SUPR3HardenedVerify.cpp@ 54998

Last change on this file since 54998 was 54453, checked in by vboxsync, 10 years ago
Runtime/testcase: tstRTR0ThreadPreemption rename fixes.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 69.6 KB

Line
1	/* $Id: SUPR3HardenedVerify.cpp 54453 2015-02-24 15:05:45Z vboxsync $ */
2	/** @file
3	* VirtualBox Support Library - Verification of Hardened Installation.
4	*/
5
6	/*
7	* Copyright (C) 2006-2013 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27	/*******************************************************************************
28	* Header Files *
29	*******************************************************************************/
30	#if defined(RT_OS_OS2)
31	# define INCL_BASE
32	# define INCL_ERRORS
33	# include <os2.h>
34	# include <stdio.h>
35	# include <stdlib.h>
36	# include <unistd.h>
37	# include <sys/fcntl.h>
38	# include <sys/errno.h>
39	# include <sys/syslimits.h>
40
41	#elif defined(RT_OS_WINDOWS)
42	# include <iprt/nt/nt-and-windows.h>
43	# ifndef IN_SUP_HARDENED_R3
44	# include <stdio.h>
45	# endif
46
47	#else /* UNIXes */
48	# include <sys/types.h>
49	# include <stdio.h>
50	# include <stdlib.h>
51	# include <dirent.h>
52	# include <dlfcn.h>
53	# include <fcntl.h>
54	# include <limits.h>
55	# include <errno.h>
56	# include <unistd.h>
57	# include <sys/stat.h>
58	# include <sys/time.h>
59	# include <sys/fcntl.h>
60	# include <pwd.h>
61	# ifdef RT_OS_DARWIN
62	# include <mach-o/dyld.h>
63	# endif
64
65	#endif
66
67	#include <VBox/sup.h>
68	#include <VBox/err.h>
69	#include <iprt/asm.h>
70	#include <iprt/ctype.h>
71	#include <iprt/param.h>
72	#include <iprt/path.h>
73	#include <iprt/string.h>
74
75	#include "SUPLibInternal.h"
76	#if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
77	# define SUPHNTVI_NO_NT_STUFF
78	# include "win/SUPHardenedVerify-win.h"
79	#endif
80
81
82	/*******************************************************************************
83	* Defined Constants And Macros *
84	*******************************************************************************/
85	/** The max path length acceptable for a trusted path. */
86	#define SUPR3HARDENED_MAX_PATH 260U
87
88	#ifdef RT_OS_SOLARIS
89	# define dirfd(d) ((d)->d_fd)
90	#endif
91
92	/** Compare table file names with externally supplied names. */
93	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
94	# define SUP_COMP_FILENAME RTStrICmp
95	#else
96	# define SUP_COMP_FILENAME suplibHardenedStrCmp
97	#endif
98
99
100	/*******************************************************************************
101	* Global Variables *
102	*******************************************************************************/
103	/**
104	* The files that gets verified.
105	*
106	* @todo This needs reviewing against the linux packages.
107	* @todo The excessive use of kSupID_SharedLib needs to be reviewed at some point. For
108	* the time being we're building the linux packages with SharedLib pointing to
109	* AppPrivArch (lazy bird).
110	*/
111	static SUPINSTFILE const g_aSupInstallFiles[] =
112	{
113	/* type, dir, fOpt, "pszFile" */
114	/* ---------------------------------------------------------------------- */
115	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
116	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
117	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
118
119	#ifdef VBOX_WITH_RAW_MODE
120	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMGC.gc" },
121	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDGC.gc" },
122	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDD2GC.gc" },
123	#endif
124
125	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
126	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
127	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
128	#if HC_ARCH_BITS == 32
129	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
130	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
131	#endif
132	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
133	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
134	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
135
136	//#ifdef VBOX_WITH_DEBUGGER_GUI
137	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
138	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
139	//#endif
140
141	//#ifdef VBOX_WITH_SHARED_CLIPBOARD
142	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
143	//#endif
144	//#ifdef VBOX_WITH_SHARED_FOLDERS
145	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
146	//#endif
147	//#ifdef VBOX_WITH_DRAG_AND_DROP
148	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
149	//#endif
150	//#ifdef VBOX_WITH_GUEST_PROPS
151	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
152	//#endif
153	//#ifdef VBOX_WITH_GUEST_CONTROL
154	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
155	//#endif
156	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
157	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
158	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
159	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
160	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
161
162	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
163
164	#ifdef VBOX_WITH_MAIN
165	{ kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
166	#ifdef RT_OS_WINDOWS
167	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
168	#else
169	{ kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
170	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
171	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
172	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
173	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
174	{ kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
175	#endif
176	#endif
177
178	{ kSupIFT_Dll, kSupID_SharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
179	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
180	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
181
182	//#ifdef VBOX_WITH_HEADLESS
183	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
184	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
185	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
186	//#endif
187
188	//#ifdef VBOX_WITH_QTGUI
189	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
190	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
191	# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
192	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
193	# endif
194	//#endif
195
196	//#ifdef VBOX_WITH_VBOXSDL
197	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
198	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
199	//#endif
200
201	//#ifdef VBOX_WITH_WEBSERVICES
202	{ kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
203	//#endif
204
205	#ifdef RT_OS_LINUX
206	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
207	#endif
208
209	//#ifdef VBOX_WITH_NETFLT
210	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
211	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
212	//#endif
213
214	//#ifdef VBOX_WITH_LWIP_NAT
215	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
216	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
217	//#endif
218	#if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
219	# define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
220	{ kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
221	{ kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
222	HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
223	HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
224	HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
225	HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
226	HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
227	# define HARDENED_TESTCASE_ENTRY(a_szName) \
228	{ kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
229	{ kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
230	HARDENED_TESTCASE_ENTRY("tstCFGM"),
231	HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
232	HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
233	HARDENED_TESTCASE_ENTRY("tstRTR0ThreadPreemptionDriver"),
234	HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
235	HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
236	HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
237	HARDENED_TESTCASE_ENTRY("tstSSM"),
238	#endif
239	};
240
241
242	/** Array parallel to g_aSupInstallFiles containing per-file status info. */
243	static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
244
245	/** Array index by install directory specifier containing info about verified directories. */
246	static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
247
248
249	/**
250	* Assembles the path to a directory.
251	*
252	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
253	* decides whether it returns or not).
254	*
255	* @param enmDir The directory.
256	* @param pszDst Where to assemble the path.
257	* @param cchDst The size of the buffer.
258	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
259	*/
260	static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
261	{
262	int rc;
263	switch (enmDir)
264	{
265	case kSupID_AppBin: /** @todo fix this AppBin crap (uncertain wtf some binaries actually are installed). */
266	case kSupID_Bin:
267	rc = supR3HardenedPathExecDir(pszDst, cchDst);
268	break;
269	case kSupID_SharedLib:
270	rc = supR3HardenedPathSharedLibs(pszDst, cchDst);
271	break;
272	case kSupID_AppPrivArch:
273	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
274	break;
275	case kSupID_AppPrivArchComp:
276	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
277	if (RT_SUCCESS(rc))
278	{
279	size_t off = suplibHardenedStrLen(pszDst);
280	if (cchDst - off >= sizeof("/components"))
281	suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
282	else
283	rc = VERR_BUFFER_OVERFLOW;
284	}
285	break;
286	case kSupID_AppPrivNoArch:
287	rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
288	break;
289	case kSupID_Testcase:
290	rc = supR3HardenedPathExecDir(pszDst, cchDst);
291	if (RT_SUCCESS(rc))
292	{
293	size_t off = suplibHardenedStrLen(pszDst);
294	if (cchDst - off >= sizeof("/testcase"))
295	suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
296	else
297	rc = VERR_BUFFER_OVERFLOW;
298	}
299	break;
300	default:
301	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
302	"supR3HardenedMakePath: enmDir=%d\n", enmDir);
303	}
304	if (RT_FAILURE(rc))
305	supR3HardenedError(rc, fFatal,
306	"supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
307	return rc;
308	}
309
310
311
312	/**
313	* Assembles the path to a file table entry, with or without the actual filename.
314	*
315	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
316	* decides whether it returns or not).
317	*
318	* @param pFile The file table entry.
319	* @param pszDst Where to assemble the path.
320	* @param cchDst The size of the buffer.
321	* @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
322	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
323	*/
324	static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
325	{
326	/*
327	* Combine supR3HardenedMakePath and the filename.
328	*/
329	int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
330	if (RT_SUCCESS(rc) && fWithFilename)
331	{
332	size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
333	size_t off = suplibHardenedStrLen(pszDst);
334	if (cchDst - off >= cchFile + 2)
335	{
336	pszDst[off++] = '/';
337	suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
338	}
339	else
340	rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
341	"supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
342	pFile->pszFile, (long)off);
343	}
344	return rc;
345	}
346
347
348	/**
349	* Verifies a directory.
350	*
351	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
352	* fFatal is clear and if it's set the function wont return.
353	* @param enmDir The directory specifier.
354	* @param fFatal Whether validation failures should be treated as
355	* fatal (true) or not (false).
356	*/
357	DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
358	{
359	/*
360	* Validate the index just to be on the safe side...
361	*/
362	if (enmDir <= kSupID_Invalid \|\| enmDir >= kSupID_End)
363	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
364	"supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
365
366	/*
367	* Already validated?
368	*/
369	if (g_aSupVerifiedDirs[enmDir].fValidated)
370	return VINF_SUCCESS; /** @todo revalidate? */
371
372	/* initialize the entry. */
373	if (g_aSupVerifiedDirs[enmDir].hDir != 0)
374	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
375	"supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
376	(void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
377	g_aSupVerifiedDirs[enmDir].hDir = -1;
378	g_aSupVerifiedDirs[enmDir].fValidated = false;
379
380	/*
381	* Make the path and open the directory.
382	*/
383	char szPath[RTPATH_MAX];
384	int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
385	if (RT_SUCCESS(rc))
386	{
387	#if defined(RT_OS_WINDOWS)
388	PRTUTF16 pwszPath;
389	rc = RTStrToUtf16(szPath, &pwszPath);
390	if (RT_SUCCESS(rc))
391	{
392	HANDLE hDir = CreateFileW(pwszPath,
393	GENERIC_READ,
394	FILE_SHARE_READ \| FILE_SHARE_DELETE \| FILE_SHARE_WRITE,
395	NULL,
396	OPEN_EXISTING,
397	FILE_ATTRIBUTE_NORMAL \| FILE_FLAG_BACKUP_SEMANTICS,
398	NULL);
399	if (hDir != INVALID_HANDLE_VALUE)
400	{
401	/** @todo check the type */
402	/* That's all on windows, for now at least... */
403	g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
404	g_aSupVerifiedDirs[enmDir].fValidated = true;
405	}
406	else if (enmDir == kSupID_Testcase)
407	{
408	g_aSupVerifiedDirs[enmDir].fValidated = true;
409	rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
410	}
411	else
412	{
413	int err = RtlGetLastWin32Error();
414	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
415	"supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
416	szPath, err);
417	}
418	RTUtf16Free(pwszPath);
419	}
420	else
421	rc = supR3HardenedError(rc, fFatal,
422	"supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
423
424	#else /* UNIXY */
425	int fd = open(szPath, O_RDONLY, 0);
426	if (fd >= 0)
427	{
428	/*
429	* On unixy systems we'll make sure the directory is owned by root
430	* and not writable by the group and user.
431	*/
432	struct stat st;
433	if (!fstat(fd, &st))
434	{
435
436	if ( st.st_uid == 0
437	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
438	&& S_ISDIR(st.st_mode))
439	{
440	g_aSupVerifiedDirs[enmDir].hDir = fd;
441	g_aSupVerifiedDirs[enmDir].fValidated = true;
442	}
443	else
444	{
445	if (!S_ISDIR(st.st_mode))
446	rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
447	"supR3HardenedVerifyDir: \"%s\" is not a directory\n",
448	szPath, (long)st.st_uid);
449	else if (st.st_uid)
450	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
451	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
452	szPath, (long)st.st_uid);
453	else
454	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
455	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
456	szPath, (long)st.st_mode);
457	close(fd);
458	}
459	}
460	else
461	{
462	int err = errno;
463	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
464	"supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
465	szPath, strerror(err), err);
466	close(fd);
467	}
468	}
469	else if (enmDir == kSupID_Testcase)
470	{
471	g_aSupVerifiedDirs[enmDir].fValidated = true;
472	rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
473	}
474	else
475	{
476	int err = errno;
477	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
478	"supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
479	szPath, strerror(err), err);
480	}
481	#endif /* UNIXY */
482	}
483
484	return rc;
485	}
486
487
488	#ifdef RT_OS_WINDOWS
489	/**
490	* Opens the file for verification.
491	*
492	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
493	* fFatal is clear and if it's set the function wont return.
494	* @param pFile The file entry.
495	* @param fFatal Whether validation failures should be treated as
496	* kl fatal (true) or not (false).
497	* @param phFile The file handle, set to -1 if we failed to open
498	* the file. The function may return VINF_SUCCESS
499	* and a -1 handle if the file is optional.
500	*/
501	static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
502	{
503	*phFile = -1;
504
505	char szPath[RTPATH_MAX];
506	int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /fWithFilename/, fFatal);
507	if (RT_SUCCESS(rc))
508	{
509	PRTUTF16 pwszPath;
510	rc = RTStrToUtf16(szPath, &pwszPath);
511	if (RT_SUCCESS(rc))
512	{
513	HANDLE hFile = CreateFileW(pwszPath,
514	GENERIC_READ,
515	FILE_SHARE_READ,
516	NULL,
517	OPEN_EXISTING,
518	FILE_ATTRIBUTE_NORMAL,
519	NULL);
520	if (hFile != INVALID_HANDLE_VALUE)
521	{
522	*phFile = (intptr_t)hFile;
523	rc = VINF_SUCCESS;
524	}
525	else
526	{
527	int err = RtlGetLastWin32Error();
528	if ( !pFile->fOptional
529	\|\| ( err != ERROR_FILE_NOT_FOUND
530	&& (err != ERROR_PATH_NOT_FOUND \|\| pFile->enmDir != kSupID_Testcase) ) )
531	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
532	"supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
533	}
534	RTUtf16Free(pwszPath);
535	}
536	else
537	rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
538	szPath, rc);
539	}
540	return rc;
541	}
542
543
544	/**
545	* Worker for supR3HardenedVerifyFileInternal.
546	*
547	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
548	* fFatal is clear and if it's set the function wont return.
549	* @param pFile The file entry.
550	* @param pVerified The verification record.
551	* @param fFatal Whether validation failures should be treated as
552	* fatal (true) or not (false).
553	* @param fLeaveFileOpen Whether the file should be left open.
554	*/
555	static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
556	{
557	# if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
558
559	/*
560	* Open the file if we have to.
561	*/
562	int rc;
563	intptr_t hFileOpened;
564	intptr_t hFile = pVerified->hFile;
565	if (hFile != -1)
566	hFileOpened = -1;
567	else
568	{
569	rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
570	if (RT_FAILURE(rc))
571	return rc;
572	hFile = hFileOpened;
573	}
574
575	/*
576	* Verify the signature.
577	*/
578	char szErr[1024];
579	RTERRINFO ErrInfo;
580	RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
581
582	uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
583	if (pFile->enmType == kSupIFT_Rc)
584	fFlags \|= SUPHNTVI_F_RC_IMAGE;
585
586	rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
587	if (RT_SUCCESS(rc))
588	pVerified->fCheckedSignature = true;
589	else
590	{
591	pVerified->fCheckedSignature = false;
592	rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
593	pFile->pszFile, rc, szErr);
594
595	}
596
597	/*
598	* Close the handle if we opened the file and we should close it.
599	*/
600	if (hFileOpened != -1)
601	{
602	if (fLeaveFileOpen && RT_SUCCESS(rc))
603	pVerified->hFile = hFileOpened;
604	else
605	NtClose((HANDLE)hFileOpened);
606	}
607
608	return rc;
609
610	# else /* Not checking signatures. */
611	return VINF_SUCCESS;
612	# endif /* Not checking signatures. */
613	}
614	#endif
615
616
617	/**
618	* Verifies a file entry.
619	*
620	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
621	* fFatal is clear and if it's set the function wont return.
622	*
623	* @param iFile The file table index of the file to be verified.
624	* @param fFatal Whether validation failures should be treated as
625	* fatal (true) or not (false).
626	* @param fLeaveFileOpen Whether the file should be left open.
627	* @param fVerifyAll Set if this is an verify all call and we will
628	* postpone signature checking.
629	*/
630	static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
631	{
632	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
633	PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
634
635	/*
636	* Already done validation? Do signature validation if we haven't yet.
637	*/
638	if (pVerified->fValidated)
639	{
640	/** @todo revalidate? Check that the file hasn't been replace or similar. */
641	#ifdef RT_OS_WINDOWS
642	if (!pVerified->fCheckedSignature && !fVerifyAll)
643	return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
644	#endif
645	return VINF_SUCCESS;
646	}
647
648
649	/* initialize the entry. */
650	if (pVerified->hFile != 0)
651	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
652	"supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
653	(void *)pVerified->hFile, pFile->pszFile);
654	pVerified->hFile = -1;
655	pVerified->fValidated = false;
656	#ifdef RT_OS_WINDOWS
657	pVerified->fCheckedSignature = false;
658	#endif
659
660	/*
661	* Verify the directory then proceed to open it.
662	* (This'll make sure the directory is opened and that we can (later)
663	* use openat if we wish.)
664	*/
665	int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
666	if (RT_SUCCESS(rc))
667	{
668	#if defined(RT_OS_WINDOWS)
669	rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
670	if (RT_SUCCESS(rc))
671	{
672	if (!fVerifyAll)
673	rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
674	if (RT_SUCCESS(rc))
675	{
676	pVerified->fValidated = true;
677	if (!fLeaveFileOpen)
678	{
679	NtClose((HANDLE)pVerified->hFile);
680	pVerified->hFile = -1;
681	}
682	}
683	}
684	#else /* !RT_OS_WINDOWS */
685	char szPath[RTPATH_MAX];
686	rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /fWithFilename/, fFatal);
687	if (RT_SUCCESS(rc))
688	{
689	int fd = open(szPath, O_RDONLY, 0);
690	if (fd >= 0)
691	{
692	/*
693	* On unixy systems we'll make sure the file is owned by root
694	* and not writable by the group and user.
695	*/
696	struct stat st;
697	if (!fstat(fd, &st))
698	{
699	if ( st.st_uid == 0
700	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
701	&& S_ISREG(st.st_mode))
702	{
703	/* it's valid. */
704	if (fLeaveFileOpen)
705	pVerified->hFile = fd;
706	else
707	close(fd);
708	pVerified->fValidated = true;
709	}
710	else
711	{
712	if (!S_ISREG(st.st_mode))
713	rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
714	"supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
715	szPath, (long)st.st_uid);
716	else if (st.st_uid)
717	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
718	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
719	szPath, (long)st.st_uid);
720	else
721	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
722	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
723	szPath, (long)st.st_mode);
724	close(fd);
725	}
726	}
727	else
728	{
729	int err = errno;
730	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
731	"supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
732	szPath, strerror(err), err);
733	close(fd);
734	}
735	}
736	else
737	{
738	int err = errno;
739	if (!pFile->fOptional \|\| err != ENOENT)
740	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
741	"supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
742	szPath, strerror(err), err);
743	}
744	}
745	#endif /* !RT_OS_WINDOWS */
746	}
747
748	return rc;
749	}
750
751
752	/**
753	* Verifies that the specified table entry matches the given filename.
754	*
755	* @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
756	* error is returned or we terminate the application.
757	*
758	* @param iFile The file table index.
759	* @param pszFilename The filename.
760	* @param fFatal Whether validation failures should be treated as
761	* fatal (true) or not (false).
762	*/
763	static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
764	{
765	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
766
767	/*
768	* Construct the full path for the file table entry
769	* and compare it with the specified file.
770	*/
771	char szName[RTPATH_MAX];
772	int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
773	if (RT_FAILURE(rc))
774	return rc;
775	if (SUP_COMP_FILENAME(szName, pszFilename))
776	{
777	/*
778	* Normalize the two paths and compare again.
779	*/
780	rc = VERR_NOT_SAME_DEVICE;
781	#if defined(RT_OS_WINDOWS)
782	LPSTR pszIgnored;
783	char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
784	if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
785	&& GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
786	if (!SUP_COMP_FILENAME(szName2, szName))
787	rc = VINF_SUCCESS;
788	#else
789	AssertCompile(RTPATH_MAX >= PATH_MAX);
790	char szName2[RTPATH_MAX];
791	if ( realpath(szName, szName2) != NULL
792	&& realpath(pszFilename, szName) != NULL)
793	if (!SUP_COMP_FILENAME(szName2, szName))
794	rc = VINF_SUCCESS;
795	#endif
796
797	if (RT_FAILURE(rc))
798	{
799	supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
800	return supR3HardenedError(rc, fFatal,
801	"supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
802	pszFilename, szName);
803	}
804	}
805
806	/*
807	* Check more stuff like the stat info if it's an already open file?
808	*/
809
810
811
812	return VINF_SUCCESS;
813	}
814
815
816	/**
817	* Verifies a file.
818	*
819	* @returns VINF_SUCCESS on success.
820	* VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
821	* On verification failure, an error code will be returned when fFatal is clear,
822	* otherwise the program will be terminated.
823	*
824	* @param pszFilename The filename.
825	* @param fFatal Whether validation failures should be treated as
826	* fatal (true) or not (false).
827	*/
828	DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
829	{
830	/*
831	* Lookup the file and check if it's the same file.
832	*/
833	const char *pszName = supR3HardenedPathFilename(pszFilename);
834	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
835	if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
836	{
837	int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
838	if (RT_SUCCESS(rc))
839	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen /, false / fVerifyAll */);
840	return rc;
841	}
842
843	return VERR_NOT_FOUND;
844	}
845
846
847	/**
848	* Verifies a program, worker for supR3HardenedVerifyAll.
849	*
850	* @returns See supR3HardenedVerifyAll.
851	* @param pszProgName See supR3HardenedVerifyAll.
852	* @param fFatal See supR3HardenedVerifyAll.
853	* @param fLeaveOpen The leave open setting used by
854	* supR3HardenedVerifyAll.
855	*/
856	static int supR3HardenedVerifyProgram(const char *pszProgName, bool fFatal, bool fLeaveOpen)
857	{
858	/*
859	* Search the table looking for the executable and the DLL/DYLIB/SO.
860	*/
861	int rc = VINF_SUCCESS;
862	bool fExe = false;
863	bool fDll = false;
864	size_t const cchProgName = suplibHardenedStrLen(pszProgName);
865	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
866	if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgName))
867	{
868	if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
869	\|\| g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
870	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_DLL_SUFF))
871	{
872	/* This only has to be found (once). */
873	if (fDll)
874	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
875	"supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
876	else
877	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
878	true /* fVerifyAll - check sign later, only final process need check it on load. */);
879	fDll = true;
880	}
881	else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
882	\|\| g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
883	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_EXE_SUFF))
884	{
885	/* Here we'll have to check that the specific program is the same as the entry. */
886	if (fExe)
887	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
888	"supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
889	else
890	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
891	fExe = true;
892
893	char szFilename[RTPATH_MAX];
894	int rc2 = supR3HardenedPathExecDir(szFilename, sizeof(szFilename) - cchProgName - sizeof(SUPLIB_EXE_SUFF));
895	if (RT_SUCCESS(rc2))
896	{
897	suplibHardenedStrCat(szFilename, "/");
898	suplibHardenedStrCat(szFilename, g_aSupInstallFiles[iFile].pszFile);
899	supR3HardenedVerifySameFile(iFile, szFilename, fFatal);
900	}
901	else
902	rc = supR3HardenedError(rc2, fFatal,
903	"supR3HardenedVerifyProgram: failed to query program path: rc=%d\n", rc2);
904	}
905	}
906
907	/*
908	* Check the findings.
909	*/
910	if (RT_SUCCESS(rc))
911	{
912	if (!fDll && !fExe)
913	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
914	"supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
915	else if (!fExe)
916	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
917	"supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
918	else if (!fDll)
919	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
920	"supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
921	}
922	return rc;
923	}
924
925
926	/**
927	* Verifies all the known files (called from SUPR3HardenedMain).
928	*
929	* @returns VINF_SUCCESS on success.
930	* On verification failure, an error code will be returned when fFatal is clear,
931	* otherwise the program will be terminated.
932	*
933	* @param fFatal Whether validation failures should be treated as
934	* fatal (true) or not (false).
935	* @param pszProgName The program name. This is used to verify that
936	* both the executable and corresponding
937	* DLL/DYLIB/SO are valid.
938	*/
939	DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char *pszProgName)
940	{
941	/*
942	* On windows
943	*/
944	#if defined(RT_OS_WINDOWS)
945	bool fLeaveOpen = true;
946	#else
947	bool fLeaveOpen = false;
948	#endif
949
950	/*
951	* The verify all the files.
952	*/
953	int rc = VINF_SUCCESS;
954	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
955	{
956	int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
957	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
958	rc = rc2;
959	}
960
961	/*
962	* Verify the program name, that is to say, check that it's in the table
963	* (thus verified above) and verify the signature on platforms where we
964	* sign things.
965	*/
966	int rc2 = supR3HardenedVerifyProgram(pszProgName, fFatal, fLeaveOpen);
967	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
968	rc2 = rc;
969
970	return rc;
971	}
972
973
974	/**
975	* Copies the N messages into the error buffer and returns @a rc.
976	*
977	* @returns Returns @a rc
978	* @param rc The return code.
979	* @param pErrInfo The error info structure.
980	* @param cMsgs The number of messages in the ellipsis.
981	* @param ... Message parts.
982	*/
983	static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
984	{
985	if (pErrInfo)
986	{
987	size_t cbErr = pErrInfo->cbMsg;
988	char *pszErr = pErrInfo->pszMsg;
989
990	va_list va;
991	va_start(va, cMsgs);
992	while (cMsgs-- > 0 && cbErr > 0)
993	{
994	const char pszMsg = va_arg(va, const char );
995	size_t cchMsg = VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
996	if (cchMsg >= cbErr)
997	cchMsg = cbErr - 1;
998	suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
999	pszErr[cchMsg] = '\0';
1000	pszErr += cchMsg;
1001	cbErr -= cchMsg;
1002	}
1003	va_end(va);
1004
1005	pErrInfo->rc = rc;
1006	pErrInfo->fFlags \|= RTERRINFO_FLAGS_SET;
1007	}
1008
1009	return rc;
1010	}
1011
1012
1013	/**
1014	* Copies the three messages into the error buffer and returns @a rc.
1015	*
1016	* @returns Returns @a rc
1017	* @param rc The return code.
1018	* @param pErrInfo The error info structure.
1019	* @param pszMsg1 The first message part.
1020	* @param pszMsg2 The second message part.
1021	* @param pszMsg3 The third message part.
1022	*/
1023	static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1024	const char pszMsg2, const char pszMsg3)
1025	{
1026	return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
1027	}
1028
1029	#ifdef SOME_UNUSED_FUNCTION
1030
1031	/**
1032	* Copies the two messages into the error buffer and returns @a rc.
1033	*
1034	* @returns Returns @a rc
1035	* @param rc The return code.
1036	* @param pErrInfo The error info structure.
1037	* @param pszMsg1 The first message part.
1038	* @param pszMsg2 The second message part.
1039	*/
1040	static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1041	const char *pszMsg2)
1042	{
1043	return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
1044	}
1045
1046
1047	/**
1048	* Copies the error message to the error buffer and returns @a rc.
1049	*
1050	* @returns Returns @a rc
1051	* @param rc The return code.
1052	* @param pErrInfo The error info structure.
1053	* @param pszMsg The message.
1054	*/
1055	static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
1056	{
1057	return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
1058	}
1059
1060	#endif /* SOME_UNUSED_FUNCTION */
1061
1062	/**
1063	* Output from a successfull supR3HardenedVerifyPathSanity call.
1064	*/
1065	typedef struct SUPR3HARDENEDPATHINFO
1066	{
1067	/** The length of the path in szCopy. */
1068	uint16_t cch;
1069	/** The number of path components. */
1070	uint16_t cComponents;
1071	/** Set if the path ends with slash, indicating that it's a directory
1072	* reference and not a file reference. The slash has been removed from
1073	* the copy. */
1074	bool fDirSlash;
1075	/** The offset where each path component starts, i.e. the char after the
1076	* slash. The array has cComponents + 1 entries, where the final one is
1077	* cch + 1 so that one can always terminate the current component by
1078	* szPath[aoffComponent[i] - 1] = '\0'. */
1079	uint16_t aoffComponents[32+1];
1080	/** A normalized copy of the path.
1081	* Reserve some extra space so we can be more relaxed about overflow
1082	* checks and terminator paddings, especially when recursing. */
1083	char szPath[SUPR3HARDENED_MAX_PATH * 2];
1084	} SUPR3HARDENEDPATHINFO;
1085	/** Pointer to a parsed path. */
1086	typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
1087
1088
1089	/**
1090	* Verifies that the path is absolutely sane, it also parses the path.
1091	*
1092	* A sane path starts at the root (w/ drive letter on DOS derived systems) and
1093	* does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
1094	* Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
1095	* paths are not supported.
1096	*
1097	* @returns VBox status code.
1098	* @param pszPath The path to check.
1099	* @param pErrInfo The error info structure.
1100	* @param pInfo Where to return a copy of the path along with
1101	* parsing information.
1102	*/
1103	static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
1104	{
1105	const char *pszSrc = pszPath;
1106	char *pszDst = pInfo->szPath;
1107
1108	/*
1109	* Check that it's an absolute path and copy the volume/root specifier.
1110	*/
1111	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
1112	if ( !RT_C_IS_ALPHA(pszSrc[0])
1113	\|\| pszSrc[1] != ':'
1114	\|\| !RTPATH_IS_SLASH(pszSrc[2]))
1115	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1116
1117	*pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
1118	*pszDst++ = ':';
1119	*pszDst++ = RTPATH_SLASH;
1120	pszSrc += 3;
1121
1122	#else
1123	if (!RTPATH_IS_SLASH(pszSrc[0]))
1124	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1125
1126	*pszDst++ = RTPATH_SLASH;
1127	pszSrc += 1;
1128	#endif
1129
1130	/*
1131	* No path specifying the root or something very shortly thereafter will
1132	* be approved of.
1133	*/
1134	if (pszSrc[0] == '\0')
1135	return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
1136	if ( pszSrc[1] == '\0'
1137	\|\| pszSrc[2] == '\0')
1138	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
1139
1140	/*
1141	* Check each component. No parent references or double slashes.
1142	*/
1143	pInfo->cComponents = 0;
1144	pInfo->fDirSlash = false;
1145	while (pszSrc[0])
1146	{
1147	/* Sanity checks. */
1148	if (RTPATH_IS_SLASH(pszSrc[0])) /* can be relaxed if we care. */
1149	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
1150	"The path is not clean of double slashes: '", pszPath, "'");
1151	if ( pszSrc[0] == '.'
1152	&& pszSrc[1] == '.'
1153	&& RTPATH_IS_SLASH(pszSrc[2]))
1154	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
1155	"The path is not absolute: '", pszPath, "'");
1156
1157	/* Record the start of the component. */
1158	if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
1159	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
1160	"The path has too many components: '", pszPath, "'");
1161	pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
1162
1163	/* Traverse to the end of the component, copying it as we go along. */
1164	while (pszSrc[0])
1165	{
1166	if (RTPATH_IS_SLASH(pszSrc[0]))
1167	{
1168	pszSrc++;
1169	if (*pszSrc)
1170	*pszDst++ = RTPATH_SLASH;
1171	else
1172	pInfo->fDirSlash = true;
1173	break;
1174	}
1175	pszDst++ = pszSrc++;
1176	if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
1177	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1178	"The path is too long: '", pszPath, "'");
1179	}
1180	}
1181
1182	/* Terminate the string and enter its length. */
1183	pszDst[0] = '\0';
1184	pszDst[1] = '\0'; /* for aoffComponents */
1185	pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
1186	pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
1187
1188	return VINF_SUCCESS;
1189	}
1190
1191
1192	/**
1193	* The state information collected by supR3HardenedVerifyFsObject.
1194	*
1195	* This can be used to verify that a directory we've opened for enumeration is
1196	* the same as the one that supR3HardenedVerifyFsObject just verified. It can
1197	* equally be used to verify a native specfied by the user.
1198	*/
1199	typedef struct SUPR3HARDENEDFSOBJSTATE
1200	{
1201	#ifdef RT_OS_WINDOWS
1202	/** Not implemented for windows yet. */
1203	char chTodo;
1204	#else
1205	/** The stat output. */
1206	struct stat Stat;
1207	#endif
1208	} SUPR3HARDENEDFSOBJSTATE;
1209	/** Pointer to a file system object state. */
1210	typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1211	/** Pointer to a const file system object state. */
1212	typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1213
1214
1215	/**
1216	* Query information about a file system object by path.
1217	*
1218	* @returns VBox status code, error buffer filled on failure.
1219	* @param pszPath The path to the object.
1220	* @param pFsObjState Where to return the state information.
1221	* @param pErrInfo The error info structure.
1222	*/
1223	static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1224	{
1225	#if defined(RT_OS_WINDOWS)
1226	/** @todo Windows hardening. */
1227	pFsObjState->chTodo = 0;
1228	return VINF_SUCCESS;
1229
1230	#else
1231	/*
1232	* Stat the object, do not follow links.
1233	*/
1234	if (lstat(pszPath, &pFsObjState->Stat) != 0)
1235	{
1236	/* Ignore access errors */
1237	if (errno != EACCES)
1238	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1239	5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1240	}
1241
1242	/*
1243	* Read ACLs.
1244	*/
1245	/** @todo */
1246
1247	return VINF_SUCCESS;
1248	#endif
1249	}
1250
1251
1252	/**
1253	* Query information about a file system object by native handle.
1254	*
1255	* @returns VBox status code, error buffer filled on failure.
1256	* @param hNative The native handle to the object @a pszPath
1257	* specifies and this should be verified to be the
1258	* same file system object.
1259	* @param pFsObjState Where to return the state information.
1260	* @param pszPath The path to the object. (For the error message
1261	* only.)
1262	* @param pErrInfo The error info structure.
1263	*/
1264	static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1265	char const *pszPath, PRTERRINFO pErrInfo)
1266	{
1267	#if defined(RT_OS_WINDOWS)
1268	/** @todo Windows hardening. */
1269	pFsObjState->chTodo = 0;
1270	return VINF_SUCCESS;
1271
1272	#else
1273	/*
1274	* Stat the object, do not follow links.
1275	*/
1276	if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1277	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1278	5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1279
1280	/*
1281	* Read ACLs.
1282	*/
1283	/** @todo */
1284
1285	return VINF_SUCCESS;
1286	#endif
1287	}
1288
1289
1290	/**
1291	* Verifies that the file system object indicated by the native handle is the
1292	* same as the one @a pFsObjState indicates.
1293	*
1294	* @returns VBox status code, error buffer filled on failure.
1295	* @param pFsObjState1 File system object information/state by path.
1296	* @param pFsObjState2 File system object information/state by handle.
1297	* @param pszPath The path to the object @a pFsObjState
1298	* describes. (For the error message.)
1299	* @param pErrInfo The error info structure.
1300	*/
1301	static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1302	const char *pszPath, PRTERRINFO pErrInfo)
1303	{
1304	#if defined(RT_OS_WINDOWS)
1305	/** @todo Windows hardening. */
1306	return VINF_SUCCESS;
1307
1308	#elif defined(RT_OS_OS2)
1309	return VINF_SUCCESS;
1310
1311	#else
1312	/*
1313	* Compare the ino+dev, then the uid+gid and finally the important mode
1314	* bits. Technically the first one should be enough, but we're paranoid.
1315	*/
1316	if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1317	\|\| pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1318	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1319	"The native handle is not the same as '", pszPath, "' (ino/dev)");
1320	if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1321	\|\| pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1322	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1323	"The native handle is not the same as '", pszPath, "' (uid/gid)");
1324	if ( (pFsObjState1->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH))
1325	!= (pFsObjState2->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH)))
1326	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1327	"The native handle is not the same as '", pszPath, "' (mode)");
1328	return VINF_SUCCESS;
1329	#endif
1330	}
1331
1332
1333	/**
1334	* Verifies a file system object (file or directory).
1335	*
1336	* @returns VBox status code, error buffer filled on failure.
1337	* @param pFsObjState The file system object information/state to be
1338	* verified.
1339	* @param fDir Whether this is a directory or a file.
1340	* @param fRelaxed Whether we can be more relaxed about this
1341	* directory (only used for grand parent
1342	* directories).
1343	* @param pszPath The path to the object. For error messages and
1344	* securing a couple of hacks.
1345	* @param pErrInfo The error info structure.
1346	*/
1347	static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1348	const char *pszPath, PRTERRINFO pErrInfo)
1349	{
1350	#if defined(RT_OS_WINDOWS)
1351	/** @todo Windows hardening. */
1352	NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1353	return VINF_SUCCESS;
1354
1355	#elif defined(RT_OS_OS2)
1356	/* No hardening here - it's a single user system. */
1357	NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1358	return VINF_SUCCESS;
1359
1360	#else
1361	/*
1362	* The owner must be root.
1363	*
1364	* This can be extended to include predefined system users if necessary.
1365	*/
1366	if (pFsObjState->Stat.st_uid != 0)
1367	return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1368
1369	/*
1370	* The object type must be directory or file, no symbolic links or other
1371	* risky stuff (sorry dude, but we're paranoid on purpose here).
1372	*/
1373	if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1374	&& !S_ISREG(pFsObjState->Stat.st_mode))
1375	{
1376	if (S_ISLNK(pFsObjState->Stat.st_mode))
1377	return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1378	"Symlinks are not permitted: '", pszPath, "'");
1379	return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1380	"Not regular file or directory: '", pszPath, "'");
1381	}
1382	if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1383	{
1384	if (S_ISDIR(pFsObjState->Stat.st_mode))
1385	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1386	"Expected file but found directory: '", pszPath, "'");
1387	return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1388	"Expected directory but found file: '", pszPath, "'");
1389	}
1390
1391	/*
1392	* The group does not matter if it does not have write access, if it has
1393	* write access it must be group 0 (root/wheel/whatever).
1394	*
1395	* This can be extended to include predefined system groups or groups that
1396	* only root is member of.
1397	*/
1398	if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1399	&& pFsObjState->Stat.st_gid != 0)
1400	{
1401	#ifdef RT_OS_DARWIN
1402	/* HACK ALERT: On Darwin /Applications is root:admin with admin having
1403	full access. So, to work around we relax the hardening a bit and
1404	permit grand parents and beyond to be group writable by admin. */
1405	/** @todo dynamically resolve the admin group? */
1406	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 80 /admin/ \|\| suplibHardenedStrCmp(pszPath, "/Applications");
1407
1408	#elif defined(RT_OS_FREEBSD)
1409	/* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1410	similar to /Applications on OS X (see above).
1411	On FreeBSD root is normally the only member of this group, on
1412	PC-BSD the default user is a member. */
1413	/** @todo dynamically resolve the operator group? */
1414	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 5 /operator/ \|\| suplibHardenedStrCmp(pszPath, "/usr/pbi");
1415	NOREF(fRelaxed);
1416	#else
1417	NOREF(fRelaxed);
1418	bool fBad = true;
1419	#endif
1420	if (fBad)
1421	return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1422	"An unknown (and thus untrusted) group has write access to '", pszPath,
1423	"' and we therefore cannot trust the directory content or that of any subdirectory");
1424	}
1425
1426	/*
1427	* World must not have write access. There is no relaxing this rule.
1428	*/
1429	if (pFsObjState->Stat.st_mode & S_IWOTH)
1430	return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1431	"World writable: '", pszPath, "'");
1432
1433	/*
1434	* Check the ACLs.
1435	*/
1436	/** @todo */
1437
1438	return VINF_SUCCESS;
1439	#endif
1440	}
1441
1442
1443	/**
1444	* Verifies that the file system object indicated by the native handle is the
1445	* same as the one @a pFsObjState indicates.
1446	*
1447	* @returns VBox status code, error buffer filled on failure.
1448	* @param hNative The native handle to the object @a pszPath
1449	* specifies and this should be verified to be the
1450	* same file system object.
1451	* @param pFsObjState The information/state returned by a previous
1452	* query call.
1453	* @param pszPath The path to the object @a pFsObjState
1454	* describes. (For the error message.)
1455	* @param pErrInfo The error info structure.
1456	*/
1457	static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1458	const char *pszPath, PRTERRINFO pErrInfo)
1459	{
1460	SUPR3HARDENEDFSOBJSTATE FsObjState2;
1461	int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1462	if (RT_SUCCESS(rc))
1463	rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1464	return rc;
1465	}
1466
1467
1468	/**
1469	* Does the recursive directory enumeration.
1470	*
1471	* @returns VBox status code, error buffer filled on failure.
1472	* @param pszDirPath The path buffer containing the subdirectory to
1473	* enumerate followed by a slash (this is never
1474	* the root slash). The buffer is RTPATH_MAX in
1475	* size and anything starting at @a cchDirPath
1476	* - 1 and beyond is scratch space.
1477	* @param cchDirPath The length of the directory path + slash.
1478	* @param pFsObjState Pointer to the file system object state buffer.
1479	* On input this will hold the stats for
1480	* the directory @a pszDirPath indicates and will
1481	* be used to verified that we're opening the same
1482	* thing.
1483	* @param fRecursive Whether to recurse into subdirectories.
1484	* @param pErrInfo The error info structure.
1485	*/
1486	static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1487	bool fRecursive, PRTERRINFO pErrInfo)
1488	{
1489	#if defined(RT_OS_WINDOWS)
1490	/** @todo Windows hardening. */
1491	return VINF_SUCCESS;
1492
1493	#elif defined(RT_OS_OS2)
1494	/* No hardening here - it's a single user system. */
1495	return VINF_SUCCESS;
1496
1497	#else
1498	/*
1499	* Open the directory. Now, we could probably eliminate opendir here
1500	* and go down on kernel API level (open + getdents for instance), however
1501	* that's not very portable and hopefully not necessary.
1502	*/
1503	DIR *pDir = opendir(pszDirPath);
1504	if (!pDir)
1505	{
1506	/* Ignore access errors. */
1507	if (errno == EACCES)
1508	return VINF_SUCCESS;
1509	return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1510	5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1511	}
1512	if (dirfd(pDir) != -1)
1513	{
1514	int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1515	if (RT_FAILURE(rc))
1516	{
1517	closedir(pDir);
1518	return rc;
1519	}
1520	}
1521
1522	/*
1523	* Enumerate the directory, check all the requested bits.
1524	*/
1525	int rc = VINF_SUCCESS;
1526	for (;;)
1527	{
1528	pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1529
1530	struct dirent Entry;
1531	struct dirent *pEntry;
1532	int iErr = readdir_r(pDir, &Entry, &pEntry);
1533	if (iErr)
1534	{
1535	rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1536	5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1537	break;
1538	}
1539	if (!pEntry)
1540	break;
1541
1542	/*
1543	* Check the length and copy it into the path buffer so it can be
1544	* stat()'ed.
1545	*/
1546	size_t cchName = suplibHardenedStrLen(pEntry->d_name);
1547	if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1548	{
1549	rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1550	4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1551	break;
1552	}
1553	suplibHardenedMemCopy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1554
1555	/*
1556	* Query the information about the entry and verify it.
1557	* (We don't bother skipping '.' and '..' at this point, a little bit
1558	* of extra checks doesn't hurt and neither requires relaxed handling.)
1559	*/
1560	rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1561	if (RT_SUCCESS(rc))
1562	break;
1563	rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /fRelaxed/,
1564	pszDirPath, pErrInfo);
1565	if (RT_FAILURE(rc))
1566	break;
1567
1568	/*
1569	* Recurse into subdirectories if requested.
1570	*/
1571	if ( fRecursive
1572	&& S_ISDIR(pFsObjState->Stat.st_mode)
1573	&& suplibHardenedStrCmp(pEntry->d_name, ".")
1574	&& suplibHardenedStrCmp(pEntry->d_name, ".."))
1575	{
1576	pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1577	pszDirPath[cchDirPath + cchName + 1] = '\0';
1578
1579	rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1580	fRecursive, pErrInfo);
1581	if (RT_FAILURE(rc))
1582	break;
1583	}
1584	}
1585
1586	closedir(pDir);
1587	return VINF_SUCCESS;
1588	#endif
1589	}
1590
1591
1592	/**
1593	* Worker for SUPR3HardenedVerifyDir.
1594	*
1595	* @returns See SUPR3HardenedVerifyDir.
1596	* @param pszDirPath See SUPR3HardenedVerifyDir.
1597	* @param fRecursive See SUPR3HardenedVerifyDir.
1598	* @param fCheckFiles See SUPR3HardenedVerifyDir.
1599	* @param pErrInfo See SUPR3HardenedVerifyDir.
1600	*/
1601	DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1602	{
1603	/*
1604	* Validate the input path and parse it.
1605	*/
1606	SUPR3HARDENEDPATHINFO Info;
1607	int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1608	if (RT_FAILURE(rc))
1609	return rc;
1610
1611	/*
1612	* Verify each component from the root up.
1613	*/
1614	SUPR3HARDENEDFSOBJSTATE FsObjState;
1615	uint32_t const cComponents = Info.cComponents;
1616	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1617	{
1618	bool fRelaxed = iComponent + 2 < cComponents;
1619	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1620	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1621	if (RT_SUCCESS(rc))
1622	rc = supR3HardenedVerifyFsObject(&FsObjState, true /fDir/, fRelaxed, Info.szPath, pErrInfo);
1623	if (RT_FAILURE(rc))
1624	return rc;
1625	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1626	}
1627
1628	/*
1629	* Check files and subdirectories if requested.
1630	*/
1631	if (fCheckFiles \|\| fRecursive)
1632	{
1633	Info.szPath[Info.cch] = RTPATH_SLASH;
1634	Info.szPath[Info.cch + 1] = '\0';
1635	return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1636	fRecursive, pErrInfo);
1637	}
1638
1639	return VINF_SUCCESS;
1640	}
1641
1642
1643	/**
1644	* Verfies a file.
1645	*
1646	* @returns VBox status code, error buffer filled on failure.
1647	* @param pszFilename The file to verify.
1648	* @param hNativeFile Handle to the file, verify that it's the same
1649	* as we ended up with when verifying the path.
1650	* RTHCUINTPTR_MAX means NIL here.
1651	* @param fMaybe3rdParty Set if the file is could be a supplied by a
1652	* third party. Different validation rules may
1653	* apply to 3rd party code on some platforms.
1654	* @param pErrInfo Where to return extended error information.
1655	* Optional.
1656	*/
1657	DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
1658	bool fMaybe3rdParty, PRTERRINFO pErrInfo)
1659	{
1660	/*
1661	* Validate the input path and parse it.
1662	*/
1663	SUPR3HARDENEDPATHINFO Info;
1664	int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1665	if (RT_FAILURE(rc))
1666	return rc;
1667	if (Info.fDirSlash)
1668	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1669	"The file path specifies a directory: '", pszFilename, "'");
1670
1671	/*
1672	* Verify each component from the root up.
1673	*/
1674	SUPR3HARDENEDFSOBJSTATE FsObjState;
1675	uint32_t const cComponents = Info.cComponents;
1676	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1677	{
1678	bool fFinal = iComponent + 1 == cComponents;
1679	bool fRelaxed = iComponent + 2 < cComponents;
1680	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1681	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1682	if (RT_SUCCESS(rc))
1683	rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /fDir/, fRelaxed, Info.szPath, pErrInfo);
1684	if (RT_FAILURE(rc))
1685	return rc;
1686	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1687	}
1688
1689	/*
1690	* Verify the file handle against the last component, if specified.
1691	*/
1692	if (hNativeFile != RTHCUINTPTR_MAX)
1693	{
1694	rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1695	if (RT_FAILURE(rc))
1696	return rc;
1697	}
1698
1699	#ifdef RT_OS_WINDOWS
1700	/*
1701	* The files shall be signed on windows, verify that.
1702	*/
1703	rc = VINF_SUCCESS;
1704	HANDLE hVerify;
1705	if (hNativeFile == RTHCUINTPTR_MAX)
1706	{
1707	PRTUTF16 pwszPath;
1708	rc = RTStrToUtf16(pszFilename, &pwszPath);
1709	if (RT_SUCCESS(rc))
1710	{
1711	hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1712	RTUtf16Free(pwszPath);
1713	}
1714	else
1715	rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
1716	}
1717	else
1718	{
1719	NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
1720	GENERIC_READ, 0 /HandleAttributes/, 0 /Options/);
1721	if (!NT_SUCCESS(rcNt))
1722	hVerify = INVALID_HANDLE_VALUE;
1723	}
1724	if (hVerify != INVALID_HANDLE_VALUE)
1725	{
1726	# ifdef VBOX_WITH_HARDENING
1727	uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
1728	if (!fMaybe3rdParty)
1729	fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
1730	const char *pszSuffix = RTPathSuffix(pszFilename);
1731	if ( pszSuffix
1732	&& pszSuffix[0] == '.'
1733	&& ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
1734	\|\| RT_C_TO_LOWER(pszSuffix[1]) == 'g')
1735	&& RT_C_TO_LOWER(pszSuffix[2]) == 'c'
1736	&& pszSuffix[3] == '\0' )
1737	fFlags \|= SUPHNTVI_F_RC_IMAGE;
1738	# ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
1739	rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
1740	# endif
1741	# endif
1742	NtClose(hVerify);
1743	}
1744	else if (RT_SUCCESS(rc))
1745	rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
1746	"Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
1747	if (RT_FAILURE(rc))
1748	return rc;
1749	#endif
1750
1751	return VINF_SUCCESS;
1752	}
1753
1754
1755	/**
1756	* Gets the pre-init data for the hand-over to the other version
1757	* of this code.
1758	*
1759	* The reason why we pass this information on is that it contains
1760	* open directories and files. Later it may include even more info
1761	* (int the verified arrays mostly).
1762	*
1763	* The receiver is supR3HardenedRecvPreInitData.
1764	*
1765	* @param pPreInitData Where to store it.
1766	*/
1767	DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
1768	{
1769	pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
1770	pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
1771	pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
1772
1773	pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
1774	pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
1775	}
1776
1777
1778	/**
1779	* Receives the pre-init data from the static executable stub.
1780	*
1781	* @returns VBox status code. Will not bitch on failure since the
1782	* runtime isn't ready for it, so that is left to the exe stub.
1783	*
1784	* @param pPreInitData The hand-over data.
1785	*/
1786	DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
1787	{
1788	/*
1789	* Compare the array lengths and the contents of g_aSupInstallFiles.
1790	*/
1791	if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
1792	\|\| pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
1793	return VERR_VERSION_MISMATCH;
1794	SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
1795	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
1796	if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
1797	\|\| g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
1798	\|\| g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
1799	\|\| suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
1800	return VERR_VERSION_MISMATCH;
1801
1802	/*
1803	* Check that we're not called out of order.
1804	* If dynamic linking it screwed up, we may end up here.
1805	*/
1806	if ( ASMMemIsAll8(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles), 0) != NULL
1807	\|\| ASMMemIsAll8(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs), 0) != NULL)
1808	return VERR_WRONG_ORDER;
1809
1810	/*
1811	* Copy the verification data over.
1812	*/
1813	suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
1814	suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
1815	return VINF_SUCCESS;
1816	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 54998

Download in other formats: