info;
1777	int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1778	if (RT_FAILURE(rc))
1779	return rc;
1780	if (Info.fDirSlash)
1781	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1782	"The file path specifies a directory: '", pszFilename, "'");
1783
1784	/*
1785	* Verify each component from the root up.
1786	*/
1787	SUPR3HARDENEDFSOBJSTATE FsObjState;
1788	uint32_t const cComponents = Info.cComponents;
1789	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1790	{
1791	bool fFinal = iComponent + 1 == cComponents;
1792	bool fRelaxed = iComponent + 2 < cComponents;
1793	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1794	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1795	if (RT_SUCCESS(rc))
1796	rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /fDir/, fRelaxed,
1797	false /fSymlinksAllowed/, Info.szPath, pErrInfo);
1798	if (RT_FAILURE(rc))
1799	return rc;
1800	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1801	}
1802
1803	/*
1804	* Verify the file handle against the last component, if specified.
1805	*/
1806	if (hNativeFile != RTHCUINTPTR_MAX)
1807	{
1808	rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1809	if (RT_FAILURE(rc))
1810	return rc;
1811	}
1812
1813	#ifdef RT_OS_WINDOWS
1814	/*
1815	* The files shall be signed on windows, verify that.
1816	*/
1817	rc = VINF_SUCCESS;
1818	HANDLE hVerify;
1819	if (hNativeFile == RTHCUINTPTR_MAX)
1820	{
1821	PRTUTF16 pwszPath;
1822	rc = RTStrToUtf16(pszFilename, &pwszPath);
1823	if (RT_SUCCESS(rc))
1824	{
1825	hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1826	RTUtf16Free(pwszPath);
1827	}
1828	else
1829	{
1830	rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
1831	hVerify = INVALID_HANDLE_VALUE;
1832	}
1833	}
1834	else
1835	{
1836	NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
1837	GENERIC_READ, 0 /HandleAttributes/, 0 /Options/);
1838	if (!NT_SUCCESS(rcNt))
1839	hVerify = INVALID_HANDLE_VALUE;
1840	}
1841	if (hVerify != INVALID_HANDLE_VALUE)
1842	{
1843	# ifdef VBOX_WITH_HARDENING
1844	uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
1845	if (!fMaybe3rdParty)
1846	fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
1847	const char *pszSuffix = RTPathSuffix(pszFilename);
1848	if ( pszSuffix
1849	&& pszSuffix[0] == '.'
1850	&& ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
1851	\|\| RT_C_TO_LOWER(pszSuffix[1]) == 'g')
1852	&& RT_C_TO_LOWER(pszSuffix[2]) == 'c'
1853	&& pszSuffix[3] == '\0' )
1854	fFlags \|= SUPHNTVI_F_RC_IMAGE;
1855	# ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
1856	rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
1857	# endif
1858	# else
1859	RT_NOREF1(fMaybe3rdParty);
1860	# endif
1861	NtClose(hVerify);
1862	}
1863	else if (RT_SUCCESS(rc))
1864	rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
1865	"Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
1866	if (RT_FAILURE(rc))
1867	return rc;
1868	#else
1869	RT_NOREF1(fMaybe3rdParty);
1870	#endif
1871
1872	return VINF_SUCCESS;
1873	}
1874
1875
1876	#if defined(RT_OS_DARWIN) \|\| defined(RT_OS_LINUX)
1877	/**
1878	* Verfies a file following symlinks.
1879	*
1880	* @returns VBox status code, error buffer filled on failure.
1881	* @param pszFilename The file to verify.
1882	* @param hNativeFile Handle to the file, verify that it's the same
1883	* as we ended up with when verifying the path.
1884	* RTHCUINTPTR_MAX means NIL here.
1885	* @param fMaybe3rdParty Set if the file is could be a supplied by a
1886	* third party. Different validation rules may
1887	* apply to 3rd party code on some platforms.
1888	* @param pErrInfo Where to return extended error information.
1889	* Optional.
1890	*
1891	* @note This is only used on OS X for libraries loaded with dlopen() because
1892	* the frameworks use symbolic links to point to the relevant library.
1893	*
1894	* @sa supR3HardenedVerifyFile
1895	*/
1896	DECLHIDDEN(int) supR3HardenedVerifyFileFollowSymlinks(const char *pszFilename, RTHCUINTPTR hNativeFile, bool fMaybe3rdParty,
1897	PRTERRINFO pErrInfo)
1898	{
1899	RT_NOREF1(fMaybe3rdParty);
1900
1901	/*
1902	* Validate the input path and parse it.
1903	*/
1904	SUPR3HARDENEDPATHINFO Info;
1905	int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1906	if (RT_FAILURE(rc))
1907	return rc;
1908	if (Info.fDirSlash)
1909	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1910	"The file path specifies a directory: '", pszFilename, "'");
1911
1912	/*
1913	* Verify each component from the root up.
1914	*/
1915	#ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
1916	uint32_t iLoops = 0;
1917	#endif
1918	SUPR3HARDENEDFSOBJSTATE FsObjState;
1919	uint32_t iComponent = 0;
1920	while (iComponent < Info.cComponents)
1921	{
1922	bool fFinal = iComponent + 1 == Info.cComponents;
1923	bool fRelaxed = iComponent + 2 < Info.cComponents;
1924	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1925	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1926	if (RT_SUCCESS(rc))
1927	{
1928	/*
1929	* In case the component is a symlink expand it and start from the beginning after
1930	* verifying it has the proper access rights.
1931	* Furthermore only allow symlinks which don't contain any .. or . in the target
1932	* (enforced by supR3HardenedVerifyPathSanity).
1933	*/
1934	rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /fDir/, fRelaxed,
1935	true /fSymlinksAllowed/, Info.szPath, pErrInfo);
1936	if ( RT_SUCCESS(rc)
1937	&& S_ISLNK(FsObjState.Stat.st_mode))
1938	{
1939	#if SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH /* Another approach using realpath() and verifying the result when encountering a symlink. */
1940	char *pszFilenameResolved = realpath(pszFilename, NULL);
1941	if (pszFilenameResolved)
1942	{
1943	rc = supR3HardenedVerifyFile(pszFilenameResolved, hNativeFile, fMaybe3rdParty, pErrInfo);
1944	free(pszFilenameResolved);
1945	return rc;
1946	}
1947	else
1948	{
1949	int iErr = errno;
1950	supR3HardenedError(VERR_ACCESS_DENIED, false /fFatal/,
1951	"supR3HardenedVerifyFileFollowSymlinks: Failed to resolve the real path '%s': %s (%d)\n",
1952	pszFilename, strerror(iErr), iErr);
1953	return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
1954	"realpath failed for '", pszFilename, "': ", strerror(iErr));
1955	}
1956	#else
1957	/* Don't loop forever. */
1958	iLoops++;
1959	if (iLoops < 8)
1960	{
1961	/*
1962	* Construct new path by replacing the current component by the symlink value.
1963	* Note! readlink() is a weird API that doesn't necessarily indicates if the
1964	* buffer is too small.
1965	*/
1966	char szPath[RTPATH_MAX];
1967	size_t const cchBefore = Info.aoffComponents[iComponent]; /* includes slash */
1968	size_t const cchAfter = fFinal ? 0 : 1 /slash/ + Info.cch - Info.aoffComponents[iComponent + 1];
1969	if (sizeof(szPath) > cchBefore + cchAfter + 2)
1970	{
1971	ssize_t cchTarget = readlink(Info.szPath, szPath, sizeof(szPath) - 1);
1972	if (cchTarget > 0)
1973	{
1974	/* Some serious paranoia against embedded zero terminator and weird return values. */
1975	szPath[cchTarget] = '\0';
1976	size_t cchLink = strlen(szPath);
1977
1978	/* Strip trailing dirslashes of non-final link. */
1979	if (!fFinal)
1980	while (cchLink > 1 and szPath[cchLink - 1] == '/')
1981	cchLink--;
1982
1983	/* Check link value sanity and buffer size. */
1984	if (cchLink == 0)
1985	return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
1986	"Bad readlink return for '", Info.szPath, "'");
1987	if (szPath[0] == '/')
1988	return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
1989	"Absolute symbolic link not allowed: '", szPath, "'");
1990	if (cchBefore + cchLink + cchAfter + 1 /terminator/ > sizeof(szPath))
1991	return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1992	"Symlinks causing too long path!");
1993
1994	/* Construct the new path. */
1995	if (cchBefore)
1996	memmove(&szPath[cchBefore], &szPath[0], cchLink);
1997	memcpy(&szPath[0], Info.szPath, cchBefore);
1998	if (!cchAfter)
1999	szPath[cchBefore + cchLink] = '\0';
2000	else
2001	{
2002	szPath[cchBefore + cchLink] = RTPATH_SLASH;
2003	memcpy(&szPath[cchBefore + cchLink + 1],
2004	&Info.szPath[Info.aoffComponents[iComponent + 1]],
2005	cchAfter); /* cchAfter includes a zero terminator */
2006	}
2007
2008	/* Parse, copy and check the sanity (no '..' or '.') of the altered path. */
2009	rc = supR3HardenedVerifyPathSanity(szPath, pErrInfo, &Info);
2010	if (RT_FAILURE(rc))
2011	return rc;
2012	if (Info.fDirSlash)
2013	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
2014	"The file path specifies a directory: '", szPath, "'");
2015
2016	/* Restart from the current component. */
2017	continue;
2018	}
2019	int iErr = errno;
2020	supR3HardenedError(VERR_ACCESS_DENIED, false /fFatal/,
2021	"supR3HardenedVerifyFileFollowSymlinks: Failed to readlink '%s': %s (%d)\n",
2022	Info.szPath, strerror(iErr), iErr);
2023	return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
2024	"readlink failed for '", Info.szPath, "': ", strerror(iErr));
2025	}
2026	return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo, "Path too long for symlink replacing!");
2027	}
2028	else
2029	return supR3HardenedSetError3(VERR_TOO_MANY_SYMLINKS, pErrInfo,
2030	"Too many symbolic links: '", pszFilename, "'");
2031	#endif
2032	}
2033	}
2034	if (RT_FAILURE(rc))
2035	return rc;
2036	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
2037	iComponent++;
2038	}
2039
2040	/*
2041	* Verify the file handle against the last component, if specified.
2042	*/
2043	if (hNativeFile != RTHCUINTPTR_MAX)
2044	{
2045	rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
2046	if (RT_FAILURE(rc))
2047	return rc;
2048	}
2049
2050	return VINF_SUCCESS;
2051	}
2052	#endif /* RT_OS_DARWIN \|\| RT_OS_LINUX */
2053
2054
2055	/**
2056	* Gets the pre-init data for the hand-over to the other version
2057	* of this code.
2058	*
2059	* The reason why we pass this information on is that it contains
2060	* open directories and files. Later it may include even more info
2061	* (int the verified arrays mostly).
2062	*
2063	* The receiver is supR3HardenedRecvPreInitData.
2064	*
2065	* @param pPreInitData Where to store it.
2066	*/
2067	DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
2068	{
2069	pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
2070	pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
2071	pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
2072
2073	pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
2074	pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
2075	}
2076
2077
2078	/**
2079	* Receives the pre-init data from the static executable stub.
2080	*
2081	* @returns VBox status code. Will not bitch on failure since the
2082	* runtime isn't ready for it, so that is left to the exe stub.
2083	*
2084	* @param pPreInitData The hand-over data.
2085	*/
2086	DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
2087	{
2088	/*
2089	* Compare the array lengths and the contents of g_aSupInstallFiles.
2090	*/
2091	if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
2092	\|\| pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
2093	return VERR_VERSION_MISMATCH;
2094	SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
2095	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
2096	if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
2097	\|\| g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
2098	\|\| g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
2099	\|\| suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
2100	return VERR_VERSION_MISMATCH;
2101
2102	/*
2103	* Check that we're not called out of order.
2104	* If dynamic linking it screwed up, we may end up here.
2105	*/
2106	if ( !ASMMemIsZero(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles))
2107	\|\| !ASMMemIsZero(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs)))
2108	return VERR_WRONG_ORDER;
2109
2110	/*
2111	* Copy the verification data over.
2112	*/
2113	suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
2114	suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
2115	return VINF_SUCCESS;
2116	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 74125

Download in other formats: