authoraszlig <aszlig@redmoonstudios.org>2015-04-04 16:59:56 +0200
committeraszlig <aszlig@redmoonstudios.org>2015-04-04 17:09:15 +0200
commit416545a57b763b6ab7fc45cceb9f7d66ffd49c14 (patch)
tree7b4d45daf26ed90594064ca0220aa120ef660727 /pkgs
parent1165a243f857b070dd935870e1244e3f3e25dcdb (diff)
virtualbox: Remove group check on /nix/store.
This is especially crucial when it comes to Nix 1.9, where we even have
a more restrictive /nix/store. In any event, VirtualBox in hardened
mode doesn't have to check the /nix/store path, because it's read-only
on NixOS systems. So this check would not introduce more security but
more hurdles, thus I'm removing it (of course _only_ for /nix/store).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/applications/virtualization/virtualbox/hardened.patch10
1 files changed, 6 insertions, 4 deletions
diff --git a/pkgs/applications/virtualization/virtualbox/hardened.patch b/pkgs/applications/virtualization/virtualbox/hardened.patch
index aad9171b68e8..3df41228ae59 100644
--- a/pkgs/applications/virtualization/virtualbox/hardened.patch
+++ b/pkgs/applications/virtualization/virtualbox/hardened.patch
@@ -60,19 +60,21 @@ index 2760306..0ce6c92 100644
   *
   * The way this work is that it will spawn a detached / backgrounded /
 diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
-index c39d2f7..cd19186 100644
+index c39d2f7..896b352 100644
 --- a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
 +++ b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
-@@ -1415,7 +1415,7 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
+@@ -1415,18 +1415,19 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
          NOREF(fRelaxed);
  #else
          NOREF(fRelaxed);
 -        bool fBad = true;
 +        bool fBad = !(fDir && pFsObjState->Stat.st_mode & S_ISVTX && !suplibHardenedStrCmp(pszPath, "/nix/store"));
  #endif
-         if (fBad)
+-        if (fBad)
++        if (fBad && suplibHardenedStrCmp(pszPath, "/nix/store"))
              return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
-@@ -1424,9 +1424,10 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
+                                           "An unknown (and thus untrusted) group has write access to '", pszPath,
+                                           "' and we therefore cannot trust the directory content or that of any subdirectory");
      }
  
      /*
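Review bot: The added condition `if (fBad && suplibHardenedStrCmp(pszPath, "/nix/store"))` makes the `/nix/store` clause in the `fBad` initializer a few lines above dead, and it drops the `fDir` / `S_ISVTX` requirement that the initializer used to enforce for that path. Going by the `!suplibHardenedStrCmp(...)` equality test in the initializer, the compare is 0 for `/nix/store`, so the error is never returned there, while for every other path `fBad` is already true. If dropping the sticky-bit requirement is intended, the initializer can go back to upstream's `bool fBad = true;` so the exemption lives in one place. The exemption is also keyed on the path string alone and nothing visible here confirms that the store is mounted read-only, so on a host where it is not, a group-writable store would presumably pass verification; either keep the sticky-bit test for that path or document the assumption at the check, e.g. `/* NixOS: /nix/store is mounted read-only, so group write bits cannot be exercised */`. supR3HardenedVerifyFsObject starts and ends outside the hunk.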