nixos/virtualbox: Allow to disable hardening.

Hardening mode in VirtualBox is quite restrictive and on some systems it
could make sense to disable hardening mode, especially while we still
have issues with hostonly networking and other issues[TM] we don't know
or haven't tested yet.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2014-12-15 07:08:56 +01:00
parent 77831e8467
commit e03e0ff42a
No known key found for this signature in database
GPG Key ID: D0EBD0EC8C2DC961
1 changed files with 31 additions and 9 deletions

View File

@ -3,20 +3,42 @@
with lib;
let
virtualbox = config.boot.kernelPackages.virtualbox;
cfg = config.services.virtualboxHost;
virtualbox = config.boot.kernelPackages.virtualbox.override {
inherit (cfg) enableHardening;
};
in
{
options = {
services.virtualboxHost.enable = mkEnableOption "VirtualBox Host support";
services.virtualboxHost.addNetworkInterface = mkOption {
options.services.virtualboxHost = {
enable = mkEnableOption "VirtualBox Host support";
addNetworkInterface = mkOption {
type = types.bool;
default = true;
description = "Automatically set up a vboxnet0 host-only network interface.";
description = ''
Automatically set up a vboxnet0 host-only network interface.
'';
};
enableHardening = mkOption {
type = types.bool;
default = true;
description = ''
Enable hardened VirtualBox, which ensures that only the binaries in the
system path get access to the devices exposed by the kernel modules
instead of all users in the vboxusers group.
<important><para>
Disabling this can put your system's security at risk, as local users
in the vboxusers group can tamper with the VirtualBox device files.
</para></important>
'';
};
};
config = mkIf config.services.virtualboxHost.enable (mkMerge [{
config = mkIf cfg.enable (mkMerge [{
boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
boot.extraModulePackages = [ virtualbox ];
environment.systemPackages = [ virtualbox ];
@ -28,11 +50,11 @@ in
group = "vboxusers";
setuid = true;
};
in map mkVboxStub [
in mkIf cfg.enableHardening (map mkVboxStub [
"VBoxHeadless"
"VBoxSDL"
"VirtualBox"
];
]);
users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
@ -48,7 +70,7 @@ in
'';
# Since we lack the right setuid binaries, set up a host-only network by default.
} (mkIf config.services.virtualboxHost.addNetworkInterface {
} (mkIf cfg.addNetworkInterface {
systemd.services."vboxnet0" =
{ description = "VirtualBox vboxnet0 Interface";
requires = [ "dev-vboxnetctl.device" ];