With hardening, we need to go a bit further rather than just allowing
/nix/store being world-writable. We now use fakeroot to make sure the
VBoxExtPackHelperApp won't moan that the files are not owned by root.
They are, but only outside of the chrooted build process.
Another issue with using fakeroot is that it doesn't seem to cope well
with arguments that contain spaces. That's why I've piped the call into
${stdenv.shell}.
Now, the really gory and confusing part is the introduction of
VBOX_PATH_APP_PRIVATE_ARCH_TOP and the change of VBOX_PATH_APP_PRIVATE.
The VBOX_PATH_APP_PRIVATE_ARCH is *only* for modules and is checked by
the hardened implementation against whether things like VMMR0.r0 or
VBoxVMM.so reside in that directory. As a side note: I admit that the
whole libexec directory is quite polluted with stuff that shouldn't be
there, but for now we've broken enough things and will tear apart the
whole structure at some day in the future[TM].
For the confusing part we have VBOX_PATH_APP_PRIVATE_ARCH_TOP, which
_should_ be the same as VBOX_PATH_APP_PRIVATE_ARCH but unfortunately,
the hardened implementation is checking against this directory (in
IsValidBaseDir) for the extension pack(why!?).
Of course, we could put even that into the libexec directory, somewhat
similar as the official package, but after all, let's at least *try* to
separate things.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We are already checking whether /nix/store has the sticky bit set, so if
it is world-writable as well it doesn't mean that the actual store path
is writable. Let alone the fact that it is only writable during the
build process.
This should fix installing the extension pack when enableExtensionPack
is used.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
VirtualBox with hardening support requires the main binaries to be
setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are
pointing to the libexec directory and we also need to unset
VBOX_WITH_ORIGIN to make sure that the build system is actually setting
those RPATHs.
The hardened.patch implements two things:
* Set the binary directory to the setuid-wrappers dir so that
VboxSVC calls them instead of the binaries from the store path. The
reason behind this is because nothing in the Nix store can have the
setuid flag.
* Excempt /nix/store from the group permission check, because while it
is group-writeable indeed it also has the sticky bit set (and also
the whole store is mounted read-only on most NixOS systems), so we're
checking on that as well.
Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers
directly, so someone would ever want to change those on a NixOS system,
please provide a patch to set those paths on build time. However, for
simplicity, it's best to do it when we _really_ need it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Traversing the full source tree is unneccessary, because the calls are
only done within make files. Hence we only substitute make files now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Thanks to @iElectric for the notification, although I'm not really sure
whether this will fix the following failed Hydra build:
http://hydra.nixos.org/build/17609086/nixlog/1/raw
The reason is that this failure doesn't happen on every build, but let's
see whether it will happen again now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is a response to 1fdefd5562.
We are already using bundled protobuf for the beta and dev channels and
it also breaks regularly with about every new Chromium release, so let's
use bundled protobuf for all channels now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>