public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix

133 lines
4.5 KiB
Nix
Raw Normal View History

nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
{ config, lib, pkgs, ... }:
with lib;
let
nixos/vbox: Move all options to virtualisation.*. Commit 687caeb renamed services.virtualboxHost to programs.virtualbox, but according to the discussion on the commit, it's probably a better to put it into virtualisation.virtualbox instead. The discussion can be found here: https://github.com/NixOS/nixpkgs/commit/687caeb#commitcomment-12664978 Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-08-13 12:17:32 +02:00
cfg = config.virtualisation.virtualbox.host;
virtualbox: Split kernel modules into own package Putting the kernel modules into the same output path as the main VirtualBox derivation causes all of VirtualBox to be rebuilt on every single kernel update. The build process of VirtualBox already outputs the kernel module source along with the generated files for the configuration of the main VirtualBox package. We put this into a different output called "modsrc" which we re-use from linuxPackages.virtualbox, which is now only containing the resulting kernel modules without the main user space implementation. This not only has the advantage of decluttering the Nix expression for the user space portions but also gets rid of the need to nuke references and the need to patch out "depmod -a". Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-09-13 03:42:16 +02:00
virtualbox = pkgs.virtualbox.override {
virtualisation.virtualbox.host: introduce enableExtensionPack
2018-05-01 22:45:31 +02:00
inherit (cfg) enableExtensionPack enableHardening headless;
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
};
virtualbox: Split kernel modules into own package Putting the kernel modules into the same output path as the main VirtualBox derivation causes all of VirtualBox to be rebuilt on every single kernel update. The build process of VirtualBox already outputs the kernel module source along with the generated files for the configuration of the main VirtualBox package. We put this into a different output called "modsrc" which we re-use from linuxPackages.virtualbox, which is now only containing the resulting kernel modules without the main user space implementation. This not only has the advantage of decluttering the Nix expression for the user space portions but also gets rid of the need to nuke references and the need to patch out "depmod -a". Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-09-13 03:42:16 +02:00
kernelModules = config.boot.kernelPackages.virtualbox.override {
inherit virtualbox;
};
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
in
{
nixos/vbox: Move all options to virtualisation.*. Commit 687caeb renamed services.virtualboxHost to programs.virtualbox, but according to the discussion on the commit, it's probably a better to put it into virtualisation.virtualbox instead. The discussion can be found here: https://github.com/NixOS/nixpkgs/commit/687caeb#commitcomment-12664978 Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-08-13 12:17:32 +02:00
options.virtualisation.virtualbox.host = {
virtualisation.virtualbox.host: migrate from mkOption to mkEnableOption
2018-05-01 22:46:28 +02:00
enable = mkEnableOption "VirtualBox" // {
nixos/virtualbox: Note about "vboxusers" group. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:33:56 +01:00
description = ''
Rename services.virtualboxHost -> programs.virtualbox VirtualBox is an application, not a system service.
2015-08-12 14:11:03 +02:00
Whether to enable VirtualBox.
nixos/virtualbox: Note about "vboxusers" group. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:33:56 +01:00
<note><para>
In order to pass USB devices from the host to the guests, the user
needs to be in the <literal>vboxusers</literal> group.
</para></note>
'';
};
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
virtualisation.virtualbox.host: introduce enableExtensionPack
2018-05-01 22:45:31 +02:00
enableExtensionPack = mkEnableOption "VirtualBox extension pack";
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
addNetworkInterface = mkOption {
type = types.bool;
default = true;
description = ''
Automatically set up a vboxnet0 host-only network interface.
'';
};
enableHardening = mkOption {
virtualbox: Allow disabling the network interface. The current nixos module for VirtualBox unconditionally configures a vboxnet0 network interface at boot. This may be undesired, especially when the user wants to manage network interfaces in a centralized manner.
2014-12-11 23:28:09 +01:00
type = types.bool;
nixos/virtualbox: Revert disable hardening. This reverts commit 5d67b17901ff2c9a18647bd9453c6b0d4294b875. The issues have been resolved by ac603e208c98b260db675fa0c13be94fa95216f4. Tested this with hostonlyifs and USB support with extension pack. Conflicts: nixos/modules/programs/virtualbox-host.nix Signed-off-by: aszlig <aszlig@redmoonstudios.org> Tested-by: Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>
2014-12-18 18:12:25 +01:00
default = true;
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
description = ''
Enable hardened VirtualBox, which ensures that only the binaries in the
system path get access to the devices exposed by the kernel modules
instead of all users in the vboxusers group.
<important><para>
Disabling this can put your system's security at risk, as local users
in the vboxusers group can tamper with the VirtualBox device files.
</para></important>
'';
virtualbox: Allow disabling the network interface. The current nixos module for VirtualBox unconditionally configures a vboxnet0 network interface at boot. This may be undesired, especially when the user wants to manage network interfaces in a centralized manner.
2014-12-11 23:28:09 +01:00
};
virtualbox: add headless build (without Qt dependency) (#18026)
2016-09-01 18:54:58 +00:00
headless = mkOption {
type = types.bool;
default = false;
description = ''
Use VirtualBox installation without GUI and Qt dependency. Useful to enable on servers
and when virtual machines are controlled only via SSH.
'';
};
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
};
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
config = mkIf cfg.enable (mkMerge [{
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
virtualbox: Split kernel modules into own package Putting the kernel modules into the same output path as the main VirtualBox derivation causes all of VirtualBox to be rebuilt on every single kernel update. The build process of VirtualBox already outputs the kernel module source along with the generated files for the configuration of the main VirtualBox package. We put this into a different output called "modsrc" which we re-use from linuxPackages.virtualbox, which is now only containing the resulting kernel modules without the main user space implementation. This not only has the advantage of decluttering the Nix expression for the user space portions but also gets rid of the need to nuke references and the need to patch out "depmod -a". Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-09-13 03:42:16 +02:00
boot.extraModulePackages = [ kernelModules ];
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
environment.systemPackages = [ virtualbox ];
Fixing a bunch of issues
2017-01-29 01:58:12 -06:00
security.wrappers = let
nixos/virtualbox: unbreak wrt. new security.wrappers The new option takes an attrset, not a list.
2017-02-14 22:56:37 +01:00
mkSuid = program: {
virtualbox: Fix runtime paths in hardening mode. Because we have to rely on setuid wrappers on NixOS, we can't easily hardcode the executable paths and set it 4755. So for all calls, we need to change the runtime path executable directory to /var/setuid-wrappers/ and for verification we need to retain the executable directory. Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL and VBoxVolInfo don't reside in directories that are commonly in PATH, but in /usr/lib/virtualbox in most mainstream distros. But because the names of these executables are distinctive enough to not cause collisions with other setuid programs, I'll leave it like that and not patch up setuid-wrappers. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 11:37:32 +01:00
source = "${virtualbox}/libexec/virtualbox/${program}";
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
owner = "root";
group = "vboxusers";
setuid = true;
nixos/virtualbox: unbreak wrt. new security.wrappers The new option takes an attrset, not a list.
2017-02-14 22:56:37 +01:00
};
in mkIf cfg.enableHardening
(builtins.listToAttrs (map (x: { name = x; value = mkSuid x; }) [
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
"VBoxHeadless"
virtualbox: Fix runtime paths in hardening mode. Because we have to rely on setuid wrappers on NixOS, we can't easily hardcode the executable paths and set it 4755. So for all calls, we need to change the runtime path executable directory to /var/setuid-wrappers/ and for verification we need to retain the executable directory. Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL and VBoxVolInfo don't reside in directories that are commonly in PATH, but in /usr/lib/virtualbox in most mainstream distros. But because the names of these executables are distinctive enough to not cause collisions with other setuid programs, I'll leave it like that and not patch up setuid-wrappers. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 11:37:32 +01:00
"VBoxNetAdpCtl"
"VBoxNetDHCP"
"VBoxNetNAT"
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
"VBoxSDL"
virtualbox: Fix runtime paths in hardening mode. Because we have to rely on setuid wrappers on NixOS, we can't easily hardcode the executable paths and set it 4755. So for all calls, we need to change the runtime path executable directory to /var/setuid-wrappers/ and for verification we need to retain the executable directory. Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL and VBoxVolInfo don't reside in directories that are commonly in PATH, but in /usr/lib/virtualbox in most mainstream distros. But because the names of these executables are distinctive enough to not cause collisions with other setuid programs, I'll leave it like that and not patch up setuid-wrappers. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 11:37:32 +01:00
"VBoxVolInfo"
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
"VirtualBox"
nixos/virtualbox: unbreak wrt. new security.wrappers The new option takes an attrset, not a list.
2017-02-14 22:56:37 +01:00
]));
virtualbox: Enable hardening by default. VirtualBox with hardening support requires the main binaries to be setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are pointing to the libexec directory and we also need to unset VBOX_WITH_ORIGIN to make sure that the build system is actually setting those RPATHs. The hardened.patch implements two things: * Set the binary directory to the setuid-wrappers dir so that VboxSVC calls them instead of the binaries from the store path. The reason behind this is because nothing in the Nix store can have the setuid flag. * Excempt /nix/store from the group permission check, because while it is group-writeable indeed it also has the sticky bit set (and also the whole store is mounted read-only on most NixOS systems), so we're checking on that as well. Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers directly, so someone would ever want to change those on a NixOS system, please provide a patch to set those paths on build time. However, for simplicity, it's best to do it when we _really_ need it. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 08:09:50 +01:00
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
services.udev.extraRules =
''
KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
'';
Addressing PR feedback
2017-01-28 20:48:03 -08:00
# Since we lack the right setuid/setcap binaries, set up a host-only network by default.
nixos/virtualbox: Allow to disable hardening. Hardening mode in VirtualBox is quite restrictive and on some systems it could make sense to disable hardening mode, especially while we still have issues with hostonly networking and other issues[TM] we don't know or haven't tested yet. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 07:08:56 +01:00
} (mkIf cfg.addNetworkInterface {
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
systemd.services."vboxnet0" =
{ description = "VirtualBox vboxnet0 Interface";
requires = [ "dev-vboxnetctl.device" ];
after = [ "dev-vboxnetctl.device" ];
wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
path = [ virtualbox ];
serviceConfig.RemainAfterExit = true;
serviceConfig.Type = "oneshot";
nixos/virtualbox/hostonlyif: Fix writing to /root. Creates unnecessary cruft in the root users home directory, which we really don't need. Except the log, but therefore we now cat the log to stderr and the private temporary directory is cleaned up afterwards. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 19:12:58 +01:00
serviceConfig.PrivateTmp = true;
environment.VBOX_USER_HOME = "/tmp";
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
script =
''
if ! [ -e /sys/class/net/vboxnet0 ]; then
VBoxManage hostonlyif create
nixos/virtualbox/hostonlyif: Fix writing to /root. Creates unnecessary cruft in the root users home directory, which we really don't need. Except the log, but therefore we now cat the log to stderr and the private temporary directory is cleaned up afterwards. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 19:12:58 +01:00
cat /tmp/VBoxSVC.log >&2
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
fi
'';
postStop =
''
VBoxManage hostonlyif remove vboxnet0
'';
};
Virtualbox: Fix type error in `networking.interfaces.vboxnet0.ipv4.addresses` This error introduced in e239c1e5820bdbb3d94ccc46e2d6756b0d37057d prevented evaluation on my machine.
2018-02-19 17:48:15 +01:00
networking.interfaces.vboxnet0.ipv4.addresses = [{ address = "192.168.56.1"; prefixLength = 24; }];
virtualbox service: hide vboxnet0 from NetworkManager, fixes #10862
2015-11-07 14:07:11 +01:00
# Make sure NetworkManager won't assume this interface being up
# means we have internet access.
networking.networkmanager.unmanaged = ["vboxnet0"];
virtualbox: Unbreak the nixos module.
2014-12-12 00:15:28 +01:00
})]);
nixos: Add enable option for programs/virtualbox. We will simply rename the previous module and add a warning whenever the module is included directly, pointing the user to the right option and also enable it as well (in case somebody has missed the option and is wondering why VirtualBox doesn't work anymore). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:24:57 +01:00
}
Reference in New Issue Copy Permalink