1 | /* $Id: SUPR3HardenedVerify.cpp 93115 2022-01-01 11:31:46Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * VirtualBox Support Library - Verification of Hardened Installation.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2006-2022 Oracle Corporation
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox Open Source Edition (OSE), as
|
---|
10 | * available from http://www.virtualbox.org. This file is free software;
|
---|
11 | * you can redistribute it and/or modify it under the terms of the GNU
|
---|
12 | * General Public License (GPL) as published by the Free Software
|
---|
13 | * Foundation, in version 2 as it comes in the "COPYING" file of the
|
---|
14 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
|
---|
15 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
|
---|
16 | *
|
---|
17 | * The contents of this file may alternatively be used under the terms
|
---|
18 | * of the Common Development and Distribution License Version 1.0
|
---|
19 | * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
|
---|
20 | * VirtualBox OSE distribution, in which case the provisions of the
|
---|
21 | * CDDL are applicable instead of those of the GPL.
|
---|
22 | *
|
---|
23 | * You may elect to license modified versions of this file under the
|
---|
24 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
25 | */
|
---|
26 |
|
---|
27 |
|
---|
28 | /*********************************************************************************************************************************
|
---|
29 | * Header Files *
|
---|
30 | *********************************************************************************************************************************/
|
---|
31 | #if defined(RT_OS_OS2)
|
---|
32 | # define INCL_BASE
|
---|
33 | # define INCL_ERRORS
|
---|
34 | # include <os2.h>
|
---|
35 | # include <stdio.h>
|
---|
36 | # include <stdlib.h>
|
---|
37 | # include <unistd.h>
|
---|
38 | # include <sys/fcntl.h>
|
---|
39 | # include <sys/errno.h>
|
---|
40 | # include <sys/syslimits.h>
|
---|
41 |
|
---|
42 | #elif defined(RT_OS_WINDOWS)
|
---|
43 | # include <iprt/nt/nt-and-windows.h>
|
---|
44 | # ifndef IN_SUP_HARDENED_R3
|
---|
45 | # include <stdio.h>
|
---|
46 | # endif
|
---|
47 |
|
---|
48 | #else /* UNIXes */
|
---|
49 | # include <sys/types.h>
|
---|
50 | # include <stdio.h>
|
---|
51 | # include <stdlib.h>
|
---|
52 | # include <dirent.h>
|
---|
53 | # include <dlfcn.h>
|
---|
54 | # include <fcntl.h>
|
---|
55 | # include <limits.h>
|
---|
56 | # include <errno.h>
|
---|
57 | # include <unistd.h>
|
---|
58 | # include <sys/stat.h>
|
---|
59 | # include <sys/time.h>
|
---|
60 | # include <sys/fcntl.h>
|
---|
61 | # include <pwd.h>
|
---|
62 | # ifdef RT_OS_DARWIN
|
---|
63 | # include <mach-o/dyld.h>
|
---|
64 | # endif
|
---|
65 |
|
---|
66 | #endif
|
---|
67 |
|
---|
68 | #include <VBox/sup.h>
|
---|
69 | #include <VBox/err.h>
|
---|
70 | #include <iprt/asm.h>
|
---|
71 | #include <iprt/ctype.h>
|
---|
72 | #include <iprt/param.h>
|
---|
73 | #include <iprt/path.h>
|
---|
74 | #include <iprt/string.h>
|
---|
75 | #include <iprt/utf16.h>
|
---|
76 |
|
---|
77 | #include "SUPLibInternal.h"
|
---|
78 | #if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
|
---|
79 | # define SUPHNTVI_NO_NT_STUFF
|
---|
80 | # include "win/SUPHardenedVerify-win.h"
|
---|
81 | #endif
|
---|
82 |
|
---|
83 |
|
---|
84 | /*********************************************************************************************************************************
|
---|
85 | * Defined Constants And Macros *
|
---|
86 | *********************************************************************************************************************************/
|
---|
87 | /** The max path length acceptable for a trusted path. */
|
---|
88 | #define SUPR3HARDENED_MAX_PATH 260U
|
---|
89 |
|
---|
90 | /** Enable to resolve symlinks using realpath() instead of cooking our own stuff. */
|
---|
91 | #define SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH 1
|
---|
92 |
|
---|
93 | #ifdef RT_OS_SOLARIS
|
---|
94 | # define dirfd(d) ((d)->d_fd)
|
---|
95 | #endif
|
---|
96 |
|
---|
97 | /** Compare table file names with externally supplied names. */
|
---|
98 | #if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
|
---|
99 | # define SUP_COMP_FILENAME RTStrICmp
|
---|
100 | #else
|
---|
101 | # define SUP_COMP_FILENAME suplibHardenedStrCmp
|
---|
102 | #endif
|
---|
103 |
|
---|
104 |
|
---|
105 | /*********************************************************************************************************************************
|
---|
106 | * Global Variables *
|
---|
107 | *********************************************************************************************************************************/
|
---|
108 | /**
|
---|
109 | * The files that gets verified.
|
---|
110 | *
|
---|
111 | * @todo This needs reviewing against the linux packages.
|
---|
112 | * @todo The excessive use of kSupID_AppSharedLib needs to be reviewed at some point. For
|
---|
113 | * the time being we're building the linux packages with SharedLib pointing to
|
---|
114 | * AppPrivArch (lazy bird).
|
---|
115 | *
|
---|
116 | * @remarks If you add executables here, you might need to update
|
---|
117 | * g_apszSupNtVpAllowedVmExes in SUPHardenedVerifyProcess-win.cpp.
|
---|
118 | */
|
---|
119 | static SUPINSTFILE const g_aSupInstallFiles[] =
|
---|
120 | {
|
---|
121 | /* type, dir, fOpt, "pszFile" */
|
---|
122 | /* ---------------------------------------------------------------------- */
|
---|
123 | { kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
|
---|
124 | { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
|
---|
125 |
|
---|
126 | #ifdef VBOX_WITH_RAW_MODE
|
---|
127 | { kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMRC.rc" },
|
---|
128 | { kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDRC.rc" },
|
---|
129 | #endif
|
---|
130 |
|
---|
131 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
|
---|
132 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
|
---|
133 | #if HC_ARCH_BITS == 32
|
---|
134 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
|
---|
135 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
|
---|
136 | #endif
|
---|
137 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
|
---|
138 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
|
---|
139 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
|
---|
140 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxVMMPreload" SUPLIB_EXE_SUFF },
|
---|
141 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVMMPreload" SUPLIB_DLL_SUFF },
|
---|
142 |
|
---|
143 | //#ifdef VBOX_WITH_DEBUGGER_GUI
|
---|
144 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
|
---|
145 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
|
---|
146 | //#endif
|
---|
147 |
|
---|
148 | //#ifdef VBOX_WITH_SHARED_CLIPBOARD
|
---|
149 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
|
---|
150 | //#endif
|
---|
151 | //#ifdef VBOX_WITH_SHARED_FOLDERS
|
---|
152 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
|
---|
153 | //#endif
|
---|
154 | //#ifdef VBOX_WITH_DRAG_AND_DROP
|
---|
155 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
|
---|
156 | //#endif
|
---|
157 | //#ifdef VBOX_WITH_GUEST_PROPS
|
---|
158 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
|
---|
159 | //#endif
|
---|
160 | //#ifdef VBOX_WITH_GUEST_CONTROL
|
---|
161 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
|
---|
162 | //#endif
|
---|
163 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
|
---|
164 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
|
---|
165 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
|
---|
166 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
|
---|
167 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
|
---|
168 |
|
---|
169 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
|
---|
170 |
|
---|
171 | #ifdef VBOX_WITH_MAIN
|
---|
172 | { kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
|
---|
173 | #ifdef RT_OS_WINDOWS
|
---|
174 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
|
---|
175 | #else
|
---|
176 | { kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
|
---|
177 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
|
---|
178 | { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
|
---|
179 | { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
|
---|
180 | { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
|
---|
181 | { kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
|
---|
182 | #endif
|
---|
183 | #endif
|
---|
184 |
|
---|
185 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
|
---|
186 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
|
---|
187 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
|
---|
188 |
|
---|
189 | //#ifdef VBOX_WITH_HEADLESS
|
---|
190 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
|
---|
191 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
|
---|
192 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
|
---|
193 | //#endif
|
---|
194 |
|
---|
195 | //#ifdef VBOX_WITH_QTGUI
|
---|
196 | { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
|
---|
197 | # ifdef RT_OS_DARWIN
|
---|
198 | { kSupIFT_Exe, kSupID_AppMacHelper, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
|
---|
199 | # else
|
---|
200 | { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
|
---|
201 | # endif
|
---|
202 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBoxVM" SUPLIB_DLL_SUFF },
|
---|
203 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "UICommon" SUPLIB_DLL_SUFF },
|
---|
204 | # if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
|
---|
205 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
|
---|
206 | # endif
|
---|
207 | //#endif
|
---|
208 |
|
---|
209 | //#ifdef VBOX_WITH_VBOXSDL
|
---|
210 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
|
---|
211 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
|
---|
212 | //#endif
|
---|
213 |
|
---|
214 | //#ifdef VBOX_WITH_WEBSERVICES
|
---|
215 | { kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
|
---|
216 | //#endif
|
---|
217 |
|
---|
218 | #ifdef RT_OS_LINUX
|
---|
219 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
|
---|
220 | #endif
|
---|
221 |
|
---|
222 | //#ifdef VBOX_WITH_NETFLT
|
---|
223 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
|
---|
224 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
|
---|
225 | //#endif
|
---|
226 |
|
---|
227 | //#ifdef VBOX_WITH_LWIP_NAT
|
---|
228 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
|
---|
229 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
|
---|
230 | //#endif
|
---|
231 | #if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
|
---|
232 | # define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
|
---|
233 | { kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
|
---|
234 | { kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
|
---|
235 | HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
|
---|
236 | HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
|
---|
237 | HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
|
---|
238 | HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
|
---|
239 | HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
|
---|
240 | # define HARDENED_TESTCASE_ENTRY(a_szName) \
|
---|
241 | { kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
|
---|
242 | { kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
|
---|
243 | HARDENED_TESTCASE_ENTRY("tstCFGM"),
|
---|
244 | HARDENED_TESTCASE_ENTRY("tstGIP-2"),
|
---|
245 | HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
|
---|
246 | HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
|
---|
247 | HARDENED_TESTCASE_ENTRY("tstRTR0ThreadPreemptionDriver"),
|
---|
248 | HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
|
---|
249 | HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
|
---|
250 | HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
|
---|
251 | HARDENED_TESTCASE_ENTRY("tstSSM"),
|
---|
252 | #endif
|
---|
253 | };
|
---|
254 |
|
---|
255 |
|
---|
256 | /** Array parallel to g_aSupInstallFiles containing per-file status info. */
|
---|
257 | static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
|
---|
258 |
|
---|
259 | /** Array index by install directory specifier containing info about verified directories. */
|
---|
260 | static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
|
---|
261 |
|
---|
262 |
|
---|
263 | /**
|
---|
264 | * Assembles the path to a directory.
|
---|
265 | *
|
---|
266 | * @returns VINF_SUCCESS on success, some error code on failure (fFatal
|
---|
267 | * decides whether it returns or not).
|
---|
268 | *
|
---|
269 | * @param enmDir The directory.
|
---|
270 | * @param pszDst Where to assemble the path.
|
---|
271 | * @param cchDst The size of the buffer.
|
---|
272 | * @param fFatal Whether failures should be treated as fatal (true) or not (false).
|
---|
273 | * @param pFile The file (for darwin helper app paths).
|
---|
274 | */
|
---|
275 | static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal, PCSUPINSTFILE pFile)
|
---|
276 | {
|
---|
277 | int rc;
|
---|
278 | switch (enmDir)
|
---|
279 | {
|
---|
280 | case kSupID_AppBin:
|
---|
281 | rc = supR3HardenedPathAppBin(pszDst, cchDst);
|
---|
282 | break;
|
---|
283 | case kSupID_AppSharedLib:
|
---|
284 | rc = supR3HardenedPathAppSharedLibs(pszDst, cchDst);
|
---|
285 | break;
|
---|
286 | case kSupID_AppPrivArch:
|
---|
287 | rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
|
---|
288 | break;
|
---|
289 | case kSupID_AppPrivArchComp:
|
---|
290 | rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
|
---|
291 | if (RT_SUCCESS(rc))
|
---|
292 | {
|
---|
293 | size_t off = suplibHardenedStrLen(pszDst);
|
---|
294 | if (cchDst - off >= sizeof("/components"))
|
---|
295 | suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
|
---|
296 | else
|
---|
297 | rc = VERR_BUFFER_OVERFLOW;
|
---|
298 | }
|
---|
299 | break;
|
---|
300 | case kSupID_AppPrivNoArch:
|
---|
301 | rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
|
---|
302 | break;
|
---|
303 | case kSupID_Testcase:
|
---|
304 | rc = supR3HardenedPathAppBin(pszDst, cchDst);
|
---|
305 | if (RT_SUCCESS(rc))
|
---|
306 | {
|
---|
307 | size_t off = suplibHardenedStrLen(pszDst);
|
---|
308 | if (cchDst - off >= sizeof("/testcase"))
|
---|
309 | suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
|
---|
310 | else
|
---|
311 | rc = VERR_BUFFER_OVERFLOW;
|
---|
312 | }
|
---|
313 | break;
|
---|
314 | #ifdef RT_OS_DARWIN
|
---|
315 | case kSupID_AppMacHelper:
|
---|
316 | rc = supR3HardenedPathAppBin(pszDst, cchDst);
|
---|
317 | if (RT_SUCCESS(rc))
|
---|
318 | {
|
---|
319 | /* Up one level from the VirtualBox.app/Contents/MacOS directory: */
|
---|
320 | size_t offDst = suplibHardenedStrLen(pszDst);
|
---|
321 | while (offDst > 1 && pszDst[offDst - 1] == '/')
|
---|
322 | offDst--;
|
---|
323 | while (offDst > 1 && pszDst[offDst - 1] != '/')
|
---|
324 | offDst--;
|
---|
325 |
|
---|
326 | /* Construct the path to the helper application's Contents/MacOS directory: */
|
---|
327 | size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
|
---|
328 | if (offDst + cchFile + sizeof("Resources/.app/Contents/MacOS") <= cchDst)
|
---|
329 | {
|
---|
330 | suplibHardenedMemCopy(&pszDst[offDst], RT_STR_TUPLE("Resources/"));
|
---|
331 | offDst += sizeof("Resources/") - 1;
|
---|
332 | suplibHardenedMemCopy(&pszDst[offDst], pFile->pszFile, cchFile);
|
---|
333 | offDst += cchFile;
|
---|
334 | suplibHardenedMemCopy(&pszDst[offDst], RT_STR_TUPLE(".app/Contents/MacOS") + 1);
|
---|
335 | }
|
---|
336 | else
|
---|
337 | rc = VERR_BUFFER_OVERFLOW;
|
---|
338 | }
|
---|
339 | break;
|
---|
340 | #endif
|
---|
341 | default:
|
---|
342 | return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
343 | "supR3HardenedMakePath: enmDir=%d\n", enmDir);
|
---|
344 | }
|
---|
345 | if (RT_FAILURE(rc))
|
---|
346 | supR3HardenedError(rc, fFatal,
|
---|
347 | "supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
|
---|
348 | NOREF(pFile);
|
---|
349 | return rc;
|
---|
350 | }
|
---|
351 |
|
---|
352 |
|
---|
353 |
|
---|
354 | /**
|
---|
355 | * Assembles the path to a file table entry, with or without the actual filename.
|
---|
356 | *
|
---|
357 | * @returns VINF_SUCCESS on success, some error code on failure (fFatal
|
---|
358 | * decides whether it returns or not).
|
---|
359 | *
|
---|
360 | * @param pFile The file table entry.
|
---|
361 | * @param pszDst Where to assemble the path.
|
---|
362 | * @param cchDst The size of the buffer.
|
---|
363 | * @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
|
---|
364 | * @param fFatal Whether failures should be treated as fatal (true) or not (false).
|
---|
365 | */
|
---|
366 | static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
|
---|
367 | {
|
---|
368 | /*
|
---|
369 | * Combine supR3HardenedMakePath and the filename.
|
---|
370 | */
|
---|
371 | int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal, pFile);
|
---|
372 | if (RT_SUCCESS(rc) && fWithFilename)
|
---|
373 | {
|
---|
374 | size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
|
---|
375 | size_t off = suplibHardenedStrLen(pszDst);
|
---|
376 | if (cchDst - off >= cchFile + 2)
|
---|
377 | {
|
---|
378 | pszDst[off++] = '/';
|
---|
379 | suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
|
---|
380 | }
|
---|
381 | else
|
---|
382 | rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
|
---|
383 | "supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
|
---|
384 | pFile->pszFile, (long)off);
|
---|
385 | }
|
---|
386 | return rc;
|
---|
387 | }
|
---|
388 |
|
---|
389 |
|
---|
390 | /**
|
---|
391 | * Verifies a directory.
|
---|
392 | *
|
---|
393 | * @returns VINF_SUCCESS on success. On failure, an error code is returned if
|
---|
394 | * fFatal is clear and if it's set the function wont return.
|
---|
395 | * @param enmDir The directory specifier.
|
---|
396 | * @param fFatal Whether validation failures should be treated as
|
---|
397 | * fatal (true) or not (false).
|
---|
398 | * @param pFile The file (for darwin helper app paths).
|
---|
399 | */
|
---|
400 | DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal, PCSUPINSTFILE pFile)
|
---|
401 | {
|
---|
402 | /*
|
---|
403 | * Validate the index just to be on the safe side...
|
---|
404 | */
|
---|
405 | if (enmDir <= kSupID_Invalid || enmDir >= kSupID_End)
|
---|
406 | return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
407 | "supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
|
---|
408 |
|
---|
409 | /*
|
---|
410 | * Already validated?
|
---|
411 | */
|
---|
412 | if (g_aSupVerifiedDirs[enmDir].fValidated)
|
---|
413 | return VINF_SUCCESS; /** @todo revalidate? */
|
---|
414 |
|
---|
415 | /* initialize the entry. */
|
---|
416 | if (g_aSupVerifiedDirs[enmDir].hDir != 0)
|
---|
417 | supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
418 | "supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
|
---|
419 | (void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
|
---|
420 | g_aSupVerifiedDirs[enmDir].hDir = -1;
|
---|
421 | g_aSupVerifiedDirs[enmDir].fValidated = false;
|
---|
422 |
|
---|
423 | /*
|
---|
424 | * Make the path and open the directory.
|
---|
425 | */
|
---|
426 | char szPath[RTPATH_MAX];
|
---|
427 | int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal, pFile);
|
---|
428 | if (RT_SUCCESS(rc))
|
---|
429 | {
|
---|
430 | #if defined(RT_OS_WINDOWS)
|
---|
431 | PRTUTF16 pwszPath;
|
---|
432 | rc = RTStrToUtf16(szPath, &pwszPath);
|
---|
433 | if (RT_SUCCESS(rc))
|
---|
434 | {
|
---|
435 | HANDLE hDir = CreateFileW(pwszPath,
|
---|
436 | GENERIC_READ,
|
---|
437 | FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE,
|
---|
438 | NULL,
|
---|
439 | OPEN_EXISTING,
|
---|
440 | FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS,
|
---|
441 | NULL);
|
---|
442 | if (hDir != INVALID_HANDLE_VALUE)
|
---|
443 | {
|
---|
444 | /** @todo check the type */
|
---|
445 | /* That's all on windows, for now at least... */
|
---|
446 | g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
|
---|
447 | g_aSupVerifiedDirs[enmDir].fValidated = true;
|
---|
448 | }
|
---|
449 | else if (enmDir == kSupID_Testcase)
|
---|
450 | {
|
---|
451 | g_aSupVerifiedDirs[enmDir].fValidated = true;
|
---|
452 | rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
|
---|
453 | }
|
---|
454 | else
|
---|
455 | {
|
---|
456 | int err = RtlGetLastWin32Error();
|
---|
457 | rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
|
---|
458 | "supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
|
---|
459 | szPath, err);
|
---|
460 | }
|
---|
461 | RTUtf16Free(pwszPath);
|
---|
462 | }
|
---|
463 | else
|
---|
464 | rc = supR3HardenedError(rc, fFatal,
|
---|
465 | "supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
|
---|
466 |
|
---|
467 | #else /* UNIXY */
|
---|
468 | int fd = open(szPath, O_RDONLY, 0);
|
---|
469 | if (fd >= 0)
|
---|
470 | {
|
---|
471 | /*
|
---|
472 | * On unixy systems we'll make sure the directory is owned by root
|
---|
473 | * and not writable by the group and user.
|
---|
474 | */
|
---|
475 | struct stat st;
|
---|
476 | if (!fstat(fd, &st))
|
---|
477 | {
|
---|
478 |
|
---|
479 | if ( st.st_uid == 0
|
---|
480 | && !(st.st_mode & (S_IWGRP | S_IWOTH))
|
---|
481 | && S_ISDIR(st.st_mode))
|
---|
482 | {
|
---|
483 | g_aSupVerifiedDirs[enmDir].hDir = fd;
|
---|
484 | g_aSupVerifiedDirs[enmDir].fValidated = true;
|
---|
485 | }
|
---|
486 | else
|
---|
487 | {
|
---|
488 | if (!S_ISDIR(st.st_mode))
|
---|
489 | rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
|
---|
490 | "supR3HardenedVerifyDir: \"%s\" is not a directory\n",
|
---|
491 | szPath, (long)st.st_uid);
|
---|
492 | else if (st.st_uid)
|
---|
493 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
494 | "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
|
---|
495 | szPath, (long)st.st_uid);
|
---|
496 | else
|
---|
497 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
498 | "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
|
---|
499 | szPath, (long)st.st_mode);
|
---|
500 | close(fd);
|
---|
501 | }
|
---|
502 | }
|
---|
503 | else
|
---|
504 | {
|
---|
505 | int err = errno;
|
---|
506 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
507 | "supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
|
---|
508 | szPath, strerror(err), err);
|
---|
509 | close(fd);
|
---|
510 | }
|
---|
511 | }
|
---|
512 | else if (enmDir == kSupID_Testcase)
|
---|
513 | {
|
---|
514 | g_aSupVerifiedDirs[enmDir].fValidated = true;
|
---|
515 | rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
|
---|
516 | }
|
---|
517 | else
|
---|
518 | {
|
---|
519 | int err = errno;
|
---|
520 | rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
|
---|
521 | "supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
|
---|
522 | szPath, strerror(err), err);
|
---|
523 | }
|
---|
524 | #endif /* UNIXY */
|
---|
525 | }
|
---|
526 |
|
---|
527 | return rc;
|
---|
528 | }
|
---|
529 |
|
---|
530 |
|
---|
531 | #ifdef RT_OS_WINDOWS
|
---|
532 | /**
|
---|
533 | * Opens the file for verification.
|
---|
534 | *
|
---|
535 | * @returns VINF_SUCCESS on success. On failure, an error code is returned if
|
---|
536 | * fFatal is clear and if it's set the function wont return.
|
---|
537 | * @param pFile The file entry.
|
---|
538 | * @param fFatal Whether validation failures should be treated as
|
---|
539 | * kl fatal (true) or not (false).
|
---|
540 | * @param phFile The file handle, set to -1 if we failed to open
|
---|
541 | * the file. The function may return VINF_SUCCESS
|
---|
542 | * and a -1 handle if the file is optional.
|
---|
543 | */
|
---|
544 | static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
|
---|
545 | {
|
---|
546 | *phFile = -1;
|
---|
547 |
|
---|
548 | char szPath[RTPATH_MAX];
|
---|
549 | int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
|
---|
550 | if (RT_SUCCESS(rc))
|
---|
551 | {
|
---|
552 | PRTUTF16 pwszPath;
|
---|
553 | rc = RTStrToUtf16(szPath, &pwszPath);
|
---|
554 | if (RT_SUCCESS(rc))
|
---|
555 | {
|
---|
556 | HANDLE hFile = CreateFileW(pwszPath,
|
---|
557 | GENERIC_READ,
|
---|
558 | FILE_SHARE_READ,
|
---|
559 | NULL,
|
---|
560 | OPEN_EXISTING,
|
---|
561 | FILE_ATTRIBUTE_NORMAL,
|
---|
562 | NULL);
|
---|
563 | if (hFile != INVALID_HANDLE_VALUE)
|
---|
564 | {
|
---|
565 | *phFile = (intptr_t)hFile;
|
---|
566 | rc = VINF_SUCCESS;
|
---|
567 | }
|
---|
568 | else
|
---|
569 | {
|
---|
570 | int err = RtlGetLastWin32Error();
|
---|
571 | if ( !pFile->fOptional
|
---|
572 | || ( err != ERROR_FILE_NOT_FOUND
|
---|
573 | && (err != ERROR_PATH_NOT_FOUND || pFile->enmDir != kSupID_Testcase) ) )
|
---|
574 | rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
|
---|
575 | "supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
|
---|
576 | }
|
---|
577 | RTUtf16Free(pwszPath);
|
---|
578 | }
|
---|
579 | else
|
---|
580 | rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
|
---|
581 | szPath, rc);
|
---|
582 | }
|
---|
583 | return rc;
|
---|
584 | }
|
---|
585 |
|
---|
586 |
|
---|
587 | /**
|
---|
588 | * Worker for supR3HardenedVerifyFileInternal.
|
---|
589 | *
|
---|
590 | * @returns VINF_SUCCESS on success. On failure, an error code is returned if
|
---|
591 | * fFatal is clear and if it's set the function wont return.
|
---|
592 | * @param pFile The file entry.
|
---|
593 | * @param pVerified The verification record.
|
---|
594 | * @param fFatal Whether validation failures should be treated as
|
---|
595 | * fatal (true) or not (false).
|
---|
596 | * @param fLeaveFileOpen Whether the file should be left open.
|
---|
597 | */
|
---|
598 | static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
|
---|
599 | {
|
---|
600 | # if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
|
---|
601 |
|
---|
602 | /*
|
---|
603 | * Open the file if we have to.
|
---|
604 | */
|
---|
605 | int rc;
|
---|
606 | intptr_t hFileOpened;
|
---|
607 | intptr_t hFile = pVerified->hFile;
|
---|
608 | if (hFile != -1)
|
---|
609 | hFileOpened = -1;
|
---|
610 | else
|
---|
611 | {
|
---|
612 | rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
|
---|
613 | if (RT_FAILURE(rc))
|
---|
614 | return rc;
|
---|
615 | hFile = hFileOpened;
|
---|
616 | }
|
---|
617 |
|
---|
618 | /*
|
---|
619 | * Verify the signature.
|
---|
620 | */
|
---|
621 | char szErr[1024];
|
---|
622 | RTERRINFO ErrInfo;
|
---|
623 | RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
|
---|
624 |
|
---|
625 | uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
|
---|
626 | if (pFile->enmType == kSupIFT_Rc)
|
---|
627 | fFlags |= SUPHNTVI_F_RC_IMAGE;
|
---|
628 |
|
---|
629 | rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
|
---|
630 | if (RT_SUCCESS(rc))
|
---|
631 | pVerified->fCheckedSignature = true;
|
---|
632 | else
|
---|
633 | {
|
---|
634 | pVerified->fCheckedSignature = false;
|
---|
635 | rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
|
---|
636 | pFile->pszFile, rc, szErr);
|
---|
637 |
|
---|
638 | }
|
---|
639 |
|
---|
640 | /*
|
---|
641 | * Close the handle if we opened the file and we should close it.
|
---|
642 | */
|
---|
643 | if (hFileOpened != -1)
|
---|
644 | {
|
---|
645 | if (fLeaveFileOpen && RT_SUCCESS(rc))
|
---|
646 | pVerified->hFile = hFileOpened;
|
---|
647 | else
|
---|
648 | NtClose((HANDLE)hFileOpened);
|
---|
649 | }
|
---|
650 |
|
---|
651 | return rc;
|
---|
652 |
|
---|
653 | # else /* Not checking signatures. */
|
---|
654 | RT_NOREF4(pFile, pVerified, fFatal, fLeaveFileOpen);
|
---|
655 | return VINF_SUCCESS;
|
---|
656 | # endif /* Not checking signatures. */
|
---|
657 | }
|
---|
658 | #endif
|
---|
659 |
|
---|
660 |
|
---|
661 | /**
|
---|
662 | * Verifies a file entry.
|
---|
663 | *
|
---|
664 | * @returns VINF_SUCCESS on success. On failure, an error code is returned if
|
---|
665 | * fFatal is clear and if it's set the function wont return.
|
---|
666 | *
|
---|
667 | * @param iFile The file table index of the file to be verified.
|
---|
668 | * @param fFatal Whether validation failures should be treated as
|
---|
669 | * fatal (true) or not (false).
|
---|
670 | * @param fLeaveFileOpen Whether the file should be left open.
|
---|
671 | * @param fVerifyAll Set if this is an verify all call and we will
|
---|
672 | * postpone signature checking.
|
---|
673 | */
|
---|
674 | static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
|
---|
675 | {
|
---|
676 | #ifndef RT_OS_WINDOWS
|
---|
677 | RT_NOREF1(fVerifyAll);
|
---|
678 | #endif
|
---|
679 | PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
|
---|
680 | PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
|
---|
681 |
|
---|
682 | /*
|
---|
683 | * Already done validation? Do signature validation if we haven't yet.
|
---|
684 | */
|
---|
685 | if (pVerified->fValidated)
|
---|
686 | {
|
---|
687 | /** @todo revalidate? Check that the file hasn't been replace or similar. */
|
---|
688 | #ifdef RT_OS_WINDOWS
|
---|
689 | if (!pVerified->fCheckedSignature && !fVerifyAll)
|
---|
690 | return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
|
---|
691 | #endif
|
---|
692 | return VINF_SUCCESS;
|
---|
693 | }
|
---|
694 |
|
---|
695 |
|
---|
696 | /* initialize the entry. */
|
---|
697 | if (pVerified->hFile != 0)
|
---|
698 | supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
699 | "supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
|
---|
700 | (void *)pVerified->hFile, pFile->pszFile);
|
---|
701 | pVerified->hFile = -1;
|
---|
702 | pVerified->fValidated = false;
|
---|
703 | #ifdef RT_OS_WINDOWS
|
---|
704 | pVerified->fCheckedSignature = false;
|
---|
705 | #endif
|
---|
706 |
|
---|
707 | /*
|
---|
708 | * Verify the directory then proceed to open it.
|
---|
709 | * (This'll make sure the directory is opened and that we can (later)
|
---|
710 | * use openat if we wish.)
|
---|
711 | */
|
---|
712 | int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal, pFile);
|
---|
713 | if (RT_SUCCESS(rc))
|
---|
714 | {
|
---|
715 | #if defined(RT_OS_WINDOWS)
|
---|
716 | rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
|
---|
717 | if (RT_SUCCESS(rc))
|
---|
718 | {
|
---|
719 | if (!fVerifyAll)
|
---|
720 | rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
|
---|
721 | if (RT_SUCCESS(rc))
|
---|
722 | {
|
---|
723 | pVerified->fValidated = true;
|
---|
724 | if (!fLeaveFileOpen)
|
---|
725 | {
|
---|
726 | NtClose((HANDLE)pVerified->hFile);
|
---|
727 | pVerified->hFile = -1;
|
---|
728 | }
|
---|
729 | }
|
---|
730 | }
|
---|
731 | #else /* !RT_OS_WINDOWS */
|
---|
732 | char szPath[RTPATH_MAX];
|
---|
733 | rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
|
---|
734 | if (RT_SUCCESS(rc))
|
---|
735 | {
|
---|
736 | int fd = open(szPath, O_RDONLY, 0);
|
---|
737 | if (fd >= 0)
|
---|
738 | {
|
---|
739 | /*
|
---|
740 | * On unixy systems we'll make sure the file is owned by root
|
---|
741 | * and not writable by the group and user.
|
---|
742 | */
|
---|
743 | struct stat st;
|
---|
744 | if (!fstat(fd, &st))
|
---|
745 | {
|
---|
746 | if ( st.st_uid == 0
|
---|
747 | && !(st.st_mode & (S_IWGRP | S_IWOTH))
|
---|
748 | && S_ISREG(st.st_mode))
|
---|
749 | {
|
---|
750 | /* it's valid. */
|
---|
751 | if (fLeaveFileOpen)
|
---|
752 | pVerified->hFile = fd;
|
---|
753 | else
|
---|
754 | close(fd);
|
---|
755 | pVerified->fValidated = true;
|
---|
756 | }
|
---|
757 | else
|
---|
758 | {
|
---|
759 | if (!S_ISREG(st.st_mode))
|
---|
760 | rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
|
---|
761 | "supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
|
---|
762 | szPath, (long)st.st_uid);
|
---|
763 | else if (st.st_uid)
|
---|
764 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
765 | "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
|
---|
766 | szPath, (long)st.st_uid);
|
---|
767 | else
|
---|
768 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
769 | "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
|
---|
770 | szPath, (long)st.st_mode);
|
---|
771 | close(fd);
|
---|
772 | }
|
---|
773 | }
|
---|
774 | else
|
---|
775 | {
|
---|
776 | int err = errno;
|
---|
777 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
778 | "supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
|
---|
779 | szPath, strerror(err), err);
|
---|
780 | close(fd);
|
---|
781 | }
|
---|
782 | }
|
---|
783 | else
|
---|
784 | {
|
---|
785 | int err = errno;
|
---|
786 | if (!pFile->fOptional || err != ENOENT)
|
---|
787 | rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
|
---|
788 | "supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
|
---|
789 | szPath, strerror(err), err);
|
---|
790 | }
|
---|
791 | }
|
---|
792 | #endif /* !RT_OS_WINDOWS */
|
---|
793 | }
|
---|
794 |
|
---|
795 | return rc;
|
---|
796 | }
|
---|
797 |
|
---|
798 |
|
---|
799 | /**
|
---|
800 | * Verifies that the specified table entry matches the given filename.
|
---|
801 | *
|
---|
802 | * @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
|
---|
803 | * error is returned or we terminate the application.
|
---|
804 | *
|
---|
805 | * @param iFile The file table index.
|
---|
806 | * @param pszFilename The filename.
|
---|
807 | * @param fFatal Whether validation failures should be treated as
|
---|
808 | * fatal (true) or not (false).
|
---|
809 | */
|
---|
810 | static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
|
---|
811 | {
|
---|
812 | PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
|
---|
813 |
|
---|
814 | /*
|
---|
815 | * Construct the full path for the file table entry
|
---|
816 | * and compare it with the specified file.
|
---|
817 | */
|
---|
818 | char szName[RTPATH_MAX];
|
---|
819 | int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
|
---|
820 | if (RT_FAILURE(rc))
|
---|
821 | return rc;
|
---|
822 | if (SUP_COMP_FILENAME(szName, pszFilename))
|
---|
823 | {
|
---|
824 | /*
|
---|
825 | * Normalize the two paths and compare again.
|
---|
826 | */
|
---|
827 | rc = VERR_NOT_SAME_DEVICE;
|
---|
828 | #if defined(RT_OS_WINDOWS)
|
---|
829 | LPSTR pszIgnored;
|
---|
830 | char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
|
---|
831 | if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
|
---|
832 | && GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
|
---|
833 | if (!SUP_COMP_FILENAME(szName2, szName))
|
---|
834 | rc = VINF_SUCCESS;
|
---|
835 | #else
|
---|
836 | AssertCompile(RTPATH_MAX >= PATH_MAX);
|
---|
837 | char szName2[RTPATH_MAX];
|
---|
838 | if ( realpath(szName, szName2) != NULL
|
---|
839 | && realpath(pszFilename, szName) != NULL)
|
---|
840 | if (!SUP_COMP_FILENAME(szName2, szName))
|
---|
841 | rc = VINF_SUCCESS;
|
---|
842 | #endif
|
---|
843 |
|
---|
844 | if (RT_FAILURE(rc))
|
---|
845 | {
|
---|
846 | supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
|
---|
847 | return supR3HardenedError(rc, fFatal,
|
---|
848 | "supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
|
---|
849 | pszFilename, szName);
|
---|
850 | }
|
---|
851 | }
|
---|
852 |
|
---|
853 | /*
|
---|
854 | * Check more stuff like the stat info if it's an already open file?
|
---|
855 | */
|
---|
856 |
|
---|
857 |
|
---|
858 |
|
---|
859 | return VINF_SUCCESS;
|
---|
860 | }
|
---|
861 |
|
---|
862 |
|
---|
863 | /**
|
---|
864 | * Verifies a file.
|
---|
865 | *
|
---|
866 | * @returns VINF_SUCCESS on success.
|
---|
867 | * VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
|
---|
868 | * On verification failure, an error code will be returned when fFatal is clear,
|
---|
869 | * otherwise the program will be terminated.
|
---|
870 | *
|
---|
871 | * @param pszFilename The filename.
|
---|
872 | * @param fFatal Whether validation failures should be treated as
|
---|
873 | * fatal (true) or not (false).
|
---|
874 | */
|
---|
875 | DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
|
---|
876 | {
|
---|
877 | /*
|
---|
878 | * Lookup the file and check if it's the same file.
|
---|
879 | */
|
---|
880 | const char *pszName = supR3HardenedPathFilename(pszFilename);
|
---|
881 | for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
|
---|
882 | if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
|
---|
883 | {
|
---|
884 | int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
|
---|
885 | if (RT_SUCCESS(rc))
|
---|
886 | rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen */, false /* fVerifyAll */);
|
---|
887 | return rc;
|
---|
888 | }
|
---|
889 |
|
---|
890 | return VERR_NOT_FOUND;
|
---|
891 | }
|
---|
892 |
|
---|
893 |
|
---|
894 | /**
|
---|
895 | * Verifies a program, worker for supR3HardenedVerifyAll.
|
---|
896 | *
|
---|
897 | * @returns See supR3HardenedVerifyAll.
|
---|
898 | * @param pszProgName See supR3HardenedVerifyAll.
|
---|
899 | * @param pszExePath The path to the executable.
|
---|
900 | * @param fFatal See supR3HardenedVerifyAll.
|
---|
901 | * @param fLeaveOpen The leave open setting used by
|
---|
902 | * supR3HardenedVerifyAll.
|
---|
903 | * @param fMainFlags Flags supplied to SUPR3HardenedMain.
|
---|
904 | */
|
---|
905 | static int supR3HardenedVerifyProgram(const char *pszProgName, const char *pszExePath, bool fFatal,
|
---|
906 | bool fLeaveOpen, uint32_t fMainFlags)
|
---|
907 | {
|
---|
908 | /*
|
---|
909 | * Search the table looking for the executable and the DLL/DYLIB/SO.
|
---|
910 | * Note! On darwin we have a hack in place for VirtualBoxVM helper app
|
---|
911 | * to share VirtualBox.dylib with the VirtualBox app. This ASSUMES
|
---|
912 | * that cchProgNameDll is equal or shorter to the exe name.
|
---|
913 | */
|
---|
914 | int rc = VINF_SUCCESS;
|
---|
915 | bool fExe = false;
|
---|
916 | bool fDll = false;
|
---|
917 | size_t const cchProgNameExe = suplibHardenedStrLen(pszProgName);
|
---|
918 | #ifndef RT_OS_DARWIN
|
---|
919 | size_t const cchProgNameDll = cchProgNameExe;
|
---|
920 | NOREF(fMainFlags);
|
---|
921 | #else
|
---|
922 | size_t const cchProgNameDll = fMainFlags & SUPSECMAIN_FLAGS_OSX_VM_APP
|
---|
923 | ? sizeof("VirtualBox") - 1
|
---|
924 | : cchProgNameExe;
|
---|
925 | if (cchProgNameDll > cchProgNameExe)
|
---|
926 | return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
927 | "supR3HardenedVerifyProgram: SUPSECMAIN_FLAGS_OSX_VM_APP + '%s'", pszProgName);
|
---|
928 | #endif
|
---|
929 | for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
|
---|
930 | if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameDll))
|
---|
931 | {
|
---|
932 | if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
|
---|
933 | || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
|
---|
934 | && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameDll], SUPLIB_DLL_SUFF))
|
---|
935 | {
|
---|
936 | /* This only has to be found (once). */
|
---|
937 | if (fDll)
|
---|
938 | rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
939 | "supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
|
---|
940 | else
|
---|
941 | rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
|
---|
942 | true /* fVerifyAll - check sign later, only final process need check it on load. */);
|
---|
943 | fDll = true;
|
---|
944 | }
|
---|
945 | else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
|
---|
946 | || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
|
---|
947 | && ( cchProgNameExe == cchProgNameDll
|
---|
948 | || !suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameExe))
|
---|
949 | && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameExe], SUPLIB_EXE_SUFF))
|
---|
950 | {
|
---|
951 | /* Here we'll have to check that the specific program is the same as the entry. */
|
---|
952 | if (fExe)
|
---|
953 | rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
954 | "supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
|
---|
955 | else
|
---|
956 | rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
|
---|
957 | fExe = true;
|
---|
958 |
|
---|
959 | supR3HardenedVerifySameFile(iFile, pszExePath, fFatal);
|
---|
960 | }
|
---|
961 | }
|
---|
962 |
|
---|
963 | /*
|
---|
964 | * Check the findings.
|
---|
965 | */
|
---|
966 | if (RT_SUCCESS(rc))
|
---|
967 | {
|
---|
968 | if (!fDll && !fExe)
|
---|
969 | rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
|
---|
970 | "supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
|
---|
971 | else if (!fExe)
|
---|
972 | rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
|
---|
973 | "supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
|
---|
974 | else if (!fDll)
|
---|
975 | rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
|
---|
976 | "supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
|
---|
977 | }
|
---|
978 | return rc;
|
---|
979 | }
|
---|
980 |
|
---|
981 |
|
---|
982 | /**
|
---|
983 | * Verifies all the known files (called from SUPR3HardenedMain).
|
---|
984 | *
|
---|
985 | * @returns VINF_SUCCESS on success.
|
---|
986 | * On verification failure, an error code will be returned when fFatal is clear,
|
---|
987 | * otherwise the program will be terminated.
|
---|
988 | *
|
---|
989 | * @param fFatal Whether validation failures should be treated as
|
---|
990 | * fatal (true) or not (false).
|
---|
991 | * @param pszProgName The program name. This is used to verify that
|
---|
992 | * both the executable and corresponding
|
---|
993 | * DLL/DYLIB/SO are valid.
|
---|
994 | * @param pszExePath The path to the executable.
|
---|
995 | * @param fMainFlags Flags supplied to SUPR3HardenedMain.
|
---|
996 | */
|
---|
997 | DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char *pszProgName, const char *pszExePath, uint32_t fMainFlags)
|
---|
998 | {
|
---|
999 | /*
|
---|
1000 | * On windows
|
---|
1001 | */
|
---|
1002 | #if defined(RT_OS_WINDOWS)
|
---|
1003 | bool fLeaveOpen = true;
|
---|
1004 | #else
|
---|
1005 | bool fLeaveOpen = false;
|
---|
1006 | #endif
|
---|
1007 |
|
---|
1008 | /*
|
---|
1009 | * The verify all the files.
|
---|
1010 | */
|
---|
1011 | int rc = VINF_SUCCESS;
|
---|
1012 | for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
|
---|
1013 | {
|
---|
1014 | int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
|
---|
1015 | if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
|
---|
1016 | rc = rc2;
|
---|
1017 | }
|
---|
1018 |
|
---|
1019 | /*
|
---|
1020 | * Verify the program name, that is to say, check that it's in the table
|
---|
1021 | * (thus verified above) and verify the signature on platforms where we
|
---|
1022 | * sign things.
|
---|
1023 | */
|
---|
1024 | int rc2 = supR3HardenedVerifyProgram(pszProgName, pszExePath, fFatal, fLeaveOpen, fMainFlags);
|
---|
1025 | if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
|
---|
1026 | rc2 = rc;
|
---|
1027 |
|
---|
1028 | return rc;
|
---|
1029 | }
|
---|
1030 |
|
---|
1031 |
|
---|
1032 | /**
|
---|
1033 | * Copies the N messages into the error buffer and returns @a rc.
|
---|
1034 | *
|
---|
1035 | * @returns Returns @a rc
|
---|
1036 | * @param rc The return code.
|
---|
1037 | * @param pErrInfo The error info structure.
|
---|
1038 | * @param cMsgs The number of messages in the ellipsis.
|
---|
1039 | * @param ... Message parts.
|
---|
1040 | */
|
---|
1041 | static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
|
---|
1042 | {
|
---|
1043 | if (pErrInfo)
|
---|
1044 | {
|
---|
1045 | size_t cbErr = pErrInfo->cbMsg;
|
---|
1046 | char *pszErr = pErrInfo->pszMsg;
|
---|
1047 |
|
---|
1048 | va_list va;
|
---|
1049 | va_start(va, cMsgs);
|
---|
1050 | while (cMsgs-- > 0 && cbErr > 0)
|
---|
1051 | {
|
---|
1052 | const char *pszMsg = va_arg(va, const char *);
|
---|
1053 | size_t cchMsg = RT_VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
|
---|
1054 | if (cchMsg >= cbErr)
|
---|
1055 | cchMsg = cbErr - 1;
|
---|
1056 | suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
|
---|
1057 | pszErr[cchMsg] = '\0';
|
---|
1058 | pszErr += cchMsg;
|
---|
1059 | cbErr -= cchMsg;
|
---|
1060 | }
|
---|
1061 | va_end(va);
|
---|
1062 |
|
---|
1063 | pErrInfo->rc = rc;
|
---|
1064 | pErrInfo->fFlags |= RTERRINFO_FLAGS_SET;
|
---|
1065 | }
|
---|
1066 |
|
---|
1067 | return rc;
|
---|
1068 | }
|
---|
1069 |
|
---|
1070 |
|
---|
1071 | #if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
|
---|
1072 | /**
|
---|
1073 | * Copies the four messages into the error buffer and returns @a rc.
|
---|
1074 | *
|
---|
1075 | * @returns Returns @a rc
|
---|
1076 | * @param rc The return code.
|
---|
1077 | * @param pErrInfo The error info structure.
|
---|
1078 | * @param pszMsg1 The first message part.
|
---|
1079 | * @param pszMsg2 The second message part.
|
---|
1080 | * @param pszMsg3 The third message part.
|
---|
1081 | * @param pszMsg4 The fourth message part.
|
---|
1082 | */
|
---|
1083 | static int supR3HardenedSetError4(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
|
---|
1084 | const char *pszMsg2, const char *pszMsg3, const char *pszMsg4)
|
---|
1085 | {
|
---|
1086 | return supR3HardenedSetErrorN(rc, pErrInfo, 4, pszMsg1, pszMsg2, pszMsg3, pszMsg4);
|
---|
1087 | }
|
---|
1088 | #endif
|
---|
1089 |
|
---|
1090 |
|
---|
1091 | /**
|
---|
1092 | * Copies the three messages into the error buffer and returns @a rc.
|
---|
1093 | *
|
---|
1094 | * @returns Returns @a rc
|
---|
1095 | * @param rc The return code.
|
---|
1096 | * @param pErrInfo The error info structure.
|
---|
1097 | * @param pszMsg1 The first message part.
|
---|
1098 | * @param pszMsg2 The second message part.
|
---|
1099 | * @param pszMsg3 The third message part.
|
---|
1100 | */
|
---|
1101 | static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
|
---|
1102 | const char *pszMsg2, const char *pszMsg3)
|
---|
1103 | {
|
---|
1104 | return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
|
---|
1105 | }
|
---|
1106 |
|
---|
1107 |
|
---|
1108 | #ifdef SOME_UNUSED_FUNCTION
|
---|
1109 | /**
|
---|
1110 | * Copies the two messages into the error buffer and returns @a rc.
|
---|
1111 | *
|
---|
1112 | * @returns Returns @a rc
|
---|
1113 | * @param rc The return code.
|
---|
1114 | * @param pErrInfo The error info structure.
|
---|
1115 | * @param pszMsg1 The first message part.
|
---|
1116 | * @param pszMsg2 The second message part.
|
---|
1117 | */
|
---|
1118 | static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
|
---|
1119 | const char *pszMsg2)
|
---|
1120 | {
|
---|
1121 | return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
|
---|
1122 | }
|
---|
1123 | #endif
|
---|
1124 |
|
---|
1125 |
|
---|
1126 | #ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
|
---|
1127 | # if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
|
---|
1128 | /**
|
---|
1129 | * Copies the error message to the error buffer and returns @a rc.
|
---|
1130 | *
|
---|
1131 | * @returns Returns @a rc
|
---|
1132 | * @param rc The return code.
|
---|
1133 | * @param pErrInfo The error info structure.
|
---|
1134 | * @param pszMsg The message.
|
---|
1135 | */
|
---|
1136 | static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
|
---|
1137 | {
|
---|
1138 | return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
|
---|
1139 | }
|
---|
1140 | # endif
|
---|
1141 | #endif
|
---|
1142 |
|
---|
1143 |
|
---|
1144 | /**
|
---|
1145 | * Output from a successfull supR3HardenedVerifyPathSanity call.
|
---|
1146 | */
|
---|
1147 | typedef struct SUPR3HARDENEDPATHINFO
|
---|
1148 | {
|
---|
1149 | /** The length of the path in szCopy. */
|
---|
1150 | uint16_t cch;
|
---|
1151 | /** The number of path components. */
|
---|
1152 | uint16_t cComponents;
|
---|
1153 | /** Set if the path ends with slash, indicating that it's a directory
|
---|
1154 | * reference and not a file reference. The slash has been removed from
|
---|
1155 | * the copy. */
|
---|
1156 | bool fDirSlash;
|
---|
1157 | /** The offset where each path component starts, i.e. the char after the
|
---|
1158 | * slash. The array has cComponents + 1 entries, where the final one is
|
---|
1159 | * cch + 1 so that one can always terminate the current component by
|
---|
1160 | * szPath[aoffComponent[i] - 1] = '\0'. */
|
---|
1161 | uint16_t aoffComponents[32+1];
|
---|
1162 | /** A normalized copy of the path.
|
---|
1163 | * Reserve some extra space so we can be more relaxed about overflow
|
---|
1164 | * checks and terminator paddings, especially when recursing. */
|
---|
1165 | char szPath[SUPR3HARDENED_MAX_PATH * 2];
|
---|
1166 | } SUPR3HARDENEDPATHINFO;
|
---|
1167 | /** Pointer to a parsed path. */
|
---|
1168 | typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
|
---|
1169 |
|
---|
1170 |
|
---|
1171 | /**
|
---|
1172 | * Verifies that the path is absolutely sane, it also parses the path.
|
---|
1173 | *
|
---|
1174 | * A sane path starts at the root (w/ drive letter on DOS derived systems) and
|
---|
1175 | * does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
|
---|
1176 | * Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
|
---|
1177 | * paths are not supported.
|
---|
1178 | *
|
---|
1179 | * @returns VBox status code.
|
---|
1180 | * @param pszPath The path to check.
|
---|
1181 | * @param pErrInfo The error info structure.
|
---|
1182 | * @param pInfo Where to return a copy of the path along with
|
---|
1183 | * parsing information.
|
---|
1184 | */
|
---|
1185 | static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
|
---|
1186 | {
|
---|
1187 | const char *pszSrc = pszPath;
|
---|
1188 | char *pszDst = pInfo->szPath;
|
---|
1189 |
|
---|
1190 | /*
|
---|
1191 | * Check that it's an absolute path and copy the volume/root specifier.
|
---|
1192 | */
|
---|
1193 | #if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
|
---|
1194 | if ( !RT_C_IS_ALPHA(pszSrc[0])
|
---|
1195 | || pszSrc[1] != ':'
|
---|
1196 | || !RTPATH_IS_SLASH(pszSrc[2]))
|
---|
1197 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
|
---|
1198 |
|
---|
1199 | *pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
|
---|
1200 | *pszDst++ = ':';
|
---|
1201 | *pszDst++ = RTPATH_SLASH;
|
---|
1202 | pszSrc += 3;
|
---|
1203 |
|
---|
1204 | #else
|
---|
1205 | if (!RTPATH_IS_SLASH(pszSrc[0]))
|
---|
1206 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
|
---|
1207 |
|
---|
1208 | *pszDst++ = RTPATH_SLASH;
|
---|
1209 | pszSrc += 1;
|
---|
1210 | #endif
|
---|
1211 |
|
---|
1212 | /*
|
---|
1213 | * No path specifying the root or something very shortly thereafter will
|
---|
1214 | * be approved of.
|
---|
1215 | */
|
---|
1216 | if (pszSrc[0] == '\0')
|
---|
1217 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
|
---|
1218 | if ( pszSrc[1] == '\0'
|
---|
1219 | || pszSrc[2] == '\0')
|
---|
1220 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
|
---|
1221 |
|
---|
1222 | #if RTPATH_STYLE == RTPATH_STR_F_STYLE_UNIX
|
---|
1223 | /*
|
---|
1224 | * Skip double slashes.
|
---|
1225 | */
|
---|
1226 | while (RTPATH_IS_SLASH(*pszSrc))
|
---|
1227 | pszSrc++;
|
---|
1228 | #else
|
---|
1229 | /*
|
---|
1230 | * The root slash should be alone to avoid UNC confusion.
|
---|
1231 | */
|
---|
1232 | if (RTPATH_IS_SLASH(pszSrc[0]))
|
---|
1233 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
|
---|
1234 | "The path is not clean of leading double slashes: '", pszPath, "'");
|
---|
1235 | #endif
|
---|
1236 | /*
|
---|
1237 | * Check each component. No parent references.
|
---|
1238 | */
|
---|
1239 | pInfo->cComponents = 0;
|
---|
1240 | pInfo->fDirSlash = false;
|
---|
1241 | while (pszSrc[0])
|
---|
1242 | {
|
---|
1243 | /* Sanity checks. */
|
---|
1244 | if ( pszSrc[0] == '.'
|
---|
1245 | && pszSrc[1] == '.'
|
---|
1246 | && RTPATH_IS_SLASH(pszSrc[2]))
|
---|
1247 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
|
---|
1248 | "The path is not absolute: '", pszPath, "'");
|
---|
1249 |
|
---|
1250 | /* Record the start of the component. */
|
---|
1251 | if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
|
---|
1252 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
|
---|
1253 | "The path has too many components: '", pszPath, "'");
|
---|
1254 | pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
|
---|
1255 |
|
---|
1256 | /* Traverse to the end of the component, copying it as we go along. */
|
---|
1257 | while (pszSrc[0])
|
---|
1258 | {
|
---|
1259 | if (RTPATH_IS_SLASH(pszSrc[0]))
|
---|
1260 | {
|
---|
1261 | pszSrc++;
|
---|
1262 | if (*pszSrc)
|
---|
1263 | *pszDst++ = RTPATH_SLASH;
|
---|
1264 | else
|
---|
1265 | pInfo->fDirSlash = true;
|
---|
1266 | break;
|
---|
1267 | }
|
---|
1268 | *pszDst++ = *pszSrc++;
|
---|
1269 | if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
|
---|
1270 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
|
---|
1271 | "The path is too long: '", pszPath, "'");
|
---|
1272 | }
|
---|
1273 |
|
---|
1274 | /* Skip double slashes. */
|
---|
1275 | while (RTPATH_IS_SLASH(*pszSrc))
|
---|
1276 | pszSrc++;
|
---|
1277 | }
|
---|
1278 |
|
---|
1279 | /* Terminate the string and enter its length. */
|
---|
1280 | pszDst[0] = '\0';
|
---|
1281 | pszDst[1] = '\0'; /* for aoffComponents */
|
---|
1282 | pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
|
---|
1283 | pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
|
---|
1284 |
|
---|
1285 | return VINF_SUCCESS;
|
---|
1286 | }
|
---|
1287 |
|
---|
1288 |
|
---|
1289 | /**
|
---|
1290 | * The state information collected by supR3HardenedVerifyFsObject.
|
---|
1291 | *
|
---|
1292 | * This can be used to verify that a directory we've opened for enumeration is
|
---|
1293 | * the same as the one that supR3HardenedVerifyFsObject just verified. It can
|
---|
1294 | * equally be used to verify a native specfied by the user.
|
---|
1295 | */
|
---|
1296 | typedef struct SUPR3HARDENEDFSOBJSTATE
|
---|
1297 | {
|
---|
1298 | #ifdef RT_OS_WINDOWS
|
---|
1299 | /** Not implemented for windows yet. */
|
---|
1300 | char chTodo;
|
---|
1301 | #else
|
---|
1302 | /** The stat output. */
|
---|
1303 | struct stat Stat;
|
---|
1304 | #endif
|
---|
1305 | } SUPR3HARDENEDFSOBJSTATE;
|
---|
1306 | /** Pointer to a file system object state. */
|
---|
1307 | typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
|
---|
1308 | /** Pointer to a const file system object state. */
|
---|
1309 | typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
|
---|
1310 |
|
---|
1311 |
|
---|
1312 | /**
|
---|
1313 | * Query information about a file system object by path.
|
---|
1314 | *
|
---|
1315 | * @returns VBox status code, error buffer filled on failure.
|
---|
1316 | * @param pszPath The path to the object.
|
---|
1317 | * @param pFsObjState Where to return the state information.
|
---|
1318 | * @param pErrInfo The error info structure.
|
---|
1319 | */
|
---|
1320 | static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
|
---|
1321 | {
|
---|
1322 | #if defined(RT_OS_WINDOWS)
|
---|
1323 | /** @todo Windows hardening. */
|
---|
1324 | pFsObjState->chTodo = 0;
|
---|
1325 | RT_NOREF2(pszPath, pErrInfo);
|
---|
1326 | return VINF_SUCCESS;
|
---|
1327 |
|
---|
1328 | #else
|
---|
1329 | /*
|
---|
1330 | * Stat the object, do not follow links.
|
---|
1331 | */
|
---|
1332 | if (lstat(pszPath, &pFsObjState->Stat) != 0)
|
---|
1333 | {
|
---|
1334 | /* Ignore access errors */
|
---|
1335 | if (errno != EACCES)
|
---|
1336 | return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
|
---|
1337 | 5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
|
---|
1338 | }
|
---|
1339 |
|
---|
1340 | /*
|
---|
1341 | * Read ACLs.
|
---|
1342 | */
|
---|
1343 | /** @todo */
|
---|
1344 |
|
---|
1345 | return VINF_SUCCESS;
|
---|
1346 | #endif
|
---|
1347 | }
|
---|
1348 |
|
---|
1349 |
|
---|
1350 | /**
|
---|
1351 | * Query information about a file system object by native handle.
|
---|
1352 | *
|
---|
1353 | * @returns VBox status code, error buffer filled on failure.
|
---|
1354 | * @param hNative The native handle to the object @a pszPath
|
---|
1355 | * specifies and this should be verified to be the
|
---|
1356 | * same file system object.
|
---|
1357 | * @param pFsObjState Where to return the state information.
|
---|
1358 | * @param pszPath The path to the object. (For the error message
|
---|
1359 | * only.)
|
---|
1360 | * @param pErrInfo The error info structure.
|
---|
1361 | */
|
---|
1362 | static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
|
---|
1363 | char const *pszPath, PRTERRINFO pErrInfo)
|
---|
1364 | {
|
---|
1365 | #if defined(RT_OS_WINDOWS)
|
---|
1366 | /** @todo Windows hardening. */
|
---|
1367 | pFsObjState->chTodo = 0;
|
---|
1368 | RT_NOREF3(hNative, pszPath, pErrInfo);
|
---|
1369 | return VINF_SUCCESS;
|
---|
1370 |
|
---|
1371 | #else
|
---|
1372 | /*
|
---|
1373 | * Stat the object, do not follow links.
|
---|
1374 | */
|
---|
1375 | if (fstat((int)hNative, &pFsObjState->Stat) != 0)
|
---|
1376 | return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
|
---|
1377 | 5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
|
---|
1378 |
|
---|
1379 | /*
|
---|
1380 | * Read ACLs.
|
---|
1381 | */
|
---|
1382 | /** @todo */
|
---|
1383 |
|
---|
1384 | return VINF_SUCCESS;
|
---|
1385 | #endif
|
---|
1386 | }
|
---|
1387 |
|
---|
1388 |
|
---|
1389 | /**
|
---|
1390 | * Verifies that the file system object indicated by the native handle is the
|
---|
1391 | * same as the one @a pFsObjState indicates.
|
---|
1392 | *
|
---|
1393 | * @returns VBox status code, error buffer filled on failure.
|
---|
1394 | * @param pFsObjState1 File system object information/state by path.
|
---|
1395 | * @param pFsObjState2 File system object information/state by handle.
|
---|
1396 | * @param pszPath The path to the object @a pFsObjState
|
---|
1397 | * describes. (For the error message.)
|
---|
1398 | * @param pErrInfo The error info structure.
|
---|
1399 | */
|
---|
1400 | static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
|
---|
1401 | const char *pszPath, PRTERRINFO pErrInfo)
|
---|
1402 | {
|
---|
1403 | #if defined(RT_OS_WINDOWS)
|
---|
1404 | /** @todo Windows hardening. */
|
---|
1405 | RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
|
---|
1406 | return VINF_SUCCESS;
|
---|
1407 |
|
---|
1408 | #elif defined(RT_OS_OS2)
|
---|
1409 | RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
|
---|
1410 | return VINF_SUCCESS;
|
---|
1411 |
|
---|
1412 | #else
|
---|
1413 | /*
|
---|
1414 | * Compare the ino+dev, then the uid+gid and finally the important mode
|
---|
1415 | * bits. Technically the first one should be enough, but we're paranoid.
|
---|
1416 | */
|
---|
1417 | if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
|
---|
1418 | || pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
|
---|
1419 | return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
|
---|
1420 | "The native handle is not the same as '", pszPath, "' (ino/dev)");
|
---|
1421 | if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
|
---|
1422 | || pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
|
---|
1423 | return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
|
---|
1424 | "The native handle is not the same as '", pszPath, "' (uid/gid)");
|
---|
1425 | if ( (pFsObjState1->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH))
|
---|
1426 | != (pFsObjState2->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH)))
|
---|
1427 | return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
|
---|
1428 | "The native handle is not the same as '", pszPath, "' (mode)");
|
---|
1429 | return VINF_SUCCESS;
|
---|
1430 | #endif
|
---|
1431 | }
|
---|
1432 |
|
---|
1433 |
|
---|
1434 | /**
|
---|
1435 | * Verifies a file system object (file or directory).
|
---|
1436 | *
|
---|
1437 | * @returns VBox status code, error buffer filled on failure.
|
---|
1438 | * @param pFsObjState The file system object information/state to be
|
---|
1439 | * verified.
|
---|
1440 | * @param fDir Whether this is a directory or a file.
|
---|
1441 | * @param fRelaxed Whether we can be more relaxed about this
|
---|
1442 | * directory (only used for grand parent
|
---|
1443 | * directories).
|
---|
1444 | * @param fSymlinksAllowed Flag whether symlinks are allowed or not.
|
---|
1445 | * If allowed the symlink object is verified not the target.
|
---|
1446 | * @param pszPath The path to the object. For error messages and
|
---|
1447 | * securing a couple of hacks.
|
---|
1448 | * @param pErrInfo The error info structure.
|
---|
1449 | */
|
---|
1450 | static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
|
---|
1451 | bool fSymlinksAllowed, const char *pszPath, PRTERRINFO pErrInfo)
|
---|
1452 | {
|
---|
1453 | #if defined(RT_OS_WINDOWS)
|
---|
1454 | /** @todo Windows hardening. */
|
---|
1455 | RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
|
---|
1456 | return VINF_SUCCESS;
|
---|
1457 |
|
---|
1458 | #elif defined(RT_OS_OS2)
|
---|
1459 | /* No hardening here - it's a single user system. */
|
---|
1460 | RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
|
---|
1461 | return VINF_SUCCESS;
|
---|
1462 |
|
---|
1463 | #else
|
---|
1464 | /*
|
---|
1465 | * The owner must be root.
|
---|
1466 | *
|
---|
1467 | * This can be extended to include predefined system users if necessary.
|
---|
1468 | */
|
---|
1469 | if (pFsObjState->Stat.st_uid != 0)
|
---|
1470 | return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
|
---|
1471 |
|
---|
1472 | /*
|
---|
1473 | * The object type must be directory or file. It can be a symbolic link
|
---|
1474 | * if explicitely allowed. Otherwise this and other risky stuff is not allowed
|
---|
1475 | * (sorry dude, but we're paranoid on purpose here).
|
---|
1476 | */
|
---|
1477 | if ( !S_ISLNK(pFsObjState->Stat.st_mode)
|
---|
1478 | || !fSymlinksAllowed)
|
---|
1479 | {
|
---|
1480 |
|
---|
1481 | if ( !S_ISDIR(pFsObjState->Stat.st_mode)
|
---|
1482 | && !S_ISREG(pFsObjState->Stat.st_mode))
|
---|
1483 | {
|
---|
1484 | if (S_ISLNK(pFsObjState->Stat.st_mode))
|
---|
1485 | return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
|
---|
1486 | "Symlinks are not permitted: '", pszPath, "'");
|
---|
1487 | return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
|
---|
1488 | "Not regular file or directory: '", pszPath, "'");
|
---|
1489 | }
|
---|
1490 | if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
|
---|
1491 | {
|
---|
1492 | if (S_ISDIR(pFsObjState->Stat.st_mode))
|
---|
1493 | return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
|
---|
1494 | "Expected file but found directory: '", pszPath, "'");
|
---|
1495 | return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
|
---|
1496 | "Expected directory but found file: '", pszPath, "'");
|
---|
1497 | }
|
---|
1498 | }
|
---|
1499 |
|
---|
1500 | /*
|
---|
1501 | * The group does not matter if it does not have write access, if it has
|
---|
1502 | * write access it must be group 0 (root/wheel/whatever).
|
---|
1503 | *
|
---|
1504 | * This can be extended to include predefined system groups or groups that
|
---|
1505 | * only root is member of.
|
---|
1506 | */
|
---|
1507 | if ( (pFsObjState->Stat.st_mode & S_IWGRP)
|
---|
1508 | && pFsObjState->Stat.st_gid != 0)
|
---|
1509 | {
|
---|
1510 | # ifdef RT_OS_DARWIN
|
---|
1511 | /* HACK ALERT: On Darwin /Applications is root:admin with admin having
|
---|
1512 | full access. So, to work around we relax the hardening a bit and
|
---|
1513 | permit grand parents and beyond to be group writable by admin. */
|
---|
1514 | /** @todo dynamically resolve the admin group? */
|
---|
1515 | bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 80 /*admin*/ || suplibHardenedStrCmp(pszPath, "/Applications");
|
---|
1516 |
|
---|
1517 | # elif defined(RT_OS_FREEBSD)
|
---|
1518 | /* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
|
---|
1519 | similar to /Applications on OS X (see above).
|
---|
1520 | On FreeBSD root is normally the only member of this group, on
|
---|
1521 | PC-BSD the default user is a member. */
|
---|
1522 | /** @todo dynamically resolve the operator group? */
|
---|
1523 | bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 5 /*operator*/ || suplibHardenedStrCmp(pszPath, "/usr/pbi");
|
---|
1524 | NOREF(fRelaxed);
|
---|
1525 | # elif defined(RT_OS_SOLARIS)
|
---|
1526 | /* HACK ALERT: Solaris has group-writable /usr/lib/iconv directory from
|
---|
1527 | which the appropriate module is loaded.
|
---|
1528 | By default only root and daemon are part of that group.
|
---|
1529 | . */
|
---|
1530 | /** @todo dynamically resolve the bin group? */
|
---|
1531 | bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 2 /*bin*/ || suplibHardenedStrCmp(pszPath, "/usr/lib/iconv");
|
---|
1532 | # else
|
---|
1533 | NOREF(fRelaxed);
|
---|
1534 | bool fBad = true;
|
---|
1535 | # endif
|
---|
1536 | if (fBad)
|
---|
1537 | return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
|
---|
1538 | "An unknown (and thus untrusted) group has write access to '", pszPath,
|
---|
1539 | "' and we therefore cannot trust the directory content or that of any subdirectory");
|
---|
1540 | }
|
---|
1541 |
|
---|
1542 | /*
|
---|
1543 | * World must not have write access. There is no relaxing this rule.
|
---|
1544 | * Linux exception: Symbolic links are always give permission 0777, there
|
---|
1545 | * is no lchmod or lchown APIs. The permissions on parent
|
---|
1546 | * directory that contains the symbolic link is what is
|
---|
1547 | * decising wrt to modifying it. (Caller is expected not
|
---|
1548 | * to allow symbolic links in the first path component.)
|
---|
1549 | */
|
---|
1550 | if ( (pFsObjState->Stat.st_mode & S_IWOTH)
|
---|
1551 | # ifdef RT_OS_LINUX
|
---|
1552 | && ( !S_ISLNK(pFsObjState->Stat.st_mode)
|
---|
1553 | || !fSymlinksAllowed /* paranoia */)
|
---|
1554 | # endif
|
---|
1555 | )
|
---|
1556 | return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
|
---|
1557 | "World writable: '", pszPath, "'");
|
---|
1558 |
|
---|
1559 | /*
|
---|
1560 | * Check the ACLs.
|
---|
1561 | */
|
---|
1562 | /** @todo */
|
---|
1563 |
|
---|
1564 | return VINF_SUCCESS;
|
---|
1565 | #endif
|
---|
1566 | }
|
---|
1567 |
|
---|
1568 |
|
---|
1569 | /**
|
---|
1570 | * Verifies that the file system object indicated by the native handle is the
|
---|
1571 | * same as the one @a pFsObjState indicates.
|
---|
1572 | *
|
---|
1573 | * @returns VBox status code, error buffer filled on failure.
|
---|
1574 | * @param hNative The native handle to the object @a pszPath
|
---|
1575 | * specifies and this should be verified to be the
|
---|
1576 | * same file system object.
|
---|
1577 | * @param pFsObjState The information/state returned by a previous
|
---|
1578 | * query call.
|
---|
1579 | * @param pszPath The path to the object @a pFsObjState
|
---|
1580 | * describes. (For the error message.)
|
---|
1581 | * @param pErrInfo The error info structure.
|
---|
1582 | */
|
---|
1583 | static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
|
---|
1584 | const char *pszPath, PRTERRINFO pErrInfo)
|
---|
1585 | {
|
---|
1586 | SUPR3HARDENEDFSOBJSTATE FsObjState2;
|
---|
1587 | int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
|
---|
1588 | if (RT_SUCCESS(rc))
|
---|
1589 | rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
|
---|
1590 | return rc;
|
---|
1591 | }
|
---|
1592 |
|
---|
1593 |
|
---|
1594 | /**
|
---|
1595 | * Does the recursive directory enumeration.
|
---|
1596 | *
|
---|
1597 | * @returns VBox status code, error buffer filled on failure.
|
---|
1598 | * @param pszDirPath The path buffer containing the subdirectory to
|
---|
1599 | * enumerate followed by a slash (this is never
|
---|
1600 | * the root slash). The buffer is RTPATH_MAX in
|
---|
1601 | * size and anything starting at @a cchDirPath
|
---|
1602 | * - 1 and beyond is scratch space.
|
---|
1603 | * @param cchDirPath The length of the directory path + slash.
|
---|
1604 | * @param pFsObjState Pointer to the file system object state buffer.
|
---|
1605 | * On input this will hold the stats for
|
---|
1606 | * the directory @a pszDirPath indicates and will
|
---|
1607 | * be used to verified that we're opening the same
|
---|
1608 | * thing.
|
---|
1609 | * @param fRecursive Whether to recurse into subdirectories.
|
---|
1610 | * @param pErrInfo The error info structure.
|
---|
1611 | */
|
---|
1612 | static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
|
---|
1613 | bool fRecursive, PRTERRINFO pErrInfo)
|
---|
1614 | {
|
---|
1615 | #if defined(RT_OS_WINDOWS)
|
---|
1616 | /** @todo Windows hardening. */
|
---|
1617 | RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
|
---|
1618 | return VINF_SUCCESS;
|
---|
1619 |
|
---|
1620 | #elif defined(RT_OS_OS2)
|
---|
1621 | /* No hardening here - it's a single user system. */
|
---|
1622 | RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
|
---|
1623 | return VINF_SUCCESS;
|
---|
1624 |
|
---|
1625 | #else
|
---|
1626 | /*
|
---|
1627 | * Open the directory. Now, we could probably eliminate opendir here
|
---|
1628 | * and go down on kernel API level (open + getdents for instance), however
|
---|
1629 | * that's not very portable and hopefully not necessary.
|
---|
1630 | */
|
---|
1631 | DIR *pDir = opendir(pszDirPath);
|
---|
1632 | if (!pDir)
|
---|
1633 | {
|
---|
1634 | /* Ignore access errors. */
|
---|
1635 | if (errno == EACCES)
|
---|
1636 | return VINF_SUCCESS;
|
---|
1637 | return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
|
---|
1638 | 5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
|
---|
1639 | }
|
---|
1640 | if (dirfd(pDir) != -1)
|
---|
1641 | {
|
---|
1642 | int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
|
---|
1643 | if (RT_FAILURE(rc))
|
---|
1644 | {
|
---|
1645 | closedir(pDir);
|
---|
1646 | return rc;
|
---|
1647 | }
|
---|
1648 | }
|
---|
1649 |
|
---|
1650 | /*
|
---|
1651 | * Enumerate the directory, check all the requested bits.
|
---|
1652 | */
|
---|
1653 | int rc = VINF_SUCCESS;
|
---|
1654 | for (;;)
|
---|
1655 | {
|
---|
1656 | pszDirPath[cchDirPath] = '\0'; /* for error messages. */
|
---|
1657 |
|
---|
1658 | struct dirent Entry;
|
---|
1659 | struct dirent *pEntry;
|
---|
1660 | #if RT_GNUC_PREREQ(4, 6)
|
---|
1661 | # pragma GCC diagnostic push
|
---|
1662 | # pragma GCC diagnostic ignored "-Wdeprecated-declarations"
|
---|
1663 | #endif
|
---|
1664 | int iErr = readdir_r(pDir, &Entry, &pEntry);
|
---|
1665 | #if RT_GNUC_PREREQ(4, 6)
|
---|
1666 | # pragma GCC diagnostic pop
|
---|
1667 | #endif
|
---|
1668 | if (iErr)
|
---|
1669 | {
|
---|
1670 | rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
|
---|
1671 | 5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
|
---|
1672 | break;
|
---|
1673 | }
|
---|
1674 | if (!pEntry)
|
---|
1675 | break;
|
---|
1676 |
|
---|
1677 | /*
|
---|
1678 | * Check the length and copy it into the path buffer so it can be
|
---|
1679 | * stat()'ed.
|
---|
1680 | */
|
---|
1681 | size_t cchName = suplibHardenedStrLen(pEntry->d_name);
|
---|
1682 | if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
|
---|
1683 | {
|
---|
1684 | rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
|
---|
1685 | 4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
|
---|
1686 | break;
|
---|
1687 | }
|
---|
1688 | suplibHardenedMemCopy(&pszDirPath[cchDirPath], pEntry->d_name, cchName + 1);
|
---|
1689 |
|
---|
1690 | /*
|
---|
1691 | * Query the information about the entry and verify it.
|
---|
1692 | * (We don't bother skipping '.' and '..' at this point, a little bit
|
---|
1693 | * of extra checks doesn't hurt and neither requires relaxed handling.)
|
---|
1694 | */
|
---|
1695 | rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
|
---|
1696 | if (RT_SUCCESS(rc))
|
---|
1697 | break;
|
---|
1698 | rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /*fRelaxed*/,
|
---|
1699 | false /*fSymlinksAllowed*/, pszDirPath, pErrInfo);
|
---|
1700 | if (RT_FAILURE(rc))
|
---|
1701 | break;
|
---|
1702 |
|
---|
1703 | /*
|
---|
1704 | * Recurse into subdirectories if requested.
|
---|
1705 | */
|
---|
1706 | if ( fRecursive
|
---|
1707 | && S_ISDIR(pFsObjState->Stat.st_mode)
|
---|
1708 | && suplibHardenedStrCmp(pEntry->d_name, ".")
|
---|
1709 | && suplibHardenedStrCmp(pEntry->d_name, ".."))
|
---|
1710 | {
|
---|
1711 | pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
|
---|
1712 | pszDirPath[cchDirPath + cchName + 1] = '\0';
|
---|
1713 |
|
---|
1714 | rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
|
---|
1715 | fRecursive, pErrInfo);
|
---|
1716 | if (RT_FAILURE(rc))
|
---|
1717 | break;
|
---|
1718 | }
|
---|
1719 | }
|
---|
1720 |
|
---|
1721 | closedir(pDir);
|
---|
1722 | return rc;
|
---|
1723 | #endif
|
---|
1724 | }
|
---|
1725 |
|
---|
1726 |
|
---|
1727 | /**
|
---|
1728 | * Worker for SUPR3HardenedVerifyDir.
|
---|
1729 | *
|
---|
1730 | * @returns See SUPR3HardenedVerifyDir.
|
---|
1731 | * @param pszDirPath See SUPR3HardenedVerifyDir.
|
---|
1732 | * @param fRecursive See SUPR3HardenedVerifyDir.
|
---|
1733 | * @param fCheckFiles See SUPR3HardenedVerifyDir.
|
---|
1734 | * @param pErrInfo See SUPR3HardenedVerifyDir.
|
---|
1735 | */
|
---|
1736 | DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
|
---|
1737 | {
|
---|
1738 | /*
|
---|
1739 | * Validate the input path and parse it.
|
---|
1740 | */
|
---|
1741 | SUPR3HARDENEDPATHINFO Info;
|
---|
1742 | int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
|
---|
1743 | if (RT_FAILURE(rc))
|
---|
1744 | return rc;
|
---|
1745 |
|
---|
1746 | /*
|
---|
1747 | * Verify each component from the root up.
|
---|
1748 | */
|
---|
1749 | SUPR3HARDENEDFSOBJSTATE FsObjState;
|
---|
1750 | uint32_t const cComponents = Info.cComponents;
|
---|
1751 | for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
|
---|
1752 | {
|
---|
1753 | bool fRelaxed = iComponent + 2 < cComponents;
|
---|
1754 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
|
---|
1755 | rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
|
---|
1756 | if (RT_SUCCESS(rc))
|
---|
1757 | rc = supR3HardenedVerifyFsObject(&FsObjState, true /*fDir*/, fRelaxed,
|
---|
1758 | false /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
|
---|
1759 | if (RT_FAILURE(rc))
|
---|
1760 | return rc;
|
---|
1761 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
|
---|
1762 | }
|
---|
1763 |
|
---|
1764 | /*
|
---|
1765 | * Check files and subdirectories if requested.
|
---|
1766 | */
|
---|
1767 | if (fCheckFiles || fRecursive)
|
---|
1768 | {
|
---|
1769 | Info.szPath[Info.cch] = RTPATH_SLASH;
|
---|
1770 | Info.szPath[Info.cch + 1] = '\0';
|
---|
1771 | return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
|
---|
1772 | fRecursive, pErrInfo);
|
---|
1773 | }
|
---|
1774 |
|
---|
1775 | return VINF_SUCCESS;
|
---|
1776 | }
|
---|
1777 |
|
---|
1778 |
|
---|
1779 | /**
|
---|
1780 | * Verfies a file.
|
---|
1781 | *
|
---|
1782 | * @returns VBox status code, error buffer filled on failure.
|
---|
1783 | * @param pszFilename The file to verify.
|
---|
1784 | * @param hNativeFile Handle to the file, verify that it's the same
|
---|
1785 | * as we ended up with when verifying the path.
|
---|
1786 | * RTHCUINTPTR_MAX means NIL here.
|
---|
1787 | * @param fMaybe3rdParty Set if the file is could be a supplied by a
|
---|
1788 | * third party. Different validation rules may
|
---|
1789 | * apply to 3rd party code on some platforms.
|
---|
1790 | * @param pErrInfo Where to return extended error information.
|
---|
1791 | * Optional.
|
---|
1792 | */
|
---|
1793 | DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
|
---|
1794 | bool fMaybe3rdParty, PRTERRINFO pErrInfo)
|
---|
1795 | {
|
---|
1796 | /*
|
---|
1797 | * Validate the input path and parse it.
|
---|
1798 | */
|
---|
1799 | SUPR3HARDENEDPATHINFO Info;
|
---|
1800 | int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
|
---|
1801 | if (RT_FAILURE(rc))
|
---|
1802 | return rc;
|
---|
1803 | if (Info.fDirSlash)
|
---|
1804 | return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
|
---|
1805 | "The file path specifies a directory: '", pszFilename, "'");
|
---|
1806 |
|
---|
1807 | /*
|
---|
1808 | * Verify each component from the root up.
|
---|
1809 | */
|
---|
1810 | SUPR3HARDENEDFSOBJSTATE FsObjState;
|
---|
1811 | uint32_t const cComponents = Info.cComponents;
|
---|
1812 | for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
|
---|
1813 | {
|
---|
1814 | bool fFinal = iComponent + 1 == cComponents;
|
---|
1815 | bool fRelaxed = iComponent + 2 < cComponents;
|
---|
1816 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
|
---|
1817 | rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
|
---|
1818 | if (RT_SUCCESS(rc))
|
---|
1819 | rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed,
|
---|
1820 | false /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
|
---|
1821 | if (RT_FAILURE(rc))
|
---|
1822 | return rc;
|
---|
1823 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
|
---|
1824 | }
|
---|
1825 |
|
---|
1826 | /*
|
---|
1827 | * Verify the file handle against the last component, if specified.
|
---|
1828 | */
|
---|
1829 | if (hNativeFile != RTHCUINTPTR_MAX)
|
---|
1830 | {
|
---|
1831 | rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
|
---|
1832 | if (RT_FAILURE(rc))
|
---|
1833 | return rc;
|
---|
1834 | }
|
---|
1835 |
|
---|
1836 | #ifdef RT_OS_WINDOWS
|
---|
1837 | /*
|
---|
1838 | * The files shall be signed on windows, verify that.
|
---|
1839 | */
|
---|
1840 | rc = VINF_SUCCESS;
|
---|
1841 | HANDLE hVerify;
|
---|
1842 | if (hNativeFile == RTHCUINTPTR_MAX)
|
---|
1843 | {
|
---|
1844 | PRTUTF16 pwszPath;
|
---|
1845 | rc = RTStrToUtf16(pszFilename, &pwszPath);
|
---|
1846 | if (RT_SUCCESS(rc))
|
---|
1847 | {
|
---|
1848 | hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
---|
1849 | RTUtf16Free(pwszPath);
|
---|
1850 | }
|
---|
1851 | else
|
---|
1852 | {
|
---|
1853 | rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
|
---|
1854 | hVerify = INVALID_HANDLE_VALUE;
|
---|
1855 | }
|
---|
1856 | }
|
---|
1857 | else
|
---|
1858 | {
|
---|
1859 | NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
|
---|
1860 | GENERIC_READ, 0 /*HandleAttributes*/, 0 /*Options*/);
|
---|
1861 | if (!NT_SUCCESS(rcNt))
|
---|
1862 | hVerify = INVALID_HANDLE_VALUE;
|
---|
1863 | }
|
---|
1864 | if (hVerify != INVALID_HANDLE_VALUE)
|
---|
1865 | {
|
---|
1866 | # ifdef VBOX_WITH_HARDENING
|
---|
1867 | uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
|
---|
1868 | if (!fMaybe3rdParty)
|
---|
1869 | fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
|
---|
1870 | const char *pszSuffix = RTPathSuffix(pszFilename);
|
---|
1871 | if ( pszSuffix
|
---|
1872 | && pszSuffix[0] == '.'
|
---|
1873 | && ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
|
---|
1874 | || RT_C_TO_LOWER(pszSuffix[1]) == 'g')
|
---|
1875 | && RT_C_TO_LOWER(pszSuffix[2]) == 'c'
|
---|
1876 | && pszSuffix[3] == '\0' )
|
---|
1877 | fFlags |= SUPHNTVI_F_RC_IMAGE;
|
---|
1878 | # ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
|
---|
1879 | rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
|
---|
1880 | # endif
|
---|
1881 | # else
|
---|
1882 | RT_NOREF1(fMaybe3rdParty);
|
---|
1883 | # endif
|
---|
1884 | NtClose(hVerify);
|
---|
1885 | }
|
---|
1886 | else if (RT_SUCCESS(rc))
|
---|
1887 | rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
|
---|
1888 | "Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
|
---|
1889 | if (RT_FAILURE(rc))
|
---|
1890 | return rc;
|
---|
1891 | #else
|
---|
1892 | RT_NOREF1(fMaybe3rdParty);
|
---|
1893 | #endif
|
---|
1894 |
|
---|
1895 | return VINF_SUCCESS;
|
---|
1896 | }
|
---|
1897 |
|
---|
1898 |
|
---|
1899 | #if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
|
---|
1900 | /**
|
---|
1901 | * Verfies a file following symlinks.
|
---|
1902 | *
|
---|
1903 | * @returns VBox status code, error buffer filled on failure.
|
---|
1904 | * @param pszFilename The file to verify.
|
---|
1905 | * @param hNativeFile Handle to the file, verify that it's the same
|
---|
1906 | * as we ended up with when verifying the path.
|
---|
1907 | * RTHCUINTPTR_MAX means NIL here.
|
---|
1908 | * @param fMaybe3rdParty Set if the file is could be a supplied by a
|
---|
1909 | * third party. Different validation rules may
|
---|
1910 | * apply to 3rd party code on some platforms.
|
---|
1911 | * @param pErrInfo Where to return extended error information.
|
---|
1912 | * Optional.
|
---|
1913 | *
|
---|
1914 | * @note This is only used on OS X for libraries loaded with dlopen() because
|
---|
1915 | * the frameworks use symbolic links to point to the relevant library.
|
---|
1916 | *
|
---|
1917 | * @sa supR3HardenedVerifyFile
|
---|
1918 | */
|
---|
1919 | DECLHIDDEN(int) supR3HardenedVerifyFileFollowSymlinks(const char *pszFilename, RTHCUINTPTR hNativeFile, bool fMaybe3rdParty,
|
---|
1920 | PRTERRINFO pErrInfo)
|
---|
1921 | {
|
---|
1922 | RT_NOREF1(fMaybe3rdParty);
|
---|
1923 |
|
---|
1924 | /*
|
---|
1925 | * Validate the input path and parse it.
|
---|
1926 | */
|
---|
1927 | SUPR3HARDENEDPATHINFO Info;
|
---|
1928 | int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
|
---|
1929 | if (RT_FAILURE(rc))
|
---|
1930 | return rc;
|
---|
1931 | if (Info.fDirSlash)
|
---|
1932 | return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
|
---|
1933 | "The file path specifies a directory: '", pszFilename, "'");
|
---|
1934 |
|
---|
1935 | /*
|
---|
1936 | * Verify each component from the root up.
|
---|
1937 | */
|
---|
1938 | #ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
|
---|
1939 | uint32_t iLoops = 0;
|
---|
1940 | #endif
|
---|
1941 | SUPR3HARDENEDFSOBJSTATE FsObjState;
|
---|
1942 | uint32_t iComponent = 0;
|
---|
1943 | while (iComponent < Info.cComponents)
|
---|
1944 | {
|
---|
1945 | bool fFinal = iComponent + 1 == Info.cComponents;
|
---|
1946 | bool fRelaxed = iComponent + 2 < Info.cComponents;
|
---|
1947 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
|
---|
1948 | rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
|
---|
1949 | if (RT_SUCCESS(rc))
|
---|
1950 | {
|
---|
1951 | /*
|
---|
1952 | * In case the component is a symlink expand it and start from the beginning after
|
---|
1953 | * verifying it has the proper access rights.
|
---|
1954 | * Furthermore only allow symlinks which don't contain any .. or . in the target
|
---|
1955 | * (enforced by supR3HardenedVerifyPathSanity).
|
---|
1956 | */
|
---|
1957 | rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed,
|
---|
1958 | true /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
|
---|
1959 | if ( RT_SUCCESS(rc)
|
---|
1960 | && S_ISLNK(FsObjState.Stat.st_mode))
|
---|
1961 | {
|
---|
1962 | #if SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH /* Another approach using realpath() and verifying the result when encountering a symlink. */
|
---|
1963 | char *pszFilenameResolved = realpath(pszFilename, NULL);
|
---|
1964 | if (pszFilenameResolved)
|
---|
1965 | {
|
---|
1966 | rc = supR3HardenedVerifyFile(pszFilenameResolved, hNativeFile, fMaybe3rdParty, pErrInfo);
|
---|
1967 | free(pszFilenameResolved);
|
---|
1968 | return rc;
|
---|
1969 | }
|
---|
1970 | else
|
---|
1971 | {
|
---|
1972 | int iErr = errno;
|
---|
1973 | supR3HardenedError(VERR_ACCESS_DENIED, false /*fFatal*/,
|
---|
1974 | "supR3HardenedVerifyFileFollowSymlinks: Failed to resolve the real path '%s': %s (%d)\n",
|
---|
1975 | pszFilename, strerror(iErr), iErr);
|
---|
1976 | return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
|
---|
1977 | "realpath failed for '", pszFilename, "': ", strerror(iErr));
|
---|
1978 | }
|
---|
1979 | #else
|
---|
1980 | /* Don't loop forever. */
|
---|
1981 | iLoops++;
|
---|
1982 | if (iLoops < 8)
|
---|
1983 | {
|
---|
1984 | /*
|
---|
1985 | * Construct new path by replacing the current component by the symlink value.
|
---|
1986 | * Note! readlink() is a weird API that doesn't necessarily indicates if the
|
---|
1987 | * buffer is too small.
|
---|
1988 | */
|
---|
1989 | char szPath[RTPATH_MAX];
|
---|
1990 | size_t const cchBefore = Info.aoffComponents[iComponent]; /* includes slash */
|
---|
1991 | size_t const cchAfter = fFinal ? 0 : 1 /*slash*/ + Info.cch - Info.aoffComponents[iComponent + 1];
|
---|
1992 | if (sizeof(szPath) > cchBefore + cchAfter + 2)
|
---|
1993 | {
|
---|
1994 | ssize_t cchTarget = readlink(Info.szPath, szPath, sizeof(szPath) - 1);
|
---|
1995 | if (cchTarget > 0)
|
---|
1996 | {
|
---|
1997 | /* Some serious paranoia against embedded zero terminator and weird return values. */
|
---|
1998 | szPath[cchTarget] = '\0';
|
---|
1999 | size_t cchLink = strlen(szPath);
|
---|
2000 |
|
---|
2001 | /* Strip trailing dirslashes of non-final link. */
|
---|
2002 | if (!fFinal)
|
---|
2003 | while (cchLink > 1 and szPath[cchLink - 1] == '/')
|
---|
2004 | cchLink--;
|
---|
2005 |
|
---|
2006 | /* Check link value sanity and buffer size. */
|
---|
2007 | if (cchLink == 0)
|
---|
2008 | return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
|
---|
2009 | "Bad readlink return for '", Info.szPath, "'");
|
---|
2010 | if (szPath[0] == '/')
|
---|
2011 | return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
|
---|
2012 | "Absolute symbolic link not allowed: '", szPath, "'");
|
---|
2013 | if (cchBefore + cchLink + cchAfter + 1 /*terminator*/ > sizeof(szPath))
|
---|
2014 | return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
|
---|
2015 | "Symlinks causing too long path!");
|
---|
2016 |
|
---|
2017 | /* Construct the new path. */
|
---|
2018 | if (cchBefore)
|
---|
2019 | memmove(&szPath[cchBefore], &szPath[0], cchLink);
|
---|
2020 | memcpy(&szPath[0], Info.szPath, cchBefore);
|
---|
2021 | if (!cchAfter)
|
---|
2022 | szPath[cchBefore + cchLink] = '\0';
|
---|
2023 | else
|
---|
2024 | {
|
---|
2025 | szPath[cchBefore + cchLink] = RTPATH_SLASH;
|
---|
2026 | memcpy(&szPath[cchBefore + cchLink + 1],
|
---|
2027 | &Info.szPath[Info.aoffComponents[iComponent + 1]],
|
---|
2028 | cchAfter); /* cchAfter includes a zero terminator */
|
---|
2029 | }
|
---|
2030 |
|
---|
2031 | /* Parse, copy and check the sanity (no '..' or '.') of the altered path. */
|
---|
2032 | rc = supR3HardenedVerifyPathSanity(szPath, pErrInfo, &Info);
|
---|
2033 | if (RT_FAILURE(rc))
|
---|
2034 | return rc;
|
---|
2035 | if (Info.fDirSlash)
|
---|
2036 | return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
|
---|
2037 | "The file path specifies a directory: '", szPath, "'");
|
---|
2038 |
|
---|
2039 | /* Restart from the current component. */
|
---|
2040 | continue;
|
---|
2041 | }
|
---|
2042 | int iErr = errno;
|
---|
2043 | supR3HardenedError(VERR_ACCESS_DENIED, false /*fFatal*/,
|
---|
2044 | "supR3HardenedVerifyFileFollowSymlinks: Failed to readlink '%s': %s (%d)\n",
|
---|
2045 | Info.szPath, strerror(iErr), iErr);
|
---|
2046 | return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
|
---|
2047 | "readlink failed for '", Info.szPath, "': ", strerror(iErr));
|
---|
2048 | }
|
---|
2049 | return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo, "Path too long for symlink replacing!");
|
---|
2050 | }
|
---|
2051 | else
|
---|
2052 | return supR3HardenedSetError3(VERR_TOO_MANY_SYMLINKS, pErrInfo,
|
---|
2053 | "Too many symbolic links: '", pszFilename, "'");
|
---|
2054 | #endif
|
---|
2055 | }
|
---|
2056 | }
|
---|
2057 | if (RT_FAILURE(rc))
|
---|
2058 | return rc;
|
---|
2059 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
|
---|
2060 | iComponent++;
|
---|
2061 | }
|
---|
2062 |
|
---|
2063 | /*
|
---|
2064 | * Verify the file handle against the last component, if specified.
|
---|
2065 | */
|
---|
2066 | if (hNativeFile != RTHCUINTPTR_MAX)
|
---|
2067 | {
|
---|
2068 | rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
|
---|
2069 | if (RT_FAILURE(rc))
|
---|
2070 | return rc;
|
---|
2071 | }
|
---|
2072 |
|
---|
2073 | return VINF_SUCCESS;
|
---|
2074 | }
|
---|
2075 | #endif /* RT_OS_DARWIN || RT_OS_LINUX */
|
---|
2076 |
|
---|
2077 |
|
---|
2078 | /**
|
---|
2079 | * Gets the pre-init data for the hand-over to the other version
|
---|
2080 | * of this code.
|
---|
2081 | *
|
---|
2082 | * The reason why we pass this information on is that it contains
|
---|
2083 | * open directories and files. Later it may include even more info
|
---|
2084 | * (int the verified arrays mostly).
|
---|
2085 | *
|
---|
2086 | * The receiver is supR3HardenedRecvPreInitData.
|
---|
2087 | *
|
---|
2088 | * @param pPreInitData Where to store it.
|
---|
2089 | */
|
---|
2090 | DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
|
---|
2091 | {
|
---|
2092 | pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
|
---|
2093 | pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
|
---|
2094 | pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
|
---|
2095 |
|
---|
2096 | pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
|
---|
2097 | pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
|
---|
2098 | }
|
---|
2099 |
|
---|
2100 |
|
---|
2101 | /**
|
---|
2102 | * Receives the pre-init data from the static executable stub.
|
---|
2103 | *
|
---|
2104 | * @returns VBox status code. Will not bitch on failure since the
|
---|
2105 | * runtime isn't ready for it, so that is left to the exe stub.
|
---|
2106 | *
|
---|
2107 | * @param pPreInitData The hand-over data.
|
---|
2108 | */
|
---|
2109 | DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
|
---|
2110 | {
|
---|
2111 | /*
|
---|
2112 | * Compare the array lengths and the contents of g_aSupInstallFiles.
|
---|
2113 | */
|
---|
2114 | if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
|
---|
2115 | || pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
|
---|
2116 | return VERR_VERSION_MISMATCH;
|
---|
2117 | SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
|
---|
2118 | for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
|
---|
2119 | if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
|
---|
2120 | || g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
|
---|
2121 | || g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
|
---|
2122 | || suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
|
---|
2123 | return VERR_VERSION_MISMATCH;
|
---|
2124 |
|
---|
2125 | /*
|
---|
2126 | * Check that we're not called out of order.
|
---|
2127 | * If dynamic linking it screwed up, we may end up here.
|
---|
2128 | */
|
---|
2129 | if ( !ASMMemIsZero(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles))
|
---|
2130 | || !ASMMemIsZero(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs)))
|
---|
2131 | return VERR_WRONG_ORDER;
|
---|
2132 |
|
---|
2133 | /*
|
---|
2134 | * Copy the verification data over.
|
---|
2135 | */
|
---|
2136 | suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
|
---|
2137 | suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
|
---|
2138 | return VINF_SUCCESS;
|
---|
2139 | }
|
---|