-rw-r--r--nixos/modules/programs/virtualbox-host.nix16
-rw-r--r--pkgs/applications/virtualization/virtualbox/default.nix34
-rw-r--r--pkgs/applications/virtualization/virtualbox/hardened.patch26
3 files changed, 65 insertions, 11 deletions
diff --git a/nixos/modules/programs/virtualbox-host.nix b/nixos/modules/programs/virtualbox-host.nix
index d32ebc7ebcb6..ea962d5d6cee 100644
--- a/nixos/modules/programs/virtualbox-host.nix
+++ b/nixos/modules/programs/virtualbox-host.nix
@@ -16,6 +16,22 @@ in
     boot.extraModulePackages = [ virtualbox ];
     environment.systemPackages = [ virtualbox ];
 
+    security.setuidOwners = let
+      mkVboxStub = program: {
+        inherit program;
+        owner = "root";
+        group = "vboxusers";
+        setuid = true;
+      };
+    in map mkVboxStub [
+      "VBoxBFE"
+      "VBoxBalloonCtrl"
+      "VBoxHeadless"
+      "VBoxManage"
+      "VBoxSDL"
+      "VirtualBox"
+    ];
+
     users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
 
     services.udev.extraRules =
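Review bot: The six wrappers built by `mkVboxStub` are setuid root, but nothing in the entry limits who may execute them: `group = "vboxusers"` only sets the file's group, and if `security.setuidOwners` defaults to a world-executable mode, vboxusers membership is not enforced at the wrapper at all. Add `permissions = "u+rx,g+x";` to `mkVboxStub` (confirm against the setuid-wrapper module's default) so only vboxusers can invoke the hardened stubs. The module also does not check that `virtualbox` (bound in the `let` above the hunk) was built with hardening; the package in this same commit accepts `enableHardening = false`, and a non-hardened VirtualBox running setuid root loses the SUPR3HardenedVerify checks, so either assert on that package argument or state in a comment above the list that this module requires the hardened build.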
diff --git a/pkgs/applications/virtualization/virtualbox/default.nix b/pkgs/applications/virtualization/virtualbox/default.nix
index 1eca32bb6637..a188d6620960 100644
--- a/pkgs/applications/virtualization/virtualbox/default.nix
+++ b/pkgs/applications/virtualization/virtualbox/default.nix
@@ -6,6 +6,7 @@
 , pythonBindings ? false, python ? null
 , enableExtensionPack ? false, requireFile ? null, patchelf ? null
 , pulseSupport ? false, pulseaudio ? null
+, enableHardening ? true
 }:
 
 with stdenv.lib;
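Review bot: `enableHardening` changes the privilege model of the resulting binaries but carries no explanation; a reader turning it off for convenience has no hint that the frontends then stop verifying their own install path and environment and must not be installed setuid. Suggested comment on the argument line: `# Build VirtualBox's hardened stubs (SUPR3HardenedMain). Required when the frontends are installed setuid root, as nixos/modules/programs/virtualbox-host.nix does; only disable for non-setuid use.` The default of `true` is the right one.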
@@ -83,28 +84,39 @@ in stdenv.mkDerivation {
     set +x
   '';
 
+  patches = optional enableHardening ./hardened.patch;
+
   configurePhase = ''
     sourcedir="$(pwd)"
+    cat >> LocalConfig.kmk <<LOCAL_CONFIG
+    VBOX_WITH_TESTCASES          :=
+    VBOX_WITH_TESTSUITE          :=
+    VBOX_WITH_VALIDATIONKIT      :=
+    VBOX_WITH_DOCS               :=
+    VBOX_WITH_WARNINGS_AS_ERRORS :=
+
+    VBOX_WITH_ORIGIN           :=
+    VBOX_PATH_APP_PRIVATE_ARCH := $out/libexec/virtualbox
+    VBOX_PATH_SHARED_LIBS      := $out/libexec/virtualbox
+    VBOX_WITH_RUNPATH          := $out/libexec/virtualbox
+    VBOX_PATH_APP_PRIVATE      := $out
+    VBOX_PATH_APP_DOCS         := $out/doc
+    ${optionalString javaBindings ''
+    VBOX_JAVA_HOME             := ${jdk}
+    ''}
+    LOCAL_CONFIG
+
     ./configure --with-qt4-dir=${qt4} \
       ${optionalString (!javaBindings) "--disable-java"} \
       ${optionalString (!pythonBindings) "--disable-python"} \
       ${optionalString (!pulseSupport) "--disable-pulse"} \
-      --disable-hardening --disable-kmods \
-      --with-mkisofs=${xorriso}/bin/xorrisofs
+      ${optionalString (!enableHardening) "--disable-hardening"} \
+      --disable-kmods --with-mkisofs=${xorriso}/bin/xorrisofs
     sed -e 's@PKG_CONFIG_PATH=.*@PKG_CONFIG_PATH=${libIDL}/lib/pkgconfig:${glib}/lib/pkgconfig ${libIDL}/bin/libIDL-config-2@' \
         -i AutoConfig.kmk
     sed -e 's@arch/x86/@@' \
         -i Config.kmk
     substituteInPlace Config.kmk --replace "VBOX_WITH_TESTCASES = 1" "#"
-    cat >> AutoConfig.kmk << END_PATHS
-    VBOX_PATH_APP_PRIVATE := $out
-    VBOX_PATH_APP_DOCS := $out/doc
-    ${optionalString javaBindings ''
-      VBOX_JAVA_HOME := ${jdk}
-    ''}
-    END_PATHS
-    echo "VBOX_WITH_DOCS :=" >> LocalConfig.kmk
-    echo "VBOX_WITH_WARNINGS_AS_ERRORS :=" >> LocalConfig.kmk
   '';
 
   enableParallelBuilding = true;
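Review bot: Test cases are now disabled twice: `VBOX_WITH_TESTCASES :=` in the new LocalConfig.kmk block and the surviving `substituteInPlace Config.kmk --replace "VBOX_WITH_TESTCASES = 1" "#"`; drop the `substituteInPlace` line so there is a single place that controls it, and do the same review for `VBOX_WITH_DOCS`/`VBOX_WITH_WARNINGS_AS_ERRORS`, which moved from `echo` lines into the heredoc. The `VBOX_WITH_ORIGIN :=` / `VBOX_WITH_RUNPATH` settings deserve a one-line why-comment since they matter for the setuid case (the dynamic loader does not expand `$ORIGIN` for setuid executables, so an absolute RUNPATH is what keeps the hardened stubs finding their libraries — worth confirming), e.g. `# No $ORIGIN: ignored for setuid binaries; use an absolute RUNPATH into $out instead.` The heredoc also hard-wires `$out/libexec/virtualbox` three times; a `let` binding for the private-arch directory would avoid drift.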
diff --git a/pkgs/applications/virtualization/virtualbox/hardened.patch b/pkgs/applications/virtualization/virtualbox/hardened.patch
new file mode 100644
index 000000000000..b789ddbeacbd
--- /dev/null
+++ b/pkgs/applications/virtualization/virtualbox/hardened.patch
@@ -0,0 +1,26 @@
+diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
+index c39d2f7..f6a4031 100644
+--- a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
++++ b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
+@@ -1415,7 +1415,7 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
+         NOREF(fRelaxed);
+ #else
+         NOREF(fRelaxed);
+-        bool fBad = true;
++        bool fBad = !(fDir && pFsObjState->Stat.st_mode & S_ISVTX && !suplibHardenedStrCmp(pszPath, "/nix/store"));
+ #endif
+         if (fBad)
+             return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
+diff --git a/src/VBox/Main/src-server/MachineImpl.cpp b/src/VBox/Main/src-server/MachineImpl.cpp
+index 95dc9a7..39170bc 100644
+--- a/src/VBox/Main/src-server/MachineImpl.cpp
++++ b/src/VBox/Main/src-server/MachineImpl.cpp
+@@ -7326,7 +7326,7 @@ HRESULT Machine::i_launchVMProcess(IInternalSessionControl *aControl,
+ 
+     /* get the path to the executable */
+     char szPath[RTPATH_MAX];
+-    RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
++    RTStrCopy(szPath, sizeof(szPath) - 1, "/var/setuid-wrappers");
+     size_t cchBufLeft = strlen(szPath);
+     szPath[cchBufLeft++] = RTPATH_DELIMITER;
+     szPath[cchBufLeft] = 0;
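Review bot: The relaxed check in `supR3HardenedVerifyFsObject` waives the group-writable rejection for `/nix/store` on the strength of the sticky bit, which only stops non-owners from unlinking or renaming entries; members of the store's group (typically nixbld) can still create new entries there, so the exemption is sound only if the owner/mode checks on `/nix/store` itself and on every store path beneath it still run, and those checks are outside this hunk (the function starts before it). Record that reasoning at the `fBad` line, e.g. `/* /nix/store is group-writable with the sticky bit; root-owned store paths cannot be replaced, and ownership is verified above. Exact-path match only. */`. In `Machine::i_launchVMProcess` the wrapper directory `/var/setuid-wrappers` is hard-coded in C++ although its location is a NixOS module decision; passing it in from LocalConfig.kmk as a define (e.g. `-DNIX_SETUID_WRAPPER_DIR="/var/setuid-wrappers"` and `RTStrCopy(szPath, sizeof(szPath) - 1, NIX_SETUID_WRAPPER_DIR);`) keeps the package and module from drifting if the wrapper directory ever moves. That function continues past the end of the hunk.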