The following parameters are now available:
* hardeningDisable
To disable specific hardening flags
* hardeningEnable
To enable specific hardening flags
Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.
cc-wrapper supports the following flags:
* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow
Updates VirtualBox from version 5.0.12 to 5.0.14.
Upstream changes are (without bug IDs):
* GUI: properly limit the number of VCPUs to the number of physical cores
on Mac OS X
* Audio: fixed a bug which prevented loading a saved state of a saved
guests with HDA emulation (5.0.12 regression)
* Audio: don't crash if the backend is unable to initialize
* Audio: fixed audio capture on Mac OS X
* Storage: fixed a possible crash when attaching the same ISO image
multiple times to the same VM
* BIOS: properly report if two floppy drives are attached
* USB: fixed a problem with filters which would not capture the device
under certain circumstances (5.0.10 regression)
* ExtPack: black-list Extension Packs older than 4.3.30 due to
incompatible changes not being properly handled in the past
* Windows hosts: fixed a regression which caused robocopy to fail
* Linux hosts: properly create the /sbin/rcvboxdrv symbolic link (5.0.12
regression)
* Mac OS X hosts: several fixes for USB on El Capitan
* Linux Additions: fixes for Linux 4.5
Full upstream changelog with bug IDs can be found at:
https://www.virtualbox.org/wiki/Changelog
The reason I was reluctant to merge this before were these symbol lookup
errors:
vboxsf: Unknown symbol VBoxGuest_RTMemTmpFree (err 0)
vboxsf: Unknown symbol VBoxGuestIDCCall (err 0)
vboxsf: Unknown symbol VBoxGuest_RTSemFastMutexRequest (err 0)
vboxsf: Unknown symbol VBoxGuest_RTSemFastMutexRelease (err 0)
vboxsf: Unknown symbol VBoxGuest_RTLogRelGetDefaultInstanceEx (err 0)
vboxsf: Unknown symbol VBoxGuest_RTErrConvertToErrno (err 0)
vboxsf: Unknown symbol VBoxGuest_RTSemFastMutexCreate (err 0)
vboxsf: Unknown symbol VBoxGuest_RTSemFastMutexDestroy (err 0)
vboxsf: Unknown symbol VBoxGuest_RTMemContFree (err 0)
vboxsf: Unknown symbol VBoxGuest_RTSemMutexRelease (err 0)
vboxsf: Unknown symbol VBoxGuestIDCOpen (err 0)
vboxsf: Unknown symbol VBoxGuest_RTAssertShouldPanic (err 0)
vboxsf: Unknown symbol VBoxGuest_RTMemContAlloc (err 0)
vboxsf: Unknown symbol VBoxGuest_RTSemMutexRequest (err 0)
vboxsf: Unknown symbol VBoxGuest_RTSemMutexCreate (err 0)
vboxsf: Unknown symbol VBoxGuest_RTMemTmpAllocTag (err 0)
vboxsf: Unknown symbol VBoxGuest_RTSemMutexDestroy (err 0)
vboxsf: Unknown symbol VBoxGuest_RTAssertMsg1Weak (err 0)
vboxsf: Unknown symbol VBoxGuestIDCClose (err 0)
vboxsf: Unknown symbol VBoxGuest_RTAssertMsg2Weak (err 0)
However, after testing it against 5.0.12, the same errors occur there as
well, so it is likely related to our VM tests.
This makes pythonPackages.sqlalchemy the most up to date revision (it
was called sqlalchemy_1_0 before), and maintains the various “legacy”
versions available as pythonPackages.sqlalchemyX for X in {7,8,9}.
All derivations that required `sqlalchemy_1_0` now require `sqlalchemy`
while those that required `sqlalchemy` now require `sqlalchemy7`.
The derivations are not changed, only the attribute names they are
bound to.
This will probably be mandatory soon, and is a step in the right
direction. Removes the deprecated meta.version, and move some meta
sections to the end of the file where I should have put them in
the first place.
See http://nixos.org/nixpkgs/manual/#sec-package-naming
I've added an alias for multipath_tools to make sure that we don't break
existing configurations referencing the old name.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Excerpt from upstream release notes:
This release also contains the security fixes for XSA-137, XSA-138, XSA-141 to XSA-153.
XSA-139 and XSA-140 only apply to QEMU Upstream and are fixed from versions 2.3.1 and 2.4.0 of QEMU.
The qemu portion of XSA-135 has also been applied to qemu-traditional.
The most complex problems were from dealing with switches reverted in
the meantime (gcc5, gmp6, ncurses6).
It's likely that darwin is (still) broken nontrivially.
Also prepare to support multiple stage1 flavors.
The 'host' flavor would be preferred to reuse systemd components instead
of downloading/unpacking/processing a CoreOS PXE image.
* bump stage1 base image to v794.1.0 according to upstream release
* make use of BUILDDIR environment variable to control output path
* make use of the configure option for the stage1 image path and the stage1 base image path
* fix homepage URL
* add myself to the list of maintianers
This fixes the error message: GLib-GIO-Message: Using the 'memory'
GSettings backend. Your settings will not be saved or shared with other
applications.
It caused old saved settings to be forgotten, and new settings to be lost
when virt-manager is closed.
VirtualBox had support for DBUS even in version 4.x, but it appears that
nothing in our VM test triggered it to load, thus I didn't notice the
runtime error:
rtldrNativeLoad: dlopen('libdbus-1.so.3', RTLD_NOW | RTLD_LOCAL) failed:
libdbus-1.so.3: cannot open shared object file: No such
file or directory
The upstream commits I think are responsible for this to come to surface
are _probably_ (did I ever mention that I love SVN? *cough*) one of
these:
https://www.virtualbox.org/changeset/55664/vboxhttps://www.virtualbox.org/changeset/55602/vbox
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This seems to have been confusing people, using both xlibs and xorg, etc.
- Avoided renaming local (and different) xlibs binding in gcc*.
- Fixed cases where both xorg and xlibs were used.
Hopefully everything still works as before.
Regression introduced in 7ffb1f3bde.
Also added a small notice so that this hopefully won't happen with
future updates.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This reverts commit 0e0e3c0c08.
I've been seeing quite some QEMU segfaults on Hydra,
hopefully reverting the bump will fix the issue.
(cherry picked from commit 863c121c0782b82900d736f9f71dbcfa80f62e1d)
Signed-off-by: Domen Kožar <domen@dev.si>
Second attempt to resolve this issue. Copies stage1 image into expected
place manually. This has been improved in rkt master where there is a
configure option for specifying the location of this file. Can update
when next stable rkt is released.
The rkt build process requires a stage1 image. By default it will try
and download one with wget from coreos.com during the build. This change
explicitly downloads the image using `fetchurl`, verifying checksum,
then passes that to the build using appropriate configure flag.
Using $storepath/sbin is deprecated according to commit 98cedb3, so
let's avoid putting anything in .../sbin for the guest additions.
This is a continuation of the initial commit done by @ctheune at
1fb1360, which unfortunately broke VM tests and only changed the path of
the mount.vboxsf helper.
With this commit, the VM test is fixed and I've also verified on my
machine that it is indeed working again.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This places mount.vboxsf in $out/bin instead of sbin, because as
reported in #9063 it seems that the the mount tools are no longer
looking into $storepath/sbin/mount.$what but into
$storepath/bin/mount.$what instead.
However, I haven't found any commit which changes this behavior and
couldn't reproduce it. Also, merging this will break the VirtualBox
tests, but I'm merging it anyway in an effort to remove $storepath/sbin
from virtualboxGuestAdditions entirely.
Tested against virtualbox NixOS VM test, which of course failed as said
before.
Changes:
- RemoteBox now requires VirtualBox 5.0.x
- Added guest support for USB 3.0
- Added OS icons for Windows 10, OS/2 1.x, Yosemite, El Capitan
- Added command line options for automatic login. See manual
- Added option to set the virtual VGA card of a guest to either
VirtualBox VGA or VMware SVGA-II
- Allow snapshots to be taken while the guest is paused
- Added support for adding USB storage controller to a guest
- Added support for adding transient shared folders
- Added support for setting IPv6 Port Forwarding rules on NAT networks
- Added option to convert disk images to VDI when importing an
appliance
- Changed the way guest details are displayed and added an option
to show extended (slower) or reduced (faster) guest details
- Added support for selecting built-in presets for the RDP clients.
These are currently FreeRDP (New Syntax), FreeRDP (Old Syntax),
Rdesktop, Windows Remote Desktop Client
- Added support for selecting the paravirtualization interface for
a guest
- Added keyboard toolbutton for quick access to common keyboard
sequences. The full keyboard menu is still available
- Fixed a problem with trailing slashes in a URL preventing the
remote display to a guest from opening.
- Fixed a problem with UTF8 strings affecting the listing of storage
attached to controllers
- Fixed an issue where stuck guests couldn't be stopped from the GUI
- Various GUI tweaks
Xen required a few changes in order to be usable:
* Include xenfs module in initrd as loading it in the activation
script was failing.
* Include /etc/default/xendomains, which is needed by
xen-domains service.
* Create /var/log/xen and /var/lib/xen directories in
the xen-store service, which are needed by the xl command.
The directories could be created by any other script as long as
they are guaranteed to exist before xl is called.
* Fix a reference to /bin/ls in the xendomains script.
Within fractions* of a second, the beautifully crafted history and
branching mechanisms of SVN found out the exact revision which caused
this to be visible in version 5.x but not in version 4.x:
https://www.virtualbox.org/changeset?old_path=%2Fvbox%2Ftrunk&old=30933&new_path=%2Fvbox%2Ftrunk&new=30934
Also note the very short URL and the informative changeset message which
shows you exactly what was the issue, I think.
Be warned however, it may contain traces of history amnesia, revision
epilepsy and other related diseases.
As for the issue itself: This was very much broken in 4.x as well, but
it didn't show an error message in the UI. The PulseAudio library is
loaded at runtime and it's not able to do that unless it's in
LD_LIBRARY_PATH.
Now, we're doing the same as with the ALSA libraries: We're hardcoding
the path to the shared object file in patchPhase.
Thanks to @devhell for reporting and testing.
*: Might be off several minutes or hours due to rounding errors in
floating point arithmetic.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: devhell <"^"@regexmail.net>
Tested-by: devhell <"^"@regexmail.net>
Contains quite a lot of fixes, so for information and details about
them, please have a look at https://www.virtualbox.org/wiki/Changelog.
We also needed to drop the hunk about NATNetworkServiceRunner.cpp in the
hardened.patch, because the file was unused and thus has been removed
from upstream in r54821:
https://www.virtualbox.org/changeset?reponame=vbox&new=54821
Tested successfully against nixos/tests/virtualbox.nix.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Upstream changelog:
* GUI: in the snapshots pane, protect the age of snapshots against
wrong host time
* NAT Network: fixed a bug which prevented to propagate any DNS name
server / domain / search string information to the NAT
network (4.3.24 regression)
* NAT Network: don't delay the shutdown of VBoxSVC on Windows hosts
* Mouse support: the mouse could not be moved under rare conditions if
no Guest Additions are installed (4.3.24 regression)
* Storage: if the guest ejects a virtual CD/DVD medium, make the change
permanent
* VGA: made saving secondary screen sizes possible in X11 guests
* SDK: fixed the VirtualBox.tlb file (4.3.20 regression)
* rdesktop-vrdp: make it work with USB devices again (4.3.14
regression)
* USB: fixed a possible BSOD on Windows hosts under rare conditions
* iPXE: enable the HTTP download protocol on non-Linux hosts
* Mac OS X hosts: don't panic on hosts with activated SMAP (Broadwell
and later)
* Linux hosts: don't crash Linux 4.0 hosts
The same with bug IDs can be found at:
https://www.virtualbox.org/wiki/Changelog
Tested on my machine using the virtualbox NixOS VM test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is espacially cruicial when it comes to Nix 1.9, where we even have
a more restrictive /nix/store. In any event, VirtualBox in hardenend
mode doesn't have to check the /nix/store path, because it's read-only
on NixOS systems. So this check would not introduce more security but
more hurdles, thus I'm removing it (of course _only_ for /nix/store).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
New maintenance release, changes:
* VMM: emulation fix for the ENTER instruction under certain
conditions; fixes Solaris 10 guests (VT-x without unrestricted guest
execution)
* VMM: fix for handling NMIs on Linux hosts with X2APIC enabled
* NAT/NAT Network: fix connection drops when the host's DHCP lease was
renewed (4.3.22 regression; Windows hosts only)
* NAT: don't crash on an empty domain list when switching the DNS host
configuration (4.3.22 regression; Mac OS X hosts only)
* PXE: re-enable it on Windows hosts (4.3.22 regression; Windows hosts
only)
* Shared Folders: fixed a problem with Windows guests (4.3.22
regression)
* Audio: improved record quality when using the DirectSound audio
backend
* VBoxManage: when executing the controlvm command take care that the
corresponding VM runtime changes are saved permanently
* Windows Installer: properly install the 32-bit version of VBoxRes.dll
on 32-bit hosts
* Linux hosts / guests: Linux 4.0 fixes
* OS/2 Additions: fixed mouse integration (4.3.22 regression)
* X11 Additions: fixed a sporadic failure to deactivate virtual screens
Full changelog with bug IDs can be found at:
https://www.virtualbox.org/wiki/Changelog
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The Nixos Qemu VM that are used for VM tests can now start without
boot menu even when using a bootloader.
The Nixos Qemu VM with bootloader can emulate a EFI boot now.
Because we have to rely on setuid wrappers on NixOS, we can't easily
hardcode the executable paths and set it 4755. So for all calls, we need
to change the runtime path executable directory to /var/setuid-wrappers/
and for verification we need to retain the executable directory.
Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL
and VBoxVolInfo don't reside in directories that are commonly in PATH,
but in /usr/lib/virtualbox in most mainstream distros. But because the
names of these executables are distinctive enough to not cause
collisions with other setuid programs, I'll leave it like that and not
patch up setuid-wrappers.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Not really changes anything in functionality, but makes it easier to
change the build type to "debug", for example.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Just accidentally found this while debugging and it's needed for
fetching a few interface details, not sure however whether because of
this anything has been broken so far.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Instead of coping it to $out and later deleting it, we now exclude the
src directory during copy. Also, we no longer cd into the release
directory during installPhase, which should make sure that we are
constantly in $sourceRoot.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes this error, as seen when trying to open a guest VM when
virt-viewer is accessed over ssh with X forwarding:
GLib-GIO-ERROR **: Settings schema 'org.gnome.system.proxy' is not installed
A similar issue was fixed for virt-manager in commit
fb8a2b3be7 ("virt-manager: fix missing
schema error")
We divert to the $out/share/virtualbox directory only if we have
hardening enabled, so let's put the extension pack into
$out/libexec/virtualbox instead if we're compiling without hardening.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* Add missing dependency on 'spice_protocol'
* Fix new build error which came now that ./configure enables SPICE support:
building virt-viewer
CCLD virt-viewer
/nix/store/b8qhjrwf8sf9ggkjxqqav7f1m6w83bh0-binutils-2.23.1/bin/ld: cannot find -lgdbm
/nix/store/b8qhjrwf8sf9ggkjxqqav7f1m6w83bh0-binutils-2.23.1/bin/ld: cannot find -lcap
collect2: error: ld returned 1 exit status
Fix by adding gddbm and libcap as inputs. Yes, libcap is needed
_in addition_ to libcap_ng (I tested removing libcap_ng, it failed).
Without this change, virt-viewer cannot be used with guests machines
that uses SPICE.
Yes, this is only on the package level, so it's possible to use
VirtualBox for example installed by nix-env -i, which of course doesn't
have access to the functionality provided by the various VirtualBox
kernel modules.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With hardening, we need to go a bit further rather than just allowing
/nix/store being world-writable. We now use fakeroot to make sure the
VBoxExtPackHelperApp won't moan that the files are not owned by root.
They are, but only outside of the chrooted build process.
Another issue with using fakeroot is that it doesn't seem to cope well
with arguments that contain spaces. That's why I've piped the call into
${stdenv.shell}.
Now, the really gory and confusing part is the introduction of
VBOX_PATH_APP_PRIVATE_ARCH_TOP and the change of VBOX_PATH_APP_PRIVATE.
The VBOX_PATH_APP_PRIVATE_ARCH is *only* for modules and is checked by
the hardened implementation against whether things like VMMR0.r0 or
VBoxVMM.so reside in that directory. As a side note: I admit that the
whole libexec directory is quite polluted with stuff that shouldn't be
there, but for now we've broken enough things and will tear apart the
whole structure at some day in the future[TM].
For the confusing part we have VBOX_PATH_APP_PRIVATE_ARCH_TOP, which
_should_ be the same as VBOX_PATH_APP_PRIVATE_ARCH but unfortunately,
the hardened implementation is checking against this directory (in
IsValidBaseDir) for the extension pack(why!?).
Of course, we could put even that into the libexec directory, somewhat
similar as the official package, but after all, let's at least *try* to
separate things.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We are already checking whether /nix/store has the sticky bit set, so if
it is world-writable as well it doesn't mean that the actual store path
is writable. Let alone the fact that it is only writable during the
build process.
This should fix installing the extension pack when enableExtensionPack
is used.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
VirtualBox with hardening support requires the main binaries to be
setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are
pointing to the libexec directory and we also need to unset
VBOX_WITH_ORIGIN to make sure that the build system is actually setting
those RPATHs.
The hardened.patch implements two things:
* Set the binary directory to the setuid-wrappers dir so that
VboxSVC calls them instead of the binaries from the store path. The
reason behind this is because nothing in the Nix store can have the
setuid flag.
* Excempt /nix/store from the group permission check, because while it
is group-writeable indeed it also has the sticky bit set (and also
the whole store is mounted read-only on most NixOS systems), so we're
checking on that as well.
Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers
directly, so someone would ever want to change those on a NixOS system,
please provide a patch to set those paths on build time. However, for
simplicity, it's best to do it when we _really_ need it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>