VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp@ 57276

Last change on this file since 57276 was 56819, checked in by vboxsync, 10 years ago

build fix

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 65.5 KB
Line 
1/* $Id: SUPR3HardenedMain.cpp 56819 2015-07-06 14:18:13Z vboxsync $ */
2/** @file
3 * VirtualBox Support Library - Hardened main().
4 */
5
6/*
7 * Copyright (C) 2006-2015 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27/*******************************************************************************
28* Header Files *
29*******************************************************************************/
30#if defined(RT_OS_OS2)
31# define INCL_BASE
32# define INCL_ERRORS
33# include <os2.h>
34# include <stdio.h>
35# include <stdlib.h>
36# include <dlfcn.h>
37# include <unistd.h>
38
39#elif RT_OS_WINDOWS
40# include <iprt/nt/nt-and-windows.h>
41
42#else /* UNIXes */
43# include <iprt/types.h> /* stdint fun on darwin. */
44
45# include <stdio.h>
46# include <stdlib.h>
47# include <dlfcn.h>
48# include <limits.h>
49# include <errno.h>
50# include <unistd.h>
51# include <sys/stat.h>
52# include <sys/time.h>
53# include <sys/types.h>
54# if defined(RT_OS_LINUX)
55# undef USE_LIB_PCAP /* don't depend on libcap as we had to depend on either
56 libcap1 or libcap2 */
57
58# undef _POSIX_SOURCE
59# include <linux/types.h> /* sys/capabilities from uek-headers require this */
60# include <sys/capability.h>
61# include <sys/prctl.h>
62# ifndef CAP_TO_MASK
63# define CAP_TO_MASK(cap) RT_BIT(cap)
64# endif
65# elif defined(RT_OS_FREEBSD)
66# include <sys/param.h>
67# include <sys/sysctl.h>
68# elif defined(RT_OS_SOLARIS)
69# include <priv.h>
70# endif
71# include <pwd.h>
72# ifdef RT_OS_DARWIN
73# include <mach-o/dyld.h>
74# endif
75
76#endif
77
78#include <VBox/sup.h>
79#include <VBox/err.h>
80#ifdef RT_OS_WINDOWS
81# include <VBox/version.h>
82#endif
83#include <iprt/ctype.h>
84#include <iprt/string.h>
85#include <iprt/initterm.h>
86#include <iprt/param.h>
87
88#include "SUPLibInternal.h"
89
90
91/*******************************************************************************
92* Defined Constants And Macros *
93*******************************************************************************/
94/** @def SUP_HARDENED_SUID
95 * Whether we're employing set-user-ID-on-execute in the hardening.
96 */
97#if !defined(RT_OS_OS2) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_L4)
98# define SUP_HARDENED_SUID
99#else
100# undef SUP_HARDENED_SUID
101#endif
102
103/** @def SUP_HARDENED_SYM
104 * Decorate a symbol that's resolved dynamically.
105 */
106#ifdef RT_OS_OS2
107# define SUP_HARDENED_SYM(sym) "_" sym
108#else
109# define SUP_HARDENED_SYM(sym) sym
110#endif
111
112
113/*******************************************************************************
114* Structures and Typedefs *
115*******************************************************************************/
116/** @see RTR3InitEx */
117typedef DECLCALLBACK(int) FNRTR3INITEX(uint32_t iVersion, uint32_t fFlags, int cArgs,
118 char **papszArgs, const char *pszProgramPath);
119typedef FNRTR3INITEX *PFNRTR3INITEX;
120
121/** @see RTLogRelPrintf */
122typedef DECLCALLBACK(void) FNRTLOGRELPRINTF(const char *pszFormat, ...);
123typedef FNRTLOGRELPRINTF *PFNRTLOGRELPRINTF;
124
125
126/*******************************************************************************
127* Global Variables *
128*******************************************************************************/
129/** The pre-init data we pass on to SUPR3 (residing in VBoxRT). */
130static SUPPREINITDATA g_SupPreInitData;
131/** The program executable path. */
132#ifndef RT_OS_WINDOWS
133static
134#endif
135char g_szSupLibHardenedExePath[RTPATH_MAX];
136/** The application bin directory path. */
137static char g_szSupLibHardenedAppBinPath[RTPATH_MAX];
138
139/** The program name. */
140static const char *g_pszSupLibHardenedProgName;
141/** The flags passed to SUPR3HardenedMain. */
142static uint32_t g_fSupHardenedMain;
143
144#ifdef SUP_HARDENED_SUID
145/** The real UID at startup. */
146static uid_t g_uid;
147/** The real GID at startup. */
148static gid_t g_gid;
149# ifdef RT_OS_LINUX
150static uint32_t g_uCaps;
151# endif
152#endif
153
154/** The startup log file. */
155#ifdef RT_OS_WINDOWS
156static HANDLE g_hStartupLog = NULL;
157#else
158static int g_hStartupLog = -1;
159#endif
160/** The number of bytes we've written to the startup log. */
161static uint32_t volatile g_cbStartupLog = 0;
162
163/** The current SUPR3HardenedMain state / location. */
164SUPR3HARDENEDMAINSTATE g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED;
165AssertCompileSize(g_enmSupR3HardenedMainState, sizeof(uint32_t));
166
167#ifdef RT_OS_WINDOWS
168/** Pointer to VBoxRT's RTLogRelPrintf function so we can write errors to the
169 * release log at runtime. */
170static PFNRTLOGRELPRINTF g_pfnRTLogRelPrintf = NULL;
171/** Log volume name (for attempting volume flush). */
172static RTUTF16 g_wszStartupLogVol[16];
173#endif
174
175
176/*******************************************************************************
177* Internal Functions *
178*******************************************************************************/
179#ifdef SUP_HARDENED_SUID
180static void supR3HardenedMainDropPrivileges(void);
181#endif
182static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName);
183
184
185/**
186 * Safely copy one or more strings into the given buffer.
187 *
188 * @returns VINF_SUCCESS or VERR_BUFFER_OVERFLOW.
189 * @param pszDst The destionation buffer.
190 * @param cbDst The size of the destination buffer.
191 * @param ... One or more zero terminated strings, ending with
192 * a NULL.
193 */
194static int suplibHardenedStrCopyEx(char *pszDst, size_t cbDst, ...)
195{
196 int rc = VINF_SUCCESS;
197
198 if (cbDst == 0)
199 return VERR_BUFFER_OVERFLOW;
200
201 va_list va;
202 va_start(va, cbDst);
203 for (;;)
204 {
205 const char *pszSrc = va_arg(va, const char *);
206 if (!pszSrc)
207 break;
208
209 size_t cchSrc = suplibHardenedStrLen(pszSrc);
210 if (cchSrc < cbDst)
211 {
212 suplibHardenedMemCopy(pszDst, pszSrc, cchSrc);
213 pszDst += cchSrc;
214 cbDst -= cchSrc;
215 }
216 else
217 {
218 rc = VERR_BUFFER_OVERFLOW;
219 if (cbDst > 1)
220 {
221 suplibHardenedMemCopy(pszDst, pszSrc, cbDst - 1);
222 pszDst += cbDst - 1;
223 cbDst = 1;
224 }
225 }
226 *pszDst = '\0';
227 }
228 va_end(va);
229
230 return rc;
231}
232
233
234/**
235 * Exit current process in the quickest possible fashion.
236 *
237 * @param rcExit The exit code.
238 */
239DECLNORETURN(void) suplibHardenedExit(RTEXITCODE rcExit)
240{
241 for (;;)
242 {
243#ifdef RT_OS_WINDOWS
244 if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
245 ExitProcess(rcExit);
246 if (RtlExitUserProcess != NULL)
247 RtlExitUserProcess(rcExit);
248 NtTerminateProcess(NtCurrentProcess(), rcExit);
249#else
250 _Exit(rcExit);
251#endif
252 }
253}
254
255
256/**
257 * Writes a substring to standard error.
258 *
259 * @param pch The start of the substring.
260 * @param cch The length of the substring.
261 */
262static void suplibHardenedPrintStrN(const char *pch, size_t cch)
263{
264#ifdef RT_OS_WINDOWS
265 HANDLE hStdOut = NtCurrentPeb()->ProcessParameters->StandardOutput;
266 if (hStdOut != NULL)
267 {
268 if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
269 {
270 DWORD cbWritten;
271 WriteFile(hStdOut, pch, (DWORD)cch, &cbWritten, NULL);
272 }
273 /* Windows 7 and earlier uses fake handles, with the last two bits set ((hStdOut & 3) == 3). */
274 else if (NtWriteFile != NULL && ((uintptr_t)hStdOut & 3) == 0)
275 {
276 IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
277 NtWriteFile(hStdOut, NULL /*Event*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/,
278 &Ios, (PVOID)pch, (ULONG)cch, NULL /*ByteOffset*/, NULL /*Key*/);
279 }
280 }
281#else
282 (void)write(2, pch, cch);
283#endif
284}
285
286
287/**
288 * Writes a string to standard error.
289 *
290 * @param psz The string.
291 */
292static void suplibHardenedPrintStr(const char *psz)
293{
294 suplibHardenedPrintStrN(psz, suplibHardenedStrLen(psz));
295}
296
297
298/**
299 * Writes a char to standard error.
300 *
301 * @param ch The character value to write.
302 */
303static void suplibHardenedPrintChr(char ch)
304{
305 suplibHardenedPrintStrN(&ch, 1);
306}
307
308
309/**
310 * Writes a decimal number to stdard error.
311 *
312 * @param uValue The value.
313 */
314static void suplibHardenedPrintDecimal(uint64_t uValue)
315{
316 char szBuf[64];
317 char *pszEnd = &szBuf[sizeof(szBuf) - 1];
318 char *psz = pszEnd;
319
320 *psz-- = '\0';
321
322 do
323 {
324 *psz-- = '0' + (uValue % 10);
325 uValue /= 10;
326 } while (uValue > 0);
327
328 psz++;
329 suplibHardenedPrintStrN(psz, pszEnd - psz);
330}
331
332
333/**
334 * Writes a hexadecimal or octal number to standard error.
335 *
336 * @param uValue The value.
337 * @param uBase The base (16 or 8).
338 * @param fFlags Format flags.
339 */
340static void suplibHardenedPrintHexOctal(uint64_t uValue, unsigned uBase, uint32_t fFlags)
341{
342 static char const s_achDigitsLower[17] = "0123456789abcdef";
343 static char const s_achDigitsUpper[17] = "0123456789ABCDEF";
344 const char *pchDigits = !(fFlags & RTSTR_F_CAPITAL) ? s_achDigitsLower : s_achDigitsUpper;
345 unsigned cShift = uBase == 16 ? 4 : 3;
346 unsigned fDigitMask = uBase == 16 ? 0xf : 7;
347 char szBuf[64];
348 char *pszEnd = &szBuf[sizeof(szBuf) - 1];
349 char *psz = pszEnd;
350
351 *psz-- = '\0';
352
353 do
354 {
355 *psz-- = pchDigits[uValue & fDigitMask];
356 uValue >>= cShift;
357 } while (uValue > 0);
358
359 if ((fFlags & RTSTR_F_SPECIAL) && uBase == 16)
360 {
361 *psz-- = !(fFlags & RTSTR_F_CAPITAL) ? 'x' : 'X';
362 *psz-- = '0';
363 }
364
365 psz++;
366 suplibHardenedPrintStrN(psz, pszEnd - psz);
367}
368
369
370/**
371 * Writes a wide character string to standard error.
372 *
373 * @param pwsz The string.
374 */
375static void suplibHardenedPrintWideStr(PCRTUTF16 pwsz)
376{
377 for (;;)
378 {
379 RTUTF16 wc = *pwsz++;
380 if (!wc)
381 return;
382 if ( (wc < 0x7f && wc >= 0x20)
383 || wc == '\n'
384 || wc == '\r')
385 suplibHardenedPrintChr((char)wc);
386 else
387 {
388 suplibHardenedPrintStrN(RT_STR_TUPLE("\\x"));
389 suplibHardenedPrintHexOctal(wc, 16, 0);
390 }
391 }
392}
393
394#ifdef IPRT_NO_CRT
395
396/** Buffer structure used by suplibHardenedOutput. */
397struct SUPLIBHARDENEDOUTPUTBUF
398{
399 size_t off;
400 char szBuf[2048];
401};
402
403/** Callback for RTStrFormatV, see FNRTSTROUTPUT. */
404static DECLCALLBACK(size_t) suplibHardenedOutput(void *pvArg, const char *pachChars, size_t cbChars)
405{
406 SUPLIBHARDENEDOUTPUTBUF *pBuf = (SUPLIBHARDENEDOUTPUTBUF *)pvArg;
407 size_t cbTodo = cbChars;
408 for (;;)
409 {
410 size_t cbSpace = sizeof(pBuf->szBuf) - pBuf->off - 1;
411
412 /* Flush the buffer? */
413 if ( cbSpace == 0
414 || (cbTodo == 0 && pBuf->off))
415 {
416 suplibHardenedPrintStrN(pBuf->szBuf, pBuf->off);
417# ifdef RT_OS_WINDOWS
418 if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
419 OutputDebugString(pBuf->szBuf);
420# endif
421 pBuf->off = 0;
422 cbSpace = sizeof(pBuf->szBuf) - 1;
423 }
424
425 /* Copy the string into the buffer. */
426 if (cbTodo == 1)
427 {
428 pBuf->szBuf[pBuf->off++] = *pachChars;
429 break;
430 }
431 if (cbSpace >= cbTodo)
432 {
433 memcpy(&pBuf->szBuf[pBuf->off], pachChars, cbTodo);
434 pBuf->off += cbTodo;
435 break;
436 }
437 memcpy(&pBuf->szBuf[pBuf->off], pachChars, cbSpace);
438 pBuf->off += cbSpace;
439 cbTodo -= cbSpace;
440 }
441 pBuf->szBuf[pBuf->off] = '\0';
442
443 return cbChars;
444}
445
446#endif /* IPRT_NO_CRT */
447
448/**
449 * Simple printf to standard error.
450 *
451 * @param pszFormat The format string.
452 * @param va Arguments to format.
453 */
454DECLHIDDEN(void) suplibHardenedPrintFV(const char *pszFormat, va_list va)
455{
456#ifdef IPRT_NO_CRT
457 /*
458 * Use buffered output here to avoid character mixing on the windows
459 * console and to enable us to use OutputDebugString.
460 */
461 SUPLIBHARDENEDOUTPUTBUF Buf;
462 Buf.off = 0;
463 Buf.szBuf[0] = '\0';
464 RTStrFormatV(suplibHardenedOutput, &Buf, NULL, NULL, pszFormat, va);
465
466#else /* !IPRT_NO_CRT */
467 /*
468 * Format loop.
469 */
470 char ch;
471 const char *pszLast = pszFormat;
472 for (;;)
473 {
474 ch = *pszFormat;
475 if (!ch)
476 break;
477 pszFormat++;
478
479 if (ch == '%')
480 {
481 /*
482 * Format argument.
483 */
484
485 /* Flush unwritten bits. */
486 if (pszLast != pszFormat - 1)
487 suplibHardenedPrintStrN(pszLast, pszFormat - pszLast - 1);
488 pszLast = pszFormat;
489 ch = *pszFormat++;
490
491 /* flags. */
492 uint32_t fFlags = 0;
493 for (;;)
494 {
495 if (ch == '#') fFlags |= RTSTR_F_SPECIAL;
496 else if (ch == '-') fFlags |= RTSTR_F_LEFT;
497 else if (ch == '+') fFlags |= RTSTR_F_PLUS;
498 else if (ch == ' ') fFlags |= RTSTR_F_BLANK;
499 else if (ch == '0') fFlags |= RTSTR_F_ZEROPAD;
500 else if (ch == '\'') fFlags |= RTSTR_F_THOUSAND_SEP;
501 else break;
502 ch = *pszFormat++;
503 }
504
505 /* Width and precision - ignored. */
506 while (RT_C_IS_DIGIT(ch))
507 ch = *pszFormat++;
508 if (ch == '*')
509 va_arg(va, int);
510 if (ch == '.')
511 {
512 do ch = *pszFormat++;
513 while (RT_C_IS_DIGIT(ch));
514 if (ch == '*')
515 va_arg(va, int);
516 }
517
518 /* Size. */
519 char chArgSize = 0;
520 switch (ch)
521 {
522 case 'z':
523 case 'L':
524 case 'j':
525 case 't':
526 chArgSize = ch;
527 ch = *pszFormat++;
528 break;
529
530 case 'l':
531 chArgSize = ch;
532 ch = *pszFormat++;
533 if (ch == 'l')
534 {
535 chArgSize = 'L';
536 ch = *pszFormat++;
537 }
538 break;
539
540 case 'h':
541 chArgSize = ch;
542 ch = *pszFormat++;
543 if (ch == 'h')
544 {
545 chArgSize = 'H';
546 ch = *pszFormat++;
547 }
548 break;
549 }
550
551 /*
552 * Do type specific formatting.
553 */
554 switch (ch)
555 {
556 case 'c':
557 ch = (char)va_arg(va, int);
558 suplibHardenedPrintChr(ch);
559 break;
560
561 case 's':
562 if (chArgSize == 'l')
563 {
564 PCRTUTF16 pwszStr = va_arg(va, PCRTUTF16 );
565 if (RT_VALID_PTR(pwszStr))
566 suplibHardenedPrintWideStr(pwszStr);
567 else
568 suplibHardenedPrintStr("<NULL>");
569 }
570 else
571 {
572 const char *pszStr = va_arg(va, const char *);
573 if (!RT_VALID_PTR(pszStr))
574 pszStr = "<NULL>";
575 suplibHardenedPrintStr(pszStr);
576 }
577 break;
578
579 case 'd':
580 case 'i':
581 {
582 int64_t iValue;
583 if (chArgSize == 'L' || chArgSize == 'j')
584 iValue = va_arg(va, int64_t);
585 else if (chArgSize == 'l')
586 iValue = va_arg(va, signed long);
587 else if (chArgSize == 'z' || chArgSize == 't')
588 iValue = va_arg(va, intptr_t);
589 else
590 iValue = va_arg(va, signed int);
591 if (iValue < 0)
592 {
593 suplibHardenedPrintChr('-');
594 iValue = -iValue;
595 }
596 suplibHardenedPrintDecimal(iValue);
597 break;
598 }
599
600 case 'p':
601 case 'x':
602 case 'X':
603 case 'u':
604 case 'o':
605 {
606 unsigned uBase = 10;
607 uint64_t uValue;
608
609 switch (ch)
610 {
611 case 'p':
612 fFlags |= RTSTR_F_ZEROPAD; /* Note not standard behaviour (but I like it this way!) */
613 uBase = 16;
614 break;
615 case 'X':
616 fFlags |= RTSTR_F_CAPITAL;
617 case 'x':
618 uBase = 16;
619 break;
620 case 'u':
621 uBase = 10;
622 break;
623 case 'o':
624 uBase = 8;
625 break;
626 }
627
628 if (ch == 'p' || chArgSize == 'z' || chArgSize == 't')
629 uValue = va_arg(va, uintptr_t);
630 else if (chArgSize == 'L' || chArgSize == 'j')
631 uValue = va_arg(va, uint64_t);
632 else if (chArgSize == 'l')
633 uValue = va_arg(va, unsigned long);
634 else
635 uValue = va_arg(va, unsigned int);
636
637 if (uBase == 10)
638 suplibHardenedPrintDecimal(uValue);
639 else
640 suplibHardenedPrintHexOctal(uValue, uBase, fFlags);
641 break;
642 }
643
644 case 'R':
645 if (pszFormat[0] == 'r' && pszFormat[1] == 'c')
646 {
647 int iValue = va_arg(va, int);
648 if (iValue < 0)
649 {
650 suplibHardenedPrintChr('-');
651 iValue = -iValue;
652 }
653 suplibHardenedPrintDecimal(iValue);
654 pszFormat += 2;
655 break;
656 }
657 /* fall thru */
658
659 /*
660 * Custom format.
661 */
662 default:
663 suplibHardenedPrintStr("[bad format: ");
664 suplibHardenedPrintStrN(pszLast, pszFormat - pszLast);
665 suplibHardenedPrintChr(']');
666 break;
667 }
668
669 /* continue */
670 pszLast = pszFormat;
671 }
672 }
673
674 /* Flush the last bits of the string. */
675 if (pszLast != pszFormat)
676 suplibHardenedPrintStrN(pszLast, pszFormat - pszLast);
677#endif /* !IPRT_NO_CRT */
678}
679
680
681/**
682 * Prints to standard error.
683 *
684 * @param pszFormat The format string.
685 * @param ... Arguments to format.
686 */
687DECLHIDDEN(void) suplibHardenedPrintF(const char *pszFormat, ...)
688{
689 va_list va;
690 va_start(va, pszFormat);
691 suplibHardenedPrintFV(pszFormat, va);
692 va_end(va);
693}
694
695
696/**
697 * @copydoc RTPathStripFilename.
698 */
699static void suplibHardenedPathStripFilename(char *pszPath)
700{
701 char *psz = pszPath;
702 char *pszLastSep = pszPath;
703
704 for (;; psz++)
705 {
706 switch (*psz)
707 {
708 /* handle separators. */
709#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
710 case ':':
711 pszLastSep = psz + 1;
712 break;
713
714 case '\\':
715#endif
716 case '/':
717 pszLastSep = psz;
718 break;
719
720 /* the end */
721 case '\0':
722 if (pszLastSep == pszPath)
723 *pszLastSep++ = '.';
724 *pszLastSep = '\0';
725 return;
726 }
727 }
728 /* will never get here */
729}
730
731
732/**
733 * @copydoc RTPathFilename
734 */
735DECLHIDDEN(char *) supR3HardenedPathFilename(const char *pszPath)
736{
737 const char *psz = pszPath;
738 const char *pszLastComp = pszPath;
739
740 for (;; psz++)
741 {
742 switch (*psz)
743 {
744 /* handle separators. */
745#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
746 case ':':
747 pszLastComp = psz + 1;
748 break;
749
750 case '\\':
751#endif
752 case '/':
753 pszLastComp = psz + 1;
754 break;
755
756 /* the end */
757 case '\0':
758 if (*pszLastComp)
759 return (char *)(void *)pszLastComp;
760 return NULL;
761 }
762 }
763
764 /* will never get here */
765 return NULL;
766}
767
768
769/**
770 * @copydoc RTPathAppPrivateNoArch
771 */
772DECLHIDDEN(int) supR3HardenedPathAppPrivateNoArch(char *pszPath, size_t cchPath)
773{
774#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE)
775 const char *pszSrcPath = RTPATH_APP_PRIVATE;
776 size_t cchPathPrivateNoArch = suplibHardenedStrLen(pszSrcPath);
777 if (cchPathPrivateNoArch >= cchPath)
778 supR3HardenedFatal("supR3HardenedPathAppPrivateNoArch: Buffer overflow, %zu >= %zu\n", cchPathPrivateNoArch, cchPath);
779 suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathPrivateNoArch + 1);
780 return VINF_SUCCESS;
781
782#else
783 return supR3HardenedPathAppBin(pszPath, cchPath);
784#endif
785}
786
787
788/**
789 * @copydoc RTPathAppPrivateArch
790 */
791DECLHIDDEN(int) supR3HardenedPathAppPrivateArch(char *pszPath, size_t cchPath)
792{
793#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE_ARCH)
794 const char *pszSrcPath = RTPATH_APP_PRIVATE_ARCH;
795 size_t cchPathPrivateArch = suplibHardenedStrLen(pszSrcPath);
796 if (cchPathPrivateArch >= cchPath)
797 supR3HardenedFatal("supR3HardenedPathAppPrivateArch: Buffer overflow, %zu >= %zu\n", cchPathPrivateArch, cchPath);
798 suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathPrivateArch + 1);
799 return VINF_SUCCESS;
800
801#else
802 return supR3HardenedPathAppBin(pszPath, cchPath);
803#endif
804}
805
806
807/**
808 * @copydoc RTPathSharedLibs
809 */
810DECLHIDDEN(int) supR3HardenedPathAppSharedLibs(char *pszPath, size_t cchPath)
811{
812#if !defined(RT_OS_WINDOWS) && defined(RTPATH_SHARED_LIBS)
813 const char *pszSrcPath = RTPATH_SHARED_LIBS;
814 size_t cchPathSharedLibs = suplibHardenedStrLen(pszSrcPath);
815 if (cchPathSharedLibs >= cchPath)
816 supR3HardenedFatal("supR3HardenedPathAppSharedLibs: Buffer overflow, %zu >= %zu\n", cchPathSharedLibs, cchPath);
817 suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathSharedLibs + 1);
818 return VINF_SUCCESS;
819
820#else
821 return supR3HardenedPathAppBin(pszPath, cchPath);
822#endif
823}
824
825
826/**
827 * @copydoc RTPathAppDocs
828 */
829DECLHIDDEN(int) supR3HardenedPathAppDocs(char *pszPath, size_t cchPath)
830{
831#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_DOCS)
832 const char *pszSrcPath = RTPATH_APP_DOCS;
833 size_t cchPathAppDocs = suplibHardenedStrLen(pszSrcPath);
834 if (cchPathAppDocs >= cchPath)
835 supR3HardenedFatal("supR3HardenedPathAppDocs: Buffer overflow, %zu >= %zu\n", cchPathAppDocs, cchPath);
836 suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathAppDocs + 1);
837 return VINF_SUCCESS;
838
839#else
840 return supR3HardenedPathAppBin(pszPath, cchPath);
841#endif
842}
843
844
845/**
846 * Returns the full path to the executable.
847 *
848 * @returns IPRT status code.
849 * @param pszPath Where to store it.
850 * @param cchPath How big that buffer is.
851 */
852static void supR3HardenedGetFullExePath(void)
853{
854 /*
855 * Get the program filename.
856 *
857 * Most UNIXes have no API for obtaining the executable path, but provides a symbolic
858 * link in the proc file system that tells who was exec'ed. The bad thing about this
859 * is that we have to use readlink, one of the weirder UNIX APIs.
860 *
861 * Darwin, OS/2 and Windows all have proper APIs for getting the program file name.
862 */
863#if defined(RT_OS_LINUX) || defined(RT_OS_FREEBSD) || defined(RT_OS_SOLARIS)
864# ifdef RT_OS_LINUX
865 int cchLink = readlink("/proc/self/exe", &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
866
867# elif defined(RT_OS_SOLARIS)
868 char szFileBuf[PATH_MAX + 1];
869 sprintf(szFileBuf, "/proc/%ld/path/a.out", (long)getpid());
870 int cchLink = readlink(szFileBuf, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
871
872# else /* RT_OS_FREEBSD */
873 int aiName[4];
874 aiName[0] = CTL_KERN;
875 aiName[1] = KERN_PROC;
876 aiName[2] = KERN_PROC_PATHNAME;
877 aiName[3] = getpid();
878
879 size_t cbPath = sizeof(g_szSupLibHardenedExePath);
880 if (sysctl(aiName, RT_ELEMENTS(aiName), g_szSupLibHardenedExePath, &cbPath, NULL, 0) < 0)
881 supR3HardenedFatal("supR3HardenedExecDir: sysctl failed\n");
882 g_szSupLibHardenedExePath[sizeof(g_szSupLibHardenedExePath) - 1] = '\0';
883 int cchLink = suplibHardenedStrLen(g_szSupLibHardenedExePath); /* paranoid? can't we use cbPath? */
884
885# endif
886 if (cchLink < 0 || cchLink == sizeof(g_szSupLibHardenedExePath) - 1)
887 supR3HardenedFatal("supR3HardenedExecDir: couldn't read \"%s\", errno=%d cchLink=%d\n",
888 g_szSupLibHardenedExePath, errno, cchLink);
889 g_szSupLibHardenedExePath[cchLink] = '\0';
890
891#elif defined(RT_OS_OS2) || defined(RT_OS_L4)
892 _execname(g_szSupLibHardenedExePath, sizeof(g_szSupLibHardenedExePath));
893
894#elif defined(RT_OS_DARWIN)
895 const char *pszImageName = _dyld_get_image_name(0);
896 if (!pszImageName)
897 supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed\n");
898 size_t cchImageName = suplibHardenedStrLen(pszImageName);
899 if (!cchImageName || cchImageName >= sizeof(g_szSupLibHardenedExePath))
900 supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed, cchImageName=%d\n", cchImageName);
901 suplibHardenedMemCopy(g_szSupLibHardenedExePath, pszImageName, cchImageName + 1);
902
903#elif defined(RT_OS_WINDOWS)
904 char *pszDst = g_szSupLibHardenedExePath;
905 int rc = RTUtf16ToUtf8Ex(g_wszSupLibHardenedExePath, RTSTR_MAX, &pszDst, sizeof(g_szSupLibHardenedExePath), NULL);
906 if (RT_FAILURE(rc))
907 supR3HardenedFatal("supR3HardenedExecDir: RTUtf16ToUtf8Ex failed, rc=%Rrc\n", rc);
908#else
909# error needs porting.
910#endif
911
912 /*
913 * Determine the application binary directory location.
914 */
915 suplibHardenedStrCopy(g_szSupLibHardenedAppBinPath, g_szSupLibHardenedExePath);
916 suplibHardenedPathStripFilename(g_szSupLibHardenedAppBinPath);
917
918 if (g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_HARDENED_MAIN_CALLED)
919 supR3HardenedFatal("supR3HardenedExecDir: Called before SUPR3HardenedMain! (%d)\n", g_enmSupR3HardenedMainState);
920 switch (g_fSupHardenedMain & SUPSECMAIN_FLAGS_LOC_MASK)
921 {
922 case SUPSECMAIN_FLAGS_LOC_APP_BIN:
923 break;
924 case SUPSECMAIN_FLAGS_LOC_TESTCASE:
925 suplibHardenedPathStripFilename(g_szSupLibHardenedAppBinPath);
926 break;
927 default:
928 supR3HardenedFatal("supR3HardenedExecDir: Unknown program binary location: %#x\n", g_fSupHardenedMain);
929 }
930}
931
932
933#ifdef RT_OS_LINUX
934/**
935 * Checks if we can read /proc/self/exe.
936 *
937 * This is used on linux to see if we have to call init
938 * with program path or not.
939 *
940 * @returns true / false.
941 */
942static bool supR3HardenedMainIsProcSelfExeAccssible(void)
943{
944 char szPath[RTPATH_MAX];
945 int cchLink = readlink("/proc/self/exe", szPath, sizeof(szPath));
946 return cchLink != -1;
947}
948#endif /* RT_OS_LINUX */
949
950
951
952/**
953 * @copydoc RTPathExecDir
954 * @remarks not quite like RTPathExecDir actually...
955 */
956DECLHIDDEN(int) supR3HardenedPathAppBin(char *pszPath, size_t cchPath)
957{
958 /*
959 * Lazy init (probably not required).
960 */
961 if (!g_szSupLibHardenedAppBinPath[0])
962 supR3HardenedGetFullExePath();
963
964 /*
965 * Calc the length and check if there is space before copying.
966 */
967 size_t cch = suplibHardenedStrLen(g_szSupLibHardenedAppBinPath) + 1;
968 if (cch <= cchPath)
969 {
970 suplibHardenedMemCopy(pszPath, g_szSupLibHardenedAppBinPath, cch + 1);
971 return VINF_SUCCESS;
972 }
973
974 supR3HardenedFatal("supR3HardenedPathAppBin: Buffer too small (%u < %u)\n", cchPath, cch);
975 return VERR_BUFFER_OVERFLOW;
976}
977
978
979#ifdef RT_OS_WINDOWS
980extern "C" uint32_t g_uNtVerCombined;
981#endif
982
983DECLHIDDEN(void) supR3HardenedOpenLog(int *pcArgs, char **papszArgs)
984{
985 static const char s_szLogOption[] = "--sup-startup-log=";
986
987 /*
988 * Scan the argument vector.
989 */
990 int cArgs = *pcArgs;
991 for (int iArg = 1; iArg < cArgs; iArg++)
992 if (strncmp(papszArgs[iArg], s_szLogOption, sizeof(s_szLogOption) - 1) == 0)
993 {
994 const char *pszLogFile = &papszArgs[iArg][sizeof(s_szLogOption) - 1];
995
996 /*
997 * Drop the argument from the vector (has trailing NULL entry).
998 */
999 memmove(&papszArgs[iArg], &papszArgs[iArg + 1], (cArgs - iArg) * sizeof(papszArgs[0]));
1000 *pcArgs -= 1;
1001 cArgs -= 1;
1002
1003 /*
1004 * Open the log file, unless we've already opened one.
1005 * First argument takes precedence
1006 */
1007#ifdef RT_OS_WINDOWS
1008 if (g_hStartupLog == NULL)
1009 {
1010 int rc = RTNtPathOpen(pszLogFile,
1011 GENERIC_WRITE | SYNCHRONIZE,
1012 FILE_ATTRIBUTE_NORMAL,
1013 FILE_SHARE_READ | FILE_SHARE_WRITE,
1014 FILE_OPEN_IF,
1015 FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
1016 OBJ_CASE_INSENSITIVE,
1017 &g_hStartupLog,
1018 NULL);
1019 if (RT_SUCCESS(rc))
1020 {
1021 SUP_DPRINTF(("Log file opened: " VBOX_VERSION_STRING "r%u g_hStartupLog=%p g_uNtVerCombined=%#x\n",
1022 VBOX_SVN_REV, g_hStartupLog, g_uNtVerCombined));
1023
1024 /*
1025 * If the path contains a drive volume, save it so we can
1026 * use it to flush the volume containing the log file.
1027 */
1028 if (RT_C_IS_ALPHA(pszLogFile[0]) && pszLogFile[1] == ':')
1029 {
1030 RTUtf16CopyAscii(g_wszStartupLogVol, RT_ELEMENTS(g_wszStartupLogVol), "\\??\\");
1031 g_wszStartupLogVol[sizeof("\\??\\") - 1] = RT_C_TO_UPPER(pszLogFile[0]);
1032 g_wszStartupLogVol[sizeof("\\??\\") + 0] = ':';
1033 g_wszStartupLogVol[sizeof("\\??\\") + 1] = '\0';
1034 }
1035 }
1036 else
1037 g_hStartupLog = NULL;
1038 }
1039#else
1040 //g_hStartupLog = open()
1041#endif
1042 }
1043}
1044
1045
1046DECLHIDDEN(void) supR3HardenedLogV(const char *pszFormat, va_list va)
1047{
1048#ifdef RT_OS_WINDOWS
1049 if ( g_hStartupLog != NULL
1050 && g_cbStartupLog < 16*_1M)
1051 {
1052 char szBuf[5120];
1053 PCLIENT_ID pSelfId = &((PTEB)NtCurrentTeb())->ClientId;
1054 size_t cchPrefix = RTStrPrintf(szBuf, sizeof(szBuf), "%x.%x: ", pSelfId->UniqueProcess, pSelfId->UniqueThread);
1055 size_t cch = RTStrPrintfV(&szBuf[cchPrefix], sizeof(szBuf) - cchPrefix, pszFormat, va) + cchPrefix;
1056
1057 if ((size_t)cch >= sizeof(szBuf))
1058 cch = sizeof(szBuf) - 1;
1059
1060 if (!cch || szBuf[cch - 1] != '\n')
1061 szBuf[cch++] = '\n';
1062
1063 ASMAtomicAddU32(&g_cbStartupLog, (uint32_t)cch);
1064
1065 IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1066 LARGE_INTEGER Offset;
1067 Offset.QuadPart = -1; /* Write to end of file. */
1068 NtWriteFile(g_hStartupLog, NULL /*Event*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/,
1069 &Ios, szBuf, (ULONG)cch, &Offset, NULL /*Key*/);
1070 }
1071#else
1072 /* later */
1073#endif
1074}
1075
1076
1077DECLHIDDEN(void) supR3HardenedLog(const char *pszFormat, ...)
1078{
1079 va_list va;
1080 va_start(va, pszFormat);
1081 supR3HardenedLogV(pszFormat, va);
1082 va_end(va);
1083}
1084
1085
1086DECLHIDDEN(void) supR3HardenedLogFlush(void)
1087{
1088#ifdef RT_OS_WINDOWS
1089 if ( g_hStartupLog != NULL
1090 && g_cbStartupLog < 16*_1M)
1091 {
1092 IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1093 NTSTATUS rcNt = NtFlushBuffersFile(g_hStartupLog, &Ios);
1094
1095 /*
1096 * Try flush the volume containing the log file too.
1097 */
1098 if (g_wszStartupLogVol[0])
1099 {
1100 HANDLE hLogVol = RTNT_INVALID_HANDLE_VALUE;
1101 UNICODE_STRING NtName;
1102 NtName.Buffer = g_wszStartupLogVol;
1103 NtName.Length = (USHORT)(RTUtf16Len(g_wszStartupLogVol) * sizeof(RTUTF16));
1104 NtName.MaximumLength = NtName.Length + 1;
1105 OBJECT_ATTRIBUTES ObjAttr;
1106 InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
1107 RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
1108 rcNt = NtCreateFile(&hLogVol,
1109 GENERIC_WRITE | GENERIC_READ | SYNCHRONIZE | FILE_READ_ATTRIBUTES,
1110 &ObjAttr,
1111 &Ios,
1112 NULL /* Allocation Size*/,
1113 0 /*FileAttributes*/,
1114 FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
1115 FILE_OPEN,
1116 FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
1117 NULL /*EaBuffer*/,
1118 0 /*EaLength*/);
1119 if (NT_SUCCESS(rcNt))
1120 rcNt = Ios.Status;
1121 if (NT_SUCCESS(rcNt))
1122 {
1123 RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
1124 rcNt = NtFlushBuffersFile(hLogVol, &Ios);
1125 NtClose(hLogVol);
1126 }
1127 else
1128 {
1129 /* This may have sideeffects similar to what we want... */
1130 hLogVol = RTNT_INVALID_HANDLE_VALUE;
1131 RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
1132 rcNt = NtCreateFile(&hLogVol,
1133 GENERIC_READ | SYNCHRONIZE | FILE_READ_ATTRIBUTES,
1134 &ObjAttr,
1135 &Ios,
1136 NULL /* Allocation Size*/,
1137 0 /*FileAttributes*/,
1138 FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
1139 FILE_OPEN,
1140 FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
1141 NULL /*EaBuffer*/,
1142 0 /*EaLength*/);
1143 if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
1144 NtClose(hLogVol);
1145 }
1146 }
1147 }
1148#else
1149 /* later */
1150#endif
1151}
1152
1153
1154/**
1155 * Prints the message prefix.
1156 */
1157static void suplibHardenedPrintPrefix(void)
1158{
1159 if (g_pszSupLibHardenedProgName)
1160 suplibHardenedPrintStr(g_pszSupLibHardenedProgName);
1161 suplibHardenedPrintStr(": ");
1162}
1163
1164
1165DECLHIDDEN(void) supR3HardenedFatalMsgV(const char *pszWhere, SUPINITOP enmWhat, int rc, const char *pszMsgFmt, va_list va)
1166{
1167 /*
1168 * First to the log.
1169 */
1170 supR3HardenedLog("Error %d in %s! (enmWhat=%d)\n", rc, pszWhere, enmWhat);
1171 va_list vaCopy;
1172 va_copy(vaCopy, va);
1173 supR3HardenedLogV(pszMsgFmt, vaCopy);
1174 va_end(vaCopy);
1175
1176#ifdef RT_OS_WINDOWS
1177 /*
1178 * The release log.
1179 */
1180 if (g_pfnRTLogRelPrintf)
1181 {
1182 va_copy(vaCopy, va);
1183 g_pfnRTLogRelPrintf("supR3HardenedFatalMsgV: %s enmWhat=%d rc=%Rrc (%#x)\n", pszWhere, enmWhat, rc);
1184 g_pfnRTLogRelPrintf("supR3HardenedFatalMsgV: %N\n", pszMsgFmt, &vaCopy);
1185 va_end(vaCopy);
1186 }
1187#endif
1188
1189 /*
1190 * Then to the console.
1191 */
1192 suplibHardenedPrintPrefix();
1193 suplibHardenedPrintF("Error %d in %s!\n", rc, pszWhere);
1194
1195 suplibHardenedPrintPrefix();
1196 va_copy(vaCopy, va);
1197 suplibHardenedPrintFV(pszMsgFmt, vaCopy);
1198 va_end(vaCopy);
1199 suplibHardenedPrintChr('\n');
1200
1201 switch (enmWhat)
1202 {
1203 case kSupInitOp_Driver:
1204 suplibHardenedPrintChr('\n');
1205 suplibHardenedPrintPrefix();
1206 suplibHardenedPrintStr("Tip! Make sure the kernel module is loaded. It may also help to reinstall VirtualBox.\n");
1207 break;
1208
1209 case kSupInitOp_Misc:
1210 case kSupInitOp_IPRT:
1211 case kSupInitOp_Integrity:
1212 case kSupInitOp_RootCheck:
1213 suplibHardenedPrintChr('\n');
1214 suplibHardenedPrintPrefix();
1215 suplibHardenedPrintStr("Tip! It may help to reinstall VirtualBox.\n");
1216 break;
1217
1218 default:
1219 /* no hints here */
1220 break;
1221 }
1222
1223 /*
1224 * Finally, TrustedError if appropriate.
1225 */
1226 if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
1227 {
1228#ifdef SUP_HARDENED_SUID
1229 /*
1230 * Drop any root privileges we might be holding, this won't return
1231 * if it fails but end up calling supR3HardenedFatal[V].
1232 */
1233 supR3HardenedMainDropPrivileges();
1234#endif
1235
1236 /*
1237 * Now try resolve and call the TrustedError entry point if we can
1238 * find it. We'll fork before we attempt this because that way the
1239 * session management in main will see us exiting immediately (if
1240 * it's involved with us).
1241 */
1242#if !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
1243 int pid = fork();
1244 if (pid <= 0)
1245#endif
1246 {
1247 static volatile bool s_fRecursive = false; /* Loader hooks may cause recursion. */
1248 if (!s_fRecursive)
1249 {
1250 s_fRecursive = true;
1251
1252 PFNSUPTRUSTEDERROR pfnTrustedError = supR3HardenedMainGetTrustedError(g_pszSupLibHardenedProgName);
1253 if (pfnTrustedError)
1254 pfnTrustedError(pszWhere, enmWhat, rc, pszMsgFmt, va);
1255
1256 s_fRecursive = false;
1257 }
1258 }
1259 }
1260#if defined(RT_OS_WINDOWS)
1261 /*
1262 * Report the error to the parent if this happens during early VM init.
1263 */
1264 else if ( g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED
1265 && g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
1266 supR3HardenedWinReportErrorToParent(pszWhere, enmWhat, rc, pszMsgFmt, va);
1267#endif
1268
1269 /*
1270 * Quit
1271 */
1272 suplibHardenedExit(RTEXITCODE_FAILURE);
1273}
1274
1275
1276DECLHIDDEN(void) supR3HardenedFatalMsg(const char *pszWhere, SUPINITOP enmWhat, int rc, const char *pszMsgFmt, ...)
1277{
1278 va_list va;
1279 va_start(va, pszMsgFmt);
1280 supR3HardenedFatalMsgV(pszWhere, enmWhat, rc, pszMsgFmt, va);
1281 va_end(va);
1282}
1283
1284
1285DECLHIDDEN(void) supR3HardenedFatalV(const char *pszFormat, va_list va)
1286{
1287 supR3HardenedLog("Fatal error:\n");
1288 va_list vaCopy;
1289 va_copy(vaCopy, va);
1290 supR3HardenedLogV(pszFormat, vaCopy);
1291 va_end(vaCopy);
1292
1293#if defined(RT_OS_WINDOWS)
1294 /*
1295 * Report the error to the parent if this happens during early VM init.
1296 */
1297 if ( g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED
1298 && g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
1299 supR3HardenedWinReportErrorToParent(NULL, kSupInitOp_Invalid, VERR_INTERNAL_ERROR, pszFormat, va);
1300 else
1301#endif
1302 {
1303#ifdef RT_OS_WINDOWS
1304 if (g_pfnRTLogRelPrintf)
1305 {
1306 va_copy(vaCopy, va);
1307 g_pfnRTLogRelPrintf("supR3HardenedFatalV: %N", pszFormat, &vaCopy);
1308 va_end(vaCopy);
1309 }
1310#endif
1311
1312 suplibHardenedPrintPrefix();
1313 suplibHardenedPrintFV(pszFormat, va);
1314 }
1315
1316 suplibHardenedExit(RTEXITCODE_FAILURE);
1317}
1318
1319
1320DECLHIDDEN(void) supR3HardenedFatal(const char *pszFormat, ...)
1321{
1322 va_list va;
1323 va_start(va, pszFormat);
1324 supR3HardenedFatalV(pszFormat, va);
1325 va_end(va);
1326}
1327
1328
1329DECLHIDDEN(int) supR3HardenedErrorV(int rc, bool fFatal, const char *pszFormat, va_list va)
1330{
1331 if (fFatal)
1332 supR3HardenedFatalV(pszFormat, va);
1333
1334 supR3HardenedLog("Error (rc=%d):\n", rc);
1335 va_list vaCopy;
1336 va_copy(vaCopy, va);
1337 supR3HardenedLogV(pszFormat, vaCopy);
1338 va_end(vaCopy);
1339
1340#ifdef RT_OS_WINDOWS
1341 if (g_pfnRTLogRelPrintf)
1342 {
1343 va_copy(vaCopy, va);
1344 g_pfnRTLogRelPrintf("supR3HardenedErrorV: %N", pszFormat, &vaCopy);
1345 va_end(vaCopy);
1346 }
1347#endif
1348
1349 suplibHardenedPrintPrefix();
1350 suplibHardenedPrintFV(pszFormat, va);
1351
1352 return rc;
1353}
1354
1355
1356DECLHIDDEN(int) supR3HardenedError(int rc, bool fFatal, const char *pszFormat, ...)
1357{
1358 va_list va;
1359 va_start(va, pszFormat);
1360 supR3HardenedErrorV(rc, fFatal, pszFormat, va);
1361 va_end(va);
1362 return rc;
1363}
1364
1365
1366
1367/**
1368 * Attempts to open /dev/vboxdrv (or equvivalent).
1369 *
1370 * @remarks This function will not return on failure.
1371 */
1372DECLHIDDEN(void) supR3HardenedMainOpenDevice(void)
1373{
1374 RTERRINFOSTATIC ErrInfo;
1375 SUPINITOP enmWhat = kSupInitOp_Driver;
1376 int rc = suplibOsInit(&g_SupPreInitData.Data, false /*fPreInit*/, true /*fUnrestricted*/,
1377 &enmWhat, RTErrInfoInitStatic(&ErrInfo));
1378 if (RT_SUCCESS(rc))
1379 return;
1380
1381 if (RTErrInfoIsSet(&ErrInfo.Core))
1382 supR3HardenedFatalMsg("suplibOsInit", enmWhat, rc, "%s", ErrInfo.szMsg);
1383
1384 switch (rc)
1385 {
1386 /** @todo better messages! */
1387 case VERR_VM_DRIVER_NOT_INSTALLED:
1388 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel driver not installed");
1389 case VERR_VM_DRIVER_NOT_ACCESSIBLE:
1390 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel driver not accessible");
1391 case VERR_VM_DRIVER_LOAD_ERROR:
1392 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "VERR_VM_DRIVER_LOAD_ERROR");
1393 case VERR_VM_DRIVER_OPEN_ERROR:
1394 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "VERR_VM_DRIVER_OPEN_ERROR");
1395 case VERR_VM_DRIVER_VERSION_MISMATCH:
1396 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel driver version mismatch");
1397 case VERR_ACCESS_DENIED:
1398 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "VERR_ACCESS_DENIED");
1399 case VERR_NO_MEMORY:
1400 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel memory allocation/mapping failed");
1401 case VERR_SUPDRV_HARDENING_EVIL_HANDLE:
1402 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPDRV_HARDENING_EVIL_HANDLE");
1403 case VERR_SUPLIB_NT_PROCESS_UNTRUSTED_0:
1404 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPLIB_NT_PROCESS_UNTRUSTED_0");
1405 case VERR_SUPLIB_NT_PROCESS_UNTRUSTED_1:
1406 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPLIB_NT_PROCESS_UNTRUSTED_1");
1407 case VERR_SUPLIB_NT_PROCESS_UNTRUSTED_2:
1408 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPLIB_NT_PROCESS_UNTRUSTED_2");
1409 default:
1410 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Unknown rc=%d (%Rrc)", rc, rc);
1411 }
1412}
1413
1414
1415#ifdef SUP_HARDENED_SUID
1416
1417/**
1418 * Grabs extra non-root capabilities / privileges that we might require.
1419 *
1420 * This is currently only used for being able to do ICMP from the NAT engine.
1421 *
1422 * @note We still have root privileges at the time of this call.
1423 */
1424static void supR3HardenedMainGrabCapabilites(void)
1425{
1426# if defined(RT_OS_LINUX)
1427 /*
1428 * We are about to drop all our privileges. Remove all capabilities but
1429 * keep the cap_net_raw capability for ICMP sockets for the NAT stack.
1430 */
1431 if (g_uCaps != 0)
1432 {
1433# ifdef USE_LIB_PCAP
1434 /* XXX cap_net_bind_service */
1435 if (!cap_set_proc(cap_from_text("all-eip cap_net_raw+ep")))
1436 prctl(PR_SET_KEEPCAPS, 1 /*keep=*/, 0, 0, 0);
1437 prctl(PR_SET_DUMPABLE, 1 /*dump*/, 0, 0, 0);
1438# else
1439 cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
1440 cap_user_data_t cap = (cap_user_data_t)alloca(sizeof(*cap));
1441 memset(hdr, 0, sizeof(*hdr));
1442 hdr->version = _LINUX_CAPABILITY_VERSION;
1443 memset(cap, 0, sizeof(*cap));
1444 cap->effective = g_uCaps;
1445 cap->permitted = g_uCaps;
1446 if (!capset(hdr, cap))
1447 prctl(PR_SET_KEEPCAPS, 1 /*keep*/, 0, 0, 0);
1448 prctl(PR_SET_DUMPABLE, 1 /*dump*/, 0, 0, 0);
1449# endif /* !USE_LIB_PCAP */
1450 }
1451
1452# elif defined(RT_OS_SOLARIS)
1453 /*
1454 * Add net_icmpaccess privilege to effective privileges and limit
1455 * permitted privileges before completely dropping root privileges.
1456 * This requires dropping root privileges temporarily to get the normal
1457 * user's privileges.
1458 */
1459 seteuid(g_uid);
1460 priv_set_t *pPrivEffective = priv_allocset();
1461 priv_set_t *pPrivNew = priv_allocset();
1462 if (pPrivEffective && pPrivNew)
1463 {
1464 int rc = getppriv(PRIV_EFFECTIVE, pPrivEffective);
1465 seteuid(0);
1466 if (!rc)
1467 {
1468 priv_copyset(pPrivEffective, pPrivNew);
1469 rc = priv_addset(pPrivNew, PRIV_NET_ICMPACCESS);
1470 if (!rc)
1471 {
1472 /* Order is important, as one can't set a privilege which is
1473 * not in the permitted privilege set. */
1474 rc = setppriv(PRIV_SET, PRIV_EFFECTIVE, pPrivNew);
1475 if (rc)
1476 supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set effective privilege set.\n");
1477 rc = setppriv(PRIV_SET, PRIV_PERMITTED, pPrivNew);
1478 if (rc)
1479 supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set permitted privilege set.\n");
1480 }
1481 else
1482 supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to add NET_ICMPACCESS privilege.\n");
1483 }
1484 }
1485 else
1486 {
1487 /* for memory allocation failures just continue */
1488 seteuid(0);
1489 }
1490
1491 if (pPrivEffective)
1492 priv_freeset(pPrivEffective);
1493 if (pPrivNew)
1494 priv_freeset(pPrivNew);
1495# endif
1496}
1497
1498/*
1499 * Look at the environment for some special options.
1500 */
1501static void supR3GrabOptions(void)
1502{
1503 const char *pszOpt;
1504
1505# ifdef RT_OS_LINUX
1506 g_uCaps = 0;
1507
1508 /*
1509 * Do _not_ perform any capability-related system calls for root processes
1510 * (leaving g_uCaps at 0).
1511 * (Hint: getuid gets the real user id, not the effective.)
1512 */
1513 if (getuid() != 0)
1514 {
1515 /*
1516 * CAP_NET_RAW.
1517 * Default: enabled.
1518 * Can be disabled with 'export VBOX_HARD_CAP_NET_RAW=0'.
1519 */
1520 pszOpt = getenv("VBOX_HARD_CAP_NET_RAW");
1521 if ( !pszOpt
1522 || memcmp(pszOpt, "0", sizeof("0")) != 0)
1523 g_uCaps = CAP_TO_MASK(CAP_NET_RAW);
1524
1525 /*
1526 * CAP_NET_BIND_SERVICE.
1527 * Default: disabled.
1528 * Can be enabled with 'export VBOX_HARD_CAP_NET_BIND_SERVICE=1'.
1529 */
1530 pszOpt = getenv("VBOX_HARD_CAP_NET_BIND_SERVICE");
1531 if ( pszOpt
1532 && memcmp(pszOpt, "0", sizeof("0")) != 0)
1533 g_uCaps |= CAP_TO_MASK(CAP_NET_BIND_SERVICE);
1534 }
1535# endif
1536}
1537
1538/**
1539 * Drop any root privileges we might be holding.
1540 */
1541static void supR3HardenedMainDropPrivileges(void)
1542{
1543 /*
1544 * Try use setre[ug]id since this will clear the save uid/gid and thus
1545 * leave fewer traces behind that libs like GTK+ may pick up.
1546 */
1547 uid_t euid, ruid, suid;
1548 gid_t egid, rgid, sgid;
1549# if defined(RT_OS_DARWIN)
1550 /* The really great thing here is that setreuid isn't available on
1551 OS X 10.4, libc emulates it. While 10.4 have a slightly different and
1552 non-standard setuid implementation compared to 10.5, the following
1553 works the same way with both version since we're super user (10.5 req).
1554 The following will set all three variants of the group and user IDs. */
1555 setgid(g_gid);
1556 setuid(g_uid);
1557 euid = geteuid();
1558 ruid = suid = getuid();
1559 egid = getegid();
1560 rgid = sgid = getgid();
1561
1562# elif defined(RT_OS_SOLARIS)
1563 /* Solaris doesn't have setresuid, but the setreuid interface is BSD
1564 compatible and will set the saved uid to euid when we pass it a ruid
1565 that isn't -1 (which we do). */
1566 setregid(g_gid, g_gid);
1567 setreuid(g_uid, g_uid);
1568 euid = geteuid();
1569 ruid = suid = getuid();
1570 egid = getegid();
1571 rgid = sgid = getgid();
1572
1573# else
1574 /* This is the preferred one, full control no questions about semantics.
1575 PORTME: If this isn't work, try join one of two other gangs above. */
1576 setresgid(g_gid, g_gid, g_gid);
1577 setresuid(g_uid, g_uid, g_uid);
1578 if (getresuid(&ruid, &euid, &suid) != 0)
1579 {
1580 euid = geteuid();
1581 ruid = suid = getuid();
1582 }
1583 if (getresgid(&rgid, &egid, &sgid) != 0)
1584 {
1585 egid = getegid();
1586 rgid = sgid = getgid();
1587 }
1588# endif
1589
1590
1591 /* Check that it worked out all right. */
1592 if ( euid != g_uid
1593 || ruid != g_uid
1594 || suid != g_uid
1595 || egid != g_gid
1596 || rgid != g_gid
1597 || sgid != g_gid)
1598 supR3HardenedFatal("SUPR3HardenedMain: failed to drop root privileges!"
1599 " (euid=%d ruid=%d suid=%d egid=%d rgid=%d sgid=%d; wanted uid=%d and gid=%d)\n",
1600 euid, ruid, suid, egid, rgid, sgid, g_uid, g_gid);
1601
1602# if RT_OS_LINUX
1603 /*
1604 * Re-enable the cap_net_raw capability which was disabled during setresuid.
1605 */
1606 if (g_uCaps != 0)
1607 {
1608# ifdef USE_LIB_PCAP
1609 /** @todo Warn if that does not work? */
1610 /* XXX cap_net_bind_service */
1611 cap_set_proc(cap_from_text("cap_net_raw+ep"));
1612# else
1613 cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
1614 cap_user_data_t cap = (cap_user_data_t)alloca(sizeof(*cap));
1615 memset(hdr, 0, sizeof(*hdr));
1616 hdr->version = _LINUX_CAPABILITY_VERSION;
1617 memset(cap, 0, sizeof(*cap));
1618 cap->effective = g_uCaps;
1619 cap->permitted = g_uCaps;
1620 /** @todo Warn if that does not work? */
1621 capset(hdr, cap);
1622# endif /* !USE_LIB_PCAP */
1623 }
1624# endif
1625}
1626
1627#endif /* SUP_HARDENED_SUID */
1628
1629/**
1630 * Loads the VBoxRT DLL/SO/DYLIB, hands it the open driver,
1631 * and calls RTR3InitEx.
1632 *
1633 * @param fFlags The SUPR3HardenedMain fFlags argument, passed to supR3PreInit.
1634 *
1635 * @remarks VBoxRT contains both IPRT and SUPR3.
1636 * @remarks This function will not return on failure.
1637 */
1638static void supR3HardenedMainInitRuntime(uint32_t fFlags)
1639{
1640 /*
1641 * Construct the name.
1642 */
1643 char szPath[RTPATH_MAX];
1644 supR3HardenedPathAppSharedLibs(szPath, sizeof(szPath) - sizeof("/VBoxRT" SUPLIB_DLL_SUFF));
1645 suplibHardenedStrCat(szPath, "/VBoxRT" SUPLIB_DLL_SUFF);
1646
1647 /*
1648 * Open it and resolve the symbols.
1649 */
1650#if defined(RT_OS_WINDOWS)
1651 HMODULE hMod = (HMODULE)supR3HardenedWinLoadLibrary(szPath, false /*fSystem32Only*/, g_fSupHardenedMain);
1652 if (!hMod)
1653 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
1654 "LoadLibrary \"%s\" failed (rc=%d)",
1655 szPath, RtlGetLastWin32Error());
1656 PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)GetProcAddress(hMod, SUP_HARDENED_SYM("RTR3InitEx"));
1657 if (!pfnRTInitEx)
1658 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
1659 "Entrypoint \"RTR3InitEx\" not found in \"%s\" (rc=%d)",
1660 szPath, RtlGetLastWin32Error());
1661
1662 PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)GetProcAddress(hMod, SUP_HARDENED_SYM("supR3PreInit"));
1663 if (!pfnSUPPreInit)
1664 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
1665 "Entrypoint \"supR3PreInit\" not found in \"%s\" (rc=%d)",
1666 szPath, RtlGetLastWin32Error());
1667
1668 g_pfnRTLogRelPrintf = (PFNRTLOGRELPRINTF)GetProcAddress(hMod, SUP_HARDENED_SYM("RTLogRelPrintf"));
1669 Assert(g_pfnRTLogRelPrintf); /* Not fatal in non-strict builds. */
1670
1671#else
1672 /* the dlopen crowd */
1673 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
1674 if (!pvMod)
1675 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
1676 "dlopen(\"%s\",) failed: %s",
1677 szPath, dlerror());
1678 PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("RTR3InitEx"));
1679 if (!pfnRTInitEx)
1680 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
1681 "Entrypoint \"RTR3InitEx\" not found in \"%s\"!\ndlerror: %s",
1682 szPath, dlerror());
1683 PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("supR3PreInit"));
1684 if (!pfnSUPPreInit)
1685 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
1686 "Entrypoint \"supR3PreInit\" not found in \"%s\"!\ndlerror: %s",
1687 szPath, dlerror());
1688#endif
1689
1690 /*
1691 * Make the calls.
1692 */
1693 supR3HardenedGetPreInitData(&g_SupPreInitData);
1694 int rc = pfnSUPPreInit(&g_SupPreInitData, fFlags);
1695 if (RT_FAILURE(rc))
1696 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
1697 "supR3PreInit failed with rc=%d", rc);
1698 const char *pszExePath = NULL;
1699#ifdef RT_OS_LINUX
1700 if (!supR3HardenedMainIsProcSelfExeAccssible())
1701 pszExePath = g_szSupLibHardenedExePath;
1702#endif
1703 rc = pfnRTInitEx(RTR3INIT_VER_1,
1704 fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV ? 0 : RTR3INIT_FLAGS_SUPLIB,
1705 0 /*cArgs*/, NULL /*papszArgs*/, pszExePath);
1706 if (RT_FAILURE(rc))
1707 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
1708 "RTR3InitEx failed with rc=%d", rc);
1709
1710#if defined(RT_OS_WINDOWS)
1711 /*
1712 * Windows: Create thread that terminates the process when the parent stub
1713 * process terminates (VBoxNetDHCP, Ctrl-C, etc).
1714 */
1715 if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
1716 supR3HardenedWinCreateParentWatcherThread(hMod);
1717#endif
1718}
1719
1720
1721/**
1722 * Construct the path to the DLL/SO/DYLIB containing the actual program.
1723 *
1724 * @returns VBox status code.
1725 * @param pszProgName The program name.
1726 * @param fMainFlags The flags passed to SUPR3HardenedMain.
1727 * @param pszPath The output buffer.
1728 * @param cbPath The size of the output buffer, in bytes. Must be at
1729 * least 128 bytes!
1730 */
1731static int supR3HardenedMainGetTrustedLib(const char *pszProgName, uint32_t fMainFlags, char *pszPath, size_t cbPath)
1732{
1733 supR3HardenedPathAppPrivateArch(pszPath, sizeof(cbPath) - 10);
1734 const char *pszSubDirSlash;
1735 switch (g_fSupHardenedMain & SUPSECMAIN_FLAGS_LOC_MASK)
1736 {
1737 case SUPSECMAIN_FLAGS_LOC_APP_BIN:
1738 pszSubDirSlash = "/";
1739 break;
1740 case SUPSECMAIN_FLAGS_LOC_TESTCASE:
1741 pszSubDirSlash = "/testcase/";
1742 break;
1743 default:
1744 pszSubDirSlash = "/";
1745 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Unknown program binary location: %#x\n", g_fSupHardenedMain);
1746 }
1747#ifdef RT_OS_DARWIN
1748 if (fMainFlags & SUPSECMAIN_FLAGS_OSX_VM_APP)
1749 pszProgName = "VirtualBox";
1750#endif
1751 size_t cch = suplibHardenedStrLen(pszPath);
1752 return suplibHardenedStrCopyEx(&pszPath[cch], cbPath - cch, pszSubDirSlash, pszProgName, SUPLIB_DLL_SUFF, NULL);
1753}
1754
1755
1756/**
1757 * Loads the DLL/SO/DYLIB containing the actual program and
1758 * resolves the TrustedError symbol.
1759 *
1760 * This is very similar to supR3HardenedMainGetTrustedMain().
1761 *
1762 * @returns Pointer to the trusted error symbol if it is exported, NULL
1763 * and no error messages otherwise.
1764 * @param pszProgName The program name.
1765 */
1766static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName)
1767{
1768 /*
1769 * Don't bother if the main() function didn't advertise any TrustedError
1770 * export. It's both a waste of time and may trigger additional problems,
1771 * confusing or obscuring the original issue.
1772 */
1773 if (!(g_fSupHardenedMain & SUPSECMAIN_FLAGS_TRUSTED_ERROR))
1774 return NULL;
1775
1776 /*
1777 * Construct the name.
1778 */
1779 char szPath[RTPATH_MAX];
1780 supR3HardenedMainGetTrustedLib(pszProgName, g_fSupHardenedMain, szPath, sizeof(szPath));
1781
1782 /*
1783 * Open it and resolve the symbol.
1784 */
1785#if defined(RT_OS_WINDOWS)
1786 supR3HardenedWinEnableThreadCreation();
1787 HMODULE hMod = (HMODULE)supR3HardenedWinLoadLibrary(szPath, false /*fSystem32Only*/, 0 /*fMainFlags*/);
1788 if (!hMod)
1789 return NULL;
1790 FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedError"));
1791 if (!pfn)
1792 return NULL;
1793 return (PFNSUPTRUSTEDERROR)pfn;
1794
1795#else
1796 /* the dlopen crowd */
1797 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
1798 if (!pvMod)
1799 return NULL;
1800 void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedError"));
1801 if (!pvSym)
1802 return NULL;
1803 return (PFNSUPTRUSTEDERROR)(uintptr_t)pvSym;
1804#endif
1805}
1806
1807
1808/**
1809 * Loads the DLL/SO/DYLIB containing the actual program and
1810 * resolves the TrustedMain symbol.
1811 *
1812 * @returns Pointer to the trusted main of the actual program.
1813 * @param pszProgName The program name.
1814 * @param fMainFlags The flags passed to SUPR3HardenedMain.
1815 * @remarks This function will not return on failure.
1816 */
1817static PFNSUPTRUSTEDMAIN supR3HardenedMainGetTrustedMain(const char *pszProgName, uint32_t fMainFlags)
1818{
1819 /*
1820 * Construct the name.
1821 */
1822 char szPath[RTPATH_MAX];
1823 supR3HardenedMainGetTrustedLib(pszProgName, fMainFlags, szPath, sizeof(szPath));
1824
1825 /*
1826 * Open it and resolve the symbol.
1827 */
1828#if defined(RT_OS_WINDOWS)
1829 HMODULE hMod = (HMODULE)supR3HardenedWinLoadLibrary(szPath, false /*fSystem32Only*/, 0 /*fMainFlags*/);
1830 if (!hMod)
1831 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: LoadLibrary \"%s\" failed, rc=%d\n",
1832 szPath, RtlGetLastWin32Error());
1833 FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedMain"));
1834 if (!pfn)
1835 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\" (rc=%d)\n",
1836 szPath, RtlGetLastWin32Error());
1837 return (PFNSUPTRUSTEDMAIN)pfn;
1838
1839#else
1840 /* the dlopen crowd */
1841 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
1842 if (!pvMod)
1843 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: dlopen(\"%s\",) failed: %s\n",
1844 szPath, dlerror());
1845 void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedMain"));
1846 if (!pvSym)
1847 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\"!\ndlerror: %s\n",
1848 szPath, dlerror());
1849 return (PFNSUPTRUSTEDMAIN)(uintptr_t)pvSym;
1850#endif
1851}
1852
1853
1854/**
1855 * Secure main.
1856 *
1857 * This is used for the set-user-ID-on-execute binaries on unixy systems
1858 * and when using the open-vboxdrv-via-root-service setup on Windows.
1859 *
1860 * This function will perform the integrity checks of the VirtualBox
1861 * installation, open the support driver, open the root service (later),
1862 * and load the DLL corresponding to \a pszProgName and execute its main
1863 * function.
1864 *
1865 * @returns Return code appropriate for main().
1866 *
1867 * @param pszProgName The program name. This will be used to figure out which
1868 * DLL/SO/DYLIB to load and execute.
1869 * @param fFlags Flags.
1870 * @param argc The argument count.
1871 * @param argv The argument vector.
1872 * @param envp The environment vector.
1873 */
1874DECLHIDDEN(int) SUPR3HardenedMain(const char *pszProgName, uint32_t fFlags, int argc, char **argv, char **envp)
1875{
1876 SUP_DPRINTF(("SUPR3HardenedMain: pszProgName=%s fFlags=%#x\n", pszProgName, fFlags));
1877 g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_HARDENED_MAIN_CALLED;
1878
1879 /*
1880 * Note! At this point there is no IPRT, so we will have to stick
1881 * to basic CRT functions that everyone agree upon.
1882 */
1883 g_pszSupLibHardenedProgName = pszProgName;
1884 g_fSupHardenedMain = fFlags;
1885 g_SupPreInitData.u32Magic = SUPPREINITDATA_MAGIC;
1886 g_SupPreInitData.u32EndMagic = SUPPREINITDATA_MAGIC;
1887#ifdef RT_OS_WINDOWS
1888 if (!g_fSupEarlyProcessInit)
1889#endif
1890 g_SupPreInitData.Data.hDevice = SUP_HDEVICE_NIL;
1891
1892 /*
1893 * Determine the full exe path as we'll be needing it for the verify all
1894 * call(s) below. (We have to do this early on Linux because we * *might*
1895 * not be able to access /proc/self/exe after the seteuid call.)
1896 */
1897 supR3HardenedGetFullExePath();
1898#ifdef RT_OS_WINDOWS
1899 supR3HardenedWinInitAppBin(fFlags);
1900#endif
1901
1902#ifdef SUP_HARDENED_SUID
1903 /*
1904 * Grab any options from the environment.
1905 */
1906 supR3GrabOptions();
1907
1908 /*
1909 * Check that we're root, if we aren't then the installation is butchered.
1910 */
1911 g_uid = getuid();
1912 g_gid = getgid();
1913 if (geteuid() != 0 /* root */)
1914 supR3HardenedFatalMsg("SUPR3HardenedMain", kSupInitOp_RootCheck, VERR_PERMISSION_DENIED,
1915 "Effective UID is not root (euid=%d egid=%d uid=%d gid=%d)",
1916 geteuid(), getegid(), g_uid, g_gid);
1917#endif /* SUP_HARDENED_SUID */
1918
1919#ifdef RT_OS_WINDOWS
1920 /*
1921 * Windows: First respawn. On Windows we will respawn the process twice to establish
1922 * something we can put some kind of reliable trust in. The first respawning aims
1923 * at dropping compatibility layers and process "security" solutions.
1924 */
1925 if ( !g_fSupEarlyProcessInit
1926 && !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV)
1927 && supR3HardenedWinIsReSpawnNeeded(1 /*iWhich*/, argc, argv))
1928 {
1929 SUP_DPRINTF(("SUPR3HardenedMain: Respawn #1\n"));
1930 supR3HardenedWinInit(SUPSECMAIN_FLAGS_DONT_OPEN_DEV, false /*fAvastKludge*/);
1931 supR3HardenedVerifyAll(true /* fFatal */, pszProgName, g_szSupLibHardenedExePath, fFlags);
1932 return supR3HardenedWinReSpawn(1 /*iWhich*/);
1933 }
1934
1935 /*
1936 * Windows: Initialize the image verification global data so we can verify the
1937 * signature of the process image and hook the core of the DLL loader API so we
1938 * can check the signature of all DLLs mapped into the process. (Already done
1939 * by early VM process init.)
1940 */
1941 if (!g_fSupEarlyProcessInit)
1942 supR3HardenedWinInit(fFlags, true /*fAvastKludge*/);
1943#endif /* RT_OS_WINDOWS */
1944
1945 /*
1946 * Validate the installation.
1947 */
1948 supR3HardenedVerifyAll(true /* fFatal */, pszProgName, g_szSupLibHardenedExePath, fFlags);
1949
1950 /*
1951 * The next steps are only taken if we actually need to access the support
1952 * driver. (Already done by early process init.)
1953 */
1954 if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
1955 {
1956#ifdef RT_OS_WINDOWS
1957 /*
1958 * Windows: Must have done early process init if we get here.
1959 */
1960 if (!g_fSupEarlyProcessInit)
1961 supR3HardenedFatalMsg("SUPR3HardenedMain", kSupInitOp_Integrity, VERR_WRONG_ORDER,
1962 "Early process init was somehow skipped.");
1963
1964 /*
1965 * Windows: The second respawn. This time we make a special arrangement
1966 * with vboxdrv to monitor access to the new process from its inception.
1967 */
1968 if (supR3HardenedWinIsReSpawnNeeded(2 /* iWhich*/, argc, argv))
1969 {
1970 SUP_DPRINTF(("SUPR3HardenedMain: Respawn #2\n"));
1971 return supR3HardenedWinReSpawn(2 /* iWhich*/);
1972 }
1973 SUP_DPRINTF(("SUPR3HardenedMain: Final process, opening VBoxDrv...\n"));
1974 supR3HardenedWinFlushLoaderCache();
1975
1976#else
1977 /*
1978 * Open the vboxdrv device.
1979 */
1980 supR3HardenedMainOpenDevice();
1981#endif /* !RT_OS_WINDOWS */
1982 }
1983
1984#ifdef RT_OS_WINDOWS
1985 /*
1986 * Windows: Enable the use of windows APIs to verify images at load time.
1987 */
1988 supR3HardenedWinEnableThreadCreation();
1989 supR3HardenedWinFlushLoaderCache();
1990 supR3HardenedWinResolveVerifyTrustApiAndHookThreadCreation(g_pszSupLibHardenedProgName);
1991 g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_VERIFY_TRUST_READY;
1992#endif
1993
1994#ifdef SUP_HARDENED_SUID
1995 /*
1996 * Grab additional capabilities / privileges.
1997 */
1998 supR3HardenedMainGrabCapabilites();
1999
2000 /*
2001 * Drop any root privileges we might be holding (won't return on failure)
2002 */
2003 supR3HardenedMainDropPrivileges();
2004#endif
2005
2006 /*
2007 * Load the IPRT, hand the SUPLib part the open driver and
2008 * call RTR3InitEx.
2009 */
2010 SUP_DPRINTF(("SUPR3HardenedMain: Load Runtime...\n"));
2011 g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_INIT_RUNTIME;
2012 supR3HardenedMainInitRuntime(fFlags);
2013#ifdef RT_OS_WINDOWS
2014 supR3HardenedWinModifyDllSearchPath(fFlags, g_szSupLibHardenedAppBinPath);
2015#endif
2016
2017 /*
2018 * Load the DLL/SO/DYLIB containing the actual program
2019 * and pass control to it.
2020 */
2021 SUP_DPRINTF(("SUPR3HardenedMain: Load TrustedMain...\n"));
2022 g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_GET_TRUSTED_MAIN;
2023 PFNSUPTRUSTEDMAIN pfnTrustedMain = supR3HardenedMainGetTrustedMain(pszProgName, fFlags);
2024
2025 SUP_DPRINTF(("SUPR3HardenedMain: Calling TrustedMain (%p)...\n", pfnTrustedMain));
2026 g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_CALLED_TRUSTED_MAIN;
2027 return pfnTrustedMain(argc, argv, envp);
2028}
2029
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette