[11725] | 1 | /* $Id: SUPR3HardenedVerify.cpp 66842 2017-05-08 21:03:57Z vboxsync $ */
|
---|
| 2 | /** @file
|
---|
| 3 | * VirtualBox Support Library - Verification of Hardened Installation.
|
---|
| 4 | */
|
---|
| 5 |
|
---|
| 6 | /*
|
---|
[62490] | 7 | * Copyright (C) 2006-2016 Oracle Corporation
|
---|
[11725] | 8 | *
|
---|
| 9 | * This file is part of VirtualBox Open Source Edition (OSE), as
|
---|
| 10 | * available from http://www.virtualbox.org. This file is free software;
|
---|
| 11 | * you can redistribute it and/or modify it under the terms of the GNU
|
---|
| 12 | * General Public License (GPL) as published by the Free Software
|
---|
| 13 | * Foundation, in version 2 as it comes in the "COPYING" file of the
|
---|
| 14 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
|
---|
| 15 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
|
---|
| 16 | *
|
---|
| 17 | * The contents of this file may alternatively be used under the terms
|
---|
| 18 | * of the Common Development and Distribution License Version 1.0
|
---|
| 19 | * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
|
---|
| 20 | * VirtualBox OSE distribution, in which case the provisions of the
|
---|
| 21 | * CDDL are applicable instead of those of the GPL.
|
---|
| 22 | *
|
---|
| 23 | * You may elect to license modified versions of this file under the
|
---|
| 24 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
| 25 | */
|
---|
| 26 |
|
---|
[57358] | 27 |
|
---|
| 28 | /*********************************************************************************************************************************
|
---|
| 29 | * Header Files *
|
---|
| 30 | *********************************************************************************************************************************/
|
---|
[11725] | 31 | #if defined(RT_OS_OS2)
|
---|
| 32 | # define INCL_BASE
|
---|
| 33 | # define INCL_ERRORS
|
---|
| 34 | # include <os2.h>
|
---|
| 35 | # include <stdio.h>
|
---|
[13908] | 36 | # include <stdlib.h>
|
---|
| 37 | # include <unistd.h>
|
---|
| 38 | # include <sys/fcntl.h>
|
---|
| 39 | # include <sys/errno.h>
|
---|
| 40 | # include <sys/syslimits.h>
|
---|
[11725] | 41 |
|
---|
| 42 | #elif defined(RT_OS_WINDOWS)
|
---|
[52163] | 43 | # include <iprt/nt/nt-and-windows.h>
|
---|
[49211] | 44 | # ifndef IN_SUP_HARDENED_R3
|
---|
| 45 | # include <stdio.h>
|
---|
| 46 | # endif
|
---|
[11725] | 47 |
|
---|
| 48 | #else /* UNIXes */
|
---|
| 49 | # include <sys/types.h>
|
---|
| 50 | # include <stdio.h>
|
---|
| 51 | # include <stdlib.h>
|
---|
[33701] | 52 | # include <dirent.h>
|
---|
[11725] | 53 | # include <dlfcn.h>
|
---|
| 54 | # include <fcntl.h>
|
---|
| 55 | # include <limits.h>
|
---|
| 56 | # include <errno.h>
|
---|
| 57 | # include <unistd.h>
|
---|
| 58 | # include <sys/stat.h>
|
---|
| 59 | # include <sys/time.h>
|
---|
| 60 | # include <sys/fcntl.h>
|
---|
| 61 | # include <pwd.h>
|
---|
| 62 | # ifdef RT_OS_DARWIN
|
---|
| 63 | # include <mach-o/dyld.h>
|
---|
| 64 | # endif
|
---|
| 65 |
|
---|
| 66 | #endif
|
---|
| 67 |
|
---|
| 68 | #include <VBox/sup.h>
|
---|
| 69 | #include <VBox/err.h>
|
---|
[29250] | 70 | #include <iprt/asm.h>
|
---|
[33739] | 71 | #include <iprt/ctype.h>
|
---|
[11725] | 72 | #include <iprt/param.h>
|
---|
[33701] | 73 | #include <iprt/path.h>
|
---|
[33739] | 74 | #include <iprt/string.h>
|
---|
[11725] | 75 |
|
---|
| 76 | #include "SUPLibInternal.h"
|
---|
[51770] | 77 | #if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
|
---|
| 78 | # define SUPHNTVI_NO_NT_STUFF
|
---|
| 79 | # include "win/SUPHardenedVerify-win.h"
|
---|
| 80 | #endif
|
---|
[11725] | 81 |
|
---|
| 82 |
|
---|
[57358] | 83 | /*********************************************************************************************************************************
|
---|
| 84 | * Defined Constants And Macros *
|
---|
| 85 | *********************************************************************************************************************************/
|
---|
[33738] | 86 | /** The max path length acceptable for a trusted path. */
|
---|
| 87 | #define SUPR3HARDENED_MAX_PATH 260U
|
---|
[11725] | 88 |
|
---|
[66842] | 89 | /** Enable to resolve symlinks using realpath() instead of cooking our own stuff. */
|
---|
| 90 | #define SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH 1
|
---|
| 91 |
|
---|
[33872] | 92 | #ifdef RT_OS_SOLARIS
|
---|
[33874] | 93 | # define dirfd(d) ((d)->d_fd)
|
---|
[33872] | 94 | #endif
|
---|
[11725] | 95 |
|
---|
[51770] | 96 | /** Compare table file names with externally supplied names. */
|
---|
| 97 | #if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
|
---|
[52160] | 98 | # define SUP_COMP_FILENAME RTStrICmp
|
---|
[51770] | 99 | #else
|
---|
| 100 | # define SUP_COMP_FILENAME suplibHardenedStrCmp
|
---|
| 101 | #endif
|
---|
[33872] | 102 |
|
---|
[51770] | 103 |
|
---|
[57358] | 104 | /*********************************************************************************************************************************
|
---|
| 105 | * Global Variables *
|
---|
| 106 | *********************************************************************************************************************************/
|
---|
[11725] | 107 | /**
|
---|
| 108 | * The files that gets verified.
|
---|
| 109 | *
|
---|
| 110 | * @todo This needs reviewing against the linux packages.
|
---|
[56733] | 111 | * @todo The excessive use of kSupID_AppSharedLib needs to be reviewed at some point. For
|
---|
[11725] | 112 | * the time being we're building the linux packages with SharedLib pointing to
|
---|
| 113 | * AppPrivArch (lazy bird).
|
---|
[57351] | 114 | *
|
---|
| 115 | * @remarks If you add executables here, you might need to update
|
---|
| 116 | * g_apszSupNtVpAllowedVmExes in SUPHardenedVerifyProcess-win.cpp.
|
---|
[11725] | 117 | */
|
---|
| 118 | static SUPINSTFILE const g_aSupInstallFiles[] =
|
---|
| 119 | {
|
---|
[18154] | 120 | /* type, dir, fOpt, "pszFile" */
|
---|
[11725] | 121 | /* ---------------------------------------------------------------------- */
|
---|
| 122 | { kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
|
---|
| 123 | { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
|
---|
| 124 | { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
|
---|
| 125 |
|
---|
[40370] | 126 | #ifdef VBOX_WITH_RAW_MODE
|
---|
[56284] | 127 | { kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMRC.rc" },
|
---|
| 128 | { kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDRC.rc" },
|
---|
| 129 | { kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDD2RC.rc" },
|
---|
[40370] | 130 | #endif
|
---|
[11725] | 131 |
|
---|
[56733] | 132 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
|
---|
| 133 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
|
---|
[60982] | 134 | #ifdef VBOX_WITH_REM
|
---|
[56733] | 135 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
|
---|
[60982] | 136 | #endif
|
---|
[15353] | 137 | #if HC_ARCH_BITS == 32
|
---|
[56733] | 138 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
|
---|
| 139 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
|
---|
[15327] | 140 | #endif
|
---|
[56733] | 141 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
|
---|
| 142 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
|
---|
| 143 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
|
---|
[58374] | 144 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxVMMPreload" SUPLIB_EXE_SUFF },
|
---|
| 145 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVMMPreload" SUPLIB_DLL_SUFF },
|
---|
[11725] | 146 |
|
---|
| 147 | //#ifdef VBOX_WITH_DEBUGGER_GUI
|
---|
[56733] | 148 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
|
---|
| 149 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
|
---|
[11725] | 150 | //#endif
|
---|
| 151 |
|
---|
[17791] | 152 | //#ifdef VBOX_WITH_SHARED_CLIPBOARD
|
---|
[18154] | 153 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
|
---|
[17791] | 154 | //#endif
|
---|
| 155 | //#ifdef VBOX_WITH_SHARED_FOLDERS
|
---|
[18154] | 156 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
|
---|
[17791] | 157 | //#endif
|
---|
[42331] | 158 | //#ifdef VBOX_WITH_DRAG_AND_DROP
|
---|
| 159 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
|
---|
| 160 | //#endif
|
---|
[17791] | 161 | //#ifdef VBOX_WITH_GUEST_PROPS
|
---|
[18154] | 162 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
|
---|
[17791] | 163 | //#endif
|
---|
[28545] | 164 | //#ifdef VBOX_WITH_GUEST_CONTROL
|
---|
| 165 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
|
---|
| 166 | //#endif
|
---|
[43457] | 167 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
|
---|
[18154] | 168 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
|
---|
| 169 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
|
---|
| 170 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
|
---|
| 171 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
|
---|
[17794] | 172 |
|
---|
[18154] | 173 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
|
---|
[17794] | 174 |
|
---|
| 175 | #ifdef VBOX_WITH_MAIN
|
---|
[11725] | 176 | { kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
|
---|
[17794] | 177 | #ifdef RT_OS_WINDOWS
|
---|
[56733] | 178 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
|
---|
[17794] | 179 | #else
|
---|
[11725] | 180 | { kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
|
---|
[56733] | 181 | { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
|
---|
[11725] | 182 | { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
|
---|
| 183 | { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
|
---|
| 184 | { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
|
---|
| 185 | { kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
|
---|
[17794] | 186 | #endif
|
---|
[11725] | 187 | #endif
|
---|
| 188 |
|
---|
[56733] | 189 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
|
---|
| 190 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
|
---|
| 191 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
|
---|
[11725] | 192 |
|
---|
| 193 | //#ifdef VBOX_WITH_HEADLESS
|
---|
[18154] | 194 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
|
---|
| 195 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
|
---|
[42477] | 196 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
|
---|
[11725] | 197 | //#endif
|
---|
| 198 |
|
---|
[16174] | 199 | //#ifdef VBOX_WITH_QTGUI
|
---|
[18154] | 200 | { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
|
---|
| 201 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
|
---|
[56817] | 202 | # ifdef RT_OS_DARWIN
|
---|
| 203 | { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
|
---|
| 204 | # endif
|
---|
[11725] | 205 | # if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
|
---|
[56733] | 206 | { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
|
---|
[11725] | 207 | # endif
|
---|
| 208 | //#endif
|
---|
| 209 |
|
---|
| 210 | //#ifdef VBOX_WITH_VBOXSDL
|
---|
[18154] | 211 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
|
---|
| 212 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
|
---|
[11725] | 213 | //#endif
|
---|
| 214 |
|
---|
| 215 | //#ifdef VBOX_WITH_WEBSERVICES
|
---|
[18154] | 216 | { kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
|
---|
[11725] | 217 | //#endif
|
---|
| 218 |
|
---|
| 219 | #ifdef RT_OS_LINUX
|
---|
[18154] | 220 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
|
---|
[11725] | 221 | #endif
|
---|
[18003] | 222 |
|
---|
| 223 | //#ifdef VBOX_WITH_NETFLT
|
---|
[18154] | 224 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
|
---|
| 225 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
|
---|
[18003] | 226 | //#endif
|
---|
[47883] | 227 |
|
---|
| 228 | //#ifdef VBOX_WITH_LWIP_NAT
|
---|
[47894] | 229 | { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
|
---|
| 230 | { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
|
---|
[47883] | 231 | //#endif
|
---|
[51909] | 232 | #if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
|
---|
| 233 | # define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
|
---|
| 234 | { kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
|
---|
| 235 | { kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
|
---|
| 236 | HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
|
---|
| 237 | HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
|
---|
| 238 | HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
|
---|
| 239 | HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
|
---|
| 240 | HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
|
---|
| 241 | # define HARDENED_TESTCASE_ENTRY(a_szName) \
|
---|
| 242 | { kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
|
---|
| 243 | { kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
|
---|
| 244 | HARDENED_TESTCASE_ENTRY("tstCFGM"),
|
---|
[57351] | 245 | HARDENED_TESTCASE_ENTRY("tstGIP-2"),
|
---|
[51909] | 246 | HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
|
---|
| 247 | HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
|
---|
[54453] | 248 | HARDENED_TESTCASE_ENTRY("tstRTR0ThreadPreemptionDriver"),
|
---|
[51909] | 249 | HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
|
---|
| 250 | HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
|
---|
| 251 | HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
|
---|
| 252 | HARDENED_TESTCASE_ENTRY("tstSSM"),
|
---|
| 253 | #endif
|
---|
[11725] | 254 | };
|
---|
| 255 |
|
---|
| 256 |
|
---|
| 257 | /** Array parallel to g_aSupInstallFiles containing per-file status info. */
|
---|
| 258 | static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
|
---|
| 259 |
|
---|
| 260 | /** Array index by install directory specifier containing info about verified directories. */
|
---|
| 261 | static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
|
---|
| 262 |
|
---|
| 263 |
|
---|
| 264 | /**
|
---|
[33540] | 265 | * Assembles the path to a directory.
|
---|
[11725] | 266 | *
|
---|
| 267 | * @returns VINF_SUCCESS on success, some error code on failure (fFatal
|
---|
| 268 | * decides whether it returns or not).
|
---|
| 269 | *
|
---|
| 270 | * @param enmDir The directory.
|
---|
| 271 | * @param pszDst Where to assemble the path.
|
---|
| 272 | * @param cchDst The size of the buffer.
|
---|
| 273 | * @param fFatal Whether failures should be treated as fatal (true) or not (false).
|
---|
| 274 | */
|
---|
| 275 | static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
|
---|
| 276 | {
|
---|
| 277 | int rc;
|
---|
| 278 | switch (enmDir)
|
---|
| 279 | {
|
---|
[56733] | 280 | case kSupID_AppBin:
|
---|
| 281 | rc = supR3HardenedPathAppBin(pszDst, cchDst);
|
---|
[11725] | 282 | break;
|
---|
[56733] | 283 | case kSupID_AppSharedLib:
|
---|
| 284 | rc = supR3HardenedPathAppSharedLibs(pszDst, cchDst);
|
---|
[11725] | 285 | break;
|
---|
| 286 | case kSupID_AppPrivArch:
|
---|
| 287 | rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
|
---|
| 288 | break;
|
---|
| 289 | case kSupID_AppPrivArchComp:
|
---|
| 290 | rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
|
---|
| 291 | if (RT_SUCCESS(rc))
|
---|
| 292 | {
|
---|
[49211] | 293 | size_t off = suplibHardenedStrLen(pszDst);
|
---|
[11725] | 294 | if (cchDst - off >= sizeof("/components"))
|
---|
[49211] | 295 | suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
|
---|
[11725] | 296 | else
|
---|
| 297 | rc = VERR_BUFFER_OVERFLOW;
|
---|
| 298 | }
|
---|
| 299 | break;
|
---|
| 300 | case kSupID_AppPrivNoArch:
|
---|
| 301 | rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
|
---|
| 302 | break;
|
---|
[51909] | 303 | case kSupID_Testcase:
|
---|
[56733] | 304 | rc = supR3HardenedPathAppBin(pszDst, cchDst);
|
---|
[51909] | 305 | if (RT_SUCCESS(rc))
|
---|
| 306 | {
|
---|
| 307 | size_t off = suplibHardenedStrLen(pszDst);
|
---|
| 308 | if (cchDst - off >= sizeof("/testcase"))
|
---|
| 309 | suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
|
---|
| 310 | else
|
---|
| 311 | rc = VERR_BUFFER_OVERFLOW;
|
---|
| 312 | }
|
---|
| 313 | break;
|
---|
[11725] | 314 | default:
|
---|
| 315 | return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
| 316 | "supR3HardenedMakePath: enmDir=%d\n", enmDir);
|
---|
| 317 | }
|
---|
| 318 | if (RT_FAILURE(rc))
|
---|
| 319 | supR3HardenedError(rc, fFatal,
|
---|
| 320 | "supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
|
---|
| 321 | return rc;
|
---|
| 322 | }
|
---|
| 323 |
|
---|
| 324 |
|
---|
| 325 |
|
---|
| 326 | /**
|
---|
| 327 | * Assembles the path to a file table entry, with or without the actual filename.
|
---|
| 328 | *
|
---|
| 329 | * @returns VINF_SUCCESS on success, some error code on failure (fFatal
|
---|
| 330 | * decides whether it returns or not).
|
---|
| 331 | *
|
---|
| 332 | * @param pFile The file table entry.
|
---|
| 333 | * @param pszDst Where to assemble the path.
|
---|
| 334 | * @param cchDst The size of the buffer.
|
---|
| 335 | * @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
|
---|
| 336 | * @param fFatal Whether failures should be treated as fatal (true) or not (false).
|
---|
| 337 | */
|
---|
| 338 | static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
|
---|
| 339 | {
|
---|
| 340 | /*
|
---|
| 341 | * Combine supR3HardenedMakePath and the filename.
|
---|
| 342 | */
|
---|
| 343 | int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
|
---|
[39086] | 344 | if (RT_SUCCESS(rc) && fWithFilename)
|
---|
[11725] | 345 | {
|
---|
[49211] | 346 | size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
|
---|
| 347 | size_t off = suplibHardenedStrLen(pszDst);
|
---|
[11725] | 348 | if (cchDst - off >= cchFile + 2)
|
---|
| 349 | {
|
---|
| 350 | pszDst[off++] = '/';
|
---|
[49211] | 351 | suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
|
---|
[11725] | 352 | }
|
---|
| 353 | else
|
---|
| 354 | rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
|
---|
| 355 | "supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
|
---|
| 356 | pFile->pszFile, (long)off);
|
---|
| 357 | }
|
---|
| 358 | return rc;
|
---|
| 359 | }
|
---|
| 360 |
|
---|
| 361 |
|
---|
| 362 | /**
|
---|
| 363 | * Verifies a directory.
|
---|
| 364 | *
|
---|
| 365 | * @returns VINF_SUCCESS on success. On failure, an error code is returned if
|
---|
| 366 | * fFatal is clear and if it's set the function wont return.
|
---|
| 367 | * @param enmDir The directory specifier.
|
---|
| 368 | * @param fFatal Whether validation failures should be treated as
|
---|
| 369 | * fatal (true) or not (false).
|
---|
| 370 | */
|
---|
[33701] | 371 | DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
|
---|
[11725] | 372 | {
|
---|
| 373 | /*
|
---|
| 374 | * Validate the index just to be on the safe side...
|
---|
| 375 | */
|
---|
| 376 | if (enmDir <= kSupID_Invalid || enmDir >= kSupID_End)
|
---|
| 377 | return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
| 378 | "supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
|
---|
| 379 |
|
---|
| 380 | /*
|
---|
| 381 | * Already validated?
|
---|
| 382 | */
|
---|
| 383 | if (g_aSupVerifiedDirs[enmDir].fValidated)
|
---|
| 384 | return VINF_SUCCESS; /** @todo revalidate? */
|
---|
| 385 |
|
---|
| 386 | /* initialize the entry. */
|
---|
| 387 | if (g_aSupVerifiedDirs[enmDir].hDir != 0)
|
---|
| 388 | supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
| 389 | "supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
|
---|
| 390 | (void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
|
---|
| 391 | g_aSupVerifiedDirs[enmDir].hDir = -1;
|
---|
| 392 | g_aSupVerifiedDirs[enmDir].fValidated = false;
|
---|
| 393 |
|
---|
| 394 | /*
|
---|
| 395 | * Make the path and open the directory.
|
---|
| 396 | */
|
---|
| 397 | char szPath[RTPATH_MAX];
|
---|
| 398 | int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
|
---|
| 399 | if (RT_SUCCESS(rc))
|
---|
| 400 | {
|
---|
[51912] | 401 | #if defined(RT_OS_WINDOWS)
|
---|
| 402 | PRTUTF16 pwszPath;
|
---|
| 403 | rc = RTStrToUtf16(szPath, &pwszPath);
|
---|
| 404 | if (RT_SUCCESS(rc))
|
---|
[11725] | 405 | {
|
---|
[51912] | 406 | HANDLE hDir = CreateFileW(pwszPath,
|
---|
| 407 | GENERIC_READ,
|
---|
| 408 | FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE,
|
---|
| 409 | NULL,
|
---|
| 410 | OPEN_EXISTING,
|
---|
| 411 | FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS,
|
---|
| 412 | NULL);
|
---|
| 413 | if (hDir != INVALID_HANDLE_VALUE)
|
---|
| 414 | {
|
---|
| 415 | /** @todo check the type */
|
---|
| 416 | /* That's all on windows, for now at least... */
|
---|
| 417 | g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
|
---|
| 418 | g_aSupVerifiedDirs[enmDir].fValidated = true;
|
---|
| 419 | }
|
---|
| 420 | else if (enmDir == kSupID_Testcase)
|
---|
| 421 | {
|
---|
| 422 | g_aSupVerifiedDirs[enmDir].fValidated = true;
|
---|
| 423 | rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
|
---|
| 424 | }
|
---|
| 425 | else
|
---|
| 426 | {
|
---|
[52940] | 427 | int err = RtlGetLastWin32Error();
|
---|
[51912] | 428 | rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
|
---|
| 429 | "supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
|
---|
| 430 | szPath, err);
|
---|
| 431 | }
|
---|
| 432 | RTUtf16Free(pwszPath);
|
---|
[11725] | 433 | }
|
---|
| 434 | else
|
---|
[51912] | 435 | rc = supR3HardenedError(rc, fFatal,
|
---|
| 436 | "supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
|
---|
| 437 |
|
---|
[11725] | 438 | #else /* UNIXY */
|
---|
| 439 | int fd = open(szPath, O_RDONLY, 0);
|
---|
| 440 | if (fd >= 0)
|
---|
| 441 | {
|
---|
| 442 | /*
|
---|
| 443 | * On unixy systems we'll make sure the directory is owned by root
|
---|
| 444 | * and not writable by the group and user.
|
---|
| 445 | */
|
---|
| 446 | struct stat st;
|
---|
| 447 | if (!fstat(fd, &st))
|
---|
| 448 | {
|
---|
| 449 |
|
---|
| 450 | if ( st.st_uid == 0
|
---|
| 451 | && !(st.st_mode & (S_IWGRP | S_IWOTH))
|
---|
| 452 | && S_ISDIR(st.st_mode))
|
---|
| 453 | {
|
---|
| 454 | g_aSupVerifiedDirs[enmDir].hDir = fd;
|
---|
| 455 | g_aSupVerifiedDirs[enmDir].fValidated = true;
|
---|
| 456 | }
|
---|
| 457 | else
|
---|
| 458 | {
|
---|
| 459 | if (!S_ISDIR(st.st_mode))
|
---|
| 460 | rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
|
---|
| 461 | "supR3HardenedVerifyDir: \"%s\" is not a directory\n",
|
---|
| 462 | szPath, (long)st.st_uid);
|
---|
| 463 | else if (st.st_uid)
|
---|
| 464 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
| 465 | "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
|
---|
| 466 | szPath, (long)st.st_uid);
|
---|
| 467 | else
|
---|
| 468 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
| 469 | "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
|
---|
| 470 | szPath, (long)st.st_mode);
|
---|
| 471 | close(fd);
|
---|
| 472 | }
|
---|
| 473 | }
|
---|
| 474 | else
|
---|
| 475 | {
|
---|
| 476 | int err = errno;
|
---|
| 477 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
| 478 | "supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
|
---|
| 479 | szPath, strerror(err), err);
|
---|
| 480 | close(fd);
|
---|
| 481 | }
|
---|
| 482 | }
|
---|
[51909] | 483 | else if (enmDir == kSupID_Testcase)
|
---|
| 484 | {
|
---|
| 485 | g_aSupVerifiedDirs[enmDir].fValidated = true;
|
---|
| 486 | rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
|
---|
| 487 | }
|
---|
[11725] | 488 | else
|
---|
| 489 | {
|
---|
| 490 | int err = errno;
|
---|
| 491 | rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
|
---|
| 492 | "supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
|
---|
| 493 | szPath, strerror(err), err);
|
---|
| 494 | }
|
---|
| 495 | #endif /* UNIXY */
|
---|
| 496 | }
|
---|
| 497 |
|
---|
| 498 | return rc;
|
---|
| 499 | }
|
---|
| 500 |
|
---|
| 501 |
|
---|
[52083] | 502 | #ifdef RT_OS_WINDOWS
|
---|
[11725] | 503 | /**
|
---|
[52083] | 504 | * Opens the file for verification.
|
---|
| 505 | *
|
---|
| 506 | * @returns VINF_SUCCESS on success. On failure, an error code is returned if
|
---|
| 507 | * fFatal is clear and if it's set the function wont return.
|
---|
| 508 | * @param pFile The file entry.
|
---|
| 509 | * @param fFatal Whether validation failures should be treated as
|
---|
| 510 | * kl fatal (true) or not (false).
|
---|
| 511 | * @param phFile The file handle, set to -1 if we failed to open
|
---|
| 512 | * the file. The function may return VINF_SUCCESS
|
---|
| 513 | * and a -1 handle if the file is optional.
|
---|
| 514 | */
|
---|
| 515 | static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
|
---|
| 516 | {
|
---|
| 517 | *phFile = -1;
|
---|
| 518 |
|
---|
| 519 | char szPath[RTPATH_MAX];
|
---|
| 520 | int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
|
---|
| 521 | if (RT_SUCCESS(rc))
|
---|
| 522 | {
|
---|
| 523 | PRTUTF16 pwszPath;
|
---|
| 524 | rc = RTStrToUtf16(szPath, &pwszPath);
|
---|
| 525 | if (RT_SUCCESS(rc))
|
---|
| 526 | {
|
---|
| 527 | HANDLE hFile = CreateFileW(pwszPath,
|
---|
| 528 | GENERIC_READ,
|
---|
| 529 | FILE_SHARE_READ,
|
---|
| 530 | NULL,
|
---|
| 531 | OPEN_EXISTING,
|
---|
| 532 | FILE_ATTRIBUTE_NORMAL,
|
---|
| 533 | NULL);
|
---|
[52355] | 534 | if (hFile != INVALID_HANDLE_VALUE)
|
---|
[52083] | 535 | {
|
---|
| 536 | *phFile = (intptr_t)hFile;
|
---|
| 537 | rc = VINF_SUCCESS;
|
---|
| 538 | }
|
---|
| 539 | else
|
---|
| 540 | {
|
---|
[52940] | 541 | int err = RtlGetLastWin32Error();
|
---|
[52083] | 542 | if ( !pFile->fOptional
|
---|
| 543 | || ( err != ERROR_FILE_NOT_FOUND
|
---|
| 544 | && (err != ERROR_PATH_NOT_FOUND || pFile->enmDir != kSupID_Testcase) ) )
|
---|
| 545 | rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
|
---|
| 546 | "supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
|
---|
| 547 | }
|
---|
| 548 | RTUtf16Free(pwszPath);
|
---|
| 549 | }
|
---|
| 550 | else
|
---|
| 551 | rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
|
---|
| 552 | szPath, rc);
|
---|
| 553 | }
|
---|
| 554 | return rc;
|
---|
| 555 | }
|
---|
| 556 |
|
---|
| 557 |
|
---|
| 558 | /**
|
---|
| 559 | * Worker for supR3HardenedVerifyFileInternal.
|
---|
| 560 | *
|
---|
| 561 | * @returns VINF_SUCCESS on success. On failure, an error code is returned if
|
---|
| 562 | * fFatal is clear and if it's set the function wont return.
|
---|
| 563 | * @param pFile The file entry.
|
---|
| 564 | * @param pVerified The verification record.
|
---|
| 565 | * @param fFatal Whether validation failures should be treated as
|
---|
| 566 | * fatal (true) or not (false).
|
---|
| 567 | * @param fLeaveFileOpen Whether the file should be left open.
|
---|
| 568 | */
|
---|
| 569 | static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
|
---|
| 570 | {
|
---|
| 571 | # if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
|
---|
| 572 |
|
---|
| 573 | /*
|
---|
| 574 | * Open the file if we have to.
|
---|
| 575 | */
|
---|
| 576 | int rc;
|
---|
| 577 | intptr_t hFileOpened;
|
---|
| 578 | intptr_t hFile = pVerified->hFile;
|
---|
| 579 | if (hFile != -1)
|
---|
| 580 | hFileOpened = -1;
|
---|
| 581 | else
|
---|
| 582 | {
|
---|
| 583 | rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
|
---|
| 584 | if (RT_FAILURE(rc))
|
---|
| 585 | return rc;
|
---|
| 586 | hFile = hFileOpened;
|
---|
| 587 | }
|
---|
| 588 |
|
---|
| 589 | /*
|
---|
| 590 | * Verify the signature.
|
---|
| 591 | */
|
---|
| 592 | char szErr[1024];
|
---|
| 593 | RTERRINFO ErrInfo;
|
---|
| 594 | RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
|
---|
| 595 |
|
---|
| 596 | uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
|
---|
| 597 | if (pFile->enmType == kSupIFT_Rc)
|
---|
| 598 | fFlags |= SUPHNTVI_F_RC_IMAGE;
|
---|
| 599 |
|
---|
| 600 | rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
|
---|
| 601 | if (RT_SUCCESS(rc))
|
---|
| 602 | pVerified->fCheckedSignature = true;
|
---|
| 603 | else
|
---|
| 604 | {
|
---|
| 605 | pVerified->fCheckedSignature = false;
|
---|
| 606 | rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
|
---|
| 607 | pFile->pszFile, rc, szErr);
|
---|
| 608 |
|
---|
| 609 | }
|
---|
| 610 |
|
---|
| 611 | /*
|
---|
| 612 | * Close the handle if we opened the file and we should close it.
|
---|
| 613 | */
|
---|
| 614 | if (hFileOpened != -1)
|
---|
| 615 | {
|
---|
| 616 | if (fLeaveFileOpen && RT_SUCCESS(rc))
|
---|
| 617 | pVerified->hFile = hFileOpened;
|
---|
| 618 | else
|
---|
[52940] | 619 | NtClose((HANDLE)hFileOpened);
|
---|
[52083] | 620 | }
|
---|
| 621 |
|
---|
| 622 | return rc;
|
---|
| 623 |
|
---|
| 624 | # else /* Not checking signatures. */
|
---|
[62675] | 625 | RT_NOREF4(pFile, pVerified, fFatal, fLeaveFileOpen);
|
---|
[52083] | 626 | return VINF_SUCCESS;
|
---|
| 627 | # endif /* Not checking signatures. */
|
---|
| 628 | }
|
---|
| 629 | #endif
|
---|
| 630 |
|
---|
| 631 |
|
---|
| 632 | /**
|
---|
[11725] | 633 | * Verifies a file entry.
|
---|
| 634 | *
|
---|
| 635 | * @returns VINF_SUCCESS on success. On failure, an error code is returned if
|
---|
| 636 | * fFatal is clear and if it's set the function wont return.
|
---|
| 637 | *
|
---|
| 638 | * @param iFile The file table index of the file to be verified.
|
---|
| 639 | * @param fFatal Whether validation failures should be treated as
|
---|
| 640 | * fatal (true) or not (false).
|
---|
| 641 | * @param fLeaveFileOpen Whether the file should be left open.
|
---|
[52083] | 642 | * @param fVerifyAll Set if this is an verify all call and we will
|
---|
| 643 | * postpone signature checking.
|
---|
[11725] | 644 | */
|
---|
[52083] | 645 | static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
|
---|
[11725] | 646 | {
|
---|
[62877] | 647 | #ifndef RT_OS_WINDOWS
|
---|
| 648 | RT_NOREF1(fVerifyAll);
|
---|
| 649 | #endif
|
---|
[11725] | 650 | PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
|
---|
| 651 | PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
|
---|
| 652 |
|
---|
| 653 | /*
|
---|
[52083] | 654 | * Already done validation? Do signature validation if we haven't yet.
|
---|
[11725] | 655 | */
|
---|
| 656 | if (pVerified->fValidated)
|
---|
[52083] | 657 | {
|
---|
| 658 | /** @todo revalidate? Check that the file hasn't been replace or similar. */
|
---|
| 659 | #ifdef RT_OS_WINDOWS
|
---|
| 660 | if (!pVerified->fCheckedSignature && !fVerifyAll)
|
---|
| 661 | return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
|
---|
| 662 | #endif
|
---|
| 663 | return VINF_SUCCESS;
|
---|
| 664 | }
|
---|
[11725] | 665 |
|
---|
| 666 |
|
---|
| 667 | /* initialize the entry. */
|
---|
| 668 | if (pVerified->hFile != 0)
|
---|
| 669 | supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
| 670 | "supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
|
---|
| 671 | (void *)pVerified->hFile, pFile->pszFile);
|
---|
| 672 | pVerified->hFile = -1;
|
---|
| 673 | pVerified->fValidated = false;
|
---|
[52084] | 674 | #ifdef RT_OS_WINDOWS
|
---|
[52083] | 675 | pVerified->fCheckedSignature = false;
|
---|
[52084] | 676 | #endif
|
---|
[11725] | 677 |
|
---|
| 678 | /*
|
---|
| 679 | * Verify the directory then proceed to open it.
|
---|
| 680 | * (This'll make sure the directory is opened and that we can (later)
|
---|
| 681 | * use openat if we wish.)
|
---|
| 682 | */
|
---|
[33701] | 683 | int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
|
---|
[11725] | 684 | if (RT_SUCCESS(rc))
|
---|
| 685 | {
|
---|
[52083] | 686 | #if defined(RT_OS_WINDOWS)
|
---|
| 687 | rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
|
---|
[11725] | 688 | if (RT_SUCCESS(rc))
|
---|
| 689 | {
|
---|
[52083] | 690 | if (!fVerifyAll)
|
---|
| 691 | rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
|
---|
[51803] | 692 | if (RT_SUCCESS(rc))
|
---|
[11725] | 693 | {
|
---|
[52083] | 694 | pVerified->fValidated = true;
|
---|
| 695 | if (!fLeaveFileOpen)
|
---|
[51803] | 696 | {
|
---|
[52940] | 697 | NtClose((HANDLE)pVerified->hFile);
|
---|
[52083] | 698 | pVerified->hFile = -1;
|
---|
[51770] | 699 | }
|
---|
[11725] | 700 | }
|
---|
[52083] | 701 | }
|
---|
| 702 | #else /* !RT_OS_WINDOWS */
|
---|
| 703 | char szPath[RTPATH_MAX];
|
---|
| 704 | rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
|
---|
| 705 | if (RT_SUCCESS(rc))
|
---|
| 706 | {
|
---|
[11725] | 707 | int fd = open(szPath, O_RDONLY, 0);
|
---|
| 708 | if (fd >= 0)
|
---|
| 709 | {
|
---|
| 710 | /*
|
---|
[52083] | 711 | * On unixy systems we'll make sure the file is owned by root
|
---|
[11725] | 712 | * and not writable by the group and user.
|
---|
| 713 | */
|
---|
| 714 | struct stat st;
|
---|
| 715 | if (!fstat(fd, &st))
|
---|
| 716 | {
|
---|
| 717 | if ( st.st_uid == 0
|
---|
| 718 | && !(st.st_mode & (S_IWGRP | S_IWOTH))
|
---|
| 719 | && S_ISREG(st.st_mode))
|
---|
| 720 | {
|
---|
| 721 | /* it's valid. */
|
---|
| 722 | if (fLeaveFileOpen)
|
---|
| 723 | pVerified->hFile = fd;
|
---|
| 724 | else
|
---|
| 725 | close(fd);
|
---|
| 726 | pVerified->fValidated = true;
|
---|
| 727 | }
|
---|
| 728 | else
|
---|
| 729 | {
|
---|
| 730 | if (!S_ISREG(st.st_mode))
|
---|
| 731 | rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
|
---|
| 732 | "supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
|
---|
| 733 | szPath, (long)st.st_uid);
|
---|
| 734 | else if (st.st_uid)
|
---|
| 735 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
| 736 | "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
|
---|
| 737 | szPath, (long)st.st_uid);
|
---|
| 738 | else
|
---|
| 739 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
| 740 | "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
|
---|
| 741 | szPath, (long)st.st_mode);
|
---|
| 742 | close(fd);
|
---|
| 743 | }
|
---|
| 744 | }
|
---|
| 745 | else
|
---|
| 746 | {
|
---|
| 747 | int err = errno;
|
---|
| 748 | rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
|
---|
| 749 | "supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
|
---|
| 750 | szPath, strerror(err), err);
|
---|
| 751 | close(fd);
|
---|
| 752 | }
|
---|
| 753 | }
|
---|
| 754 | else
|
---|
| 755 | {
|
---|
| 756 | int err = errno;
|
---|
| 757 | if (!pFile->fOptional || err != ENOENT)
|
---|
| 758 | rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
|
---|
| 759 | "supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
|
---|
| 760 | szPath, strerror(err), err);
|
---|
| 761 | }
|
---|
| 762 | }
|
---|
[52083] | 763 | #endif /* !RT_OS_WINDOWS */
|
---|
[11725] | 764 | }
|
---|
| 765 |
|
---|
| 766 | return rc;
|
---|
| 767 | }
|
---|
| 768 |
|
---|
| 769 |
|
---|
| 770 | /**
|
---|
| 771 | * Verifies that the specified table entry matches the given filename.
|
---|
| 772 | *
|
---|
| 773 | * @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
|
---|
| 774 | * error is returned or we terminate the application.
|
---|
| 775 | *
|
---|
| 776 | * @param iFile The file table index.
|
---|
| 777 | * @param pszFilename The filename.
|
---|
| 778 | * @param fFatal Whether validation failures should be treated as
|
---|
| 779 | * fatal (true) or not (false).
|
---|
| 780 | */
|
---|
| 781 | static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
|
---|
| 782 | {
|
---|
| 783 | PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
|
---|
| 784 |
|
---|
| 785 | /*
|
---|
| 786 | * Construct the full path for the file table entry
|
---|
| 787 | * and compare it with the specified file.
|
---|
| 788 | */
|
---|
| 789 | char szName[RTPATH_MAX];
|
---|
| 790 | int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
|
---|
| 791 | if (RT_FAILURE(rc))
|
---|
| 792 | return rc;
|
---|
[51770] | 793 | if (SUP_COMP_FILENAME(szName, pszFilename))
|
---|
[11725] | 794 | {
|
---|
| 795 | /*
|
---|
| 796 | * Normalize the two paths and compare again.
|
---|
| 797 | */
|
---|
| 798 | rc = VERR_NOT_SAME_DEVICE;
|
---|
| 799 | #if defined(RT_OS_WINDOWS)
|
---|
| 800 | LPSTR pszIgnored;
|
---|
[52163] | 801 | char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
|
---|
[11725] | 802 | if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
|
---|
| 803 | && GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
|
---|
[51770] | 804 | if (!SUP_COMP_FILENAME(szName2, szName))
|
---|
[11725] | 805 | rc = VINF_SUCCESS;
|
---|
| 806 | #else
|
---|
| 807 | AssertCompile(RTPATH_MAX >= PATH_MAX);
|
---|
| 808 | char szName2[RTPATH_MAX];
|
---|
| 809 | if ( realpath(szName, szName2) != NULL
|
---|
| 810 | && realpath(pszFilename, szName) != NULL)
|
---|
[51770] | 811 | if (!SUP_COMP_FILENAME(szName2, szName))
|
---|
[11725] | 812 | rc = VINF_SUCCESS;
|
---|
| 813 | #endif
|
---|
| 814 |
|
---|
| 815 | if (RT_FAILURE(rc))
|
---|
| 816 | {
|
---|
| 817 | supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
|
---|
| 818 | return supR3HardenedError(rc, fFatal,
|
---|
| 819 | "supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
|
---|
| 820 | pszFilename, szName);
|
---|
| 821 | }
|
---|
| 822 | }
|
---|
| 823 |
|
---|
| 824 | /*
|
---|
| 825 | * Check more stuff like the stat info if it's an already open file?
|
---|
| 826 | */
|
---|
| 827 |
|
---|
| 828 |
|
---|
| 829 |
|
---|
| 830 | return VINF_SUCCESS;
|
---|
| 831 | }
|
---|
| 832 |
|
---|
| 833 |
|
---|
| 834 | /**
|
---|
| 835 | * Verifies a file.
|
---|
| 836 | *
|
---|
| 837 | * @returns VINF_SUCCESS on success.
|
---|
| 838 | * VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
|
---|
[33540] | 839 | * On verification failure, an error code will be returned when fFatal is clear,
|
---|
| 840 | * otherwise the program will be terminated.
|
---|
[11725] | 841 | *
|
---|
| 842 | * @param pszFilename The filename.
|
---|
| 843 | * @param fFatal Whether validation failures should be treated as
|
---|
| 844 | * fatal (true) or not (false).
|
---|
| 845 | */
|
---|
[33701] | 846 | DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
|
---|
[11725] | 847 | {
|
---|
| 848 | /*
|
---|
| 849 | * Lookup the file and check if it's the same file.
|
---|
| 850 | */
|
---|
| 851 | const char *pszName = supR3HardenedPathFilename(pszFilename);
|
---|
| 852 | for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
|
---|
[51770] | 853 | if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
|
---|
[11725] | 854 | {
|
---|
| 855 | int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
|
---|
| 856 | if (RT_SUCCESS(rc))
|
---|
[52083] | 857 | rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen */, false /* fVerifyAll */);
|
---|
[11725] | 858 | return rc;
|
---|
| 859 | }
|
---|
| 860 |
|
---|
| 861 | return VERR_NOT_FOUND;
|
---|
| 862 | }
|
---|
| 863 |
|
---|
| 864 |
|
---|
| 865 | /**
|
---|
| 866 | * Verifies a program, worker for supR3HardenedVerifyAll.
|
---|
| 867 | *
|
---|
| 868 | * @returns See supR3HardenedVerifyAll.
|
---|
| 869 | * @param pszProgName See supR3HardenedVerifyAll.
|
---|
[56733] | 870 | * @param pszExePath The path to the executable.
|
---|
[11725] | 871 | * @param fFatal See supR3HardenedVerifyAll.
|
---|
[52083] | 872 | * @param fLeaveOpen The leave open setting used by
|
---|
| 873 | * supR3HardenedVerifyAll.
|
---|
[56817] | 874 | * @param fMainFlags Flags supplied to SUPR3HardenedMain.
|
---|
[11725] | 875 | */
|
---|
[56817] | 876 | static int supR3HardenedVerifyProgram(const char *pszProgName, const char *pszExePath, bool fFatal,
|
---|
| 877 | bool fLeaveOpen, uint32_t fMainFlags)
|
---|
[11725] | 878 | {
|
---|
| 879 | /*
|
---|
| 880 | * Search the table looking for the executable and the DLL/DYLIB/SO.
|
---|
[56817] | 881 | * Note! On darwin we have a hack in place for VirtualBoxVM helper app
|
---|
| 882 | * to share VirtualBox.dylib with the VirtualBox app. This ASSUMES
|
---|
| 883 | * that cchProgNameDll is equal or shorter to the exe name.
|
---|
[11725] | 884 | */
|
---|
| 885 | int rc = VINF_SUCCESS;
|
---|
| 886 | bool fExe = false;
|
---|
| 887 | bool fDll = false;
|
---|
[56817] | 888 | size_t const cchProgNameExe = suplibHardenedStrLen(pszProgName);
|
---|
| 889 | #ifndef RT_OS_DARWIN
|
---|
| 890 | size_t const cchProgNameDll = cchProgNameExe;
|
---|
[62675] | 891 | NOREF(fMainFlags);
|
---|
[56817] | 892 | #else
|
---|
| 893 | size_t const cchProgNameDll = fMainFlags & SUPSECMAIN_FLAGS_OSX_VM_APP
|
---|
| 894 | ? sizeof("VirtualBox") - 1
|
---|
| 895 | : cchProgNameExe;
|
---|
| 896 | if (cchProgNameDll > cchProgNameExe)
|
---|
| 897 | return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
| 898 | "supR3HardenedVerifyProgram: SUPSECMAIN_FLAGS_OSX_VM_APP + '%s'", pszProgName);
|
---|
| 899 | #endif
|
---|
[11725] | 900 | for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
|
---|
[56817] | 901 | if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameDll))
|
---|
[11725] | 902 | {
|
---|
[56817] | 903 | if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
|
---|
| 904 | || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
|
---|
| 905 | && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameDll], SUPLIB_DLL_SUFF))
|
---|
[11725] | 906 | {
|
---|
| 907 | /* This only has to be found (once). */
|
---|
| 908 | if (fDll)
|
---|
| 909 | rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
| 910 | "supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
|
---|
[52083] | 911 | else
|
---|
[52417] | 912 | rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
|
---|
| 913 | true /* fVerifyAll - check sign later, only final process need check it on load. */);
|
---|
[11725] | 914 | fDll = true;
|
---|
| 915 | }
|
---|
[51909] | 916 | else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
|
---|
| 917 | || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
|
---|
[56817] | 918 | && ( cchProgNameExe == cchProgNameDll
|
---|
| 919 | || !suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameExe))
|
---|
| 920 | && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameExe], SUPLIB_EXE_SUFF))
|
---|
[11725] | 921 | {
|
---|
| 922 | /* Here we'll have to check that the specific program is the same as the entry. */
|
---|
| 923 | if (fExe)
|
---|
| 924 | rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
|
---|
| 925 | "supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
|
---|
[52083] | 926 | else
|
---|
| 927 | rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
|
---|
[11725] | 928 | fExe = true;
|
---|
| 929 |
|
---|
[56733] | 930 | supR3HardenedVerifySameFile(iFile, pszExePath, fFatal);
|
---|
[11725] | 931 | }
|
---|
| 932 | }
|
---|
| 933 |
|
---|
| 934 | /*
|
---|
| 935 | * Check the findings.
|
---|
| 936 | */
|
---|
[52083] | 937 | if (RT_SUCCESS(rc))
|
---|
| 938 | {
|
---|
| 939 | if (!fDll && !fExe)
|
---|
| 940 | rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
|
---|
| 941 | "supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
|
---|
| 942 | else if (!fExe)
|
---|
| 943 | rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
|
---|
| 944 | "supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
|
---|
| 945 | else if (!fDll)
|
---|
| 946 | rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
|
---|
| 947 | "supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
|
---|
| 948 | }
|
---|
[11725] | 949 | return rc;
|
---|
| 950 | }
|
---|
| 951 |
|
---|
| 952 |
|
---|
| 953 | /**
|
---|
[52083] | 954 | * Verifies all the known files (called from SUPR3HardenedMain).
|
---|
[11725] | 955 | *
|
---|
| 956 | * @returns VINF_SUCCESS on success.
|
---|
[33540] | 957 | * On verification failure, an error code will be returned when fFatal is clear,
|
---|
| 958 | * otherwise the program will be terminated.
|
---|
[11725] | 959 | *
|
---|
| 960 | * @param fFatal Whether validation failures should be treated as
|
---|
| 961 | * fatal (true) or not (false).
|
---|
[52083] | 962 | * @param pszProgName The program name. This is used to verify that
|
---|
| 963 | * both the executable and corresponding
|
---|
[11725] | 964 | * DLL/DYLIB/SO are valid.
|
---|
[56733] | 965 | * @param pszExePath The path to the executable.
|
---|
[56817] | 966 | * @param fMainFlags Flags supplied to SUPR3HardenedMain.
|
---|
[11725] | 967 | */
|
---|
[56817] | 968 | DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char *pszProgName, const char *pszExePath, uint32_t fMainFlags)
|
---|
[11725] | 969 | {
|
---|
| 970 | /*
|
---|
[52083] | 971 | * On windows
|
---|
| 972 | */
|
---|
| 973 | #if defined(RT_OS_WINDOWS)
|
---|
| 974 | bool fLeaveOpen = true;
|
---|
| 975 | #else
|
---|
| 976 | bool fLeaveOpen = false;
|
---|
| 977 | #endif
|
---|
| 978 |
|
---|
| 979 | /*
|
---|
[11725] | 980 | * The verify all the files.
|
---|
| 981 | */
|
---|
| 982 | int rc = VINF_SUCCESS;
|
---|
| 983 | for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
|
---|
| 984 | {
|
---|
[52083] | 985 | int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
|
---|
[11725] | 986 | if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
|
---|
| 987 | rc = rc2;
|
---|
| 988 | }
|
---|
| 989 |
|
---|
| 990 | /*
|
---|
[52083] | 991 | * Verify the program name, that is to say, check that it's in the table
|
---|
| 992 | * (thus verified above) and verify the signature on platforms where we
|
---|
| 993 | * sign things.
|
---|
[11725] | 994 | */
|
---|
[56817] | 995 | int rc2 = supR3HardenedVerifyProgram(pszProgName, pszExePath, fFatal, fLeaveOpen, fMainFlags);
|
---|
[52083] | 996 | if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
|
---|
| 997 | rc2 = rc;
|
---|
[11725] | 998 |
|
---|
| 999 | return rc;
|
---|
| 1000 | }
|
---|
| 1001 |
|
---|
| 1002 |
|
---|
[33738] | 1003 | /**
|
---|
| 1004 | * Copies the N messages into the error buffer and returns @a rc.
|
---|
| 1005 | *
|
---|
| 1006 | * @returns Returns @a rc
|
---|
| 1007 | * @param rc The return code.
|
---|
[35188] | 1008 | * @param pErrInfo The error info structure.
|
---|
[33738] | 1009 | * @param cMsgs The number of messages in the ellipsis.
|
---|
| 1010 | * @param ... Message parts.
|
---|
| 1011 | */
|
---|
[35188] | 1012 | static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
|
---|
[33738] | 1013 | {
|
---|
[35188] | 1014 | if (pErrInfo)
|
---|
[33738] | 1015 | {
|
---|
[35188] | 1016 | size_t cbErr = pErrInfo->cbMsg;
|
---|
| 1017 | char *pszErr = pErrInfo->pszMsg;
|
---|
| 1018 |
|
---|
| 1019 | va_list va;
|
---|
| 1020 | va_start(va, cMsgs);
|
---|
| 1021 | while (cMsgs-- > 0 && cbErr > 0)
|
---|
| 1022 | {
|
---|
| 1023 | const char *pszMsg = va_arg(va, const char *);
|
---|
[49211] | 1024 | size_t cchMsg = VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
|
---|
[35188] | 1025 | if (cchMsg >= cbErr)
|
---|
| 1026 | cchMsg = cbErr - 1;
|
---|
[49211] | 1027 | suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
|
---|
[35188] | 1028 | pszErr[cchMsg] = '\0';
|
---|
| 1029 | pszErr += cchMsg;
|
---|
| 1030 | cbErr -= cchMsg;
|
---|
| 1031 | }
|
---|
| 1032 | va_end(va);
|
---|
| 1033 |
|
---|
| 1034 | pErrInfo->rc = rc;
|
---|
| 1035 | pErrInfo->fFlags |= RTERRINFO_FLAGS_SET;
|
---|
[33738] | 1036 | }
|
---|
[33701] | 1037 |
|
---|
[33738] | 1038 | return rc;
|
---|
| 1039 | }
|
---|
| 1040 |
|
---|
[66632] | 1041 |
|
---|
| 1042 | #if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
|
---|
[66526] | 1043 | /**
|
---|
| 1044 | * Copies the four messages into the error buffer and returns @a rc.
|
---|
| 1045 | *
|
---|
| 1046 | * @returns Returns @a rc
|
---|
| 1047 | * @param rc The return code.
|
---|
| 1048 | * @param pErrInfo The error info structure.
|
---|
| 1049 | * @param pszMsg1 The first message part.
|
---|
| 1050 | * @param pszMsg2 The second message part.
|
---|
| 1051 | * @param pszMsg3 The third message part.
|
---|
| 1052 | * @param pszMsg4 The fourth message part.
|
---|
| 1053 | */
|
---|
| 1054 | static int supR3HardenedSetError4(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
|
---|
| 1055 | const char *pszMsg2, const char *pszMsg3, const char *pszMsg4)
|
---|
| 1056 | {
|
---|
| 1057 | return supR3HardenedSetErrorN(rc, pErrInfo, 4, pszMsg1, pszMsg2, pszMsg3, pszMsg4);
|
---|
| 1058 | }
|
---|
[66632] | 1059 | #endif
|
---|
[33738] | 1060 |
|
---|
[66526] | 1061 |
|
---|
[11725] | 1062 | /**
|
---|
[33738] | 1063 | * Copies the three messages into the error buffer and returns @a rc.
|
---|
| 1064 | *
|
---|
| 1065 | * @returns Returns @a rc
|
---|
| 1066 | * @param rc The return code.
|
---|
[35188] | 1067 | * @param pErrInfo The error info structure.
|
---|
[33738] | 1068 | * @param pszMsg1 The first message part.
|
---|
| 1069 | * @param pszMsg2 The second message part.
|
---|
| 1070 | * @param pszMsg3 The third message part.
|
---|
| 1071 | */
|
---|
[35188] | 1072 | static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
|
---|
[33738] | 1073 | const char *pszMsg2, const char *pszMsg3)
|
---|
| 1074 | {
|
---|
[35188] | 1075 | return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
|
---|
[33738] | 1076 | }
|
---|
| 1077 |
|
---|
[66632] | 1078 |
|
---|
[39091] | 1079 | #ifdef SOME_UNUSED_FUNCTION
|
---|
[33738] | 1080 | /**
|
---|
| 1081 | * Copies the two messages into the error buffer and returns @a rc.
|
---|
| 1082 | *
|
---|
| 1083 | * @returns Returns @a rc
|
---|
| 1084 | * @param rc The return code.
|
---|
[35188] | 1085 | * @param pErrInfo The error info structure.
|
---|
[33738] | 1086 | * @param pszMsg1 The first message part.
|
---|
| 1087 | * @param pszMsg2 The second message part.
|
---|
| 1088 | */
|
---|
[35188] | 1089 | static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
|
---|
[33738] | 1090 | const char *pszMsg2)
|
---|
| 1091 | {
|
---|
[35188] | 1092 | return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
|
---|
[33738] | 1093 | }
|
---|
[66632] | 1094 | #endif
|
---|
[33738] | 1095 |
|
---|
| 1096 |
|
---|
[66842] | 1097 | #ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
|
---|
| 1098 | # if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
|
---|
[33738] | 1099 | /**
|
---|
[33701] | 1100 | * Copies the error message to the error buffer and returns @a rc.
|
---|
| 1101 | *
|
---|
| 1102 | * @returns Returns @a rc
|
---|
| 1103 | * @param rc The return code.
|
---|
[35188] | 1104 | * @param pErrInfo The error info structure.
|
---|
[33701] | 1105 | * @param pszMsg The message.
|
---|
| 1106 | */
|
---|
[35188] | 1107 | static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
|
---|
[33701] | 1108 | {
|
---|
[35188] | 1109 | return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
|
---|
[33701] | 1110 | }
|
---|
[66842] | 1111 | # endif
|
---|
[66526] | 1112 | #endif
|
---|
[33701] | 1113 |
|
---|
[66526] | 1114 |
|
---|
[33701] | 1115 | /**
|
---|
[33738] | 1116 | * Output from a successfull supR3HardenedVerifyPathSanity call.
|
---|
| 1117 | */
|
---|
| 1118 | typedef struct SUPR3HARDENEDPATHINFO
|
---|
| 1119 | {
|
---|
| 1120 | /** The length of the path in szCopy. */
|
---|
| 1121 | uint16_t cch;
|
---|
| 1122 | /** The number of path components. */
|
---|
| 1123 | uint16_t cComponents;
|
---|
| 1124 | /** Set if the path ends with slash, indicating that it's a directory
|
---|
| 1125 | * reference and not a file reference. The slash has been removed from
|
---|
| 1126 | * the copy. */
|
---|
| 1127 | bool fDirSlash;
|
---|
| 1128 | /** The offset where each path component starts, i.e. the char after the
|
---|
| 1129 | * slash. The array has cComponents + 1 entries, where the final one is
|
---|
| 1130 | * cch + 1 so that one can always terminate the current component by
|
---|
| 1131 | * szPath[aoffComponent[i] - 1] = '\0'. */
|
---|
| 1132 | uint16_t aoffComponents[32+1];
|
---|
| 1133 | /** A normalized copy of the path.
|
---|
| 1134 | * Reserve some extra space so we can be more relaxed about overflow
|
---|
| 1135 | * checks and terminator paddings, especially when recursing. */
|
---|
| 1136 | char szPath[SUPR3HARDENED_MAX_PATH * 2];
|
---|
| 1137 | } SUPR3HARDENEDPATHINFO;
|
---|
| 1138 | /** Pointer to a parsed path. */
|
---|
| 1139 | typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
|
---|
| 1140 |
|
---|
| 1141 |
|
---|
| 1142 | /**
|
---|
| 1143 | * Verifies that the path is absolutely sane, it also parses the path.
|
---|
[33701] | 1144 | *
|
---|
| 1145 | * A sane path starts at the root (w/ drive letter on DOS derived systems) and
|
---|
| 1146 | * does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
|
---|
[33738] | 1147 | * Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
|
---|
| 1148 | * paths are not supported.
|
---|
[33701] | 1149 | *
|
---|
| 1150 | * @returns VBox status code.
|
---|
| 1151 | * @param pszPath The path to check.
|
---|
[35188] | 1152 | * @param pErrInfo The error info structure.
|
---|
[33738] | 1153 | * @param pInfo Where to return a copy of the path along with
|
---|
| 1154 | * parsing information.
|
---|
[33701] | 1155 | */
|
---|
[35188] | 1156 | static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
|
---|
[33701] | 1157 | {
|
---|
[33738] | 1158 | const char *pszSrc = pszPath;
|
---|
| 1159 | char *pszDst = pInfo->szPath;
|
---|
[33701] | 1160 |
|
---|
| 1161 | /*
|
---|
[33738] | 1162 | * Check that it's an absolute path and copy the volume/root specifier.
|
---|
[33701] | 1163 | */
|
---|
| 1164 | #if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
|
---|
[51770] | 1165 | if ( !RT_C_IS_ALPHA(pszSrc[0])
|
---|
[33738] | 1166 | || pszSrc[1] != ':'
|
---|
| 1167 | || !RTPATH_IS_SLASH(pszSrc[2]))
|
---|
[35188] | 1168 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
|
---|
[33738] | 1169 |
|
---|
| 1170 | *pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
|
---|
| 1171 | *pszDst++ = ':';
|
---|
| 1172 | *pszDst++ = RTPATH_SLASH;
|
---|
| 1173 | pszSrc += 3;
|
---|
| 1174 |
|
---|
[33701] | 1175 | #else
|
---|
[33738] | 1176 | if (!RTPATH_IS_SLASH(pszSrc[0]))
|
---|
[35188] | 1177 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
|
---|
[33738] | 1178 |
|
---|
| 1179 | *pszDst++ = RTPATH_SLASH;
|
---|
| 1180 | pszSrc += 1;
|
---|
[33701] | 1181 | #endif
|
---|
| 1182 |
|
---|
| 1183 | /*
|
---|
[33738] | 1184 | * No path specifying the root or something very shortly thereafter will
|
---|
| 1185 | * be approved of.
|
---|
| 1186 | */
|
---|
| 1187 | if (pszSrc[0] == '\0')
|
---|
[35188] | 1188 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
|
---|
[33738] | 1189 | if ( pszSrc[1] == '\0'
|
---|
| 1190 | || pszSrc[2] == '\0')
|
---|
[35188] | 1191 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
|
---|
[33738] | 1192 |
|
---|
| 1193 | /*
|
---|
[66608] | 1194 | * The root slash should be alone to avoid UNC confusion.
|
---|
[33701] | 1195 | */
|
---|
[66608] | 1196 | if (RTPATH_IS_SLASH(pszSrc[0]))
|
---|
| 1197 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
|
---|
| 1198 | "The path is not clean of leading double slashes: '", pszPath, "'");
|
---|
| 1199 | /*
|
---|
| 1200 | * Check each component. No parent references.
|
---|
| 1201 | */
|
---|
[33859] | 1202 | pInfo->cComponents = 0;
|
---|
| 1203 | pInfo->fDirSlash = false;
|
---|
[33738] | 1204 | while (pszSrc[0])
|
---|
[33701] | 1205 | {
|
---|
[33738] | 1206 | /* Sanity checks. */
|
---|
| 1207 | if ( pszSrc[0] == '.'
|
---|
| 1208 | && pszSrc[1] == '.'
|
---|
| 1209 | && RTPATH_IS_SLASH(pszSrc[2]))
|
---|
[35188] | 1210 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
|
---|
[33738] | 1211 | "The path is not absolute: '", pszPath, "'");
|
---|
| 1212 |
|
---|
| 1213 | /* Record the start of the component. */
|
---|
| 1214 | if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
|
---|
[35188] | 1215 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
|
---|
[33738] | 1216 | "The path has too many components: '", pszPath, "'");
|
---|
| 1217 | pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
|
---|
| 1218 |
|
---|
| 1219 | /* Traverse to the end of the component, copying it as we go along. */
|
---|
| 1220 | while (pszSrc[0])
|
---|
[33701] | 1221 | {
|
---|
[33738] | 1222 | if (RTPATH_IS_SLASH(pszSrc[0]))
|
---|
[33701] | 1223 | {
|
---|
[33738] | 1224 | pszSrc++;
|
---|
| 1225 | if (*pszSrc)
|
---|
| 1226 | *pszDst++ = RTPATH_SLASH;
|
---|
| 1227 | else
|
---|
| 1228 | pInfo->fDirSlash = true;
|
---|
[33701] | 1229 | break;
|
---|
| 1230 | }
|
---|
[33738] | 1231 | *pszDst++ = *pszSrc++;
|
---|
[33832] | 1232 | if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
|
---|
[35188] | 1233 | return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
|
---|
[33738] | 1234 | "The path is too long: '", pszPath, "'");
|
---|
[33701] | 1235 | }
|
---|
[66608] | 1236 |
|
---|
| 1237 | /* Skip double slashes. */
|
---|
| 1238 | while (RTPATH_IS_SLASH(*pszSrc))
|
---|
| 1239 | pszSrc++;
|
---|
[33701] | 1240 | }
|
---|
| 1241 |
|
---|
[33738] | 1242 | /* Terminate the string and enter its length. */
|
---|
| 1243 | pszDst[0] = '\0';
|
---|
| 1244 | pszDst[1] = '\0'; /* for aoffComponents */
|
---|
| 1245 | pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
|
---|
| 1246 | pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
|
---|
| 1247 |
|
---|
| 1248 | return VINF_SUCCESS;
|
---|
| 1249 | }
|
---|
| 1250 |
|
---|
| 1251 |
|
---|
| 1252 | /**
|
---|
| 1253 | * The state information collected by supR3HardenedVerifyFsObject.
|
---|
| 1254 | *
|
---|
| 1255 | * This can be used to verify that a directory we've opened for enumeration is
|
---|
| 1256 | * the same as the one that supR3HardenedVerifyFsObject just verified. It can
|
---|
| 1257 | * equally be used to verify a native specfied by the user.
|
---|
| 1258 | */
|
---|
| 1259 | typedef struct SUPR3HARDENEDFSOBJSTATE
|
---|
| 1260 | {
|
---|
| 1261 | #ifdef RT_OS_WINDOWS
|
---|
| 1262 | /** Not implemented for windows yet. */
|
---|
| 1263 | char chTodo;
|
---|
| 1264 | #else
|
---|
| 1265 | /** The stat output. */
|
---|
| 1266 | struct stat Stat;
|
---|
| 1267 | #endif
|
---|
| 1268 | } SUPR3HARDENEDFSOBJSTATE;
|
---|
| 1269 | /** Pointer to a file system object state. */
|
---|
| 1270 | typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
|
---|
| 1271 | /** Pointer to a const file system object state. */
|
---|
| 1272 | typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
|
---|
| 1273 |
|
---|
| 1274 |
|
---|
| 1275 | /**
|
---|
| 1276 | * Query information about a file system object by path.
|
---|
| 1277 | *
|
---|
| 1278 | * @returns VBox status code, error buffer filled on failure.
|
---|
| 1279 | * @param pszPath The path to the object.
|
---|
| 1280 | * @param pFsObjState Where to return the state information.
|
---|
[35188] | 1281 | * @param pErrInfo The error info structure.
|
---|
[33738] | 1282 | */
|
---|
[35188] | 1283 | static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
|
---|
[33738] | 1284 | {
|
---|
| 1285 | #if defined(RT_OS_WINDOWS)
|
---|
| 1286 | /** @todo Windows hardening. */
|
---|
| 1287 | pFsObjState->chTodo = 0;
|
---|
[62675] | 1288 | RT_NOREF2(pszPath, pErrInfo);
|
---|
[33738] | 1289 | return VINF_SUCCESS;
|
---|
| 1290 |
|
---|
| 1291 | #else
|
---|
[33701] | 1292 | /*
|
---|
[33738] | 1293 | * Stat the object, do not follow links.
|
---|
[33701] | 1294 | */
|
---|
[33738] | 1295 | if (lstat(pszPath, &pFsObjState->Stat) != 0)
|
---|
| 1296 | {
|
---|
| 1297 | /* Ignore access errors */
|
---|
| 1298 | if (errno != EACCES)
|
---|
[35188] | 1299 | return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
|
---|
[33738] | 1300 | 5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
|
---|
| 1301 | }
|
---|
[33701] | 1302 |
|
---|
[33738] | 1303 | /*
|
---|
| 1304 | * Read ACLs.
|
---|
| 1305 | */
|
---|
| 1306 | /** @todo */
|
---|
| 1307 |
|
---|
[33701] | 1308 | return VINF_SUCCESS;
|
---|
[33738] | 1309 | #endif
|
---|
[33701] | 1310 | }
|
---|
| 1311 |
|
---|
| 1312 |
|
---|
| 1313 | /**
|
---|
[33738] | 1314 | * Query information about a file system object by native handle.
|
---|
[33701] | 1315 | *
|
---|
| 1316 | * @returns VBox status code, error buffer filled on failure.
|
---|
[33738] | 1317 | * @param hNative The native handle to the object @a pszPath
|
---|
| 1318 | * specifies and this should be verified to be the
|
---|
| 1319 | * same file system object.
|
---|
| 1320 | * @param pFsObjState Where to return the state information.
|
---|
| 1321 | * @param pszPath The path to the object. (For the error message
|
---|
| 1322 | * only.)
|
---|
[35188] | 1323 | * @param pErrInfo The error info structure.
|
---|
[33738] | 1324 | */
|
---|
| 1325 | static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
|
---|
[35188] | 1326 | char const *pszPath, PRTERRINFO pErrInfo)
|
---|
[33738] | 1327 | {
|
---|
| 1328 | #if defined(RT_OS_WINDOWS)
|
---|
| 1329 | /** @todo Windows hardening. */
|
---|
| 1330 | pFsObjState->chTodo = 0;
|
---|
[62675] | 1331 | RT_NOREF3(hNative, pszPath, pErrInfo);
|
---|
[33738] | 1332 | return VINF_SUCCESS;
|
---|
| 1333 |
|
---|
| 1334 | #else
|
---|
| 1335 | /*
|
---|
| 1336 | * Stat the object, do not follow links.
|
---|
| 1337 | */
|
---|
| 1338 | if (fstat((int)hNative, &pFsObjState->Stat) != 0)
|
---|
[35188] | 1339 | return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
|
---|
[33738] | 1340 | 5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
|
---|
| 1341 |
|
---|
| 1342 | /*
|
---|
| 1343 | * Read ACLs.
|
---|
| 1344 | */
|
---|
| 1345 | /** @todo */
|
---|
| 1346 |
|
---|
| 1347 | return VINF_SUCCESS;
|
---|
| 1348 | #endif
|
---|
| 1349 | }
|
---|
| 1350 |
|
---|
| 1351 |
|
---|
| 1352 | /**
|
---|
| 1353 | * Verifies that the file system object indicated by the native handle is the
|
---|
| 1354 | * same as the one @a pFsObjState indicates.
|
---|
| 1355 | *
|
---|
| 1356 | * @returns VBox status code, error buffer filled on failure.
|
---|
| 1357 | * @param pFsObjState1 File system object information/state by path.
|
---|
| 1358 | * @param pFsObjState2 File system object information/state by handle.
|
---|
| 1359 | * @param pszPath The path to the object @a pFsObjState
|
---|
| 1360 | * describes. (For the error message.)
|
---|
[35188] | 1361 | * @param pErrInfo The error info structure.
|
---|
[33738] | 1362 | */
|
---|
| 1363 | static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
|
---|
[35188] | 1364 | const char *pszPath, PRTERRINFO pErrInfo)
|
---|
[33738] | 1365 | {
|
---|
| 1366 | #if defined(RT_OS_WINDOWS)
|
---|
| 1367 | /** @todo Windows hardening. */
|
---|
[62675] | 1368 | RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
|
---|
[33738] | 1369 | return VINF_SUCCESS;
|
---|
| 1370 |
|
---|
| 1371 | #elif defined(RT_OS_OS2)
|
---|
[62675] | 1372 | RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
|
---|
[33738] | 1373 | return VINF_SUCCESS;
|
---|
| 1374 |
|
---|
| 1375 | #else
|
---|
| 1376 | /*
|
---|
| 1377 | * Compare the ino+dev, then the uid+gid and finally the important mode
|
---|
| 1378 | * bits. Technically the first one should be enough, but we're paranoid.
|
---|
| 1379 | */
|
---|
| 1380 | if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
|
---|
| 1381 | || pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
|
---|
[35188] | 1382 | return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
|
---|
[33738] | 1383 | "The native handle is not the same as '", pszPath, "' (ino/dev)");
|
---|
| 1384 | if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
|
---|
| 1385 | || pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
|
---|
[35188] | 1386 | return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
|
---|
[33738] | 1387 | "The native handle is not the same as '", pszPath, "' (uid/gid)");
|
---|
| 1388 | if ( (pFsObjState1->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH))
|
---|
| 1389 | != (pFsObjState2->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH)))
|
---|
[35188] | 1390 | return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
|
---|
[33738] | 1391 | "The native handle is not the same as '", pszPath, "' (mode)");
|
---|
| 1392 | return VINF_SUCCESS;
|
---|
| 1393 | #endif
|
---|
| 1394 | }
|
---|
| 1395 |
|
---|
| 1396 |
|
---|
| 1397 | /**
|
---|
| 1398 | * Verifies a file system object (file or directory).
|
---|
| 1399 | *
|
---|
| 1400 | * @returns VBox status code, error buffer filled on failure.
|
---|
| 1401 | * @param pFsObjState The file system object information/state to be
|
---|
| 1402 | * verified.
|
---|
[33701] | 1403 | * @param fDir Whether this is a directory or a file.
|
---|
[33738] | 1404 | * @param fRelaxed Whether we can be more relaxed about this
|
---|
| 1405 | * directory (only used for grand parent
|
---|
| 1406 | * directories).
|
---|
[66526] | 1407 | * @param fSymlinksAllowed Flag whether symlinks are allowed or not.
|
---|
| 1408 | * If allowed the symlink object is verified not the target.
|
---|
[39133] | 1409 | * @param pszPath The path to the object. For error messages and
|
---|
| 1410 | * securing a couple of hacks.
|
---|
[35188] | 1411 | * @param pErrInfo The error info structure.
|
---|
[33701] | 1412 | */
|
---|
[33738] | 1413 | static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
|
---|
[66526] | 1414 | bool fSymlinksAllowed, const char *pszPath, PRTERRINFO pErrInfo)
|
---|
[33701] | 1415 | {
|
---|
| 1416 | #if defined(RT_OS_WINDOWS)
|
---|
| 1417 | /** @todo Windows hardening. */
|
---|
[66527] | 1418 | RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
|
---|
[33701] | 1419 | return VINF_SUCCESS;
|
---|
| 1420 |
|
---|
| 1421 | #elif defined(RT_OS_OS2)
|
---|
| 1422 | /* No hardening here - it's a single user system. */
|
---|
[66527] | 1423 | RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
|
---|
[33701] | 1424 | return VINF_SUCCESS;
|
---|
| 1425 |
|
---|
| 1426 | #else
|
---|
| 1427 | /*
|
---|
[33738] | 1428 | * The owner must be root.
|
---|
| 1429 | *
|
---|
| 1430 | * This can be extended to include predefined system users if necessary.
|
---|
[33701] | 1431 | */
|
---|
[33738] | 1432 | if (pFsObjState->Stat.st_uid != 0)
|
---|
[35188] | 1433 | return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
|
---|
[33738] | 1434 |
|
---|
| 1435 | /*
|
---|
[66526] | 1436 | * The object type must be directory or file. It can be a symbolic link
|
---|
| 1437 | * if explicitely allowed. Otherwise this and other risky stuff is not allowed
|
---|
| 1438 | * (sorry dude, but we're paranoid on purpose here).
|
---|
[35403] | 1439 | */
|
---|
[66526] | 1440 | if ( !S_ISLNK(pFsObjState->Stat.st_mode)
|
---|
| 1441 | || !fSymlinksAllowed)
|
---|
[35403] | 1442 | {
|
---|
[66526] | 1443 |
|
---|
| 1444 | if ( !S_ISDIR(pFsObjState->Stat.st_mode)
|
---|
| 1445 | && !S_ISREG(pFsObjState->Stat.st_mode))
|
---|
| 1446 | {
|
---|
| 1447 | if (S_ISLNK(pFsObjState->Stat.st_mode))
|
---|
| 1448 | return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
|
---|
| 1449 | "Symlinks are not permitted: '", pszPath, "'");
|
---|
| 1450 | return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
|
---|
| 1451 | "Not regular file or directory: '", pszPath, "'");
|
---|
| 1452 | }
|
---|
| 1453 | if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
|
---|
| 1454 | {
|
---|
| 1455 | if (S_ISDIR(pFsObjState->Stat.st_mode))
|
---|
| 1456 | return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
|
---|
| 1457 | "Expected file but found directory: '", pszPath, "'");
|
---|
| 1458 | return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
|
---|
| 1459 | "Expected directory but found file: '", pszPath, "'");
|
---|
| 1460 | }
|
---|
[35403] | 1461 | }
|
---|
| 1462 |
|
---|
| 1463 | /*
|
---|
[33738] | 1464 | * The group does not matter if it does not have write access, if it has
|
---|
| 1465 | * write access it must be group 0 (root/wheel/whatever).
|
---|
| 1466 | *
|
---|
| 1467 | * This can be extended to include predefined system groups or groups that
|
---|
| 1468 | * only root is member of.
|
---|
| 1469 | */
|
---|
| 1470 | if ( (pFsObjState->Stat.st_mode & S_IWGRP)
|
---|
| 1471 | && pFsObjState->Stat.st_gid != 0)
|
---|
[33701] | 1472 | {
|
---|
[66627] | 1473 | # ifdef RT_OS_DARWIN
|
---|
[33738] | 1474 | /* HACK ALERT: On Darwin /Applications is root:admin with admin having
|
---|
| 1475 | full access. So, to work around we relax the hardening a bit and
|
---|
| 1476 | permit grand parents and beyond to be group writable by admin. */
|
---|
[39133] | 1477 | /** @todo dynamically resolve the admin group? */
|
---|
[49211] | 1478 | bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 80 /*admin*/ || suplibHardenedStrCmp(pszPath, "/Applications");
|
---|
[39091] | 1479 |
|
---|
[66627] | 1480 | # elif defined(RT_OS_FREEBSD)
|
---|
[39133] | 1481 | /* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
|
---|
| 1482 | similar to /Applications on OS X (see above).
|
---|
| 1483 | On FreeBSD root is normally the only member of this group, on
|
---|
| 1484 | PC-BSD the default user is a member. */
|
---|
| 1485 | /** @todo dynamically resolve the operator group? */
|
---|
[49211] | 1486 | bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 5 /*operator*/ || suplibHardenedStrCmp(pszPath, "/usr/pbi");
|
---|
[39091] | 1487 | NOREF(fRelaxed);
|
---|
[66627] | 1488 | # elif defined(RT_OS_SOLARIS)
|
---|
[66554] | 1489 | /* HACK ALERT: Solaris has group-writable /usr/lib/iconv directory from
|
---|
| 1490 | which the appropriate module is loaded.
|
---|
| 1491 | By default only root and daemon are part of that group.
|
---|
| 1492 | . */
|
---|
| 1493 | /** @todo dynamically resolve the bin group? */
|
---|
| 1494 | bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 2 /*bin*/ || suplibHardenedStrCmp(pszPath, "/usr/lib/iconv");
|
---|
[66627] | 1495 | # else
|
---|
[39091] | 1496 | NOREF(fRelaxed);
|
---|
| 1497 | bool fBad = true;
|
---|
[66627] | 1498 | # endif
|
---|
[39091] | 1499 | if (fBad)
|
---|
[35188] | 1500 | return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
|
---|
[52790] | 1501 | "An unknown (and thus untrusted) group has write access to '", pszPath,
|
---|
| 1502 | "' and we therefore cannot trust the directory content or that of any subdirectory");
|
---|
[33701] | 1503 | }
|
---|
| 1504 |
|
---|
[33738] | 1505 | /*
|
---|
| 1506 | * World must not have write access. There is no relaxing this rule.
|
---|
[66632] | 1507 | * Linux exception: Symbolic links are always give permission 0777, there
|
---|
| 1508 | * is no lchmod or lchown APIs. The permissions on parent
|
---|
| 1509 | * directory that contains the symbolic link is what is
|
---|
| 1510 | * decising wrt to modifying it. (Caller is expected not
|
---|
| 1511 | * to allow symbolic links in the first path component.)
|
---|
[33738] | 1512 | */
|
---|
[66632] | 1513 | if ( (pFsObjState->Stat.st_mode & S_IWOTH)
|
---|
| 1514 | # ifdef RT_OS_LINUX
|
---|
| 1515 | && ( !S_ISLNK(pFsObjState->Stat.st_mode)
|
---|
| 1516 | || !fSymlinksAllowed /* paranoia */)
|
---|
| 1517 | # endif
|
---|
| 1518 | )
|
---|
[35188] | 1519 | return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
|
---|
[33738] | 1520 | "World writable: '", pszPath, "'");
|
---|
[33701] | 1521 |
|
---|
[33738] | 1522 | /*
|
---|
| 1523 | * Check the ACLs.
|
---|
| 1524 | */
|
---|
| 1525 | /** @todo */
|
---|
| 1526 |
|
---|
[33701] | 1527 | return VINF_SUCCESS;
|
---|
| 1528 | #endif
|
---|
| 1529 | }
|
---|
| 1530 |
|
---|
| 1531 |
|
---|
| 1532 | /**
|
---|
[33738] | 1533 | * Verifies that the file system object indicated by the native handle is the
|
---|
| 1534 | * same as the one @a pFsObjState indicates.
|
---|
| 1535 | *
|
---|
| 1536 | * @returns VBox status code, error buffer filled on failure.
|
---|
| 1537 | * @param hNative The native handle to the object @a pszPath
|
---|
| 1538 | * specifies and this should be verified to be the
|
---|
| 1539 | * same file system object.
|
---|
| 1540 | * @param pFsObjState The information/state returned by a previous
|
---|
| 1541 | * query call.
|
---|
| 1542 | * @param pszPath The path to the object @a pFsObjState
|
---|
| 1543 | * describes. (For the error message.)
|
---|
[35188] | 1544 | * @param pErrInfo The error info structure.
|
---|
[33738] | 1545 | */
|
---|
| 1546 | static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
|
---|
[35188] | 1547 | const char *pszPath, PRTERRINFO pErrInfo)
|
---|
[33738] | 1548 | {
|
---|
| 1549 | SUPR3HARDENEDFSOBJSTATE FsObjState2;
|
---|
[35188] | 1550 | int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
|
---|
[33738] | 1551 | if (RT_SUCCESS(rc))
|
---|
[35188] | 1552 | rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
|
---|
[33738] | 1553 | return rc;
|
---|
| 1554 | }
|
---|
| 1555 |
|
---|
| 1556 |
|
---|
| 1557 | /**
|
---|
[33701] | 1558 | * Does the recursive directory enumeration.
|
---|
| 1559 | *
|
---|
| 1560 | * @returns VBox status code, error buffer filled on failure.
|
---|
| 1561 | * @param pszDirPath The path buffer containing the subdirectory to
|
---|
| 1562 | * enumerate followed by a slash (this is never
|
---|
| 1563 | * the root slash). The buffer is RTPATH_MAX in
|
---|
| 1564 | * size and anything starting at @a cchDirPath
|
---|
| 1565 | * - 1 and beyond is scratch space.
|
---|
| 1566 | * @param cchDirPath The length of the directory path + slash.
|
---|
[33738] | 1567 | * @param pFsObjState Pointer to the file system object state buffer.
|
---|
| 1568 | * On input this will hold the stats for
|
---|
| 1569 | * the directory @a pszDirPath indicates and will
|
---|
| 1570 | * be used to verified that we're opening the same
|
---|
| 1571 | * thing.
|
---|
[33701] | 1572 | * @param fRecursive Whether to recurse into subdirectories.
|
---|
[35188] | 1573 | * @param pErrInfo The error info structure.
|
---|
[33701] | 1574 | */
|
---|
[33738] | 1575 | static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
|
---|
[35188] | 1576 | bool fRecursive, PRTERRINFO pErrInfo)
|
---|
[33701] | 1577 | {
|
---|
| 1578 | #if defined(RT_OS_WINDOWS)
|
---|
| 1579 | /** @todo Windows hardening. */
|
---|
[62675] | 1580 | RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
|
---|
[33701] | 1581 | return VINF_SUCCESS;
|
---|
| 1582 |
|
---|
| 1583 | #elif defined(RT_OS_OS2)
|
---|
| 1584 | /* No hardening here - it's a single user system. */
|
---|
[62675] | 1585 | RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
|
---|
[33701] | 1586 | return VINF_SUCCESS;
|
---|
| 1587 |
|
---|
| 1588 | #else
|
---|
[33738] | 1589 | /*
|
---|
| 1590 | * Open the directory. Now, we could probably eliminate opendir here
|
---|
| 1591 | * and go down on kernel API level (open + getdents for instance), however
|
---|
| 1592 | * that's not very portable and hopefully not necessary.
|
---|
| 1593 | */
|
---|
[33701] | 1594 | DIR *pDir = opendir(pszDirPath);
|
---|
| 1595 | if (!pDir)
|
---|
| 1596 | {
|
---|
| 1597 | /* Ignore access errors. */
|
---|
| 1598 | if (errno == EACCES)
|
---|
| 1599 | return VINF_SUCCESS;
|
---|
[35188] | 1600 | return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
|
---|
[33738] | 1601 | 5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
|
---|
[33701] | 1602 | }
|
---|
[33738] | 1603 | if (dirfd(pDir) != -1)
|
---|
| 1604 | {
|
---|
[35188] | 1605 | int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
|
---|
[33738] | 1606 | if (RT_FAILURE(rc))
|
---|
| 1607 | {
|
---|
| 1608 | closedir(pDir);
|
---|
| 1609 | return rc;
|
---|
| 1610 | }
|
---|
| 1611 | }
|
---|
[33701] | 1612 |
|
---|
[33738] | 1613 | /*
|
---|
| 1614 | * Enumerate the directory, check all the requested bits.
|
---|
| 1615 | */
|
---|
[33701] | 1616 | int rc = VINF_SUCCESS;
|
---|
| 1617 | for (;;)
|
---|
| 1618 | {
|
---|
[33738] | 1619 | pszDirPath[cchDirPath] = '\0'; /* for error messages. */
|
---|
| 1620 |
|
---|
[33701] | 1621 | struct dirent Entry;
|
---|
| 1622 | struct dirent *pEntry;
|
---|
[63677] | 1623 | #if RT_GNUC_PREREQ(4, 6)
|
---|
| 1624 | # pragma GCC diagnostic push
|
---|
| 1625 | # pragma GCC diagnostic ignored "-Wdeprecated-declarations"
|
---|
| 1626 | #endif
|
---|
[33701] | 1627 | int iErr = readdir_r(pDir, &Entry, &pEntry);
|
---|
[63677] | 1628 | #if RT_GNUC_PREREQ(4, 6)
|
---|
| 1629 | # pragma GCC diagnostic pop
|
---|
| 1630 | #endif
|
---|
[33701] | 1631 | if (iErr)
|
---|
| 1632 | {
|
---|
[35188] | 1633 | rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
|
---|
[33738] | 1634 | 5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
|
---|
[33701] | 1635 | break;
|
---|
| 1636 | }
|
---|
| 1637 | if (!pEntry)
|
---|
| 1638 | break;
|
---|
| 1639 |
|
---|
| 1640 | /*
|
---|
| 1641 | * Check the length and copy it into the path buffer so it can be
|
---|
| 1642 | * stat()'ed.
|
---|
| 1643 | */
|
---|
[49211] | 1644 | size_t cchName = suplibHardenedStrLen(pEntry->d_name);
|
---|
[33738] | 1645 | if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
|
---|
[33701] | 1646 | {
|
---|
[35188] | 1647 | rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
|
---|
[33738] | 1648 | 4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
|
---|
[33701] | 1649 | break;
|
---|
| 1650 | }
|
---|
[49211] | 1651 | suplibHardenedMemCopy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
|
---|
[33701] | 1652 |
|
---|
| 1653 | /*
|
---|
[33738] | 1654 | * Query the information about the entry and verify it.
|
---|
| 1655 | * (We don't bother skipping '.' and '..' at this point, a little bit
|
---|
| 1656 | * of extra checks doesn't hurt and neither requires relaxed handling.)
|
---|
[33701] | 1657 | */
|
---|
[35188] | 1658 | rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
|
---|
[33738] | 1659 | if (RT_SUCCESS(rc))
|
---|
[33701] | 1660 | break;
|
---|
[33738] | 1661 | rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /*fRelaxed*/,
|
---|
[66526] | 1662 | false /*fSymlinksAllowed*/, pszDirPath, pErrInfo);
|
---|
[33738] | 1663 | if (RT_FAILURE(rc))
|
---|
| 1664 | break;
|
---|
[33701] | 1665 |
|
---|
| 1666 | /*
|
---|
[33738] | 1667 | * Recurse into subdirectories if requested.
|
---|
[33701] | 1668 | */
|
---|
| 1669 | if ( fRecursive
|
---|
[33738] | 1670 | && S_ISDIR(pFsObjState->Stat.st_mode)
|
---|
[49211] | 1671 | && suplibHardenedStrCmp(pEntry->d_name, ".")
|
---|
| 1672 | && suplibHardenedStrCmp(pEntry->d_name, ".."))
|
---|
[33701] | 1673 | {
|
---|
| 1674 | pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
|
---|
| 1675 | pszDirPath[cchDirPath + cchName + 1] = '\0';
|
---|
| 1676 |
|
---|
[33738] | 1677 | rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
|
---|
[35188] | 1678 | fRecursive, pErrInfo);
|
---|
[33701] | 1679 | if (RT_FAILURE(rc))
|
---|
| 1680 | break;
|
---|
| 1681 | }
|
---|
| 1682 | }
|
---|
| 1683 |
|
---|
| 1684 | closedir(pDir);
|
---|
| 1685 | return VINF_SUCCESS;
|
---|
| 1686 | #endif
|
---|
| 1687 | }
|
---|
| 1688 |
|
---|
| 1689 |
|
---|
| 1690 | /**
|
---|
| 1691 | * Worker for SUPR3HardenedVerifyDir.
|
---|
| 1692 | *
|
---|
| 1693 | * @returns See SUPR3HardenedVerifyDir.
|
---|
| 1694 | * @param pszDirPath See SUPR3HardenedVerifyDir.
|
---|
| 1695 | * @param fRecursive See SUPR3HardenedVerifyDir.
|
---|
| 1696 | * @param fCheckFiles See SUPR3HardenedVerifyDir.
|
---|
[35188] | 1697 | * @param pErrInfo See SUPR3HardenedVerifyDir.
|
---|
[33701] | 1698 | */
|
---|
[35188] | 1699 | DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
|
---|
[33701] | 1700 | {
|
---|
| 1701 | /*
|
---|
[33738] | 1702 | * Validate the input path and parse it.
|
---|
[33701] | 1703 | */
|
---|
[33738] | 1704 | SUPR3HARDENEDPATHINFO Info;
|
---|
[35188] | 1705 | int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
|
---|
[33701] | 1706 | if (RT_FAILURE(rc))
|
---|
| 1707 | return rc;
|
---|
| 1708 |
|
---|
| 1709 | /*
|
---|
[33738] | 1710 | * Verify each component from the root up.
|
---|
[33701] | 1711 | */
|
---|
[33738] | 1712 | SUPR3HARDENEDFSOBJSTATE FsObjState;
|
---|
| 1713 | uint32_t const cComponents = Info.cComponents;
|
---|
| 1714 | for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
|
---|
[33701] | 1715 | {
|
---|
[33738] | 1716 | bool fRelaxed = iComponent + 2 < cComponents;
|
---|
| 1717 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
|
---|
[35188] | 1718 | rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
|
---|
[33738] | 1719 | if (RT_SUCCESS(rc))
|
---|
[66526] | 1720 | rc = supR3HardenedVerifyFsObject(&FsObjState, true /*fDir*/, fRelaxed,
|
---|
| 1721 | false /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
|
---|
[33701] | 1722 | if (RT_FAILURE(rc))
|
---|
| 1723 | return rc;
|
---|
[34280] | 1724 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
|
---|
[33701] | 1725 | }
|
---|
| 1726 |
|
---|
| 1727 | /*
|
---|
[33738] | 1728 | * Check files and subdirectories if requested.
|
---|
[33701] | 1729 | */
|
---|
| 1730 | if (fCheckFiles || fRecursive)
|
---|
| 1731 | {
|
---|
[33738] | 1732 | Info.szPath[Info.cch] = RTPATH_SLASH;
|
---|
| 1733 | Info.szPath[Info.cch + 1] = '\0';
|
---|
| 1734 | return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
|
---|
[35188] | 1735 | fRecursive, pErrInfo);
|
---|
[33701] | 1736 | }
|
---|
| 1737 |
|
---|
| 1738 | return VINF_SUCCESS;
|
---|
| 1739 | }
|
---|
| 1740 |
|
---|
| 1741 |
|
---|
| 1742 | /**
|
---|
| 1743 | * Verfies a file.
|
---|
| 1744 | *
|
---|
| 1745 | * @returns VBox status code, error buffer filled on failure.
|
---|
| 1746 | * @param pszFilename The file to verify.
|
---|
[33738] | 1747 | * @param hNativeFile Handle to the file, verify that it's the same
|
---|
| 1748 | * as we ended up with when verifying the path.
|
---|
| 1749 | * RTHCUINTPTR_MAX means NIL here.
|
---|
[51770] | 1750 | * @param fMaybe3rdParty Set if the file is could be a supplied by a
|
---|
| 1751 | * third party. Different validation rules may
|
---|
| 1752 | * apply to 3rd party code on some platforms.
|
---|
[35188] | 1753 | * @param pErrInfo Where to return extended error information.
|
---|
| 1754 | * Optional.
|
---|
[33701] | 1755 | */
|
---|
[51770] | 1756 | DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
|
---|
| 1757 | bool fMaybe3rdParty, PRTERRINFO pErrInfo)
|
---|
[33701] | 1758 | {
|
---|
| 1759 | /*
|
---|
[33738] | 1760 | * Validate the input path and parse it.
|
---|
[33701] | 1761 | */
|
---|
[33738] | 1762 | SUPR3HARDENEDPATHINFO Info;
|
---|
[35188] | 1763 | int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
|
---|
[33701] | 1764 | if (RT_FAILURE(rc))
|
---|
| 1765 | return rc;
|
---|
[33738] | 1766 | if (Info.fDirSlash)
|
---|
[35188] | 1767 | return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
|
---|
[33738] | 1768 | "The file path specifies a directory: '", pszFilename, "'");
|
---|
[33701] | 1769 |
|
---|
| 1770 | /*
|
---|
[33738] | 1771 | * Verify each component from the root up.
|
---|
[33701] | 1772 | */
|
---|
[33738] | 1773 | SUPR3HARDENEDFSOBJSTATE FsObjState;
|
---|
| 1774 | uint32_t const cComponents = Info.cComponents;
|
---|
| 1775 | for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
|
---|
[33701] | 1776 | {
|
---|
[33738] | 1777 | bool fFinal = iComponent + 1 == cComponents;
|
---|
| 1778 | bool fRelaxed = iComponent + 2 < cComponents;
|
---|
| 1779 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
|
---|
[35188] | 1780 | rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
|
---|
[33738] | 1781 | if (RT_SUCCESS(rc))
|
---|
[66526] | 1782 | rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed,
|
---|
| 1783 | false /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
|
---|
[33701] | 1784 | if (RT_FAILURE(rc))
|
---|
| 1785 | return rc;
|
---|
[34280] | 1786 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
|
---|
[33701] | 1787 | }
|
---|
| 1788 |
|
---|
[33738] | 1789 | /*
|
---|
[51770] | 1790 | * Verify the file handle against the last component, if specified.
|
---|
[33738] | 1791 | */
|
---|
| 1792 | if (hNativeFile != RTHCUINTPTR_MAX)
|
---|
[51770] | 1793 | {
|
---|
| 1794 | rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
|
---|
| 1795 | if (RT_FAILURE(rc))
|
---|
| 1796 | return rc;
|
---|
| 1797 | }
|
---|
| 1798 |
|
---|
| 1799 | #ifdef RT_OS_WINDOWS
|
---|
| 1800 | /*
|
---|
| 1801 | * The files shall be signed on windows, verify that.
|
---|
| 1802 | */
|
---|
[51912] | 1803 | rc = VINF_SUCCESS;
|
---|
[51770] | 1804 | HANDLE hVerify;
|
---|
[51912] | 1805 | if (hNativeFile == RTHCUINTPTR_MAX)
|
---|
| 1806 | {
|
---|
| 1807 | PRTUTF16 pwszPath;
|
---|
| 1808 | rc = RTStrToUtf16(pszFilename, &pwszPath);
|
---|
| 1809 | if (RT_SUCCESS(rc))
|
---|
| 1810 | {
|
---|
| 1811 | hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
---|
| 1812 | RTUtf16Free(pwszPath);
|
---|
| 1813 | }
|
---|
| 1814 | else
|
---|
[62675] | 1815 | {
|
---|
[51912] | 1816 | rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
|
---|
[62675] | 1817 | hVerify = INVALID_HANDLE_VALUE;
|
---|
| 1818 | }
|
---|
[51912] | 1819 | }
|
---|
[52163] | 1820 | else
|
---|
| 1821 | {
|
---|
| 1822 | NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
|
---|
| 1823 | GENERIC_READ, 0 /*HandleAttributes*/, 0 /*Options*/);
|
---|
| 1824 | if (!NT_SUCCESS(rcNt))
|
---|
| 1825 | hVerify = INVALID_HANDLE_VALUE;
|
---|
| 1826 | }
|
---|
[51770] | 1827 | if (hVerify != INVALID_HANDLE_VALUE)
|
---|
| 1828 | {
|
---|
[51772] | 1829 | # ifdef VBOX_WITH_HARDENING
|
---|
[51770] | 1830 | uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
|
---|
| 1831 | if (!fMaybe3rdParty)
|
---|
| 1832 | fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
|
---|
| 1833 | const char *pszSuffix = RTPathSuffix(pszFilename);
|
---|
| 1834 | if ( pszSuffix
|
---|
| 1835 | && pszSuffix[0] == '.'
|
---|
| 1836 | && ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
|
---|
| 1837 | || RT_C_TO_LOWER(pszSuffix[1]) == 'g')
|
---|
| 1838 | && RT_C_TO_LOWER(pszSuffix[2]) == 'c'
|
---|
| 1839 | && pszSuffix[3] == '\0' )
|
---|
| 1840 | fFlags |= SUPHNTVI_F_RC_IMAGE;
|
---|
[51772] | 1841 | # ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
|
---|
[51770] | 1842 | rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
|
---|
[51772] | 1843 | # endif
|
---|
[62675] | 1844 | # else
|
---|
| 1845 | RT_NOREF1(fMaybe3rdParty);
|
---|
[51770] | 1846 | # endif
|
---|
[52940] | 1847 | NtClose(hVerify);
|
---|
[51770] | 1848 | }
|
---|
[51912] | 1849 | else if (RT_SUCCESS(rc))
|
---|
[52940] | 1850 | rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
|
---|
| 1851 | "Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
|
---|
[51770] | 1852 | if (RT_FAILURE(rc))
|
---|
| 1853 | return rc;
|
---|
[62675] | 1854 | #else
|
---|
| 1855 | RT_NOREF1(fMaybe3rdParty);
|
---|
[51770] | 1856 | #endif
|
---|
| 1857 |
|
---|
[33701] | 1858 | return VINF_SUCCESS;
|
---|
| 1859 | }
|
---|
| 1860 |
|
---|
| 1861 |
|
---|
[66632] | 1862 | #if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
|
---|
[33701] | 1863 | /**
|
---|
[66526] | 1864 | * Verfies a file following symlinks.
|
---|
| 1865 | *
|
---|
| 1866 | * @returns VBox status code, error buffer filled on failure.
|
---|
| 1867 | * @param pszFilename The file to verify.
|
---|
| 1868 | * @param hNativeFile Handle to the file, verify that it's the same
|
---|
| 1869 | * as we ended up with when verifying the path.
|
---|
| 1870 | * RTHCUINTPTR_MAX means NIL here.
|
---|
| 1871 | * @param fMaybe3rdParty Set if the file is could be a supplied by a
|
---|
| 1872 | * third party. Different validation rules may
|
---|
| 1873 | * apply to 3rd party code on some platforms.
|
---|
| 1874 | * @param pErrInfo Where to return extended error information.
|
---|
| 1875 | * Optional.
|
---|
| 1876 | *
|
---|
| 1877 | * @note This is only used on OS X for libraries loaded with dlopen() because
|
---|
| 1878 | * the frameworks use symbolic links to point to the relevant library.
|
---|
| 1879 | *
|
---|
| 1880 | * @sa supR3HardenedVerifyFile
|
---|
| 1881 | */
|
---|
| 1882 | DECLHIDDEN(int) supR3HardenedVerifyFileFollowSymlinks(const char *pszFilename, RTHCUINTPTR hNativeFile, bool fMaybe3rdParty,
|
---|
| 1883 | PRTERRINFO pErrInfo)
|
---|
| 1884 | {
|
---|
| 1885 | RT_NOREF1(fMaybe3rdParty);
|
---|
| 1886 |
|
---|
| 1887 | /*
|
---|
| 1888 | * Validate the input path and parse it.
|
---|
| 1889 | */
|
---|
| 1890 | SUPR3HARDENEDPATHINFO Info;
|
---|
| 1891 | int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
|
---|
| 1892 | if (RT_FAILURE(rc))
|
---|
| 1893 | return rc;
|
---|
| 1894 | if (Info.fDirSlash)
|
---|
| 1895 | return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
|
---|
| 1896 | "The file path specifies a directory: '", pszFilename, "'");
|
---|
| 1897 |
|
---|
| 1898 | /*
|
---|
| 1899 | * Verify each component from the root up.
|
---|
| 1900 | */
|
---|
[66842] | 1901 | #ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
|
---|
[66526] | 1902 | uint32_t iLoops = 0;
|
---|
[66842] | 1903 | #endif
|
---|
[66526] | 1904 | SUPR3HARDENEDFSOBJSTATE FsObjState;
|
---|
| 1905 | uint32_t iComponent = 0;
|
---|
| 1906 | while (iComponent < Info.cComponents)
|
---|
| 1907 | {
|
---|
| 1908 | bool fFinal = iComponent + 1 == Info.cComponents;
|
---|
| 1909 | bool fRelaxed = iComponent + 2 < Info.cComponents;
|
---|
| 1910 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
|
---|
| 1911 | rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
|
---|
| 1912 | if (RT_SUCCESS(rc))
|
---|
| 1913 | {
|
---|
| 1914 | /*
|
---|
| 1915 | * In case the component is a symlink expand it and start from the beginning after
|
---|
| 1916 | * verifying it has the proper access rights.
|
---|
| 1917 | * Furthermore only allow symlinks which don't contain any .. or . in the target
|
---|
| 1918 | * (enforced by supR3HardenedVerifyPathSanity).
|
---|
| 1919 | */
|
---|
| 1920 | rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed,
|
---|
| 1921 | true /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
|
---|
| 1922 | if ( RT_SUCCESS(rc)
|
---|
| 1923 | && S_ISLNK(FsObjState.Stat.st_mode))
|
---|
| 1924 | {
|
---|
[66842] | 1925 | #if SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH /* Another approach using realpath() and verifying the result when encountering a symlink. */
|
---|
| 1926 | char *pszFilenameResolved = realpath(pszFilename, NULL);
|
---|
| 1927 | if (pszFilenameResolved)
|
---|
| 1928 | {
|
---|
| 1929 | rc = supR3HardenedVerifyFile(pszFilenameResolved, hNativeFile, fMaybe3rdParty, pErrInfo);
|
---|
| 1930 | free(pszFilenameResolved);
|
---|
| 1931 | return rc;
|
---|
| 1932 | }
|
---|
| 1933 | else
|
---|
| 1934 | {
|
---|
| 1935 | int iErr = errno;
|
---|
| 1936 | supR3HardenedError(VERR_ACCESS_DENIED, false /*fFatal*/,
|
---|
| 1937 | "supR3HardenedVerifyFileFollowSymlinks: Failed to resolve the real path '%s': %s (%d)\n",
|
---|
| 1938 | pszFilename, strerror(iErr), iErr);
|
---|
| 1939 | return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
|
---|
| 1940 | "realpath failed for '", pszFilename, "': ", strerror(iErr));
|
---|
| 1941 | }
|
---|
| 1942 | #else
|
---|
[66526] | 1943 | /* Don't loop forever. */
|
---|
| 1944 | iLoops++;
|
---|
| 1945 | if (iLoops < 8)
|
---|
| 1946 | {
|
---|
| 1947 | /*
|
---|
| 1948 | * Construct new path by replacing the current component by the symlink value.
|
---|
| 1949 | * Note! readlink() is a weird API that doesn't necessarily indicates if the
|
---|
| 1950 | * buffer is too small.
|
---|
| 1951 | */
|
---|
| 1952 | char szPath[RTPATH_MAX];
|
---|
| 1953 | size_t const cchBefore = Info.aoffComponents[iComponent]; /* includes slash */
|
---|
| 1954 | size_t const cchAfter = fFinal ? 0 : 1 /*slash*/ + Info.cch - Info.aoffComponents[iComponent + 1];
|
---|
| 1955 | if (sizeof(szPath) > cchBefore + cchAfter + 2)
|
---|
| 1956 | {
|
---|
| 1957 | ssize_t cchTarget = readlink(Info.szPath, szPath, sizeof(szPath) - 1);
|
---|
| 1958 | if (cchTarget > 0)
|
---|
| 1959 | {
|
---|
| 1960 | /* Some serious paranoia against embedded zero terminator and weird return values. */
|
---|
| 1961 | szPath[cchTarget] = '\0';
|
---|
| 1962 | size_t cchLink = strlen(szPath);
|
---|
| 1963 |
|
---|
| 1964 | /* Strip trailing dirslashes of non-final link. */
|
---|
| 1965 | if (!fFinal)
|
---|
| 1966 | while (cchLink > 1 and szPath[cchLink - 1] == '/')
|
---|
| 1967 | cchLink--;
|
---|
| 1968 |
|
---|
| 1969 | /* Check link value sanity and buffer size. */
|
---|
| 1970 | if (cchLink == 0)
|
---|
| 1971 | return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
|
---|
| 1972 | "Bad readlink return for '", Info.szPath, "'");
|
---|
| 1973 | if (szPath[0] == '/')
|
---|
| 1974 | return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
|
---|
| 1975 | "Absolute symbolic link not allowed: '", szPath, "'");
|
---|
| 1976 | if (cchBefore + cchLink + cchAfter + 1 /*terminator*/ > sizeof(szPath))
|
---|
| 1977 | return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
|
---|
| 1978 | "Symlinks causing too long path!");
|
---|
| 1979 |
|
---|
| 1980 | /* Construct the new path. */
|
---|
| 1981 | if (cchBefore)
|
---|
| 1982 | memmove(&szPath[cchBefore], &szPath[0], cchLink);
|
---|
| 1983 | memcpy(&szPath[0], Info.szPath, cchBefore);
|
---|
| 1984 | if (!cchAfter)
|
---|
| 1985 | szPath[cchBefore + cchLink] = '\0';
|
---|
| 1986 | else
|
---|
| 1987 | {
|
---|
| 1988 | szPath[cchBefore + cchLink] = RTPATH_SLASH;
|
---|
| 1989 | memcpy(&szPath[cchBefore + cchLink + 1],
|
---|
| 1990 | &Info.szPath[Info.aoffComponents[iComponent + 1]],
|
---|
| 1991 | cchAfter); /* cchAfter includes a zero terminator */
|
---|
| 1992 | }
|
---|
| 1993 |
|
---|
| 1994 | /* Parse, copy and check the sanity (no '..' or '.') of the altered path. */
|
---|
| 1995 | rc = supR3HardenedVerifyPathSanity(szPath, pErrInfo, &Info);
|
---|
| 1996 | if (RT_FAILURE(rc))
|
---|
| 1997 | return rc;
|
---|
| 1998 | if (Info.fDirSlash)
|
---|
| 1999 | return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
|
---|
| 2000 | "The file path specifies a directory: '", szPath, "'");
|
---|
| 2001 |
|
---|
| 2002 | /* Restart from the current component. */
|
---|
| 2003 | continue;
|
---|
| 2004 | }
|
---|
| 2005 | int iErr = errno;
|
---|
| 2006 | supR3HardenedError(VERR_ACCESS_DENIED, false /*fFatal*/,
|
---|
| 2007 | "supR3HardenedVerifyFileFollowSymlinks: Failed to readlink '%s': %s (%d)\n",
|
---|
| 2008 | Info.szPath, strerror(iErr), iErr);
|
---|
| 2009 | return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
|
---|
| 2010 | "readlink failed for '", Info.szPath, "': ", strerror(iErr));
|
---|
| 2011 | }
|
---|
| 2012 | return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo, "Path too long for symlink replacing!");
|
---|
| 2013 | }
|
---|
| 2014 | else
|
---|
| 2015 | return supR3HardenedSetError3(VERR_TOO_MANY_SYMLINKS, pErrInfo,
|
---|
| 2016 | "Too many symbolic links: '", pszFilename, "'");
|
---|
[66842] | 2017 | #endif
|
---|
[66526] | 2018 | }
|
---|
| 2019 | }
|
---|
| 2020 | if (RT_FAILURE(rc))
|
---|
| 2021 | return rc;
|
---|
| 2022 | Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
|
---|
| 2023 | iComponent++;
|
---|
| 2024 | }
|
---|
| 2025 |
|
---|
| 2026 | /*
|
---|
| 2027 | * Verify the file handle against the last component, if specified.
|
---|
| 2028 | */
|
---|
| 2029 | if (hNativeFile != RTHCUINTPTR_MAX)
|
---|
| 2030 | {
|
---|
| 2031 | rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
|
---|
| 2032 | if (RT_FAILURE(rc))
|
---|
| 2033 | return rc;
|
---|
| 2034 | }
|
---|
| 2035 |
|
---|
| 2036 | return VINF_SUCCESS;
|
---|
| 2037 | }
|
---|
[66632] | 2038 | #endif /* RT_OS_DARWIN || RT_OS_LINUX */
|
---|
[66526] | 2039 |
|
---|
| 2040 |
|
---|
| 2041 | /**
|
---|
[11725] | 2042 | * Gets the pre-init data for the hand-over to the other version
|
---|
| 2043 | * of this code.
|
---|
| 2044 | *
|
---|
| 2045 | * The reason why we pass this information on is that it contains
|
---|
| 2046 | * open directories and files. Later it may include even more info
|
---|
| 2047 | * (int the verified arrays mostly).
|
---|
| 2048 | *
|
---|
| 2049 | * The receiver is supR3HardenedRecvPreInitData.
|
---|
| 2050 | *
|
---|
| 2051 | * @param pPreInitData Where to store it.
|
---|
| 2052 | */
|
---|
| 2053 | DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
|
---|
| 2054 | {
|
---|
| 2055 | pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
|
---|
| 2056 | pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
|
---|
| 2057 | pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
|
---|
| 2058 |
|
---|
| 2059 | pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
|
---|
| 2060 | pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
|
---|
| 2061 | }
|
---|
| 2062 |
|
---|
| 2063 |
|
---|
| 2064 | /**
|
---|
| 2065 | * Receives the pre-init data from the static executable stub.
|
---|
| 2066 | *
|
---|
| 2067 | * @returns VBox status code. Will not bitch on failure since the
|
---|
| 2068 | * runtime isn't ready for it, so that is left to the exe stub.
|
---|
| 2069 | *
|
---|
| 2070 | * @param pPreInitData The hand-over data.
|
---|
| 2071 | */
|
---|
| 2072 | DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
|
---|
| 2073 | {
|
---|
| 2074 | /*
|
---|
| 2075 | * Compare the array lengths and the contents of g_aSupInstallFiles.
|
---|
| 2076 | */
|
---|
| 2077 | if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
|
---|
| 2078 | || pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
|
---|
| 2079 | return VERR_VERSION_MISMATCH;
|
---|
| 2080 | SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
|
---|
| 2081 | for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
|
---|
| 2082 | if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
|
---|
| 2083 | || g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
|
---|
| 2084 | || g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
|
---|
[49211] | 2085 | || suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
|
---|
[11725] | 2086 | return VERR_VERSION_MISMATCH;
|
---|
| 2087 |
|
---|
| 2088 | /*
|
---|
| 2089 | * Check that we're not called out of order.
|
---|
| 2090 | * If dynamic linking it screwed up, we may end up here.
|
---|
| 2091 | */
|
---|
[59747] | 2092 | if ( !ASMMemIsZero(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles))
|
---|
| 2093 | || !ASMMemIsZero(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs)))
|
---|
[11725] | 2094 | return VERR_WRONG_ORDER;
|
---|
| 2095 |
|
---|
| 2096 | /*
|
---|
| 2097 | * Copy the verification data over.
|
---|
| 2098 | */
|
---|
[49211] | 2099 | suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
|
---|
| 2100 | suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
|
---|
[11725] | 2101 | return VINF_SUCCESS;
|
---|
| 2102 | }
|
---|