From owner-freebsd-emulation@FreeBSD.ORG  Wed Aug 28 12:24:29 2013
Return-Path: <owner-freebsd-emulation@FreeBSD.ORG>
Delivered-To: freebsd-emulation@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id C3749E1;
 Wed, 28 Aug 2013 12:24:29 +0000 (UTC) (envelope-from avg@FreeBSD.org)
Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140])
 by mx1.freebsd.org (Postfix) with ESMTP id 59B962368;
 Wed, 28 Aug 2013 12:24:28 +0000 (UTC)
Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua
 [212.40.38.100])
 by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id PAA09014;
 Wed, 28 Aug 2013 15:24:26 +0300 (EEST)
 (envelope-from avg@FreeBSD.org)
Received: from localhost ([127.0.0.1])
 by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD))
 id 1VEenS-000OTH-Fs; Wed, 28 Aug 2013 15:24:26 +0300
Message-ID: <521DEBC2.1080602@FreeBSD.org>
Date: Wed, 28 Aug 2013 15:23:30 +0300
From: Andriy Gapon <avg@FreeBSD.org>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:17.0) Gecko/20130810 Thunderbird/17.0.8
MIME-Version: 1.0
To: freebsd-emulation@FreeBSD.org
Subject: Re: [kde-freebsd] virtualbox file dialog problem
References: <51E6B030.1080009@FreeBSD.org>
 <alpine.BSF.2.00.1307171910260.2397@badger.tharned.org>
 <51E793DB.2020607@FreeBSD.org> <521DE891.9070107@FreeBSD.org>
In-Reply-To: <521DE891.9070107@FreeBSD.org>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-hackers@FreeBSD.org, freebsd-standards@FreeBSD.org,
 freebsd-security@FreeBSD.org
X-BeenThere: freebsd-emulation@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Development of Emulators of other operating systems
 <freebsd-emulation.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-emulation>, 
 <mailto:freebsd-emulation-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-emulation>
List-Post: <mailto:freebsd-emulation@freebsd.org>
List-Help: <mailto:freebsd-emulation-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-emulation>, 
 <mailto:freebsd-emulation-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 12:24:29 -0000

on 28/08/2013 15:09 Andriy Gapon said the following:
> Now a description of the problem.
> 
> 1. VirtualBox executable is installed setuid root.  Apparently, when it is run
> it does some privileged things and then drops all of the uids and gids (real,
> effective and saved) back to what they should have been originally.
> VirtualBox does not do any (re-)exec of itself after the above manipulations.
> 
> 2. issetugid(2) (which is apparently a BSD extension) on FreeBSD does not
> consider the above manipulations as sufficient to mark an executable as
> untainted.  So it would return 1 for the VirtualBox process.
> 
> 3. dbus code seems to impose some limitations on communication by such "tainted"
> processes.  It has the following code:
> http://cgit.freedesktop.org/dbus/dbus/tree/dbus/dbus-sysdeps-unix.c#n4139
> For web-impaired :) the gist is that on BSD systems the code uses issetugid but
> on other systems (like Linux) it uses getresuid and getresgid and checks that
> all 3 uids are the same and all 3 gids are the same.
> 
> As a result, on FreeBSD the dbus code would consider the VirtualBox process
> tainted and that impairs its communication with KDE components.
> On systems without issetugid or those that implement it differently, dbus would
> work as for a normal process and all the communications are OK.
> 
> I've also verified this conclusion by forcing dbus to use the alternative logic
> on FreeBSD.
> 
> So, possible solutions:
[snip]
> B. change VirtualBox to be friendly to FreeBSD issetugid(2) and exec itself
> after dropping the privileges
[snip]

BTW, I've just found this "interesting" code in the VirtualBox sources (forgive
me a full paste, but I couldn't resist):

#if defined(RT_OS_DARWIN)
# include <dlfcn.h>
# include <sys/mman.h>
# include <iprt/asm.h>
# include <iprt/system.h>

/** Really ugly hack to shut up a silly check in AppKit. */
static void ShutUpAppKit(void)
{
    /* Check for Snow Leopard or higher */
    char szInfo[64];
    int rc = RTSystemQueryOSInfo (RTSYSOSINFO_RELEASE, szInfo, sizeof(szInfo));
    if (   RT_SUCCESS (rc)
        && szInfo[0] == '1') /* higher than 1x.x.x */
    {
        /*
         * Find issetguid() and make it always return 0 by modifying the code.
         */
        void *addr = dlsym(RTLD_DEFAULT, "issetugid");
        int rc = mprotect((void *)((uintptr_t)addr & ~(uintptr_t)0xfff), 0x2000,
PROT_WRITE|PROT_READ|PROT_EXEC);
        if (!rc)
            ASMAtomicWriteU32((volatile uint32_t *)addr, 0xccc3c031); /* xor
eax, eax; ret; int3 */
    }
}
#endif /* DARWIN */


-- 
Andriy Gapon