SUPR3HardenedMain.cpp revision 9f997e760f610c92e3a365be21ead6972bc46130
2N/A * VirtualBox Support Library - Hardened main(). 2N/A * Copyright (C) 2006-2014 Oracle Corporation 2N/A * This file is part of VirtualBox Open Source Edition (OSE), as 2N/A * you can redistribute it and/or modify it under the terms of the GNU 2N/A * General Public License (GPL) as published by the Free Software 2N/A * Foundation, in version 2 as it comes in the "COPYING" file of the 2N/A * VirtualBox OSE distribution. VirtualBox OSE is distributed in the 2N/A * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind. 2N/A * The contents of this file may alternatively be used under the terms 2N/A * of the Common Development and Distribution License Version 1.0 2N/A * (CDDL) only, as it comes in the "COPYING.CDDL" file of the 2N/A * VirtualBox OSE distribution, in which case the provisions of the 2N/A * CDDL are applicable instead of those of the GPL. 2N/A * You may elect to license modified versions of this file under the 2N/A * terms and conditions of either the GPL or the CDDL or both. 2N/A/******************************************************************************* 2N/A*******************************************************************************/ 2N/A libcap1 or libcap2 */ 2N/A/******************************************************************************* 2N/A* Defined Constants And Macros * 2N/A*******************************************************************************/ 2N/A/** @def SUP_HARDENED_SUID 2N/A * Whether we're employing set-user-ID-on-execute in the hardening. 2N/A/** @def SUP_HARDENED_SYM 2N/A * Decorate a symbol that's resolved dynamically. 2N/A/******************************************************************************* 2N/A* Structures and Typedefs * 2N/A*******************************************************************************/ 2N/A/** @see RTR3InitEx */ 2N/A/******************************************************************************* 2N/A*******************************************************************************/ 2N/A/** The pre-init data we pass on to SUPR3 (residing in VBoxRT). */ 2N/A/** The program executable path. */ 2N/A/** The program directory path. */ 2N/A/** The program name. */ 2N/A/** The flags passed to SUPR3HardenedMain. */ 2N/A/** The real UID at startup. */ 2N/A/** The real GID at startup. */ 2N/A/** The startup log file. */ 2N/A/** The number of bytes we've written to the startup log. */ 2N/A/** The current SUPR3HardenedMain state / location. */ 2N/A/******************************************************************************* 2N/A* Internal Functions * 2N/A*******************************************************************************/ 2N/A * Safely copy one or more strings into the given buffer. 2N/A * @returns VINF_SUCCESS or VERR_BUFFER_OVERFLOW. 2N/A * @param pszDst The destionation buffer. 2N/A * @param cbDst The size of the destination buffer. 2N/A * @param ... One or more zero terminated strings, ending with 2N/A * Exit current process in the quickest possible fashion. 2N/A * @param rcExit The exit code. 2N/A * Writes a substring to standard error. 2N/A * @param pch The start of the substring. 2N/A * @param cch The length of the substring. 2N/A /* Windows 7 and earlier uses fake handles, with the last two bits set ((hStdOut & 3) == 3). */ 2N/A * Writes a string to standard error. 2N/A * @param psz The string. 2N/A * Writes a char to standard error. 2N/A * @param ch The character value to write. 2N/A * Writes a decimal number to stdard error. 2N/A * @param uValue The value. 2N/A * Writes a hexadecimal or octal number to standard error. 2N/A * @param uValue The value. 2N/A * @param uBase The base (16 or 8). 2N/A * @param fFlags Format flags. * Writes a wide character string to standard error. * @param pwsz The string. if ( (
wc <
0x7f &&
wc >=
0x20)
/** Buffer structure used by suplibHardenedOutput. */ /** Callback for RTStrFormatV, see FNRTSTROUTPUT. */ /* Copy the string into the buffer. */ * Simple printf to standard error. * @param pszFormat The format string. * @param va Arguments to format. * Use buffered output here to avoid character mixing on the windows * console and to enable us to use OutputDebugString. /* Flush unwritten bits. */ /* Width and precision - ignored. */ * Do type specific formatting. /* Flush the last bits of the string. */ #
endif /* !IPRT_NO_CRT */ * Prints to standard error. * @param pszFormat The format string. * @param ... Arguments to format. * @copydoc RTPathStripFilename. /* will never get here */ * @copydoc RTPathFilename /* will never get here */ * @copydoc RTPathAppPrivateNoArch * @copydoc RTPathAppPrivateArch * @copydoc RTPathSharedLibs * Returns the full path to the executable. * @returns IPRT status code. * @param pszPath Where to store it. * @param cchPath How big that buffer is. * Get the program filename. * Most UNIXes have no API for obtaining the executable path, but provides a symbolic * link in the proc file system that tells who was exec'ed. The bad thing about this * is that we have to use readlink, one of the weirder UNIX APIs. * Darwin, OS/2 and Windows all have proper APIs for getting the program file name. #
else /* RT_OS_FREEBSD */ * Strip off the filename part (RTPathStripFilename()). * This is used on linux to see if we have to call init * with program path or not. * Lazy init (probably not required). * Calc the length and check if there is space before copying. * Scan the argument vector. * Drop the argument from the vector (has trailing NULL entry). * Open the log file, unless we've already opened one. * First argument takes precedence * Prints the message prefix. suplibHardenedPrintStr(
"Tip! Make sure the kernel module is loaded. It may also help to reinstall VirtualBox.\n");
* Don't call TrustedError if it's too early. * Drop any root privileges we might be holding, this won't return * if it fails but end up calling supR3HardenedFatal[V]. * Now try resolve and call the TrustedError entry point if we can * find it. We'll fork before we attempt this because that way the * session management in main will see us exiting immediately (if * it's involved with us). static volatile bool s_fRecursive =
false;
/* Loader hooks may cause recursion. */ * Report the error to the parent if this happens during early VM init. * Report the error to the parent if this happens during early VM init. * @remarks This function will not return on failure. /** @todo better messages! */ "Kernel driver not installed");
"Kernel driver not accessible");
"VERR_VM_DRIVER_LOAD_ERROR");
"VERR_VM_DRIVER_OPEN_ERROR");
"Kernel driver version mismatch");
* Grabs extra non-root capabilities / privileges that we might require. * This is currently only used for being able to do ICMP from the NAT engine. * @note We still have root privileges at the time of this call. * We are about to drop all our privileges. Remove all capabilities but * keep the cap_net_raw capability for ICMP sockets for the NAT stack. /* XXX cap_net_bind_service */ #
endif /* !USE_LIB_PCAP */ * Add net_icmpaccess privilege to effective privileges and limit * permitted privileges before completely dropping root privileges. * This requires dropping root privileges temporarily to get the normal /* Order is important, as one can't set a privilege which is * not in the permitted privilege set. */ /* for memory allocation failures just continue */ * Look at the environment for some special options. * Do _not_ perform any capability-related system calls for root processes * (leaving g_uCaps at 0). * (Hint: getuid gets the real user id, not the effective.) * Can be disabled with 'export VBOX_HARD_CAP_NET_RAW=0'. * Can be enabled with 'export VBOX_HARD_CAP_NET_BIND_SERVICE=1'. * Drop any root privileges we might be holding. * Try use setre[ug]id since this will clear the save uid/gid and thus * leave fewer traces behind that libs like GTK+ may pick up. /* The really great thing here is that setreuid isn't available on OS X 10.4, libc emulates it. While 10.4 have a slightly different and non-standard setuid implementation compared to 10.5, the following works the same way with both version since we're super user (10.5 req). The following will set all three variants of the group and user IDs. */ /* Solaris doesn't have setresuid, but the setreuid interface is BSD compatible and will set the saved uid to euid when we pass it a ruid that isn't -1 (which we do). */ /* This is the preferred one, full control no questions about semantics. PORTME: If this isn't work, try join one of two other gangs above. */ /* Check that it worked out all right. */ " (euid=%d ruid=%d suid=%d egid=%d rgid=%d sgid=%d; wanted uid=%d and gid=%d)\n",
* Re-enable the cap_net_raw capability which was disabled during setresuid. /** @todo Warn if that does not work? */ /* XXX cap_net_bind_service */ /** @todo Warn if that does not work? */ #
endif /* !USE_LIB_PCAP */#
endif /* SUP_HARDENED_SUID */ * Loads the VBoxRT DLL/SO/DYLIB, hands it the open driver, * @param fFlags The SUPR3HardenedMain fFlags argument, passed to supR3PreInit. * @remarks VBoxRT contains both IPRT and SUPR3. * @remarks This function will not return on failure. * Open it and resolve the symbols. "LoadLibrary \"%s\" failed (rc=%d)",
"Entrypoint \"RTR3InitEx\" not found in \"%s\" (rc=%d)",
"Entrypoint \"supR3PreInit\" not found in \"%s\" (rc=%d)",
"dlopen(\"%s\",) failed: %s",
"Entrypoint \"RTR3InitEx\" not found in \"%s\"!\ndlerror: %s",
"Entrypoint \"supR3PreInit\" not found in \"%s\"!\ndlerror: %s",
"supR3PreInit failed with rc=%d",
rc);
"RTR3InitEx failed with rc=%d",
rc);
* Windows: Create thread that terminates the process when the parent stub * process terminates (VBoxNetDHCP, Ctrl-C, etc). * Loads the DLL/SO/DYLIB containing the actual program and * resolves the TrustedError symbol. * This is very similar to supR3HardenedMainGetTrustedMain(). * @returns Pointer to the trusted error symbol if it is exported, NULL * and no error messages otherwise. * @param pszProgName The program name. * Don't bother if the main() function didn't advertise any TrustedError * export. It's both a waste of time and may trigger additional problems, * confusing or obscuring the original issue. * Open it and resolve the symbol. * Loads the DLL/SO/DYLIB containing the actual program and * resolves the TrustedMain symbol. * @returns Pointer to the trusted main of the actual program. * @param pszProgName The program name. * @remarks This function will not return on failure. * Open it and resolve the symbol. supR3HardenedFatal(
"supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\" (rc=%d)\n",
supR3HardenedFatal(
"supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\"!\ndlerror: %s\n",
* This is used for the set-user-ID-on-execute binaries on unixy systems * and when using the open-vboxdrv-via-root-service setup on Windows. * This function will perform the integrity checks of the VirtualBox * installation, open the support driver, open the root service (later), * and load the DLL corresponding to \a pszProgName and execute its main * @returns Return code appropriate for main(). * @param pszProgName The program name. This will be used to figure out which * @param argc The argument count. * @param argv The argument vector. * @param envp The environment vector. * Note! At this point there is no IPRT, so we will have to stick * to basic CRT functions that everyone agree upon. * On linux we have to make sure the path is initialized because we * *might* not be able to access /proc/self/exe after the seteuid call. * Grab any options from the environment. * Check that we're root, if we aren't then the installation is butchered. "Effective UID is not root (euid=%d egid=%d uid=%d gid=%d)",
#
endif /* SUP_HARDENED_SUID */ * Windows: First respawn. On Windows we will respawn the process twice to establish * something we can put some kind of reliable trust in. The first respawning aims * at dropping compatibility layers and process "security" solutions. * Windows: Initialize the image verification global data so we can verify the * signature of the process image and hook the core of the DLL loader API so we * can check the signature of all DLLs mapped into the process. (Already done * by early VM process init.) #
endif /* RT_OS_WINDOWS */ * Validate the installation. * The next steps are only taken if we actually need to access the support * driver. (Already done by early VM process init.) * Windows: Verify the process (repeated by the kernel later. * Windows: The second respawn. This time we make a special arrangement * with vboxdrv to monitor access to the new process from its inception. SUP_DPRINTF((
"SUPR3HardenedMain: Final process, opening VBoxDrv...\n"));
#
endif /* RT_OS_WINDOWS */ * Open the vboxdrv device. * Windows: Enable the use of windows APIs to verify images at load time. * Grab additional capabilities / privileges. * Drop any root privileges we might be holding (won't return on failure) * Load the IPRT, hand the SUPLib part the open driver and * Load the DLL/SO/DYLIB containing the actual program * and pass control to it. SUP_DPRINTF((
"SUPR3HardenedMain: Load TrustedMain...\n"));