authoraszlig <aszlig@redmoonstudios.org>2017-06-23 05:48:54 +0200
committeraszlig <aszlig@redmoonstudios.org>2017-06-23 05:48:54 +0200
commit63fb845fcf6ea02db7933f503948a01fb2f6c2a4 (patch)
treee19275aeea3bb977c2597454dc433cbd4f235ec8 /pkgs/applications/virtualization/virtualbox
parentfa6fd34fcca07c0762ef3bc44962e2dc49937454 (diff)
virtualbox: Rebase hardened.patch on top of 5.1.22
The merge of the version bump in
6fb9f892382b4b091fc9edcae00e2eb4c0729bda didn't take care of our patch
for the hardening mode and thus enabling VirtualBox without also
force-disabling hardening mode will result in a build error.

While the patch is largely identical with the old version, I've removed
one particular change around the following code:

    if (pFsObjState->Stat.st_mode & S_IWOTH)
        return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
                                      "World writable: '", pszPath, "'");

In the old version of the patch we have checked whether the path is
within the Nix store and suppressed the error return if that's the case.

The reason why I did that in the first place was because we had a bunch
of symlinks which were writable.

In VirtualBox 5.1.22 the code specifically checks whether the file is a
symlink, so we can safely drop our change.

Tested via all of the "virtualbox" NixOS VM subtests and they now all
succeed.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'pkgs/applications/virtualization/virtualbox')
-rw-r--r--pkgs/applications/virtualization/virtualbox/hardened.patch50
1 files changed, 19 insertions, 31 deletions
diff --git a/pkgs/applications/virtualization/virtualbox/hardened.patch b/pkgs/applications/virtualization/virtualbox/hardened.patch
index 8d408d3494e3..bd29ca9a65af 100644
--- a/pkgs/applications/virtualization/virtualbox/hardened.patch
+++ b/pkgs/applications/virtualization/virtualbox/hardened.patch
@@ -1,8 +1,8 @@
 diff --git a/include/iprt/mangling.h b/include/iprt/mangling.h
-index 70c596a..78972ed 100644
+index c1daa8f..8618371 100644
 --- a/include/iprt/mangling.h
 +++ b/include/iprt/mangling.h
-@@ -1068,6 +1068,7 @@
+@@ -1440,6 +1440,7 @@
  # define RTPathStripSuffix                              RT_MANGLER(RTPathStripSuffix)
  # define RTPathStripFilename                            RT_MANGLER(RTPathStripFilename)
  # define RTPathStripTrailingSlash                       RT_MANGLER(RTPathStripTrailingSlash)
@@ -10,7 +10,7 @@ index 70c596a..78972ed 100644
  # define RTPathTemp                                     RT_MANGLER(RTPathTemp)
  # define RTPathTraverseList                             RT_MANGLER(RTPathTraverseList)
  # define RTPathUnlink                                   RT_MANGLER(RTPathUnlink)
-@@ -1105,6 +1106,7 @@
+@@ -1478,6 +1479,7 @@
  # define RTProcGetAffinityMask                          RT_MANGLER(RTProcGetAffinityMask)
  # define RTProcGetExecutablePath                        RT_MANGLER(RTProcGetExecutablePath)
  # define RTProcGetPriority                              RT_MANGLER(RTProcGetPriority)
@@ -19,10 +19,10 @@ index 70c596a..78972ed 100644
  # define RTProcQueryParent                              RT_MANGLER(RTProcQueryParent)
  # define RTProcQueryUsername                            RT_MANGLER(RTProcQueryUsername)
 diff --git a/include/iprt/path.h b/include/iprt/path.h
-index 7e42754..b4de4c8 100644
+index 8bd42bc..2c23d3e 100644
 --- a/include/iprt/path.h
 +++ b/include/iprt/path.h
-@@ -1049,6 +1049,15 @@ RTDECL(int) RTPathCalcRelative(char *pszPathDst, size_t cbPathDst,
+@@ -1064,6 +1064,15 @@ RTDECL(int) RTPathCalcRelative(char *pszPathDst, size_t cbPathDst,
  RTDECL(int) RTPathExecDir(char *pszPath, size_t cchPath);
  
  /**
@@ -39,10 +39,10 @@ index 7e42754..b4de4c8 100644
   *
   * @returns iprt status code.
 diff --git a/include/iprt/process.h b/include/iprt/process.h
-index 2760306..0ce6c92 100644
+index 043653e..1070280 100644
 --- a/include/iprt/process.h
 +++ b/include/iprt/process.h
-@@ -313,6 +313,16 @@ RTR3DECL(const char *) RTProcShortName(void);
+@@ -327,6 +327,16 @@ RTR3DECL(const char *) RTProcShortName(void);
  RTR3DECL(char *) RTProcGetExecutablePath(char *pszExecPath, size_t cbExecPath);
  
  /**
@@ -60,11 +60,11 @@ index 2760306..0ce6c92 100644
   *
   * The way this work is that it will spawn a detached / backgrounded /
 diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
-index c39d2f7..896b352 100644
+index ce0f288..6193108 100644
 --- a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
 +++ b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
-@@ -1415,18 +1415,19 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
-         NOREF(fRelaxed);
+@@ -1489,9 +1489,9 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
+         bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 2 /*bin*/ || suplibHardenedStrCmp(pszPath, "/usr/lib/iconv");
  #else
          NOREF(fRelaxed);
 -        bool fBad = true;
@@ -75,23 +75,11 @@ index c39d2f7..896b352 100644
              return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
                                            "An unknown (and thus untrusted) group has write access to '", pszPath,
                                            "' and we therefore cannot trust the directory content or that of any subdirectory");
-     }
- 
-     /*
--     * World must not have write access.  There is no relaxing this rule.
-+     * World must not have write access.
-+     * There is no relaxing this rule, except when it comes to the Nix store.
-      */
--    if (pFsObjState->Stat.st_mode & S_IWOTH)
-+    if (pFsObjState->Stat.st_mode & S_IWOTH && suplibHardenedStrCmp(pszPath, "/nix/store"))
-         return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
-                                       "World writable: '", pszPath, "'");
- 
 diff --git a/src/VBox/Main/src-server/MachineImpl.cpp b/src/VBox/Main/src-server/MachineImpl.cpp
-index 95dc9a7..39170bc 100644
+index 320c569..9bfe41f 100644
 --- a/src/VBox/Main/src-server/MachineImpl.cpp
 +++ b/src/VBox/Main/src-server/MachineImpl.cpp
-@@ -7326,7 +7326,7 @@ HRESULT Machine::i_launchVMProcess(IInternalSessionControl *aControl,
+@@ -7543,7 +7543,7 @@ HRESULT Machine::i_launchVMProcess(IInternalSessionControl *aControl,
  
      /* get the path to the executable */
      char szPath[RTPATH_MAX];
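Review bot: With the `/nix/store` exception deleted from the SUPR3HardenedVerify.cpp section, nothing in hardened.patch records why the `S_IWOTH` check is now deliberately left at upstream behaviour; the reasoning (per the commit message, 5.1.22 tests for symlinks before this check) lives only in the commit log. The patch file begins directly at `diff --git a/include/iprt/mangling.h`, so a short prose header above that line would carry the rationale with the patch, for example `Rebased on VirtualBox 5.1.22. The world-writable check in supR3HardenedVerifyFsObject is intentionally unpatched; upstream handles symlinks itself, so no /nix/store exception is needed.` That guards against a later rebase reintroducing a relaxation of a check whose upstream comment says there is no relaxing it. The replacement for `bool fBad = true;` in the same function falls between this hunk and the previous one, so the remaining group-write relaxation could not be checked here.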
@@ -101,10 +89,10 @@ index 95dc9a7..39170bc 100644
      szPath[cchBufLeft++] = RTPATH_DELIMITER;
      szPath[cchBufLeft] = 0;
 diff --git a/src/VBox/Main/src-server/NetworkServiceRunner.cpp b/src/VBox/Main/src-server/NetworkServiceRunner.cpp
-index e9e1ba62..4d1c1e1 100644
+index 1e38d99..5e43dda 100644
 --- a/src/VBox/Main/src-server/NetworkServiceRunner.cpp
 +++ b/src/VBox/Main/src-server/NetworkServiceRunner.cpp
-@@ -79,7 +79,7 @@ int NetworkServiceRunner::start()
+@@ -85,7 +85,7 @@ int NetworkServiceRunner::start(bool aKillProcOnStop)
  
      /* get the path to the executable */
      char exePathBuf[RTPATH_MAX];
@@ -114,7 +102,7 @@ index e9e1ba62..4d1c1e1 100644
      char *substrBs = strrchr(exePathBuf, '\\');
      char *suffix = substrSl ? substrSl : substrBs;
 diff --git a/src/VBox/Main/src-server/generic/NetIf-generic.cpp b/src/VBox/Main/src-server/generic/NetIf-generic.cpp
-index 8559d2a..2177f27 100644
+index 98dc91a..43a819f 100644
 --- a/src/VBox/Main/src-server/generic/NetIf-generic.cpp
 +++ b/src/VBox/Main/src-server/generic/NetIf-generic.cpp
 @@ -47,7 +47,7 @@ static int NetIfAdpCtl(const char * pcszIfName, const char *pszAddr, const char
@@ -126,7 +114,7 @@ index 8559d2a..2177f27 100644
      if (RT_FAILURE(rc))
      {
          LogRel(("NetIfAdpCtl: failed to get program path, rc=%Rrc.\n", rc));
-@@ -90,7 +90,7 @@ static int NetIfAdpCtl(HostNetworkInterface * pIf, const char *pszAddr, const ch
+@@ -89,7 +89,7 @@ static int NetIfAdpCtl(HostNetworkInterface * pIf, const char *pszAddr, const ch
  int NetIfAdpCtlOut(const char * pcszName, const char * pcszCmd, char *pszBuffer, size_t cBufSize)
  {
      char szAdpCtl[RTPATH_MAX];
@@ -135,7 +123,7 @@ index 8559d2a..2177f27 100644
      if (RT_FAILURE(rc))
      {
          LogRel(("NetIfAdpCtlOut: Failed to get program path, rc=%Rrc\n", rc));
-@@ -202,7 +202,7 @@ int NetIfCreateHostOnlyNetworkInterface(VirtualBox *pVirtualBox,
+@@ -201,7 +201,7 @@ int NetIfCreateHostOnlyNetworkInterface(VirtualBox *pVirtualBox,
              progress.queryInterfaceTo(aProgress);
  
              char szAdpCtl[RTPATH_MAX];
@@ -145,7 +133,7 @@ index 8559d2a..2177f27 100644
              {
                  progress->i_notifyComplete(E_FAIL,
 diff --git a/src/VBox/Runtime/r3/path.cpp b/src/VBox/Runtime/r3/path.cpp
-index be2ad8f..7ddf105 100644
+index 944848e..744a261 100644
 --- a/src/VBox/Runtime/r3/path.cpp
 +++ b/src/VBox/Runtime/r3/path.cpp
 @@ -81,6 +81,12 @@ RTDECL(int) RTPathExecDir(char *pszPath, size_t cchPath)
@@ -162,7 +150,7 @@ index be2ad8f..7ddf105 100644
  {
  #if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE)
 diff --git a/src/VBox/Runtime/r3/process.cpp b/src/VBox/Runtime/r3/process.cpp
-index 7bde6af..2656cae 100644
+index 2aab645..9795f21 100644
 --- a/src/VBox/Runtime/r3/process.cpp
 +++ b/src/VBox/Runtime/r3/process.cpp
 @@ -111,6 +111,26 @@ RTR3DECL(char *) RTProcGetExecutablePath(char *pszExecPath, size_t cbExecPath)