From 010578d8a4805a3461787cf38bde05ae60018382 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 20 Mar 2012 16:30:43 +0000 Subject: [PATCH] * Restrict VirtualBox to users in the vboxusers group. The VirtualBox build in Nixpkgs is insecure because it uses the "--disable-hardened" flag, which disables some checks in the VirtualBox kernel module. Since getting rid of that flag looks like too much work, it's better to ensure that only explicitly permitted users have access to VirtualBox. * Drop the 666 permission on "sonypi" because it's not clear why that device should be world-writable. svn path=/nixos/trunk/; revision=33301 --- modules/programs/virtualbox.nix | 16 +++++++--------- modules/services/hardware/udev.nix | 4 ---- 2 files changed, 7 insertions(+), 13 deletions(-) diff --git a/modules/programs/virtualbox.nix b/modules/programs/virtualbox.nix index 05209cb38e5..34b2c156632 100644 --- a/modules/programs/virtualbox.nix +++ b/modules/programs/virtualbox.nix @@ -9,13 +9,11 @@ let virtualbox = config.boot.kernelPackages.virtualbox; in boot.extraModulePackages = [ virtualbox ]; environment.systemPackages = [ virtualbox ]; - # ‘VBoxNetAdpCtl’ needs to be setuid root to allow users to create - # host-only networks (https://www.virtualbox.org/ticket/4014). - security.setuidOwners = singleton - { program = "VBoxNetAdpCtl"; - source = "${virtualbox}/virtualbox/VBoxNetAdpCtl"; - owner = "root"; - group = "root"; - setuid = true; - }; + users.extraGroups = singleton { name = "vboxusers"; }; + + services.udev.extraRules = + '' + KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660" + KERNEL=="vboxnetctl", OWNER="root", GROUP="root", MODE="0600" + ''; } diff --git a/modules/services/hardware/udev.nix b/modules/services/hardware/udev.nix index c4cd394108f..2a75212725a 100644 --- a/modules/services/hardware/udev.nix +++ b/modules/services/hardware/udev.nix 
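Review bot: The new `vboxdrv` rule hands the device to `vboxusers`, but nothing in the module tells an administrator that this group is privileged. Since the commit message says the build uses `--disable-hardened`, membership should probably be treated as close to root-equivalent, and a comment above `users.extraGroups` should say so, e.g. `# VirtualBox is built with --disable-hardened; only add trusted users to "vboxusers".` The same hunk also drops the setuid `VBoxNetAdpCtl` wrapper and makes `vboxnetctl` root-only (`MODE="0600"`), which the description does not mention. It looks like members of `vboxusers` can no longer create host-only networks, so a one-line comment beside that rule confirming this is intentional would help. The `udev.nix` hunk removes the `vboxadd` and `vboxuser` rules with no replacement here; presumably those devices fall back to the udev default mode, which is worth confirming for guest systems. The enclosing attribute set starts outside the hunk.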
@@ -17,12 +17,8 @@ let nixosRules = '' # Miscellaneous devices. - KERNEL=="sonypi", MODE="0666" KERNEL=="kvm", MODE="0666" KERNEL=="kqemu", MODE="0666" - KERNEL=="vboxdrv", NAME="vboxdrv", OWNER="root", GROUP="root", MODE="0666" - KERNEL=="vboxadd", NAME="vboxadd", OWNER="root", GROUP="root", MODE="0660" - KERNEL=="vboxuser", NAME="vboxuser", OWNER="root", GROUP="root", MODE="0666" ''; # Perform substitutions in all udev rules files.