SUPR3HardenedMain.cpp revision 88d7b87c38cc3800f532139696785e8c96bfd531
/* $Id$ */
/** @file
* VirtualBox Support Library - Hardened main().
*/
/*
* Copyright (C) 2006-2014 Oracle Corporation
*
* This file is part of VirtualBox Open Source Edition (OSE), as
* available from http://www.virtualbox.org. This file is free software;
* General Public License (GPL) as published by the Free Software
* Foundation, in version 2 as it comes in the "COPYING" file of the
* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
*
* The contents of this file may alternatively be used under the terms
* of the Common Development and Distribution License Version 1.0
* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
* VirtualBox OSE distribution, in which case the provisions of the
* CDDL are applicable instead of those of the GPL.
*
* You may elect to license modified versions of this file under the
* terms and conditions of either the GPL or the CDDL or both.
*/
/*******************************************************************************
* Header Files *
*******************************************************************************/
#if defined(RT_OS_OS2)
# define INCL_BASE
# define INCL_ERRORS
# include <os2.h>
# include <stdio.h>
# include <stdlib.h>
# include <dlfcn.h>
# include <unistd.h>
#else /* UNIXes */
# include <stdio.h>
# include <stdlib.h>
# include <dlfcn.h>
# include <limits.h>
# include <errno.h>
# include <unistd.h>
# if defined(RT_OS_LINUX)
libcap1 or libcap2 */
# include <sys/capability.h>
# ifndef CAP_TO_MASK
# endif
# elif defined(RT_OS_FREEBSD)
# elif defined(RT_OS_SOLARIS)
# include <priv.h>
# endif
# include <pwd.h>
# ifdef RT_OS_DARWIN
# endif
#endif
#ifdef RT_OS_WINDOWS
#endif
#include <iprt/initterm.h>
#include "SUPLibInternal.h"
/*******************************************************************************
* Defined Constants And Macros *
*******************************************************************************/
/** @def SUP_HARDENED_SUID
* Whether we're employing set-user-ID-on-execute in the hardening.
*/
# define SUP_HARDENED_SUID
#else
#endif
/** @def SUP_HARDENED_SYM
* Decorate a symbol that's resolved dynamically.
*/
#ifdef RT_OS_OS2
#else
#endif
/*******************************************************************************
* Structures and Typedefs *
*******************************************************************************/
/** @see RTR3InitEx */
char **papszArgs, const char *pszProgramPath);
typedef FNRTR3INITEX *PFNRTR3INITEX;
/*******************************************************************************
* Global Variables *
*******************************************************************************/
/** The pre-init data we pass on to SUPR3 (residing in VBoxRT). */
static SUPPREINITDATA g_SupPreInitData;
/** The program executable path. */
#ifndef RT_OS_WINDOWS
static
#endif
/** The program directory path. */
static char g_szSupLibHardenedDirPath[RTPATH_MAX];
/** The program name. */
static const char *g_pszSupLibHardenedProgName;
/** The flags passed to SUPR3HardenedMain. */
static uint32_t g_fSupHardenedMain;
#ifdef SUP_HARDENED_SUID
/** The real UID at startup. */
/** The real GID at startup. */
# ifdef RT_OS_LINUX
# endif
#endif
/** The startup log file. */
#ifdef RT_OS_WINDOWS
#else
static int g_hStartupLog = -1;
#endif
/** The number of bytes we've written to the startup log. */
static uint32_t volatile g_cbStartupLog = 0;
/** The current SUPR3HardenedMain state / location. */
/*******************************************************************************
* Internal Functions *
*******************************************************************************/
#ifdef SUP_HARDENED_SUID
static void supR3HardenedMainDropPrivileges(void);
#endif
/**
* Safely copy one or more strings into the given buffer.
*
* @returns VINF_SUCCESS or VERR_BUFFER_OVERFLOW.
* @param pszDst The destionation buffer.
* @param cbDst The size of the destination buffer.
* @param ... One or more zero terminated strings, ending with
* a NULL.
*/
{
int rc = VINF_SUCCESS;
if (cbDst == 0)
return VERR_BUFFER_OVERFLOW;
for (;;)
{
if (!pszSrc)
break;
{
}
else
{
if (cbDst > 1)
{
cbDst = 1;
}
}
*pszDst = '\0';
}
return rc;
}
/**
* Exit current process in the quickest possible fashion.
*
* @param rcExit The exit code.
*/
{
for (;;)
{
#ifdef RT_OS_WINDOWS
if (RtlExitUserProcess != NULL)
#else
#endif
}
}
/**
* Writes a substring to standard error.
*
* @param pch The start of the substring.
* @param cch The length of the substring.
*/
{
#ifdef RT_OS_WINDOWS
{
{
}
/* Windows 7 and earlier uses fake handles, with the last two bits set ((hStdOut & 3) == 3). */
{
}
}
#else
#endif
}
/**
* Writes a string to standard error.
*
* @param psz The string.
*/
static void suplibHardenedPrintStr(const char *psz)
{
}
/**
* Writes a char to standard error.
*
* @param ch The character value to write.
*/
static void suplibHardenedPrintChr(char ch)
{
}
/**
* Writes a decimal number to stdard error.
*
* @param uValue The value.
*/
{
char szBuf[64];
*psz-- = '\0';
do
{
uValue /= 10;
} while (uValue > 0);
psz++;
}
/**
* Writes a hexadecimal or octal number to standard error.
*
* @param uValue The value.
* @param uBase The base (16 or 8).
* @param fFlags Format flags.
*/
{
char szBuf[64];
*psz-- = '\0';
do
{
} while (uValue > 0);
{
*psz-- = '0';
}
psz++;
}
/**
* Writes a wide character string to standard error.
*
* @param pwsz The string.
*/
{
for (;;)
{
if (!wc)
return;
|| wc == '\n'
|| wc == '\r')
suplibHardenedPrintChr((char)wc);
else
{
}
}
}
#ifdef IPRT_NO_CRT
/** Buffer structure used by suplibHardenedOutput. */
struct SUPLIBHARDENEDOUTPUTBUF
{
char szBuf[2048];
};
/** Callback for RTStrFormatV, see FNRTSTROUTPUT. */
static DECLCALLBACK(size_t) suplibHardenedOutput(void *pvArg, const char *pachChars, size_t cbChars)
{
for (;;)
{
/* Flush the buffer? */
if ( cbSpace == 0
{
# ifdef RT_OS_WINDOWS
# endif
}
/* Copy the string into the buffer. */
if (cbTodo == 1)
{
break;
}
{
break;
}
}
return cbChars;
}
#endif /* IPRT_NO_CRT */
/**
* Simple printf to standard error.
*
* @param pszFormat The format string.
* @param va Arguments to format.
*/
{
#ifdef IPRT_NO_CRT
/*
* Use buffered output here to avoid character mixing on the windows
* console and to enable us to use OutputDebugString.
*/
#else /* !IPRT_NO_CRT */
/*
* Format loop.
*/
char ch;
for (;;)
{
if (!ch)
break;
pszFormat++;
if (ch == '%')
{
/*
* Format argument.
*/
/* Flush unwritten bits. */
/* flags. */
for (;;)
{
else break;
}
/* Width and precision - ignored. */
while (RT_C_IS_DIGIT(ch))
if (ch == '*')
if (ch == '.')
{
while (RT_C_IS_DIGIT(ch));
if (ch == '*')
}
/* Size. */
char chArgSize = 0;
switch (ch)
{
case 'z':
case 'L':
case 'j':
case 't':
break;
case 'l':
if (ch == 'l')
{
chArgSize = 'L';
}
break;
case 'h':
if (ch == 'h')
{
chArgSize = 'H';
}
break;
}
/*
* Do type specific formatting.
*/
switch (ch)
{
case 'c':
break;
case 's':
if (chArgSize == 'l')
{
if (RT_VALID_PTR(pwszStr))
else
suplibHardenedPrintStr("<NULL>");
}
else
{
if (!RT_VALID_PTR(pszStr))
pszStr = "<NULL>";
}
break;
case 'd':
case 'i':
{
else if (chArgSize == 'l')
else
if (iValue < 0)
{
suplibHardenedPrintChr('-');
}
break;
}
case 'p':
case 'x':
case 'X':
case 'u':
case 'o':
{
unsigned uBase = 10;
switch (ch)
{
case 'p':
uBase = 16;
break;
case 'X':
case 'x':
uBase = 16;
break;
case 'u':
uBase = 10;
break;
case 'o':
uBase = 8;
break;
}
else if (chArgSize == 'l')
else
if (uBase == 10)
else
break;
}
case 'R':
{
if (iValue < 0)
{
suplibHardenedPrintChr('-');
}
pszFormat += 2;
break;
}
/* fall thru */
/*
* Custom format.
*/
default:
suplibHardenedPrintStr("[bad format: ");
suplibHardenedPrintChr(']');
break;
}
/* continue */
}
}
/* Flush the last bits of the string. */
#endif /* !IPRT_NO_CRT */
}
/**
* Prints to standard error.
*
* @param pszFormat The format string.
* @param ... Arguments to format.
*/
{
}
/**
* @copydoc RTPathStripFilename.
*/
static void suplibHardenedPathStripFilename(char *pszPath)
{
char *pszLastSep = pszPath;
for (;; psz++)
{
switch (*psz)
{
/* handle separators. */
#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
case ':':
break;
case '\\':
#endif
case '/':
pszLastSep = psz;
break;
/* the end */
case '\0':
if (pszLastSep == pszPath)
*pszLastSep++ = '.';
*pszLastSep = '\0';
return;
}
}
/* will never get here */
}
/**
* @copydoc RTPathFilename
*/
{
const char *pszLastComp = pszPath;
for (;; psz++)
{
switch (*psz)
{
/* handle separators. */
#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
case ':':
break;
case '\\':
#endif
case '/':
break;
/* the end */
case '\0':
if (*pszLastComp)
return (char *)(void *)pszLastComp;
return NULL;
}
}
/* will never get here */
return NULL;
}
/**
* @copydoc RTPathAppPrivateNoArch
*/
{
#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE)
const char *pszSrcPath = RTPATH_APP_PRIVATE;
if (cchPathPrivateNoArch >= cchPath)
supR3HardenedFatal("supR3HardenedPathAppPrivateNoArch: Buffer overflow, %zu >= %zu\n", cchPathPrivateNoArch, cchPath);
return VINF_SUCCESS;
#else
#endif
}
/**
* @copydoc RTPathAppPrivateArch
*/
{
#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE_ARCH)
const char *pszSrcPath = RTPATH_APP_PRIVATE_ARCH;
if (cchPathPrivateArch >= cchPath)
supR3HardenedFatal("supR3HardenedPathAppPrivateArch: Buffer overflow, %zu >= %zu\n", cchPathPrivateArch, cchPath);
return VINF_SUCCESS;
#else
#endif
}
/**
* @copydoc RTPathSharedLibs
*/
{
#if !defined(RT_OS_WINDOWS) && defined(RTPATH_SHARED_LIBS)
const char *pszSrcPath = RTPATH_SHARED_LIBS;
if (cchPathSharedLibs >= cchPath)
supR3HardenedFatal("supR3HardenedPathSharedLibs: Buffer overflow, %zu >= %zu\n", cchPathSharedLibs, cchPath);
return VINF_SUCCESS;
#else
#endif
}
/**
* @copydoc RTPathAppDocs
*/
{
#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_DOCS)
const char *pszSrcPath = RTPATH_APP_DOCS;
if (cchPathAppDocs >= cchPath)
supR3HardenedFatal("supR3HardenedPathAppDocs: Buffer overflow, %zu >= %zu\n", cchPathAppDocs, cchPath);
return VINF_SUCCESS;
#else
#endif
}
/**
* Returns the full path to the executable.
*
* @returns IPRT status code.
* @param pszPath Where to store it.
* @param cchPath How big that buffer is.
*/
static void supR3HardenedGetFullExePath(void)
{
/*
* Get the program filename.
*
* Most UNIXes have no API for obtaining the executable path, but provides a symbolic
* link in the proc file system that tells who was exec'ed. The bad thing about this
* is that we have to use readlink, one of the weirder UNIX APIs.
*
* Darwin, OS/2 and Windows all have proper APIs for getting the program file name.
*/
# ifdef RT_OS_LINUX
int cchLink = readlink("/proc/self/exe", &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
# elif defined(RT_OS_SOLARIS)
int cchLink = readlink(szFileBuf, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
# else /* RT_OS_FREEBSD */
int aiName[4];
supR3HardenedFatal("supR3HardenedExecDir: sysctl failed\n");
# endif
supR3HardenedFatal("supR3HardenedExecDir: couldn't read \"%s\", errno=%d cchLink=%d\n",
#elif defined(RT_OS_DARWIN)
const char *pszImageName = _dyld_get_image_name(0);
if (!pszImageName)
supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed\n");
supR3HardenedFatal("supR3HardenedExecDir: _dyld_get_image_name(0) failed, cchImageName=%d\n", cchImageName);
#elif defined(RT_OS_WINDOWS)
char *pszDst = g_szSupLibHardenedExePath;
int rc = RTUtf16ToUtf8Ex(g_wszSupLibHardenedExePath, RTSTR_MAX, &pszDst, sizeof(g_szSupLibHardenedExePath), NULL);
if (RT_FAILURE(rc))
#else
#endif
/*
* Strip off the filename part (RTPathStripFilename()).
*/
}
#ifdef RT_OS_LINUX
/**
*
* This is used on linux to see if we have to call init
* with program path or not.
*
* @returns true / false.
*/
static bool supR3HardenedMainIsProcSelfExeAccssible(void)
{
char szPath[RTPATH_MAX];
return cchLink != -1;
}
#endif /* RT_OS_LINUX */
/**
* @copydoc RTPathExecDir
*/
{
/*
* Lazy init (probably not required).
*/
if (!g_szSupLibHardenedDirPath[0])
/*
* Calc the length and check if there is space before copying.
*/
{
return VINF_SUCCESS;
}
return VERR_BUFFER_OVERFLOW;
}
#ifdef RT_OS_WINDOWS
#endif
{
static const char s_szLogOption[] = "--sup-startup-log=";
/*
* Scan the argument vector.
*/
{
/*
* Drop the argument from the vector (has trailing NULL entry).
*/
*pcArgs -= 1;
cArgs -= 1;
/*
* Open the log file, unless we've already opened one.
* First argument takes precedence
*/
#ifdef RT_OS_WINDOWS
if (g_hStartupLog == NULL)
{
NULL);
if (RT_SUCCESS(rc))
else
}
#else
//g_hStartupLog = open()
#endif
}
}
{
#ifdef RT_OS_WINDOWS
if ( g_hStartupLog != NULL
{
char szBuf[5120];
size_t cchPrefix = RTStrPrintf(szBuf, sizeof(szBuf), "%x.%x: ", pSelfId->UniqueProcess, pSelfId->UniqueThread);
}
#else
/* later */
#endif
}
{
}
/**
* Prints the message prefix.
*/
static void suplibHardenedPrintPrefix(void)
{
suplibHardenedPrintStr(": ");
}
DECLHIDDEN(void) supR3HardenedFatalMsgV(const char *pszWhere, SUPINITOP enmWhat, int rc, const char *pszMsgFmt, va_list va)
{
/*
* First to the log.
*/
/*
* Then to the console.
*/
suplibHardenedPrintChr('\n');
switch (enmWhat)
{
case kSupInitOp_Driver:
suplibHardenedPrintChr('\n');
suplibHardenedPrintStr("Tip! Make sure the kernel module is loaded. It may also help to reinstall VirtualBox.\n");
break;
case kSupInitOp_Misc:
case kSupInitOp_IPRT:
case kSupInitOp_Integrity:
case kSupInitOp_RootCheck:
suplibHardenedPrintChr('\n');
suplibHardenedPrintStr("Tip! It may help to reinstall VirtualBox.\n");
break;
default:
/* no hints here */
break;
}
/*
* Don't call TrustedError if it's too early.
*/
{
#ifdef SUP_HARDENED_SUID
/*
* Drop any root privileges we might be holding, this won't return
* if it fails but end up calling supR3HardenedFatal[V].
*/
#endif
/*
* Now try resolve and call the TrustedError entry point if we can
* find it. We'll fork before we attempt this because that way the
* session management in main will see us exiting immediately (if
* it's involved with us).
*/
#if !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
if (pid <= 0)
#endif
{
static volatile bool s_fRecursive = false; /* Loader hooks may cause recursion. */
if (!s_fRecursive)
{
s_fRecursive = true;
if (pfnTrustedError)
s_fRecursive = false;
}
}
}
#if defined(RT_OS_WINDOWS)
/*
* Report the error to the parent if this happens during early VM init.
*/
#endif
/*
* Quit
*/
}
DECLHIDDEN(void) supR3HardenedFatalMsg(const char *pszWhere, SUPINITOP enmWhat, int rc, const char *pszMsgFmt, ...)
{
}
{
supR3HardenedLog("Fatal error:\n");
#if defined(RT_OS_WINDOWS)
/*
* Report the error to the parent if this happens during early VM init.
*/
else
#endif
{
}
}
{
}
{
if (fFatal)
return rc;
}
{
return rc;
}
/**
*
* @remarks This function will not return on failure.
*/
DECLHIDDEN(void) supR3HardenedMainOpenDevice(void)
{
if (RT_SUCCESS(rc))
return;
switch (rc)
{
/** @todo better messages! */
"Kernel driver not installed");
"Kernel driver not accessible");
"VERR_VM_DRIVER_LOAD_ERROR");
"VERR_VM_DRIVER_OPEN_ERROR");
"Kernel driver version mismatch");
case VERR_ACCESS_DENIED:
"VERR_ACCESS_DENIED");
case VERR_NO_MEMORY:
"Kernel memory allocation/mapping failed");
default:
"Unknown rc=%d", rc);
}
}
#ifdef SUP_HARDENED_SUID
/**
* Grabs extra non-root capabilities / privileges that we might require.
*
* This is currently only used for being able to do ICMP from the NAT engine.
*
* @note We still have root privileges at the time of this call.
*/
static void supR3HardenedMainGrabCapabilites(void)
{
# if defined(RT_OS_LINUX)
/*
* We are about to drop all our privileges. Remove all capabilities but
* keep the cap_net_raw capability for ICMP sockets for the NAT stack.
*/
if (g_uCaps != 0)
{
# ifdef USE_LIB_PCAP
/* XXX cap_net_bind_service */
# else
# endif /* !USE_LIB_PCAP */
}
# elif defined(RT_OS_SOLARIS)
/*
* Add net_icmpaccess privilege to effective privileges and limit
* permitted privileges before completely dropping root privileges.
* This requires dropping root privileges temporarily to get the normal
* user's privileges.
*/
if (pPrivEffective && pPrivNew)
{
seteuid(0);
if (!rc)
{
if (!rc)
{
/* Order is important, as one can't set a privilege which is
* not in the permitted privilege set. */
if (rc)
if (rc)
}
else
}
}
else
{
/* for memory allocation failures just continue */
seteuid(0);
}
if (pPrivEffective)
if (pPrivNew)
# endif
}
/*
* Look at the environment for some special options.
*/
static void supR3GrabOptions(void)
{
const char *pszOpt;
# ifdef RT_OS_LINUX
g_uCaps = 0;
/*
* Do _not_ perform any capability-related system calls for root processes
* (leaving g_uCaps at 0).
* (Hint: getuid gets the real user id, not the effective.)
*/
if (getuid() != 0)
{
/*
* CAP_NET_RAW.
* Default: enabled.
* Can be disabled with 'export VBOX_HARD_CAP_NET_RAW=0'.
*/
if ( !pszOpt
/*
* CAP_NET_BIND_SERVICE.
* Default: disabled.
* Can be enabled with 'export VBOX_HARD_CAP_NET_BIND_SERVICE=1'.
*/
if ( pszOpt
}
# endif
}
/**
* Drop any root privileges we might be holding.
*/
static void supR3HardenedMainDropPrivileges(void)
{
/*
* leave fewer traces behind that libs like GTK+ may pick up.
*/
# if defined(RT_OS_DARWIN)
/* The really great thing here is that setreuid isn't available on
OS X 10.4, libc emulates it. While 10.4 have a slightly different and
non-standard setuid implementation compared to 10.5, the following
works the same way with both version since we're super user (10.5 req).
The following will set all three variants of the group and user IDs. */
# elif defined(RT_OS_SOLARIS)
/* Solaris doesn't have setresuid, but the setreuid interface is BSD
compatible and will set the saved uid to euid when we pass it a ruid
that isn't -1 (which we do). */
# else
/* This is the preferred one, full control no questions about semantics.
PORTME: If this isn't work, try join one of two other gangs above. */
{
}
{
}
# endif
/* Check that it worked out all right. */
supR3HardenedFatal("SUPR3HardenedMain: failed to drop root privileges!"
" (euid=%d ruid=%d suid=%d egid=%d rgid=%d sgid=%d; wanted uid=%d and gid=%d)\n",
# if RT_OS_LINUX
/*
* Re-enable the cap_net_raw capability which was disabled during setresuid.
*/
if (g_uCaps != 0)
{
# ifdef USE_LIB_PCAP
/** @todo Warn if that does not work? */
/* XXX cap_net_bind_service */
# else
/** @todo Warn if that does not work? */
# endif /* !USE_LIB_PCAP */
}
# endif
}
#endif /* SUP_HARDENED_SUID */
/**
* and calls RTR3InitEx.
*
* @param fFlags The SUPR3HardenedMain fFlags argument, passed to supR3PreInit.
*
* @remarks VBoxRT contains both IPRT and SUPR3.
* @remarks This function will not return on failure.
*/
{
/*
* Construct the name.
*/
char szPath[RTPATH_MAX];
/*
* Open it and resolve the symbols.
*/
#if defined(RT_OS_WINDOWS)
if (!hMod)
"LoadLibrary \"%s\" failed (rc=%d)",
if (!pfnRTInitEx)
"Entrypoint \"RTR3InitEx\" not found in \"%s\" (rc=%d)",
PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)GetProcAddress(hMod, SUP_HARDENED_SYM("supR3PreInit"));
if (!pfnSUPPreInit)
"Entrypoint \"supR3PreInit\" not found in \"%s\" (rc=%d)",
#else
/* the dlopen crowd */
if (!pvMod)
"dlopen(\"%s\",) failed: %s",
if (!pfnRTInitEx)
"Entrypoint \"RTR3InitEx\" not found in \"%s\"!\ndlerror: %s",
PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("supR3PreInit"));
if (!pfnSUPPreInit)
"Entrypoint \"supR3PreInit\" not found in \"%s\"!\ndlerror: %s",
#endif
/*
* Make the calls.
*/
if (RT_FAILURE(rc))
"supR3PreInit failed with rc=%d", rc);
const char *pszExePath = NULL;
#ifdef RT_OS_LINUX
#endif
if (RT_FAILURE(rc))
"RTR3InitEx failed with rc=%d", rc);
#if defined(RT_OS_WINDOWS)
/*
* Windows: Create thread that terminates the process when the parent stub
* process terminates (VBoxNetDHCP, Ctrl-C, etc).
*/
if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
#endif
}
/**
* resolves the TrustedError symbol.
*
* This is very similar to supR3HardenedMainGetTrustedMain().
*
* @returns Pointer to the trusted error symbol if it is exported, NULL
* and no error messages otherwise.
* @param pszProgName The program name.
*/
{
/*
* Don't bother if the main() function didn't advertise any TrustedError
* export. It's both a waste of time and may trigger additional problems,
* confusing or obscuring the original issue.
*/
return NULL;
/*
* Construct the name.
*/
char szPath[RTPATH_MAX];
suplibHardenedStrCopyEx(&szPath[cch], sizeof(szPath) - cch, "/", pszProgName, SUPLIB_DLL_SUFF, NULL);
/*
* Open it and resolve the symbol.
*/
#if defined(RT_OS_WINDOWS)
if (!hMod)
return NULL;
if (!pfn)
return NULL;
return (PFNSUPTRUSTEDERROR)pfn;
#else
/* the dlopen crowd */
if (!pvMod)
return NULL;
if (!pvSym)
return NULL;
#endif
}
/**
* resolves the TrustedMain symbol.
*
* @returns Pointer to the trusted main of the actual program.
* @param pszProgName The program name.
* @remarks This function will not return on failure.
*/
{
/*
* Construct the name.
*/
char szPath[RTPATH_MAX];
suplibHardenedStrCopyEx(&szPath[cch], sizeof(szPath) - cch, "/", pszProgName, SUPLIB_DLL_SUFF, NULL);
/*
* Open it and resolve the symbol.
*/
#if defined(RT_OS_WINDOWS)
if (!hMod)
supR3HardenedFatal("supR3HardenedMainGetTrustedMain: LoadLibrary \"%s\" failed, rc=%d\n",
if (!pfn)
supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\" (rc=%d)\n",
return (PFNSUPTRUSTEDMAIN)pfn;
#else
/* the dlopen crowd */
if (!pvMod)
supR3HardenedFatal("supR3HardenedMainGetTrustedMain: dlopen(\"%s\",) failed: %s\n",
if (!pvSym)
supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\"!\ndlerror: %s\n",
#endif
}
/**
* Secure main.
*
* This is used for the set-user-ID-on-execute binaries on unixy systems
* and when using the open-vboxdrv-via-root-service setup on Windows.
*
* This function will perform the integrity checks of the VirtualBox
* installation, open the support driver, open the root service (later),
* and load the DLL corresponding to \a pszProgName and execute its main
* function.
*
* @returns Return code appropriate for main().
*
* @param pszProgName The program name. This will be used to figure out which
* @param fFlags Flags.
* @param argc The argument count.
* @param argv The argument vector.
* @param envp The environment vector.
*/
DECLHIDDEN(int) SUPR3HardenedMain(const char *pszProgName, uint32_t fFlags, int argc, char **argv, char **envp)
{
/*
* Note! At this point there is no IPRT, so we will have to stick
* to basic CRT functions that everyone agree upon.
*/
#ifdef RT_OS_WINDOWS
if (!g_fSupEarlyProcessInit)
#endif
#ifdef SUP_HARDENED_SUID
# ifdef RT_OS_LINUX
/*
* On linux we have to make sure the path is initialized because we
*/
# endif
/*
* Grab any options from the environment.
*/
/*
* Check that we're root, if we aren't then the installation is butchered.
*/
if (geteuid() != 0 /* root */)
"Effective UID is not root (euid=%d egid=%d uid=%d gid=%d)",
#endif /* SUP_HARDENED_SUID */
#ifdef RT_OS_WINDOWS
/*
* Windows: First respawn. On Windows we will respawn the process twice to establish
* something we can put some kind of reliable trust in. The first respawning aims
* at dropping compatibility layers and process "security" solutions.
*/
if ( !g_fSupEarlyProcessInit
&& !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV)
{
SUP_DPRINTF(("SUPR3HardenedMain: Respawn #1\n"));
}
/*
* Windows: Initialize the image verification global data so we can verify the
* signature of the process image and hook the core of the DLL loader API so we
* can check the signature of all DLLs mapped into the process. (Already done
* by early VM process init.)
*/
if (!g_fSupEarlyProcessInit)
#endif /* RT_OS_WINDOWS */
/*
* Validate the installation.
*/
/*
* The next steps are only taken if we actually need to access the support
* driver. (Already done by early VM process init.)
*/
if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
{
#ifdef RT_OS_WINDOWS
/*
* Windows: The second respawn. This time we make a special arrangement
* with vboxdrv to monitor access to the new process from its inception.
*/
{
SUP_DPRINTF(("SUPR3HardenedMain: Respawn #2\n"));
}
SUP_DPRINTF(("SUPR3HardenedMain: Final process, opening VBoxDrv...\n"));
#else
/*
* Open the vboxdrv device.
*/
#endif /* !RT_OS_WINDOWS */
}
#ifdef RT_OS_WINDOWS
/*
* Windows: Enable the use of windows APIs to verify images at load time.
*/
#endif
#ifdef SUP_HARDENED_SUID
/*
* Grab additional capabilities / privileges.
*/
/*
* Drop any root privileges we might be holding (won't return on failure)
*/
#endif
/*
* Load the IPRT, hand the SUPLib part the open driver and
* call RTR3InitEx.
*/
SUP_DPRINTF(("SUPR3HardenedMain: Load Runtime...\n"));
/*
* and pass control to it.
*/
SUP_DPRINTF(("SUPR3HardenedMain: Load TrustedMain...\n"));
}