SUPR3HardenedVerify.cpp@ 66608

Last change on this file since 66608 was 66608, checked in by vboxsync, 8 years ago
HostDrivers/Support: bugref:8740 Relax the path constraints
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 81.5 KB

Line
1	/* $Id: SUPR3HardenedVerify.cpp 66608 2017-04-19 10:35:06Z vboxsync $ */
2	/** @file
3	* VirtualBox Support Library - Verification of Hardened Installation.
4	*/
5
6	/*
7	* Copyright (C) 2006-2016 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.215389.xyz. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27
28	/*********************************************************************************************************************************
29	* Header Files *
30	*********************************************************************************************************************************/
31	#if defined(RT_OS_OS2)
32	# define INCL_BASE
33	# define INCL_ERRORS
34	# include <os2.h>
35	# include <stdio.h>
36	# include <stdlib.h>
37	# include <unistd.h>
38	# include <sys/fcntl.h>
39	# include <sys/errno.h>
40	# include <sys/syslimits.h>
41
42	#elif defined(RT_OS_WINDOWS)
43	# include <iprt/nt/nt-and-windows.h>
44	# ifndef IN_SUP_HARDENED_R3
45	# include <stdio.h>
46	# endif
47
48	#else /* UNIXes */
49	# include <sys/types.h>
50	# include <stdio.h>
51	# include <stdlib.h>
52	# include <dirent.h>
53	# include <dlfcn.h>
54	# include <fcntl.h>
55	# include <limits.h>
56	# include <errno.h>
57	# include <unistd.h>
58	# include <sys/stat.h>
59	# include <sys/time.h>
60	# include <sys/fcntl.h>
61	# include <pwd.h>
62	# ifdef RT_OS_DARWIN
63	# include <mach-o/dyld.h>
64	# endif
65
66	#endif
67
68	#include <VBox/sup.h>
69	#include <VBox/err.h>
70	#include <iprt/asm.h>
71	#include <iprt/ctype.h>
72	#include <iprt/param.h>
73	#include <iprt/path.h>
74	#include <iprt/string.h>
75
76	#include "SUPLibInternal.h"
77	#if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
78	# define SUPHNTVI_NO_NT_STUFF
79	# include "win/SUPHardenedVerify-win.h"
80	#endif
81
82
83	/*********************************************************************************************************************************
84	* Defined Constants And Macros *
85	*********************************************************************************************************************************/
86	/** The max path length acceptable for a trusted path. */
87	#define SUPR3HARDENED_MAX_PATH 260U
88
89	#ifdef RT_OS_SOLARIS
90	# define dirfd(d) ((d)->d_fd)
91	#endif
92
93	/** Compare table file names with externally supplied names. */
94	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
95	# define SUP_COMP_FILENAME RTStrICmp
96	#else
97	# define SUP_COMP_FILENAME suplibHardenedStrCmp
98	#endif
99
100
101	/*********************************************************************************************************************************
102	* Global Variables *
103	*********************************************************************************************************************************/
104	/**
105	* The files that gets verified.
106	*
107	* @todo This needs reviewing against the linux packages.
108	* @todo The excessive use of kSupID_AppSharedLib needs to be reviewed at some point. For
109	* the time being we're building the linux packages with SharedLib pointing to
110	* AppPrivArch (lazy bird).
111	*
112	* @remarks If you add executables here, you might need to update
113	* g_apszSupNtVpAllowedVmExes in SUPHardenedVerifyProcess-win.cpp.
114	*/
115	static SUPINSTFILE const g_aSupInstallFiles[] =
116	{
117	/* type, dir, fOpt, "pszFile" */
118	/* ---------------------------------------------------------------------- */
119	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
120	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
121	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
122
123	#ifdef VBOX_WITH_RAW_MODE
124	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMRC.rc" },
125	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDRC.rc" },
126	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDD2RC.rc" },
127	#endif
128
129	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
130	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
131	#ifdef VBOX_WITH_REM
132	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
133	#endif
134	#if HC_ARCH_BITS == 32
135	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
136	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
137	#endif
138	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
139	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
140	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
141	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxVMMPreload" SUPLIB_EXE_SUFF },
142	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVMMPreload" SUPLIB_DLL_SUFF },
143
144	//#ifdef VBOX_WITH_DEBUGGER_GUI
145	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
146	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
147	//#endif
148
149	//#ifdef VBOX_WITH_SHARED_CLIPBOARD
150	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
151	//#endif
152	//#ifdef VBOX_WITH_SHARED_FOLDERS
153	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
154	//#endif
155	//#ifdef VBOX_WITH_DRAG_AND_DROP
156	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
157	//#endif
158	//#ifdef VBOX_WITH_GUEST_PROPS
159	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
160	//#endif
161	//#ifdef VBOX_WITH_GUEST_CONTROL
162	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
163	//#endif
164	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
165	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
166	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
167	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
168	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
169
170	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
171
172	#ifdef VBOX_WITH_MAIN
173	{ kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
174	#ifdef RT_OS_WINDOWS
175	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
176	#else
177	{ kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
178	{ kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
179	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
180	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
181	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
182	{ kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
183	#endif
184	#endif
185
186	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
187	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
188	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
189
190	//#ifdef VBOX_WITH_HEADLESS
191	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
192	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
193	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
194	//#endif
195
196	//#ifdef VBOX_WITH_QTGUI
197	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
198	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
199	# ifdef RT_OS_DARWIN
200	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
201	# endif
202	# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
203	{ kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
204	# endif
205	//#endif
206
207	//#ifdef VBOX_WITH_VBOXSDL
208	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
209	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
210	//#endif
211
212	//#ifdef VBOX_WITH_WEBSERVICES
213	{ kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
214	//#endif
215
216	#ifdef RT_OS_LINUX
217	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
218	#endif
219
220	//#ifdef VBOX_WITH_NETFLT
221	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
222	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
223	//#endif
224
225	//#ifdef VBOX_WITH_LWIP_NAT
226	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
227	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
228	//#endif
229	#if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
230	# define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
231	{ kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
232	{ kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
233	HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
234	HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
235	HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
236	HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
237	HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
238	# define HARDENED_TESTCASE_ENTRY(a_szName) \
239	{ kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
240	{ kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
241	HARDENED_TESTCASE_ENTRY("tstCFGM"),
242	HARDENED_TESTCASE_ENTRY("tstGIP-2"),
243	HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
244	HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
245	HARDENED_TESTCASE_ENTRY("tstRTR0ThreadPreemptionDriver"),
246	HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
247	HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
248	HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
249	HARDENED_TESTCASE_ENTRY("tstSSM"),
250	#endif
251	};
252
253
254	/** Array parallel to g_aSupInstallFiles containing per-file status info. */
255	static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
256
257	/** Array index by install directory specifier containing info about verified directories. */
258	static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
259
260
261	/**
262	* Assembles the path to a directory.
263	*
264	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
265	* decides whether it returns or not).
266	*
267	* @param enmDir The directory.
268	* @param pszDst Where to assemble the path.
269	* @param cchDst The size of the buffer.
270	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
271	*/
272	static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
273	{
274	int rc;
275	switch (enmDir)
276	{
277	case kSupID_AppBin:
278	rc = supR3HardenedPathAppBin(pszDst, cchDst);
279	break;
280	case kSupID_AppSharedLib:
281	rc = supR3HardenedPathAppSharedLibs(pszDst, cchDst);
282	break;
283	case kSupID_AppPrivArch:
284	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
285	break;
286	case kSupID_AppPrivArchComp:
287	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
288	if (RT_SUCCESS(rc))
289	{
290	size_t off = suplibHardenedStrLen(pszDst);
291	if (cchDst - off >= sizeof("/components"))
292	suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
293	else
294	rc = VERR_BUFFER_OVERFLOW;
295	}
296	break;
297	case kSupID_AppPrivNoArch:
298	rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
299	break;
300	case kSupID_Testcase:
301	rc = supR3HardenedPathAppBin(pszDst, cchDst);
302	if (RT_SUCCESS(rc))
303	{
304	size_t off = suplibHardenedStrLen(pszDst);
305	if (cchDst - off >= sizeof("/testcase"))
306	suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
307	else
308	rc = VERR_BUFFER_OVERFLOW;
309	}
310	break;
311	default:
312	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
313	"supR3HardenedMakePath: enmDir=%d\n", enmDir);
314	}
315	if (RT_FAILURE(rc))
316	supR3HardenedError(rc, fFatal,
317	"supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
318	return rc;
319	}
320
321
322
323	/**
324	* Assembles the path to a file table entry, with or without the actual filename.
325	*
326	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
327	* decides whether it returns or not).
328	*
329	* @param pFile The file table entry.
330	* @param pszDst Where to assemble the path.
331	* @param cchDst The size of the buffer.
332	* @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
333	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
334	*/
335	static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
336	{
337	/*
338	* Combine supR3HardenedMakePath and the filename.
339	*/
340	int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
341	if (RT_SUCCESS(rc) && fWithFilename)
342	{
343	size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
344	size_t off = suplibHardenedStrLen(pszDst);
345	if (cchDst - off >= cchFile + 2)
346	{
347	pszDst[off++] = '/';
348	suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
349	}
350	else
351	rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
352	"supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
353	pFile->pszFile, (long)off);
354	}
355	return rc;
356	}
357
358
359	/**
360	* Verifies a directory.
361	*
362	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
363	* fFatal is clear and if it's set the function wont return.
364	* @param enmDir The directory specifier.
365	* @param fFatal Whether validation failures should be treated as
366	* fatal (true) or not (false).
367	*/
368	DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
369	{
370	/*
371	* Validate the index just to be on the safe side...
372	*/
373	if (enmDir <= kSupID_Invalid \|\| enmDir >= kSupID_End)
374	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
375	"supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
376
377	/*
378	* Already validated?
379	*/
380	if (g_aSupVerifiedDirs[enmDir].fValidated)
381	return VINF_SUCCESS; /** @todo revalidate? */
382
383	/* initialize the entry. */
384	if (g_aSupVerifiedDirs[enmDir].hDir != 0)
385	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
386	"supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
387	(void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
388	g_aSupVerifiedDirs[enmDir].hDir = -1;
389	g_aSupVerifiedDirs[enmDir].fValidated = false;
390
391	/*
392	* Make the path and open the directory.
393	*/
394	char szPath[RTPATH_MAX];
395	int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
396	if (RT_SUCCESS(rc))
397	{
398	#if defined(RT_OS_WINDOWS)
399	PRTUTF16 pwszPath;
400	rc = RTStrToUtf16(szPath, &pwszPath);
401	if (RT_SUCCESS(rc))
402	{
403	HANDLE hDir = CreateFileW(pwszPath,
404	GENERIC_READ,
405	FILE_SHARE_READ \| FILE_SHARE_DELETE \| FILE_SHARE_WRITE,
406	NULL,
407	OPEN_EXISTING,
408	FILE_ATTRIBUTE_NORMAL \| FILE_FLAG_BACKUP_SEMANTICS,
409	NULL);
410	if (hDir != INVALID_HANDLE_VALUE)
411	{
412	/** @todo check the type */
413	/* That's all on windows, for now at least... */
414	g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
415	g_aSupVerifiedDirs[enmDir].fValidated = true;
416	}
417	else if (enmDir == kSupID_Testcase)
418	{
419	g_aSupVerifiedDirs[enmDir].fValidated = true;
420	rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
421	}
422	else
423	{
424	int err = RtlGetLastWin32Error();
425	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
426	"supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
427	szPath, err);
428	}
429	RTUtf16Free(pwszPath);
430	}
431	else
432	rc = supR3HardenedError(rc, fFatal,
433	"supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
434
435	#else /* UNIXY */
436	int fd = open(szPath, O_RDONLY, 0);
437	if (fd >= 0)
438	{
439	/*
440	* On unixy systems we'll make sure the directory is owned by root
441	* and not writable by the group and user.
442	*/
443	struct stat st;
444	if (!fstat(fd, &st))
445	{
446
447	if ( st.st_uid == 0
448	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
449	&& S_ISDIR(st.st_mode))
450	{
451	g_aSupVerifiedDirs[enmDir].hDir = fd;
452	g_aSupVerifiedDirs[enmDir].fValidated = true;
453	}
454	else
455	{
456	if (!S_ISDIR(st.st_mode))
457	rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
458	"supR3HardenedVerifyDir: \"%s\" is not a directory\n",
459	szPath, (long)st.st_uid);
460	else if (st.st_uid)
461	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
462	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
463	szPath, (long)st.st_uid);
464	else
465	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
466	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
467	szPath, (long)st.st_mode);
468	close(fd);
469	}
470	}
471	else
472	{
473	int err = errno;
474	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
475	"supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
476	szPath, strerror(err), err);
477	close(fd);
478	}
479	}
480	else if (enmDir == kSupID_Testcase)
481	{
482	g_aSupVerifiedDirs[enmDir].fValidated = true;
483	rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
484	}
485	else
486	{
487	int err = errno;
488	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
489	"supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
490	szPath, strerror(err), err);
491	}
492	#endif /* UNIXY */
493	}
494
495	return rc;
496	}
497
498
499	#ifdef RT_OS_WINDOWS
500	/**
501	* Opens the file for verification.
502	*
503	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
504	* fFatal is clear and if it's set the function wont return.
505	* @param pFile The file entry.
506	* @param fFatal Whether validation failures should be treated as
507	* kl fatal (true) or not (false).
508	* @param phFile The file handle, set to -1 if we failed to open
509	* the file. The function may return VINF_SUCCESS
510	* and a -1 handle if the file is optional.
511	*/
512	static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
513	{
514	*phFile = -1;
515
516	char szPath[RTPATH_MAX];
517	int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /fWithFilename/, fFatal);
518	if (RT_SUCCESS(rc))
519	{
520	PRTUTF16 pwszPath;
521	rc = RTStrToUtf16(szPath, &pwszPath);
522	if (RT_SUCCESS(rc))
523	{
524	HANDLE hFile = CreateFileW(pwszPath,
525	GENERIC_READ,
526	FILE_SHARE_READ,
527	NULL,
528	OPEN_EXISTING,
529	FILE_ATTRIBUTE_NORMAL,
530	NULL);
531	if (hFile != INVALID_HANDLE_VALUE)
532	{
533	*phFile = (intptr_t)hFile;
534	rc = VINF_SUCCESS;
535	}
536	else
537	{
538	int err = RtlGetLastWin32Error();
539	if ( !pFile->fOptional
540	\|\| ( err != ERROR_FILE_NOT_FOUND
541	&& (err != ERROR_PATH_NOT_FOUND \|\| pFile->enmDir != kSupID_Testcase) ) )
542	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
543	"supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
544	}
545	RTUtf16Free(pwszPath);
546	}
547	else
548	rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
549	szPath, rc);
550	}
551	return rc;
552	}
553
554
555	/**
556	* Worker for supR3HardenedVerifyFileInternal.
557	*
558	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
559	* fFatal is clear and if it's set the function wont return.
560	* @param pFile The file entry.
561	* @param pVerified The verification record.
562	* @param fFatal Whether validation failures should be treated as
563	* fatal (true) or not (false).
564	* @param fLeaveFileOpen Whether the file should be left open.
565	*/
566	static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
567	{
568	# if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
569
570	/*
571	* Open the file if we have to.
572	*/
573	int rc;
574	intptr_t hFileOpened;
575	intptr_t hFile = pVerified->hFile;
576	if (hFile != -1)
577	hFileOpened = -1;
578	else
579	{
580	rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
581	if (RT_FAILURE(rc))
582	return rc;
583	hFile = hFileOpened;
584	}
585
586	/*
587	* Verify the signature.
588	*/
589	char szErr[1024];
590	RTERRINFO ErrInfo;
591	RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
592
593	uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
594	if (pFile->enmType == kSupIFT_Rc)
595	fFlags \|= SUPHNTVI_F_RC_IMAGE;
596
597	rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
598	if (RT_SUCCESS(rc))
599	pVerified->fCheckedSignature = true;
600	else
601	{
602	pVerified->fCheckedSignature = false;
603	rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
604	pFile->pszFile, rc, szErr);
605
606	}
607
608	/*
609	* Close the handle if we opened the file and we should close it.
610	*/
611	if (hFileOpened != -1)
612	{
613	if (fLeaveFileOpen && RT_SUCCESS(rc))
614	pVerified->hFile = hFileOpened;
615	else
616	NtClose((HANDLE)hFileOpened);
617	}
618
619	return rc;
620
621	# else /* Not checking signatures. */
622	RT_NOREF4(pFile, pVerified, fFatal, fLeaveFileOpen);
623	return VINF_SUCCESS;
624	# endif /* Not checking signatures. */
625	}
626	#endif
627
628
629	/**
630	* Verifies a file entry.
631	*
632	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
633	* fFatal is clear and if it's set the function wont return.
634	*
635	* @param iFile The file table index of the file to be verified.
636	* @param fFatal Whether validation failures should be treated as
637	* fatal (true) or not (false).
638	* @param fLeaveFileOpen Whether the file should be left open.
639	* @param fVerifyAll Set if this is an verify all call and we will
640	* postpone signature checking.
641	*/
642	static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
643	{
644	#ifndef RT_OS_WINDOWS
645	RT_NOREF1(fVerifyAll);
646	#endif
647	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
648	PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
649
650	/*
651	* Already done validation? Do signature validation if we haven't yet.
652	*/
653	if (pVerified->fValidated)
654	{
655	/** @todo revalidate? Check that the file hasn't been replace or similar. */
656	#ifdef RT_OS_WINDOWS
657	if (!pVerified->fCheckedSignature && !fVerifyAll)
658	return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
659	#endif
660	return VINF_SUCCESS;
661	}
662
663
664	/* initialize the entry. */
665	if (pVerified->hFile != 0)
666	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
667	"supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
668	(void *)pVerified->hFile, pFile->pszFile);
669	pVerified->hFile = -1;
670	pVerified->fValidated = false;
671	#ifdef RT_OS_WINDOWS
672	pVerified->fCheckedSignature = false;
673	#endif
674
675	/*
676	* Verify the directory then proceed to open it.
677	* (This'll make sure the directory is opened and that we can (later)
678	* use openat if we wish.)
679	*/
680	int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
681	if (RT_SUCCESS(rc))
682	{
683	#if defined(RT_OS_WINDOWS)
684	rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
685	if (RT_SUCCESS(rc))
686	{
687	if (!fVerifyAll)
688	rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
689	if (RT_SUCCESS(rc))
690	{
691	pVerified->fValidated = true;
692	if (!fLeaveFileOpen)
693	{
694	NtClose((HANDLE)pVerified->hFile);
695	pVerified->hFile = -1;
696	}
697	}
698	}
699	#else /* !RT_OS_WINDOWS */
700	char szPath[RTPATH_MAX];
701	rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /fWithFilename/, fFatal);
702	if (RT_SUCCESS(rc))
703	{
704	int fd = open(szPath, O_RDONLY, 0);
705	if (fd >= 0)
706	{
707	/*
708	* On unixy systems we'll make sure the file is owned by root
709	* and not writable by the group and user.
710	*/
711	struct stat st;
712	if (!fstat(fd, &st))
713	{
714	if ( st.st_uid == 0
715	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
716	&& S_ISREG(st.st_mode))
717	{
718	/* it's valid. */
719	if (fLeaveFileOpen)
720	pVerified->hFile = fd;
721	else
722	close(fd);
723	pVerified->fValidated = true;
724	}
725	else
726	{
727	if (!S_ISREG(st.st_mode))
728	rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
729	"supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
730	szPath, (long)st.st_uid);
731	else if (st.st_uid)
732	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
733	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
734	szPath, (long)st.st_uid);
735	else
736	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
737	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
738	szPath, (long)st.st_mode);
739	close(fd);
740	}
741	}
742	else
743	{
744	int err = errno;
745	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
746	"supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
747	szPath, strerror(err), err);
748	close(fd);
749	}
750	}
751	else
752	{
753	int err = errno;
754	if (!pFile->fOptional \|\| err != ENOENT)
755	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
756	"supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
757	szPath, strerror(err), err);
758	}
759	}
760	#endif /* !RT_OS_WINDOWS */
761	}
762
763	return rc;
764	}
765
766
767	/**
768	* Verifies that the specified table entry matches the given filename.
769	*
770	* @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
771	* error is returned or we terminate the application.
772	*
773	* @param iFile The file table index.
774	* @param pszFilename The filename.
775	* @param fFatal Whether validation failures should be treated as
776	* fatal (true) or not (false).
777	*/
778	static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
779	{
780	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
781
782	/*
783	* Construct the full path for the file table entry
784	* and compare it with the specified file.
785	*/
786	char szName[RTPATH_MAX];
787	int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
788	if (RT_FAILURE(rc))
789	return rc;
790	if (SUP_COMP_FILENAME(szName, pszFilename))
791	{
792	/*
793	* Normalize the two paths and compare again.
794	*/
795	rc = VERR_NOT_SAME_DEVICE;
796	#if defined(RT_OS_WINDOWS)
797	LPSTR pszIgnored;
798	char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
799	if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
800	&& GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
801	if (!SUP_COMP_FILENAME(szName2, szName))
802	rc = VINF_SUCCESS;
803	#else
804	AssertCompile(RTPATH_MAX >= PATH_MAX);
805	char szName2[RTPATH_MAX];
806	if ( realpath(szName, szName2) != NULL
807	&& realpath(pszFilename, szName) != NULL)
808	if (!SUP_COMP_FILENAME(szName2, szName))
809	rc = VINF_SUCCESS;
810	#endif
811
812	if (RT_FAILURE(rc))
813	{
814	supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
815	return supR3HardenedError(rc, fFatal,
816	"supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
817	pszFilename, szName);
818	}
819	}
820
821	/*
822	* Check more stuff like the stat info if it's an already open file?
823	*/
824
825
826
827	return VINF_SUCCESS;
828	}
829
830
831	/**
832	* Verifies a file.
833	*
834	* @returns VINF_SUCCESS on success.
835	* VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
836	* On verification failure, an error code will be returned when fFatal is clear,
837	* otherwise the program will be terminated.
838	*
839	* @param pszFilename The filename.
840	* @param fFatal Whether validation failures should be treated as
841	* fatal (true) or not (false).
842	*/
843	DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
844	{
845	/*
846	* Lookup the file and check if it's the same file.
847	*/
848	const char *pszName = supR3HardenedPathFilename(pszFilename);
849	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
850	if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
851	{
852	int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
853	if (RT_SUCCESS(rc))
854	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen /, false / fVerifyAll */);
855	return rc;
856	}
857
858	return VERR_NOT_FOUND;
859	}
860
861
862	/**
863	* Verifies a program, worker for supR3HardenedVerifyAll.
864	*
865	* @returns See supR3HardenedVerifyAll.
866	* @param pszProgName See supR3HardenedVerifyAll.
867	* @param pszExePath The path to the executable.
868	* @param fFatal See supR3HardenedVerifyAll.
869	* @param fLeaveOpen The leave open setting used by
870	* supR3HardenedVerifyAll.
871	* @param fMainFlags Flags supplied to SUPR3HardenedMain.
872	*/
873	static int supR3HardenedVerifyProgram(const char pszProgName, const char pszExePath, bool fFatal,
874	bool fLeaveOpen, uint32_t fMainFlags)
875	{
876	/*
877	* Search the table looking for the executable and the DLL/DYLIB/SO.
878	* Note! On darwin we have a hack in place for VirtualBoxVM helper app
879	* to share VirtualBox.dylib with the VirtualBox app. This ASSUMES
880	* that cchProgNameDll is equal or shorter to the exe name.
881	*/
882	int rc = VINF_SUCCESS;
883	bool fExe = false;
884	bool fDll = false;
885	size_t const cchProgNameExe = suplibHardenedStrLen(pszProgName);
886	#ifndef RT_OS_DARWIN
887	size_t const cchProgNameDll = cchProgNameExe;
888	NOREF(fMainFlags);
889	#else
890	size_t const cchProgNameDll = fMainFlags & SUPSECMAIN_FLAGS_OSX_VM_APP
891	? sizeof("VirtualBox") - 1
892	: cchProgNameExe;
893	if (cchProgNameDll > cchProgNameExe)
894	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
895	"supR3HardenedVerifyProgram: SUPSECMAIN_FLAGS_OSX_VM_APP + '%s'", pszProgName);
896	#endif
897	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
898	if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameDll))
899	{
900	if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
901	\|\| g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
902	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameDll], SUPLIB_DLL_SUFF))
903	{
904	/* This only has to be found (once). */
905	if (fDll)
906	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
907	"supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
908	else
909	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
910	true /* fVerifyAll - check sign later, only final process need check it on load. */);
911	fDll = true;
912	}
913	else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
914	\|\| g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
915	&& ( cchProgNameExe == cchProgNameDll
916	\|\| !suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameExe))
917	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameExe], SUPLIB_EXE_SUFF))
918	{
919	/* Here we'll have to check that the specific program is the same as the entry. */
920	if (fExe)
921	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
922	"supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
923	else
924	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
925	fExe = true;
926
927	supR3HardenedVerifySameFile(iFile, pszExePath, fFatal);
928	}
929	}
930
931	/*
932	* Check the findings.
933	*/
934	if (RT_SUCCESS(rc))
935	{
936	if (!fDll && !fExe)
937	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
938	"supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
939	else if (!fExe)
940	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
941	"supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
942	else if (!fDll)
943	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
944	"supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
945	}
946	return rc;
947	}
948
949
950	/**
951	* Verifies all the known files (called from SUPR3HardenedMain).
952	*
953	* @returns VINF_SUCCESS on success.
954	* On verification failure, an error code will be returned when fFatal is clear,
955	* otherwise the program will be terminated.
956	*
957	* @param fFatal Whether validation failures should be treated as
958	* fatal (true) or not (false).
959	* @param pszProgName The program name. This is used to verify that
960	* both the executable and corresponding
961	* DLL/DYLIB/SO are valid.
962	* @param pszExePath The path to the executable.
963	* @param fMainFlags Flags supplied to SUPR3HardenedMain.
964	*/
965	DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char pszProgName, const char pszExePath, uint32_t fMainFlags)
966	{
967	/*
968	* On windows
969	*/
970	#if defined(RT_OS_WINDOWS)
971	bool fLeaveOpen = true;
972	#else
973	bool fLeaveOpen = false;
974	#endif
975
976	/*
977	* The verify all the files.
978	*/
979	int rc = VINF_SUCCESS;
980	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
981	{
982	int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
983	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
984	rc = rc2;
985	}
986
987	/*
988	* Verify the program name, that is to say, check that it's in the table
989	* (thus verified above) and verify the signature on platforms where we
990	* sign things.
991	*/
992	int rc2 = supR3HardenedVerifyProgram(pszProgName, pszExePath, fFatal, fLeaveOpen, fMainFlags);
993	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
994	rc2 = rc;
995
996	return rc;
997	}
998
999
1000	/**
1001	* Copies the N messages into the error buffer and returns @a rc.
1002	*
1003	* @returns Returns @a rc
1004	* @param rc The return code.
1005	* @param pErrInfo The error info structure.
1006	* @param cMsgs The number of messages in the ellipsis.
1007	* @param ... Message parts.
1008	*/
1009	static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
1010	{
1011	if (pErrInfo)
1012	{
1013	size_t cbErr = pErrInfo->cbMsg;
1014	char *pszErr = pErrInfo->pszMsg;
1015
1016	va_list va;
1017	va_start(va, cMsgs);
1018	while (cMsgs-- > 0 && cbErr > 0)
1019	{
1020	const char pszMsg = va_arg(va, const char );
1021	size_t cchMsg = VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
1022	if (cchMsg >= cbErr)
1023	cchMsg = cbErr - 1;
1024	suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
1025	pszErr[cchMsg] = '\0';
1026	pszErr += cchMsg;
1027	cbErr -= cchMsg;
1028	}
1029	va_end(va);
1030
1031	pErrInfo->rc = rc;
1032	pErrInfo->fFlags \|= RTERRINFO_FLAGS_SET;
1033	}
1034
1035	return rc;
1036	}
1037
1038	#ifdef RT_OS_DARWIN
1039	/**
1040	* Copies the four messages into the error buffer and returns @a rc.
1041	*
1042	* @returns Returns @a rc
1043	* @param rc The return code.
1044	* @param pErrInfo The error info structure.
1045	* @param pszMsg1 The first message part.
1046	* @param pszMsg2 The second message part.
1047	* @param pszMsg3 The third message part.
1048	* @param pszMsg4 The fourth message part.
1049	*/
1050	static int supR3HardenedSetError4(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1051	const char pszMsg2, const char pszMsg3, const char *pszMsg4)
1052	{
1053	return supR3HardenedSetErrorN(rc, pErrInfo, 4, pszMsg1, pszMsg2, pszMsg3, pszMsg4);
1054	}
1055	#endif /* RT_OS_DARWIN */
1056
1057
1058	/**
1059	* Copies the three messages into the error buffer and returns @a rc.
1060	*
1061	* @returns Returns @a rc
1062	* @param rc The return code.
1063	* @param pErrInfo The error info structure.
1064	* @param pszMsg1 The first message part.
1065	* @param pszMsg2 The second message part.
1066	* @param pszMsg3 The third message part.
1067	*/
1068	static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1069	const char pszMsg2, const char pszMsg3)
1070	{
1071	return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
1072	}
1073
1074	#ifdef SOME_UNUSED_FUNCTION
1075
1076	/**
1077	* Copies the two messages into the error buffer and returns @a rc.
1078	*
1079	* @returns Returns @a rc
1080	* @param rc The return code.
1081	* @param pErrInfo The error info structure.
1082	* @param pszMsg1 The first message part.
1083	* @param pszMsg2 The second message part.
1084	*/
1085	static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1086	const char *pszMsg2)
1087	{
1088	return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
1089	}
1090
1091	#endif /* SOME_UNUSED_FUNCTION */
1092
1093	#ifdef RT_OS_DARWIN
1094
1095	/**
1096	* Copies the error message to the error buffer and returns @a rc.
1097	*
1098	* @returns Returns @a rc
1099	* @param rc The return code.
1100	* @param pErrInfo The error info structure.
1101	* @param pszMsg The message.
1102	*/
1103	static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
1104	{
1105	return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
1106	}
1107
1108	#endif
1109
1110
1111	/**
1112	* Output from a successfull supR3HardenedVerifyPathSanity call.
1113	*/
1114	typedef struct SUPR3HARDENEDPATHINFO
1115	{
1116	/** The length of the path in szCopy. */
1117	uint16_t cch;
1118	/** The number of path components. */
1119	uint16_t cComponents;
1120	/** Set if the path ends with slash, indicating that it's a directory
1121	* reference and not a file reference. The slash has been removed from
1122	* the copy. */
1123	bool fDirSlash;
1124	/** The offset where each path component starts, i.e. the char after the
1125	* slash. The array has cComponents + 1 entries, where the final one is
1126	* cch + 1 so that one can always terminate the current component by
1127	* szPath[aoffComponent[i] - 1] = '\0'. */
1128	uint16_t aoffComponents[32+1];
1129	/** A normalized copy of the path.
1130	* Reserve some extra space so we can be more relaxed about overflow
1131	* checks and terminator paddings, especially when recursing. */
1132	char szPath[SUPR3HARDENED_MAX_PATH * 2];
1133	} SUPR3HARDENEDPATHINFO;
1134	/** Pointer to a parsed path. */
1135	typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
1136
1137
1138	/**
1139	* Verifies that the path is absolutely sane, it also parses the path.
1140	*
1141	* A sane path starts at the root (w/ drive letter on DOS derived systems) and
1142	* does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
1143	* Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
1144	* paths are not supported.
1145	*
1146	* @returns VBox status code.
1147	* @param pszPath The path to check.
1148	* @param pErrInfo The error info structure.
1149	* @param pInfo Where to return a copy of the path along with
1150	* parsing information.
1151	*/
1152	static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
1153	{
1154	const char *pszSrc = pszPath;
1155	char *pszDst = pInfo->szPath;
1156
1157	/*
1158	* Check that it's an absolute path and copy the volume/root specifier.
1159	*/
1160	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
1161	if ( !RT_C_IS_ALPHA(pszSrc[0])
1162	\|\| pszSrc[1] != ':'
1163	\|\| !RTPATH_IS_SLASH(pszSrc[2]))
1164	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1165
1166	*pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
1167	*pszDst++ = ':';
1168	*pszDst++ = RTPATH_SLASH;
1169	pszSrc += 3;
1170
1171	#else
1172	if (!RTPATH_IS_SLASH(pszSrc[0]))
1173	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1174
1175	*pszDst++ = RTPATH_SLASH;
1176	pszSrc += 1;
1177	#endif
1178
1179	/*
1180	* No path specifying the root or something very shortly thereafter will
1181	* be approved of.
1182	*/
1183	if (pszSrc[0] == '\0')
1184	return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
1185	if ( pszSrc[1] == '\0'
1186	\|\| pszSrc[2] == '\0')
1187	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
1188
1189	/*
1190	* The root slash should be alone to avoid UNC confusion.
1191	*/
1192	if (RTPATH_IS_SLASH(pszSrc[0]))
1193	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
1194	"The path is not clean of leading double slashes: '", pszPath, "'");
1195	/*
1196	* Check each component. No parent references.
1197	*/
1198	pInfo->cComponents = 0;
1199	pInfo->fDirSlash = false;
1200	while (pszSrc[0])
1201	{
1202	/* Sanity checks. */
1203	if ( pszSrc[0] == '.'
1204	&& pszSrc[1] == '.'
1205	&& RTPATH_IS_SLASH(pszSrc[2]))
1206	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
1207	"The path is not absolute: '", pszPath, "'");
1208
1209	/* Record the start of the component. */
1210	if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
1211	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
1212	"The path has too many components: '", pszPath, "'");
1213	pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
1214
1215	/* Traverse to the end of the component, copying it as we go along. */
1216	while (pszSrc[0])
1217	{
1218	if (RTPATH_IS_SLASH(pszSrc[0]))
1219	{
1220	pszSrc++;
1221	if (*pszSrc)
1222	*pszDst++ = RTPATH_SLASH;
1223	else
1224	pInfo->fDirSlash = true;
1225	break;
1226	}
1227	pszDst++ = pszSrc++;
1228	if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
1229	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1230	"The path is too long: '", pszPath, "'");
1231	}
1232
1233	/* Skip double slashes. */
1234	while (RTPATH_IS_SLASH(*pszSrc))
1235	pszSrc++;
1236	}
1237
1238	/* Terminate the string and enter its length. */
1239	pszDst[0] = '\0';
1240	pszDst[1] = '\0'; /* for aoffComponents */
1241	pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
1242	pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
1243
1244	return VINF_SUCCESS;
1245	}
1246
1247
1248	/**
1249	* The state information collected by supR3HardenedVerifyFsObject.
1250	*
1251	* This can be used to verify that a directory we've opened for enumeration is
1252	* the same as the one that supR3HardenedVerifyFsObject just verified. It can
1253	* equally be used to verify a native specfied by the user.
1254	*/
1255	typedef struct SUPR3HARDENEDFSOBJSTATE
1256	{
1257	#ifdef RT_OS_WINDOWS
1258	/** Not implemented for windows yet. */
1259	char chTodo;
1260	#else
1261	/** The stat output. */
1262	struct stat Stat;
1263	#endif
1264	} SUPR3HARDENEDFSOBJSTATE;
1265	/** Pointer to a file system object state. */
1266	typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1267	/** Pointer to a const file system object state. */
1268	typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1269
1270
1271	/**
1272	* Query information about a file system object by path.
1273	*
1274	* @returns VBox status code, error buffer filled on failure.
1275	* @param pszPath The path to the object.
1276	* @param pFsObjState Where to return the state information.
1277	* @param pErrInfo The error info structure.
1278	*/
1279	static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1280	{
1281	#if defined(RT_OS_WINDOWS)
1282	/** @todo Windows hardening. */
1283	pFsObjState->chTodo = 0;
1284	RT_NOREF2(pszPath, pErrInfo);
1285	return VINF_SUCCESS;
1286
1287	#else
1288	/*
1289	* Stat the object, do not follow links.
1290	*/
1291	if (lstat(pszPath, &pFsObjState->Stat) != 0)
1292	{
1293	/* Ignore access errors */
1294	if (errno != EACCES)
1295	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1296	5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1297	}
1298
1299	/*
1300	* Read ACLs.
1301	*/
1302	/** @todo */
1303
1304	return VINF_SUCCESS;
1305	#endif
1306	}
1307
1308
1309	/**
1310	* Query information about a file system object by native handle.
1311	*
1312	* @returns VBox status code, error buffer filled on failure.
1313	* @param hNative The native handle to the object @a pszPath
1314	* specifies and this should be verified to be the
1315	* same file system object.
1316	* @param pFsObjState Where to return the state information.
1317	* @param pszPath The path to the object. (For the error message
1318	* only.)
1319	* @param pErrInfo The error info structure.
1320	*/
1321	static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1322	char const *pszPath, PRTERRINFO pErrInfo)
1323	{
1324	#if defined(RT_OS_WINDOWS)
1325	/** @todo Windows hardening. */
1326	pFsObjState->chTodo = 0;
1327	RT_NOREF3(hNative, pszPath, pErrInfo);
1328	return VINF_SUCCESS;
1329
1330	#else
1331	/*
1332	* Stat the object, do not follow links.
1333	*/
1334	if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1335	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1336	5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1337
1338	/*
1339	* Read ACLs.
1340	*/
1341	/** @todo */
1342
1343	return VINF_SUCCESS;
1344	#endif
1345	}
1346
1347
1348	/**
1349	* Verifies that the file system object indicated by the native handle is the
1350	* same as the one @a pFsObjState indicates.
1351	*
1352	* @returns VBox status code, error buffer filled on failure.
1353	* @param pFsObjState1 File system object information/state by path.
1354	* @param pFsObjState2 File system object information/state by handle.
1355	* @param pszPath The path to the object @a pFsObjState
1356	* describes. (For the error message.)
1357	* @param pErrInfo The error info structure.
1358	*/
1359	static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1360	const char *pszPath, PRTERRINFO pErrInfo)
1361	{
1362	#if defined(RT_OS_WINDOWS)
1363	/** @todo Windows hardening. */
1364	RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1365	return VINF_SUCCESS;
1366
1367	#elif defined(RT_OS_OS2)
1368	RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1369	return VINF_SUCCESS;
1370
1371	#else
1372	/*
1373	* Compare the ino+dev, then the uid+gid and finally the important mode
1374	* bits. Technically the first one should be enough, but we're paranoid.
1375	*/
1376	if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1377	\|\| pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1378	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1379	"The native handle is not the same as '", pszPath, "' (ino/dev)");
1380	if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1381	\|\| pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1382	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1383	"The native handle is not the same as '", pszPath, "' (uid/gid)");
1384	if ( (pFsObjState1->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH))
1385	!= (pFsObjState2->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH)))
1386	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1387	"The native handle is not the same as '", pszPath, "' (mode)");
1388	return VINF_SUCCESS;
1389	#endif
1390	}
1391
1392
1393	/**
1394	* Verifies a file system object (file or directory).
1395	*
1396	* @returns VBox status code, error buffer filled on failure.
1397	* @param pFsObjState The file system object information/state to be
1398	* verified.
1399	* @param fDir Whether this is a directory or a file.
1400	* @param fRelaxed Whether we can be more relaxed about this
1401	* directory (only used for grand parent
1402	* directories).
1403	* @param fSymlinksAllowed Flag whether symlinks are allowed or not.
1404	* If allowed the symlink object is verified not the target.
1405	* @param pszPath The path to the object. For error messages and
1406	* securing a couple of hacks.
1407	* @param pErrInfo The error info structure.
1408	*/
1409	static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1410	bool fSymlinksAllowed, const char *pszPath, PRTERRINFO pErrInfo)
1411	{
1412	#if defined(RT_OS_WINDOWS)
1413	/** @todo Windows hardening. */
1414	RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
1415	return VINF_SUCCESS;
1416
1417	#elif defined(RT_OS_OS2)
1418	/* No hardening here - it's a single user system. */
1419	RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
1420	return VINF_SUCCESS;
1421
1422	#else
1423	/*
1424	* The owner must be root.
1425	*
1426	* This can be extended to include predefined system users if necessary.
1427	*/
1428	if (pFsObjState->Stat.st_uid != 0)
1429	return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1430
1431	/*
1432	* The object type must be directory or file. It can be a symbolic link
1433	* if explicitely allowed. Otherwise this and other risky stuff is not allowed
1434	* (sorry dude, but we're paranoid on purpose here).
1435	*/
1436	if ( !S_ISLNK(pFsObjState->Stat.st_mode)
1437	\|\| !fSymlinksAllowed)
1438	{
1439
1440	if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1441	&& !S_ISREG(pFsObjState->Stat.st_mode))
1442	{
1443	if (S_ISLNK(pFsObjState->Stat.st_mode))
1444	return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1445	"Symlinks are not permitted: '", pszPath, "'");
1446	return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1447	"Not regular file or directory: '", pszPath, "'");
1448	}
1449	if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1450	{
1451	if (S_ISDIR(pFsObjState->Stat.st_mode))
1452	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1453	"Expected file but found directory: '", pszPath, "'");
1454	return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1455	"Expected directory but found file: '", pszPath, "'");
1456	}
1457	}
1458
1459	/*
1460	* The group does not matter if it does not have write access, if it has
1461	* write access it must be group 0 (root/wheel/whatever).
1462	*
1463	* This can be extended to include predefined system groups or groups that
1464	* only root is member of.
1465	*/
1466	if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1467	&& pFsObjState->Stat.st_gid != 0)
1468	{
1469	#ifdef RT_OS_DARWIN
1470	/* HACK ALERT: On Darwin /Applications is root:admin with admin having
1471	full access. So, to work around we relax the hardening a bit and
1472	permit grand parents and beyond to be group writable by admin. */
1473	/** @todo dynamically resolve the admin group? */
1474	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 80 /admin/ \|\| suplibHardenedStrCmp(pszPath, "/Applications");
1475
1476	#elif defined(RT_OS_FREEBSD)
1477	/* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1478	similar to /Applications on OS X (see above).
1479	On FreeBSD root is normally the only member of this group, on
1480	PC-BSD the default user is a member. */
1481	/** @todo dynamically resolve the operator group? */
1482	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 5 /operator/ \|\| suplibHardenedStrCmp(pszPath, "/usr/pbi");
1483	NOREF(fRelaxed);
1484	#elif defined(RT_OS_SOLARIS)
1485	/* HACK ALERT: Solaris has group-writable /usr/lib/iconv directory from
1486	which the appropriate module is loaded.
1487	By default only root and daemon are part of that group.
1488	. */
1489	/** @todo dynamically resolve the bin group? */
1490	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 2 /bin/ \|\| suplibHardenedStrCmp(pszPath, "/usr/lib/iconv");
1491	#else
1492	NOREF(fRelaxed);
1493	bool fBad = true;
1494	#endif
1495	if (fBad)
1496	return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1497	"An unknown (and thus untrusted) group has write access to '", pszPath,
1498	"' and we therefore cannot trust the directory content or that of any subdirectory");
1499	}
1500
1501	/*
1502	* World must not have write access. There is no relaxing this rule.
1503	*/
1504	if (pFsObjState->Stat.st_mode & S_IWOTH)
1505	return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1506	"World writable: '", pszPath, "'");
1507
1508	/*
1509	* Check the ACLs.
1510	*/
1511	/** @todo */
1512
1513	return VINF_SUCCESS;
1514	#endif
1515	}
1516
1517
1518	/**
1519	* Verifies that the file system object indicated by the native handle is the
1520	* same as the one @a pFsObjState indicates.
1521	*
1522	* @returns VBox status code, error buffer filled on failure.
1523	* @param hNative The native handle to the object @a pszPath
1524	* specifies and this should be verified to be the
1525	* same file system object.
1526	* @param pFsObjState The information/state returned by a previous
1527	* query call.
1528	* @param pszPath The path to the object @a pFsObjState
1529	* describes. (For the error message.)
1530	* @param pErrInfo The error info structure.
1531	*/
1532	static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1533	const char *pszPath, PRTERRINFO pErrInfo)
1534	{
1535	SUPR3HARDENEDFSOBJSTATE FsObjState2;
1536	int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1537	if (RT_SUCCESS(rc))
1538	rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1539	return rc;
1540	}
1541
1542
1543	/**
1544	* Does the recursive directory enumeration.
1545	*
1546	* @returns VBox status code, error buffer filled on failure.
1547	* @param pszDirPath The path buffer containing the subdirectory to
1548	* enumerate followed by a slash (this is never
1549	* the root slash). The buffer is RTPATH_MAX in
1550	* size and anything starting at @a cchDirPath
1551	* - 1 and beyond is scratch space.
1552	* @param cchDirPath The length of the directory path + slash.
1553	* @param pFsObjState Pointer to the file system object state buffer.
1554	* On input this will hold the stats for
1555	* the directory @a pszDirPath indicates and will
1556	* be used to verified that we're opening the same
1557	* thing.
1558	* @param fRecursive Whether to recurse into subdirectories.
1559	* @param pErrInfo The error info structure.
1560	*/
1561	static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1562	bool fRecursive, PRTERRINFO pErrInfo)
1563	{
1564	#if defined(RT_OS_WINDOWS)
1565	/** @todo Windows hardening. */
1566	RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1567	return VINF_SUCCESS;
1568
1569	#elif defined(RT_OS_OS2)
1570	/* No hardening here - it's a single user system. */
1571	RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1572	return VINF_SUCCESS;
1573
1574	#else
1575	/*
1576	* Open the directory. Now, we could probably eliminate opendir here
1577	* and go down on kernel API level (open + getdents for instance), however
1578	* that's not very portable and hopefully not necessary.
1579	*/
1580	DIR *pDir = opendir(pszDirPath);
1581	if (!pDir)
1582	{
1583	/* Ignore access errors. */
1584	if (errno == EACCES)
1585	return VINF_SUCCESS;
1586	return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1587	5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1588	}
1589	if (dirfd(pDir) != -1)
1590	{
1591	int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1592	if (RT_FAILURE(rc))
1593	{
1594	closedir(pDir);
1595	return rc;
1596	}
1597	}
1598
1599	/*
1600	* Enumerate the directory, check all the requested bits.
1601	*/
1602	int rc = VINF_SUCCESS;
1603	for (;;)
1604	{
1605	pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1606
1607	struct dirent Entry;
1608	struct dirent *pEntry;
1609	#if RT_GNUC_PREREQ(4, 6)
1610	# pragma GCC diagnostic push
1611	# pragma GCC diagnostic ignored "-Wdeprecated-declarations"
1612	#endif
1613	int iErr = readdir_r(pDir, &Entry, &pEntry);
1614	#if RT_GNUC_PREREQ(4, 6)
1615	# pragma GCC diagnostic pop
1616	#endif
1617	if (iErr)
1618	{
1619	rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1620	5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1621	break;
1622	}
1623	if (!pEntry)
1624	break;
1625
1626	/*
1627	* Check the length and copy it into the path buffer so it can be
1628	* stat()'ed.
1629	*/
1630	size_t cchName = suplibHardenedStrLen(pEntry->d_name);
1631	if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1632	{
1633	rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1634	4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1635	break;
1636	}
1637	suplibHardenedMemCopy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1638
1639	/*
1640	* Query the information about the entry and verify it.
1641	* (We don't bother skipping '.' and '..' at this point, a little bit
1642	* of extra checks doesn't hurt and neither requires relaxed handling.)
1643	*/
1644	rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1645	if (RT_SUCCESS(rc))
1646	break;
1647	rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /fRelaxed/,
1648	false /fSymlinksAllowed/, pszDirPath, pErrInfo);
1649	if (RT_FAILURE(rc))
1650	break;
1651
1652	/*
1653	* Recurse into subdirectories if requested.
1654	*/
1655	if ( fRecursive
1656	&& S_ISDIR(pFsObjState->Stat.st_mode)
1657	&& suplibHardenedStrCmp(pEntry->d_name, ".")
1658	&& suplibHardenedStrCmp(pEntry->d_name, ".."))
1659	{
1660	pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1661	pszDirPath[cchDirPath + cchName + 1] = '\0';
1662
1663	rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1664	fRecursive, pErrInfo);
1665	if (RT_FAILURE(rc))
1666	break;
1667	}
1668	}
1669
1670	closedir(pDir);
1671	return VINF_SUCCESS;
1672	#endif
1673	}
1674
1675
1676	/**
1677	* Worker for SUPR3HardenedVerifyDir.
1678	*
1679	* @returns See SUPR3HardenedVerifyDir.
1680	* @param pszDirPath See SUPR3HardenedVerifyDir.
1681	* @param fRecursive See SUPR3HardenedVerifyDir.
1682	* @param fCheckFiles See SUPR3HardenedVerifyDir.
1683	* @param pErrInfo See SUPR3HardenedVerifyDir.
1684	*/
1685	DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1686	{
1687	/*
1688	* Validate the input path and parse it.
1689	*/
1690	SUPR3HARDENEDPATHINFO Info;
1691	int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1692	if (RT_FAILURE(rc))
1693	return rc;
1694
1695	/*
1696	* Verify each component from the root up.
1697	*/
1698	SUPR3HARDENEDFSOBJSTATE FsObjState;
1699	uint32_t const cComponents = Info.cComponents;
1700	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1701	{
1702	bool fRelaxed = iComponent + 2 < cComponents;
1703	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1704	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1705	if (RT_SUCCESS(rc))
1706	rc = supR3HardenedVerifyFsObject(&FsObjState, true /fDir/, fRelaxed,
1707	false /fSymlinksAllowed/, Info.szPath, pErrInfo);
1708	if (RT_FAILURE(rc))
1709	return rc;
1710	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1711	}
1712
1713	/*
1714	* Check files and subdirectories if requested.
1715	*/
1716	if (fCheckFiles \|\| fRecursive)
1717	{
1718	Info.szPath[Info.cch] = RTPATH_SLASH;
1719	Info.szPath[Info.cch + 1] = '\0';
1720	return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1721	fRecursive, pErrInfo);
1722	}
1723
1724	return VINF_SUCCESS;
1725	}
1726
1727
1728	/**
1729	* Verfies a file.
1730	*
1731	* @returns VBox status code, error buffer filled on failure.
1732	* @param pszFilename The file to verify.
1733	* @param hNativeFile Handle to the file, verify that it's the same
1734	* as we ended up with when verifying the path.
1735	* RTHCUINTPTR_MAX means NIL here.
1736	* @param fMaybe3rdParty Set if the file is could be a supplied by a
1737	* third party. Different validation rules may
1738	* apply to 3rd party code on some platforms.
1739	* @param pErrInfo Where to return extended error information.
1740	* Optional.
1741	*/
1742	DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
1743	bool fMaybe3rdParty, PRTERRINFO pErrInfo)
1744	{
1745	/*
1746	* Validate the input path and parse it.
1747	*/
1748	SUPR3HARDENEDPATHINFO Info;
1749	int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1750	if (RT_FAILURE(rc))
1751	return rc;
1752	if (Info.fDirSlash)
1753	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1754	"The file path specifies a directory: '", pszFilename, "'");
1755
1756	/*
1757	* Verify each component from the root up.
1758	*/
1759	SUPR3HARDENEDFSOBJSTATE FsObjState;
1760	uint32_t const cComponents = Info.cComponents;
1761	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1762	{
1763	bool fFinal = iComponent + 1 == cComponents;
1764	bool fRelaxed = iComponent + 2 < cComponents;
1765	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1766	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1767	if (RT_SUCCESS(rc))
1768	rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /fDir/, fRelaxed,
1769	false /fSymlinksAllowed/, Info.szPath, pErrInfo);
1770	if (RT_FAILURE(rc))
1771	return rc;
1772	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1773	}
1774
1775	/*
1776	* Verify the file handle against the last component, if specified.
1777	*/
1778	if (hNativeFile != RTHCUINTPTR_MAX)
1779	{
1780	rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1781	if (RT_FAILURE(rc))
1782	return rc;
1783	}
1784
1785	#ifdef RT_OS_WINDOWS
1786	/*
1787	* The files shall be signed on windows, verify that.
1788	*/
1789	rc = VINF_SUCCESS;
1790	HANDLE hVerify;
1791	if (hNativeFile == RTHCUINTPTR_MAX)
1792	{
1793	PRTUTF16 pwszPath;
1794	rc = RTStrToUtf16(pszFilename, &pwszPath);
1795	if (RT_SUCCESS(rc))
1796	{
1797	hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1798	RTUtf16Free(pwszPath);
1799	}
1800	else
1801	{
1802	rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
1803	hVerify = INVALID_HANDLE_VALUE;
1804	}
1805	}
1806	else
1807	{
1808	NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
1809	GENERIC_READ, 0 /HandleAttributes/, 0 /Options/);
1810	if (!NT_SUCCESS(rcNt))
1811	hVerify = INVALID_HANDLE_VALUE;
1812	}
1813	if (hVerify != INVALID_HANDLE_VALUE)
1814	{
1815	# ifdef VBOX_WITH_HARDENING
1816	uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
1817	if (!fMaybe3rdParty)
1818	fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
1819	const char *pszSuffix = RTPathSuffix(pszFilename);
1820	if ( pszSuffix
1821	&& pszSuffix[0] == '.'
1822	&& ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
1823	\|\| RT_C_TO_LOWER(pszSuffix[1]) == 'g')
1824	&& RT_C_TO_LOWER(pszSuffix[2]) == 'c'
1825	&& pszSuffix[3] == '\0' )
1826	fFlags \|= SUPHNTVI_F_RC_IMAGE;
1827	# ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
1828	rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
1829	# endif
1830	# else
1831	RT_NOREF1(fMaybe3rdParty);
1832	# endif
1833	NtClose(hVerify);
1834	}
1835	else if (RT_SUCCESS(rc))
1836	rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
1837	"Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
1838	if (RT_FAILURE(rc))
1839	return rc;
1840	#else
1841	RT_NOREF1(fMaybe3rdParty);
1842	#endif
1843
1844	return VINF_SUCCESS;
1845	}
1846
1847
1848	#ifdef RT_OS_DARWIN
1849	/**
1850	* Verfies a file following symlinks.
1851	*
1852	* @returns VBox status code, error buffer filled on failure.
1853	* @param pszFilename The file to verify.
1854	* @param hNativeFile Handle to the file, verify that it's the same
1855	* as we ended up with when verifying the path.
1856	* RTHCUINTPTR_MAX means NIL here.
1857	* @param fMaybe3rdParty Set if the file is could be a supplied by a
1858	* third party. Different validation rules may
1859	* apply to 3rd party code on some platforms.
1860	* @param pErrInfo Where to return extended error information.
1861	* Optional.
1862	*
1863	* @note This is only used on OS X for libraries loaded with dlopen() because
1864	* the frameworks use symbolic links to point to the relevant library.
1865	*
1866	* @sa supR3HardenedVerifyFile
1867	*/
1868	DECLHIDDEN(int) supR3HardenedVerifyFileFollowSymlinks(const char *pszFilename, RTHCUINTPTR hNativeFile, bool fMaybe3rdParty,
1869	PRTERRINFO pErrInfo)
1870	{
1871	RT_NOREF1(fMaybe3rdParty);
1872
1873	/*
1874	* Validate the input path and parse it.
1875	*/
1876	SUPR3HARDENEDPATHINFO Info;
1877	int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1878	if (RT_FAILURE(rc))
1879	return rc;
1880	if (Info.fDirSlash)
1881	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1882	"The file path specifies a directory: '", pszFilename, "'");
1883
1884	/*
1885	* Verify each component from the root up.
1886	*/
1887	uint32_t iLoops = 0;
1888	SUPR3HARDENEDFSOBJSTATE FsObjState;
1889	uint32_t iComponent = 0;
1890	while (iComponent < Info.cComponents)
1891	{
1892	bool fFinal = iComponent + 1 == Info.cComponents;
1893	bool fRelaxed = iComponent + 2 < Info.cComponents;
1894	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1895	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1896	if (RT_SUCCESS(rc))
1897	{
1898	/*
1899	* In case the component is a symlink expand it and start from the beginning after
1900	* verifying it has the proper access rights.
1901	* Furthermore only allow symlinks which don't contain any .. or . in the target
1902	* (enforced by supR3HardenedVerifyPathSanity).
1903	*/
1904	rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /fDir/, fRelaxed,
1905	true /fSymlinksAllowed/, Info.szPath, pErrInfo);
1906	if ( RT_SUCCESS(rc)
1907	&& S_ISLNK(FsObjState.Stat.st_mode))
1908	{
1909	/* Don't loop forever. */
1910	iLoops++;
1911	if (iLoops < 8)
1912	{
1913	/*
1914	* Construct new path by replacing the current component by the symlink value.
1915	* Note! readlink() is a weird API that doesn't necessarily indicates if the
1916	* buffer is too small.
1917	*/
1918	char szPath[RTPATH_MAX];
1919	size_t const cchBefore = Info.aoffComponents[iComponent]; /* includes slash */
1920	size_t const cchAfter = fFinal ? 0 : 1 /slash/ + Info.cch - Info.aoffComponents[iComponent + 1];
1921	if (sizeof(szPath) > cchBefore + cchAfter + 2)
1922	{
1923	ssize_t cchTarget = readlink(Info.szPath, szPath, sizeof(szPath) - 1);
1924	if (cchTarget > 0)
1925	{
1926	/* Some serious paranoia against embedded zero terminator and weird return values. */
1927	szPath[cchTarget] = '\0';
1928	size_t cchLink = strlen(szPath);
1929
1930	/* Strip trailing dirslashes of non-final link. */
1931	if (!fFinal)
1932	while (cchLink > 1 and szPath[cchLink - 1] == '/')
1933	cchLink--;
1934
1935	/* Check link value sanity and buffer size. */
1936	if (cchLink == 0)
1937	return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
1938	"Bad readlink return for '", Info.szPath, "'");
1939	if (szPath[0] == '/')
1940	return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
1941	"Absolute symbolic link not allowed: '", szPath, "'");
1942	if (cchBefore + cchLink + cchAfter + 1 /terminator/ > sizeof(szPath))
1943	return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1944	"Symlinks causing too long path!");
1945
1946	/* Construct the new path. */
1947	if (cchBefore)
1948	memmove(&szPath[cchBefore], &szPath[0], cchLink);
1949	memcpy(&szPath[0], Info.szPath, cchBefore);
1950	if (!cchAfter)
1951	szPath[cchBefore + cchLink] = '\0';
1952	else
1953	{
1954	szPath[cchBefore + cchLink] = RTPATH_SLASH;
1955	memcpy(&szPath[cchBefore + cchLink + 1],
1956	&Info.szPath[Info.aoffComponents[iComponent + 1]],
1957	cchAfter); /* cchAfter includes a zero terminator */
1958	}
1959
1960	/* Parse, copy and check the sanity (no '..' or '.') of the altered path. */
1961	rc = supR3HardenedVerifyPathSanity(szPath, pErrInfo, &Info);
1962	if (RT_FAILURE(rc))
1963	return rc;
1964	if (Info.fDirSlash)
1965	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1966	"The file path specifies a directory: '", szPath, "'");
1967
1968	/* Restart from the current component. */
1969	continue;
1970	}
1971	int iErr = errno;
1972	supR3HardenedError(VERR_ACCESS_DENIED, false /fFatal/,
1973	"supR3HardenedVerifyFileFollowSymlinks: Failed to readlink '%s': %s (%d)\n",
1974	Info.szPath, strerror(iErr), iErr);
1975	return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
1976	"readlink failed for '", Info.szPath, "': ", strerror(iErr));
1977	}
1978	return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo, "Path too long for symlink replacing!");
1979	}
1980	else
1981	return supR3HardenedSetError3(VERR_TOO_MANY_SYMLINKS, pErrInfo,
1982	"Too many symbolic links: '", pszFilename, "'");
1983	}
1984	}
1985	if (RT_FAILURE(rc))
1986	return rc;
1987	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1988	iComponent++;
1989	}
1990
1991	/*
1992	* Verify the file handle against the last component, if specified.
1993	*/
1994	if (hNativeFile != RTHCUINTPTR_MAX)
1995	{
1996	rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1997	if (RT_FAILURE(rc))
1998	return rc;
1999	}
2000
2001	return VINF_SUCCESS;
2002	}
2003	#endif /* RT_OS_DARWIN */
2004
2005
2006	/**
2007	* Gets the pre-init data for the hand-over to the other version
2008	* of this code.
2009	*
2010	* The reason why we pass this information on is that it contains
2011	* open directories and files. Later it may include even more info
2012	* (int the verified arrays mostly).
2013	*
2014	* The receiver is supR3HardenedRecvPreInitData.
2015	*
2016	* @param pPreInitData Where to store it.
2017	*/
2018	DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
2019	{
2020	pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
2021	pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
2022	pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
2023
2024	pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
2025	pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
2026	}
2027
2028
2029	/**
2030	* Receives the pre-init data from the static executable stub.
2031	*
2032	* @returns VBox status code. Will not bitch on failure since the
2033	* runtime isn't ready for it, so that is left to the exe stub.
2034	*
2035	* @param pPreInitData The hand-over data.
2036	*/
2037	DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
2038	{
2039	/*
2040	* Compare the array lengths and the contents of g_aSupInstallFiles.
2041	*/
2042	if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
2043	\|\| pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
2044	return VERR_VERSION_MISMATCH;
2045	SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
2046	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
2047	if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
2048	\|\| g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
2049	\|\| g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
2050	\|\| suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
2051	return VERR_VERSION_MISMATCH;
2052
2053	/*
2054	* Check that we're not called out of order.
2055	* If dynamic linking it screwed up, we may end up here.
2056	*/
2057	if ( !ASMMemIsZero(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles))
2058	\|\| !ASMMemIsZero(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs)))
2059	return VERR_WRONG_ORDER;
2060
2061	/*
2062	* Copy the verification data over.
2063	*/
2064	suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
2065	suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
2066	return VINF_SUCCESS;
2067	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 66608

Download in other formats: