virtualbox: Fix runtime paths in hardening mode.

Because we have to rely on setuid wrappers on NixOS, we can't easily
hardcode the executable paths and set it 4755. So for all calls, we need
to change the runtime path executable directory to /var/setuid-wrappers/
and for verification we need to retain the executable directory.

Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL
and VBoxVolInfo don't reside in directories that are commonly in PATH,
but in /usr/lib/virtualbox in most mainstream distros. But because the
names of these executables are distinctive enough to not cause
collisions with other setuid programs, I'll leave it like that and not
patch up setuid-wrappers.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

1 files changed, 7 insertions, 2 deletions

diff --git a/nixos/modules/programs/virtualbox-host.nix b/nixos/modules/programs/virtualbox-host.nix
index c6abc9ddf894..504ef36d44be 100644
--- a/nixos/modules/programs/virtualbox-host.nix
+++ b/nixos/modules/programs/virtualbox-host.nix
@@ -62,15 +62,20 @@ in
     ));
 
     security.setuidOwners = let
-      mkVboxStub = program: {
+      mkSuid = program: {
         inherit program;
+        source = "${virtualbox}/libexec/virtualbox/${program}";
         owner = "root";
         group = "vboxusers";
         setuid = true;
       };
-    in mkIf cfg.enableHardening (map mkVboxStub [
+    in mkIf cfg.enableHardening (map mkSuid [
       "VBoxHeadless"
+      "VBoxNetAdpCtl"
+      "VBoxNetDHCP"
+      "VBoxNetNAT"
       "VBoxSDL"
+      "VBoxVolInfo"
       "VirtualBox"
     ]);