about summary refs log tree commit diff
path: root/nixpkgs/pkgs/applications/virtualization/virtualbox/hardened.patch
diff options
context:
space:
mode:
Diffstat (limited to 'nixpkgs/pkgs/applications/virtualization/virtualbox/hardened.patch')
-rw-r--r--nixpkgs/pkgs/applications/virtualization/virtualbox/hardened.patch182
1 files changed, 182 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/applications/virtualization/virtualbox/hardened.patch b/nixpkgs/pkgs/applications/virtualization/virtualbox/hardened.patch
new file mode 100644
index 000000000000..398100f3f398
--- /dev/null
+++ b/nixpkgs/pkgs/applications/virtualization/virtualbox/hardened.patch
@@ -0,0 +1,182 @@
+diff --git a/include/iprt/mangling.h b/include/iprt/mangling.h
+index c1daa8f..8618371 100644
+--- a/include/iprt/mangling.h
++++ b/include/iprt/mangling.h
+@@ -1440,6 +1440,7 @@
+ # define RTPathStripSuffix                              RT_MANGLER(RTPathStripSuffix)
+ # define RTPathStripFilename                            RT_MANGLER(RTPathStripFilename)
+ # define RTPathStripTrailingSlash                       RT_MANGLER(RTPathStripTrailingSlash)
++# define RTPathSuidDir                                  RT_MANGLER(RTPathSuidDir)
+ # define RTPathTemp                                     RT_MANGLER(RTPathTemp)
+ # define RTPathTraverseList                             RT_MANGLER(RTPathTraverseList)
+ # define RTPathUnlink                                   RT_MANGLER(RTPathUnlink)
+@@ -1478,6 +1479,7 @@
+ # define RTProcGetAffinityMask                          RT_MANGLER(RTProcGetAffinityMask)
+ # define RTProcGetExecutablePath                        RT_MANGLER(RTProcGetExecutablePath)
+ # define RTProcGetPriority                              RT_MANGLER(RTProcGetPriority)
++# define RTProcGetSuidPath                              RT_MANGLER(RTProcGetSuidPath)
+ # define RTProcIsRunningByName                          RT_MANGLER(RTProcIsRunningByName)
+ # define RTProcQueryParent                              RT_MANGLER(RTProcQueryParent)
+ # define RTProcQueryUsername                            RT_MANGLER(RTProcQueryUsername)
+diff --git a/include/iprt/path.h b/include/iprt/path.h
+index 8bd42bc..2c23d3e 100644
+--- a/include/iprt/path.h
++++ b/include/iprt/path.h
+@@ -1064,6 +1064,15 @@ RTDECL(int) RTPathCalcRelative(char *pszPathDst, size_t cbPathDst,
+ RTDECL(int) RTPathExecDir(char *pszPath, size_t cchPath);
+
+ /**
++ * Gets the path to the NixOS setuid wrappers directory.
++ *
++ * @returns iprt status code.
++ * @param   pszPath     Buffer where to store the path.
++ * @param   cchPath     Buffer size in bytes.
++ */
++RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath);
++
++/**
+  * Gets the user home directory.
+  *
+  * @returns iprt status code.
+diff --git a/include/iprt/process.h b/include/iprt/process.h
+index 043653e..1070280 100644
+--- a/include/iprt/process.h
++++ b/include/iprt/process.h
+@@ -327,6 +327,16 @@ RTR3DECL(const char *) RTProcShortName(void);
+ RTR3DECL(char *) RTProcGetExecutablePath(char *pszExecPath, size_t cbExecPath);
+
+ /**
++ * Gets the path to the NixOS setuid wrappers directory.
++ *
++ * @returns pszExecPath on success. NULL on buffer overflow or other errors.
++ *
++ * @param   pszExecPath     Where to store the path.
++ * @param   cbExecPath      The size of the buffer.
++ */
++RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath);
++
++/**
+  * Daemonize the current process, making it a background process.
+  *
+  * The way this work is that it will spawn a detached / backgrounded /
+diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
+index ce0f288..6193108 100644
+--- a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
++++ b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
+@@ -1502,9 +1502,9 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
+         bool fBad = !fRelaxed || pFsObjState->Stat.st_gid != 2 /*bin*/ || suplibHardenedStrCmp(pszPath, "/usr/lib/iconv");
+ # else
+         NOREF(fRelaxed);
+-        bool fBad = true;
++        bool fBad = !(fDir && pFsObjState->Stat.st_mode & S_ISVTX && !suplibHardenedStrCmp(pszPath, "/nix/store"));
+ # endif
+-        if (fBad)
++        if (fBad && suplibHardenedStrCmp(pszPath, "/nix/store"))
+             return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
+                                           "An unknown (and thus untrusted) group has write access to '", pszPath,
+                                           "' and we therefore cannot trust the directory content or that of any subdirectory");
+diff --git a/src/VBox/Main/src-server/MachineImpl.cpp b/src/VBox/Main/src-server/MachineImpl.cpp
+index 320c569..9bfe41f 100644
+--- a/src/VBox/Main/src-server/MachineImpl.cpp
++++ b/src/VBox/Main/src-server/MachineImpl.cpp
+@@ -7543,7 +7543,7 @@ HRESULT Machine::i_launchVMProcess(IInternalSessionControl *aControl,
+
+     /* get the path to the executable */
+     char szPath[RTPATH_MAX];
+-    RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
++    RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers/bin");
+     size_t cchBufLeft = strlen(szPath);
+     szPath[cchBufLeft++] = RTPATH_DELIMITER;
+     szPath[cchBufLeft] = 0;
+diff --git a/src/VBox/Main/src-server/NetworkServiceRunner.cpp b/src/VBox/Main/src-server/NetworkServiceRunner.cpp
+index 1e38d99..5e43dda 100644
+--- a/src/VBox/Main/src-server/NetworkServiceRunner.cpp
++++ b/src/VBox/Main/src-server/NetworkServiceRunner.cpp
+@@ -85,7 +85,7 @@ int NetworkServiceRunner::start(bool aKillProcOnStop)
+
+     /* get the path to the executable */
+     char exePathBuf[RTPATH_MAX];
+-    const char *exePath = RTProcGetExecutablePath(exePathBuf, RTPATH_MAX);
++    const char *exePath = RTProcGetSuidPath(exePathBuf, RTPATH_MAX);
+     char *substrSl = strrchr(exePathBuf, '/');
+     char *substrBs = strrchr(exePathBuf, '\\');
+     char *suffix = substrSl ? substrSl : substrBs;
+diff --git a/src/VBox/Main/src-server/generic/NetIf-generic.cpp b/src/VBox/Main/src-server/generic/NetIf-generic.cpp
+index 98dc91a..43a819f 100644
+--- a/src/VBox/Main/src-server/generic/NetIf-generic.cpp
++++ b/src/VBox/Main/src-server/generic/NetIf-generic.cpp
+@@ -47,7 +47,7 @@ static int NetIfAdpCtl(const char * pcszIfName, const char *pszAddr, const char
+     const char *args[] = { NULL, pcszIfName, pszAddr, pszOption, pszMask, NULL };
+
+     char szAdpCtl[RTPATH_MAX];
+-    int rc = RTPathExecDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME));
++    int rc = RTPathSuidDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME));
+     if (RT_FAILURE(rc))
+     {
+         LogRel(("NetIfAdpCtl: failed to get program path, rc=%Rrc.\n", rc));
+@@ -89,7 +89,7 @@ static int NetIfAdpCtl(HostNetworkInterface * pIf, const char *pszAddr, const ch
+ int NetIfAdpCtlOut(const char * pcszName, const char * pcszCmd, char *pszBuffer, size_t cBufSize)
+ {
+     char szAdpCtl[RTPATH_MAX];
+-    int rc = RTPathExecDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME " ") - strlen(pcszCmd));
++    int rc = RTPathSuidDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME " ") - strlen(pcszCmd));
+     if (RT_FAILURE(rc))
+     {
+         LogRel(("NetIfAdpCtlOut: Failed to get program path, rc=%Rrc\n", rc));
+@@ -201,7 +201,7 @@ int NetIfCreateHostOnlyNetworkInterface(VirtualBox *pVirtualBox,
+             progress.queryInterfaceTo(aProgress);
+
+             char szAdpCtl[RTPATH_MAX];
+-            int rc = RTPathExecDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME " add"));
++            int rc = RTPathSuidDir(szAdpCtl, sizeof(szAdpCtl) - sizeof("/" VBOXNETADPCTL_NAME " add"));
+             if (RT_FAILURE(rc))
+             {
+                 progress->i_notifyComplete(E_FAIL,
+diff --git a/src/VBox/Runtime/r3/path.cpp b/src/VBox/Runtime/r3/path.cpp
+index 944848e..744a261 100644
+--- a/src/VBox/Runtime/r3/path.cpp
++++ b/src/VBox/Runtime/r3/path.cpp
+@@ -81,6 +81,12 @@ RTDECL(int) RTPathExecDir(char *pszPath, size_t cchPath)
+ }
+
+
++RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath)
++{
++    return RTStrCopy(pszPath, cchPath, "/run/wrappers/bin");
++}
++
++
+ RTDECL(int) RTPathAppPrivateNoArch(char *pszPath, size_t cchPath)
+ {
+ #if !defined(RT_OS_WINDOWS) && defined(RTPATH_APP_PRIVATE)
+diff --git a/src/VBox/Runtime/r3/process.cpp b/src/VBox/Runtime/r3/process.cpp
+index 2aab645..9795f21 100644
+--- a/src/VBox/Runtime/r3/process.cpp
++++ b/src/VBox/Runtime/r3/process.cpp
+@@ -111,6 +111,26 @@ RTR3DECL(char *) RTProcGetExecutablePath(char *pszExecPath, size_t cbExecPath)
+     return NULL;
+ }
+
++/*
++ * Note the / at the end! This is important, because the functions using this
++ * will cut off everything after the rightmost / as this function is analogous
++ * to RTProcGetExecutablePath().
++ */
++#define SUIDDIR "/run/wrappers/bin/"
++
++RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath)
++{
++    if (cbExecPath >= sizeof(SUIDDIR))
++    {
++        memcpy(pszExecPath, SUIDDIR, sizeof(SUIDDIR));
++        pszExecPath[sizeof(SUIDDIR)] = '\0';
++        return pszExecPath;
++    }
++
++    AssertMsgFailed(("Buffer too small (%zu <= %zu)\n", cbExecPath, sizeof(SUIDDIR)));
++    return NULL;
++}
++
+
+ RTR3DECL(const char *) RTProcShortName(void)
+ {
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-22 12:33:35 +0000