authoraszlig <aszlig@redmoonstudios.org>2014-12-15 07:08:56 +0100
committeraszlig <aszlig@redmoonstudios.org>2014-12-15 17:52:18 +0100
commite03e0ff42a6bb6caaa3e9308d377600875559e96 (patch)
tree5af477cd84d87320fc40be6046b22aebc142456c
parent77831e8467ae24ca4ddf1a48d8dd8a17faae10d6 (diff)
nixos/virtualbox: Allow to disable hardening.
Hardening mode in VirtualBox is quite restrictive and on some systems it
could make sense to disable hardening mode, especially while we still
have issues with hostonly networking and other issues[TM] we don't know
or haven't tested yet.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
-rw-r--r--nixos/modules/programs/virtualbox-host.nix40
1 files changed, 31 insertions, 9 deletions
diff --git a/nixos/modules/programs/virtualbox-host.nix b/nixos/modules/programs/virtualbox-host.nix
index 603b25e3cfce..c0cf49e2aacf 100644
--- a/nixos/modules/programs/virtualbox-host.nix
+++ b/nixos/modules/programs/virtualbox-host.nix
@@ -3,20 +3,42 @@
 with lib;
 
 let
-  virtualbox = config.boot.kernelPackages.virtualbox;
+  cfg = config.services.virtualboxHost;
+  virtualbox = config.boot.kernelPackages.virtualbox.override {
+    inherit (cfg) enableHardening;
+  };
+
 in
 
 {
-  options = {
-    services.virtualboxHost.enable = mkEnableOption "VirtualBox Host support";
-    services.virtualboxHost.addNetworkInterface = mkOption {
+  options.services.virtualboxHost = {
+    enable = mkEnableOption "VirtualBox Host support";
+
+    addNetworkInterface = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Automatically set up a vboxnet0 host-only network interface.
+      '';
+    };
+
+    enableHardening = mkOption {
       type = types.bool;
       default = true;
-      description = "Automatically set up a vboxnet0 host-only network interface.";
+      description = ''
+        Enable hardened VirtualBox, which ensures that only the binaries in the
+        system path get access to the devices exposed by the kernel modules
+        instead of all users in the vboxusers group.
+
+        <important><para>
+          Disabling this can put your system's security at risk, as local users
+          in the vboxusers group can tamper with the VirtualBox device files.
+        </para></important>
+      '';
     };
   };
 
-  config = mkIf config.services.virtualboxHost.enable (mkMerge [{
+  config = mkIf cfg.enable (mkMerge [{
     boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
     boot.extraModulePackages = [ virtualbox ];
     environment.systemPackages = [ virtualbox ];
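Review bot: The `enableHardening` description warns about the risk of disabling it but does not state what this module itself stops doing: the second hunk wraps the `security` setuid stubs for VBoxHeadless, VBoxSDL and VirtualBox in `mkIf cfg.enableHardening`, so with hardening off no wrappers are installed and vboxusers group membership becomes the only access control for the device nodes. Suggest appending to the description, before the `<important>` block: `When disabled, the setuid wrappers for VBoxHeadless, VBoxSDL and VirtualBox are not installed and access to the VirtualBox devices is governed solely by membership in the vboxusers group.` That gives an operator auditing this option a checkable fact (the absence of those wrappers) rather than only a warning. Whether the `.override { inherit (cfg) enableHardening; }` argument is actually accepted by `config.boot.kernelPackages.virtualbox` is not visible in this hunk and should be confirmed against the package expression.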
@@ -28,11 +50,11 @@ in
         group = "vboxusers";
         setuid = true;
       };
-    in map mkVboxStub [
+    in mkIf cfg.enableHardening (map mkVboxStub [
       "VBoxHeadless"
       "VBoxSDL"
       "VirtualBox"
-    ];
+    ]);
 
     users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
 
@@ -48,7 +70,7 @@ in
       '';
 
     # Since we lack the right setuid binaries, set up a host-only network by default.
-  } (mkIf config.services.virtualboxHost.addNetworkInterface {
+  } (mkIf cfg.addNetworkInterface {
     systemd.services."vboxnet0" =
       { description = "VirtualBox vboxnet0 Interface";
         requires = [ "dev-vboxnetctl.device" ];