
Because we have to rely on setuid wrappers on NixOS, we can't easily hardcode the executable paths and set them to 4755. So for all calls, we need to change the runtime path of the executable directory to /var/setuid-wrappers/, and for verification we need to retain the executable directory. Also note that VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL and VBoxVolInfo usually don't reside in directories that are commonly in PATH, but in /usr/lib/virtualbox in most mainstream distros. But because the names of these executables are distinctive enough not to collide with other setuid programs, I'll leave it like that and not patch up setuid-wrappers. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.virtualboxHost;

  # Host package built against the configured kernel.  The hardening choice is
  # passed through so the binaries match what this module sets up below.
  virtualbox = config.boot.kernelPackages.virtualbox.override {
    inherit (cfg) enableHardening;
  };

  # Helpers that need root privileges once hardening is on.  They are shipped
  # under libexec/virtualbox in the package output; NixOS exposes them through
  # setuid wrappers rather than marking the (immutable) store binaries 4755.
  privilegedHelpers = [
    "VBoxHeadless"
    "VBoxNetAdpCtl"
    "VBoxNetDHCP"
    "VBoxNetNAT"
    "VBoxSDL"
    "VBoxVolInfo"
    "VirtualBox"
  ];

  # One security.setuidOwners entry: a root-owned wrapper, group vboxusers,
  # pointing at the real binary in the package.
  wrapperFor = name: {
    program = name;
    source = "${virtualbox}/libexec/virtualbox/${name}";
    owner = "root";
    group = "vboxusers";
    setuid = true;
  };

  # Emitted at evaluation time whenever hardening is off (the default).
  hardeningWarning = concatStrings [
    "Hardening is currently disabled for VirtualBox, because of some "
    "issues in conjunction with host-only-interfaces. If you don't use "
    "hostonlyifs, it's strongly recommended to set "
    "`services.virtualboxHost.enableHardening = true'!"
  ];

  # Device-node ownership plus USB hot-plug hooks.  vboxdrv and vboxnetctl are
  # limited to root and the vboxusers group (0660); vboxdrvu is left world
  # read/write (0666) -- presumably the unprivileged interface, so confirm that
  # is intended before relaxing anything else here.
  deviceRules = ''
    KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
    KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
    KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
    SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
    SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
    SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
    SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
  '';
in

{
  options.services.virtualboxHost = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable host-side support for VirtualBox.

        <note><para>
          In order to pass USB devices from the host to the guests, the user
          needs to be in the <literal>vboxusers</literal> group.
        </para></note>
      '';
    };

    addNetworkInterface = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Automatically set up a vboxnet0 host-only network interface.
      '';
    };

    enableHardening = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable hardened VirtualBox, which ensures that only the binaries in the
        system path get access to the devices exposed by the kernel modules
        instead of all users in the vboxusers group.

        <important><para>
          Disabling this can put your system's security at risk, as local users
          in the vboxusers group can tamper with the VirtualBox device files.
        </para></important>
      '';
    };
  };

  config = mkIf cfg.enable (mkMerge [
    {
      boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
      boot.extraModulePackages = [ virtualbox ];
      environment.systemPackages = [ virtualbox ];

      warnings = mkIf (!cfg.enableHardening) [ hardeningWarning ];

      # The setuid wrappers exist only with hardening on; see the
      # enableHardening description for what that mode restricts.
      security.setuidOwners =
        mkIf cfg.enableHardening (map wrapperFor privilegedHelpers);

      users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;

      services.udev.extraRules = deviceRules;
    }

    # Since we lack the right setuid binaries, set up a host-only network by default.
    (mkIf cfg.addNetworkInterface {
      systemd.services."vboxnet0" = {
        description = "VirtualBox vboxnet0 Interface";
        requires = [ "dev-vboxnetctl.device" ];
        after = [ "dev-vboxnetctl.device" ];
        wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
        path = [ virtualbox ];
        # One-shot unit that stays active after exit.  PrivateTmp gives it a
        # /tmp of its own, which is also VBOX_USER_HOME and therefore where the
        # VBoxSVC.log echoed in the script comes from.
        serviceConfig = {
          RemainAfterExit = true;
          Type = "oneshot";
          PrivateTmp = true;
        };
        environment.VBOX_USER_HOME = "/tmp";
        script = ''
          if ! [ -e /sys/class/net/vboxnet0 ]; then
            VBoxManage hostonlyif create
            cat /tmp/VBoxSVC.log >&2
          fi
        '';
        postStop = ''
          VBoxManage hostonlyif remove vboxnet0
        '';
      };

      networking.interfaces.vboxnet0.ip4 = [ { address = "192.168.56.1"; prefixLength = 24; } ];
    })
  ]);
}