010578d8a4
The VirtualBox build in Nixpkgs is insecure because it uses the "--disable-hardened" flag, which disables some checks in the VirtualBox kernel module. Since getting rid of that flag looks like too much work, it's better to ensure that only explicitly permitted users have access to VirtualBox. * Drop the 666 permission on "sonypi" because it's not clear why that device should be world-writable. svn path=/nixos/trunk/; revision=33301
# NixOS module enabling VirtualBox on the host: loads the kernel modules,
# installs the package, and restricts the device nodes via udev.
{ config, pkgs, ... }:

let
  # VirtualBox as provided by the configured kernel package set.
  vboxPackage = config.boot.kernelPackages.virtualbox;
in

{
  boot = {
    kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
    extraModulePackages = [ vboxPackage ];
  };

  environment.systemPackages = [ vboxPackage ];

  # Membership in this group is what grants access to the vboxdrv device
  # (see the udev rule below). The Nixpkgs VirtualBox build is configured
  # with "--disable-hardened", which disables some checks in the kernel
  # module, so only explicitly permitted users should be added here.
  users.extraGroups = [ { name = "vboxusers"; } ];

  # vboxdrv:    read/write for root and group vboxusers, no access for others.
  # vboxnetctl: read/write for root only.
  services.udev.extraRules =
    ''
      KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660"
      KERNEL=="vboxnetctl", OWNER="root", GROUP="root", MODE="0600"
    '';
}