Diffstat (limited to 'src/VBox/HostDrivers/Support/win')
4 files changed, 54 insertions, 25 deletions
diff --git a/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h b/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
index 0f953e38..a14ee4a7 100644
--- a/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
+++ b/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
@@ -151,8 +151,9 @@ DECLHIDDEN(int) supHardenedWinVerifyImageByLdrMod(RTLDRMOD hLdrMod, PCRTUTF16 p
# define SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT RT_BIT(2)
/** Whether to allow image verification by catalog file. */
# define SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION RT_BIT(3)
-/** The file owner must be TrustedInstaller on Vista+. */
-# define SUPHNTVI_F_TRUSTED_INSTALLER_OWNER RT_BIT(4)
+/** The file owner must be TrustedInstaller, Builtin\\Administrators
+ * (S-1-5-32-544) or local system (S-1-5-21) on Vista+. */
+# define SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER RT_BIT(4)
/** Ignore the image architecture (otherwise it must match the verification
* code). Used with resource images and such. */
# define SUPHNTVI_F_IGNORE_ARCHITECTURE RT_BIT(30)
diff --git a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
index 747d975e..c05d0210 100644
--- a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
+++ b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
@@ -807,7 +807,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u
pwsz = pwszName + cwcOther + 1;
/* Must be owned by trusted installer. (This test is superfuous, thus no relaxation here.) */
- if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
return rc;
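Review bot: The new flag comment in the header hunk labels local system as `S-1-5-21`, but S-1-5-21 is the prefix of machine/domain account SIDs, whereas the LocalSystem account is S-1-5-18; a maintainer trusting the comment would conclude the owner check admits any local account. Suggest `/** The file owner must be TrustedInstaller, Builtin\\Administrators (S-1-5-32-544) or LocalSystem (S-1-5-18) on Vista+. */`. supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar is not in this diff, so confirm which SIDs it actually compares against and make the comment match the code rather than the other way round.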
@@ -868,7 +868,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u
return rc;
/* Must be owned by trusted installer. */
- if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
return rc;
return VINF_LDRVI_NOT_SIGNED;
@@ -885,7 +885,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u
cwcOther = g_System32NtPath.UniStr.Length / sizeof(WCHAR); /* ASSUMES System32 is called System32. */
pwsz = pwszName + cwcOther + 1;
- if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
return rc;
@@ -933,7 +933,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u
# endif
)
{
- if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
return rc;
return VINF_LDRVI_NOT_SIGNED;
@@ -943,7 +943,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u
/*
* Anything that's owned by the trusted installer.
*/
- if ( (fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( (fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
|| supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
return VINF_LDRVI_NOT_SIGNED;
@@ -1379,7 +1379,7 @@ DECLHIDDEN(int) supHardenedWinVerifyImageByLdrMod(RTLDRMOD hLdrMod, PCRTUTF16 pw
*/
/** @todo Since we're now allowing Builtin\\Administrators after all, perhaps we
* could drop these system32 + winsxs hacks?? */
- if ( (pNtViRdr->fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( (pNtViRdr->fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(pNtViRdr->hFile, pwszName))
{
if (supHardViUtf16PathStartsWithEx(pwszName, (uint32_t)RTUtf16Len(pwszName),
diff --git a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
index ec6b6a0a..f7ef4408 100644
--- a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
+++ b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
@@ -2147,7 +2147,7 @@ static int supHardNtLdrCacheNewEntry(PSUPHNTLDRCACHEENTRY pEntry, const char *ps
* for this image.
*/
uint32_t fFlags = fDll
- ? SUPHNTVI_F_TRUSTED_INSTALLER_OWNER | SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION
+ ? SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER | SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION
: SUPHNTVI_F_REQUIRE_BUILD_CERT;
if (f32bitResourceDll)
fFlags |= SUPHNTVI_F_IGNORE_ARCHITECTURE;
@@ -2394,10 +2394,12 @@ static int supHardNtVpCheckExe(PSUPHNTVPSTATE pThis)
"NtQueryInformationProcess/ProcessImageInformation failed: %#x hProcess=%#x", rcNt, pThis->hProcess);
}
+#ifndef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
/* A kernel code signing cert is only via way to use /IntegrityCheck. */
if ( !(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY))
return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_FORCE_INTEGRITY,
"EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY to be set.",
ImageInfo.DllCharacteristics);
+#endif
if (!(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE))
return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_DYNAMIC_BASE,
"EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE to be set.",
diff --git a/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp b/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
index a7dccfd9..ada99ee5 100644
--- a/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
+++ b/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
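Review bot: Under VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT the hunk silently skips the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY check on the EXE and leaves nothing in supHardNtVpCheckExe saying what still covers the executable in that configuration. The hunk at 2147 shows the non-DLL path still requests SUPHNTVI_F_REQUIRE_BUILD_CERT, so the EXE signature appears to remain verified there, but that is in another function and easy to lose. Suggest an `#else` branch carrying a comment such as `/* No kernel code signing cert: /IntegrityCheck is unavailable; the EXE is still held to the build cert by supHardNtLdrCacheNewEntry. */` so the weakened check is explicit at the point it is dropped. supHardNtVpCheckExe's body continues outside the hunk.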
@@ -1477,33 +1477,46 @@ supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfA
#ifndef VBOX_PERMIT_EVEN_MORE
/*
* Check the path. We don't allow DLLs to be loaded from just anywhere:
- * 1. System32 - normal code or cat signing, owner TrustedInstaller.
- * 2. WinSxS - normal code or cat signing, owner TrustedInstaller.
- * 3. VirtualBox - kernel code signing and integrity checks.
- * 4. AppPatchDir - normal code or cat signing, owner TrustedInstaller.
- * 5. Program Files - normal code or cat signing, owner TrustedInstaller.
- * 6. Common Files - normal code or cat signing, owner TrustedInstaller.
+ * 1. System32 - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * 2. WinSxS - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * 3. VirtualBox - build with:
+ * - regular code signing cert: build cert code signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * - kernel code signing cert: kernel code signing and integrity checks.
+ * 4. AppPatchDir - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * 5. Program Files - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * 6. Common Files - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
* 7. x86 variations of 4 & 5 - ditto.
+ *
+ * Note! VBOX_WITHOUT_KERNEL_CODE_SIGNING_CERT means the /IntegrityCheck does
+ * work as it doesn't seems like MS has come up with a generally accessible
+ * alternative to the expired kernel code signing scheme for using this
+ * securty enhancement.
*/
uint32_t fFlags = 0;
if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_System32NtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_WinSxSNtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/))
+# ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
+ /** @todo r=bird: See SUPHNTVI_F_REQUIRE_BUILD_CERT comment below (in the
+ * code that's actually used). */
+ fFlags |= SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
+# else
fFlags |= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
+# endif
# ifdef VBOX_PERMIT_MORE
else if (supHardViIsAppPatchDir(uBuf.UniStr.Buffer, uBuf.UniStr.Length / sizeof(WCHAR)))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesNtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesNtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
# ifdef RT_ARCH_AMD64
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesX86NtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesX86NtPath.UniStr, true /*fCheckSlash*/))
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
# endif
# endif
# ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING
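Review bot: The new "Note!" paragraph in the comment block names `VBOX_WITHOUT_KERNEL_CODE_SIGNING_CERT`, but the code a few lines below tests `VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT`, so anyone grepping for the documented macro finds nothing. The same sentence also says the opposite of what is meant: in that configuration /IntegrityCheck cannot be used. Suggest `Note! VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT means /IntegrityCheck is not used, as it does not seem like MS has come up with a generally accessible alternative to the expired kernel code signing scheme for this security enhancement.` (which also fixes "securty" and "doesn't seems"). Separately, the regular-cert branch for the VirtualBox directory drops SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT together with the kernel-cert flag; if that bit is meaningful without /IntegrityCheck it should probably be kept on the build-cert path as well. supR3HardenedScreenImage continues outside the hunk.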
@@ -1531,14 +1544,27 @@ supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfA
#else /* VBOX_PERMIT_EVEN_MORE */
/*
* Require trusted installer + some kind of signature on everything, except
- * for the VBox bits where we require kernel code signing and special
- * integrity checks.
+ * for the VBox bits where we have extra requirements depending on the signing
+ * certificate used:
+ * - regular code signing cert: build cert code signing, owner TrustedInstaller/Administrators/LocalSystem.
+ * - kernel code signing cert: kernel code signing and integrity checks.
*/
uint32_t fFlags = 0;
if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/))
+# ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
+ /** @todo r=bird: Since extension packs are installed under
+ * g_SupLibHardenedAppBinNtPath and I'm pretty sure that everything loaded into
+ * a VBox VM process goes thru this validation step at DLL load time, this means
+ * only we can now sign extension packs.
+ *
+ * I suspect we have to relax the signing restrictions on the ExtensionPacks
+ * subdirectory to keep 3rd party extensions working. */
+ fFlags |= SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
+# else
fFlags |= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
+# endif
else
- fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+ fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
#endif /* VBOX_PERMIT_EVEN_MORE */
/* |
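Review bot: The `# ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT` selection of the flags for the VirtualBox directory is now spelled out twice, here and in the `#ifndef VBOX_PERMIT_EVEN_MORE` branch of the previous hunk, so the two load policies can drift apart without anyone noticing. Define the flag set once at file scope and use it from both branches. The @todo about extension packs should also be settled before this ships: as written, every third-party DLL under g_SupLibHardenedAppBinNtPath now fails the build-cert requirement in this configuration, and a future ExtensionPacks carve-out should still demand a signature plus the owner check rather than fall back to unsigned loads. supR3HardenedScreenImage continues outside the hunk.
```cpp
/* Requirements for images under g_SupLibHardenedAppBinNtPath; shared by both path policies below. */
#ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
# define SUPHNTVI_F_VBOX_BIN_DIR (SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
#else
# define SUPHNTVI_F_VBOX_BIN_DIR (SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT)
#endif
/* … unchanged: path matching up to the VirtualBox directory … */
    if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/))
        fFlags |= SUPHNTVI_F_VBOX_BIN_DIR;
```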