HostDrivers/Support/SUPR3HardenedMain.cpp

	SUPR3HardenedMain.cpp revision a3b910b31da2f6dd99e41dc573f051a74e802a68
af062818b47340eef15700d2f0211576ba3506eevboxsync/* $Id$ */
af062818b47340eef15700d2f0211576ba3506eevboxsync/** @file
af062818b47340eef15700d2f0211576ba3506eevboxsync * VirtualBox Support Library - Hardened main().
af062818b47340eef15700d2f0211576ba3506eevboxsync */
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/*
af062818b47340eef15700d2f0211576ba3506eevboxsync * Copyright (C) 2006-2008 Sun Microsystems, Inc.
af062818b47340eef15700d2f0211576ba3506eevboxsync *
af062818b47340eef15700d2f0211576ba3506eevboxsync * This file is part of VirtualBox Open Source Edition (OSE), as
af062818b47340eef15700d2f0211576ba3506eevboxsync * available from http://www.virtualbox.org. This file is free software;
af062818b47340eef15700d2f0211576ba3506eevboxsync * you can redistribute it and/or modify it under the terms of the GNU
af062818b47340eef15700d2f0211576ba3506eevboxsync * General Public License (GPL) as published by the Free Software
af062818b47340eef15700d2f0211576ba3506eevboxsync * Foundation, in version 2 as it comes in the "COPYING" file of the
af062818b47340eef15700d2f0211576ba3506eevboxsync * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
af062818b47340eef15700d2f0211576ba3506eevboxsync * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
af062818b47340eef15700d2f0211576ba3506eevboxsync *
af062818b47340eef15700d2f0211576ba3506eevboxsync * The contents of this file may alternatively be used under the terms
af062818b47340eef15700d2f0211576ba3506eevboxsync * of the Common Development and Distribution License Version 1.0
af062818b47340eef15700d2f0211576ba3506eevboxsync * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
af062818b47340eef15700d2f0211576ba3506eevboxsync * VirtualBox OSE distribution, in which case the provisions of the
b955672b950093ff7416d1269dd4d3b69983bd8fvboxsync * CDDL are applicable instead of those of the GPL.
4b9d6701570cb98fd36e209314239d104ec584d3vboxsync *
4b9d6701570cb98fd36e209314239d104ec584d3vboxsync * You may elect to license modified versions of this file under the
b955672b950093ff7416d1269dd4d3b69983bd8fvboxsync * terms and conditions of either the GPL or the CDDL or both.
b955672b950093ff7416d1269dd4d3b69983bd8fvboxsync *
b955672b950093ff7416d1269dd4d3b69983bd8fvboxsync * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa
b955672b950093ff7416d1269dd4d3b69983bd8fvboxsync * Clara, CA 95054 USA or visit http://www.sun.com if you need
b955672b950093ff7416d1269dd4d3b69983bd8fvboxsync * additional information or have any questions.
b955672b950093ff7416d1269dd4d3b69983bd8fvboxsync */
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/*******************************************************************************
af062818b47340eef15700d2f0211576ba3506eevboxsync*   Header Files                                                               *
0658e98c3d1b59361863ce3390e57a356fd42217vboxsync*******************************************************************************/
0658e98c3d1b59361863ce3390e57a356fd42217vboxsync#if defined(RT_OS_OS2)
af062818b47340eef15700d2f0211576ba3506eevboxsync# define INCL_BASE
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync# define INCL_ERRORS
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync# include <os2.h>
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync# include <stdio.h>
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync# include <stdlib.h>
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync# include <dlfcn.h>
6cd9e4d9b3398c78dfee8363a3ad75a33304d76cvboxsync
6cd9e4d9b3398c78dfee8363a3ad75a33304d76cvboxsync#elif RT_OS_WINDOWS
6cd9e4d9b3398c78dfee8363a3ad75a33304d76cvboxsync# include <Windows.h>
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsync# include <stdio.h>
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsync
6cd9e4d9b3398c78dfee8363a3ad75a33304d76cvboxsync#else /* UNIXes */
6cd9e4d9b3398c78dfee8363a3ad75a33304d76cvboxsync# include <iprt/types.h> /* stdint fun on darwin. */
6cd9e4d9b3398c78dfee8363a3ad75a33304d76cvboxsync
6cd9e4d9b3398c78dfee8363a3ad75a33304d76cvboxsync# include <stdio.h>
6cd9e4d9b3398c78dfee8363a3ad75a33304d76cvboxsync# include <stdlib.h>
6cd9e4d9b3398c78dfee8363a3ad75a33304d76cvboxsync# include <dlfcn.h>
6cd9e4d9b3398c78dfee8363a3ad75a33304d76cvboxsync# include <limits.h>
6cd9e4d9b3398c78dfee8363a3ad75a33304d76cvboxsync# include <errno.h>
af062818b47340eef15700d2f0211576ba3506eevboxsync# include <unistd.h>
af062818b47340eef15700d2f0211576ba3506eevboxsync# include <sys/stat.h>
af062818b47340eef15700d2f0211576ba3506eevboxsync# include <sys/time.h>
af062818b47340eef15700d2f0211576ba3506eevboxsync# include <stdio.h>
af062818b47340eef15700d2f0211576ba3506eevboxsync# include <sys/types.h>
af062818b47340eef15700d2f0211576ba3506eevboxsync# ifdef RT_OS_LINUX
af062818b47340eef15700d2f0211576ba3506eevboxsync#  include <sys/capability.h>
af062818b47340eef15700d2f0211576ba3506eevboxsync#  include <sys/prctl.h>
af062818b47340eef15700d2f0211576ba3506eevboxsync# endif
af062818b47340eef15700d2f0211576ba3506eevboxsync# include <pwd.h>
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync# ifdef RT_OS_DARWIN
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#  include <mach-o/dyld.h>
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync# endif
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#endif
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#include <VBox/sup.h>
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#include <VBox/err.h>
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#include <iprt/string.h>
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#include <iprt/param.h>
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#include "SUPLibInternal.h"
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync/*******************************************************************************
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync*   Defined Constants And Macros                                               *
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync*******************************************************************************/
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync/** @def SUP_HARDENED_SUID
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync * Whether we're employing set-user-ID-on-execute in the hardening.
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync */
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#if !defined(RT_OS_OS2) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_L4)
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync# define SUP_HARDENED_SUID
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#else
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync# undef  SUP_HARDENED_SUID
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#endif
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync/** @def SUP_HARDENED_SYM
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync * Decorate a symbol that's resolved dynamically.
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync */
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#ifdef RT_OS_OS2
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync# define SUP_HARDENED_SYM(sym)  "_" sym
d2432596ad0325b8a9b42552ce4fcd251f37fcc3vboxsync#else
af062818b47340eef15700d2f0211576ba3506eevboxsync# define SUP_HARDENED_SYM(sym)  sym
af062818b47340eef15700d2f0211576ba3506eevboxsync#endif
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/*******************************************************************************
af062818b47340eef15700d2f0211576ba3506eevboxsync*   Structures and Typedefs                                                    *
af062818b47340eef15700d2f0211576ba3506eevboxsync*******************************************************************************/
af062818b47340eef15700d2f0211576ba3506eevboxsync/** @see RTR3InitEx */
af062818b47340eef15700d2f0211576ba3506eevboxsynctypedef DECLCALLBACK(int) FNRTR3INITEX(uint32_t iVersion, const char *pszProgramPath, bool fInitSUPLib);
af062818b47340eef15700d2f0211576ba3506eevboxsynctypedef FNRTR3INITEX *PFNRTR3INITEX;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/*******************************************************************************
af062818b47340eef15700d2f0211576ba3506eevboxsync*   Global Variables                                                           *
af062818b47340eef15700d2f0211576ba3506eevboxsync*******************************************************************************/
af062818b47340eef15700d2f0211576ba3506eevboxsync/** The pre-init data we pass on to SUPR3 (residing in VBoxRT). */
af062818b47340eef15700d2f0211576ba3506eevboxsyncstatic SUPPREINITDATA g_SupPreInitData;
af062818b47340eef15700d2f0211576ba3506eevboxsync/** The progam executable path. */
af062818b47340eef15700d2f0211576ba3506eevboxsyncstatic char g_szSupLibHardenedExePath[RTPATH_MAX];
af062818b47340eef15700d2f0211576ba3506eevboxsync/** The program directory path. */
af062818b47340eef15700d2f0211576ba3506eevboxsyncstatic char g_szSupLibHardenedDirPath[RTPATH_MAX];
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/** The program name. */
af062818b47340eef15700d2f0211576ba3506eevboxsyncstatic const char *g_pszSupLibHardenedProgName;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync#ifdef SUP_HARDENED_SUID
af062818b47340eef15700d2f0211576ba3506eevboxsync/** The real UID at startup. */
af062818b47340eef15700d2f0211576ba3506eevboxsyncstatic uid_t g_uid;
d4af5b054ea5e3fa148cfb539e5fb886338f9c41vboxsync/** The real GID at startup. */
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsyncstatic gid_t g_gid;
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsync#endif
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsync
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsync/*******************************************************************************
af062818b47340eef15700d2f0211576ba3506eevboxsync*   Internal Functions                                                         *
af062818b47340eef15700d2f0211576ba3506eevboxsync*******************************************************************************/
d4af5b054ea5e3fa148cfb539e5fb886338f9c41vboxsync#ifdef SUP_HARDENED_SUID
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsyncstatic void supR3HardenedMainDropPrivileges(void);
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsync#endif
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsyncstatic PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName);
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/**
af062818b47340eef15700d2f0211576ba3506eevboxsync * @copydoc RTPathStripFilename.
d4af5b054ea5e3fa148cfb539e5fb886338f9c41vboxsync */
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsyncstatic void suplibHardenedPathStripFilename(char *pszPath)
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsync{
af062818b47340eef15700d2f0211576ba3506eevboxsync    char *psz = pszPath;
3c5c04d7b0973be0757addef8ba44b9352b38386vboxsync    char *pszLastSep = pszPath;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync    for (;; psz++)
af062818b47340eef15700d2f0211576ba3506eevboxsync    {
af062818b47340eef15700d2f0211576ba3506eevboxsync        switch (*psz)
af062818b47340eef15700d2f0211576ba3506eevboxsync        {
af062818b47340eef15700d2f0211576ba3506eevboxsync            /* handle separators. */
af062818b47340eef15700d2f0211576ba3506eevboxsync#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
af062818b47340eef15700d2f0211576ba3506eevboxsync            case ':':
af062818b47340eef15700d2f0211576ba3506eevboxsync                pszLastSep = psz + 1;
af062818b47340eef15700d2f0211576ba3506eevboxsync                break;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync            case '\\':
af062818b47340eef15700d2f0211576ba3506eevboxsync#endif
af062818b47340eef15700d2f0211576ba3506eevboxsync            case '/':
af062818b47340eef15700d2f0211576ba3506eevboxsync                pszLastSep = psz;
af062818b47340eef15700d2f0211576ba3506eevboxsync                break;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync            /* the end */
af062818b47340eef15700d2f0211576ba3506eevboxsync            case '\0':
af062818b47340eef15700d2f0211576ba3506eevboxsync                if (pszLastSep == pszPath)
af062818b47340eef15700d2f0211576ba3506eevboxsync                    *pszLastSep++ = '.';
af062818b47340eef15700d2f0211576ba3506eevboxsync                *pszLastSep = '\0';
af062818b47340eef15700d2f0211576ba3506eevboxsync                return;
af062818b47340eef15700d2f0211576ba3506eevboxsync        }
af062818b47340eef15700d2f0211576ba3506eevboxsync    }
af062818b47340eef15700d2f0211576ba3506eevboxsync    /* will never get here */
af062818b47340eef15700d2f0211576ba3506eevboxsync}
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/**
af062818b47340eef15700d2f0211576ba3506eevboxsync * @copydoc RTPathFilename
af062818b47340eef15700d2f0211576ba3506eevboxsync */
af062818b47340eef15700d2f0211576ba3506eevboxsyncDECLHIDDEN(char *) supR3HardenedPathFilename(const char *pszPath)
af062818b47340eef15700d2f0211576ba3506eevboxsync{
af062818b47340eef15700d2f0211576ba3506eevboxsync    const char *psz = pszPath;
af062818b47340eef15700d2f0211576ba3506eevboxsync    const char *pszLastComp = pszPath;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync    for (;; psz++)
af062818b47340eef15700d2f0211576ba3506eevboxsync    {
af062818b47340eef15700d2f0211576ba3506eevboxsync        switch (*psz)
af062818b47340eef15700d2f0211576ba3506eevboxsync        {
af062818b47340eef15700d2f0211576ba3506eevboxsync            /* handle separators. */
af062818b47340eef15700d2f0211576ba3506eevboxsync#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
af062818b47340eef15700d2f0211576ba3506eevboxsync            case ':':
af062818b47340eef15700d2f0211576ba3506eevboxsync                pszLastComp = psz + 1;
af062818b47340eef15700d2f0211576ba3506eevboxsync                break;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync            case '\\':
af062818b47340eef15700d2f0211576ba3506eevboxsync#endif
af062818b47340eef15700d2f0211576ba3506eevboxsync            case '/':
af062818b47340eef15700d2f0211576ba3506eevboxsync                pszLastComp = psz + 1;
af062818b47340eef15700d2f0211576ba3506eevboxsync                break;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync            /* the end */
af062818b47340eef15700d2f0211576ba3506eevboxsync            case '\0':
af062818b47340eef15700d2f0211576ba3506eevboxsync                if (*pszLastComp)
af062818b47340eef15700d2f0211576ba3506eevboxsync                    return (char *)(void *)pszLastComp;
af062818b47340eef15700d2f0211576ba3506eevboxsync                return NULL;
af062818b47340eef15700d2f0211576ba3506eevboxsync        }
af062818b47340eef15700d2f0211576ba3506eevboxsync    }
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync    /* will never get here */
af062818b47340eef15700d2f0211576ba3506eevboxsync    return NULL;
af062818b47340eef15700d2f0211576ba3506eevboxsync}
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/**
af062818b47340eef15700d2f0211576ba3506eevboxsync * @copydoc RTPathAppPrivateNoArch
af062818b47340eef15700d2f0211576ba3506eevboxsync */
af062818b47340eef15700d2f0211576ba3506eevboxsyncDECLHIDDEN(int) supR3HardenedPathAppPrivateNoArch(char *pszPath, size_t cchPath)
af062818b47340eef15700d2f0211576ba3506eevboxsync{
af062818b47340eef15700d2f0211576ba3506eevboxsync#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE)
af062818b47340eef15700d2f0211576ba3506eevboxsync    const char *pszSrcPath = RTPATH_APP_PRIVATE;
af062818b47340eef15700d2f0211576ba3506eevboxsync    size_t cchPathPrivateNoArch = strlen(pszSrcPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync    if (cchPathPrivateNoArch >= cchPath)
af062818b47340eef15700d2f0211576ba3506eevboxsync        supR3HardenedFatal("supR3HardenedPathAppPrivateNoArch: Buffer overflow, %lu >= %lu\n",
af062818b47340eef15700d2f0211576ba3506eevboxsync                            (unsigned long)cchPathPrivateNoArch, (unsigned long)cchPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync    memcpy(pszPath, pszSrcPath, cchPathPrivateNoArch + 1);
af062818b47340eef15700d2f0211576ba3506eevboxsync    return VINF_SUCCESS;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync#else
af062818b47340eef15700d2f0211576ba3506eevboxsync    return supR3HardenedPathProgram(pszPath, cchPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync#endif
af062818b47340eef15700d2f0211576ba3506eevboxsync}
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/**
af062818b47340eef15700d2f0211576ba3506eevboxsync * @copydoc RTPathAppPrivateArch
af062818b47340eef15700d2f0211576ba3506eevboxsync */
af062818b47340eef15700d2f0211576ba3506eevboxsyncDECLHIDDEN(int) supR3HardenedPathAppPrivateArch(char *pszPath, size_t cchPath)
af062818b47340eef15700d2f0211576ba3506eevboxsync{
af062818b47340eef15700d2f0211576ba3506eevboxsync#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE_ARCH)
af062818b47340eef15700d2f0211576ba3506eevboxsync    const char *pszSrcPath = RTPATH_APP_PRIVATE_ARCH;
af062818b47340eef15700d2f0211576ba3506eevboxsync    size_t cchPathPrivateArch = strlen(pszSrcPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync    if (cchPathPrivateArch >= cchPath)
af062818b47340eef15700d2f0211576ba3506eevboxsync        supR3HardenedFatal("supR3HardenedPathAppPrivateArch: Buffer overflow, %lu >= %lu\n",
af062818b47340eef15700d2f0211576ba3506eevboxsync                            (unsigned long)cchPathPrivateArch, (unsigned long)cchPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync    memcpy(pszPath, pszSrcPath, cchPathPrivateArch + 1);
af062818b47340eef15700d2f0211576ba3506eevboxsync    return VINF_SUCCESS;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync#else
af062818b47340eef15700d2f0211576ba3506eevboxsync    return supR3HardenedPathProgram(pszPath, cchPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync#endif
af062818b47340eef15700d2f0211576ba3506eevboxsync}
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/**
af062818b47340eef15700d2f0211576ba3506eevboxsync * @copydoc RTPathSharedLibs
af062818b47340eef15700d2f0211576ba3506eevboxsync */
af062818b47340eef15700d2f0211576ba3506eevboxsyncDECLHIDDEN(int) supR3HardenedPathSharedLibs(char *pszPath, size_t cchPath)
af062818b47340eef15700d2f0211576ba3506eevboxsync{
af062818b47340eef15700d2f0211576ba3506eevboxsync#if !defined(RT_OS_WINDOWS) && defined(RTPATH_SHARED_LIBS)
af062818b47340eef15700d2f0211576ba3506eevboxsync    const char *pszSrcPath = RTPATH_SHARED_LIBS;
589fd26cedb2b4ebbed14f2964cad03cc8ebbca2vboxsync    size_t cchPathSharedLibs = strlen(pszSrcPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync    if (cchPathSharedLibs >= cchPath)
af062818b47340eef15700d2f0211576ba3506eevboxsync        supR3HardenedFatal("supR3HardenedPathSharedLibs: Buffer overflow, %lu >= %lu\n",
af062818b47340eef15700d2f0211576ba3506eevboxsync                            (unsigned long)cchPathSharedLibs, (unsigned long)cchPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync    memcpy(pszPath, pszSrcPath, cchPathSharedLibs + 1);
af062818b47340eef15700d2f0211576ba3506eevboxsync    return VINF_SUCCESS;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync#else
af062818b47340eef15700d2f0211576ba3506eevboxsync    return supR3HardenedPathProgram(pszPath, cchPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync#endif
af062818b47340eef15700d2f0211576ba3506eevboxsync}
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/**
af062818b47340eef15700d2f0211576ba3506eevboxsync * @copydoc RTPathAppDocs
af062818b47340eef15700d2f0211576ba3506eevboxsync */
af062818b47340eef15700d2f0211576ba3506eevboxsyncDECLHIDDEN(int) supR3HardenedPathAppDocs(char *pszPath, size_t cchPath)
af062818b47340eef15700d2f0211576ba3506eevboxsync{
af062818b47340eef15700d2f0211576ba3506eevboxsync#if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_DOCS)
af062818b47340eef15700d2f0211576ba3506eevboxsync    const char *pszSrcPath = RTPATH_APP_DOCS;
af062818b47340eef15700d2f0211576ba3506eevboxsync    size_t cchPathAppDocs = strlen(pszSrcPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync    if (cchPathAppDocs >= cchPath)
af062818b47340eef15700d2f0211576ba3506eevboxsync        supR3HardenedFatal("supR3HardenedPathAppDocs: Buffer overflow, %lu >= %lu\n",
af062818b47340eef15700d2f0211576ba3506eevboxsync                            (unsigned long)cchPathAppDocs, (unsigned long)cchPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync    memcpy(pszPath, pszSrcPath, cchPathAppDocs + 1);
af062818b47340eef15700d2f0211576ba3506eevboxsync    return VINF_SUCCESS;
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync#else
af062818b47340eef15700d2f0211576ba3506eevboxsync    return supR3HardenedPathProgram(pszPath, cchPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync#endif
af062818b47340eef15700d2f0211576ba3506eevboxsync}
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync/**
af062818b47340eef15700d2f0211576ba3506eevboxsync * Returns the full path to the executable.
af062818b47340eef15700d2f0211576ba3506eevboxsync *
af062818b47340eef15700d2f0211576ba3506eevboxsync * @returns IPRT status code.
af062818b47340eef15700d2f0211576ba3506eevboxsync * @param   pszPath     Where to store it.
af062818b47340eef15700d2f0211576ba3506eevboxsync * @param   cchPath     How big that buffer is.
af062818b47340eef15700d2f0211576ba3506eevboxsync */
af062818b47340eef15700d2f0211576ba3506eevboxsyncstatic void supR3HardenedGetFullExePath(void)
af062818b47340eef15700d2f0211576ba3506eevboxsync{
af062818b47340eef15700d2f0211576ba3506eevboxsync    /*
af062818b47340eef15700d2f0211576ba3506eevboxsync     * Get the program filename.
af062818b47340eef15700d2f0211576ba3506eevboxsync     *
af062818b47340eef15700d2f0211576ba3506eevboxsync     * Most UNIXes have no API for obtaining the executable path, but provides a symbolic
af062818b47340eef15700d2f0211576ba3506eevboxsync     * link in the proc file system that tells who was exec'ed. The bad thing about this
af062818b47340eef15700d2f0211576ba3506eevboxsync     * is that we have to use readlink, one of the weirder UNIX APIs.
af062818b47340eef15700d2f0211576ba3506eevboxsync     *
af062818b47340eef15700d2f0211576ba3506eevboxsync     * Darwin, OS/2 and Windows all have proper APIs for getting the program file name.
af062818b47340eef15700d2f0211576ba3506eevboxsync     */
af062818b47340eef15700d2f0211576ba3506eevboxsync#if defined(RT_OS_LINUX) || defined(RT_OS_FREEBSD) || defined(RT_OS_SOLARIS)
af062818b47340eef15700d2f0211576ba3506eevboxsync# ifdef RT_OS_LINUX
af062818b47340eef15700d2f0211576ba3506eevboxsync    int cchLink = readlink("/proc/self/exe", &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
af062818b47340eef15700d2f0211576ba3506eevboxsync# elif defined(RT_OS_SOLARIS)
af062818b47340eef15700d2f0211576ba3506eevboxsync    char szFileBuf[PATH_MAX + 1];
af062818b47340eef15700d2f0211576ba3506eevboxsync    sprintf(szFileBuf, "/proc/%ld/path/a.out", (long)getpid());
af062818b47340eef15700d2f0211576ba3506eevboxsync    int cchLink = readlink(szFileBuf, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
af062818b47340eef15700d2f0211576ba3506eevboxsync# else /* RT_OS_FREEBSD: */
af062818b47340eef15700d2f0211576ba3506eevboxsync    int cchLink = readlink("/proc/curproc/file", &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath) - 1);
af062818b47340eef15700d2f0211576ba3506eevboxsync# endif
af062818b47340eef15700d2f0211576ba3506eevboxsync    if (cchLink < 0 || cchLink == sizeof(g_szSupLibHardenedExePath) - 1)
af062818b47340eef15700d2f0211576ba3506eevboxsync        supR3HardenedFatal("supR3HardenedPathProgram: couldn't read \"%s\", errno=%d cchLink=%d\n",
af062818b47340eef15700d2f0211576ba3506eevboxsync                            g_szSupLibHardenedExePath, errno, cchLink);
af062818b47340eef15700d2f0211576ba3506eevboxsync    g_szSupLibHardenedExePath[cchLink] = '\0';
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync#elif defined(RT_OS_OS2) || defined(RT_OS_L4)
af062818b47340eef15700d2f0211576ba3506eevboxsync    _execname(g_szSupLibHardenedExePath, sizeof(g_szSupLibHardenedExePath));
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync#elif defined(RT_OS_DARWIN)
af062818b47340eef15700d2f0211576ba3506eevboxsync    const char *pszImageName = _dyld_get_image_name(0);
af062818b47340eef15700d2f0211576ba3506eevboxsync    if (!pszImageName)
af062818b47340eef15700d2f0211576ba3506eevboxsync        supR3HardenedFatal("supR3HardenedPathProgram: _dyld_get_image_name(0) failed\n");
af062818b47340eef15700d2f0211576ba3506eevboxsync    size_t cchImageName = strlen(pszImageName);
af062818b47340eef15700d2f0211576ba3506eevboxsync    if (!cchImageName || cchImageName >= sizeof(g_szSupLibHardenedExePath))
af062818b47340eef15700d2f0211576ba3506eevboxsync        supR3HardenedFatal("supR3HardenedPathProgram: _dyld_get_image_name(0) failed, cchImageName=%d\n", cchImageName);
af062818b47340eef15700d2f0211576ba3506eevboxsync    memcpy(g_szSupLibHardenedExePath, pszImageName, cchImageName + 1);
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync#elif defined(RT_OS_WINDOWS)
af062818b47340eef15700d2f0211576ba3506eevboxsync    HMODULE hExe = GetModuleHandle(NULL);
af062818b47340eef15700d2f0211576ba3506eevboxsync    if (!GetModuleFileName(hExe, &g_szSupLibHardenedExePath[0], sizeof(g_szSupLibHardenedExePath)))
af062818b47340eef15700d2f0211576ba3506eevboxsync        supR3HardenedFatal("supR3HardenedPathProgram: GetModuleFileName failed, rc=%d\n", GetLastError());
af062818b47340eef15700d2f0211576ba3506eevboxsync#else
af062818b47340eef15700d2f0211576ba3506eevboxsync# error needs porting.
af062818b47340eef15700d2f0211576ba3506eevboxsync#endif
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync    /*
af062818b47340eef15700d2f0211576ba3506eevboxsync     * Strip off the filename part (RTPathStripFilename()).
af062818b47340eef15700d2f0211576ba3506eevboxsync     */
af062818b47340eef15700d2f0211576ba3506eevboxsync    strcpy(g_szSupLibHardenedDirPath, g_szSupLibHardenedExePath);
af062818b47340eef15700d2f0211576ba3506eevboxsync    suplibHardenedPathStripFilename(g_szSupLibHardenedDirPath);
af062818b47340eef15700d2f0211576ba3506eevboxsync}
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync
af062818b47340eef15700d2f0211576ba3506eevboxsync#ifdef RT_OS_LINUX
af062818b47340eef15700d2f0211576ba3506eevboxsync/**
af062818b47340eef15700d2f0211576ba3506eevboxsync * Checks if we can read /proc/self/exe.
af062818b47340eef15700d2f0211576ba3506eevboxsync *
af062818b47340eef15700d2f0211576ba3506eevboxsync * This is used on linux to see if we have to call init
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync * with program path or not.
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync *
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync * @returns true / false.
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync */
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsyncstatic bool supR3HardenedMainIsProcSelfExeAccssible(void)
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync{
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync    char szPath[RTPATH_MAX];
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync    int cchLink = readlink("/proc/self/exe", szPath, sizeof(szPath));
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync    return cchLink != -1;
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync}
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync#endif /* RT_OS_LINUX */
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync/**
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync * @copydoc RTPathProgram
3a343ca21a267ec3c54e2317e2ed18fe99b8ebbbvboxsync */
af062818b47340eef15700d2f0211576ba3506eevboxsyncDECLHIDDEN(int) supR3HardenedPathProgram(char *pszPath, size_t cchPath)
{
    /*
     * Lazy init (probably not required).
     */
    if (!g_szSupLibHardenedDirPath[0])
        supR3HardenedGetFullExePath();

    /*
     * Calc the length and check if there is space before copying.
     */
    unsigned cch = strlen(g_szSupLibHardenedDirPath) + 1;
    if (cch <= cchPath)
    {
        memcpy(pszPath, g_szSupLibHardenedDirPath, cch + 1);
        return VINF_SUCCESS;
    }

    supR3HardenedFatal("supR3HardenedPathProgram: Buffer too small (%u < %u)\n", cchPath, cch);
    return VERR_BUFFER_OVERFLOW;
}


DECLHIDDEN(void)   supR3HardenedFatalMsgV(const char *pszWhere, SUPINITOP enmWhat, int rc, const char *pszMsgFmt, va_list va)
{
    /*
     * To the console first, like supR3HardenedFatalV.
     */
    fprintf(stderr, "%s: Error %d in %s!\n", g_pszSupLibHardenedProgName, rc, pszWhere);
    fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
    va_list vaCopy;
    va_copy(vaCopy, va);
    vfprintf(stderr, pszMsgFmt, vaCopy);
    va_end(vaCopy);
    fprintf(stderr, "\n");

    switch (enmWhat)
    {
        case kSupInitOp_Driver:
            fprintf(stderr,
                    "\n"
                    "%s: Tip! Make sure the kernel module is loaded. It may also help to reinstall VirtualBox.\n",
                    g_pszSupLibHardenedProgName);
            break;

        case kSupInitOp_IPRT:
        case kSupInitOp_Integrity:
        case kSupInitOp_RootCheck:
            fprintf(stderr,
                    "\n"
                    "%s: Tip! It may help to reinstall VirtualBox.\n",
                    g_pszSupLibHardenedProgName);
            break;

        default:
            /* no hints here */
            break;
    }

#ifdef SUP_HARDENED_SUID
    /*
     * Drop any root privileges we might be holding, this won't return
     * if it fails but end up calling supR3HardenedFatal[V].
     */
    supR3HardenedMainDropPrivileges();
#endif /* SUP_HARDENED_SUID */

    /*
     * Now try resolve and call the TrustedError entry point if we can
     * find it.  We'll fork before we attempt this because that way the
     * session management in main will see us exiting immediately (if
     * it's invovled with us).
     */
#if !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
    int pid = fork();
    if (pid <= 0)
#endif
    {
        PFNSUPTRUSTEDERROR pfnTrustedError = supR3HardenedMainGetTrustedError(g_pszSupLibHardenedProgName);
        if (pfnTrustedError)
            pfnTrustedError(pszWhere, enmWhat, rc, pszMsgFmt, va);
    }

    /*
     * Quit
     */
    for (;;)
#ifdef _MSC_VER
        exit(1);
#else
        _Exit(1);
#endif
}


DECLHIDDEN(void)   supR3HardenedFatalMsg(const char *pszWhere, SUPINITOP enmWhat, int rc, const char *pszMsgFmt, ...)
{
    va_list va;
    va_start(va, pszMsgFmt);
    supR3HardenedFatalMsgV(pszWhere, enmWhat, rc, pszMsgFmt, va);
    va_end(va);
}


DECLHIDDEN(void) supR3HardenedFatalV(const char *pszFormat, va_list va)
{
    fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
    vfprintf(stderr, pszFormat, va);
    for (;;)
#ifdef _MSC_VER
        exit(1);
#else
        _Exit(1);
#endif
}


DECLHIDDEN(void) supR3HardenedFatal(const char *pszFormat, ...)
{
    va_list va;
    va_start(va, pszFormat);
    supR3HardenedFatalV(pszFormat, va);
    va_end(va);
}


DECLHIDDEN(int) supR3HardenedErrorV(int rc, bool fFatal, const char *pszFormat, va_list va)
{
    if (fFatal)
        supR3HardenedFatalV(pszFormat, va);

    fprintf(stderr, "%s: ", g_pszSupLibHardenedProgName);
    vfprintf(stderr, pszFormat, va);
    return rc;
}


DECLHIDDEN(int) supR3HardenedError(int rc, bool fFatal, const char *pszFormat, ...)
{
    va_list va;
    va_start(va, pszFormat);
    supR3HardenedErrorV(rc, fFatal, pszFormat, va);
    va_end(va);
    return rc;
}


/**
 * Wrapper around snprintf which will throw a fatal error on buffer overflow.
 *
 * @returns Number of chars in the result string.
 * @param   pszDst          The destination buffer.
 * @param   cchDst          The size of the buffer.
 * @param   pszFormat       The format string.
 * @param   ...             Format arguments.
 */
static size_t supR3HardenedStrPrintf(char *pszDst, size_t cchDst, const char *pszFormat, ...)
{
    va_list va;
    va_start(va, pszFormat);
#ifdef _MSC_VER
    int cch = _vsnprintf(pszDst, cchDst, pszFormat, va);
#else
    int cch = vsnprintf(pszDst, cchDst, pszFormat, va);
#endif
    va_end(va);
    if ((unsigned)cch >= cchDst || cch < 0)
        supR3HardenedFatal("supR3HardenedStrPrintf: buffer overflow, %d >= %lu\n", cch, (long)cchDst);
    return cch;
}


/**
 * Attempts to open /dev/vboxdrv (or equvivalent).
 *
 * @remarks This function will not return on failure.
 */
static void supR3HardenedMainOpenDevice(void)
{
    int rc = suplibOsInit(&g_SupPreInitData.Data, false);
    if (RT_SUCCESS(rc))
        return;

    switch (rc)
    {
        /** @todo better messages! */
        case VERR_VM_DRIVER_NOT_INSTALLED:
            supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
                                  "VERR_VM_DRIVER_NOT_INSTALLED");
        case VERR_VM_DRIVER_NOT_ACCESSIBLE:
            supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
                                  "VERR_VM_DRIVER_NOT_ACCESSIBLE");
        case VERR_VM_DRIVER_LOAD_ERROR:
            supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
                                  "VERR_VM_DRIVER_LOAD_ERROR");
        case VERR_VM_DRIVER_OPEN_ERROR:
            supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
                                  "VERR_VM_DRIVER_OPEN_ERROR");
        case VERR_VM_DRIVER_VERSION_MISMATCH:
            supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
                                  "VERR_VM_DRIVER_VERSION_MISMATCH");
        case VERR_ACCESS_DENIED:
            supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
                                  "VERR_ACCESS_DENIED");
        default:
            supR3HardenedFatalMsg("suplibOsInit", kSupInitOp_Driver, rc,
                                  "Unknown rc=%d", rc);
    }
}


#ifdef SUP_HARDENED_SUID
/**
 * Drop any root privileges we might be holding.
 */
static void supR3HardenedMainDropPrivileges(void)
{
# if defined(RT_OS_LINUX)
    /*
     * We are about to drop all our privileges. Remove all capabilities but
     * keep the cap_net_raw capability for ICMP sockets for the NAT stack.
     */
    if (!cap_set_proc(cap_from_text("all-eip cap_net_raw+ep")))
        prctl(PR_SET_KEEPCAPS, /*keep=*/1, 0, 0, 0);
# endif

    /*
     * Try use setre[ug]id since this will clear the save uid/gid and thus
     * leave fewer traces behind that libs like GTK+ may pick up.
     */
    uid_t euid, ruid, suid;
    gid_t egid, rgid, sgid;
# if defined(RT_OS_DARWIN)
    /* The really great thing here is that setreuid isn't available on
       OS X 10.4, libc emulates it. While 10.4 have a sligtly different and
       non-standard setuid implementation compared to 10.5, the following
       works the same way with both version since we're super user (10.5 req).
       The following will set all three variants of the group and user IDs. */
    setgid(g_gid);
    setuid(g_uid);
    euid = geteuid();
    ruid = suid = getuid();
    egid = getegid();
    rgid = sgid = getgid();

# elif defined(RT_OS_SOLARIS)
    /* Solaris doesn't have setresuid, but the setreuid interface is BSD
       compatible and will set the saved uid to euid when we pass it a ruid
       that isn't -1 (which we do). */
    setregid(g_gid, g_gid);
    setreuid(g_uid, g_uid);
    euid = geteuid();
    ruid = suid = getuid();
    egid = getegid();
    rgid = sgid = getgid();

# else
    /* This is the preferred one, full control no questions about semantics.
       PORTME: If this isn't work, try join one of two other gangs above. */
    setresgid(g_gid, g_gid, g_gid);
    setresuid(g_uid, g_uid, g_uid);
    if (getresuid(&ruid, &euid, &suid) != 0)
    {
        euid = geteuid();
        ruid = suid = getuid();
    }
    if (getresgid(&rgid, &egid, &sgid) != 0)
    {
        egid = getegid();
        rgid = sgid = getgid();
    }
# endif


    /* Check that it worked out all right. */
    if (    euid != g_uid
        ||  ruid != g_uid
        ||  suid != g_uid
        ||  egid != g_gid
        ||  rgid != g_gid
        ||  sgid != g_gid)
        supR3HardenedFatal("SUPR3HardenedMain: failed to drop root privileges!"
                           " (euid=%d ruid=%d suid=%d  egid=%d rgid=%d sgid=%d; wanted uid=%d and gid=%d)\n",
                           euid, ruid, suid, egid, rgid, sgid, g_uid, g_gid);

# if RT_OS_LINUX
    /*
     * Re-enable the cap_net_raw capability which was disabled during setresuid.
     * XXX Warn if that does not work?
     */
    cap_set_proc(cap_from_text("cap_net_raw+ep"));
# endif
}
#endif /* SUP_HARDENED_SUID */


/**
 * Loads the VBoxRT DLL/SO/DYLIB, hands it the open driver,
 * and calls RTR3Init.
 *
 * @param   fFlags      The SUPR3HardenedMain fFlags argument, passed to supR3PreInit.
 *
 * @remarks VBoxRT contains both IPRT and SUPR3.
 * @remarks This function will not return on failure.
 */
static void supR3HardenedMainInitRuntime(uint32_t fFlags)
{
    /*
     * Construct the name.
     */
    char szPath[RTPATH_MAX];
    supR3HardenedPathSharedLibs(szPath, sizeof(szPath) - sizeof("/VBoxRT" SUPLIB_DLL_SUFF));
    strcat(szPath, "/VBoxRT" SUPLIB_DLL_SUFF);

    /*
     * Open it and resolve the symbols.
     */
#if defined(RT_OS_WINDOWS)
    /** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
    HMODULE hMod = LoadLibraryEx(szPath, NULL /*hFile*/, 0 /* dwFlags */);
    if (!hMod)
        supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
                              "LoadLibraryEx(\"%s\",,) failed (rc=%d)",
                              szPath, GetLastError());
    PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)GetProcAddress(hMod, SUP_HARDENED_SYM("RTR3InitEx"));
    if (!pfnRTInitEx)
        supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
                              "Entrypoint \"RTR3InitEx\" not found in \"%s\" (rc=%d)",
                              szPath, GetLastError());

    PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)GetProcAddress(hMod, SUP_HARDENED_SYM("supR3PreInit"));
    if (!pfnSUPPreInit)
        supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
                              "Entrypoint \"supR3PreInit\" not found in \"%s\" (rc=%d)",
                              szPath, GetLastError());

#else
    /* the dlopen crowd */
    void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
    if (!pvMod)
        supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_MODULE_NOT_FOUND,
                              "dlopen(\"%s\",) failed: %s",
                              szPath, dlerror());
    PFNRTR3INITEX pfnRTInitEx = (PFNRTR3INITEX)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("RTR3InitEx"));
    if (!pfnRTInitEx)
        supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
                              "Entrypoint \"RTR3InitEx\" not found in \"%s\"!\ndlerror: %s",
                              szPath, dlerror());
    PFNSUPR3PREINIT pfnSUPPreInit = (PFNSUPR3PREINIT)(uintptr_t)dlsym(pvMod, SUP_HARDENED_SYM("supR3PreInit"));
    if (!pfnSUPPreInit)
        supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, VERR_SYMBOL_NOT_FOUND,
                              "Entrypoint \"supR3PreInit\" not found in \"%s\"!\ndlerror: %s",
                              szPath, dlerror());
#endif

    /*
     * Make the calls.
     */
    supR3HardenedGetPreInitData(&g_SupPreInitData);
    int rc = pfnSUPPreInit(&g_SupPreInitData, fFlags);
    if (RT_FAILURE(rc))
        supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
                              "supR3PreInit failed with rc=%d", rc);
    const char *pszExePath = NULL;
#ifdef RT_OS_LINUX
    if (!supR3HardenedMainIsProcSelfExeAccssible())
        pszExePath = g_szSupLibHardenedExePath;
#endif
    rc = pfnRTInitEx(0, pszExePath, !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV));
    if (RT_FAILURE(rc))
        supR3HardenedFatalMsg("supR3HardenedMainInitRuntime", kSupInitOp_IPRT, rc,
                              "RTR3Init failed with rc=%d", rc);
}


/**
 * Loads the DLL/SO/DYLIB containing the actual program and
 * resolves the TrustedError symbol.
 *
 * This is very similar to supR3HardenedMainGetTrustedMain().
 *
 * @returns Pointer to the trusted error symbol if it is exported, NULL
 *          and no error messages otherwise.
 * @param   pszProgName     The program name.
 */
static PFNSUPTRUSTEDERROR supR3HardenedMainGetTrustedError(const char *pszProgName)
{
    /*
     * Construct the name.
     */
    char szPath[RTPATH_MAX];
    supR3HardenedPathAppPrivateArch(szPath, sizeof(szPath) - 10);
    size_t cch = strlen(szPath);
    supR3HardenedStrPrintf(&szPath[cch], sizeof(szPath) - cch, "/%s%s", pszProgName, SUPLIB_DLL_SUFF);

    /*
     * Open it and resolve the symbol.
     */
#if defined(RT_OS_WINDOWS)
    /** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
    HMODULE hMod = LoadLibraryEx(szPath, NULL /*hFile*/, 0 /* dwFlags */);
    if (!hMod)
        return NULL;
    FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedError"));
    if (!pfn)
        return NULL;
    return (PFNSUPTRUSTEDERROR)pfn;

#else
    /* the dlopen crowd */
    void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
    if (!pvMod)
        return NULL;
    void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedError"));
    if (!pvSym)
        return NULL;
    return (PFNSUPTRUSTEDERROR)(uintptr_t)pvSym;
#endif
}


/**
 * Loads the DLL/SO/DYLIB containing the actual program and
 * resolves the TrustedMain symbol.
 *
 * @returns Pointer to the trusted main of the actual program.
 * @param   pszProgName     The program name.
 * @remarks This function will not return on failure.
 */
static PFNSUPTRUSTEDMAIN supR3HardenedMainGetTrustedMain(const char *pszProgName)
{
    /*
     * Construct the name.
     */
    char szPath[RTPATH_MAX];
    supR3HardenedPathAppPrivateArch(szPath, sizeof(szPath) - 10);
    size_t cch = strlen(szPath);
    supR3HardenedStrPrintf(&szPath[cch], sizeof(szPath) - cch, "/%s%s", pszProgName, SUPLIB_DLL_SUFF);

    /*
     * Open it and resolve the symbol.
     */
#if defined(RT_OS_WINDOWS)
    /** @todo consider using LOAD_WITH_ALTERED_SEARCH_PATH here! */
    HMODULE hMod = LoadLibraryEx(szPath, NULL /*hFile*/, 0 /* dwFlags */);
    if (!hMod)
        supR3HardenedFatal("supR3HardenedMainGetTrustedMain: LoadLibraryEx(\"%s\",,) failed, rc=%d\n",
                            szPath, GetLastError());
    FARPROC pfn = GetProcAddress(hMod, SUP_HARDENED_SYM("TrustedMain"));
    if (!pfn)
        supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\" (rc=%d)\n",
                            szPath, GetLastError());
    return (PFNSUPTRUSTEDMAIN)pfn;

#else
    /* the dlopen crowd */
    void *pvMod = dlopen(szPath, RTLD_NOW | RTLD_GLOBAL);
    if (!pvMod)
        supR3HardenedFatal("supR3HardenedMainGetTrustedMain: dlopen(\"%s\",) failed: %s\n",
                            szPath, dlerror());
    void *pvSym = dlsym(pvMod, SUP_HARDENED_SYM("TrustedMain"));
    if (!pvSym)
        supR3HardenedFatal("supR3HardenedMainGetTrustedMain: Entrypoint \"TrustedMain\" not found in \"%s\"!\ndlerror: %s\n",
                            szPath, dlerror());
    return (PFNSUPTRUSTEDMAIN)(uintptr_t)pvSym;
#endif
}


/**
 * Secure main.
 *
 * This is used for the set-user-ID-on-execute binaries on unixy systems
 * and when using the open-vboxdrv-via-root-service setup on Windows.
 *
 * This function will perform the integrity checks of the VirtualBox
 * installation, open the support driver, open the root service (later),
 * and load the DLL corresponding to \a pszProgName and execute its main
 * function.
 *
 * @returns Return code appropriate for main().
 *
 * @param   pszProgName     The program name. This will be used to figure out which
 *                          DLL/SO/DYLIB to load and execute.
 * @param   fFlags          Flags.
 * @param   argc            The argument count.
 * @param   argv            The argument vector.
 * @param   envp            The environment vector.
 */
DECLHIDDEN(int) SUPR3HardenedMain(const char *pszProgName, uint32_t fFlags, int argc, char **argv, char **envp)
{
    /*
     * Note! At this point there is no IPRT, so we will have to stick
     * to basic CRT functions that everyone agree upon.
     */
    g_pszSupLibHardenedProgName = pszProgName;
    g_SupPreInitData.u32Magic = SUPPREINITDATA_MAGIC;
    g_SupPreInitData.Data.hDevice = NIL_RTFILE;
    g_SupPreInitData.u32EndMagic = SUPPREINITDATA_MAGIC;

#ifdef SUP_HARDENED_SUID
# ifdef RT_OS_LINUX
    /*
     * On linux we have to make sure the path is initialized because we
     * *might* not be able to access /proc/self/exe after the seteuid call.
     */
    supR3HardenedGetFullExePath();
# endif

    /*
     * Check that we're root, if we aren't then the installation is butchered.
     */
    g_uid = getuid();
    g_gid = getgid();
    if (geteuid() != 0 /* root */)
        supR3HardenedFatalMsg("SUPR3HardenedMain", kSupInitOp_RootCheck, VERR_PERMISSION_DENIED,
                              "Effective UID is not root (euid=%d egid=%d uid=%d gid=%d)",
                              geteuid(), getegid(), g_uid, g_gid);
#endif

    /*
     * Validate the installation.
     */
    supR3HardenedVerifyAll(true /* fFatal */, false /* fLeaveFilesOpen */, pszProgName);

    /*
     * Open the vboxdrv device.
     */
    if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
        supR3HardenedMainOpenDevice();

    /*
     * Open the root service connection.
     */
    //if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_SVC))
        //supR3HardenedMainOpenService(&g_SupPreInitData, true /* fFatal */);

#ifdef SUP_HARDENED_SUID
    /*
     * Drop any root privileges we might be holding (won't return on failure)
     */
    supR3HardenedMainDropPrivileges();
#endif

    /*
     * Load the IPRT, hand the SUPLib part the open driver and
     * call RTR3Init.
     */
    supR3HardenedMainInitRuntime(fFlags);

    /*
     * Load the DLL/SO/DYLIB containing the actual program
     * and pass control to it.
     */
    PFNSUPTRUSTEDMAIN pfnTrustedMain = supR3HardenedMainGetTrustedMain(pszProgName);
    return pfnTrustedMain(argc, argv, envp);
}