VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp@ 87593

Last change on this file since 87593 was 87593, checked in by vboxsync, 3 years ago

SUP: doxygen fix
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 98.9 KB
Line 
1/* $Id: SUPR3HardenedMain.cpp 87593 2021-02-03 20:21:54Z vboxsync $ */
2/** @file
3 * VirtualBox Support Library - Hardened main().
4 */
5
6/*
7 * Copyright (C) 2006-2020 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27/** @page pg_hardening %VirtualBox %VM Process Hardening
28 *
29 * The %VM process hardening is to prevent malicious software from using
30 * %VirtualBox as a vehicle to obtain kernel level access.
31 *
32 * The %VirtualBox %VMM requires supervisor (kernel) level access to the CPU.
33 * For both practical and historical reasons, part of the %VMM is realized in
34 * ring-3, with a rich interface to the kernel part. While the device
35 * emulations can be executed exclusively in ring-3, we have performance
36 * optimizations that loads device emulation code into ring-0 and our special
37 * raw-mode execution context (none VT-x/AMD-V mode) for handling frequent
38 * operations a lot more efficiently. These share data between all three
39 * context (ring-3, ring-0 and raw-mode). All this poses a rather broad attack
40 * surface, which the hardening protects.
41 *
42 * The hardening focuses primarily on restricting access to the support driver,
43 * VBoxDrv or vboxdrv depending on the OS, as it is ultimately the link and
44 * instigator of the communication between ring-3 and the ring-0 and raw-mode
45 * contexts. A secondary focus is to make sure malicious code cannot be loaded
46 * and executed in the %VM process. Exactly how we go about this depends a lot
47 * on the host OS.
48 *
49 * @section sec_hardening_supdrv The Support Driver Interfaces
50 *
51 * The support driver has several interfaces thru which it can be accessed:
52 * - /dev/vboxdrv (win: \\Device\\VBoxDrv) for full unrestricted access.
53 * Offers a rich I/O control interface, which needs protecting.
54 * - /dev/vboxdrvu (win: \\Device\\VBoxDrvU) for restricted access, which
55 * VBoxSVC uses to query VT-x and AMD-V capabilities. This does not
56 * require protecting, though we limit it to the vboxgroup on some
57 * systems.
58 * - \\Device\\VBoxDrvStub on Windows for protecting the second stub
59 * process and its child, the %VM process. This is an open+close
60 * interface, only available to partially verified stub processes.
61 * - \\Device\\VBoxDrvErrorInfo on Windows for obtaining detailed error
62 * information on a previous attempt to open \\Device\\VBoxDrv or
63 * \\Device\\VBoxDrvStub. Open, read and close only interface.
64 *
65 * The rest of VBox accesses the device interface thru the support library,
66 * @ref grp_sup "SUPR3" / sup.h.
67 *
68 * The support driver also exposes a set of functions and data that other VBox
69 * ring-0 modules can import from. This includes much of the IPRT we need in
70 * the ring-0 part of the %VMM and device emulations.
71 *
72 * The ring-0 part of the %VMM and device emulations are loaded via the
73 * #SUPR3LoadModule and #SUPR3LoadServiceModule support library function, which
74 * both translates to a sequence of I/O controls against /dev/vboxdrv. On
75 * Windows we use the native kernel loader to load the module, while on the
76 * other systems ring-3 prepares the bits with help from the IPRT loader code.
77 *
78 *
79 * @section sec_hardening_unix Hardening on UNIX-like OSes
80 *
81 * On UNIX-like systems (Solaris, Linux, darwin, freebsd, ...) we put our trust
82 * in root and that root knows what he/she/it is doing.
83 *
84 * We only allow root to get full unrestricted access to the support driver.
85 * The device node corresponding to unrestricted access (/dev/vboxdrv) is own by
86 * root and has a 0600 access mode (i.e. only accessible to the owner, root). In
87 * addition to this file system level restriction, the support driver also
88 * checks that the effective user ID (EUID) is root when it is being opened.
89 *
90 * The %VM processes temporarily assume root privileges using the set-uid-bit on
91 * the executable with root as owner. In fact, all the files and directories we
92 * install are owned by root and the wheel (or equivalent gid = 0) group,
93 * including extension pack files.
94 *
95 * The executable with the set-uid-to-root-bit set is a stub binary that has no
96 * unnecessary library dependencies (only libc, pthreads, dynamic linker) and
97 * simply calls #SUPR3HardenedMain. It does the following:
98 * 1. Validate the VirtualBox installation (#supR3HardenedVerifyAll):
99 * - Check that the executable file of the process is one of the known
100 * VirtualBox executables.
101 * - Check that all mandatory files are present.
102 * - Check that all installed files and directories (both optional and
103 * mandatory ones) are owned by root:wheel and are not writable by
104 * anyone except root.
105 * - Check that all the parent directories, all the way up to the root
106 * if possible, only permits root (or system admin) to change them.
107 * This is that to rule out unintentional rename races.
108 * - On some systems we may also validate the cryptographic signtures
109 * of executable images.
110 *
111 * 2. Open a file descriptor for the support device driver
112 * (#supR3HardenedMainOpenDevice).
113 *
114 * 3. Grab ICMP capabilities for NAT ping support, if required by the OS
115 * (#supR3HardenedMainGrabCapabilites).
116 *
117 * 4. Correctly drop the root privileges
118 * (#supR3HardenedMainDropPrivileges).
119 *
120 * 5. Load the VBoxRT dynamic link library and hand over the file
121 * descriptor to the support library code in it
122 * (#supR3HardenedMainInitRuntime).
123 *
124 * 6. Load the dynamic library containing the actual %VM front end code and
125 * run it (tail of #SUPR3HardenedMain).
126 *
127 * The set-uid-to-root stub executable is paired with a dynamic link library
128 * which export one TrustedMain entry point (see #FNSUPTRUSTEDMAIN) that we
129 * call. In case of error reporting, the library may also export a TrustedError
130 * function (#FNSUPTRUSTEDERROR).
131 *
132 * That the set-uid-to-root-bit modifies the dynamic linker behavior on all
133 * systems, even after we've dropped back to the real user ID, is something we
134 * take advantage of. The dynamic linkers takes special care to prevent users
135 * from using clever tricks to inject their own code into set-uid processes and
136 * causing privilege escalation issues. This is the exact help we need.
137 *
138 * The VirtualBox installation location is hardcoded, which means the any
139 * dynamic linker paths embedded or inferred from the executable and dynamic
140 * libraries are also hardcoded. This helps eliminating search path attack
141 * vectors at the cost of being inflexible regarding installation location.
142 *
143 * In addition to what the dynamic linker does for us, the VirtualBox code will
144 * not directly be calling either RTLdrLoad or dlopen to load dynamic link
145 * libraries into the process. Instead it will call #SUPR3HardenedLdrLoad,
146 * #SUPR3HardenedLdrLoadAppPriv and #SUPR3HardenedLdrLoadPlugIn to do the
147 * loading. These functions will perform the same validations on the file being
148 * loaded as #SUPR3HardenedMain did in its validation step. So, anything we
149 * load must be installed with root/wheel as owner/group, the directory we load
150 * it from must also be owned by root:wheel and now allow for renaming the file.
151 * Similar ownership restrictions applies to all the parent directories (except
152 * on darwin).
153 *
154 * So, we place the responsibility of not installing malicious software on the
155 * root user on UNIX-like systems. Which is fair enough, in our opinion.
156 *
157 *
158 * @section sec_hardening_win Hardening on Windows
159 *
160 * On Windows we cannot put the same level or trust in the Administrator user(s)
161 * (equivalent of root/wheel on unix) as on the UNIX-like systems, which
162 * complicates things greatly.
163 *
164 * Some of the blame for this can be given to Windows being a descendant /
165 * replacement for a set of single user systems: DOS, Windows 1.0-3.11 Windows
166 * 95-ME, and OS/2. Users of NT 3.1 and later was inclined to want to always
167 * run it with full root/administrator privileges like they had done on the
168 * predecessors, while Microsoft didn't provide much incentive for more secure
169 * alternatives. Bad idea, security wise, but execellent for the security
170 * software industry. For this reason using a set-uid-to-root approach is
171 * pointless, even if Windows had one.
172 *
173 * So, in order to protect access to the support driver and protect the %VM
174 * process while it's running we have to do a lot more work. A keystone in the
175 * defences is cryptographic code signing. Here's the short version of what we
176 * do:
177 * - Minimal stub executable, signed with the same certificate as the
178 * kernel driver.
179 *
180 * - The stub executable respawns itself twice, hooking the NTDLL init
181 * routine to perform protection tasks as early as possible. The parent
182 * stub helps keep in the child clean for verification as does the
183 * support driver.
184 *
185 * - In order to protect against loading unwanted code into the process,
186 * the stub processes installs DLL load hooks with NTDLL as well as
187 * directly intercepting the LdrLoadDll and NtCreateSection APIs.
188 *
189 * - The support driver will verify all but the initial process very
190 * thoroughly before allowing them protection and in the final case full
191 * unrestricted access.
192 *
193 *
194 * @subsection sec_hardening_win_protsoft 3rd Party "Protection" Software
195 *
196 * What makes our life REALLY difficult on Windows is this 3rd party "security"
197 * software which is more or less required to keep a Windows system safe for
198 * normal users and all corporate IT departments rightly insists on installing.
199 * After the kernel patching clampdown in Vista, anti-* software has to do a
200 * lot more mucking about in user mode to get their job (kind of) done. So, it
201 * is common practice to patch a lot of NTDLL, KERNEL32, the executable import
202 * table, load extra DLLs into the process, allocate executable memory in the
203 * process (classic code injection) and more.
204 *
205 * The BIG problem with all this is that it is indistinguishable from what
206 * malicious software would be doing in order to intercept process activity
207 * (network sniffing, maybe password snooping) or gain a level of kernel access
208 * via the support driver. So, the "protection" software is what is currently
209 * forcing us to do the pre-NTDLL initialization.
210 *
211 *
212 * @subsection sec_hardening_win_1st_stub The Initial Stub Process
213 *
214 * We share the stub executable approach with the UNIX-like systems, so there's
215 * the #SUPR3HardenedMain calling stub executable with its partner DLL exporting
216 * TrustedMain and TrustedError. However, the stub executable does a lot more,
217 * while doing it in a more bare metal fashion:
218 * - It does not use the Microsoft CRT, what we need of CRT functions comes
219 * from IPRT.
220 * - It does not statically import anything. This is to avoid having an
221 * import table that can be patched to intercept our calls or extended to
222 * load additional DLLs.
223 * - Direct NT system calls. System calls normally going thru NTDLL, but
224 * since there is so much software out there which wants to patch known
225 * NTDLL entry points to control our software (either for good or
226 * malicious reasons), we do it ourselves.
227 *
228 * The initial stub process is not really to be trusted, though we try our best
229 * to limit potential harm (user mode debugger checks, disable thread creation).
230 * So, when it enters #SUPR3HardenedMain we only call #supR3HardenedVerifyAll to
231 * verify the installation (known executables and DLLs, checking their code
232 * signing signatures, keeping them all open to deny deletion and replacing) and
233 * does a respawn via #supR3HardenedWinReSpawn.
234 *
235 *
236 * @subsection sec_hardening_win_2nd_stub The Second Stub Process
237 *
238 * The second stub process will be created in suspended state, i.e. the main
239 * thread is suspended before it executes a single instruction. It is also
240 * created with a less generous ACLs, though this doesn't protect us from admin
241 * users. In order for #SUPR3HardenedMain to figure that it is the second stub
242 * process, the zeroth command line argument has been replaced by a known magic
243 * string (UUID).
244 *
245 * Now, before the process starts executing, the parent (initial stub) will
246 * patch the LdrInitializeThunk entry point in NTDLL to call
247 * #supR3HardenedEarlyProcessInit via #supR3HardenedEarlyProcessInitThunk. The
248 * parent will also plant some synchronization stuff via #g_ProcParams (NTDLL
249 * location, inherited event handles and associated ping-pong equipment).
250 *
251 * The LdrInitializeThunk entry point of NTDLL is where the kernel sets up
252 * process execution to start executing (via a user alert, so it is not subject
253 * to SetThreadContext). LdrInitializeThunk performs process, NTDLL and
254 * sub-system client (kernel32) initialization. A lot of "protection" software
255 * uses triggers in this initialization sequence (like the KERNEL32.DLL load
256 * event), so we avoid quite a bit of problems by getting our stuff done early
257 * on.
258 *
259 * However, there are also those that uses events that triggers immediately when
260 * the process is created or/and starts executing the first instruction. But we
261 * can easily counter these as we have a known process state we can restore. So,
262 * the first thing that #supR3HardenedEarlyProcessInit does is to signal the
263 * parent to perform a child purification, so the potentially evil influences
264 * can be exorcised.
265 *
266 * What the parent does during the purification is very similar to what the
267 * kernel driver will do later on when verifying the second stub and the %VM
268 * processes, except that instead of failing when encountering an shortcoming it
269 * will take corrective actions:
270 * - Executable memory regions not belonging to a DLL mapping will be
271 * attempted freed, and we'll only fail if we can't evict them.
272 * - All pages in the executable images in the process (should be just the
273 * stub executable and NTDLL) will be compared to the pristine fixed-up
274 * copy prepared by the IPRT PE loader code, restoring any bytes which
275 * appears differently in the child. (#g_ProcParams is exempted,
276 * LdrInitializeThunk is set to call NtTerminateThread.)
277 * - Unwanted DLLs will be unloaded (we have a set of DLLs we like).
278 *
279 * Before signalling the second stub process that it has been purified and should
280 * get on with it, the parent will close all handles with unrestricted access to
281 * the process and thread so that the initial stub process no longer can
282 * influence the child in any really harmful way. (The caller of CreateProcess
283 * usually receives handles with unrestricted access to the child process and
284 * its main thread. These could in theory be used with DuplicateHandle or
285 * WriteProcessMemory to get at the %VM process if we're not careful.)
286 *
287 * #supR3HardenedEarlyProcessInit will continue with opening the log file
288 * (requires command line parsing). It will continue to initialize a bunch of
289 * global variables, system calls and trustworthy/harmless NTDLL imports.
290 * #supR3HardenedWinInit is then called to setup image verification, that is:
291 * - Hook the NtCreateSection entry point in NTDLL so we can check all
292 * executable mappings before they're created and can be mapped. The
293 * NtCreateSection code jumps to #supR3HardenedMonitor_NtCreateSection.
294 * - Hook (ditto) the LdrLoadDll entry point in NTDLL so we can
295 * pre-validate all images that gets loaded the normal way (partly
296 * because the NtCreateSection context is restrictive because the NTDLL
297 * loader lock is usually held, which prevents us from safely calling
298 * WinVerityTrust). The LdrLoadDll code jumps to
299 * #supR3HardenedMonitor_LdrLoadDll.
300 *
301 * The image/DLL verification hooks are at this point able to verify DLLs
302 * containing embedded code signing signatures, and will restrict the locations
303 * from which DLLs will be loaded. When #SUPR3HardenedMain gets going later on,
304 * they will start insisting on everything having valid signatures, either
305 * embedded or in a signed installer catalog file.
306 *
307 * The function also irrevocably disables debug notifications related to the
308 * current thread, just to make attaching a debugging that much more difficult
309 * and less useful.
310 *
311 * Now, the second stub process will open the so called stub device
312 * (\\Device\\VBoxDrvStub), that is a special support driver device node that
313 * tells the support driver to:
314 * - Protect the process against the OpenProcess and OpenThread attack
315 * vectors by stripping risky access rights.
316 * - Check that the process isn't being debugged.
317 * - Check that the process contains exactly one thread.
318 * - Check that the process doesn't have any unknown DLLs loaded into it.
319 * - Check that the process doesn't have any executable memory (other than
320 * DLL sections) in it.
321 * - Check that the process executable is a known VBox executable which may
322 * access the support driver.
323 * - Check that the process executable is signed with the same code signing
324 * certificate as the driver and that the on disk image is valid
325 * according to its embedded signature.
326 * - Check all the signature of all DLLs in the process (NTDLL) if they are
327 * signed, and only accept unsigned ones in versions where they are known
328 * not to be signed.
329 * - Check that the code and readonly parts of the executable and DLLs
330 * mapped into the process matches the on disk content (no patches other
331 * than our own two in NTDLL are allowed).
332 *
333 * Once granted access to the stub device, #supR3HardenedEarlyProcessInit will
334 * restore the LdrInitializeThunk code and let the process perform normal
335 * initialization. Leading us to #SUPR3HardenedMain where we detect that this
336 * is the 2nd stub process and does another respawn.
337 *
338 *
339 * @subsection sec_hardening_win_3rd_stub The Final Stub / VM Process
340 *
341 * The third stub process is what becomes the %VM process. Because the parent
342 * has opened \\Device\\VBoxDrvSub, it is protected from malicious OpenProcess &
343 * OpenThread calls from the moment of inception, practically speaking.
344 *
345 * It goes thru the same suspended creation, patching, purification and such as
346 * its parent (the second stub process). However, instead of opening
347 * \\Device\\VBoxDrvStub from #supR3HardenedEarlyProcessInit, it opens the
348 * support driver for full unrestricted access, i.e. \\Device\\VBoxDrv.
349 *
350 * The support driver will perform the same checks as it did when
351 * \\Device\\VBoxDrvStub was opened, but in addition it will:
352 * - Check that the process is the first child of a process that opened
353 * \\Device\\VBoxDrvStub.
354 * - Check that the parent process is still alive.
355 * - Scan all open handles in the system for potentially harmful ones to
356 * the process or the primary thread.
357 *
358 * Knowing that the process is genuinly signed with the same certificate as the
359 * kernel driver, and the exectuable code in the process is either shipped by us
360 * or Microsoft, the support driver will trust it with full access and to keep
361 * the handle secure.
362 *
363 * We also trust the protection the support driver gives the process to keep out
364 * malicious ring-3 code, and therefore any code, patching or other mysterious
365 * stuff that enteres the process must be from kernel mode and that we can trust
366 * it (the alternative interpretation is that the kernel has been breanched
367 * already, which isn't our responsibility). This means that, the anti-software
368 * products can do whatever they like from this point on. However, should they
369 * do unrevertable changes to the process before this point, VirtualBox won't
370 * work.
371 *
372 * As in the second stub process, we'll now do normal process initialization and
373 * #SUPR3HardenedMain will take control. It will detect that it is being called
374 * by the 3rd stub process because of a different magic string starting the
375 * command line, and not respawn itself any more. #SUPR3HardenedMain will
376 * recheck the VirtualBox installation, keeping all known files open just like
377 * in two previous stub processes.
378 *
379 * It will then load the Windows cryptographic API and load the trusted root
380 * certificates from the Windows store. The API enables using installation
381 * catalog files for signature checking as well as providing a second
382 * verification in addition to our own implementation (IPRT). The certificates
383 * allows our signature validation implementation to validate all embedded
384 * signatures, not just the microsoft ones and the one signed by our own
385 * certificate.
386 *
387 */
388
389
390/*********************************************************************************************************************************
391* Header Files *
392*********************************************************************************************************************************/
393#if defined(RT_OS_OS2)
394# define INCL_BASE
395# define INCL_ERRORS
396# include <os2.h>
397# include <stdio.h>
398# include <stdlib.h>
399# include <dlfcn.h>
400# include <unistd.h>
401
402#elif RT_OS_WINDOWS
403# include <iprt/nt/nt-and-windows.h>
404
405#else /* UNIXes */
406# ifdef RT_OS_DARWIN
407# define _POSIX_C_SOURCE 1 /* pick the correct prototype for unsetenv. */
408# endif
409# include <iprt/types.h> /* stdint fun on darwin. */
410
411# include <stdio.h>
412# include <stdlib.h>
413# include <dlfcn.h>
414# include <limits.h>
415# include <errno.h>
416# include <unistd.h>
417# include <sys/stat.h>
418# include <sys/time.h>
419# include <sys/types.h>
420# if defined(RT_OS_LINUX)
421# undef USE_LIB_PCAP /* don't depend on libcap as we had to depend on either
422 libcap1 or libcap2 */
423
424# undef _POSIX_SOURCE
425# include <linux/types.h> /* sys/capabilities from uek-headers require this */
426# include <sys/capability.h>
427# include <sys/prctl.h>
428# ifndef CAP_TO_MASK
429# define CAP_TO_MASK(cap) RT_BIT(cap)
430# endif
431# elif defined(RT_OS_FREEBSD)
432# include <sys/param.h>
433# include <sys/sysctl.h>
434# elif defined(RT_OS_SOLARIS)
435# include <priv.h>
436# endif
437# include <pwd.h>
438# ifdef RT_OS_DARWIN
439# include <mach-o/dyld.h>
440# endif
441
442#endif
443
444#include <VBox/sup.h>
445#include <VBox/err.h>
446#ifdef RT_OS_WINDOWS
447# include <VBox/version.h>
448# include <iprt/utf16.h>
449#endif
450#include <iprt/ctype.h>
451#include <iprt/string.h>
452#include <iprt/initterm.h>
453#include <iprt/param.h>
454#include <iprt/path.h>
455
456#include "SUPLibInternal.h"
457
458
459/*********************************************************************************************************************************
460* Defined Constants And Macros *
461*********************************************************************************************************************************/
462/* This mess is temporary after eliminating a define duplicated in SUPLibInternal.h. */
463#if !defined(RT_OS_OS2) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_L4)
464# ifndef SUP_HARDENED_SUID
465# error "SUP_HARDENED_SUID is NOT defined?!?"
466# endif
467#else
468# ifdef SUP_HARDENED_SUID
469# error "SUP_HARDENED_SUID is defined?!?"
470# endif
471#endif
472
473/** @def SUP_HARDENED_SYM
474 * Decorate a symbol that's resolved dynamically.
475 */
476#ifdef RT_OS_OS2
477# define SUP_HARDENED_SYM(sym) "_" sym
478#else
479# define SUP_HARDENED_SYM(sym) sym
480#endif
481
482
483/*********************************************************************************************************************************
484* Structures and Typedefs *
485*********************************************************************************************************************************/
486/** @see RTR3InitEx */
487typedef DECLCALLBACKTYPE(int, FNRTR3INITEX,(uint32_t iVersion, uint32_t fFlags, int cArgs,
488 char **papszArgs, const char *pszProgramPath));
489typedef FNRTR3INITEX *PFNRTR3INITEX;
490
491/** @see RTLogRelPrintf */
492typedef DECLCALLBACKTYPE(void, FNRTLOGRELPRINTF,(const char *pszFormat, ...));
493typedef FNRTLOGRELPRINTF *PFNRTLOGRELPRINTF;
494
495
496/**
497 * Descriptor of an environment variable to purge.
498 */
499typedef struct SUPENVPURGEDESC
500{
501 /** Name of the environment variable to purge. */
502 const char *pszEnv;
503 /** The length of the variable name. */
504 uint8_t cchEnv;
505 /** Flag whether a failure in purging the variable leads to
506 * a fatal error resulting in an process exit. */
507 bool fPurgeErrFatal;
508} SUPENVPURGEDESC;
509/** Pointer to a environment variable purge descriptor. */
510typedef SUPENVPURGEDESC *PSUPENVPURGEDESC;
511/** Pointer to a const environment variable purge descriptor. */
512typedef const SUPENVPURGEDESC *PCSUPENVPURGEDESC;
513
514/**
515 * Descriptor of an command line argument to purge.
516 */
517typedef struct SUPARGPURGEDESC
518{
519 /** Name of the argument to purge. */
520 const char *pszArg;
521 /** The length of the argument name. */
522 uint8_t cchArg;
523 /** Flag whether the argument is followed by an extra argument
524 * which must be purged too */
525 bool fTakesValue;
526} SUPARGPURGEDESC;
527/** Pointer to a environment variable purge descriptor. */
528typedef SUPARGPURGEDESC *PSUPARGPURGEDESC;
529/** Pointer to a const environment variable purge descriptor. */
530typedef const SUPARGPURGEDESC *PCSUPARGPURGEDESC;
531
532
533/*********************************************************************************************************************************
534* Global Variables *
535*********************************************************************************************************************************/
536/** The pre-init data we pass on to SUPR3 (residing in VBoxRT). */
537static SUPPREINITDATA g_SupPreInitData;
538/** The program executable path. */
539#ifndef RT_OS_WINDOWS
540static
541#endif
542char g_szSupLibHardenedExePath[RTPATH_MAX];
543/** The application bin directory path. */
544static char g_szSupLibHardenedAppBinPath[RTPATH_MAX];
545/** The offset into g_szSupLibHardenedExePath of the executable name. */
546static size_t g_offSupLibHardenedExecName;
547/** The length of the executable name in g_szSupLibHardenedExePath. */
548static size_t g_cchSupLibHardenedExecName;
549
550/** The program name. */
551static const char *g_pszSupLibHardenedProgName;
552/** The flags passed to SUPR3HardenedMain. */
553static uint32_t g_fSupHardenedMain;
554
555#ifdef SUP_HARDENED_SUID
556/** The real UID at startup. */
557static uid_t g_uid;
558/** The real GID at startup. */
559static gid_t g_gid;
560# ifdef RT_OS_LINUX
561static uint32_t g_uCaps;
562static uint32_t g_uCapsVersion;
563# endif
564#endif
565
566/** The startup log file. */
567#ifdef RT_OS_WINDOWS
568static HANDLE g_hStartupLog = NULL;
569#else
570static int g_hStartupLog = -1;
571#endif
572/** The number of bytes we've written to the startup log. */
573static uint32_t volatile g_cbStartupLog = 0;
574
575/** The current SUPR3HardenedMain state / location. */
576SUPR3HARDENEDMAINSTATE g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED;
577AssertCompileSize(g_enmSupR3HardenedMainState, sizeof(uint32_t));
578
579#ifdef RT_OS_WINDOWS
580/** Pointer to VBoxRT's RTLogRelPrintf function so we can write errors to the
581 * release log at runtime. */
582static PFNRTLOGRELPRINTF g_pfnRTLogRelPrintf = NULL;
583/** Log volume name (for attempting volume flush). */
584static RTUTF16 g_wszStartupLogVol[16];
585#endif
586
587/** Environment variables to purge from the process because
588 * they are known to be harmful. */
589static const SUPENVPURGEDESC g_aSupEnvPurgeDescs[] =
590{
591 /* pszEnv fPurgeErrFatal */
592 /* Qt related environment variables: */
593 { RT_STR_TUPLE("QT_QPA_PLATFORM_PLUGIN_PATH"), true },
594 { RT_STR_TUPLE("QT_PLUGIN_PATH"), true },
595 /* ALSA related environment variables: */
596 { RT_STR_TUPLE("ALSA_MIXER_SIMPLE_MODULES"), true },
597 { RT_STR_TUPLE("LADSPA_PATH"), true },
598};
599
600/** Arguments to purge from the argument vector because
601 * they are known to be harmful. */
602static const SUPARGPURGEDESC g_aSupArgPurgeDescs[] =
603{
604 /* pszArg fTakesValue */
605 /* Qt related environment variables: */
606 { RT_STR_TUPLE("-platformpluginpath"), true },
607};
608
609
610/*********************************************************************************************************************************
611* Internal Functions *
612*********************************************************************************************************************************/
613#ifdef SUP_HARDENED_SUID
614static void supR3HardenedMainDropPrivileges(void);
615#endif
616static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName);
617
618
619/**
620 * Safely copy one or more strings into the given buffer.
621 *
622 * @returns VINF_SUCCESS or VERR_BUFFER_OVERFLOW.
623 * @param pszDst The destionation buffer.
624 * @param cbDst The size of the destination buffer.
625 * @param ... One or more zero terminated strings, ending with
626 * a NULL.
627 */
628static int suplibHardenedStrCopyEx(char *pszDst, size_t cbDst, ...)
629{
630 int rc = VINF_SUCCESS;
631
632 if (cbDst == 0)
633 return VERR_BUFFER_OVERFLOW;
634
635 va_list va;
636 va_start(va, cbDst);
637 for (;;)
638 {
639 const char *pszSrc = va_arg(va, const char *);
640 if (!pszSrc)
641 break;
642
643 size_t cchSrc = suplibHardenedStrLen(pszSrc);
644 if (cchSrc < cbDst)
645 {
646 suplibHardenedMemCopy(pszDst, pszSrc, cchSrc);
647 pszDst += cchSrc;
648 cbDst -= cchSrc;
649 }
650 else
651 {
652 rc = VERR_BUFFER_OVERFLOW;
653 if (cbDst > 1)
654 {
655 suplibHardenedMemCopy(pszDst, pszSrc, cbDst - 1);
656 pszDst += cbDst - 1;
657 cbDst = 1;
658 }
659 }
660 *pszDst = '\0';
661 }
662 va_end(va);
663
664 return rc;
665}
666
667
668/**
669 * Exit current process in the quickest possible fashion.
670 *
671 * @param rcExit The exit code.
672 */
673DECLHIDDEN(DECL_NO_RETURN(void)) suplibHardenedExit(RTEXITCODE rcExit)
674{
675 for (;;)
676 {
677#ifdef RT_OS_WINDOWS
678 if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
679 ExitProcess(rcExit);
680 if (RtlExitUserProcess != NULL)
681 RtlExitUserProcess(rcExit);
682 NtTerminateProcess(NtCurrentProcess(), rcExit);
683#else
684 _Exit(rcExit);
685#endif
686 }
687}
688
689
690/**
691 * Writes a substring to standard error.
692 *
693 * @param pch The start of the substring.
694 * @param cch The length of the substring.
695 */
696static void suplibHardenedPrintStrN(const char *pch, size_t cch)
697{
698#ifdef RT_OS_WINDOWS
699 HANDLE hStdOut = NtCurrentPeb()->ProcessParameters->StandardOutput;
700 if (hStdOut != NULL)
701 {
702 if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
703 {
704 DWORD cbWritten;
705 WriteFile(hStdOut, pch, (DWORD)cch, &cbWritten, NULL);
706 }
707 /* Windows 7 and earlier uses fake handles, with the last two bits set ((hStdOut & 3) == 3). */
708 else if (NtWriteFile != NULL && ((uintptr_t)hStdOut & 3) == 0)
709 {
710 IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
711 NtWriteFile(hStdOut, NULL /*Event*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/,
712 &Ios, (PVOID)pch, (ULONG)cch, NULL /*ByteOffset*/, NULL /*Key*/);
713 }
714 }
715#else
716 int res = write(2, pch, cch);
717 NOREF(res);
718#endif
719}
720
721
722/**
723 * Writes a string to standard error.
724 *
725 * @param psz The string.
726 */
727static void suplibHardenedPrintStr(const char *psz)
728{
729 suplibHardenedPrintStrN(psz, suplibHardenedStrLen(psz));
730}
731
732
733/**
734 * Writes a char to standard error.
735 *
736 * @param ch The character value to write.
737 */
738static void suplibHardenedPrintChr(char ch)
739{
740 suplibHardenedPrintStrN(&ch, 1);
741}
742
743#ifndef IPRT_NO_CRT
744
745/**
746 * Writes a decimal number to stdard error.
747 *
748 * @param uValue The value.
749 */
750static void suplibHardenedPrintDecimal(uint64_t uValue)
751{
752 char szBuf[64];
753 char *pszEnd = &szBuf[sizeof(szBuf) - 1];
754 char *psz = pszEnd;
755
756 *psz-- = '\0';
757
758 do
759 {
760 *psz-- = '0' + (uValue % 10);
761 uValue /= 10;
762 } while (uValue > 0);
763
764 psz++;
765 suplibHardenedPrintStrN(psz, pszEnd - psz);
766}
767
768
769/**
770 * Writes a hexadecimal or octal number to standard error.
771 *
772 * @param uValue The value.
773 * @param uBase The base (16 or 8).
774 * @param fFlags Format flags.
775 */
776static void suplibHardenedPrintHexOctal(uint64_t uValue, unsigned uBase, uint32_t fFlags)
777{
778 static char const s_achDigitsLower[17] = "0123456789abcdef";
779 static char const s_achDigitsUpper[17] = "0123456789ABCDEF";
780 const char *pchDigits = !(fFlags & RTSTR_F_CAPITAL) ? s_achDigitsLower : s_achDigitsUpper;
781 unsigned cShift = uBase == 16 ? 4 : 3;
782 unsigned fDigitMask = uBase == 16 ? 0xf : 7;
783 char szBuf[64];
784 char *pszEnd = &szBuf[sizeof(szBuf) - 1];
785 char *psz = pszEnd;
786
787 *psz-- = '\0';
788
789 do
790 {
791 *psz-- = pchDigits[uValue & fDigitMask];
792 uValue >>= cShift;
793 } while (uValue > 0);
794
795 if ((fFlags & RTSTR_F_SPECIAL) && uBase == 16)
796 {
797 *psz-- = !(fFlags & RTSTR_F_CAPITAL) ? 'x' : 'X';
798 *psz-- = '0';
799 }
800
801 psz++;
802 suplibHardenedPrintStrN(psz, pszEnd - psz);
803}
804
805
806/**
807 * Writes a wide character string to standard error.
808 *
809 * @param pwsz The string.
810 */
811static void suplibHardenedPrintWideStr(PCRTUTF16 pwsz)
812{
813 for (;;)
814 {
815 RTUTF16 wc = *pwsz++;
816 if (!wc)
817 return;
818 if ( (wc < 0x7f && wc >= 0x20)
819 || wc == '\n'
820 || wc == '\r')
821 suplibHardenedPrintChr((char)wc);
822 else
823 {
824 suplibHardenedPrintStrN(RT_STR_TUPLE("\\x"));
825 suplibHardenedPrintHexOctal(wc, 16, 0);
826 }
827 }
828}
829
830#else /* IPRT_NO_CRT */
831
832/** Buffer structure used by suplibHardenedOutput. */
833struct SUPLIBHARDENEDOUTPUTBUF
834{
835 size_t off;
836 char szBuf[2048];
837};
838
839/** Callback for RTStrFormatV, see FNRTSTROUTPUT. */
840static DECLCALLBACK(size_t) suplibHardenedOutput(void *pvArg, const char *pachChars, size_t cbChars)
841{
842 SUPLIBHARDENEDOUTPUTBUF *pBuf = (SUPLIBHARDENEDOUTPUTBUF *)pvArg;
843 size_t cbTodo = cbChars;
844 for (;;)
845 {
846 size_t cbSpace = sizeof(pBuf->szBuf) - pBuf->off - 1;
847
848 /* Flush the buffer? */
849 if ( cbSpace == 0
850 || (cbTodo == 0 && pBuf->off))
851 {
852 suplibHardenedPrintStrN(pBuf->szBuf, pBuf->off);
853# ifdef RT_OS_WINDOWS
854 if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
855 OutputDebugString(pBuf->szBuf);
856# endif
857 pBuf->off = 0;
858 cbSpace = sizeof(pBuf->szBuf) - 1;
859 }
860
861 /* Copy the string into the buffer. */
862 if (cbTodo == 1)
863 {
864 pBuf->szBuf[pBuf->off++] = *pachChars;
865 break;
866 }
867 if (cbSpace >= cbTodo)
868 {
869 memcpy(&pBuf->szBuf[pBuf->off], pachChars, cbTodo);
870 pBuf->off += cbTodo;
871 break;
872 }
873 memcpy(&pBuf->szBuf[pBuf->off], pachChars, cbSpace);
874 pBuf->off += cbSpace;
875 cbTodo -= cbSpace;
876 }
877 pBuf->szBuf[pBuf->off] = '\0';
878
879 return cbChars;
880}
881
882#endif /* IPRT_NO_CRT */
883
884/**
885 * Simple printf to standard error.
886 *
887 * @param pszFormat The format string.
888 * @param va Arguments to format.
889 */
890DECLHIDDEN(void) suplibHardenedPrintFV(const char *pszFormat, va_list va)
891{
892#ifdef IPRT_NO_CRT
893 /*
894 * Use buffered output here to avoid character mixing on the windows
895 * console and to enable us to use OutputDebugString.
896 */
897 SUPLIBHARDENEDOUTPUTBUF Buf;
898 Buf.off = 0;
899 Buf.szBuf[0] = '\0';
900 RTStrFormatV(suplibHardenedOutput, &Buf, NULL, NULL, pszFormat, va);
901
902#else /* !IPRT_NO_CRT */
903 /*
904 * Format loop.
905 */
906 char ch;
907 const char *pszLast = pszFormat;
908 for (;;)
909 {
910 ch = *pszFormat;
911 if (!ch)
912 break;
913 pszFormat++;
914
915 if (ch == '%')
916 {
917 /*
918 * Format argument.
919 */
920
921 /* Flush unwritten bits. */
922 if (pszLast != pszFormat - 1)
923 suplibHardenedPrintStrN(pszLast, pszFormat - pszLast - 1);
924 pszLast = pszFormat;
925 ch = *pszFormat++;
926
927 /* flags. */
928 uint32_t fFlags = 0;
929 for (;;)
930 {
931 if (ch == '#') fFlags |= RTSTR_F_SPECIAL;
932 else if (ch == '-') fFlags |= RTSTR_F_LEFT;
933 else if (ch == '+') fFlags |= RTSTR_F_PLUS;
934 else if (ch == ' ') fFlags |= RTSTR_F_BLANK;
935 else if (ch == '0') fFlags |= RTSTR_F_ZEROPAD;
936 else if (ch == '\'') fFlags |= RTSTR_F_THOUSAND_SEP;
937 else break;
938 ch = *pszFormat++;
939 }
940
941 /* Width and precision - ignored. */
942 while (RT_C_IS_DIGIT(ch))
943 ch = *pszFormat++;
944 if (ch == '*')
945 va_arg(va, int);
946 if (ch == '.')
947 {
948 do ch = *pszFormat++;
949 while (RT_C_IS_DIGIT(ch));
950 if (ch == '*')
951 va_arg(va, int);
952 }
953
954 /* Size. */
955 char chArgSize = 0;
956 switch (ch)
957 {
958 case 'z':
959 case 'L':
960 case 'j':
961 case 't':
962 chArgSize = ch;
963 ch = *pszFormat++;
964 break;
965
966 case 'l':
967 chArgSize = ch;
968 ch = *pszFormat++;
969 if (ch == 'l')
970 {
971 chArgSize = 'L';
972 ch = *pszFormat++;
973 }
974 break;
975
976 case 'h':
977 chArgSize = ch;
978 ch = *pszFormat++;
979 if (ch == 'h')
980 {
981 chArgSize = 'H';
982 ch = *pszFormat++;
983 }
984 break;
985 }
986
987 /*
988 * Do type specific formatting.
989 */
990 switch (ch)
991 {
992 case 'c':
993 ch = (char)va_arg(va, int);
994 suplibHardenedPrintChr(ch);
995 break;
996
997 case 's':
998 if (chArgSize == 'l')
999 {
1000 PCRTUTF16 pwszStr = va_arg(va, PCRTUTF16 );
1001 if (RT_VALID_PTR(pwszStr))
1002 suplibHardenedPrintWideStr(pwszStr);
1003 else
1004 suplibHardenedPrintStr("<NULL>");
1005 }
1006 else
1007 {
1008 const char *pszStr = va_arg(va, const char *);
1009 if (!RT_VALID_PTR(pszStr))
1010 pszStr = "<NULL>";
1011 suplibHardenedPrintStr(pszStr);
1012 }
1013 break;
1014
1015 case 'd':
1016 case 'i':
1017 {
1018 int64_t iValue;
1019 if (chArgSize == 'L' || chArgSize == 'j')
1020 iValue = va_arg(va, int64_t);
1021 else if (chArgSize == 'l')
1022 iValue = va_arg(va, signed long);
1023 else if (chArgSize == 'z' || chArgSize == 't')
1024 iValue = va_arg(va, intptr_t);
1025 else
1026 iValue = va_arg(va, signed int);
1027 if (iValue < 0)
1028 {
1029 suplibHardenedPrintChr('-');
1030 iValue = -iValue;
1031 }
1032 suplibHardenedPrintDecimal(iValue);
1033 break;
1034 }
1035
1036 case 'p':
1037 case 'x':
1038 case 'X':
1039 case 'u':
1040 case 'o':
1041 {
1042 unsigned uBase = 10;
1043 uint64_t uValue;
1044
1045 switch (ch)
1046 {
1047 case 'p':
1048 fFlags |= RTSTR_F_ZEROPAD; /* Note not standard behaviour (but I like it this way!) */
1049 uBase = 16;
1050 break;
1051 case 'X':
1052 fFlags |= RTSTR_F_CAPITAL;
1053 RT_FALL_THRU();
1054 case 'x':
1055 uBase = 16;
1056 break;
1057 case 'u':
1058 uBase = 10;
1059 break;
1060 case 'o':
1061 uBase = 8;
1062 break;
1063 }
1064
1065 if (ch == 'p' || chArgSize == 'z' || chArgSize == 't')
1066 uValue = va_arg(va, uintptr_t);
1067 else if (chArgSize == 'L' || chArgSize == 'j')
1068 uValue = va_arg(va, uint64_t);
1069 else if (chArgSize == 'l')
1070 uValue = va_arg(va, unsigned long);
1071 else
1072 uValue = va_arg(va, unsigned int);
1073
1074 if (uBase == 10)
1075 suplibHardenedPrintDecimal(uValue);
1076 else
1077 suplibHardenedPrintHexOctal(uValue, uBase, fFlags);
1078 break;
1079 }
1080
1081 case 'R':
1082 if (pszFormat[0] == 'r' && pszFormat[1] == 'c')
1083 {
1084 int iValue = va_arg(va, int);
1085 if (iValue < 0)
1086 {
1087 suplibHardenedPrintChr('-');
1088 iValue = -iValue;
1089 }
1090 suplibHardenedPrintDecimal(iValue);
1091 pszFormat += 2;
1092 break;
1093 }
1094 RT_FALL_THRU();
1095
1096 /*
1097 * Custom format.
1098 */
1099 default:
1100 suplibHardenedPrintStr("[bad format: ");
1101 suplibHardenedPrintStrN(pszLast, pszFormat - pszLast);
1102 suplibHardenedPrintChr(']');
1103 break;
1104 }
1105
1106 /* continue */
1107 pszLast = pszFormat;
1108 }
1109 }
1110
1111 /* Flush the last bits of the string. */
1112 if (pszLast != pszFormat)
1113 suplibHardenedPrintStrN(pszLast, pszFormat - pszLast);
1114#endif /* !IPRT_NO_CRT */
1115}
1116
1117
1118/**
1119 * Prints to standard error.
1120 *
1121 * @param pszFormat The format string.
1122 * @param ... Arguments to format.
1123 */
1124DECLHIDDEN(void) suplibHardenedPrintF(const char *pszFormat, ...)
1125{
1126 va_list va;
1127 va_start(va, pszFormat);
1128 suplibHardenedPrintFV(pszFormat, va);
1129 va_end(va);
1130}
1131
1132
1133/**
1134 * @copydoc RTPathStripFilename
1135 */
1136static void suplibHardenedPathStripFilename(char *pszPath)
1137{
1138 char *psz = pszPath;
1139 char *pszLastSep = pszPath;
1140
1141 for (;; psz++)
1142 {
1143 switch (*psz)
1144 {
1145 /* handle separators. */
1146#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
1147 case ':':
1148 pszLastSep = psz + 1;
1149 break;
1150
1151 case '\\':
1152#endif
1153 case '/':
1154 pszLastSep = psz;
1155 break;
1156
1157 /* the end */
1158 case '\0':
1159 if (pszLastSep == pszPath)
1160 *pszLastSep++ = '.';
1161 *pszLastSep = '\0';
1162 return;
1163 }
1164 }
1165 /* will never get here */
1166}
1167
1168
1169/**
1170 * @copydoc RTPathFilename
1171 */
1172DECLHIDDEN(char *) supR3HardenedPathFilename(const char *pszPath)
1173{
1174 const char *psz = pszPath;
1175 const char *pszLastComp = pszPath;
1176
1177 for (;; psz++)
1178 {
1179 switch (*psz)
1180 {
1181 /* handle separators. */
1182#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
1183 case ':':
1184 pszLastComp = psz + 1;
1185 break;
1186
1187 case '\\':
1188#endif
1189 case '/':
1190 pszLastComp = psz + 1;
1191 break;
1192
1193 /* the end */
1194 case '\0':
1195 if (*pszLastComp)
1196 return (char *)(void *)pszLastComp;
1197 return NULL;
1198 }
1199 }
1200
1201 /* will never get here */
1202}
1203
1204
1205/**
1206 * @copydoc RTPathAppPrivateNoArch
1207 */
1208DECLHIDDEN(int) supR3HardenedPathAppPrivateNoArch(char *pszPath, size_t cchPath)
1209{
1210#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE)
1211 const char *pszSrcPath = RTPATH_APP_PRIVATE;
1212 size_t cchPathPrivateNoArch = suplibHardenedStrLen(pszSrcPath);
1213 if (cchPathPrivateNoArch >= cchPath)
1214 supR3HardenedFatal("supR3HardenedPathAppPrivateNoArch: Buffer overflow, %zu >= %zu\n", cchPathPrivateNoArch, cchPath);
1215 suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathPrivateNoArch + 1);
1216 return VINF_SUCCESS;
1217
1218#else
1219 return supR3HardenedPathAppBin(pszPath, cchPath);
1220#endif
1221}
1222
1223
1224/**
1225 * @copydoc RTPathAppPrivateArch
1226 */
1227DECLHIDDEN(int) supR3HardenedPathAppPrivateArch(char *pszPath, size_t cchPath)
1228{
1229#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE_ARCH)
1230 const char *pszSrcPath = RTPATH_APP_PRIVATE_ARCH;
1231 size_t cchPathPrivateArch = suplibHardenedStrLen(pszSrcPath);
1232 if (cchPathPrivateArch >= cchPath)
1233 supR3HardenedFatal("supR3HardenedPathAppPrivateArch: Buffer overflow, %zu >= %zu\n", cchPathPrivateArch, cchPath);
1234 suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathPrivateArch + 1);
1235 return VINF_SUCCESS;
1236
1237#else
1238 return supR3HardenedPathAppBin(pszPath, cchPath);
1239#endif
1240}
1241
1242
1243/**
1244 * @copydoc RTPathSharedLibs
1245 */
1246DECLHIDDEN(int) supR3HardenedPathAppSharedLibs(char *pszPath, size_t cchPath)
1247{
1248#if !defined(RT_OS_WINDOWS) && defined(RTPATH_SHARED_LIBS)
1249 const char *pszSrcPath = RTPATH_SHARED_LIBS;
1250 size_t cchPathSharedLibs = suplibHardenedStrLen(pszSrcPath);
1251 if (cchPathSharedLibs >= cchPath)
1252 supR3HardenedFatal("supR3HardenedPathAppSharedLibs: Buffer overflow, %zu >= %zu\n", cchPathSharedLibs, cchPath);
1253 suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathSharedLibs + 1);
1254 return VINF_SUCCESS;
1255
1256#else
1257 return supR3HardenedPathAppBin(pszPath, cchPath);
1258#endif
1259}
1260
1261
1262/**
1263 * @copydoc RTPathAppDocs
1264 */
1265DECLHIDDEN(int) supR3HardenedPathAppDocs(char *pszPath, size_t cchPath)
1266{
1267#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_DOCS)
1268 const char *pszSrcPath = RTPATH_APP_DOCS;
1269 size_t cchPathAppDocs = suplibHardenedStrLen(pszSrcPath);
1270 if (cchPathAppDocs >= cchPath)
1271 supR3HardenedFatal("supR3HardenedPathAppDocs: Buffer overflow, %zu >= %zu\n", cchPathAppDocs, cchPath);
1272 suplibHardenedMemCopy(pszPath, pszSrcPath, cchPathAppDocs + 1);
1273 return VINF_SUCCESS;
1274
1275#else
1276 return supR3HardenedPathAppBin(pszPath, cchPath);
1277#endif
1278}
1279
1280
1281/**
1282 * Returns the full path to the executable in g_szSupLibHardenedExePath.
1283 *
1284 * @returns IPRT status code.
1285 */
1286static void supR3HardenedGetFullExePath(void)
1287{
1288 /*
1289 * Get the program filename.
1290 *
1291 * Most UNIXes have no API for obtaining the executable path, but provides a symbolic
1292 * link in the proc file system that tells who was exec'ed. The bad thing about this
1293 * is that we have to use readlink, one of the weirder UNIX APIs.
1294 *
1295 * Darwin, OS/2 and Windows all have proper APIs for getting the program file name.
1296 */
1297#if defined(RT_OS_LINUX) || defined(RT_OS_FREEBSD) || defined(RT_OS_SOLARIS)
1298# ifdef RT_OS_LINUX
1299 int cchLink = readlink("/proc/self/exe", &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
1300
1301# elif defined(RT_OS_SOLARIS)
1302 char szFileBuf[PATH_MAX + 1];
1303 sprintf(szFileBuf, "/proc/%ld/path/a.out", (long)getpid());
1304 int cchLink = readlink(szFileBuf, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
1305
1306# else /* RT_OS_FREEBSD */
1307 int aiName[4];
1308 aiName[0] = CTL_KERN;
1309 aiName[1] = KERN_PROC;
1310 aiName[2] = KERN_PROC_PATHNAME;
1311 aiName[3] = getpid();
1312
1313 size_t cbPath = sizeof(g_szSupLibHardenedExePath);
1314 if (sysctl(aiName, RT_ELEMENTS(aiName), g_szSupLibHardenedExePath, &cbPath, NULL, 0) < 0)
1315 supR3HardenedFatal("supR3HardenedExecDir: sysctl failed\n");
1316 g_szSupLibHardenedExePath[sizeof(g_szSupLibHardenedExePath) - 1] = '\0';
1317 int cchLink = suplibHardenedStrLen(g_szSupLibHardenedExePath); /* paranoid? can't we use cbPath? */
1318
1319# endif
1320 if (cchLink < 0 || cchLink == sizeof(g_szSupLibHardenedExePath) - 1)
1321 supR3HardenedFatal("supR3HardenedExecDir: couldn't read \"%s\", errno=%d cchLink=%d\n",
1322 g_szSupLibHardenedExePath, errno, cchLink);
1323 g_szSupLibHardenedExePath[cchLink] = '\0';
1324
1325#elif defined(RT_OS_OS2) || defined(RT_OS_L4)
1326 _execname(g_szSupLibHardenedExePath, sizeof(g_szSupLibHardenedExePath));
1327
1328#elif defined(RT_OS_DARWIN)
1329 const char *pszImageName = _dyld_get_image_name(0);
1330 if (!pszImageName)
1331 supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed\n");
1332 size_t cchImageName = suplibHardenedStrLen(pszImageName);
1333 if (!cchImageName || cchImageName >= sizeof(g_szSupLibHardenedExePath))
1334 supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed, cchImageName=%d\n", cchImageName);
1335 suplibHardenedMemCopy(g_szSupLibHardenedExePath, pszImageName, cchImageName + 1);
1336 /** @todo abspath the string or this won't work:
1337 * cd /Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/ && ./VirtualBoxVM --startvm name */
1338
1339#elif defined(RT_OS_WINDOWS)
1340 char *pszDst = g_szSupLibHardenedExePath;
1341 int rc = RTUtf16ToUtf8Ex(g_wszSupLibHardenedExePath, RTSTR_MAX, &pszDst, sizeof(g_szSupLibHardenedExePath), NULL);
1342 if (RT_FAILURE(rc))
1343 supR3HardenedFatal("supR3HardenedExecDir: RTUtf16ToUtf8Ex failed, rc=%Rrc\n", rc);
1344#else
1345# error needs porting.
1346#endif
1347
1348 /*
1349 * Determine the application binary directory location.
1350 */
1351 suplibHardenedStrCopy(g_szSupLibHardenedAppBinPath, g_szSupLibHardenedExePath);
1352 suplibHardenedPathStripFilename(g_szSupLibHardenedAppBinPath);
1353
1354 g_offSupLibHardenedExecName = suplibHardenedStrLen(g_szSupLibHardenedAppBinPath);
1355 while (RTPATH_IS_SEP(g_szSupLibHardenedExePath[g_offSupLibHardenedExecName]))
1356 g_offSupLibHardenedExecName++;
1357 g_cchSupLibHardenedExecName = suplibHardenedStrLen(&g_szSupLibHardenedExePath[g_offSupLibHardenedExecName]);
1358
1359 if (g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_HARDENED_MAIN_CALLED)
1360 supR3HardenedFatal("supR3HardenedExecDir: Called before SUPR3HardenedMain! (%d)\n", g_enmSupR3HardenedMainState);
1361 switch (g_fSupHardenedMain & SUPSECMAIN_FLAGS_LOC_MASK)
1362 {
1363 case SUPSECMAIN_FLAGS_LOC_APP_BIN:
1364 break;
1365 case SUPSECMAIN_FLAGS_LOC_TESTCASE:
1366 suplibHardenedPathStripFilename(g_szSupLibHardenedAppBinPath);
1367 break;
1368#ifdef RT_OS_DARWIN
1369 case SUPSECMAIN_FLAGS_LOC_OSX_HLP_APP:
1370 {
1371 /* We must ascend to the parent bundle's Contents directory then decend into its MacOS: */
1372 static const RTSTRTUPLE s_aComponentsToSkip[] =
1373 { { RT_STR_TUPLE("MacOS") }, { RT_STR_TUPLE("Contents") }, { NULL /*some.app*/, 0 }, { RT_STR_TUPLE("Resources") } };
1374 size_t cchPath = suplibHardenedStrLen(g_szSupLibHardenedAppBinPath);
1375 for (uintptr_t i = 0; i < RT_ELEMENTS(s_aComponentsToSkip); i++)
1376 {
1377 while (cchPath > 1 && g_szSupLibHardenedAppBinPath[cchPath - 1] == '/')
1378 cchPath--;
1379 size_t const cchMatch = s_aComponentsToSkip[i].cch;
1380 if (cchMatch > 0)
1381 {
1382 if ( cchPath >= cchMatch + sizeof("VirtualBox.app/Contents")
1383 && g_szSupLibHardenedAppBinPath[cchPath - cchMatch - 1] == '/'
1384 && suplibHardenedMemComp(&g_szSupLibHardenedAppBinPath[cchPath - cchMatch],
1385 s_aComponentsToSkip[i].psz, cchMatch) == 0)
1386 cchPath -= cchMatch;
1387 else
1388 supR3HardenedFatal("supR3HardenedExecDir: Bad helper app path (tail component #%u '%s'): %s\n",
1389 i, s_aComponentsToSkip[i].psz, g_szSupLibHardenedAppBinPath);
1390 }
1391 else if ( cchPath > g_cchSupLibHardenedExecName + sizeof("VirtualBox.app/Contents/Resources/.app")
1392 && suplibHardenedMemComp(&g_szSupLibHardenedAppBinPath[cchPath - 4], ".app", 4) == 0
1393 && suplibHardenedMemComp(&g_szSupLibHardenedAppBinPath[cchPath - 4 - g_cchSupLibHardenedExecName],
1394 &g_szSupLibHardenedExePath[g_offSupLibHardenedExecName],
1395 g_cchSupLibHardenedExecName) == 0)
1396 cchPath -= g_cchSupLibHardenedExecName + 4;
1397 else
1398 supR3HardenedFatal("supR3HardenedExecDir: Bad helper app path (tail component #%u '%s.app'): %s\n",
1399 i, &g_szSupLibHardenedExePath[g_offSupLibHardenedExecName], g_szSupLibHardenedAppBinPath);
1400 }
1401 suplibHardenedMemCopy(&g_szSupLibHardenedAppBinPath[cchPath], "MacOS", sizeof("MacOS"));
1402 break;
1403 }
1404#endif /* RT_OS_DARWIN */
1405 default:
1406 supR3HardenedFatal("supR3HardenedExecDir: Unknown program binary location: %#x\n", g_fSupHardenedMain);
1407 }
1408}
1409
1410
1411#ifdef RT_OS_LINUX
1412/**
1413 * Checks if we can read /proc/self/exe.
1414 *
1415 * This is used on linux to see if we have to call init
1416 * with program path or not.
1417 *
1418 * @returns true / false.
1419 */
1420static bool supR3HardenedMainIsProcSelfExeAccssible(void)
1421{
1422 char szPath[RTPATH_MAX];
1423 int cchLink = readlink("/proc/self/exe", szPath, sizeof(szPath));
1424 return cchLink != -1;
1425}
1426#endif /* RT_OS_LINUX */
1427
1428
1429
1430/**
1431 * @remarks not quite like RTPathExecDir actually...
1432 */
1433DECLHIDDEN(int) supR3HardenedPathAppBin(char *pszPath, size_t cchPath)
1434{
1435 /*
1436 * Lazy init (probably not required).
1437 */
1438 if (!g_szSupLibHardenedAppBinPath[0])
1439 supR3HardenedGetFullExePath();
1440
1441 /*
1442 * Calc the length and check if there is space before copying.
1443 */
1444 size_t cch = suplibHardenedStrLen(g_szSupLibHardenedAppBinPath) + 1;
1445 if (cch <= cchPath)
1446 {
1447 suplibHardenedMemCopy(pszPath, g_szSupLibHardenedAppBinPath, cch + 1);
1448 return VINF_SUCCESS;
1449 }
1450
1451 supR3HardenedFatal("supR3HardenedPathAppBin: Buffer too small (%u < %u)\n", cchPath, cch);
1452 /* not reached */
1453}
1454
1455
1456#ifdef RT_OS_WINDOWS
1457extern "C" uint32_t g_uNtVerCombined;
1458#endif
1459
1460DECLHIDDEN(void) supR3HardenedOpenLog(int *pcArgs, char **papszArgs)
1461{
1462 static const char s_szLogOption[] = "--sup-hardening-log=";
1463
1464 /*
1465 * Scan the argument vector.
1466 */
1467 int cArgs = *pcArgs;
1468 for (int iArg = 1; iArg < cArgs; iArg++)
1469 if (strncmp(papszArgs[iArg], s_szLogOption, sizeof(s_szLogOption) - 1) == 0)
1470 {
1471#ifdef RT_OS_WINDOWS
1472 const char *pszLogFile = &papszArgs[iArg][sizeof(s_szLogOption) - 1];
1473#endif
1474
1475 /*
1476 * Drop the argument from the vector (has trailing NULL entry).
1477 */
1478// memmove(&papszArgs[iArg], &papszArgs[iArg + 1], (cArgs - iArg) * sizeof(papszArgs[0]));
1479 *pcArgs -= 1;
1480 cArgs -= 1;
1481
1482 /*
1483 * Open the log file, unless we've already opened one.
1484 * First argument takes precedence
1485 */
1486#ifdef RT_OS_WINDOWS
1487 if (g_hStartupLog == NULL)
1488 {
1489 int rc = RTNtPathOpen(pszLogFile,
1490 GENERIC_WRITE | SYNCHRONIZE,
1491 FILE_ATTRIBUTE_NORMAL,
1492 FILE_SHARE_READ | FILE_SHARE_WRITE,
1493 FILE_OPEN_IF,
1494 FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
1495 OBJ_CASE_INSENSITIVE,
1496 &g_hStartupLog,
1497 NULL);
1498 if (RT_SUCCESS(rc))
1499 {
1500// SUP_DPRINTF(("Log file opened: " VBOX_VERSION_STRING "r%u g_hStartupLog=%p g_uNtVerCombined=%#x\n",
1501// VBOX_SVN_REV, g_hStartupLog, g_uNtVerCombined));
1502
1503 /*
1504 * If the path contains a drive volume, save it so we can
1505 * use it to flush the volume containing the log file.
1506 */
1507 if (RT_C_IS_ALPHA(pszLogFile[0]) && pszLogFile[1] == ':')
1508 {
1509// RTUtf16CopyAscii(g_wszStartupLogVol, RT_ELEMENTS(g_wszStartupLogVol), "\\??\\");
1510 g_wszStartupLogVol[sizeof("\\??\\") - 1] = RT_C_TO_UPPER(pszLogFile[0]);
1511 g_wszStartupLogVol[sizeof("\\??\\") + 0] = ':';
1512 g_wszStartupLogVol[sizeof("\\??\\") + 1] = '\0';
1513 }
1514 }
1515 else
1516 g_hStartupLog = NULL;
1517 }
1518#else
1519 /* Just some mumbo jumbo to shut up the compiler. */
1520 g_hStartupLog -= 1;
1521 g_cbStartupLog += 1;
1522 //g_hStartupLog = open()
1523#endif
1524 }
1525}
1526
1527
1528DECLHIDDEN(void) supR3HardenedLogV(const char *pszFormat, va_list va)
1529{
1530#ifdef RT_OS_WINDOWS
1531 if ( g_hStartupLog != NULL
1532 && g_cbStartupLog < 16*_1M)
1533 {
1534 char szBuf[5120];
1535 PCLIENT_ID pSelfId = &((PTEB)NtCurrentTeb())->ClientId;
1536 size_t cchPrefix = RTStrPrintf(szBuf, sizeof(szBuf), "%x.%x: ", pSelfId->UniqueProcess, pSelfId->UniqueThread);
1537 size_t cch = RTStrPrintfV(&szBuf[cchPrefix], sizeof(szBuf) - cchPrefix, pszFormat, va) + cchPrefix;
1538
1539 if ((size_t)cch >= sizeof(szBuf))
1540 cch = sizeof(szBuf) - 1;
1541
1542 if (!cch || szBuf[cch - 1] != '\n')
1543 szBuf[cch++] = '\n';
1544
1545 ASMAtomicAddU32(&g_cbStartupLog, (uint32_t)cch);
1546
1547 IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1548 LARGE_INTEGER Offset;
1549 Offset.QuadPart = -1; /* Write to end of file. */
1550 NtWriteFile(g_hStartupLog, NULL /*Event*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/,
1551 &Ios, szBuf, (ULONG)cch, &Offset, NULL /*Key*/);
1552 }
1553#else
1554 RT_NOREF(pszFormat, va);
1555 /* later */
1556#endif
1557}
1558
1559
1560DECLHIDDEN(void) supR3HardenedLog(const char *pszFormat, ...)
1561{
1562 va_list va;
1563 va_start(va, pszFormat);
1564 supR3HardenedLogV(pszFormat, va);
1565 va_end(va);
1566}
1567
1568
1569DECLHIDDEN(void) supR3HardenedLogFlush(void)
1570{
1571#ifdef RT_OS_WINDOWS
1572 if ( g_hStartupLog != NULL
1573 && g_cbStartupLog < 16*_1M)
1574 {
1575 IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1576 NTSTATUS rcNt = NtFlushBuffersFile(g_hStartupLog, &Ios);
1577
1578 /*
1579 * Try flush the volume containing the log file too.
1580 */
1581 if (g_wszStartupLogVol[0])
1582 {
1583 HANDLE hLogVol = RTNT_INVALID_HANDLE_VALUE;
1584 UNICODE_STRING NtName;
1585 NtName.Buffer = g_wszStartupLogVol;
1586 NtName.Length = (USHORT)(RTUtf16Len(g_wszStartupLogVol) * sizeof(RTUTF16));
1587 NtName.MaximumLength = NtName.Length + 1;
1588 OBJECT_ATTRIBUTES ObjAttr;
1589 InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
1590 RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
1591 rcNt = NtCreateFile(&hLogVol,
1592 GENERIC_WRITE | GENERIC_READ | SYNCHRONIZE | FILE_READ_ATTRIBUTES,
1593 &ObjAttr,
1594 &Ios,
1595 NULL /* Allocation Size*/,
1596 0 /*FileAttributes*/,
1597 FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
1598 FILE_OPEN,
1599 FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
1600 NULL /*EaBuffer*/,
1601 0 /*EaLength*/);
1602 if (NT_SUCCESS(rcNt))
1603 rcNt = Ios.Status;
1604 if (NT_SUCCESS(rcNt))
1605 {
1606 RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
1607 rcNt = NtFlushBuffersFile(hLogVol, &Ios);
1608 NtClose(hLogVol);
1609 }
1610 else
1611 {
1612 /* This may have sideeffects similar to what we want... */
1613 hLogVol = RTNT_INVALID_HANDLE_VALUE;
1614 RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
1615 rcNt = NtCreateFile(&hLogVol,
1616 GENERIC_READ | SYNCHRONIZE | FILE_READ_ATTRIBUTES,
1617 &ObjAttr,
1618 &Ios,
1619 NULL /* Allocation Size*/,
1620 0 /*FileAttributes*/,
1621 FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
1622 FILE_OPEN,
1623 FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
1624 NULL /*EaBuffer*/,
1625 0 /*EaLength*/);
1626 if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
1627 NtClose(hLogVol);
1628 }
1629 }
1630 }
1631#else
1632 /* later */
1633#endif
1634}
1635
1636
1637/**
1638 * Prints the message prefix.
1639 */
1640static void suplibHardenedPrintPrefix(void)
1641{
1642 if (g_pszSupLibHardenedProgName)
1643 suplibHardenedPrintStr(g_pszSupLibHardenedProgName);
1644 suplibHardenedPrintStr(": ");
1645}
1646
1647
1648DECL_NO_RETURN(DECLHIDDEN(void)) supR3HardenedFatalMsgV(const char *pszWhere, SUPINITOP enmWhat, int rc,
1649 const char *pszMsgFmt, va_list va)
1650{
1651 /*
1652 * First to the log.
1653 */
1654 supR3HardenedLog("Error %d in %s! (enmWhat=%d)\n", rc, pszWhere, enmWhat);
1655 va_list vaCopy;
1656 va_copy(vaCopy, va);
1657 supR3HardenedLogV(pszMsgFmt, vaCopy);
1658 va_end(vaCopy);
1659
1660#ifdef RT_OS_WINDOWS
1661 /*
1662 * The release log.
1663 */
1664 if (g_pfnRTLogRelPrintf)
1665 {
1666 va_copy(vaCopy, va);
1667 g_pfnRTLogRelPrintf("supR3HardenedFatalMsgV: %s enmWhat=%d rc=%Rrc (%#x)\n", pszWhere, enmWhat, rc);
1668 g_pfnRTLogRelPrintf("supR3HardenedFatalMsgV: %N\n", pszMsgFmt, &vaCopy);
1669 va_end(vaCopy);
1670 }
1671#endif
1672
1673 /*
1674 * Then to the console.
1675 */
1676 suplibHardenedPrintPrefix();
1677 suplibHardenedPrintF("Error %d in %s!\n", rc, pszWhere);
1678
1679 suplibHardenedPrintPrefix();
1680 va_copy(vaCopy, va);
1681 suplibHardenedPrintFV(pszMsgFmt, vaCopy);
1682 va_end(vaCopy);
1683 suplibHardenedPrintChr('\n');
1684
1685 switch (enmWhat)
1686 {
1687 case kSupInitOp_Driver:
1688 suplibHardenedPrintChr('\n');
1689 suplibHardenedPrintPrefix();
1690 suplibHardenedPrintStr("Tip! Make sure the kernel module is loaded. It may also help to reinstall VirtualBox.\n");
1691 break;
1692
1693 case kSupInitOp_Misc:
1694 case kSupInitOp_IPRT:
1695 case kSupInitOp_Integrity:
1696 case kSupInitOp_RootCheck:
1697 suplibHardenedPrintChr('\n');
1698 suplibHardenedPrintPrefix();
1699 suplibHardenedPrintStr("Tip! It may help to reinstall VirtualBox.\n");
1700 break;
1701
1702 default:
1703 /* no hints here */
1704 break;
1705 }
1706
1707 /*
1708 * Finally, TrustedError if appropriate.
1709 */
1710 if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
1711 {
1712#ifdef SUP_HARDENED_SUID
1713 /* Drop any root privileges we might be holding, this won't return
1714 if it fails but end up calling supR3HardenedFatal[V]. */
1715 supR3HardenedMainDropPrivileges();
1716#endif
1717 /* Close the driver, if we succeeded opening it. Both because
1718 TrustedError may be untrustworthy and because the driver deosn't
1719 like us if we fork(). @bugref{8838} */
1720 suplibOsTerm(&g_SupPreInitData.Data);
1721
1722 /*
1723 * Now try resolve and call the TrustedError entry point if we can find it.
1724 * Note! Loader involved, so we must guard against loader hooks calling us.
1725 */
1726 static volatile bool s_fRecursive = false;
1727 if (!s_fRecursive)
1728 {
1729 s_fRecursive = true;
1730
1731 PFNSUPTRUSTEDERROR pfnTrustedError = supR3HardenedMainGetTrustedError(g_pszSupLibHardenedProgName);
1732 if (pfnTrustedError)
1733 {
1734 /* We'll fork before we make the call because that way the session management
1735 in main will see us exiting immediately (if it's involved with us) and possibly
1736 get an error back to the API / user. */
1737#if !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
1738 int pid = fork();
1739 if (pid <= 0)
1740#endif
1741 {
1742 pfnTrustedError(pszWhere, enmWhat, rc, pszMsgFmt, va);
1743 }
1744 }
1745
1746 s_fRecursive = false;
1747 }
1748 }
1749#if defined(RT_OS_WINDOWS)
1750 /*
1751 * Report the error to the parent if this happens during early VM init.
1752 */
1753 else if ( g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED
1754 && g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
1755 supR3HardenedWinReportErrorToParent(pszWhere, enmWhat, rc, pszMsgFmt, va);
1756#endif
1757
1758 /*
1759 * Quit
1760 */
1761 suplibHardenedExit(RTEXITCODE_FAILURE);
1762}
1763
1764
1765DECL_NO_RETURN(DECLHIDDEN(void)) supR3HardenedFatalMsg(const char *pszWhere, SUPINITOP enmWhat, int rc,
1766 const char *pszMsgFmt, ...)
1767{
1768 va_list va;
1769 va_start(va, pszMsgFmt);
1770 supR3HardenedFatalMsgV(pszWhere, enmWhat, rc, pszMsgFmt, va);
1771 /* not reached */
1772}
1773
1774
1775DECL_NO_RETURN(DECLHIDDEN(void)) supR3HardenedFatalV(const char *pszFormat, va_list va)
1776{
1777 supR3HardenedLog("Fatal error:\n");
1778 va_list vaCopy;
1779 va_copy(vaCopy, va);
1780 supR3HardenedLogV(pszFormat, vaCopy);
1781 va_end(vaCopy);
1782
1783#if defined(RT_OS_WINDOWS)
1784 /*
1785 * Report the error to the parent if this happens during early VM init.
1786 */
1787 if ( g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED
1788 && g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
1789 supR3HardenedWinReportErrorToParent(NULL, kSupInitOp_Invalid, VERR_INTERNAL_ERROR, pszFormat, va);
1790 else
1791#endif
1792 {
1793#ifdef RT_OS_WINDOWS
1794 if (g_pfnRTLogRelPrintf)
1795 {
1796 va_copy(vaCopy, va);
1797 g_pfnRTLogRelPrintf("supR3HardenedFatalV: %N", pszFormat, &vaCopy);
1798 va_end(vaCopy);
1799 }
1800#endif
1801
1802 suplibHardenedPrintPrefix();
1803 suplibHardenedPrintFV(pszFormat, va);
1804 }
1805
1806 suplibHardenedExit(RTEXITCODE_FAILURE);
1807}
1808
1809
1810DECL_NO_RETURN(DECLHIDDEN(void)) supR3HardenedFatal(const char *pszFormat, ...)
1811{
1812 va_list va;
1813 va_start(va, pszFormat);
1814 supR3HardenedFatalV(pszFormat, va);
1815 /* not reached */
1816}
1817
1818
1819DECLHIDDEN(int) supR3HardenedErrorV(int rc, bool fFatal, const char *pszFormat, va_list va)
1820{
1821 if (fFatal)
1822 supR3HardenedFatalV(pszFormat, va);
1823
1824 supR3HardenedLog("Error (rc=%d):\n", rc);
1825 va_list vaCopy;
1826 va_copy(vaCopy, va);
1827 supR3HardenedLogV(pszFormat, vaCopy);
1828 va_end(vaCopy);
1829
1830#ifdef RT_OS_WINDOWS
1831 if (g_pfnRTLogRelPrintf)
1832 {
1833 va_copy(vaCopy, va);
1834 g_pfnRTLogRelPrintf("supR3HardenedErrorV: %N", pszFormat, &vaCopy);
1835 va_end(vaCopy);
1836 }
1837#endif
1838
1839 suplibHardenedPrintPrefix();
1840 suplibHardenedPrintFV(pszFormat, va);
1841
1842 return rc;
1843}
1844
1845
1846DECLHIDDEN(int) supR3HardenedError(int rc, bool fFatal, const char *pszFormat, ...)
1847{
1848 va_list va;
1849 va_start(va, pszFormat);
1850 supR3HardenedErrorV(rc, fFatal, pszFormat, va);
1851 va_end(va);
1852 return rc;
1853}
1854
1855
1856
1857/**
1858 * Attempts to open /dev/vboxdrv (or equvivalent).
1859 *
1860 * @remarks This function will not return on failure.
1861 */
1862DECLHIDDEN(void) supR3HardenedMainOpenDevice(void)
1863{
1864 RTERRINFOSTATIC ErrInfo;
1865 SUPINITOP enmWhat = kSupInitOp_Driver;
1866 int rc = suplibOsInit(&g_SupPreInitData.Data, false /*fPreInit*/, true /*fUnrestricted*/,
1867 &enmWhat, RTErrInfoInitStatic(&ErrInfo));
1868 if (RT_SUCCESS(rc))
1869 return;
1870
1871 if (RTErrInfoIsSet(&ErrInfo.Core))
1872 supR3HardenedFatalMsg("suplibOsInit", enmWhat, rc, "%s", ErrInfo.szMsg);
1873
1874 switch (rc)
1875 {
1876 /** @todo better messages! */
1877 case VERR_VM_DRIVER_NOT_INSTALLED:
1878 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel driver not installed");
1879 case VERR_VM_DRIVER_NOT_ACCESSIBLE:
1880 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel driver not accessible");
1881 case VERR_VM_DRIVER_LOAD_ERROR:
1882 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "VERR_VM_DRIVER_LOAD_ERROR");
1883 case VERR_VM_DRIVER_OPEN_ERROR:
1884 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "VERR_VM_DRIVER_OPEN_ERROR");
1885 case VERR_VM_DRIVER_VERSION_MISMATCH:
1886 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel driver version mismatch");
1887 case VERR_ACCESS_DENIED:
1888 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "VERR_ACCESS_DENIED");
1889 case VERR_NO_MEMORY:
1890 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Kernel memory allocation/mapping failed");
1891 case VERR_SUPDRV_HARDENING_EVIL_HANDLE:
1892 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPDRV_HARDENING_EVIL_HANDLE");
1893 case VERR_SUPLIB_NT_PROCESS_UNTRUSTED_0:
1894 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPLIB_NT_PROCESS_UNTRUSTED_0");
1895 case VERR_SUPLIB_NT_PROCESS_UNTRUSTED_1:
1896 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPLIB_NT_PROCESS_UNTRUSTED_1");
1897 case VERR_SUPLIB_NT_PROCESS_UNTRUSTED_2:
1898 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Integrity, rc, "VERR_SUPLIB_NT_PROCESS_UNTRUSTED_2");
1899 default:
1900 supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc, "Unknown rc=%d (%Rrc)", rc, rc);
1901 }
1902}
1903
1904
1905#ifdef SUP_HARDENED_SUID
1906
1907/**
1908 * Grabs extra non-root capabilities / privileges that we might require.
1909 *
1910 * This is currently only used for being able to do ICMP from the NAT engine
1911 * and for being able to raise thread scheduling priority
1912 *
1913 * @note We still have root privileges at the time of this call.
1914 */
1915static void supR3HardenedMainGrabCapabilites(void)
1916{
1917# if defined(RT_OS_LINUX)
1918 /*
1919 * We are about to drop all our privileges. Remove all capabilities but
1920 * keep the cap_net_raw capability for ICMP sockets for the NAT stack,
1921 * also keep cap_sys_nice capability for priority tweaking.
1922 */
1923 if (g_uCaps != 0)
1924 {
1925# ifdef USE_LIB_PCAP
1926 /* XXX cap_net_bind_service */
1927 if (!cap_set_proc(cap_from_text("all-eip cap_net_raw+ep cap_sys_nice+ep")))
1928 prctl(PR_SET_KEEPCAPS, 1 /*keep=*/, 0, 0, 0);
1929 prctl(PR_SET_DUMPABLE, 1 /*dump*/, 0, 0, 0);
1930# else
1931 cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
1932 cap_user_data_t cap = (cap_user_data_t)alloca(2 /*_LINUX_CAPABILITY_U32S_3*/ * sizeof(*cap));
1933 memset(hdr, 0, sizeof(*hdr));
1934 capget(hdr, NULL);
1935 if ( hdr->version != 0x19980330 /* _LINUX_CAPABILITY_VERSION_1, _LINUX_CAPABILITY_U32S_1 = 1 */
1936 && hdr->version != 0x20071026 /* _LINUX_CAPABILITY_VERSION_2, _LINUX_CAPABILITY_U32S_2 = 2 */
1937 && hdr->version != 0x20080522 /* _LINUX_CAPABILITY_VERSION_3, _LINUX_CAPABILITY_U32S_3 = 2 */)
1938 hdr->version = _LINUX_CAPABILITY_VERSION;
1939 g_uCapsVersion = hdr->version;
1940 memset(cap, 0, 2 /* _LINUX_CAPABILITY_U32S_3 */ * sizeof(*cap));
1941 cap->effective = g_uCaps;
1942 cap->permitted = g_uCaps;
1943 if (!capset(hdr, cap))
1944 prctl(PR_SET_KEEPCAPS, 1 /*keep*/, 0, 0, 0);
1945 prctl(PR_SET_DUMPABLE, 1 /*dump*/, 0, 0, 0);
1946# endif /* !USE_LIB_PCAP */
1947 }
1948
1949# elif defined(RT_OS_SOLARIS)
1950 /*
1951 * Add net_icmpaccess privilege to effective privileges and limit
1952 * permitted privileges before completely dropping root privileges.
1953 * This requires dropping root privileges temporarily to get the normal
1954 * user's privileges.
1955 */
1956 seteuid(g_uid);
1957 priv_set_t *pPrivEffective = priv_allocset();
1958 priv_set_t *pPrivNew = priv_allocset();
1959 if (pPrivEffective && pPrivNew)
1960 {
1961 int rc = getppriv(PRIV_EFFECTIVE, pPrivEffective);
1962 seteuid(0);
1963 if (!rc)
1964 {
1965 priv_copyset(pPrivEffective, pPrivNew);
1966 rc = priv_addset(pPrivNew, PRIV_NET_ICMPACCESS);
1967 if (!rc)
1968 {
1969 /* Order is important, as one can't set a privilege which is
1970 * not in the permitted privilege set. */
1971 rc = setppriv(PRIV_SET, PRIV_EFFECTIVE, pPrivNew);
1972 if (rc)
1973 supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set effective privilege set.\n");
1974 rc = setppriv(PRIV_SET, PRIV_PERMITTED, pPrivNew);
1975 if (rc)
1976 supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to set permitted privilege set.\n");
1977 }
1978 else
1979 supR3HardenedError(rc, false, "SUPR3HardenedMain: failed to add NET_ICMPACCESS privilege.\n");
1980 }
1981 }
1982 else
1983 {
1984 /* for memory allocation failures just continue */
1985 seteuid(0);
1986 }
1987
1988 if (pPrivEffective)
1989 priv_freeset(pPrivEffective);
1990 if (pPrivNew)
1991 priv_freeset(pPrivNew);
1992# endif
1993}
1994
1995/*
1996 * Look at the environment for some special options.
1997 */
1998static void supR3GrabOptions(void)
1999{
2000# ifdef RT_OS_LINUX
2001 g_uCaps = 0;
2002
2003 /*
2004 * Do _not_ perform any capability-related system calls for root processes
2005 * (leaving g_uCaps at 0).
2006 * (Hint: getuid gets the real user id, not the effective.)
2007 */
2008 if (getuid() != 0)
2009 {
2010 /*
2011 * CAP_NET_RAW.
2012 * Default: enabled.
2013 * Can be disabled with 'export VBOX_HARD_CAP_NET_RAW=0'.
2014 */
2015 const char *pszOpt = getenv("VBOX_HARD_CAP_NET_RAW");
2016 if ( !pszOpt
2017 || memcmp(pszOpt, "0", sizeof("0")) != 0)
2018 g_uCaps = CAP_TO_MASK(CAP_NET_RAW);
2019
2020 /*
2021 * CAP_NET_BIND_SERVICE.
2022 * Default: disabled.
2023 * Can be enabled with 'export VBOX_HARD_CAP_NET_BIND_SERVICE=1'.
2024 */
2025 pszOpt = getenv("VBOX_HARD_CAP_NET_BIND_SERVICE");
2026 if ( pszOpt
2027 && memcmp(pszOpt, "0", sizeof("0")) != 0)
2028 g_uCaps |= CAP_TO_MASK(CAP_NET_BIND_SERVICE);
2029
2030 /*
2031 * CAP_SYS_NICE.
2032 * Default: enabled.
2033 * Can be disabled with 'export VBOX_HARD_CAP_SYS_NICE=0'.
2034 */
2035 pszOpt = getenv("VBOX_HARD_CAP_SYS_NICE");
2036 if ( !pszOpt
2037 || memcmp(pszOpt, "0", sizeof("0")) != 0)
2038 g_uCaps |= CAP_TO_MASK(CAP_SYS_NICE);
2039 }
2040# endif
2041}
2042
2043/**
2044 * Drop any root privileges we might be holding.
2045 */
2046static void supR3HardenedMainDropPrivileges(void)
2047{
2048 /*
2049 * Try use setre[ug]id since this will clear the save uid/gid and thus
2050 * leave fewer traces behind that libs like GTK+ may pick up.
2051 */
2052 uid_t euid, ruid, suid;
2053 gid_t egid, rgid, sgid;
2054# if defined(RT_OS_DARWIN)
2055 /* The really great thing here is that setreuid isn't available on
2056 OS X 10.4, libc emulates it. While 10.4 have a slightly different and
2057 non-standard setuid implementation compared to 10.5, the following
2058 works the same way with both version since we're super user (10.5 req).
2059 The following will set all three variants of the group and user IDs. */
2060 setgid(g_gid);
2061 setuid(g_uid);
2062 euid = geteuid();
2063 ruid = suid = getuid();
2064 egid = getegid();
2065 rgid = sgid = getgid();
2066
2067# elif defined(RT_OS_SOLARIS)
2068 /* Solaris doesn't have setresuid, but the setreuid interface is BSD
2069 compatible and will set the saved uid to euid when we pass it a ruid
2070 that isn't -1 (which we do). */
2071 setregid(g_gid, g_gid);
2072 setreuid(g_uid, g_uid);
2073 euid = geteuid();
2074 ruid = suid = getuid();
2075 egid = getegid();
2076 rgid = sgid = getgid();
2077
2078# else
2079 /* This is the preferred one, full control no questions about semantics.
2080 PORTME: If this isn't work, try join one of two other gangs above. */
2081 int res = setresgid(g_gid, g_gid, g_gid);
2082 NOREF(res);
2083 res = setresuid(g_uid, g_uid, g_uid);
2084 NOREF(res);
2085 if (getresuid(&ruid, &euid, &suid) != 0)
2086 {
2087 euid = geteuid();
2088 ruid = suid = getuid();
2089 }
2090 if (getresgid(&rgid, &egid, &sgid) != 0)
2091 {
2092 egid = getegid();
2093 rgid = sgid = getgid();
2094 }
2095# endif
2096
2097
2098 /* Check that it worked out all right. */
2099 if ( euid != g_uid
2100 || ruid != g_uid
2101 || suid != g_uid
2102 || egid != g_gid
2103 || rgid != g_gid
2104 || sgid != g_gid)
2105 supR3HardenedFatal("SUPR3HardenedMain: failed to drop root privileges!"
2106 " (euid=%d ruid=%d suid=%d egid=%d rgid=%d sgid=%d; wanted uid=%d and gid=%d)\n",
2107 euid, ruid, suid, egid, rgid, sgid, g_uid, g_gid);
2108
2109# if RT_OS_LINUX
2110 /*
2111 * Re-enable the cap_net_raw and cap_sys_nice capabilities which were disabled during setresuid.
2112 */
2113 if (g_uCaps != 0)
2114 {
2115# ifdef USE_LIB_PCAP
2116 /** @todo Warn if that does not work? */
2117 /* XXX cap_net_bind_service */
2118 cap_set_proc(cap_from_text("cap_net_raw+ep cap_sys_nice+ep"));
2119# else
2120 cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
2121 cap_user_data_t cap = (cap_user_data_t)alloca(2 /* _LINUX_CAPABILITY_U32S_3 */ * sizeof(*cap));
2122 memset(hdr, 0, sizeof(*hdr));
2123 hdr->version = g_uCapsVersion;
2124 memset(cap, 0, 2 /* _LINUX_CAPABILITY_U32S_3 */ * sizeof(*cap));
2125 cap->effective = g_uCaps;
2126 cap->permitted = g_uCaps;
2127 /** @todo Warn if that does not work? */
2128 capset(hdr, cap);
2129# endif /* !USE_LIB_PCAP */
2130 }
2131# endif
2132}
2133
2134#endif /* SUP_HARDENED_SUID */
2135
2136/**
2137 * Purge the process environment from any environment vairable which can lead
2138 * to loading untrusted binaries compromising the process address space.
2139 *
2140 * @param envp The initial environment vector. (Can be NULL.)
2141 */
2142static void supR3HardenedMainPurgeEnvironment(char **envp)
2143{
2144 for (unsigned i = 0; i < RT_ELEMENTS(g_aSupEnvPurgeDescs); i++)
2145 {
2146 /*
2147 * Update the initial environment vector, just in case someone actually cares about it.
2148 */
2149 if (envp)
2150 {
2151 const char * const pszEnv = g_aSupEnvPurgeDescs[i].pszEnv;
2152 size_t const cchEnv = g_aSupEnvPurgeDescs[i].cchEnv;
2153 unsigned iSrc = 0;
2154 unsigned iDst = 0;
2155 char *pszTmp;
2156
2157 while ((pszTmp = envp[iSrc]) != NULL)
2158 {
2159 if ( memcmp(pszTmp, pszEnv, cchEnv) != 0
2160 || (pszTmp[cchEnv] != '=' && pszTmp[cchEnv] != '\0'))
2161 {
2162 if (iDst != iSrc)
2163 envp[iDst] = pszTmp;
2164 iDst++;
2165 }
2166 else
2167 SUP_DPRINTF(("supR3HardenedMainPurgeEnvironment: dropping envp[%d]=%s\n", iSrc, pszTmp));
2168 iSrc++;
2169 }
2170
2171 if (iDst != iSrc)
2172 while (iDst <= iSrc)
2173 envp[iDst++] = NULL;
2174 }
2175
2176 /*
2177 * Remove from the process environment if present.
2178 */
2179#ifndef RT_OS_WINDOWS
2180 const char *pszTmp = getenv(g_aSupEnvPurgeDescs[i].pszEnv);
2181 if (pszTmp != NULL)
2182 {
2183 if (unsetenv((char *)g_aSupEnvPurgeDescs[i].pszEnv) == 0)
2184 SUP_DPRINTF(("supR3HardenedMainPurgeEnvironment: dropped %s\n", pszTmp));
2185 else
2186 if (g_aSupEnvPurgeDescs[i].fPurgeErrFatal)
2187 supR3HardenedFatal("SUPR3HardenedMain: failed to purge %s environment variable! (errno=%d %s)\n",
2188 g_aSupEnvPurgeDescs[i].pszEnv, errno, strerror(errno));
2189 else
2190 SUP_DPRINTF(("supR3HardenedMainPurgeEnvironment: dropping %s failed! errno=%d\n", pszTmp, errno));
2191 }
2192#else
2193 /** @todo Call NT API to do the same. */
2194#endif
2195 }
2196}
2197
2198
2199/**
2200 * Returns the argument purge descriptor of the given argument if available.
2201 *
2202 * @retval 0 if it should not be purged.
2203 * @retval 1 if it only the current argument should be purged.
2204 * @retval 2 if the argument and the following (if present) should be purged.
2205 * @param pszArg The argument to look for.
2206 */
2207static unsigned supR3HardenedMainShouldPurgeArg(const char *pszArg)
2208{
2209 for (unsigned i = 0; i < RT_ELEMENTS(g_aSupArgPurgeDescs); i++)
2210 {
2211 size_t const cchPurge = g_aSupArgPurgeDescs[i].cchArg;
2212 if (!memcmp(pszArg, g_aSupArgPurgeDescs[i].pszArg, cchPurge))
2213 {
2214 if (pszArg[cchPurge] == '\0')
2215 return 1 + g_aSupArgPurgeDescs[i].fTakesValue;
2216 if ( g_aSupArgPurgeDescs[i].fTakesValue
2217 && (pszArg[cchPurge] == ':' || pszArg[cchPurge] == '='))
2218 return 1;
2219 }
2220 }
2221
2222 return 0;
2223}
2224
2225
2226/**
2227 * Purges any command line arguments considered harmful.
2228 *
2229 * @returns nothing.
2230 * @param cArgsOrig The original number of arguments.
2231 * @param papszArgsOrig The original argument vector.
2232 * @param pcArgsNew Where to store the new number of arguments on success.
2233 * @param ppapszArgsNew Where to store the pointer to the purged argument vector.
2234 */
2235static void supR3HardenedMainPurgeArgs(int cArgsOrig, char **papszArgsOrig, int *pcArgsNew, char ***ppapszArgsNew)
2236{
2237 int iDst = 0;
2238#ifdef RT_OS_WINDOWS
2239 char **papszArgsNew = papszArgsOrig; /* We allocated this, no need to allocate again. */
2240#else
2241 char **papszArgsNew = (char **)malloc((cArgsOrig + 1) * sizeof(char *));
2242#endif
2243 if (papszArgsNew)
2244 {
2245 for (int iSrc = 0; iSrc < cArgsOrig; iSrc++)
2246 {
2247 unsigned cPurgedArgs = supR3HardenedMainShouldPurgeArg(papszArgsOrig[iSrc]);
2248 if (!cPurgedArgs)
2249 papszArgsNew[iDst++] = papszArgsOrig[iSrc];
2250 else
2251 iSrc += cPurgedArgs - 1;
2252 }
2253
2254 papszArgsNew[iDst] = NULL; /* The array is NULL terminated, just like envp. */
2255 }
2256 else
2257 supR3HardenedFatal("SUPR3HardenedMain: failed to allocate memory for purged command line!\n");
2258 *pcArgsNew = iDst;
2259 *ppapszArgsNew = papszArgsNew;
2260
2261#ifdef RT_OS_WINDOWS
2262 /** @todo Update command line pointers in PEB, wont really work without it. */
2263#endif
2264}
2265
2266
2267/**
2268 * Loads the VBoxRT DLL/SO/DYLIB, hands it the open driver,
2269 * and calls RTR3InitEx.
2270 *
2271 * @param fFlags The SUPR3HardenedMain fFlags argument, passed to supR3PreInit.
2272 *
2273 * @remarks VBoxRT contains both IPRT and SUPR3.
2274 * @remarks This function will not return on failure.
2275 */
2276static void supR3HardenedMainInitRuntime(uint32_t fFlags)
2277{
2278 /*
2279 * Construct the name.
2280 */
2281 char szPath[RTPATH_MAX];
2282 supR3HardenedPathAppSharedLibs(szPath, sizeof(szPath) - sizeof("/VBoxRT" SUPLIB_DLL_SUFF));
2283 suplibHardenedStrCat(szPath, "/VBoxRT" SUPLIB_DLL_SUFF);
2284
2285 /*
2286 * Open it and resolve the symbols.
2287 */
2288#if defined(RT_OS_WINDOWS)
2289 HMODULE hMod = (HMODULE)supR3HardenedWinLoadLibrary(szPath, false /*fSystem32Only*/, g_fSupHardenedMain);
2290 if (!hMod)
2291 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
2292 "LoadLibrary \"%s\" failed (rc=%d)",
2293 szPath, RtlGetLastWin32Error());
2294 PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)GetProcAddress(hMod, SUP_HARDENED_SYM("RTR3InitEx"));
2295 if (!pfnRTInitEx)
2296 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
2297 "Entrypoint \"RTR3InitEx\" not found in \"%s\" (rc=%d)",
2298 szPath, RtlGetLastWin32Error());
2299
2300 PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)GetProcAddress(hMod, SUP_HARDENED_SYM("supR3PreInit"));
2301 if (!pfnSUPPreInit)
2302 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
2303 "Entrypoint \"supR3PreInit\" not found in \"%s\" (rc=%d)",
2304 szPath, RtlGetLastWin32Error());
2305
2306 g_pfnRTLogRelPrintf = (PFNRTLOGRELPRINTF)GetProcAddress(hMod, SUP_HARDENED_SYM("RTLogRelPrintf"));
2307 Assert(g_pfnRTLogRelPrintf); /* Not fatal in non-strict builds. */
2308
2309#else
2310 /* the dlopen crowd */
2311 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
2312 if (!pvMod)
2313 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
2314 "dlopen(\"%s\",) failed: %s",
2315 szPath, dlerror());
2316 PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("RTR3InitEx"));
2317 if (!pfnRTInitEx)
2318 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
2319 "Entrypoint \"RTR3InitEx\" not found in \"%s\"!\ndlerror: %s",
2320 szPath, dlerror());
2321 PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("supR3PreInit"));
2322 if (!pfnSUPPreInit)
2323 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
2324 "Entrypoint \"supR3PreInit\" not found in \"%s\"!\ndlerror: %s",
2325 szPath, dlerror());
2326#endif
2327
2328 /*
2329 * Make the calls.
2330 */
2331 supR3HardenedGetPreInitData(&g_SupPreInitData);
2332 int rc = pfnSUPPreInit(&g_SupPreInitData, fFlags);
2333 if (RT_FAILURE(rc))
2334 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
2335 "supR3PreInit failed with rc=%d", rc);
2336 const char *pszExePath = NULL;
2337#ifdef RT_OS_LINUX
2338 if (!supR3HardenedMainIsProcSelfExeAccssible())
2339 pszExePath = g_szSupLibHardenedExePath;
2340#endif
2341 rc = pfnRTInitEx(RTR3INIT_VER_1,
2342 fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV ? 0 : RTR3INIT_FLAGS_SUPLIB,
2343 0 /*cArgs*/, NULL /*papszArgs*/, pszExePath);
2344 if (RT_FAILURE(rc))
2345 supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
2346 "RTR3InitEx failed with rc=%d", rc);
2347
2348#if defined(RT_OS_WINDOWS)
2349 /*
2350 * Windows: Create thread that terminates the process when the parent stub
2351 * process terminates (VBoxNetDHCP, Ctrl-C, etc).
2352 */
2353 if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
2354 supR3HardenedWinCreateParentWatcherThread(hMod);
2355#endif
2356}
2357
2358
2359/**
2360 * Construct the path to the DLL/SO/DYLIB containing the actual program.
2361 *
2362 * @returns VBox status code.
2363 * @param pszProgName The program name.
2364 * @param fMainFlags The flags passed to SUPR3HardenedMain.
2365 * @param pszPath The output buffer.
2366 * @param cbPath The size of the output buffer, in bytes. Must be at
2367 * least 128 bytes!
2368 */
2369static int supR3HardenedMainGetTrustedLib(const char *pszProgName, uint32_t fMainFlags, char *pszPath, size_t cbPath)
2370{
2371 supR3HardenedPathAppPrivateArch(pszPath, sizeof(cbPath) - 10);
2372 const char *pszSubDirSlash;
2373 switch (g_fSupHardenedMain & SUPSECMAIN_FLAGS_LOC_MASK)
2374 {
2375 case SUPSECMAIN_FLAGS_LOC_APP_BIN:
2376#ifdef RT_OS_DARWIN
2377 case SUPSECMAIN_FLAGS_LOC_OSX_HLP_APP:
2378#endif
2379 pszSubDirSlash = "/";
2380 break;
2381 case SUPSECMAIN_FLAGS_LOC_TESTCASE:
2382 pszSubDirSlash = "/testcase/";
2383 break;
2384 default:
2385 pszSubDirSlash = "/";
2386 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Unknown program binary location: %#x\n", g_fSupHardenedMain);
2387 }
2388#ifdef RT_OS_DARWIN
2389 if (fMainFlags & SUPSECMAIN_FLAGS_OSX_VM_APP)
2390 pszProgName = "VirtualBox";
2391#else
2392 RT_NOREF1(fMainFlags);
2393#endif
2394 size_t cch = suplibHardenedStrLen(pszPath);
2395 return suplibHardenedStrCopyEx(&pszPath[cch], cbPath - cch, pszSubDirSlash, pszProgName, SUPLIB_DLL_SUFF, NULL);
2396}
2397
2398
2399/**
2400 * Loads the DLL/SO/DYLIB containing the actual program and
2401 * resolves the TrustedError symbol.
2402 *
2403 * This is very similar to supR3HardenedMainGetTrustedMain().
2404 *
2405 * @returns Pointer to the trusted error symbol if it is exported, NULL
2406 * and no error messages otherwise.
2407 * @param pszProgName The program name.
2408 */
2409static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName)
2410{
2411 /*
2412 * Don't bother if the main() function didn't advertise any TrustedError
2413 * export. It's both a waste of time and may trigger additional problems,
2414 * confusing or obscuring the original issue.
2415 */
2416 if (!(g_fSupHardenedMain & SUPSECMAIN_FLAGS_TRUSTED_ERROR))
2417 return NULL;
2418
2419 /*
2420 * Construct the name.
2421 */
2422 char szPath[RTPATH_MAX];
2423 supR3HardenedMainGetTrustedLib(pszProgName, g_fSupHardenedMain, szPath, sizeof(szPath));
2424
2425 /*
2426 * Open it and resolve the symbol.
2427 */
2428#if defined(RT_OS_WINDOWS)
2429 supR3HardenedWinEnableThreadCreation();
2430 HMODULE hMod = (HMODULE)supR3HardenedWinLoadLibrary(szPath, false /*fSystem32Only*/, 0 /*fMainFlags*/);
2431 if (!hMod)
2432 return NULL;
2433 FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedError"));
2434 if (!pfn)
2435 return NULL;
2436 return (PFNSUPTRUSTEDERROR)pfn;
2437
2438#else
2439 /* the dlopen crowd */
2440 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
2441 if (!pvMod)
2442 return NULL;
2443 void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedError"));
2444 if (!pvSym)
2445 return NULL;
2446 return (PFNSUPTRUSTEDERROR)(uintptr_t)pvSym;
2447#endif
2448}
2449
2450
2451/**
2452 * Loads the DLL/SO/DYLIB containing the actual program and
2453 * resolves the TrustedMain symbol.
2454 *
2455 * @returns Pointer to the trusted main of the actual program.
2456 * @param pszProgName The program name.
2457 * @param fMainFlags The flags passed to SUPR3HardenedMain.
2458 * @remarks This function will not return on failure.
2459 */
2460static PFNSUPTRUSTEDMAIN supR3HardenedMainGetTrustedMain(const char *pszProgName, uint32_t fMainFlags)
2461{
2462 /*
2463 * Construct the name.
2464 */
2465 char szPath[RTPATH_MAX];
2466 supR3HardenedMainGetTrustedLib(pszProgName, fMainFlags, szPath, sizeof(szPath));
2467
2468 /*
2469 * Open it and resolve the symbol.
2470 */
2471#if defined(RT_OS_WINDOWS)
2472 HMODULE hMod = (HMODULE)supR3HardenedWinLoadLibrary(szPath, false /*fSystem32Only*/, 0 /*fMainFlags*/);
2473 if (!hMod)
2474 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: LoadLibrary \"%s\" failed, rc=%d\n",
2475 szPath, RtlGetLastWin32Error());
2476 FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedMain"));
2477 if (!pfn)
2478 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\" (rc=%d)\n",
2479 szPath, RtlGetLastWin32Error());
2480 return (PFNSUPTRUSTEDMAIN)pfn;
2481
2482#else
2483 /* the dlopen crowd */
2484 void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
2485 if (!pvMod)
2486 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: dlopen(\"%s\",) failed: %s\n",
2487 szPath, dlerror());
2488 void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedMain"));
2489 if (!pvSym)
2490 supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\"!\ndlerror: %s\n",
2491 szPath, dlerror());
2492 return (PFNSUPTRUSTEDMAIN)(uintptr_t)pvSym;
2493#endif
2494}
2495
2496
2497/**
2498 * Secure main.
2499 *
2500 * This is used for the set-user-ID-on-execute binaries on unixy systems
2501 * and when using the open-vboxdrv-via-root-service setup on Windows.
2502 *
2503 * This function will perform the integrity checks of the VirtualBox
2504 * installation, open the support driver, open the root service (later),
2505 * and load the DLL corresponding to \a pszProgName and execute its main
2506 * function.
2507 *
2508 * @returns Return code appropriate for main().
2509 *
2510 * @param pszProgName The program name. This will be used to figure out which
2511 * DLL/SO/DYLIB to load and execute.
2512 * @param fFlags Flags.
2513 * @param argc The argument count.
2514 * @param argv The argument vector.
2515 * @param envp The environment vector.
2516 */
2517DECLHIDDEN(int) SUPR3HardenedMain(const char *pszProgName, uint32_t fFlags, int argc, char **argv, char **envp)
2518{
2519 SUP_DPRINTF(("SUPR3HardenedMain: pszProgName=%s fFlags=%#x\n", pszProgName, fFlags));
2520 g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_HARDENED_MAIN_CALLED;
2521
2522 /*
2523 * Note! At this point there is no IPRT, so we will have to stick
2524 * to basic CRT functions that everyone agree upon.
2525 */
2526 g_pszSupLibHardenedProgName = pszProgName;
2527 g_fSupHardenedMain = fFlags;
2528 g_SupPreInitData.u32Magic = SUPPREINITDATA_MAGIC;
2529 g_SupPreInitData.u32EndMagic = SUPPREINITDATA_MAGIC;
2530#ifdef RT_OS_WINDOWS
2531 if (!g_fSupEarlyProcessInit)
2532#endif
2533 g_SupPreInitData.Data.hDevice = SUP_HDEVICE_NIL;
2534
2535 /*
2536 * Determine the full exe path as we'll be needing it for the verify all
2537 * call(s) below. (We have to do this early on Linux because we * *might*
2538 * not be able to access /proc/self/exe after the seteuid call.)
2539 */
2540 supR3HardenedGetFullExePath();
2541#ifdef RT_OS_WINDOWS
2542 supR3HardenedWinInitAppBin(fFlags);
2543#endif
2544
2545#ifdef SUP_HARDENED_SUID
2546 /*
2547 * Grab any options from the environment.
2548 */
2549 supR3GrabOptions();
2550
2551 /*
2552 * Check that we're root, if we aren't then the installation is butchered.
2553 */
2554 g_uid = getuid();
2555 g_gid = getgid();
2556 if (geteuid() != 0 /* root */)
2557 supR3HardenedFatalMsg("SUPR3HardenedMain", kSupInitOp_RootCheck, VERR_PERMISSION_DENIED,
2558 "Effective UID is not root (euid=%d egid=%d uid=%d gid=%d)",
2559 geteuid(), getegid(), g_uid, g_gid);
2560#endif /* SUP_HARDENED_SUID */
2561
2562#ifdef RT_OS_WINDOWS
2563 /*
2564 * Windows: First respawn. On Windows we will respawn the process twice to establish
2565 * something we can put some kind of reliable trust in. The first respawning aims
2566 * at dropping compatibility layers and process "security" solutions.
2567 */
2568 if ( !g_fSupEarlyProcessInit
2569 && !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV)
2570 && supR3HardenedWinIsReSpawnNeeded(1 /*iWhich*/, argc, argv))
2571 {
2572 SUP_DPRINTF(("SUPR3HardenedMain: Respawn #1\n"));
2573 supR3HardenedWinInit(SUPSECMAIN_FLAGS_DONT_OPEN_DEV | SUPSECMAIN_FLAGS_FIRST_PROCESS, false /*fAvastKludge*/);
2574 supR3HardenedVerifyAll(true /* fFatal */, pszProgName, g_szSupLibHardenedExePath, fFlags);
2575 return supR3HardenedWinReSpawn(1 /*iWhich*/);
2576 }
2577
2578 /*
2579 * Windows: Initialize the image verification global data so we can verify the
2580 * signature of the process image and hook the core of the DLL loader API so we
2581 * can check the signature of all DLLs mapped into the process. (Already done
2582 * by early VM process init.)
2583 */
2584 if (!g_fSupEarlyProcessInit)
2585 supR3HardenedWinInit(fFlags, true /*fAvastKludge*/);
2586#endif /* RT_OS_WINDOWS */
2587
2588 /*
2589 * Validate the installation.
2590 */
2591 supR3HardenedVerifyAll(true /* fFatal */, pszProgName, g_szSupLibHardenedExePath, fFlags);
2592
2593 /*
2594 * The next steps are only taken if we actually need to access the support
2595 * driver. (Already done by early process init.)
2596 */
2597 if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
2598 {
2599#ifdef RT_OS_WINDOWS
2600 /*
2601 * Windows: Must have done early process init if we get here.
2602 */
2603 if (!g_fSupEarlyProcessInit)
2604 supR3HardenedFatalMsg("SUPR3HardenedMain", kSupInitOp_Integrity, VERR_WRONG_ORDER,
2605 "Early process init was somehow skipped.");
2606
2607 /*
2608 * Windows: The second respawn. This time we make a special arrangement
2609 * with vboxdrv to monitor access to the new process from its inception.
2610 */
2611 if (supR3HardenedWinIsReSpawnNeeded(2 /* iWhich*/, argc, argv))
2612 {
2613 SUP_DPRINTF(("SUPR3HardenedMain: Respawn #2\n"));
2614 return supR3HardenedWinReSpawn(2 /* iWhich*/);
2615 }
2616 SUP_DPRINTF(("SUPR3HardenedMain: Final process, opening VBoxDrv...\n"));
2617 supR3HardenedWinFlushLoaderCache();
2618
2619#else
2620 /*
2621 * Open the vboxdrv device.
2622 */
2623 supR3HardenedMainOpenDevice();
2624#endif /* !RT_OS_WINDOWS */
2625 }
2626
2627#ifdef RT_OS_WINDOWS
2628 /*
2629 * Windows: Enable the use of windows APIs to verify images at load time.
2630 */
2631 supR3HardenedWinEnableThreadCreation();
2632 supR3HardenedWinFlushLoaderCache();
2633 supR3HardenedWinResolveVerifyTrustApiAndHookThreadCreation(g_pszSupLibHardenedProgName);
2634 g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_VERIFY_TRUST_READY;
2635#else /* !RT_OS_WINDOWS */
2636# if defined(RT_OS_DARWIN)
2637 supR3HardenedDarwinInit();
2638# elif !defined(RT_OS_FREEBSD) /** @todo Portme. */
2639 /*
2640 * Posix: Hook the load library interface interface.
2641 */
2642 supR3HardenedPosixInit();
2643# endif
2644#endif /* !RT_OS_WINDOWS */
2645
2646#ifdef SUP_HARDENED_SUID
2647 /*
2648 * Grab additional capabilities / privileges.
2649 */
2650 supR3HardenedMainGrabCapabilites();
2651
2652 /*
2653 * Drop any root privileges we might be holding (won't return on failure)
2654 */
2655 supR3HardenedMainDropPrivileges();
2656#endif
2657
2658 /*
2659 * Purge any environment variables and command line arguments considered harmful.
2660 */
2661 /** @todo May need to move this to a much earlier stage on windows. */
2662 supR3HardenedMainPurgeEnvironment(envp);
2663 supR3HardenedMainPurgeArgs(argc, argv, &argc, &argv);
2664
2665 /*
2666 * Load the IPRT, hand the SUPLib part the open driver and
2667 * call RTR3InitEx.
2668 */
2669 SUP_DPRINTF(("SUPR3HardenedMain: Load Runtime...\n"));
2670 g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_INIT_RUNTIME;
2671 supR3HardenedMainInitRuntime(fFlags);
2672#ifdef RT_OS_WINDOWS
2673 supR3HardenedWinModifyDllSearchPath(fFlags, g_szSupLibHardenedAppBinPath);
2674#endif
2675
2676 /*
2677 * Load the DLL/SO/DYLIB containing the actual program
2678 * and pass control to it.
2679 */
2680 SUP_DPRINTF(("SUPR3HardenedMain: Load TrustedMain...\n"));
2681 g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_GET_TRUSTED_MAIN;
2682 PFNSUPTRUSTEDMAIN pfnTrustedMain = supR3HardenedMainGetTrustedMain(pszProgName, fFlags);
2683
2684 SUP_DPRINTF(("SUPR3HardenedMain: Calling TrustedMain (%p)...\n", pfnTrustedMain));
2685 g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_CALLED_TRUSTED_MAIN;
2686 return pfnTrustedMain(argc, argv, envp);
2687}
2688
Note: See TracBrowser for help on using the repository browser.

© 2023 Oracle
ContactPrivacy policyTerms of Use