virtualbox: Enable hardening by default.

VirtualBox with hardening support requires the main binaries to be
setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are
pointing to the libexec directory and we also need to unset
VBOX_WITH_ORIGIN to make sure that the build system is actually setting
those RPATHs.

The hardened.patch implements two things:

 * Set the binary directory to the setuid-wrappers dir so that
   VboxSVC calls them instead of the binaries from the store path. The
   reason behind this is because nothing in the Nix store can have the
   setuid flag.
 * Excempt /nix/store from the group permission check, because while it
   is group-writeable indeed it also has the sticky bit set (and also
   the whole store is mounted read-only on most NixOS systems), so we're
   checking on that as well.

Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers
directly, so someone would ever want to change those on a NixOS system,
please provide a patch to set those paths on build time. However, for
simplicity, it's best to do it when we _really_ need it.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2014-11-29 08:09:50 +01:00
parent deec767efa
commit 3e49487c1a
No known key found for this signature in database
GPG key ID: D0EBD0EC8C2DC961
3 changed files with 65 additions and 11 deletions

View file

@ -16,6 +16,22 @@ in
boot.extraModulePackages = [ virtualbox ];
environment.systemPackages = [ virtualbox ];
security.setuidOwners = let
mkVboxStub = program: {
inherit program;
owner = "root";
group = "vboxusers";
setuid = true;
};
in map mkVboxStub [
"VBoxBFE"
"VBoxBalloonCtrl"
"VBoxHeadless"
"VBoxManage"
"VBoxSDL"
"VirtualBox"
];
users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
services.udev.extraRules =

View file

@ -6,6 +6,7 @@
, pythonBindings ? false, python ? null
, enableExtensionPack ? false, requireFile ? null, patchelf ? null
, pulseSupport ? false, pulseaudio ? null
, enableHardening ? true
}:
with stdenv.lib;
@ -83,28 +84,39 @@ in stdenv.mkDerivation {
set +x
'';
patches = optional enableHardening ./hardened.patch;
configurePhase = ''
sourcedir="$(pwd)"
cat >> LocalConfig.kmk <<LOCAL_CONFIG
VBOX_WITH_TESTCASES :=
VBOX_WITH_TESTSUITE :=
VBOX_WITH_VALIDATIONKIT :=
VBOX_WITH_DOCS :=
VBOX_WITH_WARNINGS_AS_ERRORS :=
VBOX_WITH_ORIGIN :=
VBOX_PATH_APP_PRIVATE_ARCH := $out/libexec/virtualbox
VBOX_PATH_SHARED_LIBS := $out/libexec/virtualbox
VBOX_WITH_RUNPATH := $out/libexec/virtualbox
VBOX_PATH_APP_PRIVATE := $out
VBOX_PATH_APP_DOCS := $out/doc
${optionalString javaBindings ''
VBOX_JAVA_HOME := ${jdk}
''}
LOCAL_CONFIG
./configure --with-qt4-dir=${qt4} \
${optionalString (!javaBindings) "--disable-java"} \
${optionalString (!pythonBindings) "--disable-python"} \
${optionalString (!pulseSupport) "--disable-pulse"} \
--disable-hardening --disable-kmods \
--with-mkisofs=${xorriso}/bin/xorrisofs
${optionalString (!enableHardening) "--disable-hardening"} \
--disable-kmods --with-mkisofs=${xorriso}/bin/xorrisofs
sed -e 's@PKG_CONFIG_PATH=.*@PKG_CONFIG_PATH=${libIDL}/lib/pkgconfig:${glib}/lib/pkgconfig ${libIDL}/bin/libIDL-config-2@' \
-i AutoConfig.kmk
sed -e 's@arch/x86/@@' \
-i Config.kmk
substituteInPlace Config.kmk --replace "VBOX_WITH_TESTCASES = 1" "#"
cat >> AutoConfig.kmk << END_PATHS
VBOX_PATH_APP_PRIVATE := $out
VBOX_PATH_APP_DOCS := $out/doc
${optionalString javaBindings ''
VBOX_JAVA_HOME := ${jdk}
''}
END_PATHS
echo "VBOX_WITH_DOCS :=" >> LocalConfig.kmk
echo "VBOX_WITH_WARNINGS_AS_ERRORS :=" >> LocalConfig.kmk
'';
enableParallelBuilding = true;

View file

@ -0,0 +1,26 @@
diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
index c39d2f7..f6a4031 100644
--- a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
+++ b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
@@ -1415,7 +1415,7 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
NOREF(fRelaxed);
#else
NOREF(fRelaxed);
- bool fBad = true;
+ bool fBad = !(fDir && pFsObjState->Stat.st_mode & S_ISVTX && !suplibHardenedStrCmp(pszPath, "/nix/store"));
#endif
if (fBad)
return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
diff --git a/src/VBox/Main/src-server/MachineImpl.cpp b/src/VBox/Main/src-server/MachineImpl.cpp
index 95dc9a7..39170bc 100644
--- a/src/VBox/Main/src-server/MachineImpl.cpp
+++ b/src/VBox/Main/src-server/MachineImpl.cpp
@@ -7326,7 +7326,7 @@ HRESULT Machine::i_launchVMProcess(IInternalSessionControl *aControl,
/* get the path to the executable */
char szPath[RTPATH_MAX];
- RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
+ RTStrCopy(szPath, sizeof(szPath) - 1, "/var/setuid-wrappers");
size_t cchBufLeft = strlen(szPath);
szPath[cchBufLeft++] = RTPATH_DELIMITER;
szPath[cchBufLeft] = 0;