public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix

119 lines
4.0 KiB
Nix
Raw Normal View History

nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
{ config, lib, pkgs, ... }:
with lib;
let
nixos/vbox: Move all options to virtualisation.*. Commit 687caeb renamed services.virtualboxHost to programs.virtualbox, but according to the discussion on the commit, it's probably a better to put it into virtualisation.virtualbox instead. The discussion can be found here: https://github.com/NixOS/nixpkgs/commit/687caeb#commitcomment-12664978 Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-08-13 12:17:32 +02:00
cfg = config.virtualisation.virtualbox.host;
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
virtualbox = config.boot.kernelPackages.virtualbox.override {
inherit (cfg) enableHardening;
};
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
in
{
nixos/vbox: Move all options to virtualisation.*. Commit 687caeb renamed services.virtualboxHost to programs.virtualbox, but according to the discussion on the commit, it's probably a better to put it into virtualisation.virtualbox instead. The discussion can be found here: https://github.com/NixOS/nixpkgs/commit/687caeb#commitcomment-12664978 Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-08-13 12:17:32 +02:00
options.virtualisation.virtualbox.host = {
nixos/virtualbox: Note about "vboxusers" group. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:33:56 +01:00
enable = mkOption {
type = types.bool;
default = false;
description = ''
Rename services.virtualboxHost -> programs.virtualbox VirtualBox is an application, not a system service.
2015-08-12 14:11:03 +02:00
Whether to enable VirtualBox.
nixos/virtualbox: Note about "vboxusers" group. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:33:56 +01:00
<note><para>
In order to pass USB devices from the host to the guests, the user
needs to be in the <literal>vboxusers</literal> group.
</para></note>
'';
};
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
addNetworkInterface = mkOption {
type = types.bool;
default = true;
description = ''
Automatically set up a vboxnet0 host-only network interface.
'';
};
enableHardening = mkOption {
virtualbox: Allow disabling the network interface. The current nixos module for VirtualBox unconditionally configures a vboxnet0 network interface at boot. This may be undesired, especially when the user wants to manage network interfaces in a centralized manner.
2014-12-11 23:28:09 +01:00
type = types.bool;
nixos/virtualbox: Revert disable hardening. This reverts commit 5d67b17901ff2c9a18647bd9453c6b0d4294b875. The issues have been resolved by ac603e208c98b260db675fa0c13be94fa95216f4. Tested this with hostonlyifs and USB support with extension pack. Conflicts: nixos/modules/programs/virtualbox-host.nix Signed-off-by: aszlig <aszlig@redmoonstudios.org> Tested-by: Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>
2014-12-18 18:12:25 +01:00
default = true;
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
description = ''
Enable hardened VirtualBox, which ensures that only the binaries in the
system path get access to the devices exposed by the kernel modules
instead of all users in the vboxusers group.
<important><para>
Disabling this can put your system's security at risk, as local users
in the vboxusers group can tamper with the VirtualBox device files.
</para></important>
'';
virtualbox: Allow disabling the network interface. The current nixos module for VirtualBox unconditionally configures a vboxnet0 network interface at boot. This may be undesired, especially when the user wants to manage network interfaces in a centralized manner.
2014-12-11 23:28:09 +01:00
};
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
};
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
config = mkIf cfg.enable (mkMerge [{
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
boot.extraModulePackages = [ virtualbox ];
environment.systemPackages = [ virtualbox ];
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
security.setuidOwners = let
virtualbox: Fix runtime paths in hardening mode. Because we have to rely on setuid wrappers on NixOS, we can't easily hardcode the executable paths and set it 4755. So for all calls, we need to change the runtime path executable directory to /var/setuid-wrappers/ and for verification we need to retain the executable directory. Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL and VBoxVolInfo don't reside in directories that are commonly in PATH, but in /usr/lib/virtualbox in most mainstream distros. But because the names of these executables are distinctive enough to not cause collisions with other setuid programs, I'll leave it like that and not patch up setuid-wrappers. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 11:37:32 +01:00
mkSuid = program: {
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
inherit program;
virtualbox: Fix runtime paths in hardening mode. Because we have to rely on setuid wrappers on NixOS, we can't easily hardcode the executable paths and set it 4755. So for all calls, we need to change the runtime path executable directory to /var/setuid-wrappers/ and for verification we need to retain the executable directory. Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL and VBoxVolInfo don't reside in directories that are commonly in PATH, but in /usr/lib/virtualbox in most mainstream distros. But because the names of these executables are distinctive enough to not cause collisions with other setuid programs, I'll leave it like that and not patch up setuid-wrappers. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 11:37:32 +01:00
source = "${virtualbox}/libexec/virtualbox/${program}";
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
owner = "root";
group = "vboxusers";
setuid = true;
};
virtualbox: Fix runtime paths in hardening mode. Because we have to rely on setuid wrappers on NixOS, we can't easily hardcode the executable paths and set it 4755. So for all calls, we need to change the runtime path executable directory to /var/setuid-wrappers/ and for verification we need to retain the executable directory. Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL and VBoxVolInfo don't reside in directories that are commonly in PATH, but in /usr/lib/virtualbox in most mainstream distros. But because the names of these executables are distinctive enough to not cause collisions with other setuid programs, I'll leave it like that and not patch up setuid-wrappers. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 11:37:32 +01:00
in mkIf cfg.enableHardening (map mkSuid [
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
"VBoxHeadless"
virtualbox: Fix runtime paths in hardening mode. Because we have to rely on setuid wrappers on NixOS, we can't easily hardcode the executable paths and set it 4755. So for all calls, we need to change the runtime path executable directory to /var/setuid-wrappers/ and for verification we need to retain the executable directory. Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL and VBoxVolInfo don't reside in directories that are commonly in PATH, but in /usr/lib/virtualbox in most mainstream distros. But because the names of these executables are distinctive enough to not cause collisions with other setuid programs, I'll leave it like that and not patch up setuid-wrappers. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 11:37:32 +01:00
"VBoxNetAdpCtl"
"VBoxNetDHCP"
"VBoxNetNAT"
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
"VBoxSDL"
virtualbox: Fix runtime paths in hardening mode. Because we have to rely on setuid wrappers on NixOS, we can't easily hardcode the executable paths and set it 4755. So for all calls, we need to change the runtime path executable directory to /var/setuid-wrappers/ and for verification we need to retain the executable directory. Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL and VBoxVolInfo don't reside in directories that are commonly in PATH, but in /usr/lib/virtualbox in most mainstream distros. But because the names of these executables are distinctive enough to not cause collisions with other setuid programs, I'll leave it like that and not patch up setuid-wrappers. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 11:37:32 +01:00
"VBoxVolInfo"
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
"VirtualBox"
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
]);
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
services.udev.extraRules =
''
KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
'';
# Since we lack the right setuid binaries, set up a host-only network by default.
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
} (mkIf cfg.addNetworkInterface {
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
systemd.services."vboxnet0" =
{ description = "VirtualBox vboxnet0 Interface";
requires = [ "dev-vboxnetctl.device" ];
after = [ "dev-vboxnetctl.device" ];
wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
path = [ virtualbox ];
serviceConfig.RemainAfterExit = true;
serviceConfig.Type = "oneshot";
nixos/virtualbox/hostonlyif: Fix writing to /root. Creates unnecessary cruft in the root users home directory, which we really don't need. Except the log, but therefore we now cat the log to stderr and the private temporary directory is cleaned up afterwards. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 19:12:58 +01:00
serviceConfig.PrivateTmp = true;
environment.VBOX_USER_HOME = "/tmp";
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
script =
''
if ! [ -e /sys/class/net/vboxnet0 ]; then
VBoxManage hostonlyif create
nixos/virtualbox/hostonlyif: Fix writing to /root. Creates unnecessary cruft in the root users home directory, which we really don't need. Except the log, but therefore we now cat the log to stderr and the private temporary directory is cleaned up afterwards. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 19:12:58 +01:00
cat /tmp/VBoxSVC.log >&2
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
fi
'';
postStop =
''
VBoxManage hostonlyif remove vboxnet0
'';
};
networking.interfaces.vboxnet0.ip4 = [ { address = "192.168.56.1"; prefixLength = 24; } ];
virtualbox service: hide vboxnet0 from NetworkManager, fixes #10862
2015-11-07 14:07:11 +01:00
# Make sure NetworkManager won't assume this interface being up
# means we have internet access.
networking.networkmanager.unmanaged = ["vboxnet0"];
virtualbox: Unbreak the nixos module.
2014-12-12 00:15:28 +01:00
})]);
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
}
Reference in New Issue Copy Permalink