1diff --git a/include/iprt/mangling.h b/include/iprt/mangling.h
2index 991dd9e..defc781 100644
3--- a/include/iprt/mangling.h
4+++ b/include/iprt/mangling.h
5@@ -1802,6 +1802,7 @@
6 # define RTPathStripSuffix RT_MANGLER(RTPathStripSuffix)
7 # define RTPathStripFilename RT_MANGLER(RTPathStripFilename)
8 # define RTPathStripTrailingSlash RT_MANGLER(RTPathStripTrailingSlash)
9+# define RTPathSuidDir RT_MANGLER(RTPathSuidDir)
10 # define RTPathTemp RT_MANGLER(RTPathTemp)
11 # define RTPathTraverseList RT_MANGLER(RTPathTraverseList)
12 # define RTPathUnlink RT_MANGLER(RTPathUnlink)
13@@ -1842,6 +1843,7 @@
14 # define RTProcGetAffinityMask RT_MANGLER(RTProcGetAffinityMask)
15 # define RTProcGetExecutablePath RT_MANGLER(RTProcGetExecutablePath)
16 # define RTProcGetPriority RT_MANGLER(RTProcGetPriority)
17+# define RTProcGetSuidPath RT_MANGLER(RTProcGetSuidPath)
18 # define RTProcIsRunningByName RT_MANGLER(RTProcIsRunningByName)
19 # define RTProcQueryParent RT_MANGLER(RTProcQueryParent)
20 # define RTProcQueryUsername RT_MANGLER(RTProcQueryUsername)
21diff --git a/include/iprt/path.h b/include/iprt/path.h
22index 89bf8f6..5caa578 100644
23--- a/include/iprt/path.h
24+++ b/include/iprt/path.h
25@@ -1235,6 +1235,15 @@ RTDECL(int) RTPathCalcRelative(char *pszPathDst, size_t cbPathDst, const char *p
26 */
27 RTDECL(int) RTPathExecDir(char *pszPath, size_t cchPath);
28 
29+/**
30+ * Gets the path to the NixOS setuid wrappers directory.
31+ *
32+ * @returns iprt status code.
33+ * @param pszPath Buffer where to store the path.
34+ * @param cchPath Buffer size in bytes.
35+ */
36+RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath);
37+
38 /**
39 * Gets the user home directory. 
40 *
41diff --git a/include/iprt/process.h b/include/iprt/process.h
42index 4ca981e..058ae7a 100644
43--- a/include/iprt/process.h
44+++ b/include/iprt/process.h
45@@ -384,6 +384,16 @@ RTR3DECL(const char *) RTProcExecutablePath(void);
46 */
47 RTR3DECL(char *) RTProcGetExecutablePath(char *pszExecPath, size_t cbExecPath);
48 
49+/**
50+ * Gets the path to the NixOS setuid wrappers directory.
51+ *
52+ * @returns pszExecPath on success. NULL on buffer overflow or other errors.
53+ *
54+ * @param pszExecPath Where to store the path.
55+ * @param cbExecPath The size of the buffer.
56+ */
57+RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath);
58+
59 /**
60 * Daemonize the current process, making it a background process.
61 
62diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
63index e78a397..ff5b541 100644
64--- a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
65+++ b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
66@@ -1541,9 +1541,9 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
67 bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 2 /*bin*/ || suplibHardenedStrCmp(pszPath, "/usr/lib/iconv");
68 # else
69 NOREF(fRelaxed);
70- bool fBad = true;
71+ bool fBad = !(fDir && pFsObjState->Stat.st_mode & S_ISVTX && !suplibHardenedStrCmp(pszPath, "/nix/store"));
72 # endif
73- if (fBad)
74+ if (fBad && suplibHardenedStrCmp(pszPath, "/nix/store"))
75 return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
76 "An unknown (and thus untrusted) group has write access to '", pszPath,
77 "' and we therefore cannot trust the directory content or that of any subdirectory");
78diff --git a/src/VBox/Main/src-all/MachineLaunchVMCommonWorker.cpp b/src/VBox/Main/src-all/MachineLaunchVMCommonWorker.cpp
79index 01d7a9f..e52a291 100644
80--- a/src/VBox/Main/src-all/MachineLaunchVMCommonWorker.cpp
81+++ 
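Review bot: The doc comment added for RTProcGetSuidPath omits that the stored path ends with a '/' — the implementation in process.cpp copies "/run/wrappers/bin/" and its own comment says callers cut off everything after the last '/', and the only visible caller (NetworkServiceRunner.cpp) depends on that when it calls RTPathStripFilename right after. Suggest adding to the header comment `* The stored path ends with a path separator so that RTPathStripFilename() yields the directory itself.` and a sentence noting that, unlike RTProcGetExecutablePath, the result is a fixed directory rather than derived from the running executable.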
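Review bot: The extra `suplibHardenedStrCmp(pszPath, "/nix/store")` in the new `if` makes the directory-and-sticky-bit test in the new `fBad` line ineffective: when pszPath is exactly "/nix/store" the second operand is zero and the error is skipped whatever fDir and S_ISVTX were, and for every other path fBad is already true, so the net behaviour is "never reject a group-writable /nix/store" rather than "accept it only when it is a sticky directory". If the sticky-directory condition is the intended exemption, keep the check in one place: `if (fBad)` together with `bool fBad = !(fDir && (pFsObjState->Stat.st_mode & S_ISVTX) && !suplibHardenedStrCmp(pszPath, "/nix/store"));` (the parentheses only make the precedence of `&` visible). This function exists to reject directories an untrusted group can write to, so a short comment above the new line stating why /nix/store is treated differently would help the next reader. supR3HardenedVerifyFsObject starts and continues outside the hunk.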
b/src/VBox/Main/src-all/MachineLaunchVMCommonWorker.cpp
82@@ -100,7 +100,7 @@ int MachineLaunchVMCommonWorker(const Utf8Str &aNameOrId,
83 
84 /* Get the path to the executable directory w/ trailing slash: */
85 char szPath[RTPATH_MAX];
86- int vrc = RTPathAppPrivateArch(szPath, sizeof(szPath));
87+ int vrc = RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers/bin");
88 AssertRCReturn(vrc, vrc);
89 size_t cbBufLeft = RTPathEnsureTrailingSeparator(szPath, sizeof(szPath));
90 AssertReturn(cbBufLeft > 0, VERR_FILENAME_TOO_LONG);
91diff --git a/src/VBox/Main/src-server/NetworkServiceRunner.cpp b/src/VBox/Main/src-server/NetworkServiceRunner.cpp
92index 773d27f..874ec2d 100644
93--- a/src/VBox/Main/src-server/NetworkServiceRunner.cpp
94+++ b/src/VBox/Main/src-server/NetworkServiceRunner.cpp
95@@ -198,7 +198,7 @@ int NetworkServiceRunner::start(bool aKillProcessOnStop)
96 * ASSUME it is relative to the directory that holds VBoxSVC.
97 */
98 char szExePath[RTPATH_MAX];
99- AssertReturn(RTProcGetExecutablePath(szExePath, RTPATH_MAX), VERR_FILENAME_TOO_LONG);
100+ AssertReturn(RTProcGetSuidPath(szExePath, RTPATH_MAX), VERR_FILENAME_TOO_LONG);
101 RTPathStripFilename(szExePath);
102 int vrc = RTPathAppend(szExePath, sizeof(szExePath), m->pszProcName);
103 AssertLogRelRCReturn(vrc, vrc);
104diff --git a/src/VBox/Main/src-server/generic/NetIf-generic.cpp b/src/VBox/Main/src-server/generic/NetIf-generic.cpp
105index 1e2eb61..893344c 100644
106--- a/src/VBox/Main/src-server/generic/NetIf-generic.cpp
107+++ b/src/VBox/Main/src-server/generic/NetIf-generic.cpp
108@@ -62,7 +62,7 @@ static int NetIfAdpCtl(const char * pcszIfName, const char *pszAddr, const char
109 const char *args[] = { NULL, pcszIfName, pszAddr, pszOption, pszMask, NULL };
110 
111 char szAdpCtl[RTPATH_MAX];
112- int vrc = RTPathExecDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME));
113+ int vrc = RTPathSuidDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME));
114 if (RT_FAILURE(vrc))
115 
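Review bot: The new line 87 hard-codes the "/run/wrappers/bin" literal that this same patch centralises in RTPathSuidDir (path.cpp), and passes `sizeof(szPath) - 1` where RTPathSuidDir itself hands RTStrCopy the full buffer size, so the `- 1` looks unnecessary; `int vrc = RTPathSuidDir(szPath, sizeof(szPath));` keeps a single definition of the wrapper directory. The comment on the preceding context line, "Get the path to the executable directory w/ trailing slash", no longer describes what is fetched; suggest `/* Get the path to the setuid wrapper directory w/ trailing slash: */`. MachineLaunchVMCommonWorker starts and continues outside the hunk.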
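Review bot: The context comment at line 96, "ASSUME it is relative to the directory that holds VBoxSVC", is now stale: after the change the service binary is resolved under the setuid wrapper directory, and the `RTPathStripFilename(szExePath)` on the following line only yields that directory because RTProcGetSuidPath stores it with a trailing '/' (see the SUIDDIR comment in process.cpp). Suggest replacing the stale sentence with `* The service binary lives in the setuid wrapper dir; RTProcGetSuidPath returns it with a trailing '/', which RTPathStripFilename removes.` The start of that comment and the rest of NetworkServiceRunner::start are outside the hunk.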
{
116 LogRel(("NetIfAdpCtl: failed to get program path, vrc=%Rrc.\n", vrc));
117@@ -109,7 +109,7 @@ static int NetIfAdpCtl(HostNetworkInterface * pIf, const char *pszAddr, const ch
118 int NetIfAdpCtlOut(const char * pcszName, const char * pcszCmd, char *pszBuffer, size_t cBufSize)
119 {
120 char szAdpCtl[RTPATH_MAX];
121- int vrc = RTPathExecDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME " ") - strlen(pcszCmd));
122+ int vrc = RTPathSuidDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME " ") - strlen(pcszCmd));
123 if (RT_FAILURE(vrc))
124 {
125 LogRel(("NetIfAdpCtlOut: Failed to get program path, vrc=%Rrc\n", vrc));
126@@ -224,7 +224,7 @@ int NetIfCreateHostOnlyNetworkInterface(VirtualBox *pVirtualBox,
127 progress.queryInterfaceTo(aProgress);
128 
129 char szAdpCtl[RTPATH_MAX];
130- vrc = RTPathExecDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME " add"));
131+ vrc = RTPathSuidDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME " add"));
132 if (RT_FAILURE(vrc))
133 {
134 progress->i_notifyComplete(E_FAIL,
135diff --git a/src/VBox/Runtime/r3/path.cpp b/src/VBox/Runtime/r3/path.cpp
136index bcd8deb..46ecd1e 100644
137--- a/src/VBox/Runtime/r3/path.cpp
138+++ b/src/VBox/Runtime/r3/path.cpp
139@@ -91,6 +91,12 @@ RTDECL(int) RTPathExecDir(char *pszPath, size_t cchPath)
140 }
141 
142 
143+RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath)
144+{
145+ return RTStrCopy(pszPath, cchPath, "/run/wrappers/bin");
146+}
147+
148+
149 RTDECL(int) RTPathAppPrivateNoArch(char *pszPath, size_t cchPath)
150 {
151 #if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE)
152diff --git a/src/VBox/Runtime/r3/process.cpp b/src/VBox/Runtime/r3/process.cpp
153index f9d1ecf..042e599 100644
154--- a/src/VBox/Runtime/r3/process.cpp
155+++ b/src/VBox/Runtime/r3/process.cpp
156@@ -127,6 +127,25 @@ RTR3DECL(const char *) RTProcExecutablePath(void)
157 return g_szrtProcExePath;
158 }
159 
160+/*
161+* Note the / at the end! 
This is important, because the functions using this
162+ * will cut off everything after the rightmost / as this function is analogous
163+ * to RTProcGetExecutablePath().
164+ */
165+#define SUIDDIR "/run/wrappers/bin/"
166+
167+RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath)
168+{
169+ if (cbExecPath >= sizeof(SUIDDIR))
170+ {
171+ memcpy(pszExecPath, SUIDDIR, sizeof(SUIDDIR));
172+ pszExecPath[sizeof(SUIDDIR)] = '\0';
173+ return pszExecPath;
174+ }
175+
176+ AssertMsgFailed(("Buffer too small (%zu <= %zu)\n", cbExecPath, sizeof(SUIDDIR)));
177+ return NULL;
178+}
179 
180 RTR3DECL(const char *) RTProcShortName(void)
181 {
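Review bot: `pszExecPath[sizeof(SUIDDIR)] = '\0';` at line 172 writes one byte past the string that the memcpy on the line before just copied: sizeof(SUIDDIR) already counts the terminating NUL, so the memcpy stores a complete NUL-terminated string and index sizeof(SUIDDIR) is the byte after it; with cbExecPath == sizeof(SUIDDIR), which the guard at line 169 admits, that store lands outside the caller's buffer. Drop the line, or if an explicit terminator is wanted use `pszExecPath[sizeof(SUIDDIR) - 1] = '\0';`. The assertion text on line 176 also disagrees with the guard: it is reached only when cbExecPath < sizeof(SUIDDIR), so `"Buffer too small (%zu < %zu)\n"`. The one visible caller (NetworkServiceRunner.cpp) passes RTPATH_MAX, so the out-of-bounds write is not reachable from it, but the function is an exported RTR3DECL and other callers are not constrained.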