Commit f986e50d authored by Felix Singer's avatar Felix Singer
Browse files

nixos/virtualbox-guest: Limit access to /dev/vboxuser 



Permitting all users read-write access to the /dev/vboxuser device is
not needed and rather a security issue. So, remove the read-write
access to "other" users and only permit access to seat sessions by
adding the uaccess tag.

Also, since robot-like configurations might depend on the access to
this device as well, create the group `vboxuserdev` and change the group
ownership of the device accordingly permitting trusted system users
access to it.

Tested and verified with a graphical session that the VirtualBox guest
boots and works.

Signed-off-by: default avatarFelix Singer <felixsinger@posteo.net>
parent 1427725f

nixos/modules/virtualisation/virtualbox-guest.nix

+3 −1
Original line number Diff line number Diff line
@@ -131,10 +131,12 @@ in 
          serviceConfig.ExecStart = "@${kernel.virtualboxGuestAdditions}/bin/VBoxService VBoxService --foreground";

        };



        users.groups.vboxuserdev = { };



        services.udev.extraRules = ''

          # /dev/vboxuser is necessary for VBoxClient to work.  Maybe we

          # should restrict this to logged-in users.

          KERNEL=="vboxuser",  OWNER="root", GROUP="root", MODE="0666"

          KERNEL=="vboxuser",  OWNER="root", GROUP="vboxuserdev", MODE="0660", TAG+="uaccess"



          # Allow systemd dependencies on vboxguest.

          SUBSYSTEM=="misc", KERNEL=="vboxguest", TAG+="systemd"