SUPR3HardenedVerify.cpp revision 9e293277b378073ce86910209a246b744b4caa2c
/* $Id$ */
/** @file
* VirtualBox Support Library - Verification of Hardened Installation.
*/
/*
* Copyright (C) 2006-2008 Sun Microsystems, Inc.
*
* This file is part of VirtualBox Open Source Edition (OSE), as
* available from http://www.virtualbox.org. This file is free software;
* General Public License (GPL) as published by the Free Software
* Foundation, in version 2 as it comes in the "COPYING" file of the
* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
*
* The contents of this file may alternatively be used under the terms
* of the Common Development and Distribution License Version 1.0
* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
* VirtualBox OSE distribution, in which case the provisions of the
* CDDL are applicable instead of those of the GPL.
*
* You may elect to license modified versions of this file under the
* terms and conditions of either the GPL or the CDDL or both.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa
* Clara, CA 95054 USA or visit http://www.sun.com if you need
* additional information or have any questions.
*/
/*******************************************************************************
* Header Files *
*******************************************************************************/
#if defined(RT_OS_OS2)
# define INCL_BASE
# define INCL_ERRORS
# include <os2.h>
# include <stdio.h>
# include <stdlib.h>
# include <unistd.h>
# include <sys/syslimits.h>
#elif defined(RT_OS_WINDOWS)
# include <Windows.h>
# include <stdio.h>
#else /* UNIXes */
# include <stdio.h>
# include <stdlib.h>
# include <dlfcn.h>
# include <fcntl.h>
# include <limits.h>
# include <errno.h>
# include <unistd.h>
# include <stdio.h>
# include <pwd.h>
# ifdef RT_OS_DARWIN
# endif
#endif
#include "SUPLibInternal.h"
/*******************************************************************************
* Global Variables *
*******************************************************************************/
/**
* The files that gets verified.
*
* @todo This needs reviewing against the linux packages.
* @todo The excessive use of kSupID_SharedLib needs to be reviewed at some point. For
* the time being we're building the linux packages with SharedLib pointing to
* AppPrivArch (lazy bird).
*/
static SUPINSTFILE const g_aSupInstallFiles[] =
{
/* type, dir,fOptional, pszFile */
/* ---------------------------------------------------------------------- */
#if HC_ARCH_BITS == 32
#endif
//#ifdef VBOX_WITH_DEBUGGER_GUI
//#endif
//#ifdef VBOX_WITH_SHARED_CLIPBOARD
//#endif
//#ifdef VBOX_WITH_SHARED_FOLDERS
//#endif
//#ifdef VBOX_WITH_GUEST_PROPS
//#endif
//#ifdef VBOX_WITH_MAIN
//#endif
#ifdef RT_OS_WINDOWS
/** @todo */
#else
#ifdef VBOX_WITH_MAIN
#endif
//#ifdef VBOX_WITH_VRDP
//#endif
//#ifdef VBOX_WITH_HEADLESS
//#endif
//#ifdef VBOX_WITH_QTGUI
# endif
//#endif
//#ifdef VBOX_WITH_VBOXSDL
//#endif
//#ifdef VBOX_WITH_VBOXBFE
//#endif
//#ifdef VBOX_WITH_WEBSERVICES
//#endif
#ifdef RT_OS_LINUX
#endif
};
/** Array parallel to g_aSupInstallFiles containing per-file status info. */
/** Array index by install directory specifier containing info about verified directories. */
/**
* Assembles the path to a dirtory.
*
* @returns VINF_SUCCESS on success, some error code on failure (fFatal
* decides whether it returns or not).
*
* @param enmDir The directory.
* @param pszDst Where to assemble the path.
* @param cchDst The size of the buffer.
* @param fFatal Whether failures should be treated as fatal (true) or not (false).
*/
{
int rc;
switch (enmDir)
{
case kSupID_AppBin: /** @todo fix this AppBin crap (uncertain wtf some binaries actually are installed). */
case kSupID_Bin:
break;
case kSupID_SharedLib:
break;
case kSupID_AppPrivArch:
break;
case kSupID_AppPrivArchComp:
if (RT_SUCCESS(rc))
{
else
}
break;
case kSupID_AppPrivNoArch:
break;
default:
"supR3HardenedMakePath: enmDir=%d\n", enmDir);
}
if (RT_FAILURE(rc))
return rc;
}
/**
* Assembles the path to a file table entry, with or without the actual filename.
*
* @returns VINF_SUCCESS on success, some error code on failure (fFatal
* decides whether it returns or not).
*
* @param pFile The file table entry.
* @param pszDst Where to assemble the path.
* @param cchDst The size of the buffer.
* @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
* @param fFatal Whether failures should be treated as fatal (true) or not (false).
*/
static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
{
/*
* Combine supR3HardenedMakePath and the filename.
*/
if (RT_SUCCESS(rc))
{
{
}
else
"supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
}
return rc;
}
/**
* Verifies a directory.
*
* @returns VINF_SUCCESS on success. On failure, an error code is returned if
* fFatal is clear and if it's set the function wont return.
* @param enmDir The directory specifier.
* @param fFatal Whether validation failures should be treated as
* fatal (true) or not (false).
*/
{
/*
* Validate the index just to be on the safe side...
*/
"supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
/*
* Already validated?
*/
return VINF_SUCCESS; /** @todo revalidate? */
/* initialize the entry. */
"supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
/*
* Make the path and open the directory.
*/
char szPath[RTPATH_MAX];
if (RT_SUCCESS(rc))
{
#if defined(RT_OS_WINDOWS)
NULL,
NULL);
if (hDir != INVALID_HANDLE_VALUE)
{
/** @todo check the type */
/* That's all on windows, for now at least... */
}
else
{
int err = GetLastError();
"supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
}
#else /* UNIXY */
if (fd >= 0)
{
/*
* On unixy systems we'll make sure the directory is owned by root
* and not writable by the group and user.
*/
{
{
}
else
{
"supR3HardenedVerifyDir: \"%s\" is not a directory\n",
"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
else
"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
}
}
else
{
"supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
}
}
else
{
"supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
}
#endif /* UNIXY */
}
return rc;
}
/**
* Verifies a file entry.
*
* @returns VINF_SUCCESS on success. On failure, an error code is returned if
* fFatal is clear and if it's set the function wont return.
*
* @param iFile The file table index of the file to be verified.
* @param fFatal Whether validation failures should be treated as
* fatal (true) or not (false).
* @param fLeaveFileOpen Whether the file should be left open.
*/
{
/*
* Already done?
*/
if (pVerified->fValidated)
return VINF_SUCCESS; /** @todo revalidate? */
/* initialize the entry. */
"supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
pVerified->fValidated = false;
/*
* Verify the directory then proceed to open it.
* (This'll make sure the directory is opened and that we can (later)
* use openat if we wish.)
*/
if (RT_SUCCESS(rc))
{
char szPath[RTPATH_MAX];
if (RT_SUCCESS(rc))
{
#if defined(RT_OS_WINDOWS)
NULL,
NULL);
if (hFile != INVALID_HANDLE_VALUE)
{
/** @todo Check the type, and verify the signature (separate function so we can skip it). */
{
/* it's valid. */
if (fLeaveFileOpen)
else
pVerified->fValidated = true;
}
}
else
{
int err = GetLastError();
"supR3HardenedVerifyFileInternal: Failed to open \"%s\": err=%d\n",
}
#else /* UNIXY */
if (fd >= 0)
{
/*
* On unixy systems we'll make sure the directory is owned by root
* and not writable by the group and user.
*/
{
{
/* it's valid. */
if (fLeaveFileOpen)
else
pVerified->fValidated = true;
}
else
{
"supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
else
"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
}
}
else
{
"supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
}
}
else
{
"supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
}
#endif /* UNIXY */
}
}
return rc;
}
/**
* Verifies that the specified table entry matches the given filename.
*
* @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
* error is returned or we terminate the application.
*
* @param iFile The file table index.
* @param pszFilename The filename.
* @param fFatal Whether validation failures should be treated as
* fatal (true) or not (false).
*/
{
/*
* Construct the full path for the file table entry
* and compare it with the specified file.
*/
char szName[RTPATH_MAX];
if (RT_FAILURE(rc))
return rc;
#if defined(RT_OS_WINDOWS) || defined(RT_OS_OS2)
#else
#endif
{
/*
* Normalize the two paths and compare again.
*/
#if defined(RT_OS_WINDOWS)
char szName2[RTPATH_MAX];
rc = VINF_SUCCESS;
#else
char szName2[RTPATH_MAX];
rc = VINF_SUCCESS;
#endif
if (RT_FAILURE(rc))
{
"supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
}
}
/*
* Check more stuff like the stat info if it's an already open file?
*/
return VINF_SUCCESS;
}
/**
* Verifies a file.
*
* @returns VINF_SUCCESS on success.
* VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
* On verfication failure, an error code will be returned when fFatal is clear,
* otherwise the program will be termindated.
*
* @param pszFilename The filename.
* @param fFatal Whether validation failures should be treated as
* fatal (true) or not (false).
*/
{
/*
* Lookup the file and check if it's the same file.
*/
{
if (RT_SUCCESS(rc))
return rc;
}
return VERR_NOT_FOUND;
}
/**
* Verifies a program, worker for supR3HardenedVerifyAll.
*
* @returns See supR3HardenedVerifyAll.
* @param pszProgName See supR3HardenedVerifyAll.
* @param fFatal See supR3HardenedVerifyAll.
*/
{
/*
*/
int rc = VINF_SUCCESS;
bool fExe = false;
bool fDll = false;
{
{
/* This only has to be found (once). */
if (fDll)
"supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
fDll = true;
}
{
/* Here we'll have to check that the specific program is the same as the entry. */
if (fExe)
"supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
fExe = true;
char szFilename[RTPATH_MAX];
int rc2 = supR3HardenedPathProgram(szFilename, sizeof(szFilename) - cchProgName - sizeof(SUPLIB_EXE_SUFF));
if (RT_SUCCESS(rc2))
{
}
else
"supR3HardenedVerifyProgram: failed to query program path: rc=%d\n", rc2);
}
}
/*
* Check the findings.
*/
"supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
else if (!fExe)
"supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
else if (!fDll)
"supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
return rc;
}
/**
* Verifies all the known files.
*
* @returns VINF_SUCCESS on success.
* On verfication failure, an error code will be returned when fFatal is clear,
* otherwise the program will be termindated.
*
* @param fFatal Whether validation failures should be treated as
* fatal (true) or not (false).
* @param fLeaveFilesOpen If set, all the verfied files are left open.
* @param pszProgName Optional program name. This is used by SUPR3HardenedMain
* to verify that both the executable and corresponding
*/
{
/*
* The verify all the files.
*/
int rc = VINF_SUCCESS;
{
}
/*
* Verify the program name if specified, that is to say, just check that
* it's in the table (=> we've already verified it).
*/
if (pszProgName)
{
}
return rc;
}
/**
* Gets the pre-init data for the hand-over to the other version
* of this code.
*
* The reason why we pass this information on is that it contains
* open directories and files. Later it may include even more info
* (int the verified arrays mostly).
*
* The receiver is supR3HardenedRecvPreInitData.
*
* @param pPreInitData Where to store it.
*/
{
}
/**
* Receives the pre-init data from the static executable stub.
*
* @returns VBox status code. Will not bitch on failure since the
* runtime isn't ready for it, so that is left to the exe stub.
*
* @param pPreInitData The hand-over data.
*/
{
/*
* Compare the array lengths and the contents of g_aSupInstallFiles.
*/
return VERR_VERSION_MISMATCH;
return VERR_VERSION_MISMATCH;
/*
* Check that we're not called out of order.
* If dynamic linking it screwed up, we may end up here.
*/
return VERR_WRONG_ORDER;
/*
* Copy the verification data over.
*/
return VINF_SUCCESS;
}