VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 85127

Last change on this file since 85127 was 83033, checked in by vboxsync, 4 years ago

/Config.kmk,/Makefile.kmk,Installer/darwin,FE/QT,SUPHard: Eliminated the symlinks under Resources/VirtualBoxVM.app to avoid confusing codesign and notarization. bugref:9466
Note! Best to do a clean build on mac (or at a minimum rm -Rf out/darwin.amd64/*/dist/VirtualBox.app/Contents/Frameworks/ out/darwin.amd64/*/dist/VirtualBox.app/Contents/plugins/).

  • SUPHard: Added new location SUPSECMAIN_FLAGS_LOC_OSX_HLP_APP (darwin only) for indicating a helper application and that hardened dylib and the rest of VirtualBox isn't in the executable directory.
  • SUPHard: Added a corresponding internal path ID kSupID_AppMacHelper (darwin only) for finding VirtualBoxVM for verification now that it is no longer in the main app binary directory.
  • /Config.kmk: Run install_name_tool after linking Qt binaries on darwin fix the Qt import paths (@executable_path/../Frameworks/ doesn't work for VirtualBoxVM any more).
  • /Makefile.kmk: Run install_name_tool during installation of Qt frameworks and plugins to use @rpath in non-hardened builds and the absolute paths in hardened ones (latter done by Installer/darwin/Makefile.kmk previously).
  • FE/Qt,Installer/darwin: Adjustments and path hacks.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 85.0 KB
Line 
1/* $Id: SUPR3HardenedVerify.cpp 83033 2020-02-10 13:40:54Z vboxsync $ */
2/** @file
3 * VirtualBox Support Library - Verification of Hardened Installation.
4 */
5
6/*
7 * Copyright (C) 2006-2020 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#if defined(RT_OS_OS2)
32# define INCL_BASE
33# define INCL_ERRORS
34# include <os2.h>
35# include <stdio.h>
36# include <stdlib.h>
37# include <unistd.h>
38# include <sys/fcntl.h>
39# include <sys/errno.h>
40# include <sys/syslimits.h>
41
42#elif defined(RT_OS_WINDOWS)
43# include <iprt/nt/nt-and-windows.h>
44# ifndef IN_SUP_HARDENED_R3
45# include <stdio.h>
46# endif
47
48#else /* UNIXes */
49# include <sys/types.h>
50# include <stdio.h>
51# include <stdlib.h>
52# include <dirent.h>
53# include <dlfcn.h>
54# include <fcntl.h>
55# include <limits.h>
56# include <errno.h>
57# include <unistd.h>
58# include <sys/stat.h>
59# include <sys/time.h>
60# include <sys/fcntl.h>
61# include <pwd.h>
62# ifdef RT_OS_DARWIN
63# include <mach-o/dyld.h>
64# endif
65
66#endif
67
68#include <VBox/sup.h>
69#include <VBox/err.h>
70#include <iprt/asm.h>
71#include <iprt/ctype.h>
72#include <iprt/param.h>
73#include <iprt/path.h>
74#include <iprt/string.h>
75#include <iprt/utf16.h>
76
77#include "SUPLibInternal.h"
78#if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
79# define SUPHNTVI_NO_NT_STUFF
80# include "win/SUPHardenedVerify-win.h"
81#endif
82
83
84/*********************************************************************************************************************************
85* Defined Constants And Macros *
86*********************************************************************************************************************************/
87/** The max path length acceptable for a trusted path. */
88#define SUPR3HARDENED_MAX_PATH 260U
89
90/** Enable to resolve symlinks using realpath() instead of cooking our own stuff. */
91#define SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH 1
92
93#ifdef RT_OS_SOLARIS
94# define dirfd(d) ((d)->d_fd)
95#endif
96
97/** Compare table file names with externally supplied names. */
98#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
99# define SUP_COMP_FILENAME RTStrICmp
100#else
101# define SUP_COMP_FILENAME suplibHardenedStrCmp
102#endif
103
104
105/*********************************************************************************************************************************
106* Global Variables *
107*********************************************************************************************************************************/
108/**
109 * The files that gets verified.
110 *
111 * @todo This needs reviewing against the linux packages.
112 * @todo The excessive use of kSupID_AppSharedLib needs to be reviewed at some point. For
113 * the time being we're building the linux packages with SharedLib pointing to
114 * AppPrivArch (lazy bird).
115 *
116 * @remarks If you add executables here, you might need to update
117 * g_apszSupNtVpAllowedVmExes in SUPHardenedVerifyProcess-win.cpp.
118 */
119static SUPINSTFILE const g_aSupInstallFiles[] =
120{
121 /* type, dir, fOpt, "pszFile" */
122 /* ---------------------------------------------------------------------- */
123 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
124 { kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
125
126#ifdef VBOX_WITH_RAW_MODE
127 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMRC.rc" },
128 { kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDRC.rc" },
129#endif
130
131 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
132 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
133#if HC_ARCH_BITS == 32
134 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
135 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
136#endif
137 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
138 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
139 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
140 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxVMMPreload" SUPLIB_EXE_SUFF },
141 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVMMPreload" SUPLIB_DLL_SUFF },
142
143//#ifdef VBOX_WITH_DEBUGGER_GUI
144 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
145 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
146//#endif
147
148//#ifdef VBOX_WITH_SHARED_CLIPBOARD
149 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
150//#endif
151//#ifdef VBOX_WITH_SHARED_FOLDERS
152 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
153//#endif
154//#ifdef VBOX_WITH_DRAG_AND_DROP
155 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
156//#endif
157//#ifdef VBOX_WITH_GUEST_PROPS
158 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
159//#endif
160//#ifdef VBOX_WITH_GUEST_CONTROL
161 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
162//#endif
163 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
164 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
165 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
166 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
167 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
168
169 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
170
171#ifdef VBOX_WITH_MAIN
172 { kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
173 #ifdef RT_OS_WINDOWS
174 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
175 #else
176 { kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
177 { kSupIFT_Dll, kSupID_AppSharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
178 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
179 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
180 { kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
181 { kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
182 #endif
183#endif
184
185 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
186 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
187 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
188
189//#ifdef VBOX_WITH_HEADLESS
190 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
191 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
192 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
193//#endif
194
195//#ifdef VBOX_WITH_QTGUI
196 { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
197# ifdef RT_OS_DARWIN
198 { kSupIFT_Exe, kSupID_AppMacHelper, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
199# else
200 { kSupIFT_Exe, kSupID_AppBin, true, "VirtualBoxVM" SUPLIB_EXE_SUFF },
201# endif
202 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBoxVM" SUPLIB_DLL_SUFF },
203 { kSupIFT_Dll, kSupID_AppPrivArch, true, "UICommon" SUPLIB_DLL_SUFF },
204# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
205 { kSupIFT_Dll, kSupID_AppSharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
206# endif
207//#endif
208
209//#ifdef VBOX_WITH_VBOXSDL
210 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
211 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
212//#endif
213
214//#ifdef VBOX_WITH_WEBSERVICES
215 { kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
216//#endif
217
218#ifdef RT_OS_LINUX
219 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
220#endif
221
222//#ifdef VBOX_WITH_NETFLT
223 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
224 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
225//#endif
226
227//#ifdef VBOX_WITH_LWIP_NAT
228 { kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
229 { kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
230//#endif
231#if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
232# define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
233 { kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
234 { kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
235 HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
236 HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
237 HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
238 HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
239 HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
240# define HARDENED_TESTCASE_ENTRY(a_szName) \
241 { kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
242 { kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
243 HARDENED_TESTCASE_ENTRY("tstCFGM"),
244 HARDENED_TESTCASE_ENTRY("tstGIP-2"),
245 HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
246 HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
247 HARDENED_TESTCASE_ENTRY("tstRTR0ThreadPreemptionDriver"),
248 HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
249 HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
250 HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
251 HARDENED_TESTCASE_ENTRY("tstSSM"),
252#endif
253};
254
255
256/** Array parallel to g_aSupInstallFiles containing per-file status info. */
257static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
258
259/** Array index by install directory specifier containing info about verified directories. */
260static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
261
262
263/**
264 * Assembles the path to a directory.
265 *
266 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
267 * decides whether it returns or not).
268 *
269 * @param enmDir The directory.
270 * @param pszDst Where to assemble the path.
271 * @param cchDst The size of the buffer.
272 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
273 * @param pFile The file (for darwin helper app paths).
274 */
275static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal, PCSUPINSTFILE pFile)
276{
277 int rc;
278 switch (enmDir)
279 {
280 case kSupID_AppBin:
281 rc = supR3HardenedPathAppBin(pszDst, cchDst);
282 break;
283 case kSupID_AppSharedLib:
284 rc = supR3HardenedPathAppSharedLibs(pszDst, cchDst);
285 break;
286 case kSupID_AppPrivArch:
287 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
288 break;
289 case kSupID_AppPrivArchComp:
290 rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
291 if (RT_SUCCESS(rc))
292 {
293 size_t off = suplibHardenedStrLen(pszDst);
294 if (cchDst - off >= sizeof("/components"))
295 suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
296 else
297 rc = VERR_BUFFER_OVERFLOW;
298 }
299 break;
300 case kSupID_AppPrivNoArch:
301 rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
302 break;
303 case kSupID_Testcase:
304 rc = supR3HardenedPathAppBin(pszDst, cchDst);
305 if (RT_SUCCESS(rc))
306 {
307 size_t off = suplibHardenedStrLen(pszDst);
308 if (cchDst - off >= sizeof("/testcase"))
309 suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
310 else
311 rc = VERR_BUFFER_OVERFLOW;
312 }
313 break;
314#ifdef RT_OS_DARWIN
315 case kSupID_AppMacHelper:
316 rc = supR3HardenedPathAppBin(pszDst, cchDst);
317 if (RT_SUCCESS(rc))
318 {
319 /* Up one level from the VirtualBox.app/Contents/MacOS directory: */
320 size_t offDst = suplibHardenedStrLen(pszDst);
321 while (offDst > 1 && pszDst[offDst - 1] == '/')
322 offDst--;
323 while (offDst > 1 && pszDst[offDst - 1] != '/')
324 offDst--;
325
326 /* Construct the path to the helper application's Contents/MacOS directory: */
327 size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
328 if (offDst + cchFile + sizeof("Resources/.app/Contents/MacOS") <= cchDst)
329 {
330 suplibHardenedMemCopy(&pszDst[offDst], RT_STR_TUPLE("Resources/"));
331 offDst += sizeof("Resources/") - 1;
332 suplibHardenedMemCopy(&pszDst[offDst], pFile->pszFile, cchFile);
333 offDst += cchFile;
334 suplibHardenedMemCopy(&pszDst[offDst], RT_STR_TUPLE(".app/Contents/MacOS") + 1);
335 }
336 else
337 rc = VERR_BUFFER_OVERFLOW;
338 }
339 break;
340#endif
341 default:
342 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
343 "supR3HardenedMakePath: enmDir=%d\n", enmDir);
344 }
345 if (RT_FAILURE(rc))
346 supR3HardenedError(rc, fFatal,
347 "supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
348 NOREF(pFile);
349 return rc;
350}
351
352
353
354/**
355 * Assembles the path to a file table entry, with or without the actual filename.
356 *
357 * @returns VINF_SUCCESS on success, some error code on failure (fFatal
358 * decides whether it returns or not).
359 *
360 * @param pFile The file table entry.
361 * @param pszDst Where to assemble the path.
362 * @param cchDst The size of the buffer.
363 * @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
364 * @param fFatal Whether failures should be treated as fatal (true) or not (false).
365 */
366static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
367{
368 /*
369 * Combine supR3HardenedMakePath and the filename.
370 */
371 int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal, pFile);
372 if (RT_SUCCESS(rc) && fWithFilename)
373 {
374 size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
375 size_t off = suplibHardenedStrLen(pszDst);
376 if (cchDst - off >= cchFile + 2)
377 {
378 pszDst[off++] = '/';
379 suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
380 }
381 else
382 rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
383 "supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
384 pFile->pszFile, (long)off);
385 }
386 return rc;
387}
388
389
390/**
391 * Verifies a directory.
392 *
393 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
394 * fFatal is clear and if it's set the function wont return.
395 * @param enmDir The directory specifier.
396 * @param fFatal Whether validation failures should be treated as
397 * fatal (true) or not (false).
398 * @param pFile The file (for darwin helper app paths).
399 */
400DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal, PCSUPINSTFILE pFile)
401{
402 /*
403 * Validate the index just to be on the safe side...
404 */
405 if (enmDir <= kSupID_Invalid || enmDir >= kSupID_End)
406 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
407 "supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
408
409 /*
410 * Already validated?
411 */
412 if (g_aSupVerifiedDirs[enmDir].fValidated)
413 return VINF_SUCCESS; /** @todo revalidate? */
414
415 /* initialize the entry. */
416 if (g_aSupVerifiedDirs[enmDir].hDir != 0)
417 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
418 "supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
419 (void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
420 g_aSupVerifiedDirs[enmDir].hDir = -1;
421 g_aSupVerifiedDirs[enmDir].fValidated = false;
422
423 /*
424 * Make the path and open the directory.
425 */
426 char szPath[RTPATH_MAX];
427 int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal, pFile);
428 if (RT_SUCCESS(rc))
429 {
430#if defined(RT_OS_WINDOWS)
431 PRTUTF16 pwszPath;
432 rc = RTStrToUtf16(szPath, &pwszPath);
433 if (RT_SUCCESS(rc))
434 {
435 HANDLE hDir = CreateFileW(pwszPath,
436 GENERIC_READ,
437 FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE,
438 NULL,
439 OPEN_EXISTING,
440 FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS,
441 NULL);
442 if (hDir != INVALID_HANDLE_VALUE)
443 {
444 /** @todo check the type */
445 /* That's all on windows, for now at least... */
446 g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
447 g_aSupVerifiedDirs[enmDir].fValidated = true;
448 }
449 else if (enmDir == kSupID_Testcase)
450 {
451 g_aSupVerifiedDirs[enmDir].fValidated = true;
452 rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
453 }
454 else
455 {
456 int err = RtlGetLastWin32Error();
457 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
458 "supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
459 szPath, err);
460 }
461 RTUtf16Free(pwszPath);
462 }
463 else
464 rc = supR3HardenedError(rc, fFatal,
465 "supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
466
467#else /* UNIXY */
468 int fd = open(szPath, O_RDONLY, 0);
469 if (fd >= 0)
470 {
471 /*
472 * On unixy systems we'll make sure the directory is owned by root
473 * and not writable by the group and user.
474 */
475 struct stat st;
476 if (!fstat(fd, &st))
477 {
478
479 if ( st.st_uid == 0
480 && !(st.st_mode & (S_IWGRP | S_IWOTH))
481 && S_ISDIR(st.st_mode))
482 {
483 g_aSupVerifiedDirs[enmDir].hDir = fd;
484 g_aSupVerifiedDirs[enmDir].fValidated = true;
485 }
486 else
487 {
488 if (!S_ISDIR(st.st_mode))
489 rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
490 "supR3HardenedVerifyDir: \"%s\" is not a directory\n",
491 szPath, (long)st.st_uid);
492 else if (st.st_uid)
493 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
494 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
495 szPath, (long)st.st_uid);
496 else
497 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
498 "supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
499 szPath, (long)st.st_mode);
500 close(fd);
501 }
502 }
503 else
504 {
505 int err = errno;
506 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
507 "supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
508 szPath, strerror(err), err);
509 close(fd);
510 }
511 }
512 else if (enmDir == kSupID_Testcase)
513 {
514 g_aSupVerifiedDirs[enmDir].fValidated = true;
515 rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
516 }
517 else
518 {
519 int err = errno;
520 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
521 "supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
522 szPath, strerror(err), err);
523 }
524#endif /* UNIXY */
525 }
526
527 return rc;
528}
529
530
531#ifdef RT_OS_WINDOWS
532/**
533 * Opens the file for verification.
534 *
535 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
536 * fFatal is clear and if it's set the function wont return.
537 * @param pFile The file entry.
538 * @param fFatal Whether validation failures should be treated as
539 * kl fatal (true) or not (false).
540 * @param phFile The file handle, set to -1 if we failed to open
541 * the file. The function may return VINF_SUCCESS
542 * and a -1 handle if the file is optional.
543 */
544static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
545{
546 *phFile = -1;
547
548 char szPath[RTPATH_MAX];
549 int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
550 if (RT_SUCCESS(rc))
551 {
552 PRTUTF16 pwszPath;
553 rc = RTStrToUtf16(szPath, &pwszPath);
554 if (RT_SUCCESS(rc))
555 {
556 HANDLE hFile = CreateFileW(pwszPath,
557 GENERIC_READ,
558 FILE_SHARE_READ,
559 NULL,
560 OPEN_EXISTING,
561 FILE_ATTRIBUTE_NORMAL,
562 NULL);
563 if (hFile != INVALID_HANDLE_VALUE)
564 {
565 *phFile = (intptr_t)hFile;
566 rc = VINF_SUCCESS;
567 }
568 else
569 {
570 int err = RtlGetLastWin32Error();
571 if ( !pFile->fOptional
572 || ( err != ERROR_FILE_NOT_FOUND
573 && (err != ERROR_PATH_NOT_FOUND || pFile->enmDir != kSupID_Testcase) ) )
574 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
575 "supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
576 }
577 RTUtf16Free(pwszPath);
578 }
579 else
580 rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
581 szPath, rc);
582 }
583 return rc;
584}
585
586
587/**
588 * Worker for supR3HardenedVerifyFileInternal.
589 *
590 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
591 * fFatal is clear and if it's set the function wont return.
592 * @param pFile The file entry.
593 * @param pVerified The verification record.
594 * @param fFatal Whether validation failures should be treated as
595 * fatal (true) or not (false).
596 * @param fLeaveFileOpen Whether the file should be left open.
597 */
598static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
599{
600# if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
601
602 /*
603 * Open the file if we have to.
604 */
605 int rc;
606 intptr_t hFileOpened;
607 intptr_t hFile = pVerified->hFile;
608 if (hFile != -1)
609 hFileOpened = -1;
610 else
611 {
612 rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
613 if (RT_FAILURE(rc))
614 return rc;
615 hFile = hFileOpened;
616 }
617
618 /*
619 * Verify the signature.
620 */
621 char szErr[1024];
622 RTERRINFO ErrInfo;
623 RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
624
625 uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
626 if (pFile->enmType == kSupIFT_Rc)
627 fFlags |= SUPHNTVI_F_RC_IMAGE;
628
629 rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
630 if (RT_SUCCESS(rc))
631 pVerified->fCheckedSignature = true;
632 else
633 {
634 pVerified->fCheckedSignature = false;
635 rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
636 pFile->pszFile, rc, szErr);
637
638 }
639
640 /*
641 * Close the handle if we opened the file and we should close it.
642 */
643 if (hFileOpened != -1)
644 {
645 if (fLeaveFileOpen && RT_SUCCESS(rc))
646 pVerified->hFile = hFileOpened;
647 else
648 NtClose((HANDLE)hFileOpened);
649 }
650
651 return rc;
652
653# else /* Not checking signatures. */
654 RT_NOREF4(pFile, pVerified, fFatal, fLeaveFileOpen);
655 return VINF_SUCCESS;
656# endif /* Not checking signatures. */
657}
658#endif
659
660
661/**
662 * Verifies a file entry.
663 *
664 * @returns VINF_SUCCESS on success. On failure, an error code is returned if
665 * fFatal is clear and if it's set the function wont return.
666 *
667 * @param iFile The file table index of the file to be verified.
668 * @param fFatal Whether validation failures should be treated as
669 * fatal (true) or not (false).
670 * @param fLeaveFileOpen Whether the file should be left open.
671 * @param fVerifyAll Set if this is an verify all call and we will
672 * postpone signature checking.
673 */
674static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
675{
676#ifndef RT_OS_WINDOWS
677 RT_NOREF1(fVerifyAll);
678#endif
679 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
680 PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
681
682 /*
683 * Already done validation? Do signature validation if we haven't yet.
684 */
685 if (pVerified->fValidated)
686 {
687 /** @todo revalidate? Check that the file hasn't been replace or similar. */
688#ifdef RT_OS_WINDOWS
689 if (!pVerified->fCheckedSignature && !fVerifyAll)
690 return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
691#endif
692 return VINF_SUCCESS;
693 }
694
695
696 /* initialize the entry. */
697 if (pVerified->hFile != 0)
698 supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
699 "supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
700 (void *)pVerified->hFile, pFile->pszFile);
701 pVerified->hFile = -1;
702 pVerified->fValidated = false;
703#ifdef RT_OS_WINDOWS
704 pVerified->fCheckedSignature = false;
705#endif
706
707 /*
708 * Verify the directory then proceed to open it.
709 * (This'll make sure the directory is opened and that we can (later)
710 * use openat if we wish.)
711 */
712 int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal, pFile);
713 if (RT_SUCCESS(rc))
714 {
715#if defined(RT_OS_WINDOWS)
716 rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
717 if (RT_SUCCESS(rc))
718 {
719 if (!fVerifyAll)
720 rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
721 if (RT_SUCCESS(rc))
722 {
723 pVerified->fValidated = true;
724 if (!fLeaveFileOpen)
725 {
726 NtClose((HANDLE)pVerified->hFile);
727 pVerified->hFile = -1;
728 }
729 }
730 }
731#else /* !RT_OS_WINDOWS */
732 char szPath[RTPATH_MAX];
733 rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /*fWithFilename*/, fFatal);
734 if (RT_SUCCESS(rc))
735 {
736 int fd = open(szPath, O_RDONLY, 0);
737 if (fd >= 0)
738 {
739 /*
740 * On unixy systems we'll make sure the file is owned by root
741 * and not writable by the group and user.
742 */
743 struct stat st;
744 if (!fstat(fd, &st))
745 {
746 if ( st.st_uid == 0
747 && !(st.st_mode & (S_IWGRP | S_IWOTH))
748 && S_ISREG(st.st_mode))
749 {
750 /* it's valid. */
751 if (fLeaveFileOpen)
752 pVerified->hFile = fd;
753 else
754 close(fd);
755 pVerified->fValidated = true;
756 }
757 else
758 {
759 if (!S_ISREG(st.st_mode))
760 rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
761 "supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
762 szPath, (long)st.st_uid);
763 else if (st.st_uid)
764 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
765 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
766 szPath, (long)st.st_uid);
767 else
768 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
769 "supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
770 szPath, (long)st.st_mode);
771 close(fd);
772 }
773 }
774 else
775 {
776 int err = errno;
777 rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
778 "supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
779 szPath, strerror(err), err);
780 close(fd);
781 }
782 }
783 else
784 {
785 int err = errno;
786 if (!pFile->fOptional || err != ENOENT)
787 rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
788 "supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
789 szPath, strerror(err), err);
790 }
791 }
792#endif /* !RT_OS_WINDOWS */
793 }
794
795 return rc;
796}
797
798
799/**
800 * Verifies that the specified table entry matches the given filename.
801 *
802 * @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
803 * error is returned or we terminate the application.
804 *
805 * @param iFile The file table index.
806 * @param pszFilename The filename.
807 * @param fFatal Whether validation failures should be treated as
808 * fatal (true) or not (false).
809 */
810static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
811{
812 PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
813
814 /*
815 * Construct the full path for the file table entry
816 * and compare it with the specified file.
817 */
818 char szName[RTPATH_MAX];
819 int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
820 if (RT_FAILURE(rc))
821 return rc;
822 if (SUP_COMP_FILENAME(szName, pszFilename))
823 {
824 /*
825 * Normalize the two paths and compare again.
826 */
827 rc = VERR_NOT_SAME_DEVICE;
828#if defined(RT_OS_WINDOWS)
829 LPSTR pszIgnored;
830 char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
831 if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
832 && GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
833 if (!SUP_COMP_FILENAME(szName2, szName))
834 rc = VINF_SUCCESS;
835#else
836 AssertCompile(RTPATH_MAX >= PATH_MAX);
837 char szName2[RTPATH_MAX];
838 if ( realpath(szName, szName2) != NULL
839 && realpath(pszFilename, szName) != NULL)
840 if (!SUP_COMP_FILENAME(szName2, szName))
841 rc = VINF_SUCCESS;
842#endif
843
844 if (RT_FAILURE(rc))
845 {
846 supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /*fWithFilename*/, fFatal);
847 return supR3HardenedError(rc, fFatal,
848 "supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
849 pszFilename, szName);
850 }
851 }
852
853 /*
854 * Check more stuff like the stat info if it's an already open file?
855 */
856
857
858
859 return VINF_SUCCESS;
860}
861
862
863/**
864 * Verifies a file.
865 *
866 * @returns VINF_SUCCESS on success.
867 * VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
868 * On verification failure, an error code will be returned when fFatal is clear,
869 * otherwise the program will be terminated.
870 *
871 * @param pszFilename The filename.
872 * @param fFatal Whether validation failures should be treated as
873 * fatal (true) or not (false).
874 */
875DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
876{
877 /*
878 * Lookup the file and check if it's the same file.
879 */
880 const char *pszName = supR3HardenedPathFilename(pszFilename);
881 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
882 if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
883 {
884 int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
885 if (RT_SUCCESS(rc))
886 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen */, false /* fVerifyAll */);
887 return rc;
888 }
889
890 return VERR_NOT_FOUND;
891}
892
893
894/**
895 * Verifies a program, worker for supR3HardenedVerifyAll.
896 *
897 * @returns See supR3HardenedVerifyAll.
898 * @param pszProgName See supR3HardenedVerifyAll.
899 * @param pszExePath The path to the executable.
900 * @param fFatal See supR3HardenedVerifyAll.
901 * @param fLeaveOpen The leave open setting used by
902 * supR3HardenedVerifyAll.
903 * @param fMainFlags Flags supplied to SUPR3HardenedMain.
904 */
905static int supR3HardenedVerifyProgram(const char *pszProgName, const char *pszExePath, bool fFatal,
906 bool fLeaveOpen, uint32_t fMainFlags)
907{
908 /*
909 * Search the table looking for the executable and the DLL/DYLIB/SO.
910 * Note! On darwin we have a hack in place for VirtualBoxVM helper app
911 * to share VirtualBox.dylib with the VirtualBox app. This ASSUMES
912 * that cchProgNameDll is equal or shorter to the exe name.
913 */
914 int rc = VINF_SUCCESS;
915 bool fExe = false;
916 bool fDll = false;
917 size_t const cchProgNameExe = suplibHardenedStrLen(pszProgName);
918#ifndef RT_OS_DARWIN
919 size_t const cchProgNameDll = cchProgNameExe;
920 NOREF(fMainFlags);
921#else
922 size_t const cchProgNameDll = fMainFlags & SUPSECMAIN_FLAGS_OSX_VM_APP
923 ? sizeof("VirtualBox") - 1
924 : cchProgNameExe;
925 if (cchProgNameDll > cchProgNameExe)
926 return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
927 "supR3HardenedVerifyProgram: SUPSECMAIN_FLAGS_OSX_VM_APP + '%s'", pszProgName);
928#endif
929 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
930 if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameDll))
931 {
932 if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
933 || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
934 && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameDll], SUPLIB_DLL_SUFF))
935 {
936 /* This only has to be found (once). */
937 if (fDll)
938 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
939 "supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
940 else
941 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
942 true /* fVerifyAll - check sign later, only final process need check it on load. */);
943 fDll = true;
944 }
945 else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
946 || g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
947 && ( cchProgNameExe == cchProgNameDll
948 || !suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgNameExe))
949 && !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgNameExe], SUPLIB_EXE_SUFF))
950 {
951 /* Here we'll have to check that the specific program is the same as the entry. */
952 if (fExe)
953 rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
954 "supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
955 else
956 rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
957 fExe = true;
958
959 supR3HardenedVerifySameFile(iFile, pszExePath, fFatal);
960 }
961 }
962
963 /*
964 * Check the findings.
965 */
966 if (RT_SUCCESS(rc))
967 {
968 if (!fDll && !fExe)
969 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
970 "supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
971 else if (!fExe)
972 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
973 "supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
974 else if (!fDll)
975 rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
976 "supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
977 }
978 return rc;
979}
980
981
982/**
983 * Verifies all the known files (called from SUPR3HardenedMain).
984 *
985 * @returns VINF_SUCCESS on success.
986 * On verification failure, an error code will be returned when fFatal is clear,
987 * otherwise the program will be terminated.
988 *
989 * @param fFatal Whether validation failures should be treated as
990 * fatal (true) or not (false).
991 * @param pszProgName The program name. This is used to verify that
992 * both the executable and corresponding
993 * DLL/DYLIB/SO are valid.
994 * @param pszExePath The path to the executable.
995 * @param fMainFlags Flags supplied to SUPR3HardenedMain.
996 */
997DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char *pszProgName, const char *pszExePath, uint32_t fMainFlags)
998{
999 /*
1000 * On windows
1001 */
1002#if defined(RT_OS_WINDOWS)
1003 bool fLeaveOpen = true;
1004#else
1005 bool fLeaveOpen = false;
1006#endif
1007
1008 /*
1009 * The verify all the files.
1010 */
1011 int rc = VINF_SUCCESS;
1012 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
1013 {
1014 int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
1015 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
1016 rc = rc2;
1017 }
1018
1019 /*
1020 * Verify the program name, that is to say, check that it's in the table
1021 * (thus verified above) and verify the signature on platforms where we
1022 * sign things.
1023 */
1024 int rc2 = supR3HardenedVerifyProgram(pszProgName, pszExePath, fFatal, fLeaveOpen, fMainFlags);
1025 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
1026 rc2 = rc;
1027
1028 return rc;
1029}
1030
1031
1032/**
1033 * Copies the N messages into the error buffer and returns @a rc.
1034 *
1035 * @returns Returns @a rc
1036 * @param rc The return code.
1037 * @param pErrInfo The error info structure.
1038 * @param cMsgs The number of messages in the ellipsis.
1039 * @param ... Message parts.
1040 */
1041static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
1042{
1043 if (pErrInfo)
1044 {
1045 size_t cbErr = pErrInfo->cbMsg;
1046 char *pszErr = pErrInfo->pszMsg;
1047
1048 va_list va;
1049 va_start(va, cMsgs);
1050 while (cMsgs-- > 0 && cbErr > 0)
1051 {
1052 const char *pszMsg = va_arg(va, const char *);
1053 size_t cchMsg = VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
1054 if (cchMsg >= cbErr)
1055 cchMsg = cbErr - 1;
1056 suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
1057 pszErr[cchMsg] = '\0';
1058 pszErr += cchMsg;
1059 cbErr -= cchMsg;
1060 }
1061 va_end(va);
1062
1063 pErrInfo->rc = rc;
1064 pErrInfo->fFlags |= RTERRINFO_FLAGS_SET;
1065 }
1066
1067 return rc;
1068}
1069
1070
1071#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
1072/**
1073 * Copies the four messages into the error buffer and returns @a rc.
1074 *
1075 * @returns Returns @a rc
1076 * @param rc The return code.
1077 * @param pErrInfo The error info structure.
1078 * @param pszMsg1 The first message part.
1079 * @param pszMsg2 The second message part.
1080 * @param pszMsg3 The third message part.
1081 * @param pszMsg4 The fourth message part.
1082 */
1083static int supR3HardenedSetError4(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1084 const char *pszMsg2, const char *pszMsg3, const char *pszMsg4)
1085{
1086 return supR3HardenedSetErrorN(rc, pErrInfo, 4, pszMsg1, pszMsg2, pszMsg3, pszMsg4);
1087}
1088#endif
1089
1090
1091/**
1092 * Copies the three messages into the error buffer and returns @a rc.
1093 *
1094 * @returns Returns @a rc
1095 * @param rc The return code.
1096 * @param pErrInfo The error info structure.
1097 * @param pszMsg1 The first message part.
1098 * @param pszMsg2 The second message part.
1099 * @param pszMsg3 The third message part.
1100 */
1101static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1102 const char *pszMsg2, const char *pszMsg3)
1103{
1104 return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
1105}
1106
1107
1108#ifdef SOME_UNUSED_FUNCTION
1109/**
1110 * Copies the two messages into the error buffer and returns @a rc.
1111 *
1112 * @returns Returns @a rc
1113 * @param rc The return code.
1114 * @param pErrInfo The error info structure.
1115 * @param pszMsg1 The first message part.
1116 * @param pszMsg2 The second message part.
1117 */
1118static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1119 const char *pszMsg2)
1120{
1121 return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
1122}
1123#endif
1124
1125
1126#ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
1127# if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
1128/**
1129 * Copies the error message to the error buffer and returns @a rc.
1130 *
1131 * @returns Returns @a rc
1132 * @param rc The return code.
1133 * @param pErrInfo The error info structure.
1134 * @param pszMsg The message.
1135 */
1136static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
1137{
1138 return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
1139}
1140# endif
1141#endif
1142
1143
1144/**
1145 * Output from a successfull supR3HardenedVerifyPathSanity call.
1146 */
1147typedef struct SUPR3HARDENEDPATHINFO
1148{
1149 /** The length of the path in szCopy. */
1150 uint16_t cch;
1151 /** The number of path components. */
1152 uint16_t cComponents;
1153 /** Set if the path ends with slash, indicating that it's a directory
1154 * reference and not a file reference. The slash has been removed from
1155 * the copy. */
1156 bool fDirSlash;
1157 /** The offset where each path component starts, i.e. the char after the
1158 * slash. The array has cComponents + 1 entries, where the final one is
1159 * cch + 1 so that one can always terminate the current component by
1160 * szPath[aoffComponent[i] - 1] = '\0'. */
1161 uint16_t aoffComponents[32+1];
1162 /** A normalized copy of the path.
1163 * Reserve some extra space so we can be more relaxed about overflow
1164 * checks and terminator paddings, especially when recursing. */
1165 char szPath[SUPR3HARDENED_MAX_PATH * 2];
1166} SUPR3HARDENEDPATHINFO;
1167/** Pointer to a parsed path. */
1168typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
1169
1170
1171/**
1172 * Verifies that the path is absolutely sane, it also parses the path.
1173 *
1174 * A sane path starts at the root (w/ drive letter on DOS derived systems) and
1175 * does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
1176 * Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
1177 * paths are not supported.
1178 *
1179 * @returns VBox status code.
1180 * @param pszPath The path to check.
1181 * @param pErrInfo The error info structure.
1182 * @param pInfo Where to return a copy of the path along with
1183 * parsing information.
1184 */
1185static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
1186{
1187 const char *pszSrc = pszPath;
1188 char *pszDst = pInfo->szPath;
1189
1190 /*
1191 * Check that it's an absolute path and copy the volume/root specifier.
1192 */
1193#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
1194 if ( !RT_C_IS_ALPHA(pszSrc[0])
1195 || pszSrc[1] != ':'
1196 || !RTPATH_IS_SLASH(pszSrc[2]))
1197 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1198
1199 *pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
1200 *pszDst++ = ':';
1201 *pszDst++ = RTPATH_SLASH;
1202 pszSrc += 3;
1203
1204#else
1205 if (!RTPATH_IS_SLASH(pszSrc[0]))
1206 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1207
1208 *pszDst++ = RTPATH_SLASH;
1209 pszSrc += 1;
1210#endif
1211
1212 /*
1213 * No path specifying the root or something very shortly thereafter will
1214 * be approved of.
1215 */
1216 if (pszSrc[0] == '\0')
1217 return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
1218 if ( pszSrc[1] == '\0'
1219 || pszSrc[2] == '\0')
1220 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
1221
1222#if RTPATH_STYLE == RTPATH_STR_F_STYLE_UNIX
1223 /*
1224 * Skip double slashes.
1225 */
1226 while (RTPATH_IS_SLASH(*pszSrc))
1227 pszSrc++;
1228#else
1229 /*
1230 * The root slash should be alone to avoid UNC confusion.
1231 */
1232 if (RTPATH_IS_SLASH(pszSrc[0]))
1233 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
1234 "The path is not clean of leading double slashes: '", pszPath, "'");
1235#endif
1236 /*
1237 * Check each component. No parent references.
1238 */
1239 pInfo->cComponents = 0;
1240 pInfo->fDirSlash = false;
1241 while (pszSrc[0])
1242 {
1243 /* Sanity checks. */
1244 if ( pszSrc[0] == '.'
1245 && pszSrc[1] == '.'
1246 && RTPATH_IS_SLASH(pszSrc[2]))
1247 return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
1248 "The path is not absolute: '", pszPath, "'");
1249
1250 /* Record the start of the component. */
1251 if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
1252 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
1253 "The path has too many components: '", pszPath, "'");
1254 pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
1255
1256 /* Traverse to the end of the component, copying it as we go along. */
1257 while (pszSrc[0])
1258 {
1259 if (RTPATH_IS_SLASH(pszSrc[0]))
1260 {
1261 pszSrc++;
1262 if (*pszSrc)
1263 *pszDst++ = RTPATH_SLASH;
1264 else
1265 pInfo->fDirSlash = true;
1266 break;
1267 }
1268 *pszDst++ = *pszSrc++;
1269 if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
1270 return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1271 "The path is too long: '", pszPath, "'");
1272 }
1273
1274 /* Skip double slashes. */
1275 while (RTPATH_IS_SLASH(*pszSrc))
1276 pszSrc++;
1277 }
1278
1279 /* Terminate the string and enter its length. */
1280 pszDst[0] = '\0';
1281 pszDst[1] = '\0'; /* for aoffComponents */
1282 pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
1283 pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
1284
1285 return VINF_SUCCESS;
1286}
1287
1288
1289/**
1290 * The state information collected by supR3HardenedVerifyFsObject.
1291 *
1292 * This can be used to verify that a directory we've opened for enumeration is
1293 * the same as the one that supR3HardenedVerifyFsObject just verified. It can
1294 * equally be used to verify a native specfied by the user.
1295 */
1296typedef struct SUPR3HARDENEDFSOBJSTATE
1297{
1298#ifdef RT_OS_WINDOWS
1299 /** Not implemented for windows yet. */
1300 char chTodo;
1301#else
1302 /** The stat output. */
1303 struct stat Stat;
1304#endif
1305} SUPR3HARDENEDFSOBJSTATE;
1306/** Pointer to a file system object state. */
1307typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1308/** Pointer to a const file system object state. */
1309typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1310
1311
1312/**
1313 * Query information about a file system object by path.
1314 *
1315 * @returns VBox status code, error buffer filled on failure.
1316 * @param pszPath The path to the object.
1317 * @param pFsObjState Where to return the state information.
1318 * @param pErrInfo The error info structure.
1319 */
1320static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1321{
1322#if defined(RT_OS_WINDOWS)
1323 /** @todo Windows hardening. */
1324 pFsObjState->chTodo = 0;
1325 RT_NOREF2(pszPath, pErrInfo);
1326 return VINF_SUCCESS;
1327
1328#else
1329 /*
1330 * Stat the object, do not follow links.
1331 */
1332 if (lstat(pszPath, &pFsObjState->Stat) != 0)
1333 {
1334 /* Ignore access errors */
1335 if (errno != EACCES)
1336 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1337 5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1338 }
1339
1340 /*
1341 * Read ACLs.
1342 */
1343 /** @todo */
1344
1345 return VINF_SUCCESS;
1346#endif
1347}
1348
1349
1350/**
1351 * Query information about a file system object by native handle.
1352 *
1353 * @returns VBox status code, error buffer filled on failure.
1354 * @param hNative The native handle to the object @a pszPath
1355 * specifies and this should be verified to be the
1356 * same file system object.
1357 * @param pFsObjState Where to return the state information.
1358 * @param pszPath The path to the object. (For the error message
1359 * only.)
1360 * @param pErrInfo The error info structure.
1361 */
1362static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1363 char const *pszPath, PRTERRINFO pErrInfo)
1364{
1365#if defined(RT_OS_WINDOWS)
1366 /** @todo Windows hardening. */
1367 pFsObjState->chTodo = 0;
1368 RT_NOREF3(hNative, pszPath, pErrInfo);
1369 return VINF_SUCCESS;
1370
1371#else
1372 /*
1373 * Stat the object, do not follow links.
1374 */
1375 if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1376 return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1377 5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1378
1379 /*
1380 * Read ACLs.
1381 */
1382 /** @todo */
1383
1384 return VINF_SUCCESS;
1385#endif
1386}
1387
1388
1389/**
1390 * Verifies that the file system object indicated by the native handle is the
1391 * same as the one @a pFsObjState indicates.
1392 *
1393 * @returns VBox status code, error buffer filled on failure.
1394 * @param pFsObjState1 File system object information/state by path.
1395 * @param pFsObjState2 File system object information/state by handle.
1396 * @param pszPath The path to the object @a pFsObjState
1397 * describes. (For the error message.)
1398 * @param pErrInfo The error info structure.
1399 */
1400static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1401 const char *pszPath, PRTERRINFO pErrInfo)
1402{
1403#if defined(RT_OS_WINDOWS)
1404 /** @todo Windows hardening. */
1405 RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1406 return VINF_SUCCESS;
1407
1408#elif defined(RT_OS_OS2)
1409 RT_NOREF4(pFsObjState1, pFsObjState2, pszPath, pErrInfo);
1410 return VINF_SUCCESS;
1411
1412#else
1413 /*
1414 * Compare the ino+dev, then the uid+gid and finally the important mode
1415 * bits. Technically the first one should be enough, but we're paranoid.
1416 */
1417 if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1418 || pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1419 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1420 "The native handle is not the same as '", pszPath, "' (ino/dev)");
1421 if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1422 || pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1423 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1424 "The native handle is not the same as '", pszPath, "' (uid/gid)");
1425 if ( (pFsObjState1->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH))
1426 != (pFsObjState2->Stat.st_mode & (S_IFMT | S_IWUSR | S_IWGRP | S_IWOTH)))
1427 return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1428 "The native handle is not the same as '", pszPath, "' (mode)");
1429 return VINF_SUCCESS;
1430#endif
1431}
1432
1433
1434/**
1435 * Verifies a file system object (file or directory).
1436 *
1437 * @returns VBox status code, error buffer filled on failure.
1438 * @param pFsObjState The file system object information/state to be
1439 * verified.
1440 * @param fDir Whether this is a directory or a file.
1441 * @param fRelaxed Whether we can be more relaxed about this
1442 * directory (only used for grand parent
1443 * directories).
1444 * @param fSymlinksAllowed Flag whether symlinks are allowed or not.
1445 * If allowed the symlink object is verified not the target.
1446 * @param pszPath The path to the object. For error messages and
1447 * securing a couple of hacks.
1448 * @param pErrInfo The error info structure.
1449 */
1450static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1451 bool fSymlinksAllowed, const char *pszPath, PRTERRINFO pErrInfo)
1452{
1453#if defined(RT_OS_WINDOWS)
1454 /** @todo Windows hardening. */
1455 RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
1456 return VINF_SUCCESS;
1457
1458#elif defined(RT_OS_OS2)
1459 /* No hardening here - it's a single user system. */
1460 RT_NOREF(pFsObjState, fDir, fRelaxed, fSymlinksAllowed, pszPath, pErrInfo);
1461 return VINF_SUCCESS;
1462
1463#else
1464 /*
1465 * The owner must be root.
1466 *
1467 * This can be extended to include predefined system users if necessary.
1468 */
1469 if (pFsObjState->Stat.st_uid != 0)
1470 return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1471
1472 /*
1473 * The object type must be directory or file. It can be a symbolic link
1474 * if explicitely allowed. Otherwise this and other risky stuff is not allowed
1475 * (sorry dude, but we're paranoid on purpose here).
1476 */
1477 if ( !S_ISLNK(pFsObjState->Stat.st_mode)
1478 || !fSymlinksAllowed)
1479 {
1480
1481 if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1482 && !S_ISREG(pFsObjState->Stat.st_mode))
1483 {
1484 if (S_ISLNK(pFsObjState->Stat.st_mode))
1485 return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1486 "Symlinks are not permitted: '", pszPath, "'");
1487 return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1488 "Not regular file or directory: '", pszPath, "'");
1489 }
1490 if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1491 {
1492 if (S_ISDIR(pFsObjState->Stat.st_mode))
1493 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1494 "Expected file but found directory: '", pszPath, "'");
1495 return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1496 "Expected directory but found file: '", pszPath, "'");
1497 }
1498 }
1499
1500 /*
1501 * The group does not matter if it does not have write access, if it has
1502 * write access it must be group 0 (root/wheel/whatever).
1503 *
1504 * This can be extended to include predefined system groups or groups that
1505 * only root is member of.
1506 */
1507 if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1508 && pFsObjState->Stat.st_gid != 0)
1509 {
1510# ifdef RT_OS_DARWIN
1511 /* HACK ALERT: On Darwin /Applications is root:admin with admin having
1512 full access. So, to work around we relax the hardening a bit and
1513 permit grand parents and beyond to be group writable by admin. */
1514 /** @todo dynamically resolve the admin group? */
1515 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 80 /*admin*/ || suplibHardenedStrCmp(pszPath, "/Applications");
1516
1517# elif defined(RT_OS_FREEBSD)
1518 /* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1519 similar to /Applications on OS X (see above).
1520 On FreeBSD root is normally the only member of this group, on
1521 PC-BSD the default user is a member. */
1522 /** @todo dynamically resolve the operator group? */
1523 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 5 /*operator*/ || suplibHardenedStrCmp(pszPath, "/usr/pbi");
1524 NOREF(fRelaxed);
1525# elif defined(RT_OS_SOLARIS)
1526 /* HACK ALERT: Solaris has group-writable /usr/lib/iconv directory from
1527 which the appropriate module is loaded.
1528 By default only root and daemon are part of that group.
1529 . */
1530 /** @todo dynamically resolve the bin group? */
1531 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 2 /*bin*/ || suplibHardenedStrCmp(pszPath, "/usr/lib/iconv");
1532# else
1533 NOREF(fRelaxed);
1534 bool fBad = true;
1535# endif
1536 if (fBad)
1537 return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1538 "An unknown (and thus untrusted) group has write access to '", pszPath,
1539 "' and we therefore cannot trust the directory content or that of any subdirectory");
1540 }
1541
1542 /*
1543 * World must not have write access. There is no relaxing this rule.
1544 * Linux exception: Symbolic links are always give permission 0777, there
1545 * is no lchmod or lchown APIs. The permissions on parent
1546 * directory that contains the symbolic link is what is
1547 * decising wrt to modifying it. (Caller is expected not
1548 * to allow symbolic links in the first path component.)
1549 */
1550 if ( (pFsObjState->Stat.st_mode & S_IWOTH)
1551# ifdef RT_OS_LINUX
1552 && ( !S_ISLNK(pFsObjState->Stat.st_mode)
1553 || !fSymlinksAllowed /* paranoia */)
1554# endif
1555 )
1556 return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1557 "World writable: '", pszPath, "'");
1558
1559 /*
1560 * Check the ACLs.
1561 */
1562 /** @todo */
1563
1564 return VINF_SUCCESS;
1565#endif
1566}
1567
1568
1569/**
1570 * Verifies that the file system object indicated by the native handle is the
1571 * same as the one @a pFsObjState indicates.
1572 *
1573 * @returns VBox status code, error buffer filled on failure.
1574 * @param hNative The native handle to the object @a pszPath
1575 * specifies and this should be verified to be the
1576 * same file system object.
1577 * @param pFsObjState The information/state returned by a previous
1578 * query call.
1579 * @param pszPath The path to the object @a pFsObjState
1580 * describes. (For the error message.)
1581 * @param pErrInfo The error info structure.
1582 */
1583static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1584 const char *pszPath, PRTERRINFO pErrInfo)
1585{
1586 SUPR3HARDENEDFSOBJSTATE FsObjState2;
1587 int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1588 if (RT_SUCCESS(rc))
1589 rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1590 return rc;
1591}
1592
1593
1594/**
1595 * Does the recursive directory enumeration.
1596 *
1597 * @returns VBox status code, error buffer filled on failure.
1598 * @param pszDirPath The path buffer containing the subdirectory to
1599 * enumerate followed by a slash (this is never
1600 * the root slash). The buffer is RTPATH_MAX in
1601 * size and anything starting at @a cchDirPath
1602 * - 1 and beyond is scratch space.
1603 * @param cchDirPath The length of the directory path + slash.
1604 * @param pFsObjState Pointer to the file system object state buffer.
1605 * On input this will hold the stats for
1606 * the directory @a pszDirPath indicates and will
1607 * be used to verified that we're opening the same
1608 * thing.
1609 * @param fRecursive Whether to recurse into subdirectories.
1610 * @param pErrInfo The error info structure.
1611 */
1612static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1613 bool fRecursive, PRTERRINFO pErrInfo)
1614{
1615#if defined(RT_OS_WINDOWS)
1616 /** @todo Windows hardening. */
1617 RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1618 return VINF_SUCCESS;
1619
1620#elif defined(RT_OS_OS2)
1621 /* No hardening here - it's a single user system. */
1622 RT_NOREF5(pszDirPath, cchDirPath, pFsObjState, fRecursive, pErrInfo);
1623 return VINF_SUCCESS;
1624
1625#else
1626 /*
1627 * Open the directory. Now, we could probably eliminate opendir here
1628 * and go down on kernel API level (open + getdents for instance), however
1629 * that's not very portable and hopefully not necessary.
1630 */
1631 DIR *pDir = opendir(pszDirPath);
1632 if (!pDir)
1633 {
1634 /* Ignore access errors. */
1635 if (errno == EACCES)
1636 return VINF_SUCCESS;
1637 return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1638 5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1639 }
1640 if (dirfd(pDir) != -1)
1641 {
1642 int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1643 if (RT_FAILURE(rc))
1644 {
1645 closedir(pDir);
1646 return rc;
1647 }
1648 }
1649
1650 /*
1651 * Enumerate the directory, check all the requested bits.
1652 */
1653 int rc = VINF_SUCCESS;
1654 for (;;)
1655 {
1656 pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1657
1658 struct dirent Entry;
1659 struct dirent *pEntry;
1660#if RT_GNUC_PREREQ(4, 6)
1661# pragma GCC diagnostic push
1662# pragma GCC diagnostic ignored "-Wdeprecated-declarations"
1663#endif
1664 int iErr = readdir_r(pDir, &Entry, &pEntry);
1665#if RT_GNUC_PREREQ(4, 6)
1666# pragma GCC diagnostic pop
1667#endif
1668 if (iErr)
1669 {
1670 rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1671 5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1672 break;
1673 }
1674 if (!pEntry)
1675 break;
1676
1677 /*
1678 * Check the length and copy it into the path buffer so it can be
1679 * stat()'ed.
1680 */
1681 size_t cchName = suplibHardenedStrLen(pEntry->d_name);
1682 if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1683 {
1684 rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1685 4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1686 break;
1687 }
1688 suplibHardenedMemCopy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1689
1690 /*
1691 * Query the information about the entry and verify it.
1692 * (We don't bother skipping '.' and '..' at this point, a little bit
1693 * of extra checks doesn't hurt and neither requires relaxed handling.)
1694 */
1695 rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1696 if (RT_SUCCESS(rc))
1697 break;
1698 rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /*fRelaxed*/,
1699 false /*fSymlinksAllowed*/, pszDirPath, pErrInfo);
1700 if (RT_FAILURE(rc))
1701 break;
1702
1703 /*
1704 * Recurse into subdirectories if requested.
1705 */
1706 if ( fRecursive
1707 && S_ISDIR(pFsObjState->Stat.st_mode)
1708 && suplibHardenedStrCmp(pEntry->d_name, ".")
1709 && suplibHardenedStrCmp(pEntry->d_name, ".."))
1710 {
1711 pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1712 pszDirPath[cchDirPath + cchName + 1] = '\0';
1713
1714 rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1715 fRecursive, pErrInfo);
1716 if (RT_FAILURE(rc))
1717 break;
1718 }
1719 }
1720
1721 closedir(pDir);
1722 return VINF_SUCCESS;
1723#endif
1724}
1725
1726
1727/**
1728 * Worker for SUPR3HardenedVerifyDir.
1729 *
1730 * @returns See SUPR3HardenedVerifyDir.
1731 * @param pszDirPath See SUPR3HardenedVerifyDir.
1732 * @param fRecursive See SUPR3HardenedVerifyDir.
1733 * @param fCheckFiles See SUPR3HardenedVerifyDir.
1734 * @param pErrInfo See SUPR3HardenedVerifyDir.
1735 */
1736DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1737{
1738 /*
1739 * Validate the input path and parse it.
1740 */
1741 SUPR3HARDENEDPATHINFO Info;
1742 int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1743 if (RT_FAILURE(rc))
1744 return rc;
1745
1746 /*
1747 * Verify each component from the root up.
1748 */
1749 SUPR3HARDENEDFSOBJSTATE FsObjState;
1750 uint32_t const cComponents = Info.cComponents;
1751 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1752 {
1753 bool fRelaxed = iComponent + 2 < cComponents;
1754 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1755 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1756 if (RT_SUCCESS(rc))
1757 rc = supR3HardenedVerifyFsObject(&FsObjState, true /*fDir*/, fRelaxed,
1758 false /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
1759 if (RT_FAILURE(rc))
1760 return rc;
1761 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1762 }
1763
1764 /*
1765 * Check files and subdirectories if requested.
1766 */
1767 if (fCheckFiles || fRecursive)
1768 {
1769 Info.szPath[Info.cch] = RTPATH_SLASH;
1770 Info.szPath[Info.cch + 1] = '\0';
1771 return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1772 fRecursive, pErrInfo);
1773 }
1774
1775 return VINF_SUCCESS;
1776}
1777
1778
1779/**
1780 * Verfies a file.
1781 *
1782 * @returns VBox status code, error buffer filled on failure.
1783 * @param pszFilename The file to verify.
1784 * @param hNativeFile Handle to the file, verify that it's the same
1785 * as we ended up with when verifying the path.
1786 * RTHCUINTPTR_MAX means NIL here.
1787 * @param fMaybe3rdParty Set if the file is could be a supplied by a
1788 * third party. Different validation rules may
1789 * apply to 3rd party code on some platforms.
1790 * @param pErrInfo Where to return extended error information.
1791 * Optional.
1792 */
1793DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
1794 bool fMaybe3rdParty, PRTERRINFO pErrInfo)
1795{
1796 /*
1797 * Validate the input path and parse it.
1798 */
1799 SUPR3HARDENEDPATHINFO Info;
1800 int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1801 if (RT_FAILURE(rc))
1802 return rc;
1803 if (Info.fDirSlash)
1804 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1805 "The file path specifies a directory: '", pszFilename, "'");
1806
1807 /*
1808 * Verify each component from the root up.
1809 */
1810 SUPR3HARDENEDFSOBJSTATE FsObjState;
1811 uint32_t const cComponents = Info.cComponents;
1812 for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1813 {
1814 bool fFinal = iComponent + 1 == cComponents;
1815 bool fRelaxed = iComponent + 2 < cComponents;
1816 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1817 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1818 if (RT_SUCCESS(rc))
1819 rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed,
1820 false /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
1821 if (RT_FAILURE(rc))
1822 return rc;
1823 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1824 }
1825
1826 /*
1827 * Verify the file handle against the last component, if specified.
1828 */
1829 if (hNativeFile != RTHCUINTPTR_MAX)
1830 {
1831 rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1832 if (RT_FAILURE(rc))
1833 return rc;
1834 }
1835
1836#ifdef RT_OS_WINDOWS
1837 /*
1838 * The files shall be signed on windows, verify that.
1839 */
1840 rc = VINF_SUCCESS;
1841 HANDLE hVerify;
1842 if (hNativeFile == RTHCUINTPTR_MAX)
1843 {
1844 PRTUTF16 pwszPath;
1845 rc = RTStrToUtf16(pszFilename, &pwszPath);
1846 if (RT_SUCCESS(rc))
1847 {
1848 hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1849 RTUtf16Free(pwszPath);
1850 }
1851 else
1852 {
1853 rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
1854 hVerify = INVALID_HANDLE_VALUE;
1855 }
1856 }
1857 else
1858 {
1859 NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
1860 GENERIC_READ, 0 /*HandleAttributes*/, 0 /*Options*/);
1861 if (!NT_SUCCESS(rcNt))
1862 hVerify = INVALID_HANDLE_VALUE;
1863 }
1864 if (hVerify != INVALID_HANDLE_VALUE)
1865 {
1866# ifdef VBOX_WITH_HARDENING
1867 uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
1868 if (!fMaybe3rdParty)
1869 fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
1870 const char *pszSuffix = RTPathSuffix(pszFilename);
1871 if ( pszSuffix
1872 && pszSuffix[0] == '.'
1873 && ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
1874 || RT_C_TO_LOWER(pszSuffix[1]) == 'g')
1875 && RT_C_TO_LOWER(pszSuffix[2]) == 'c'
1876 && pszSuffix[3] == '\0' )
1877 fFlags |= SUPHNTVI_F_RC_IMAGE;
1878# ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
1879 rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
1880# endif
1881# else
1882 RT_NOREF1(fMaybe3rdParty);
1883# endif
1884 NtClose(hVerify);
1885 }
1886 else if (RT_SUCCESS(rc))
1887 rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
1888 "Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
1889 if (RT_FAILURE(rc))
1890 return rc;
1891#else
1892 RT_NOREF1(fMaybe3rdParty);
1893#endif
1894
1895 return VINF_SUCCESS;
1896}
1897
1898
1899#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX)
1900/**
1901 * Verfies a file following symlinks.
1902 *
1903 * @returns VBox status code, error buffer filled on failure.
1904 * @param pszFilename The file to verify.
1905 * @param hNativeFile Handle to the file, verify that it's the same
1906 * as we ended up with when verifying the path.
1907 * RTHCUINTPTR_MAX means NIL here.
1908 * @param fMaybe3rdParty Set if the file is could be a supplied by a
1909 * third party. Different validation rules may
1910 * apply to 3rd party code on some platforms.
1911 * @param pErrInfo Where to return extended error information.
1912 * Optional.
1913 *
1914 * @note This is only used on OS X for libraries loaded with dlopen() because
1915 * the frameworks use symbolic links to point to the relevant library.
1916 *
1917 * @sa supR3HardenedVerifyFile
1918 */
1919DECLHIDDEN(int) supR3HardenedVerifyFileFollowSymlinks(const char *pszFilename, RTHCUINTPTR hNativeFile, bool fMaybe3rdParty,
1920 PRTERRINFO pErrInfo)
1921{
1922 RT_NOREF1(fMaybe3rdParty);
1923
1924 /*
1925 * Validate the input path and parse it.
1926 */
1927 SUPR3HARDENEDPATHINFO Info;
1928 int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1929 if (RT_FAILURE(rc))
1930 return rc;
1931 if (Info.fDirSlash)
1932 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1933 "The file path specifies a directory: '", pszFilename, "'");
1934
1935 /*
1936 * Verify each component from the root up.
1937 */
1938#ifndef SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH
1939 uint32_t iLoops = 0;
1940#endif
1941 SUPR3HARDENEDFSOBJSTATE FsObjState;
1942 uint32_t iComponent = 0;
1943 while (iComponent < Info.cComponents)
1944 {
1945 bool fFinal = iComponent + 1 == Info.cComponents;
1946 bool fRelaxed = iComponent + 2 < Info.cComponents;
1947 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1948 rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1949 if (RT_SUCCESS(rc))
1950 {
1951 /*
1952 * In case the component is a symlink expand it and start from the beginning after
1953 * verifying it has the proper access rights.
1954 * Furthermore only allow symlinks which don't contain any .. or . in the target
1955 * (enforced by supR3HardenedVerifyPathSanity).
1956 */
1957 rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /*fDir*/, fRelaxed,
1958 true /*fSymlinksAllowed*/, Info.szPath, pErrInfo);
1959 if ( RT_SUCCESS(rc)
1960 && S_ISLNK(FsObjState.Stat.st_mode))
1961 {
1962#if SUP_HARDENED_VERIFY_FOLLOW_SYMLINKS_USE_REALPATH /* Another approach using realpath() and verifying the result when encountering a symlink. */
1963 char *pszFilenameResolved = realpath(pszFilename, NULL);
1964 if (pszFilenameResolved)
1965 {
1966 rc = supR3HardenedVerifyFile(pszFilenameResolved, hNativeFile, fMaybe3rdParty, pErrInfo);
1967 free(pszFilenameResolved);
1968 return rc;
1969 }
1970 else
1971 {
1972 int iErr = errno;
1973 supR3HardenedError(VERR_ACCESS_DENIED, false /*fFatal*/,
1974 "supR3HardenedVerifyFileFollowSymlinks: Failed to resolve the real path '%s': %s (%d)\n",
1975 pszFilename, strerror(iErr), iErr);
1976 return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
1977 "realpath failed for '", pszFilename, "': ", strerror(iErr));
1978 }
1979#else
1980 /* Don't loop forever. */
1981 iLoops++;
1982 if (iLoops < 8)
1983 {
1984 /*
1985 * Construct new path by replacing the current component by the symlink value.
1986 * Note! readlink() is a weird API that doesn't necessarily indicates if the
1987 * buffer is too small.
1988 */
1989 char szPath[RTPATH_MAX];
1990 size_t const cchBefore = Info.aoffComponents[iComponent]; /* includes slash */
1991 size_t const cchAfter = fFinal ? 0 : 1 /*slash*/ + Info.cch - Info.aoffComponents[iComponent + 1];
1992 if (sizeof(szPath) > cchBefore + cchAfter + 2)
1993 {
1994 ssize_t cchTarget = readlink(Info.szPath, szPath, sizeof(szPath) - 1);
1995 if (cchTarget > 0)
1996 {
1997 /* Some serious paranoia against embedded zero terminator and weird return values. */
1998 szPath[cchTarget] = '\0';
1999 size_t cchLink = strlen(szPath);
2000
2001 /* Strip trailing dirslashes of non-final link. */
2002 if (!fFinal)
2003 while (cchLink > 1 and szPath[cchLink - 1] == '/')
2004 cchLink--;
2005
2006 /* Check link value sanity and buffer size. */
2007 if (cchLink == 0)
2008 return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
2009 "Bad readlink return for '", Info.szPath, "'");
2010 if (szPath[0] == '/')
2011 return supR3HardenedSetError3(VERR_ACCESS_DENIED, pErrInfo,
2012 "Absolute symbolic link not allowed: '", szPath, "'");
2013 if (cchBefore + cchLink + cchAfter + 1 /*terminator*/ > sizeof(szPath))
2014 return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
2015 "Symlinks causing too long path!");
2016
2017 /* Construct the new path. */
2018 if (cchBefore)
2019 memmove(&szPath[cchBefore], &szPath[0], cchLink);
2020 memcpy(&szPath[0], Info.szPath, cchBefore);
2021 if (!cchAfter)
2022 szPath[cchBefore + cchLink] = '\0';
2023 else
2024 {
2025 szPath[cchBefore + cchLink] = RTPATH_SLASH;
2026 memcpy(&szPath[cchBefore + cchLink + 1],
2027 &Info.szPath[Info.aoffComponents[iComponent + 1]],
2028 cchAfter); /* cchAfter includes a zero terminator */
2029 }
2030
2031 /* Parse, copy and check the sanity (no '..' or '.') of the altered path. */
2032 rc = supR3HardenedVerifyPathSanity(szPath, pErrInfo, &Info);
2033 if (RT_FAILURE(rc))
2034 return rc;
2035 if (Info.fDirSlash)
2036 return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
2037 "The file path specifies a directory: '", szPath, "'");
2038
2039 /* Restart from the current component. */
2040 continue;
2041 }
2042 int iErr = errno;
2043 supR3HardenedError(VERR_ACCESS_DENIED, false /*fFatal*/,
2044 "supR3HardenedVerifyFileFollowSymlinks: Failed to readlink '%s': %s (%d)\n",
2045 Info.szPath, strerror(iErr), iErr);
2046 return supR3HardenedSetError4(VERR_ACCESS_DENIED, pErrInfo,
2047 "readlink failed for '", Info.szPath, "': ", strerror(iErr));
2048 }
2049 return supR3HardenedSetError(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo, "Path too long for symlink replacing!");
2050 }
2051 else
2052 return supR3HardenedSetError3(VERR_TOO_MANY_SYMLINKS, pErrInfo,
2053 "Too many symbolic links: '", pszFilename, "'");
2054#endif
2055 }
2056 }
2057 if (RT_FAILURE(rc))
2058 return rc;
2059 Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
2060 iComponent++;
2061 }
2062
2063 /*
2064 * Verify the file handle against the last component, if specified.
2065 */
2066 if (hNativeFile != RTHCUINTPTR_MAX)
2067 {
2068 rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
2069 if (RT_FAILURE(rc))
2070 return rc;
2071 }
2072
2073 return VINF_SUCCESS;
2074}
2075#endif /* RT_OS_DARWIN || RT_OS_LINUX */
2076
2077
2078/**
2079 * Gets the pre-init data for the hand-over to the other version
2080 * of this code.
2081 *
2082 * The reason why we pass this information on is that it contains
2083 * open directories and files. Later it may include even more info
2084 * (int the verified arrays mostly).
2085 *
2086 * The receiver is supR3HardenedRecvPreInitData.
2087 *
2088 * @param pPreInitData Where to store it.
2089 */
2090DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
2091{
2092 pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
2093 pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
2094 pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
2095
2096 pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
2097 pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
2098}
2099
2100
2101/**
2102 * Receives the pre-init data from the static executable stub.
2103 *
2104 * @returns VBox status code. Will not bitch on failure since the
2105 * runtime isn't ready for it, so that is left to the exe stub.
2106 *
2107 * @param pPreInitData The hand-over data.
2108 */
2109DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
2110{
2111 /*
2112 * Compare the array lengths and the contents of g_aSupInstallFiles.
2113 */
2114 if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
2115 || pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
2116 return VERR_VERSION_MISMATCH;
2117 SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
2118 for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
2119 if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
2120 || g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
2121 || g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
2122 || suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
2123 return VERR_VERSION_MISMATCH;
2124
2125 /*
2126 * Check that we're not called out of order.
2127 * If dynamic linking it screwed up, we may end up here.
2128 */
2129 if ( !ASMMemIsZero(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles))
2130 || !ASMMemIsZero(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs)))
2131 return VERR_WRONG_ORDER;
2132
2133 /*
2134 * Copy the verification data over.
2135 */
2136 suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
2137 suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
2138 return VINF_SUCCESS;
2139}
Note: See TracBrowser for help on using the repository browser.

© 2023 Oracle
ContactPrivacy policyTerms of Use