SUPR3HardenedVerify.cpp@ 11794

Last change on this file since 11794 was 11725, checked in by vboxsync, 16 years ago
#3076: Merged in the branch with the alternate driver authentication method. (34468:HEAD)
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 30.8 KB

Line
1	/* $Id: SUPR3HardenedVerify.cpp 11725 2008-08-27 22:21:47Z vboxsync $ */
2	/** @file
3	* VirtualBox Support Library - Verification of Hardened Installation.
4	*/
5
6	/*
7	* Copyright (C) 2006-2008 Sun Microsystems, Inc.
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*
26	* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa
27	* Clara, CA 95054 USA or visit http://www.sun.com if you need
28	* additional information or have any questions.
29	*/
30
31	/*******************************************************************************
32	* Header Files *
33	*******************************************************************************/
34	#if defined(RT_OS_OS2)
35	# define INCL_BASE
36	# define INCL_ERRORS
37	# include <os2.h>
38	# include <stdio.h>
39
40	#elif defined(RT_OS_WINDOWS)
41	# include <Windows.h>
42	# include <stdio.h>
43
44	#else /* UNIXes */
45	# include <sys/types.h>
46	# include <stdio.h>
47	# include <stdlib.h>
48	# include <dlfcn.h>
49	# include <fcntl.h>
50	# include <limits.h>
51	# include <errno.h>
52	# include <unistd.h>
53	# include <sys/stat.h>
54	# include <sys/time.h>
55	# include <sys/fcntl.h>
56	# include <stdio.h>
57	# include <pwd.h>
58	# ifdef RT_OS_DARWIN
59	# include <mach-o/dyld.h>
60	# endif
61
62	#endif
63
64	#include <VBox/sup.h>
65	#include <VBox/err.h>
66	#include <iprt/string.h>
67	#include <iprt/param.h>
68
69	#include "SUPLibInternal.h"
70
71
72
73
74	/*******************************************************************************
75	* Global Variables *
76	*******************************************************************************/
77	/**
78	* The files that gets verified.
79	*
80	* @todo This needs reviewing against the linux packages.
81	* @todo The excessive use of kSupID_SharedLib needs to be reviewed at some point. For
82	* the time being we're building the linux packages with SharedLib pointing to
83	* AppPrivArch (lazy bird).
84	*/
85	static SUPINSTFILE const g_aSupInstallFiles[] =
86	{
87	/* type, dir,fOptional, pszFile */
88	/* ---------------------------------------------------------------------- */
89	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
90	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
91	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
92
93	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMGC.gc" },
94	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDGC.gc" },
95	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2GC.gc" },
96
97	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
98	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
99	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
100	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
101	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
102	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
103
104	//#ifdef VBOX_WITH_DEBUGGER_GUI
105	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
106	//#endif
107
108	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
109	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
110	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
111
112	{ kSupIFT_Exe, kSupID_AppBin, false, "VBoxManage" SUPLIB_EXE_SUFF },
113
114	{ kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
115	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxSettings" SUPLIB_DLL_SUFF },
116	#ifdef RT_OS_WINDOWS
117	/** @todo */
118	#else
119	{ kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
120	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
121	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
122	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
123	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
124	{ kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
125	#endif
126
127	//#ifdef VBOX_WITH_VRDP
128	{ kSupIFT_Dll, kSupID_SharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
129	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
130	//#endif
131
132	//#ifdef VBOX_WITH_HEADLESS
133	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
134	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
135	//#endif
136
137	//#ifdef VBOX_WITH_QT4GUI
138	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
139	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
140	# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
141	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
142	# endif
143	//#endif
144
145	//#ifdef VBOX_WITH_QTGUI
146	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox3" SUPLIB_EXE_SUFF },
147	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox3" SUPLIB_DLL_SUFF },
148	# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
149	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxKeyboard3" SUPLIB_DLL_SUFF },
150	# endif
151	//#endif
152
153	//#ifdef VBOX_WITH_VBOXSDL
154	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
155	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
156	//#endif
157
158	//#ifdef VBOX_WITH_VBOXBFE
159	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxBFE" SUPLIB_EXE_SUFF },
160	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxBFE" SUPLIB_DLL_SUFF },
161	//#endif
162
163	//#ifdef VBOX_WITH_WEBSERVICES
164	{ kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
165	//#endif
166
167	#ifdef RT_OS_LINUX
168	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
169	#endif
170	};
171
172
173	/** Array parallel to g_aSupInstallFiles containing per-file status info. */
174	static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
175
176	/** Array index by install directory specifier containing info about verified directories. */
177	static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
178
179
180	/**
181	* Assembles the path to a dirtory.
182	*
183	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
184	* decides whether it returns or not).
185	*
186	* @param enmDir The directory.
187	* @param pszDst Where to assemble the path.
188	* @param cchDst The size of the buffer.
189	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
190	*/
191	static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
192	{
193	int rc;
194	switch (enmDir)
195	{
196	case kSupID_AppBin: /** @todo fix this AppBin crap (uncertain wtf some binaries actually are installed). */
197	case kSupID_Bin:
198	rc = supR3HardenedPathProgram(pszDst, cchDst);
199	break;
200	case kSupID_SharedLib:
201	rc = supR3HardenedPathSharedLibs(pszDst, cchDst);
202	break;
203	case kSupID_AppPrivArch:
204	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
205	break;
206	case kSupID_AppPrivArchComp:
207	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
208	if (RT_SUCCESS(rc))
209	{
210	size_t off = strlen(pszDst);
211	if (cchDst - off >= sizeof("/components"))
212	memcpy(&pszDst[off], "/components", sizeof("/components"));
213	else
214	rc = VERR_BUFFER_OVERFLOW;
215	}
216	break;
217	case kSupID_AppPrivNoArch:
218	rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
219	break;
220	default:
221	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
222	"supR3HardenedMakePath: enmDir=%d\n", enmDir);
223	}
224	if (RT_FAILURE(rc))
225	supR3HardenedError(rc, fFatal,
226	"supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
227	return rc;
228	}
229
230
231
232	/**
233	* Assembles the path to a file table entry, with or without the actual filename.
234	*
235	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
236	* decides whether it returns or not).
237	*
238	* @param pFile The file table entry.
239	* @param pszDst Where to assemble the path.
240	* @param cchDst The size of the buffer.
241	* @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
242	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
243	*/
244	static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
245	{
246	/*
247	* Combine supR3HardenedMakePath and the filename.
248	*/
249	int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
250	if (RT_SUCCESS(rc))
251	{
252	size_t cchFile = strlen(pFile->pszFile);
253	size_t off = strlen(pszDst);
254	if (cchDst - off >= cchFile + 2)
255	{
256	pszDst[off++] = '/';
257	memcpy(&pszDst[off], pFile->pszFile, cchFile + 1);
258	}
259	else
260	rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
261	"supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
262	pFile->pszFile, (long)off);
263	}
264	return rc;
265	}
266
267
268	/**
269	* Verifies a directory.
270	*
271	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
272	* fFatal is clear and if it's set the function wont return.
273	* @param enmDir The directory specifier.
274	* @param fFatal Whether validation failures should be treated as
275	* fatal (true) or not (false).
276	*/
277	DECLHIDDEN(int) supR3HardenedVerifyDir(SUPINSTDIR enmDir, bool fFatal)
278	{
279	/*
280	* Validate the index just to be on the safe side...
281	*/
282	if (enmDir <= kSupID_Invalid \|\| enmDir >= kSupID_End)
283	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
284	"supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
285
286	/*
287	* Already validated?
288	*/
289	if (g_aSupVerifiedDirs[enmDir].fValidated)
290	return VINF_SUCCESS; /** @todo revalidate? */
291
292	/* initialize the entry. */
293	if (g_aSupVerifiedDirs[enmDir].hDir != 0)
294	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
295	"supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
296	(void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
297	g_aSupVerifiedDirs[enmDir].hDir = -1;
298	g_aSupVerifiedDirs[enmDir].fValidated = false;
299
300	/*
301	* Make the path and open the directory.
302	*/
303	char szPath[RTPATH_MAX];
304	int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
305	if (RT_SUCCESS(rc))
306	{
307	#if defined(RT_OS_WINDOWS)
308	HANDLE hDir = CreateFile(szPath,
309	GENERIC_READ,
310	FILE_SHARE_READ \| FILE_SHARE_DELETE \| FILE_SHARE_WRITE,
311	NULL,
312	OPEN_ALWAYS,
313	FILE_ATTRIBUTE_NORMAL \| FILE_FLAG_BACKUP_SEMANTICS,
314	NULL);
315	if (hDir != INVALID_HANDLE_VALUE)
316	{
317	/** @todo check the type */
318	/* That's all on windows, for now at least... */
319	g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
320	g_aSupVerifiedDirs[enmDir].fValidated = true;
321	}
322	else
323	{
324	int err = GetLastError();
325	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
326	"supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
327	szPath, err);
328	}
329	#else /* UNIXY */
330	int fd = open(szPath, O_RDONLY, 0);
331	if (fd >= 0)
332	{
333	/*
334	* On unixy systems we'll make sure the directory is owned by root
335	* and not writable by the group and user.
336	*/
337	struct stat st;
338	if (!fstat(fd, &st))
339	{
340
341	if ( st.st_uid == 0
342	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
343	&& S_ISDIR(st.st_mode))
344	{
345	g_aSupVerifiedDirs[enmDir].hDir = fd;
346	g_aSupVerifiedDirs[enmDir].fValidated = true;
347	}
348	else
349	{
350	if (!S_ISDIR(st.st_mode))
351	rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
352	"supR3HardenedVerifyDir: \"%s\" is not a directory\n",
353	szPath, (long)st.st_uid);
354	else if (st.st_uid)
355	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
356	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
357	szPath, (long)st.st_uid);
358	else
359	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
360	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
361	szPath, (long)st.st_mode);
362	close(fd);
363	}
364	}
365	else
366	{
367	int err = errno;
368	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
369	"supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
370	szPath, strerror(err), err);
371	close(fd);
372	}
373	}
374	else
375	{
376	int err = errno;
377	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
378	"supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
379	szPath, strerror(err), err);
380	}
381	#endif /* UNIXY */
382	}
383
384	return rc;
385	}
386
387
388	/**
389	* Verifies a file entry.
390	*
391	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
392	* fFatal is clear and if it's set the function wont return.
393	*
394	* @param iFile The file table index of the file to be verified.
395	* @param fFatal Whether validation failures should be treated as
396	* fatal (true) or not (false).
397	* @param fLeaveFileOpen Whether the file should be left open.
398	*/
399	static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen)
400	{
401	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
402	PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
403
404	/*
405	* Already done?
406	*/
407	if (pVerified->fValidated)
408	return VINF_SUCCESS; /** @todo revalidate? */
409
410
411	/* initialize the entry. */
412	if (pVerified->hFile != 0)
413	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
414	"supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
415	(void *)pVerified->hFile, pFile->pszFile);
416	pVerified->hFile = -1;
417	pVerified->fValidated = false;
418
419	/*
420	* Verify the directory then proceed to open it.
421	* (This'll make sure the directory is opened and that we can (later)
422	* use openat if we wish.)
423	*/
424	int rc = supR3HardenedVerifyDir(pFile->enmDir, fFatal);
425	if (RT_SUCCESS(rc))
426	{
427	char szPath[RTPATH_MAX];
428	int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true, fFatal);
429	if (RT_SUCCESS(rc))
430	{
431	#if defined(RT_OS_WINDOWS)
432	HANDLE hFile = CreateFile(szPath,
433	GENERIC_READ,
434	FILE_SHARE_READ,
435	NULL,
436	OPEN_ALWAYS,
437	FILE_ATTRIBUTE_NORMAL,
438	NULL);
439	if (hFile != INVALID_HANDLE_VALUE)
440	{
441	/** @todo Check the type, and verify the signature (separate function so we can skip it). */
442	{
443	/* it's valid. */
444	if (fLeaveFileOpen)
445	pVerified->hFile = (intptr_t)hFile;
446	else
447	CloseHandle(hFile);
448	pVerified->fValidated = true;
449	}
450	}
451	else
452	{
453	int err = GetLastError();
454	if (!pFile->fOptional \|\| err != ERROR_FILE_NOT_FOUND)
455	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
456	"supR3HardenedVerifyFileInternal: Failed to open \"%s\": err=%d\n",
457	szPath, err);
458	}
459	#else /* UNIXY */
460	int fd = open(szPath, O_RDONLY, 0);
461	if (fd >= 0)
462	{
463	/*
464	* On unixy systems we'll make sure the directory is owned by root
465	* and not writable by the group and user.
466	*/
467	struct stat st;
468	if (!fstat(fd, &st))
469	{
470	if ( st.st_uid == 0
471	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
472	&& S_ISREG(st.st_mode))
473	{
474	/* it's valid. */
475	if (fLeaveFileOpen)
476	pVerified->hFile = fd;
477	else
478	close(fd);
479	pVerified->fValidated = true;
480	}
481	else
482	{
483	if (!S_ISREG(st.st_mode))
484	rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
485	"supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
486	szPath, (long)st.st_uid);
487	else if (st.st_uid)
488	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
489	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
490	szPath, (long)st.st_uid);
491	else
492	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
493	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
494	szPath, (long)st.st_mode);
495	close(fd);
496	}
497	}
498	else
499	{
500	int err = errno;
501	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
502	"supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
503	szPath, strerror(err), err);
504	close(fd);
505	}
506	}
507	else
508	{
509	int err = errno;
510	if (!pFile->fOptional \|\| err != ENOENT)
511	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
512	"supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
513	szPath, strerror(err), err);
514	}
515	#endif /* UNIXY */
516	}
517	}
518
519	return rc;
520	}
521
522
523	/**
524	* Verifies that the specified table entry matches the given filename.
525	*
526	* @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
527	* error is returned or we terminate the application.
528	*
529	* @param iFile The file table index.
530	* @param pszFilename The filename.
531	* @param fFatal Whether validation failures should be treated as
532	* fatal (true) or not (false).
533	*/
534	static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
535	{
536	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
537
538	/*
539	* Construct the full path for the file table entry
540	* and compare it with the specified file.
541	*/
542	char szName[RTPATH_MAX];
543	int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
544	if (RT_FAILURE(rc))
545	return rc;
546	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
547	if (stricmp(szName, pszFilename))
548	#else
549	if (strcmp(szName, pszFilename))
550	#endif
551	{
552	/*
553	* Normalize the two paths and compare again.
554	*/
555	rc = VERR_NOT_SAME_DEVICE;
556	#if defined(RT_OS_WINDOWS)
557	LPSTR pszIgnored;
558	char szName2[RTPATH_MAX];
559	if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
560	&& GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
561	if (!stricmp(szName2, szName))
562	rc = VINF_SUCCESS;
563	#else
564	AssertCompile(RTPATH_MAX >= PATH_MAX);
565	char szName2[RTPATH_MAX];
566	if ( realpath(szName, szName2) != NULL
567	&& realpath(pszFilename, szName) != NULL)
568	if (!strcmp(szName2, szName))
569	rc = VINF_SUCCESS;
570	#endif
571
572	if (RT_FAILURE(rc))
573	{
574	supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
575	return supR3HardenedError(rc, fFatal,
576	"supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
577	pszFilename, szName);
578	}
579	}
580
581	/*
582	* Check more stuff like the stat info if it's an already open file?
583	*/
584
585
586
587	return VINF_SUCCESS;
588	}
589
590
591	/**
592	* Verifies a file.
593	*
594	* @returns VINF_SUCCESS on success.
595	* VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
596	* On verfication failure, an error code will be returned when fFatal is clear,
597	* otherwise the program will be termindated.
598	*
599	* @param pszFilename The filename.
600	* @param fFatal Whether validation failures should be treated as
601	* fatal (true) or not (false).
602	*/
603	DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, bool fFatal)
604	{
605	/*
606	* Lookup the file and check if it's the same file.
607	*/
608	const char *pszName = supR3HardenedPathFilename(pszFilename);
609	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
610	if (!strcmp(pszName, g_aSupInstallFiles[iFile].pszFile))
611	{
612	int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
613	if (RT_SUCCESS(rc))
614	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen */);
615	return rc;
616	}
617
618	return VERR_NOT_FOUND;
619	}
620
621
622	/**
623	* Verifies a program, worker for supR3HardenedVerifyAll.
624	*
625	* @returns See supR3HardenedVerifyAll.
626	* @param pszProgName See supR3HardenedVerifyAll.
627	* @param fFatal See supR3HardenedVerifyAll.
628	*/
629	static int supR3HardenedVerifyProgram(const char *pszProgName, bool fFatal)
630	{
631	/*
632	* Search the table looking for the executable and the DLL/DYLIB/SO.
633	*/
634	int rc = VINF_SUCCESS;
635	bool fExe = false;
636	bool fDll = false;
637	size_t const cchProgName = strlen(pszProgName);
638	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
639	if (!strncmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgName))
640	{
641	if ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
642	&& !strcmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_DLL_SUFF))
643	{
644	/* This only has to be found (once). */
645	if (fDll)
646	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
647	"supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
648	fDll = true;
649	}
650	else if ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
651	&& !strcmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_EXE_SUFF))
652	{
653	/* Here we'll have to check that the specific program is the same as the entry. */
654	if (fExe)
655	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
656	"supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
657	fExe = true;
658
659	char szFilename[RTPATH_MAX];
660	int rc2 = supR3HardenedPathProgram(szFilename, sizeof(szFilename) - cchProgName - sizeof(SUPLIB_EXE_SUFF));
661	if (RT_SUCCESS(rc2))
662	{
663	strcat(szFilename, "/");
664	strcat(szFilename, g_aSupInstallFiles[iFile].pszFile);
665	supR3HardenedVerifySameFile(iFile, szFilename, fFatal);
666	}
667	else
668	rc = supR3HardenedError(rc2, fFatal,
669	"supR3HardenedVerifyProgram: failed to query program path: rc=%d\n", rc2);
670	}
671	}
672
673	/*
674	* Check the findings.
675	*/
676	if (!fDll && !fExe)
677	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
678	"supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
679	else if (!fExe)
680	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
681	"supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
682	else if (!fDll)
683	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
684	"supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
685	return rc;
686	}
687
688
689
690	/**
691	* Verifies all the known files.
692	*
693	* @returns VINF_SUCCESS on success.
694	* On verfication failure, an error code will be returned when fFatal is clear,
695	* otherwise the program will be termindated.
696	*
697	* @param fFatal Whether validation failures should be treated as
698	* fatal (true) or not (false).
699	* @param fLeaveFilesOpen If set, all the verfied files are left open.
700	* @param pszProgName Optional program name. This is used by SUPR3HardenedMain
701	* to verify that both the executable and corresponding
702	* DLL/DYLIB/SO are valid.
703	*/
704	DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, bool fLeaveFilesOpen, const char *pszProgName)
705	{
706	/*
707	* The verify all the files.
708	*/
709	int rc = VINF_SUCCESS;
710	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
711	{
712	int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveFilesOpen);
713	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
714	rc = rc2;
715	}
716
717	/*
718	* Verify the program name if specified, that is to say, just check that
719	* it's in the table (=> we've already verified it).
720	*/
721	if (pszProgName)
722	{
723	int rc2 = supR3HardenedVerifyProgram(pszProgName, fFatal);
724	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
725	rc2 = rc;
726	}
727
728	return rc;
729	}
730
731
732	/**
733	* Gets the pre-init data for the hand-over to the other version
734	* of this code.
735	*
736	* The reason why we pass this information on is that it contains
737	* open directories and files. Later it may include even more info
738	* (int the verified arrays mostly).
739	*
740	* The receiver is supR3HardenedRecvPreInitData.
741	*
742	* @param pPreInitData Where to store it.
743	*/
744	DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
745	{
746	pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
747	pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
748	pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
749
750	pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
751	pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
752	}
753
754
755	/**
756	* Receives the pre-init data from the static executable stub.
757	*
758	* @returns VBox status code. Will not bitch on failure since the
759	* runtime isn't ready for it, so that is left to the exe stub.
760	*
761	* @param pPreInitData The hand-over data.
762	*/
763	DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
764	{
765	/*
766	* Compare the array lengths and the contents of g_aSupInstallFiles.
767	*/
768	if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
769	\|\| pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
770	return VERR_VERSION_MISMATCH;
771	SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
772	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
773	if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
774	\|\| g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
775	\|\| g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
776	\|\| strcmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
777	return VERR_VERSION_MISMATCH;
778
779	/*
780	* Check that we're not called out of order.
781	* If dynamic linking it screwed up, we may end up here.
782	*/
783	if ( ASMMemIsAll8(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles), 0) != NULL
784	\|\| ASMMemIsAll8(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs), 0) != NULL)
785	return VERR_WRONG_ORDER;
786
787	/*
788	* Copy the verification data over.
789	*/
790	memcpy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
791	memcpy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
792	return VINF_SUCCESS;
793	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 11794

Download in other formats: