Author: eelco Date: Tue Mar 20 16:30:43 2012 New Revision: 33301 URL: https://nixos.org/websvn/nix/?rev=33301&sc=1
Log: * Restrict VirtualBox to users in the vboxusers group. The VirtualBox build in Nixpkgs is insecure because it uses the "--disable-hardened" flag, which disables some checks in the VirtualBox kernel module. Since getting rid of that flag looks like too much work, it's better to ensure that only explicitly permitted users have access to VirtualBox. * Drop the 666 permission on "sonypi" because it's not clear why that device should be world-writable. Modified: nixos/trunk/modules/programs/virtualbox.nix nixos/trunk/modules/services/hardware/udev.nix Modified: nixos/trunk/modules/programs/virtualbox.nix ============================================================================== --- nixos/trunk/modules/programs/virtualbox.nix Tue Mar 20 16:29:22 2012 (r33300) +++ nixos/trunk/modules/programs/virtualbox.nix Tue Mar 20 16:30:43 2012 (r33301) @@ -9,13 +9,11 @@ boot.extraModulePackages = [ virtualbox ]; environment.systemPackages = [ virtualbox ]; - # ‘VBoxNetAdpCtl’ needs to be setuid root to allow users to create - # host-only networks (https://www.virtualbox.org/ticket/4014). - security.setuidOwners = singleton - { program = "VBoxNetAdpCtl"; - source = "${virtualbox}/virtualbox/VBoxNetAdpCtl"; - owner = "root"; - group = "root"; - setuid = true; - }; + users.extraGroups = singleton { name = "vboxusers"; }; + + services.udev.extraRules = + '' + KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660" + KERNEL=="vboxnetctl", OWNER="root", GROUP="root", MODE="0600" + ''; } Modified: nixos/trunk/modules/services/hardware/udev.nix ============================================================================== --- nixos/trunk/modules/services/hardware/udev.nix Tue Mar 20 16:29:22 2012 (r33300) +++ nixos/trunk/modules/services/hardware/udev.nix Tue Mar 20 16:30:43 2012 (r33301) @@ -17,12 +17,8 @@ nixosRules = '' # Miscellaneous devices. - KERNEL=="sonypi", MODE="0666" KERNEL=="kvm", MODE="0666" KERNEL=="kqemu", MODE="0666" - KERNEL=="vboxdrv", NAME="vboxdrv", OWNER="root", GROUP="root", MODE="0666" - KERNEL=="vboxadd", NAME="vboxadd", OWNER="root", GROUP="root", MODE="0660" - KERNEL=="vboxuser", NAME="vboxuser", OWNER="root", GROUP="root", MODE="0666" ''; # Perform substitutions in all udev rules files. _______________________________________________ nix-commits mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-commits
