VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 74950

Last change on this file since 74950 was 74774, checked in by vboxsync, 6 years ago

Don't verify nonexistent modules.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 83.8 KB
Line 
1/* $Id: SUPR3HardenedVerify.cpp 74774 2018-10-11 16:35:40Z vboxsync $ */
2/** @file
3 * VirtualBox Support Library - Verification of Hardened Installation.
4 */
5
6/*
7 * Copyright (C) 2006-2017 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#if defined(RT_OS_OS2)
32# define INCL_BASE
33# define INCL_ERRORS
34# include <os2.h>
35# include <stdio.h>
36# include <stdlib.h>
37# include <unistd.h>
38# include <sys/fcntl.h>
39# include <sys/errno.h>
40# include <sys/syslimits.h>
41
42#elif defined(RT_OS_WINDOWS)
43# include <iprt/nt/nt-and-windows.h>
44# ifndef IN_SUP_HARDENED_R3
45# include <stdio.h>
46# endif
47
48#else /* UNIXes */
49# include <sys/types.h>
50# include <stdio.h>
51# include <stdlib.h>
52# include <dirent.h>
53# include <dlfcn.h>
54# include <fcntl.h>
55# include <limits.h>
56# include <errno.h>
57# include <unistd.h>
58# include <sys/stat.h>
59# include <sys/time.h>
60# include <sys/fcntl.h>
61# include <pwd.h>
62# ifdef RT_OS_DARWIN
63# include <mach-o/dyld.h>
64# endif
65
66#endif
67
68#include <VBox/sup.h>
69#include <VBox/err.h>
70#include <iprt/asm.h>
71#include <iprt/ctype.h>
72#include <iprt/param.h>
73#include <iprt/path.h>
74#include <iprt/string.h>
75
76#include "SUPLibInternal.h"
77#if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
78# define SUPHNTVI_NO_NT_STUFF
79# include "win/SUPHardenedVerify-win.h"
80#endif
81
82
83/*********************************************************************************************************************************
84* Defined Constants And Macros *
85*********************************************************************************************************************************/
86/** The max path length acceptable for a trusted path. */
87#define SUPR3HARDENED_MAX_PATH 260U
88
89/** Enable to resolve symlinks using realpath() instead of cooking our own stuff. */
90#define SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH 1
91
92#ifdef RT_OS_SOLARIS
93# define dirfd(d) ((d)->d_fd)
94#endif
95
96/** Compare table file names with externally supplied names. */
97#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
98# define SUP_COMP_FILENAME RTStrICmp
99#else
100# define SUP_COMP_FILENAME suplibHardenedStrCmp
101#endif
102
103
104/*********************************************************************************************************************************
105* Global Variables *
106*********************************************************************************************************************************/
107/**
108 * The files that gets verified.
109 *
110 * @todo This needs reviewing against the linux packages.
111 * @todo The excessive use of kSupID_AppSharedLib needs to be reviewed at some point. For
112 * the time being we're building the linux packages with SharedLib pointing to
113 * AppPrivArch (lazy bird).
114 *
115 * @remarks If you add executables here, you might need to update
116 * g_apszSupNtVpAllowedVmExes in SUPHardenedVerifyProcess-win.cpp.
117 */
118static SUPINSTFILE const g_aSupInstallFiles[] =
119{
120 /* type, dir, fOpt, "pszFile" */
121 /* ---------------------------------------------------------------------- */
122 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
123 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
124
125#ifdef VBOX_WITH_RAW_MODE
126 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMRC.rc" },
127 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDRC.rc" },
128#endif
129
130 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
131 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
132#ifdef VBOX_WITH_REM
133 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
134#endif
135#if HC_ARCH_BITS == 32
136 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
137 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
138#endif
139 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
140 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
141 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
142 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxVMMPreload" SUPLIB_EXE_SUFF },
143 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVMMPreload" SUPLIB_DLL_SUFF },
144
145//#ifdef VBOX_WITH_DEBUGGER_GUI
146 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
147 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
148//#endif
149
150//#ifdef VBOX_WITH_SHARED_CLIPBOARD
151 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
152//#endif
153//#ifdef VBOX_WITH_SHARED_FOLDERS
154 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
155//#endif
156//#ifdef VBOX_WITH_DRAG_AND_DROP
157 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
158//#endif
159//#ifdef VBOX_WITH_GUEST_PROPS
160 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
161//#endif
162//#ifdef VBOX_WITH_GUEST_CONTROL
163 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
164//#endif
165 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
166 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
167 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
168 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
169 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
170
171 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
172
173#ifdef VBOX_WITH_MAIN
174 { kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
175 #ifdef RT_OS_WINDOWS
176 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
177 #else
178 { kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
179 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
180 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
181 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
182 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
183 { kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
184 #endif
185#endif
186
187 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
188 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
189 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
190
191//#ifdef VBOX_WITH_HEADLESS
192 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
193 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
194 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
195//#endif
196
197//#ifdef VBOX_WITH_QTGUI
198 { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
199# ifndef VBOX_GUI_WITH_SHARED_LIBRARY
200 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
201# ifdef RT_OS_DARWIN
202 { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
203# endif
204# else
205 { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
206 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBoxVM" SUPLIB_DLL_SUFF },
207 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGlobal" SUPLIB_DLL_SUFF },
208# endif
209# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
210 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
211# endif
212//#endif
213
214//#ifdef VBOX_WITH_VBOXSDL
215 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
216 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
217//#endif
218
219//#ifdef VBOX_WITH_WEBSERVICES
220 { kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
221//#endif
222
223#ifdef RT_OS_LINUX
224 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
225#endif
226
227//#ifdef VBOX_WITH_NETFLT
228 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
229 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
230//#endif
231
232//#ifdef VBOX_WITH_LWIP_NAT
233 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
234 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
235//#endif
236#if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
237# define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
238 { kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
239 { kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
240 HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
241 HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
242 HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
243 HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
244 HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
245# define HARDENED_TESTCASE_ENTRY(a_szName) \
246 { kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
247 { kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
248 HARDENED_TESTCASE_ENTRY("tstCFGM"),
249 HARDENED_TESTCASE_ENTRY("tstGIP-2"),
250 HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
251 HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
252 HARDENED_TESTCASE_ENTRY("tstRTR0ThreadPreemptionDriver"),
253 HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
254 HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
255 HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
256 HARDENED_TESTCASE_ENTRY("tstSSM"),
257#endif
258};
259
260
261/** Array parallel to g_aSupInstallFiles containing per-file status info. */
262static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
263
264/** Array index by install directory specifier containing info about verified directories. */
265static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
266
267
268/**
269 * Assembles the path to a directory.
270 *
271 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
272 * decides whether it returns or not).
273 *
274 * @param enmDir The directory.
275 * @param pszDst Where to assemble the path.
276 * @param cchDst The size of the buffer.
277 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
278 */
279static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
280{
281 int rc;
282 switch (enmDir)
283 {
284 case kSupID_AppBin:
285 rc = supR3HardenedPathAppBin(pszDst, cchDst);
286 break;
287 case kSupID_AppSharedLib:
288 rc = supR3HardenedPathAppSharedLibs(pszDst, cchDst);
289 break;
290 case kSupID_AppPrivArch:
291 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
292 break;
293 case kSupID_AppPrivArchComp:
294 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
295 if (RT_SUCCESS(rc))
296 {
297 size_t off = suplibHardenedStrLen(pszDst);
298 if (cchDst - off >= sizeof("/components"))
299 suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
300 else
301 rc = VERR_BUFFER_OVERFLOW;
302 }
303 break;
304 case kSupID_AppPrivNoArch:
305 rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
306 break;
307 case kSupID_Testcase:
308 rc = supR3HardenedPathAppBin(pszDst, cchDst);
309 if (RT_SUCCESS(rc))
310 {
311 size_t off = suplibHardenedStrLen(pszDst);
312 if (cchDst - off >= sizeof("/testcase"))
313 suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
314 else
315 rc = VERR_BUFFER_OVERFLOW;
316 }
317 break;
318 default:
319 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
320 "supR3HardenedMakePath: enmDir=%d\n", enmDir);
321 }
322 if (RT_FAILURE(rc))
323 supR3HardenedError(rc, fFatal,
324 "supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
325 return rc;
326}
327
328
329
330/**
331 * Assembles the path to a file table entry, with or without the actual filename.
332 *
333 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
334 * decides whether it returns or not).
335 *
336 * @param pFile The file table entry.
337 * @param pszDst Where to assemble the path.
338 * @param cchDst The size of the buffer.
339 * @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
340 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
341 */
342static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
343{
344 /*
345 * Combine supR3HardenedMakePath and the filename.
346 */
347 int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
348 if (RT_SUCCESS(rc) && fWithFilename)
349 {
350 size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
351 size_t off = suplibHardenedStrLen(pszDst);
352 if (cchDst - off >= cchFile + 2)
353 {
354 pszDst[off++] = '/';
355 suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
356 }
357 else
358 rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
359 "supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
360 pFile->pszFile, (long)off);
361 }
362 return rc;
363}
364
365
366/**
367 * Verifies a directory.
368 *
369 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
370 * fFatal is clear and if it's set the function wont return.
371 * @param enmDir The directory specifier.
372 * @param fFatal Whether validation failures should be treated as
373 * fatal (true) or not (false).
374 */
375DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
376{
377 /*
378 * Validate the index just to be on the safe side...
379 */
380 if (enmDir <= kSupID_Invalid || enmDir >= kSupID_End)
381 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
382 "supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
383
384 /*
385 * Already validated?
386 */
387 if (g_aSupVerifiedDirs[enmDir].fValidated)
388 return VINF_SUCCESS; /** @todo revalidate? */
389
390 /* initialize the entry. */
391 if (g_aSupVerifiedDirs[enmDir].hDir != 0)
392 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
393 "supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
394 (void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
395 g_aSupVerifiedDirs[enmDir].hDir = -1;
396 g_aSupVerifiedDirs[enmDir].fValidated = false;
397
398 /*
399 * Make the path and open the directory.
400 */
401 char szPath[RTPATH_MAX];
402 int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
403 if (RT_SUCCESS(rc))
404 {
405#if defined(RT_OS_WINDOWS)
406 PRTUTF16 pwszPath;
407 rc = RTStrToUtf16(szPath, &pwszPath);
408 if (RT_SUCCESS(rc))
409 {
410 HANDLE hDir = CreateFileW(pwszPath,
411 GENERIC_READ,
412 FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE,
413 NULL,
414 OPEN_EXISTING,
415 FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS,
416 NULL);
417 if (hDir != INVALID_HANDLE_VALUE)
418 {
419 /** @todo check the type */
420 /* That's all on windows, for now at least... */
421 g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
422 g_aSupVerifiedDirs[enmDir].fValidated = true;
423 }
424 else if (enmDir == kSupID_Testcase)
425 {
426 g_aSupVerifiedDirs[enmDir].fValidated = true;
427 rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
428 }
429 else
430 {
431 int err = RtlGetLastWin32Error();
432 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
433 "supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
434 szPath, err);
435 }
436 RTUtf16Free(pwszPath);
437 }
438 else
439 rc = supR3HardenedError(rc, fFatal,
440 "supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
441
442#else /* UNIXY */
443 int fd = open(szPath, O_RDONLY, 0);
444 if (fd >= 0)
445 {
446 /*
447 * On unixy systems we'll make sure the directory is owned by root
448 * and not writable by the group and user.
449 */
450 struct stat st;
451 if (!fstat(fd, &st))
452 {
453
454 if ( st.st_uid == 0
455 && !(st.st_mode & (S_IWGRP | S_IWOTH))
456 && S_ISDIR(st.st_mode))
457 {
458 g_aSupVerifiedDirs[enmDir].hDir = fd;
459 g_aSupVerifiedDirs[enmDir].fValidated = true;
460 }
461 else
462 {
463 if (!S_ISDIR(st.st_mode))
464 rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
465 "supR3HardenedVerifyDir: \"%s\" is not a directory\n",
466 szPath, (long)st.st_uid);
467 else if (st.st_uid)
468 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
469 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
470 szPath, (long)st.st_uid);
471 else
472 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
473 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
474 szPath, (long)st.st_mode);
475 close(fd);
476 }
477 }
478 else
479 {
480 int err = errno;
481 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
482 "supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
483 szPath, strerror(err), err);
484 close(fd);
485 }
486 }
487 else if (enmDir == kSupID_Testcase)
488 {
489 g_aSupVerifiedDirs[enmDir].fValidated = true;
490 rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
491 }
492 else
493 {
494 int err = errno;
495 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
496 "supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
497 szPath, strerror(err), err);
498 }
499#endif /* UNIXY */
500 }
501
502 return rc;
503}
504
505
506#ifdef RT_OS_WINDOWS
507/**
508 * Opens the file for verification.
509 *
510 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
511 * fFatal is clear and if it's set the function wont return.
512 * @param pFile The file entry.
513 * @param fFatal Whether validation failures should be treated as
514 * kl fatal (true) or not (false).
515 * @param phFile The file handle, set to -1 if we failed to open
516 * the file. The function may return VINF_SUCCESS
517 * and a -1 handle if the file is optional.
518 */
519static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
520{
521 *phFile = -1;
522
523 char szPath[RTPATH_MAX];
524 int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
525 if (RT_SUCCESS(rc))
526 {
527 PRTUTF16 pwszPath;
528 rc = RTStrToUtf16(szPath, &pwszPath);
529 if (RT_SUCCESS(rc))
530 {
531 HANDLE hFile = CreateFileW(pwszPath,
532 GENERIC_READ,
533 FILE_SHARE_READ,
534 NULL,
535 OPEN_EXISTING,
536 FILE_ATTRIBUTE_NORMAL,
537 NULL);
538 if (hFile != INVALID_HANDLE_VALUE)
539 {
540 *phFile = (intptr_t)hFile;
541 rc = VINF_SUCCESS;
542 }
543 else
544 {
545 int err = RtlGetLastWin32Error();
546 if ( !pFile->fOptional
547 || ( err != ERROR_FILE_NOT_FOUND
548 && (err != ERROR_PATH_NOT_FOUND || pFile->enmDir != kSupID_Testcase) ) )
549 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
550 "supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
551 }
552 RTUtf16Free(pwszPath);
553 }
554 else
555 rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
556 szPath, rc);
557 }
558 return rc;
559}
560
561
562/**
563 * Worker for supR3HardenedVerifyFileInternal.
564 *
565 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
566 * fFatal is clear and if it's set the function wont return.
567 * @param pFile The file entry.
568 * @param pVerified The verification record.
569 * @param fFatal Whether validation failures should be treated as
570 * fatal (true) or not (false).
571 * @param fLeaveFileOpen Whether the file should be left open.
572 */
573static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
574{
575# if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
576
577 /*
578 * Open the file if we have to.
579 */
580 int rc;
581 intptr_t hFileOpened;
582 intptr_t hFile = pVerified->hFile;
583 if (hFile != -1)
584 hFileOpened = -1;
585 else
586 {
587 rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
588 if (RT_FAILURE(rc))
589 return rc;
590 hFile = hFileOpened;
591 }
592
593 /*
594 * Verify the signature.
595 */
596 char szErr[1024];
597 RTERRINFO ErrInfo;
598 RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
599
600 uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
601 if (pFile->enmType == kSupIFT_Rc)
602 fFlags |= SUPHNTVI_F_RC_IMAGE;
603
604 rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
605 if (RT_SUCCESS(rc))
606 pVerified->fCheckedSignature = true;
607 else
608 {
609 pVerified->fCheckedSignature = false;
610 rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
611 pFile->pszFile, rc, szErr);
612
613 }
614
615 /*
616 * Close the handle if we opened the file and we should close it.
617 */
618 if (hFileOpened != -1)
619 {
620 if (fLeaveFileOpen && RT_SUCCESS(rc))
621 pVerified->hFile = hFileOpened;
622 else
623 NtClose((HANDLE)hFileOpened);
624 }
625
626 return rc;
627
628# else /* Not checking signatures. */
629 RT_NOREF4(pFile, pVerified, fFatal, fLeaveFileOpen);
630 return VINF_SUCCESS;
631# endif /* Not checking signatures. */
632}
633#endif
634
635
636/**
637 * Verifies a file entry.
638 *
639 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
640 * fFatal is clear and if it's set the function wont return.
641 *
642 * @param iFile The file table index of the file to be verified.
643 * @param fFatal Whether validation failures should be treated as
644 * fatal (true) or not (false).
645 * @param fLeaveFileOpen Whether the file should be left open.
646 * @param fVerifyAll Set if this is an verify all call and we will
647 * postpone signature checking.
648 */
649static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
650{
651#ifndef RT_OS_WINDOWS
652 RT_NOREF1(fVerifyAll);
653#endif
654 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
655 PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
656
657 /*
658 * Already done validation? Do signature validation if we haven't yet.
659 */
660 if (pVerified->fValidated)
661 {
662 /** @todo revalidate? Check that the file hasn't been replace or similar. */
663#ifdef RT_OS_WINDOWS
664 if (!pVerified->fCheckedSignature && !fVerifyAll)
665 return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
666#endif
667 return VINF_SUCCESS;
668 }
669
670
671 /* initialize the entry. */
672 if (pVerified->hFile != 0)
673 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
674 "supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
675 (void *)pVerified->hFile, pFile->pszFile);
676 pVerified->hFile = -1;
677 pVerified->fValidated = false;
678#ifdef RT_OS_WINDOWS
679 pVerified->fCheckedSignature = false;
680#endif
681
682 /*
683 * Verify the directory then proceed to open it.
684 * (This'll make sure the directory is opened and that we can (later)
685 * use openat if we wish.)
686 */
687 int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
688 if (RT_SUCCESS(rc))
689 {
690#if defined(RT_OS_WINDOWS)
691 rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
692 if (RT_SUCCESS(rc))
693 {
694 if (!fVerifyAll)
695 rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
696 if (RT_SUCCESS(rc))
697 {
698 pVerified->fValidated = true;
699 if (!fLeaveFileOpen)
700 {
701 NtClose((HANDLE)pVerified->hFile);
702 pVerified->hFile = -1;
703 }
704 }
705 }
706#else /* !RT_OS_WINDOWS */
707 char szPath[RTPATH_MAX];
708 rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
709 if (RT_SUCCESS(rc))
710 {
711 int fd = open(szPath, O_RDONLY, 0);
712 if (fd >= 0)
713 {
714 /*
715 * On unixy systems we'll make sure the file is owned by root
716 * and not writable by the group and user.
717 */
718 struct stat st;
719 if (!fstat(fd, &st))
720 {
721 if ( st.st_uid == 0
722 && !(st.st_mode & (S_IWGRP | S_IWOTH))
723 && S_ISREG(st.st_mode))
724 {
725 /* it's valid. */
726 if (fLeaveFileOpen)
727 pVerified->hFile = fd;
728 else
729 close(fd);
730 pVerified->fValidated = true;
731 }
732 else
733 {
734 if (!S_ISREG(st.st_mode))
735 rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
736 "supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
737 szPath, (long)st.st_uid);
738 else if (st.st_uid)
739 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
740 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
741 szPath, (long)st.st_uid);
742 else
743 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
744 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
745 szPath, (long)st.st_mode);
746 close(fd);
747 }
748 }
749 else
750 {
751 int err = errno;
752 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
753 "supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
754 szPath, strerror(err), err);
755 close(fd);
756 }
757 }
758 else
759 {
760 int err = errno;
761 if (!pFile->fOptional || err != ENOENT)
762 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
763 "supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
764 szPath, strerror(err), err);
765 }
766 }
767#endif /* !RT_OS_WINDOWS */
768 }
769
770 return rc;
771}
772
773
774/**
775 * Verifies that the specified table entry matches the given filename.
776 *
777 * @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
778 * error is returned or we terminate the application.
779 *
780 * @param iFile The file table index.
781 * @param pszFilename The filename.
782 * @param fFatal Whether validation failures should be treated as
783 * fatal (true) or not (false).
784 */
785static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
786{
787 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
788
789 /*
790 * Construct the full path for the file table entry
791 * and compare it with the specified file.
792 */
793 char szName[RTPATH_MAX];
794 int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
795 if (RT_FAILURE(rc))
796 return rc;
797 if (SUP_COMP_FILENAME(szName, pszFilename))
798 {
799 /*
800 * Normalize the two paths and compare again.
801 */
802 rc = VERR_NOT_SAME_DEVICE;
803#if defined(RT_OS_WINDOWS)
804 LPSTR pszIgnored;
805 char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
806 if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
807 && GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
808 if (!SUP_COMP_FILENAME(szName2, szName))
809 rc = VINF_SUCCESS;
810#else
811 AssertCompile(RTPATH_MAX >= PATH_MAX);
812 char szName2[RTPATH_MAX];
813 if ( realpath(szName, szName2) != NULL
814 && realpath(pszFilename, szName) != NULL)
815 if (!SUP_COMP_FILENAME(szName2, szName))
816 rc = VINF_SUCCESS;
817#endif
818
819 if (RT_FAILURE(rc))
820 {
821 supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
822 return supR3HardenedError(rc, fFatal,
823 "supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
824 pszFilename, szName);
825 }
826 }
827
828 /*
829 * Check more stuff like the stat info if it's an already open file?
830 */
831
832
833
834 return VINF_SUCCESS;
835}
836
837
838/**
839 * Verifies a file.
840 *
841 * @returns VINF_SUCCESS on success.
842 * VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
843 * On verification failure, an error code will be returned when fFatal is clear,
844 * otherwise the program will be terminated.
845 *
846 * @param pszFilename The filename.
847 * @param fFatal Whether validation failures should be treated as
848 * fatal (true) or not (false).
849 */
850DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
851{
852 /*
853 * Lookup the file and check if it's the same file.
854 */
855 const char *pszName = supR3HardenedPathFilename(pszFilename);
856 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
857 if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
858 {
859 int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
860 if (RT_SUCCESS(rc))
861 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen */, false /* fVerifyAll */);
862 return rc;
863 }
864
865 return VERR_NOT_FOUND;
866}
867
868
869/**
870 * Verifies a program, worker for supR3HardenedVerifyAll.
871 *
872 * @returns See supR3HardenedVerifyAll.
873 * @param pszProgName See supR3HardenedVerifyAll.
874 * @param pszExePath The path to the executable.
875 * @param fFatal See supR3HardenedVerifyAll.
876 * @param fLeaveOpen The leave open setting used by
877 * supR3HardenedVerifyAll.
878 * @param fMainFlags Flags supplied to SUPR3HardenedMain.
879 */
880static int supR3HardenedVerifyProgram(const char *pszProgName, const char *pszExePath, bool fFatal,
881 bool fLeaveOpen, uint32_t fMainFlags)
882{
883 /*
884 * Search the table looking for the executable and the DLL/DYLIB/SO.
885 * Note! On darwin we have a hack in place for VirtualBoxVM helper app
886 * to share VirtualBox.dylib with the VirtualBox app. This ASSUMES
887 * that cchProgNameDll is equal or shorter to the exe name.
888 */
889 int rc = VINF_SUCCESS;
890 bool fExe = false;
891 bool fDll = false;
892 size_t const cchProgNameExe = suplibHardenedStrLen(pszProgName);
893#ifndef RT_OS_DARWIN
894 size_t const cchProgNameDll = cchProgNameExe;
895 NOREF(fMainFlags);
896#else
897 size_t const cchProgNameDll = fMainFlags & SUPSECMAIN_FLAGS_OSX_VM_APP
898 ? sizeof("VirtualBox") - 1
899 : cchProgNameExe;
900 if (cchProgNameDll > cchProgNameExe)
901 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
902 "supR3HardenedVerifyProgram: SUPSECMAIN_FLAGS_OSX_VM_APP + '%s'", pszProgName);
903#endif
904 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
905 if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameDll))
906 {
907 if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
908 || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
909 && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameDll], SUPLIB_DLL_SUFF))
910 {
911 /* This only has to be found (once). */
912 if (fDll)
913 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
914 "supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
915 else
916 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
917 true /* fVerifyAll - check sign later, only final process need check it on load. */);
918 fDll = true;
919 }
920 else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
921 || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
922 && ( cchProgNameExe == cchProgNameDll
923 || !suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameExe))
924 && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameExe], SUPLIB_EXE_SUFF))
925 {
926 /* Here we'll have to check that the specific program is the same as the entry. */
927 if (fExe)
928 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
929 "supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
930 else
931 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
932 fExe = true;
933
934 supR3HardenedVerifySameFile(iFile, pszExePath, fFatal);
935 }
936 }
937
938 /*
939 * Check the findings.
940 */
941 if (RT_SUCCESS(rc))
942 {
943 if (!fDll && !fExe)
944 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
945 "supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
946 else if (!fExe)
947 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
948 "supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
949 else if (!fDll)
950 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
951 "supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
952 }
953 return rc;
954}
955
956
957/**
958 * Verifies all the known files (called from SUPR3HardenedMain).
959 *
960 * @returns VINF_SUCCESS on success.
961 * On verification failure, an error code will be returned when fFatal is clear,
962 * otherwise the program will be terminated.
963 *
964 * @param fFatal Whether validation failures should be treated as
965 * fatal (true) or not (false).
966 * @param pszProgName The program name. This is used to verify that
967 * both the executable and corresponding
968 * DLL/DYLIB/SO are valid.
969 * @param pszExePath The path to the executable.
970 * @param fMainFlags Flags supplied to SUPR3HardenedMain.
971 */
972DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char *pszProgName, const char *pszExePath, uint32_t fMainFlags)
973{
974 /*
975 * On windows
976 */
977#if defined(RT_OS_WINDOWS)
978 bool fLeaveOpen = true;
979#else
980 bool fLeaveOpen = false;
981#endif
982
983 /*
984 * The verify all the files.
985 */
986 int rc = VINF_SUCCESS;
987 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
988 {
989 int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
990 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
991 rc = rc2;
992 }
993
994 /*
995 * Verify the program name, that is to say, check that it's in the table
996 * (thus verified above) and verify the signature on platforms where we
997 * sign things.
998 */
999 int rc2 = supR3HardenedVerifyProgram(pszProgName, pszExePath, fFatal, fLeaveOpen, fMainFlags);
1000 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
1001 rc2 = rc;
1002
1003 return rc;
1004}
1005
1006
1007/**
1008 * Copies the N messages into the error buffer and returns @a rc.
1009 *
1010 * @returns Returns @a rc
1011 * @param rc The return code.
1012 * @param pErrInfo The error info structure.
1013 * @param cMsgs The number of messages in the ellipsis.
1014 * @param ... Message parts.
1015 */
1016static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
1017{
1018 if (pErrInfo)
1019 {
1020 size_t cbErr = pErrInfo->cbMsg;
1021 char *pszErr = pErrInfo->pszMsg;
1022
1023 va_list va;
1024 va_start(va, cMsgs);
1025 while (cMsgs-- > 0 && cbErr > 0)
1026 {
1027 const char *pszMsg = va_arg(va, const char *);
1028 size_t cchMsg = VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
1029 if (cchMsg >= cbErr)
1030 cchMsg = cbErr - 1;
1031 suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
1032 pszErr[cchMsg] = '\0';
1033 pszErr += cchMsg;
1034 cbErr -= cchMsg;
1035 }
1036 va_end(va);
1037
1038 pErrInfo->rc = rc;
1039 pErrInfo->fFlags |= RTERRINFO_FLAGS_SET;
1040 }
1041
1042 return rc;
1043}
1044
1045
1046#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
1047/**
1048 * Copies the four messages into the error buffer and returns @a rc.
1049 *
1050 * @returns Returns @a rc
1051 * @param rc The return code.
1052 * @param pErrInfo The error info structure.
1053 * @param pszMsg1 The first message part.
1054 * @param pszMsg2 The second message part.
1055 * @param pszMsg3 The third message part.
1056 * @param pszMsg4 The fourth message part.
1057 */
1058static int supR3HardenedSetError4(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1059 const char *pszMsg2, const char *pszMsg3, const char *pszMsg4)
1060{
1061 return supR3HardenedSetErrorN(rc, pErrInfo, 4, pszMsg1, pszMsg2, pszMsg3, pszMsg4);
1062}
1063#endif
1064
1065
1066/**
1067 * Copies the three messages into the error buffer and returns @a rc.
1068 *
1069 * @returns Returns @a rc
1070 * @param rc The return code.
1071 * @param pErrInfo The error info structure.
1072 * @param pszMsg1 The first message part.
1073 * @param pszMsg2 The second message part.
1074 * @param pszMsg3 The third message part.
1075 */
1076static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1077 const char *pszMsg2, const char *pszMsg3)
1078{
1079 return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
1080}
1081
1082
1083#ifdef SOME_UNUSED_FUNCTION
1084/**
1085 * Copies the two messages into the error buffer and returns @a rc.
1086 *
1087 * @returns Returns @a rc
1088 * @param rc The return code.
1089 * @param pErrInfo The error info structure.
1090 * @param pszMsg1 The first message part.
1091 * @param pszMsg2 The second message part.
1092 */
1093static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1094 const char *pszMsg2)
1095{
1096 return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
1097}
1098#endif
1099
1100
1101#ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
1102# if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
1103/**
1104 * Copies the error message to the error buffer and returns @a rc.
1105 *
1106 * @returns Returns @a rc
1107 * @param rc The return code.
1108 * @param pErrInfo The error info structure.
1109 * @param pszMsg The message.
1110 */
1111static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
1112{
1113 return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
1114}
1115# endif
1116#endif
1117
1118
1119/**
1120 * Output from a successfull supR3HardenedVerifyPathSanity call.
1121 */
1122typedef struct SUPR3HARDENEDPATHINFO
1123{
1124 /** The length of the path in szCopy. */
1125 uint16_t cch;
1126 /** The number of path components. */
1127 uint16_t cComponents;
1128 /** Set if the path ends with slash, indicating that it's a directory
1129 * reference and not a file reference. The slash has been removed from
1130 * the copy. */
1131 bool fDirSlash;
1132 /** The offset where each path component starts, i.e. the char after the
1133 * slash. The array has cComponents + 1 entries, where the final one is
1134 * cch + 1 so that one can always terminate the current component by
1135 * szPath[aoffComponent[i] - 1] = '\0'. */
1136 uint16_t aoffComponents[32+1];
1137 /** A normalized copy of the path.
1138 * Reserve some extra space so we can be more relaxed about overflow
1139 * checks and terminator paddings, especially when recursing. */
1140 char szPath[SUPR3HARDENED_MAX_PATH * 2];
1141} SUPR3HARDENEDPATHINFO;
1142/** Pointer to a parsed path. */
1143typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
1144
1145
1146/**
1147 * Verifies that the path is absolutely sane, it also parses the path.
1148 *
1149 * A sane path starts at the root (w/ drive letter on DOS derived systems) and
1150 * does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
1151 * Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
1152 * paths are not supported.
1153 *
1154 * @returns VBox status code.
1155 * @param pszPath The path to check.
1156 * @param pErrInfo The error info structure.
1157 * @param pInfo Where to return a copy of the path along with
1158 * parsing information.
1159 */
1160static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
1161{
1162 const char *pszSrc = pszPath;
1163 char *pszDst = pInfo->szPath;
1164
1165 /*
1166 * Check that it's an absolute path and copy the volume/root specifier.
1167 */
1168#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
1169 if ( !RT_C_IS_ALPHA(pszSrc[0])
1170 || pszSrc[1] != ':'
1171 || !RTPATH_IS_SLASH(pszSrc[2]))
1172 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1173
1174 *pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
1175 *pszDst++ = ':';
1176 *pszDst++ = RTPATH_SLASH;
1177 pszSrc += 3;
1178
1179#else
1180 if (!RTPATH_IS_SLASH(pszSrc[0]))
1181 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1182
1183 *pszDst++ = RTPATH_SLASH;
1184 pszSrc += 1;
1185#endif
1186
1187 /*
1188 * No path specifying the root or something very shortly thereafter will
1189 * be approved of.
1190 */
1191 if (pszSrc[0] == '\0')
1192 return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
1193 if ( pszSrc[1] == '\0'
1194 || pszSrc[2] == '\0')
1195 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
1196
1197#if RTPATH_STYLE == RTPATH_STR_F_STYLE_UNIX
1198 /*
1199 * Skip double slashes.
1200 */
1201 while (RTPATH_IS_SLASH(*pszSrc))
1202 pszSrc++;
1203#else
1204 /*
1205 * The root slash should be alone to avoid UNC confusion.
1206 */
1207 if (RTPATH_IS_SLASH(pszSrc[0]))
1208 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
1209 "The path is not clean of leading double slashes: '", pszPath, "'");
1210#endif
1211 /*
1212 * Check each component. No parent references.
1213 */
1214 pInfo->cComponents = 0;
1215 pInfo->fDirSlash = false;
1216 while (pszSrc[0])
1217 {
1218 /* Sanity checks. */
1219 if ( pszSrc[0] == '.'
1220 && pszSrc[1] == '.'
1221 && RTPATH_IS_SLASH(pszSrc[2]))
1222 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
1223 "The path is not absolute: '", pszPath, "'");
1224
1225 /* Record the start of the component. */
1226 if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
1227 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
1228 "The path has too many components: '", pszPath, "'");
1229 pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
1230
1231 /* Traverse to the end of the component, copying it as we go along. */
1232 while (pszSrc[0])
1233 {
1234 if (RTPATH_IS_SLASH(pszSrc[0]))
1235 {
1236 pszSrc++;
1237 if (*pszSrc)
1238 *pszDst++ = RTPATH_SLASH;
1239 else
1240 pInfo->fDirSlash = true;
1241 break;
1242 }
1243 *pszDst++ = *pszSrc++;
1244 if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
1245 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1246 "The path is too long: '", pszPath, "'");
1247 }
1248
1249 /* Skip double slashes. */
1250 while (RTPATH_IS_SLASH(*pszSrc))
1251 pszSrc++;
1252 }
1253
1254 /* Terminate the string and enter its length. */
1255 pszDst[0] = '\0';
1256 pszDst[1] = '\0'; /* for aoffComponents */
1257 pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
1258 pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
1259
1260 return VINF_SUCCESS;
1261}
1262
1263
1264/**
1265 * The state information collected by supR3HardenedVerifyFsObject.
1266 *
1267 * This can be used to verify that a directory we've opened for enumeration is
1268 * the same as the one that supR3HardenedVerifyFsObject just verified. It can
1269 * equally be used to verify a native specfied by the user.
1270 */
1271typedef struct SUPR3HARDENEDFSOBJSTATE
1272{
1273#ifdef RT_OS_WINDOWS
1274 /** Not implemented for windows yet. */
1275 char chTodo;
1276#else
1277 /** The stat output. */
1278 struct stat Stat;
1279#endif
1280} SUPR3HARDENEDFSOBJSTATE;
1281/** Pointer to a file system object state. */
1282typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1283/** Pointer to a const file system object state. */
1284typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1285
1286
1287/**
1288 * Query information about a file system object by path.
1289 *
1290 * @returns VBox status code, error buffer filled on failure.
1291 * @param pszPath The path to the object.
1292 * @param pFsObjState Where to return the state information.
1293 * @param pErrInfo The error info structure.
1294 */
1295static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1296{
1297#if defined(RT_OS_WINDOWS)
1298 /** @todo Windows hardening. */
1299 pFsObjState->chTodo = 0;
1300 RT_NOREF2(pszPath, pErrInfo);
1301 return VINF_SUCCESS;
1302
1303#else
1304 /*
1305 * Stat the object, do not follow links.
1306 */
1307 if (lstat(pszPath, &pFsObjState->Stat) != 0)
1308 {
1309 /* Ignore access errors */
1310 if (errno != EACCES)
1311 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1312 5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1313 }
1314
1315 /*
1316 * Read ACLs.
1317 */
1318 /** @todo */
1319
1320 return VINF_SUCCESS;
1321#endif
1322}
1323
1324
1325/**
1326 * Query information about a file system object by native handle.
1327 *
1328 * @returns VBox status code, error buffer filled on failure.
1329 * @param hNative The native handle to the object @a pszPath
1330 * specifies and this should be verified to be the
1331 * same file system object.
1332 * @param pFsObjState Where to return the state information.
1333 * @param pszPath The path to the object. (For the error message
1334 * only.)
1335 * @param pErrInfo The error info structure.
1336 */
1337static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1338 char const *pszPath, PRTERRINFO pErrInfo)
1339{
1340#if defined(RT_OS_WINDOWS)
1341 /** @todo Windows hardening. */
1342 pFsObjState->chTodo = 0;
1343 RT_NOREF3(hNative, pszPath, pErrInfo);
1344 return VINF_SUCCESS;
1345
1346#else
1347 /*
1348 * Stat the object, do not follow links.
1349 */
1350 if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1351 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1352 5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1353
1354 /*
1355 * Read ACLs.
1356 */
1357 /** @todo */
1358
1359 return VINF_SUCCESS;
1360#endif
1361}
1362
1363
1364/**
1365 * Verifies that the file system object indicated by the native handle is the
1366 * same as the one @a pFsObjState indicates.
1367 *
1368 * @returns VBox status code, error buffer filled on failure.
1369 * @param pFsObjState1 File system object information/state by path.
1370 * @param pFsObjState2 File system object information/state by handle.
1371 * @param pszPath The path to the object @a pFsObjState
1372 * describes. (For the error message.)
1373 * @param pErrInfo The error info structure.
1374 */
1375static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1376 const char *pszPath, PRTERRINFO pErrInfo)
1377{
1378#if defined(RT_OS_WINDOWS)
1379 /** @todo Windows hardening. */
1380 RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1381 return VINF_SUCCESS;
1382
1383#elif defined(RT_OS_OS2)
1384 RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1385 return VINF_SUCCESS;
1386
1387#else
1388 /*
1389 * Compare the ino+dev, then the uid+gid and finally the important mode
1390 * bits. Technically the first one should be enough, but we're paranoid.
1391 */
1392 if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1393 || pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1394 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1395 "The native handle is not the same as '", pszPath, "' (ino/dev)");
1396 if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1397 || pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1398 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1399 "The native handle is not the same as '", pszPath, "' (uid/gid)");
1400 if ( (pFsObjState1->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH))
1401 != (pFsObjState2->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH)))
1402 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1403 "The native handle is not the same as '", pszPath, "' (mode)");
1404 return VINF_SUCCESS;
1405#endif
1406}
1407
1408
1409/**
1410 * Verifies a file system object (file or directory).
1411 *
1412 * @returns VBox status code, error buffer filled on failure.
1413 * @param pFsObjState The file system object information/state to be
1414 * verified.
1415 * @param fDir Whether this is a directory or a file.
1416 * @param fRelaxed Whether we can be more relaxed about this
1417 * directory (only used for grand parent
1418 * directories).
1419 * @param fSymlinksAllowed Flag whether symlinks are allowed or not.
1420 * If allowed the symlink object is verified not the target.
1421 * @param pszPath The path to the object. For error messages and
1422 * securing a couple of hacks.
1423 * @param pErrInfo The error info structure.
1424 */
1425static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1426 bool fSymlinksAllowed, const char *pszPath, PRTERRINFO pErrInfo)
1427{
1428#if defined(RT_OS_WINDOWS)
1429 /** @todo Windows hardening. */
1430 RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
1431 return VINF_SUCCESS;
1432
1433#elif defined(RT_OS_OS2)
1434 /* No hardening here - it's a single user system. */
1435 RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
1436 return VINF_SUCCESS;
1437
1438#else
1439 /*
1440 * The owner must be root.
1441 *
1442 * This can be extended to include predefined system users if necessary.
1443 */
1444 if (pFsObjState->Stat.st_uid != 0)
1445 return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1446
1447 /*
1448 * The object type must be directory or file. It can be a symbolic link
1449 * if explicitely allowed. Otherwise this and other risky stuff is not allowed
1450 * (sorry dude, but we're paranoid on purpose here).
1451 */
1452 if ( !S_ISLNK(pFsObjState->Stat.st_mode)
1453 || !fSymlinksAllowed)
1454 {
1455
1456 if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1457 && !S_ISREG(pFsObjState->Stat.st_mode))
1458 {
1459 if (S_ISLNK(pFsObjState->Stat.st_mode))
1460 return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1461 "Symlinks are not permitted: '", pszPath, "'");
1462 return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1463 "Not regular file or directory: '", pszPath, "'");
1464 }
1465 if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1466 {
1467 if (S_ISDIR(pFsObjState->Stat.st_mode))
1468 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1469 "Expected file but found directory: '", pszPath, "'");
1470 return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1471 "Expected directory but found file: '", pszPath, "'");
1472 }
1473 }
1474
1475 /*
1476 * The group does not matter if it does not have write access, if it has
1477 * write access it must be group 0 (root/wheel/whatever).
1478 *
1479 * This can be extended to include predefined system groups or groups that
1480 * only root is member of.
1481 */
1482 if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1483 && pFsObjState->Stat.st_gid != 0)
1484 {
1485# ifdef RT_OS_DARWIN
1486 /* HACK ALERT: On Darwin /Applications is root:admin with admin having
1487 full access. So, to work around we relax the hardening a bit and
1488 permit grand parents and beyond to be group writable by admin. */
1489 /** @todo dynamically resolve the admin group? */
1490 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 80 /*admin*/ || suplibHardenedStrCmp(pszPath, "/Applications");
1491
1492# elif defined(RT_OS_FREEBSD)
1493 /* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1494 similar to /Applications on OS X (see above).
1495 On FreeBSD root is normally the only member of this group, on
1496 PC-BSD the default user is a member. */
1497 /** @todo dynamically resolve the operator group? */
1498 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 5 /*operator*/ || suplibHardenedStrCmp(pszPath, "/usr/pbi");
1499 NOREF(fRelaxed);
1500# elif defined(RT_OS_SOLARIS)
1501 /* HACK ALERT: Solaris has group-writable /usr/lib/iconv directory from
1502 which the appropriate module is loaded.
1503 By default only root and daemon are part of that group.
1504 . */
1505 /** @todo dynamically resolve the bin group? */
1506 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 2 /*bin*/ || suplibHardenedStrCmp(pszPath, "/usr/lib/iconv");
1507# else
1508 NOREF(fRelaxed);
1509 bool fBad = true;
1510# endif
1511 if (fBad)
1512 return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1513 "An unknown (and thus untrusted) group has write access to '", pszPath,
1514 "' and we therefore cannot trust the directory content or that of any subdirectory");
1515 }
1516
1517 /*
1518 * World must not have write access. There is no relaxing this rule.
1519 * Linux exception: Symbolic links are always give permission 0777, there
1520 * is no lchmod or lchown APIs. The permissions on parent
1521 * directory that contains the symbolic link is what is
1522 * decising wrt to modifying it. (Caller is expected not
1523 * to allow symbolic links in the first path component.)
1524 */
1525 if ( (pFsObjState->Stat.st_mode & S_IWOTH)
1526# ifdef RT_OS_LINUX
1527 && ( !S_ISLNK(pFsObjState->Stat.st_mode)
1528 || !fSymlinksAllowed /* paranoia */)
1529# endif
1530 )
1531 return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1532 "World writable: '", pszPath, "'");
1533
1534 /*
1535 * Check the ACLs.
1536 */
1537 /** @todo */
1538
1539 return VINF_SUCCESS;
1540#endif
1541}
1542
1543
1544/**
1545 * Verifies that the file system object indicated by the native handle is the
1546 * same as the one @a pFsObjState indicates.
1547 *
1548 * @returns VBox status code, error buffer filled on failure.
1549 * @param hNative The native handle to the object @a pszPath
1550 * specifies and this should be verified to be the
1551 * same file system object.
1552 * @param pFsObjState The information/state returned by a previous
1553 * query call.
1554 * @param pszPath The path to the object @a pFsObjState
1555 * describes. (For the error message.)
1556 * @param pErrInfo The error info structure.
1557 */
1558static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1559 const char *pszPath, PRTERRINFO pErrInfo)
1560{
1561 SUPR3HARDENEDFSOBJSTATE FsObjState2;
1562 int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1563 if (RT_SUCCESS(rc))
1564 rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1565 return rc;
1566}
1567
1568
1569/**
1570 * Does the recursive directory enumeration.
1571 *
1572 * @returns VBox status code, error buffer filled on failure.
1573 * @param pszDirPath The path buffer containing the subdirectory to
1574 * enumerate followed by a slash (this is never
1575 * the root slash). The buffer is RTPATH_MAX in
1576 * size and anything starting at @a cchDirPath
1577 * - 1 and beyond is scratch space.
1578 * @param cchDirPath The length of the directory path + slash.
1579 * @param pFsObjState Pointer to the file system object state buffer.
1580 * On input this will hold the stats for
1581 * the directory @a pszDirPath indicates and will
1582 * be used to verified that we're opening the same
1583 * thing.
1584 * @param fRecursive Whether to recurse into subdirectories.
1585 * @param pErrInfo The error info structure.
1586 */
1587static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1588 bool fRecursive, PRTERRINFO pErrInfo)
1589{
1590#if defined(RT_OS_WINDOWS)
1591 /** @todo Windows hardening. */
1592 RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1593 return VINF_SUCCESS;
1594
1595#elif defined(RT_OS_OS2)
1596 /* No hardening here - it's a single user system. */
1597 RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1598 return VINF_SUCCESS;
1599
1600#else
1601 /*
1602 * Open the directory. Now, we could probably eliminate opendir here
1603 * and go down on kernel API level (open + getdents for instance), however
1604 * that's not very portable and hopefully not necessary.
1605 */
1606 DIR *pDir = opendir(pszDirPath);
1607 if (!pDir)
1608 {
1609 /* Ignore access errors. */
1610 if (errno == EACCES)
1611 return VINF_SUCCESS;
1612 return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1613 5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1614 }
1615 if (dirfd(pDir) != -1)
1616 {
1617 int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1618 if (RT_FAILURE(rc))
1619 {
1620 closedir(pDir);
1621 return rc;
1622 }
1623 }
1624
1625 /*
1626 * Enumerate the directory, check all the requested bits.
1627 */
1628 int rc = VINF_SUCCESS;
1629 for (;;)
1630 {
1631 pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1632
1633 struct dirent Entry;
1634 struct dirent *pEntry;
1635#if RT_GNUC_PREREQ(4, 6)
1636# pragma GCC diagnostic push
1637# pragma GCC diagnostic ignored "-Wdeprecated-declarations"
1638#endif
1639 int iErr = readdir_r(pDir, &Entry, &pEntry);
1640#if RT_GNUC_PREREQ(4, 6)
1641# pragma GCC diagnostic pop
1642#endif
1643 if (iErr)
1644 {
1645 rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1646 5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1647 break;
1648 }
1649 if (!pEntry)
1650 break;
1651
1652 /*
1653 * Check the length and copy it into the path buffer so it can be
1654 * stat()'ed.
1655 */
1656 size_t cchName = suplibHardenedStrLen(pEntry->d_name);
1657 if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1658 {
1659 rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1660 4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1661 break;
1662 }
1663 suplibHardenedMemCopy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1664
1665 /*
1666 * Query the information about the entry and verify it.
1667 * (We don't bother skipping '.' and '..' at this point, a little bit
1668 * of extra checks doesn't hurt and neither requires relaxed handling.)
1669 */
1670 rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1671 if (RT_SUCCESS(rc))
1672 break;
1673 rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /*fRelaxed*/,
1674 false /*fSymlinksAllowed*/, pszDirPath, pErrInfo);
1675 if (RT_FAILURE(rc))
1676 break;
1677
1678 /*
1679 * Recurse into subdirectories if requested.
1680 */
1681 if ( fRecursive
1682 && S_ISDIR(pFsObjState->Stat.st_mode)
1683 && suplibHardenedStrCmp(pEntry->d_name, ".")
1684 && suplibHardenedStrCmp(pEntry->d_name, ".."))
1685 {
1686 pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1687 pszDirPath[cchDirPath + cchName + 1] = '\0';
1688
1689 rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1690 fRecursive, pErrInfo);
1691 if (RT_FAILURE(rc))
1692 break;
1693 }
1694 }
1695
1696 closedir(pDir);
1697 return VINF_SUCCESS;
1698#endif
1699}
1700
1701
1702/**
1703 * Worker for SUPR3HardenedVerifyDir.
1704 *
1705 * @returns See SUPR3HardenedVerifyDir.
1706 * @param pszDirPath See SUPR3HardenedVerifyDir.
1707 * @param fRecursive See SUPR3HardenedVerifyDir.
1708 * @param fCheckFiles See SUPR3HardenedVerifyDir.
1709 * @param pErrInfo See SUPR3HardenedVerifyDir.
1710 */
1711DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1712{
1713 /*
1714 * Validate the input path and parse it.
1715 */
1716 SUPR3HARDENEDPATHINFO Info;
1717 int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1718 if (RT_FAILURE(rc))
1719 return rc;
1720
1721 /*
1722 * Verify each component from the root up.
1723 */
1724 SUPR3HARDENEDFSOBJSTATE FsObjState;
1725 uint32_t const cComponents = Info.cComponents;
1726 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1727 {
1728 bool fRelaxed = iComponent + 2 < cComponents;
1729 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1730 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1731 if (RT_SUCCESS(rc))
1732 rc = supR3HardenedVerifyFsObject(&FsObjState, true /*fDir*/, fRelaxed,
1733 false /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
1734 if (RT_FAILURE(rc))
1735 return rc;
1736 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1737 }
1738
1739 /*
1740 * Check files and subdirectories if requested.
1741 */
1742 if (fCheckFiles || fRecursive)
1743 {
1744 Info.szPath[Info.cch] = RTPATH_SLASH;
1745 Info.szPath[Info.cch + 1] = '\0';
1746 return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1747 fRecursive, pErrInfo);
1748 }
1749
1750 return VINF_SUCCESS;
1751}
1752
1753
1754/**
1755 * Verfies a file.
1756 *
1757 * @returns VBox status code, error buffer filled on failure.
1758 * @param pszFilename The file to verify.
1759 * @param hNativeFile Handle to the file, verify that it's the same
1760 * as we ended up with when verifying the path.
1761 * RTHCUINTPTR_MAX means NIL here.
1762 * @param fMaybe3rdParty Set if the file is could be a supplied by a
1763 * third party. Different validation rules may
1764 * apply to 3rd party code on some platforms.
1765 * @param pErrInfo Where to return extended error information.
1766 * Optional.
1767 */
1768DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
1769 bool fMaybe3rdParty, PRTERRINFO pErrInfo)
1770{
1771 /*
1772 * Validate the input path and parse it.
1773 */
1774 SUPR3HARDENEDPATHINFO Info;
1775 int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1776 if (RT_FAILURE(rc))
1777 return rc;
1778 if (Info.fDirSlash)
1779 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1780 "The file path specifies a directory: '", pszFilename, "'");
1781
1782 /*
1783 * Verify each component from the root up.
1784 */
1785 SUPR3HARDENEDFSOBJSTATE FsObjState;
1786 uint32_t const cComponents = Info.cComponents;
1787 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1788 {
1789 bool fFinal = iComponent + 1 == cComponents;
1790 bool fRelaxed = iComponent + 2 < cComponents;
1791 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1792 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1793 if (RT_SUCCESS(rc))
1794 rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed,
1795 false /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
1796 if (RT_FAILURE(rc))
1797 return rc;
1798 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1799 }
1800
1801 /*
1802 * Verify the file handle against the last component, if specified.
1803 */
1804 if (hNativeFile != RTHCUINTPTR_MAX)
1805 {
1806 rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1807 if (RT_FAILURE(rc))
1808 return rc;
1809 }
1810
1811#ifdef RT_OS_WINDOWS
1812 /*
1813 * The files shall be signed on windows, verify that.
1814 */
1815 rc = VINF_SUCCESS;
1816 HANDLE hVerify;
1817 if (hNativeFile == RTHCUINTPTR_MAX)
1818 {
1819 PRTUTF16 pwszPath;
1820 rc = RTStrToUtf16(pszFilename, &pwszPath);
1821 if (RT_SUCCESS(rc))
1822 {
1823 hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1824 RTUtf16Free(pwszPath);
1825 }
1826 else
1827 {
1828 rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
1829 hVerify = INVALID_HANDLE_VALUE;
1830 }
1831 }
1832 else
1833 {
1834 NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
1835 GENERIC_READ, 0 /*HandleAttributes*/, 0 /*Options*/);
1836 if (!NT_SUCCESS(rcNt))
1837 hVerify = INVALID_HANDLE_VALUE;
1838 }
1839 if (hVerify != INVALID_HANDLE_VALUE)
1840 {
1841# ifdef VBOX_WITH_HARDENING
1842 uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
1843 if (!fMaybe3rdParty)
1844 fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
1845 const char *pszSuffix = RTPathSuffix(pszFilename);
1846 if ( pszSuffix
1847 && pszSuffix[0] == '.'
1848 && ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
1849 || RT_C_TO_LOWER(pszSuffix[1]) == 'g')
1850 && RT_C_TO_LOWER(pszSuffix[2]) == 'c'
1851 && pszSuffix[3] == '\0' )
1852 fFlags |= SUPHNTVI_F_RC_IMAGE;
1853# ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
1854 rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
1855# endif
1856# else
1857 RT_NOREF1(fMaybe3rdParty);
1858# endif
1859 NtClose(hVerify);
1860 }
1861 else if (RT_SUCCESS(rc))
1862 rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
1863 "Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
1864 if (RT_FAILURE(rc))
1865 return rc;
1866#else
1867 RT_NOREF1(fMaybe3rdParty);
1868#endif
1869
1870 return VINF_SUCCESS;
1871}
1872
1873
1874#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
1875/**
1876 * Verfies a file following symlinks.
1877 *
1878 * @returns VBox status code, error buffer filled on failure.
1879 * @param pszFilename The file to verify.
1880 * @param hNativeFile Handle to the file, verify that it's the same
1881 * as we ended up with when verifying the path.
1882 * RTHCUINTPTR_MAX means NIL here.
1883 * @param fMaybe3rdParty Set if the file is could be a supplied by a
1884 * third party. Different validation rules may
1885 * apply to 3rd party code on some platforms.
1886 * @param pErrInfo Where to return extended error information.
1887 * Optional.
1888 *
1889 * @note This is only used on OS X for libraries loaded with dlopen() because
1890 * the frameworks use symbolic links to point to the relevant library.
1891 *
1892 * @sa supR3HardenedVerifyFile
1893 */
1894DECLHIDDEN(int) supR3HardenedVerifyFileFollowSymlinks(const char *pszFilename, RTHCUINTPTR hNativeFile, bool fMaybe3rdParty,
1895 PRTERRINFO pErrInfo)
1896{
1897 RT_NOREF1(fMaybe3rdParty);
1898
1899 /*
1900 * Validate the input path and parse it.
1901 */
1902 SUPR3HARDENEDPATHINFO Info;
1903 int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1904 if (RT_FAILURE(rc))
1905 return rc;
1906 if (Info.fDirSlash)
1907 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1908 "The file path specifies a directory: '", pszFilename, "'");
1909
1910 /*
1911 * Verify each component from the root up.
1912 */
1913#ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
1914 uint32_t iLoops = 0;
1915#endif
1916 SUPR3HARDENEDFSOBJSTATE FsObjState;
1917 uint32_t iComponent = 0;
1918 while (iComponent < Info.cComponents)
1919 {
1920 bool fFinal = iComponent + 1 == Info.cComponents;
1921 bool fRelaxed = iComponent + 2 < Info.cComponents;
1922 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1923 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1924 if (RT_SUCCESS(rc))
1925 {
1926 /*
1927 * In case the component is a symlink expand it and start from the beginning after
1928 * verifying it has the proper access rights.
1929 * Furthermore only allow symlinks which don't contain any .. or . in the target
1930 * (enforced by supR3HardenedVerifyPathSanity).
1931 */
1932 rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed,
1933 true /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
1934 if ( RT_SUCCESS(rc)
1935 && S_ISLNK(FsObjState.Stat.st_mode))
1936 {
1937#if SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH /* Another approach using realpath() and verifying the result when encountering a symlink. */
1938 char *pszFilenameResolved = realpath(pszFilename, NULL);
1939 if (pszFilenameResolved)
1940 {
1941 rc = supR3HardenedVerifyFile(pszFilenameResolved, hNativeFile, fMaybe3rdParty, pErrInfo);
1942 free(pszFilenameResolved);
1943 return rc;
1944 }
1945 else
1946 {
1947 int iErr = errno;
1948 supR3HardenedError(VERR_ACCESS_DENIED, false /*fFatal*/,
1949 "supR3HardenedVerifyFileFollowSymlinks: Failed to resolve the real path '%s': %s (%d)\n",
1950 pszFilename, strerror(iErr), iErr);
1951 return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
1952 "realpath failed for '", pszFilename, "': ", strerror(iErr));
1953 }
1954#else
1955 /* Don't loop forever. */
1956 iLoops++;
1957 if (iLoops < 8)
1958 {
1959 /*
1960 * Construct new path by replacing the current component by the symlink value.
1961 * Note! readlink() is a weird API that doesn't necessarily indicates if the
1962 * buffer is too small.
1963 */
1964 char szPath[RTPATH_MAX];
1965 size_t const cchBefore = Info.aoffComponents[iComponent]; /* includes slash */
1966 size_t const cchAfter = fFinal ? 0 : 1 /*slash*/ + Info.cch - Info.aoffComponents[iComponent + 1];
1967 if (sizeof(szPath) > cchBefore + cchAfter + 2)
1968 {
1969 ssize_t cchTarget = readlink(Info.szPath, szPath, sizeof(szPath) - 1);
1970 if (cchTarget > 0)
1971 {
1972 /* Some serious paranoia against embedded zero terminator and weird return values. */
1973 szPath[cchTarget] = '\0';
1974 size_t cchLink = strlen(szPath);
1975
1976 /* Strip trailing dirslashes of non-final link. */
1977 if (!fFinal)
1978 while (cchLink > 1 and szPath[cchLink - 1] == '/')
1979 cchLink--;
1980
1981 /* Check link value sanity and buffer size. */
1982 if (cchLink == 0)
1983 return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
1984 "Bad readlink return for '", Info.szPath, "'");
1985 if (szPath[0] == '/')
1986 return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
1987 "Absolute symbolic link not allowed: '", szPath, "'");
1988 if (cchBefore + cchLink + cchAfter + 1 /*terminator*/ > sizeof(szPath))
1989 return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1990 "Symlinks causing too long path!");
1991
1992 /* Construct the new path. */
1993 if (cchBefore)
1994 memmove(&szPath[cchBefore], &szPath[0], cchLink);
1995 memcpy(&szPath[0], Info.szPath, cchBefore);
1996 if (!cchAfter)
1997 szPath[cchBefore + cchLink] = '\0';
1998 else
1999 {
2000 szPath[cchBefore + cchLink] = RTPATH_SLASH;
2001 memcpy(&szPath[cchBefore + cchLink + 1],
2002 &Info.szPath[Info.aoffComponents[iComponent + 1]],
2003 cchAfter); /* cchAfter includes a zero terminator */
2004 }
2005
2006 /* Parse, copy and check the sanity (no '..' or '.') of the altered path. */
2007 rc = supR3HardenedVerifyPathSanity(szPath, pErrInfo, &Info);
2008 if (RT_FAILURE(rc))
2009 return rc;
2010 if (Info.fDirSlash)
2011 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
2012 "The file path specifies a directory: '", szPath, "'");
2013
2014 /* Restart from the current component. */
2015 continue;
2016 }
2017 int iErr = errno;
2018 supR3HardenedError(VERR_ACCESS_DENIED, false /*fFatal*/,
2019 "supR3HardenedVerifyFileFollowSymlinks: Failed to readlink '%s': %s (%d)\n",
2020 Info.szPath, strerror(iErr), iErr);
2021 return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
2022 "readlink failed for '", Info.szPath, "': ", strerror(iErr));
2023 }
2024 return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo, "Path too long for symlink replacing!");
2025 }
2026 else
2027 return supR3HardenedSetError3(VERR_TOO_MANY_SYMLINKS, pErrInfo,
2028 "Too many symbolic links: '", pszFilename, "'");
2029#endif
2030 }
2031 }
2032 if (RT_FAILURE(rc))
2033 return rc;
2034 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
2035 iComponent++;
2036 }
2037
2038 /*
2039 * Verify the file handle against the last component, if specified.
2040 */
2041 if (hNativeFile != RTHCUINTPTR_MAX)
2042 {
2043 rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
2044 if (RT_FAILURE(rc))
2045 return rc;
2046 }
2047
2048 return VINF_SUCCESS;
2049}
2050#endif /* RT_OS_DARWIN || RT_OS_LINUX */
2051
2052
2053/**
2054 * Gets the pre-init data for the hand-over to the other version
2055 * of this code.
2056 *
2057 * The reason why we pass this information on is that it contains
2058 * open directories and files. Later it may include even more info
2059 * (int the verified arrays mostly).
2060 *
2061 * The receiver is supR3HardenedRecvPreInitData.
2062 *
2063 * @param pPreInitData Where to store it.
2064 */
2065DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
2066{
2067 pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
2068 pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
2069 pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
2070
2071 pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
2072 pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
2073}
2074
2075
2076/**
2077 * Receives the pre-init data from the static executable stub.
2078 *
2079 * @returns VBox status code. Will not bitch on failure since the
2080 * runtime isn't ready for it, so that is left to the exe stub.
2081 *
2082 * @param pPreInitData The hand-over data.
2083 */
2084DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
2085{
2086 /*
2087 * Compare the array lengths and the contents of g_aSupInstallFiles.
2088 */
2089 if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
2090 || pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
2091 return VERR_VERSION_MISMATCH;
2092 SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
2093 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
2094 if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
2095 || g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
2096 || g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
2097 || suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
2098 return VERR_VERSION_MISMATCH;
2099
2100 /*
2101 * Check that we're not called out of order.
2102 * If dynamic linking it screwed up, we may end up here.
2103 */
2104 if ( !ASMMemIsZero(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles))
2105 || !ASMMemIsZero(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs)))
2106 return VERR_WRONG_ORDER;
2107
2108 /*
2109 * Copy the verification data over.
2110 */
2111 suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
2112 suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
2113 return VINF_SUCCESS;
2114}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette