VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 56743

Last change on this file since 56743 was 56733, checked in by vboxsync, 9 years ago

SUPHardNt: Allow hardened exectuable binaries in the 'testcase' subdirectory.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 69.1 KB
Line 
1/* $Id: SUPR3HardenedVerify.cpp 56733 2015-07-01 14:01:43Z vboxsync $ */
2/** @file
3 * VirtualBox Support Library - Verification of Hardened Installation.
4 */
5
6/*
7 * Copyright (C) 2006-2015 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27/*******************************************************************************
28* Header Files *
29*******************************************************************************/
30#if defined(RT_OS_OS2)
31# define INCL_BASE
32# define INCL_ERRORS
33# include <os2.h>
34# include <stdio.h>
35# include <stdlib.h>
36# include <unistd.h>
37# include <sys/fcntl.h>
38# include <sys/errno.h>
39# include <sys/syslimits.h>
40
41#elif defined(RT_OS_WINDOWS)
42# include <iprt/nt/nt-and-windows.h>
43# ifndef IN_SUP_HARDENED_R3
44# include <stdio.h>
45# endif
46
47#else /* UNIXes */
48# include <sys/types.h>
49# include <stdio.h>
50# include <stdlib.h>
51# include <dirent.h>
52# include <dlfcn.h>
53# include <fcntl.h>
54# include <limits.h>
55# include <errno.h>
56# include <unistd.h>
57# include <sys/stat.h>
58# include <sys/time.h>
59# include <sys/fcntl.h>
60# include <pwd.h>
61# ifdef RT_OS_DARWIN
62# include <mach-o/dyld.h>
63# endif
64
65#endif
66
67#include <VBox/sup.h>
68#include <VBox/err.h>
69#include <iprt/asm.h>
70#include <iprt/ctype.h>
71#include <iprt/param.h>
72#include <iprt/path.h>
73#include <iprt/string.h>
74
75#include "SUPLibInternal.h"
76#if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
77# define SUPHNTVI_NO_NT_STUFF
78# include "win/SUPHardenedVerify-win.h"
79#endif
80
81
82/*******************************************************************************
83* Defined Constants And Macros *
84*******************************************************************************/
85/** The max path length acceptable for a trusted path. */
86#define SUPR3HARDENED_MAX_PATH 260U
87
88#ifdef RT_OS_SOLARIS
89# define dirfd(d) ((d)->d_fd)
90#endif
91
92/** Compare table file names with externally supplied names. */
93#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
94# define SUP_COMP_FILENAME RTStrICmp
95#else
96# define SUP_COMP_FILENAME suplibHardenedStrCmp
97#endif
98
99
100/*******************************************************************************
101* Global Variables *
102*******************************************************************************/
103/**
104 * The files that gets verified.
105 *
106 * @todo This needs reviewing against the linux packages.
107 * @todo The excessive use of kSupID_AppSharedLib needs to be reviewed at some point. For
108 * the time being we're building the linux packages with SharedLib pointing to
109 * AppPrivArch (lazy bird).
110 */
111static SUPINSTFILE const g_aSupInstallFiles[] =
112{
113 /* type, dir, fOpt, "pszFile" */
114 /* ---------------------------------------------------------------------- */
115 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
116 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
117 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
118
119#ifdef VBOX_WITH_RAW_MODE
120 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMRC.rc" },
121 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDRC.rc" },
122 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDD2RC.rc" },
123#endif
124
125 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
126 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
127 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
128#if HC_ARCH_BITS == 32
129 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
130 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
131#endif
132 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
133 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
134 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
135
136//#ifdef VBOX_WITH_DEBUGGER_GUI
137 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
138 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
139//#endif
140
141//#ifdef VBOX_WITH_SHARED_CLIPBOARD
142 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
143//#endif
144//#ifdef VBOX_WITH_SHARED_FOLDERS
145 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
146//#endif
147//#ifdef VBOX_WITH_DRAG_AND_DROP
148 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
149//#endif
150//#ifdef VBOX_WITH_GUEST_PROPS
151 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
152//#endif
153//#ifdef VBOX_WITH_GUEST_CONTROL
154 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
155//#endif
156 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
157 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
158 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
159 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
160 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
161
162 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
163
164#ifdef VBOX_WITH_MAIN
165 { kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
166 #ifdef RT_OS_WINDOWS
167 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
168 #else
169 { kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
170 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
171 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
172 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
173 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
174 { kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
175 #endif
176#endif
177
178 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
179 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
180 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
181
182//#ifdef VBOX_WITH_HEADLESS
183 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
184 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
185 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
186//#endif
187
188//#ifdef VBOX_WITH_QTGUI
189 { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
190 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
191# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
192 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
193# endif
194//#endif
195
196//#ifdef VBOX_WITH_VBOXSDL
197 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
198 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
199//#endif
200
201//#ifdef VBOX_WITH_WEBSERVICES
202 { kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
203//#endif
204
205#ifdef RT_OS_LINUX
206 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
207#endif
208
209//#ifdef VBOX_WITH_NETFLT
210 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
211 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
212//#endif
213
214//#ifdef VBOX_WITH_LWIP_NAT
215 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
216 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
217//#endif
218#if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
219# define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
220 { kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
221 { kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
222 HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
223 HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
224 HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
225 HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
226 HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
227# define HARDENED_TESTCASE_ENTRY(a_szName) \
228 { kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
229 { kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
230 HARDENED_TESTCASE_ENTRY("tstCFGM"),
231 HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
232 HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
233 HARDENED_TESTCASE_ENTRY("tstRTR0ThreadPreemptionDriver"),
234 HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
235 HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
236 HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
237 HARDENED_TESTCASE_ENTRY("tstSSM"),
238#endif
239};
240
241
242/** Array parallel to g_aSupInstallFiles containing per-file status info. */
243static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
244
245/** Array index by install directory specifier containing info about verified directories. */
246static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
247
248
249/**
250 * Assembles the path to a directory.
251 *
252 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
253 * decides whether it returns or not).
254 *
255 * @param enmDir The directory.
256 * @param pszDst Where to assemble the path.
257 * @param cchDst The size of the buffer.
258 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
259 */
260static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
261{
262 int rc;
263 switch (enmDir)
264 {
265 case kSupID_AppBin:
266 rc = supR3HardenedPathAppBin(pszDst, cchDst);
267 break;
268 case kSupID_AppSharedLib:
269 rc = supR3HardenedPathAppSharedLibs(pszDst, cchDst);
270 break;
271 case kSupID_AppPrivArch:
272 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
273 break;
274 case kSupID_AppPrivArchComp:
275 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
276 if (RT_SUCCESS(rc))
277 {
278 size_t off = suplibHardenedStrLen(pszDst);
279 if (cchDst - off >= sizeof("/components"))
280 suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
281 else
282 rc = VERR_BUFFER_OVERFLOW;
283 }
284 break;
285 case kSupID_AppPrivNoArch:
286 rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
287 break;
288 case kSupID_Testcase:
289 rc = supR3HardenedPathAppBin(pszDst, cchDst);
290 if (RT_SUCCESS(rc))
291 {
292 size_t off = suplibHardenedStrLen(pszDst);
293 if (cchDst - off >= sizeof("/testcase"))
294 suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
295 else
296 rc = VERR_BUFFER_OVERFLOW;
297 }
298 break;
299 default:
300 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
301 "supR3HardenedMakePath: enmDir=%d\n", enmDir);
302 }
303 if (RT_FAILURE(rc))
304 supR3HardenedError(rc, fFatal,
305 "supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
306 return rc;
307}
308
309
310
311/**
312 * Assembles the path to a file table entry, with or without the actual filename.
313 *
314 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
315 * decides whether it returns or not).
316 *
317 * @param pFile The file table entry.
318 * @param pszDst Where to assemble the path.
319 * @param cchDst The size of the buffer.
320 * @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
321 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
322 */
323static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
324{
325 /*
326 * Combine supR3HardenedMakePath and the filename.
327 */
328 int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
329 if (RT_SUCCESS(rc) && fWithFilename)
330 {
331 size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
332 size_t off = suplibHardenedStrLen(pszDst);
333 if (cchDst - off >= cchFile + 2)
334 {
335 pszDst[off++] = '/';
336 suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
337 }
338 else
339 rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
340 "supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
341 pFile->pszFile, (long)off);
342 }
343 return rc;
344}
345
346
347/**
348 * Verifies a directory.
349 *
350 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
351 * fFatal is clear and if it's set the function wont return.
352 * @param enmDir The directory specifier.
353 * @param fFatal Whether validation failures should be treated as
354 * fatal (true) or not (false).
355 */
356DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
357{
358 /*
359 * Validate the index just to be on the safe side...
360 */
361 if (enmDir <= kSupID_Invalid || enmDir >= kSupID_End)
362 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
363 "supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
364
365 /*
366 * Already validated?
367 */
368 if (g_aSupVerifiedDirs[enmDir].fValidated)
369 return VINF_SUCCESS; /** @todo revalidate? */
370
371 /* initialize the entry. */
372 if (g_aSupVerifiedDirs[enmDir].hDir != 0)
373 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
374 "supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
375 (void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
376 g_aSupVerifiedDirs[enmDir].hDir = -1;
377 g_aSupVerifiedDirs[enmDir].fValidated = false;
378
379 /*
380 * Make the path and open the directory.
381 */
382 char szPath[RTPATH_MAX];
383 int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
384 if (RT_SUCCESS(rc))
385 {
386#if defined(RT_OS_WINDOWS)
387 PRTUTF16 pwszPath;
388 rc = RTStrToUtf16(szPath, &pwszPath);
389 if (RT_SUCCESS(rc))
390 {
391 HANDLE hDir = CreateFileW(pwszPath,
392 GENERIC_READ,
393 FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE,
394 NULL,
395 OPEN_EXISTING,
396 FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS,
397 NULL);
398 if (hDir != INVALID_HANDLE_VALUE)
399 {
400 /** @todo check the type */
401 /* That's all on windows, for now at least... */
402 g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
403 g_aSupVerifiedDirs[enmDir].fValidated = true;
404 }
405 else if (enmDir == kSupID_Testcase)
406 {
407 g_aSupVerifiedDirs[enmDir].fValidated = true;
408 rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
409 }
410 else
411 {
412 int err = RtlGetLastWin32Error();
413 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
414 "supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
415 szPath, err);
416 }
417 RTUtf16Free(pwszPath);
418 }
419 else
420 rc = supR3HardenedError(rc, fFatal,
421 "supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
422
423#else /* UNIXY */
424 int fd = open(szPath, O_RDONLY, 0);
425 if (fd >= 0)
426 {
427 /*
428 * On unixy systems we'll make sure the directory is owned by root
429 * and not writable by the group and user.
430 */
431 struct stat st;
432 if (!fstat(fd, &st))
433 {
434
435 if ( st.st_uid == 0
436 && !(st.st_mode & (S_IWGRP | S_IWOTH))
437 && S_ISDIR(st.st_mode))
438 {
439 g_aSupVerifiedDirs[enmDir].hDir = fd;
440 g_aSupVerifiedDirs[enmDir].fValidated = true;
441 }
442 else
443 {
444 if (!S_ISDIR(st.st_mode))
445 rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
446 "supR3HardenedVerifyDir: \"%s\" is not a directory\n",
447 szPath, (long)st.st_uid);
448 else if (st.st_uid)
449 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
450 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
451 szPath, (long)st.st_uid);
452 else
453 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
454 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
455 szPath, (long)st.st_mode);
456 close(fd);
457 }
458 }
459 else
460 {
461 int err = errno;
462 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
463 "supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
464 szPath, strerror(err), err);
465 close(fd);
466 }
467 }
468 else if (enmDir == kSupID_Testcase)
469 {
470 g_aSupVerifiedDirs[enmDir].fValidated = true;
471 rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
472 }
473 else
474 {
475 int err = errno;
476 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
477 "supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
478 szPath, strerror(err), err);
479 }
480#endif /* UNIXY */
481 }
482
483 return rc;
484}
485
486
487#ifdef RT_OS_WINDOWS
488/**
489 * Opens the file for verification.
490 *
491 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
492 * fFatal is clear and if it's set the function wont return.
493 * @param pFile The file entry.
494 * @param fFatal Whether validation failures should be treated as
495 * kl fatal (true) or not (false).
496 * @param phFile The file handle, set to -1 if we failed to open
497 * the file. The function may return VINF_SUCCESS
498 * and a -1 handle if the file is optional.
499 */
500static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
501{
502 *phFile = -1;
503
504 char szPath[RTPATH_MAX];
505 int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
506 if (RT_SUCCESS(rc))
507 {
508 PRTUTF16 pwszPath;
509 rc = RTStrToUtf16(szPath, &pwszPath);
510 if (RT_SUCCESS(rc))
511 {
512 HANDLE hFile = CreateFileW(pwszPath,
513 GENERIC_READ,
514 FILE_SHARE_READ,
515 NULL,
516 OPEN_EXISTING,
517 FILE_ATTRIBUTE_NORMAL,
518 NULL);
519 if (hFile != INVALID_HANDLE_VALUE)
520 {
521 *phFile = (intptr_t)hFile;
522 rc = VINF_SUCCESS;
523 }
524 else
525 {
526 int err = RtlGetLastWin32Error();
527 if ( !pFile->fOptional
528 || ( err != ERROR_FILE_NOT_FOUND
529 && (err != ERROR_PATH_NOT_FOUND || pFile->enmDir != kSupID_Testcase) ) )
530 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
531 "supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
532 }
533 RTUtf16Free(pwszPath);
534 }
535 else
536 rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
537 szPath, rc);
538 }
539 return rc;
540}
541
542
543/**
544 * Worker for supR3HardenedVerifyFileInternal.
545 *
546 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
547 * fFatal is clear and if it's set the function wont return.
548 * @param pFile The file entry.
549 * @param pVerified The verification record.
550 * @param fFatal Whether validation failures should be treated as
551 * fatal (true) or not (false).
552 * @param fLeaveFileOpen Whether the file should be left open.
553 */
554static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
555{
556# if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
557
558 /*
559 * Open the file if we have to.
560 */
561 int rc;
562 intptr_t hFileOpened;
563 intptr_t hFile = pVerified->hFile;
564 if (hFile != -1)
565 hFileOpened = -1;
566 else
567 {
568 rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
569 if (RT_FAILURE(rc))
570 return rc;
571 hFile = hFileOpened;
572 }
573
574 /*
575 * Verify the signature.
576 */
577 char szErr[1024];
578 RTERRINFO ErrInfo;
579 RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
580
581 uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
582 if (pFile->enmType == kSupIFT_Rc)
583 fFlags |= SUPHNTVI_F_RC_IMAGE;
584
585 rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
586 if (RT_SUCCESS(rc))
587 pVerified->fCheckedSignature = true;
588 else
589 {
590 pVerified->fCheckedSignature = false;
591 rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
592 pFile->pszFile, rc, szErr);
593
594 }
595
596 /*
597 * Close the handle if we opened the file and we should close it.
598 */
599 if (hFileOpened != -1)
600 {
601 if (fLeaveFileOpen && RT_SUCCESS(rc))
602 pVerified->hFile = hFileOpened;
603 else
604 NtClose((HANDLE)hFileOpened);
605 }
606
607 return rc;
608
609# else /* Not checking signatures. */
610 return VINF_SUCCESS;
611# endif /* Not checking signatures. */
612}
613#endif
614
615
616/**
617 * Verifies a file entry.
618 *
619 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
620 * fFatal is clear and if it's set the function wont return.
621 *
622 * @param iFile The file table index of the file to be verified.
623 * @param fFatal Whether validation failures should be treated as
624 * fatal (true) or not (false).
625 * @param fLeaveFileOpen Whether the file should be left open.
626 * @param fVerifyAll Set if this is an verify all call and we will
627 * postpone signature checking.
628 */
629static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
630{
631 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
632 PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
633
634 /*
635 * Already done validation? Do signature validation if we haven't yet.
636 */
637 if (pVerified->fValidated)
638 {
639 /** @todo revalidate? Check that the file hasn't been replace or similar. */
640#ifdef RT_OS_WINDOWS
641 if (!pVerified->fCheckedSignature && !fVerifyAll)
642 return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
643#endif
644 return VINF_SUCCESS;
645 }
646
647
648 /* initialize the entry. */
649 if (pVerified->hFile != 0)
650 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
651 "supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
652 (void *)pVerified->hFile, pFile->pszFile);
653 pVerified->hFile = -1;
654 pVerified->fValidated = false;
655#ifdef RT_OS_WINDOWS
656 pVerified->fCheckedSignature = false;
657#endif
658
659 /*
660 * Verify the directory then proceed to open it.
661 * (This'll make sure the directory is opened and that we can (later)
662 * use openat if we wish.)
663 */
664 int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
665 if (RT_SUCCESS(rc))
666 {
667#if defined(RT_OS_WINDOWS)
668 rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
669 if (RT_SUCCESS(rc))
670 {
671 if (!fVerifyAll)
672 rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
673 if (RT_SUCCESS(rc))
674 {
675 pVerified->fValidated = true;
676 if (!fLeaveFileOpen)
677 {
678 NtClose((HANDLE)pVerified->hFile);
679 pVerified->hFile = -1;
680 }
681 }
682 }
683#else /* !RT_OS_WINDOWS */
684 char szPath[RTPATH_MAX];
685 rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
686 if (RT_SUCCESS(rc))
687 {
688 int fd = open(szPath, O_RDONLY, 0);
689 if (fd >= 0)
690 {
691 /*
692 * On unixy systems we'll make sure the file is owned by root
693 * and not writable by the group and user.
694 */
695 struct stat st;
696 if (!fstat(fd, &st))
697 {
698 if ( st.st_uid == 0
699 && !(st.st_mode & (S_IWGRP | S_IWOTH))
700 && S_ISREG(st.st_mode))
701 {
702 /* it's valid. */
703 if (fLeaveFileOpen)
704 pVerified->hFile = fd;
705 else
706 close(fd);
707 pVerified->fValidated = true;
708 }
709 else
710 {
711 if (!S_ISREG(st.st_mode))
712 rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
713 "supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
714 szPath, (long)st.st_uid);
715 else if (st.st_uid)
716 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
717 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
718 szPath, (long)st.st_uid);
719 else
720 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
721 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
722 szPath, (long)st.st_mode);
723 close(fd);
724 }
725 }
726 else
727 {
728 int err = errno;
729 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
730 "supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
731 szPath, strerror(err), err);
732 close(fd);
733 }
734 }
735 else
736 {
737 int err = errno;
738 if (!pFile->fOptional || err != ENOENT)
739 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
740 "supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
741 szPath, strerror(err), err);
742 }
743 }
744#endif /* !RT_OS_WINDOWS */
745 }
746
747 return rc;
748}
749
750
751/**
752 * Verifies that the specified table entry matches the given filename.
753 *
754 * @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
755 * error is returned or we terminate the application.
756 *
757 * @param iFile The file table index.
758 * @param pszFilename The filename.
759 * @param fFatal Whether validation failures should be treated as
760 * fatal (true) or not (false).
761 */
762static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
763{
764 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
765
766 /*
767 * Construct the full path for the file table entry
768 * and compare it with the specified file.
769 */
770 char szName[RTPATH_MAX];
771 int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
772 if (RT_FAILURE(rc))
773 return rc;
774 if (SUP_COMP_FILENAME(szName, pszFilename))
775 {
776 /*
777 * Normalize the two paths and compare again.
778 */
779 rc = VERR_NOT_SAME_DEVICE;
780#if defined(RT_OS_WINDOWS)
781 LPSTR pszIgnored;
782 char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
783 if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
784 && GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
785 if (!SUP_COMP_FILENAME(szName2, szName))
786 rc = VINF_SUCCESS;
787#else
788 AssertCompile(RTPATH_MAX >= PATH_MAX);
789 char szName2[RTPATH_MAX];
790 if ( realpath(szName, szName2) != NULL
791 && realpath(pszFilename, szName) != NULL)
792 if (!SUP_COMP_FILENAME(szName2, szName))
793 rc = VINF_SUCCESS;
794#endif
795
796 if (RT_FAILURE(rc))
797 {
798 supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
799 return supR3HardenedError(rc, fFatal,
800 "supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
801 pszFilename, szName);
802 }
803 }
804
805 /*
806 * Check more stuff like the stat info if it's an already open file?
807 */
808
809
810
811 return VINF_SUCCESS;
812}
813
814
815/**
816 * Verifies a file.
817 *
818 * @returns VINF_SUCCESS on success.
819 * VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
820 * On verification failure, an error code will be returned when fFatal is clear,
821 * otherwise the program will be terminated.
822 *
823 * @param pszFilename The filename.
824 * @param fFatal Whether validation failures should be treated as
825 * fatal (true) or not (false).
826 */
827DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
828{
829 /*
830 * Lookup the file and check if it's the same file.
831 */
832 const char *pszName = supR3HardenedPathFilename(pszFilename);
833 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
834 if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
835 {
836 int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
837 if (RT_SUCCESS(rc))
838 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen */, false /* fVerifyAll */);
839 return rc;
840 }
841
842 return VERR_NOT_FOUND;
843}
844
845
846/**
847 * Verifies a program, worker for supR3HardenedVerifyAll.
848 *
849 * @returns See supR3HardenedVerifyAll.
850 * @param pszProgName See supR3HardenedVerifyAll.
851 * @param pszExePath The path to the executable.
852 * @param fFatal See supR3HardenedVerifyAll.
853 * @param fLeaveOpen The leave open setting used by
854 * supR3HardenedVerifyAll.
855 */
856static int supR3HardenedVerifyProgram(const char *pszProgName, const char *pszExePath, bool fFatal, bool fLeaveOpen)
857{
858 /*
859 * Search the table looking for the executable and the DLL/DYLIB/SO.
860 */
861 int rc = VINF_SUCCESS;
862 bool fExe = false;
863 bool fDll = false;
864 size_t const cchProgName = suplibHardenedStrLen(pszProgName);
865 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
866 if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgName))
867 {
868 if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
869 || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
870 && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_DLL_SUFF))
871 {
872 /* This only has to be found (once). */
873 if (fDll)
874 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
875 "supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
876 else
877 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
878 true /* fVerifyAll - check sign later, only final process need check it on load. */);
879 fDll = true;
880 }
881 else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
882 || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
883 && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_EXE_SUFF))
884 {
885 /* Here we'll have to check that the specific program is the same as the entry. */
886 if (fExe)
887 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
888 "supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
889 else
890 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
891 fExe = true;
892
893 supR3HardenedVerifySameFile(iFile, pszExePath, fFatal);
894 }
895 }
896
897 /*
898 * Check the findings.
899 */
900 if (RT_SUCCESS(rc))
901 {
902 if (!fDll && !fExe)
903 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
904 "supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
905 else if (!fExe)
906 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
907 "supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
908 else if (!fDll)
909 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
910 "supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
911 }
912 return rc;
913}
914
915
916/**
917 * Verifies all the known files (called from SUPR3HardenedMain).
918 *
919 * @returns VINF_SUCCESS on success.
920 * On verification failure, an error code will be returned when fFatal is clear,
921 * otherwise the program will be terminated.
922 *
923 * @param fFatal Whether validation failures should be treated as
924 * fatal (true) or not (false).
925 * @param pszProgName The program name. This is used to verify that
926 * both the executable and corresponding
927 * DLL/DYLIB/SO are valid.
928 * @param pszExePath The path to the executable.
929 */
930DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char *pszProgName, const char *pszExePath)
931{
932 /*
933 * On windows
934 */
935#if defined(RT_OS_WINDOWS)
936 bool fLeaveOpen = true;
937#else
938 bool fLeaveOpen = false;
939#endif
940
941 /*
942 * The verify all the files.
943 */
944 int rc = VINF_SUCCESS;
945 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
946 {
947 int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
948 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
949 rc = rc2;
950 }
951
952 /*
953 * Verify the program name, that is to say, check that it's in the table
954 * (thus verified above) and verify the signature on platforms where we
955 * sign things.
956 */
957 int rc2 = supR3HardenedVerifyProgram(pszProgName, pszExePath, fFatal, fLeaveOpen);
958 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
959 rc2 = rc;
960
961 return rc;
962}
963
964
965/**
966 * Copies the N messages into the error buffer and returns @a rc.
967 *
968 * @returns Returns @a rc
969 * @param rc The return code.
970 * @param pErrInfo The error info structure.
971 * @param cMsgs The number of messages in the ellipsis.
972 * @param ... Message parts.
973 */
974static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
975{
976 if (pErrInfo)
977 {
978 size_t cbErr = pErrInfo->cbMsg;
979 char *pszErr = pErrInfo->pszMsg;
980
981 va_list va;
982 va_start(va, cMsgs);
983 while (cMsgs-- > 0 && cbErr > 0)
984 {
985 const char *pszMsg = va_arg(va, const char *);
986 size_t cchMsg = VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
987 if (cchMsg >= cbErr)
988 cchMsg = cbErr - 1;
989 suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
990 pszErr[cchMsg] = '\0';
991 pszErr += cchMsg;
992 cbErr -= cchMsg;
993 }
994 va_end(va);
995
996 pErrInfo->rc = rc;
997 pErrInfo->fFlags |= RTERRINFO_FLAGS_SET;
998 }
999
1000 return rc;
1001}
1002
1003
1004/**
1005 * Copies the three messages into the error buffer and returns @a rc.
1006 *
1007 * @returns Returns @a rc
1008 * @param rc The return code.
1009 * @param pErrInfo The error info structure.
1010 * @param pszMsg1 The first message part.
1011 * @param pszMsg2 The second message part.
1012 * @param pszMsg3 The third message part.
1013 */
1014static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1015 const char *pszMsg2, const char *pszMsg3)
1016{
1017 return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
1018}
1019
1020#ifdef SOME_UNUSED_FUNCTION
1021
1022/**
1023 * Copies the two messages into the error buffer and returns @a rc.
1024 *
1025 * @returns Returns @a rc
1026 * @param rc The return code.
1027 * @param pErrInfo The error info structure.
1028 * @param pszMsg1 The first message part.
1029 * @param pszMsg2 The second message part.
1030 */
1031static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1032 const char *pszMsg2)
1033{
1034 return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
1035}
1036
1037
1038/**
1039 * Copies the error message to the error buffer and returns @a rc.
1040 *
1041 * @returns Returns @a rc
1042 * @param rc The return code.
1043 * @param pErrInfo The error info structure.
1044 * @param pszMsg The message.
1045 */
1046static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
1047{
1048 return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
1049}
1050
1051#endif /* SOME_UNUSED_FUNCTION */
1052
1053/**
1054 * Output from a successfull supR3HardenedVerifyPathSanity call.
1055 */
1056typedef struct SUPR3HARDENEDPATHINFO
1057{
1058 /** The length of the path in szCopy. */
1059 uint16_t cch;
1060 /** The number of path components. */
1061 uint16_t cComponents;
1062 /** Set if the path ends with slash, indicating that it's a directory
1063 * reference and not a file reference. The slash has been removed from
1064 * the copy. */
1065 bool fDirSlash;
1066 /** The offset where each path component starts, i.e. the char after the
1067 * slash. The array has cComponents + 1 entries, where the final one is
1068 * cch + 1 so that one can always terminate the current component by
1069 * szPath[aoffComponent[i] - 1] = '\0'. */
1070 uint16_t aoffComponents[32+1];
1071 /** A normalized copy of the path.
1072 * Reserve some extra space so we can be more relaxed about overflow
1073 * checks and terminator paddings, especially when recursing. */
1074 char szPath[SUPR3HARDENED_MAX_PATH * 2];
1075} SUPR3HARDENEDPATHINFO;
1076/** Pointer to a parsed path. */
1077typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
1078
1079
1080/**
1081 * Verifies that the path is absolutely sane, it also parses the path.
1082 *
1083 * A sane path starts at the root (w/ drive letter on DOS derived systems) and
1084 * does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
1085 * Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
1086 * paths are not supported.
1087 *
1088 * @returns VBox status code.
1089 * @param pszPath The path to check.
1090 * @param pErrInfo The error info structure.
1091 * @param pInfo Where to return a copy of the path along with
1092 * parsing information.
1093 */
1094static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
1095{
1096 const char *pszSrc = pszPath;
1097 char *pszDst = pInfo->szPath;
1098
1099 /*
1100 * Check that it's an absolute path and copy the volume/root specifier.
1101 */
1102#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
1103 if ( !RT_C_IS_ALPHA(pszSrc[0])
1104 || pszSrc[1] != ':'
1105 || !RTPATH_IS_SLASH(pszSrc[2]))
1106 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1107
1108 *pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
1109 *pszDst++ = ':';
1110 *pszDst++ = RTPATH_SLASH;
1111 pszSrc += 3;
1112
1113#else
1114 if (!RTPATH_IS_SLASH(pszSrc[0]))
1115 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1116
1117 *pszDst++ = RTPATH_SLASH;
1118 pszSrc += 1;
1119#endif
1120
1121 /*
1122 * No path specifying the root or something very shortly thereafter will
1123 * be approved of.
1124 */
1125 if (pszSrc[0] == '\0')
1126 return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
1127 if ( pszSrc[1] == '\0'
1128 || pszSrc[2] == '\0')
1129 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
1130
1131 /*
1132 * Check each component. No parent references or double slashes.
1133 */
1134 pInfo->cComponents = 0;
1135 pInfo->fDirSlash = false;
1136 while (pszSrc[0])
1137 {
1138 /* Sanity checks. */
1139 if (RTPATH_IS_SLASH(pszSrc[0])) /* can be relaxed if we care. */
1140 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
1141 "The path is not clean of double slashes: '", pszPath, "'");
1142 if ( pszSrc[0] == '.'
1143 && pszSrc[1] == '.'
1144 && RTPATH_IS_SLASH(pszSrc[2]))
1145 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
1146 "The path is not absolute: '", pszPath, "'");
1147
1148 /* Record the start of the component. */
1149 if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
1150 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
1151 "The path has too many components: '", pszPath, "'");
1152 pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
1153
1154 /* Traverse to the end of the component, copying it as we go along. */
1155 while (pszSrc[0])
1156 {
1157 if (RTPATH_IS_SLASH(pszSrc[0]))
1158 {
1159 pszSrc++;
1160 if (*pszSrc)
1161 *pszDst++ = RTPATH_SLASH;
1162 else
1163 pInfo->fDirSlash = true;
1164 break;
1165 }
1166 *pszDst++ = *pszSrc++;
1167 if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
1168 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1169 "The path is too long: '", pszPath, "'");
1170 }
1171 }
1172
1173 /* Terminate the string and enter its length. */
1174 pszDst[0] = '\0';
1175 pszDst[1] = '\0'; /* for aoffComponents */
1176 pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
1177 pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
1178
1179 return VINF_SUCCESS;
1180}
1181
1182
1183/**
1184 * The state information collected by supR3HardenedVerifyFsObject.
1185 *
1186 * This can be used to verify that a directory we've opened for enumeration is
1187 * the same as the one that supR3HardenedVerifyFsObject just verified. It can
1188 * equally be used to verify a native specfied by the user.
1189 */
1190typedef struct SUPR3HARDENEDFSOBJSTATE
1191{
1192#ifdef RT_OS_WINDOWS
1193 /** Not implemented for windows yet. */
1194 char chTodo;
1195#else
1196 /** The stat output. */
1197 struct stat Stat;
1198#endif
1199} SUPR3HARDENEDFSOBJSTATE;
1200/** Pointer to a file system object state. */
1201typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1202/** Pointer to a const file system object state. */
1203typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1204
1205
1206/**
1207 * Query information about a file system object by path.
1208 *
1209 * @returns VBox status code, error buffer filled on failure.
1210 * @param pszPath The path to the object.
1211 * @param pFsObjState Where to return the state information.
1212 * @param pErrInfo The error info structure.
1213 */
1214static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1215{
1216#if defined(RT_OS_WINDOWS)
1217 /** @todo Windows hardening. */
1218 pFsObjState->chTodo = 0;
1219 return VINF_SUCCESS;
1220
1221#else
1222 /*
1223 * Stat the object, do not follow links.
1224 */
1225 if (lstat(pszPath, &pFsObjState->Stat) != 0)
1226 {
1227 /* Ignore access errors */
1228 if (errno != EACCES)
1229 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1230 5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1231 }
1232
1233 /*
1234 * Read ACLs.
1235 */
1236 /** @todo */
1237
1238 return VINF_SUCCESS;
1239#endif
1240}
1241
1242
1243/**
1244 * Query information about a file system object by native handle.
1245 *
1246 * @returns VBox status code, error buffer filled on failure.
1247 * @param hNative The native handle to the object @a pszPath
1248 * specifies and this should be verified to be the
1249 * same file system object.
1250 * @param pFsObjState Where to return the state information.
1251 * @param pszPath The path to the object. (For the error message
1252 * only.)
1253 * @param pErrInfo The error info structure.
1254 */
1255static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1256 char const *pszPath, PRTERRINFO pErrInfo)
1257{
1258#if defined(RT_OS_WINDOWS)
1259 /** @todo Windows hardening. */
1260 pFsObjState->chTodo = 0;
1261 return VINF_SUCCESS;
1262
1263#else
1264 /*
1265 * Stat the object, do not follow links.
1266 */
1267 if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1268 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1269 5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1270
1271 /*
1272 * Read ACLs.
1273 */
1274 /** @todo */
1275
1276 return VINF_SUCCESS;
1277#endif
1278}
1279
1280
1281/**
1282 * Verifies that the file system object indicated by the native handle is the
1283 * same as the one @a pFsObjState indicates.
1284 *
1285 * @returns VBox status code, error buffer filled on failure.
1286 * @param pFsObjState1 File system object information/state by path.
1287 * @param pFsObjState2 File system object information/state by handle.
1288 * @param pszPath The path to the object @a pFsObjState
1289 * describes. (For the error message.)
1290 * @param pErrInfo The error info structure.
1291 */
1292static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1293 const char *pszPath, PRTERRINFO pErrInfo)
1294{
1295#if defined(RT_OS_WINDOWS)
1296 /** @todo Windows hardening. */
1297 return VINF_SUCCESS;
1298
1299#elif defined(RT_OS_OS2)
1300 return VINF_SUCCESS;
1301
1302#else
1303 /*
1304 * Compare the ino+dev, then the uid+gid and finally the important mode
1305 * bits. Technically the first one should be enough, but we're paranoid.
1306 */
1307 if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1308 || pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1309 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1310 "The native handle is not the same as '", pszPath, "' (ino/dev)");
1311 if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1312 || pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1313 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1314 "The native handle is not the same as '", pszPath, "' (uid/gid)");
1315 if ( (pFsObjState1->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH))
1316 != (pFsObjState2->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH)))
1317 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1318 "The native handle is not the same as '", pszPath, "' (mode)");
1319 return VINF_SUCCESS;
1320#endif
1321}
1322
1323
1324/**
1325 * Verifies a file system object (file or directory).
1326 *
1327 * @returns VBox status code, error buffer filled on failure.
1328 * @param pFsObjState The file system object information/state to be
1329 * verified.
1330 * @param fDir Whether this is a directory or a file.
1331 * @param fRelaxed Whether we can be more relaxed about this
1332 * directory (only used for grand parent
1333 * directories).
1334 * @param pszPath The path to the object. For error messages and
1335 * securing a couple of hacks.
1336 * @param pErrInfo The error info structure.
1337 */
1338static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1339 const char *pszPath, PRTERRINFO pErrInfo)
1340{
1341#if defined(RT_OS_WINDOWS)
1342 /** @todo Windows hardening. */
1343 NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1344 return VINF_SUCCESS;
1345
1346#elif defined(RT_OS_OS2)
1347 /* No hardening here - it's a single user system. */
1348 NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1349 return VINF_SUCCESS;
1350
1351#else
1352 /*
1353 * The owner must be root.
1354 *
1355 * This can be extended to include predefined system users if necessary.
1356 */
1357 if (pFsObjState->Stat.st_uid != 0)
1358 return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1359
1360 /*
1361 * The object type must be directory or file, no symbolic links or other
1362 * risky stuff (sorry dude, but we're paranoid on purpose here).
1363 */
1364 if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1365 && !S_ISREG(pFsObjState->Stat.st_mode))
1366 {
1367 if (S_ISLNK(pFsObjState->Stat.st_mode))
1368 return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1369 "Symlinks are not permitted: '", pszPath, "'");
1370 return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1371 "Not regular file or directory: '", pszPath, "'");
1372 }
1373 if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1374 {
1375 if (S_ISDIR(pFsObjState->Stat.st_mode))
1376 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1377 "Expected file but found directory: '", pszPath, "'");
1378 return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1379 "Expected directory but found file: '", pszPath, "'");
1380 }
1381
1382 /*
1383 * The group does not matter if it does not have write access, if it has
1384 * write access it must be group 0 (root/wheel/whatever).
1385 *
1386 * This can be extended to include predefined system groups or groups that
1387 * only root is member of.
1388 */
1389 if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1390 && pFsObjState->Stat.st_gid != 0)
1391 {
1392#ifdef RT_OS_DARWIN
1393 /* HACK ALERT: On Darwin /Applications is root:admin with admin having
1394 full access. So, to work around we relax the hardening a bit and
1395 permit grand parents and beyond to be group writable by admin. */
1396 /** @todo dynamically resolve the admin group? */
1397 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 80 /*admin*/ || suplibHardenedStrCmp(pszPath, "/Applications");
1398
1399#elif defined(RT_OS_FREEBSD)
1400 /* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1401 similar to /Applications on OS X (see above).
1402 On FreeBSD root is normally the only member of this group, on
1403 PC-BSD the default user is a member. */
1404 /** @todo dynamically resolve the operator group? */
1405 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 5 /*operator*/ || suplibHardenedStrCmp(pszPath, "/usr/pbi");
1406 NOREF(fRelaxed);
1407#else
1408 NOREF(fRelaxed);
1409 bool fBad = true;
1410#endif
1411 if (fBad)
1412 return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1413 "An unknown (and thus untrusted) group has write access to '", pszPath,
1414 "' and we therefore cannot trust the directory content or that of any subdirectory");
1415 }
1416
1417 /*
1418 * World must not have write access. There is no relaxing this rule.
1419 */
1420 if (pFsObjState->Stat.st_mode & S_IWOTH)
1421 return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1422 "World writable: '", pszPath, "'");
1423
1424 /*
1425 * Check the ACLs.
1426 */
1427 /** @todo */
1428
1429 return VINF_SUCCESS;
1430#endif
1431}
1432
1433
1434/**
1435 * Verifies that the file system object indicated by the native handle is the
1436 * same as the one @a pFsObjState indicates.
1437 *
1438 * @returns VBox status code, error buffer filled on failure.
1439 * @param hNative The native handle to the object @a pszPath
1440 * specifies and this should be verified to be the
1441 * same file system object.
1442 * @param pFsObjState The information/state returned by a previous
1443 * query call.
1444 * @param pszPath The path to the object @a pFsObjState
1445 * describes. (For the error message.)
1446 * @param pErrInfo The error info structure.
1447 */
1448static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1449 const char *pszPath, PRTERRINFO pErrInfo)
1450{
1451 SUPR3HARDENEDFSOBJSTATE FsObjState2;
1452 int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1453 if (RT_SUCCESS(rc))
1454 rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1455 return rc;
1456}
1457
1458
1459/**
1460 * Does the recursive directory enumeration.
1461 *
1462 * @returns VBox status code, error buffer filled on failure.
1463 * @param pszDirPath The path buffer containing the subdirectory to
1464 * enumerate followed by a slash (this is never
1465 * the root slash). The buffer is RTPATH_MAX in
1466 * size and anything starting at @a cchDirPath
1467 * - 1 and beyond is scratch space.
1468 * @param cchDirPath The length of the directory path + slash.
1469 * @param pFsObjState Pointer to the file system object state buffer.
1470 * On input this will hold the stats for
1471 * the directory @a pszDirPath indicates and will
1472 * be used to verified that we're opening the same
1473 * thing.
1474 * @param fRecursive Whether to recurse into subdirectories.
1475 * @param pErrInfo The error info structure.
1476 */
1477static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1478 bool fRecursive, PRTERRINFO pErrInfo)
1479{
1480#if defined(RT_OS_WINDOWS)
1481 /** @todo Windows hardening. */
1482 return VINF_SUCCESS;
1483
1484#elif defined(RT_OS_OS2)
1485 /* No hardening here - it's a single user system. */
1486 return VINF_SUCCESS;
1487
1488#else
1489 /*
1490 * Open the directory. Now, we could probably eliminate opendir here
1491 * and go down on kernel API level (open + getdents for instance), however
1492 * that's not very portable and hopefully not necessary.
1493 */
1494 DIR *pDir = opendir(pszDirPath);
1495 if (!pDir)
1496 {
1497 /* Ignore access errors. */
1498 if (errno == EACCES)
1499 return VINF_SUCCESS;
1500 return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1501 5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1502 }
1503 if (dirfd(pDir) != -1)
1504 {
1505 int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1506 if (RT_FAILURE(rc))
1507 {
1508 closedir(pDir);
1509 return rc;
1510 }
1511 }
1512
1513 /*
1514 * Enumerate the directory, check all the requested bits.
1515 */
1516 int rc = VINF_SUCCESS;
1517 for (;;)
1518 {
1519 pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1520
1521 struct dirent Entry;
1522 struct dirent *pEntry;
1523 int iErr = readdir_r(pDir, &Entry, &pEntry);
1524 if (iErr)
1525 {
1526 rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1527 5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1528 break;
1529 }
1530 if (!pEntry)
1531 break;
1532
1533 /*
1534 * Check the length and copy it into the path buffer so it can be
1535 * stat()'ed.
1536 */
1537 size_t cchName = suplibHardenedStrLen(pEntry->d_name);
1538 if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1539 {
1540 rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1541 4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1542 break;
1543 }
1544 suplibHardenedMemCopy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1545
1546 /*
1547 * Query the information about the entry and verify it.
1548 * (We don't bother skipping '.' and '..' at this point, a little bit
1549 * of extra checks doesn't hurt and neither requires relaxed handling.)
1550 */
1551 rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1552 if (RT_SUCCESS(rc))
1553 break;
1554 rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /*fRelaxed*/,
1555 pszDirPath, pErrInfo);
1556 if (RT_FAILURE(rc))
1557 break;
1558
1559 /*
1560 * Recurse into subdirectories if requested.
1561 */
1562 if ( fRecursive
1563 && S_ISDIR(pFsObjState->Stat.st_mode)
1564 && suplibHardenedStrCmp(pEntry->d_name, ".")
1565 && suplibHardenedStrCmp(pEntry->d_name, ".."))
1566 {
1567 pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1568 pszDirPath[cchDirPath + cchName + 1] = '\0';
1569
1570 rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1571 fRecursive, pErrInfo);
1572 if (RT_FAILURE(rc))
1573 break;
1574 }
1575 }
1576
1577 closedir(pDir);
1578 return VINF_SUCCESS;
1579#endif
1580}
1581
1582
1583/**
1584 * Worker for SUPR3HardenedVerifyDir.
1585 *
1586 * @returns See SUPR3HardenedVerifyDir.
1587 * @param pszDirPath See SUPR3HardenedVerifyDir.
1588 * @param fRecursive See SUPR3HardenedVerifyDir.
1589 * @param fCheckFiles See SUPR3HardenedVerifyDir.
1590 * @param pErrInfo See SUPR3HardenedVerifyDir.
1591 */
1592DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1593{
1594 /*
1595 * Validate the input path and parse it.
1596 */
1597 SUPR3HARDENEDPATHINFO Info;
1598 int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1599 if (RT_FAILURE(rc))
1600 return rc;
1601
1602 /*
1603 * Verify each component from the root up.
1604 */
1605 SUPR3HARDENEDFSOBJSTATE FsObjState;
1606 uint32_t const cComponents = Info.cComponents;
1607 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1608 {
1609 bool fRelaxed = iComponent + 2 < cComponents;
1610 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1611 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1612 if (RT_SUCCESS(rc))
1613 rc = supR3HardenedVerifyFsObject(&FsObjState, true /*fDir*/, fRelaxed, Info.szPath, pErrInfo);
1614 if (RT_FAILURE(rc))
1615 return rc;
1616 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1617 }
1618
1619 /*
1620 * Check files and subdirectories if requested.
1621 */
1622 if (fCheckFiles || fRecursive)
1623 {
1624 Info.szPath[Info.cch] = RTPATH_SLASH;
1625 Info.szPath[Info.cch + 1] = '\0';
1626 return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1627 fRecursive, pErrInfo);
1628 }
1629
1630 return VINF_SUCCESS;
1631}
1632
1633
1634/**
1635 * Verfies a file.
1636 *
1637 * @returns VBox status code, error buffer filled on failure.
1638 * @param pszFilename The file to verify.
1639 * @param hNativeFile Handle to the file, verify that it's the same
1640 * as we ended up with when verifying the path.
1641 * RTHCUINTPTR_MAX means NIL here.
1642 * @param fMaybe3rdParty Set if the file is could be a supplied by a
1643 * third party. Different validation rules may
1644 * apply to 3rd party code on some platforms.
1645 * @param pErrInfo Where to return extended error information.
1646 * Optional.
1647 */
1648DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
1649 bool fMaybe3rdParty, PRTERRINFO pErrInfo)
1650{
1651 /*
1652 * Validate the input path and parse it.
1653 */
1654 SUPR3HARDENEDPATHINFO Info;
1655 int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1656 if (RT_FAILURE(rc))
1657 return rc;
1658 if (Info.fDirSlash)
1659 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1660 "The file path specifies a directory: '", pszFilename, "'");
1661
1662 /*
1663 * Verify each component from the root up.
1664 */
1665 SUPR3HARDENEDFSOBJSTATE FsObjState;
1666 uint32_t const cComponents = Info.cComponents;
1667 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1668 {
1669 bool fFinal = iComponent + 1 == cComponents;
1670 bool fRelaxed = iComponent + 2 < cComponents;
1671 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1672 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1673 if (RT_SUCCESS(rc))
1674 rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed, Info.szPath, pErrInfo);
1675 if (RT_FAILURE(rc))
1676 return rc;
1677 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1678 }
1679
1680 /*
1681 * Verify the file handle against the last component, if specified.
1682 */
1683 if (hNativeFile != RTHCUINTPTR_MAX)
1684 {
1685 rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1686 if (RT_FAILURE(rc))
1687 return rc;
1688 }
1689
1690#ifdef RT_OS_WINDOWS
1691 /*
1692 * The files shall be signed on windows, verify that.
1693 */
1694 rc = VINF_SUCCESS;
1695 HANDLE hVerify;
1696 if (hNativeFile == RTHCUINTPTR_MAX)
1697 {
1698 PRTUTF16 pwszPath;
1699 rc = RTStrToUtf16(pszFilename, &pwszPath);
1700 if (RT_SUCCESS(rc))
1701 {
1702 hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1703 RTUtf16Free(pwszPath);
1704 }
1705 else
1706 rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
1707 }
1708 else
1709 {
1710 NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
1711 GENERIC_READ, 0 /*HandleAttributes*/, 0 /*Options*/);
1712 if (!NT_SUCCESS(rcNt))
1713 hVerify = INVALID_HANDLE_VALUE;
1714 }
1715 if (hVerify != INVALID_HANDLE_VALUE)
1716 {
1717# ifdef VBOX_WITH_HARDENING
1718 uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
1719 if (!fMaybe3rdParty)
1720 fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
1721 const char *pszSuffix = RTPathSuffix(pszFilename);
1722 if ( pszSuffix
1723 && pszSuffix[0] == '.'
1724 && ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
1725 || RT_C_TO_LOWER(pszSuffix[1]) == 'g')
1726 && RT_C_TO_LOWER(pszSuffix[2]) == 'c'
1727 && pszSuffix[3] == '\0' )
1728 fFlags |= SUPHNTVI_F_RC_IMAGE;
1729# ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
1730 rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
1731# endif
1732# endif
1733 NtClose(hVerify);
1734 }
1735 else if (RT_SUCCESS(rc))
1736 rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
1737 "Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
1738 if (RT_FAILURE(rc))
1739 return rc;
1740#endif
1741
1742 return VINF_SUCCESS;
1743}
1744
1745
1746/**
1747 * Gets the pre-init data for the hand-over to the other version
1748 * of this code.
1749 *
1750 * The reason why we pass this information on is that it contains
1751 * open directories and files. Later it may include even more info
1752 * (int the verified arrays mostly).
1753 *
1754 * The receiver is supR3HardenedRecvPreInitData.
1755 *
1756 * @param pPreInitData Where to store it.
1757 */
1758DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
1759{
1760 pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
1761 pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
1762 pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
1763
1764 pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
1765 pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
1766}
1767
1768
1769/**
1770 * Receives the pre-init data from the static executable stub.
1771 *
1772 * @returns VBox status code. Will not bitch on failure since the
1773 * runtime isn't ready for it, so that is left to the exe stub.
1774 *
1775 * @param pPreInitData The hand-over data.
1776 */
1777DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
1778{
1779 /*
1780 * Compare the array lengths and the contents of g_aSupInstallFiles.
1781 */
1782 if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
1783 || pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
1784 return VERR_VERSION_MISMATCH;
1785 SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
1786 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
1787 if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
1788 || g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
1789 || g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
1790 || suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
1791 return VERR_VERSION_MISMATCH;
1792
1793 /*
1794 * Check that we're not called out of order.
1795 * If dynamic linking it screwed up, we may end up here.
1796 */
1797 if ( ASMMemIsAll8(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles), 0) != NULL
1798 || ASMMemIsAll8(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs), 0) != NULL)
1799 return VERR_WRONG_ORDER;
1800
1801 /*
1802 * Copy the verification data over.
1803 */
1804 suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
1805 suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
1806 return VINF_SUCCESS;
1807}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette