* Restrict VirtualBox to users in the vboxusers group.

The VirtualBox build in Nixpkgs is insecure because it uses the
  "--disable-hardened" flag, which disables some checks in the
  VirtualBox kernel module.  Since getting rid of that flag looks like
  too much work, it's better to ensure that only explicitly permitted
  users have access to VirtualBox.

* Drop the 666 permission on "sonypi" because it's not clear why that
  device should be world-writable.

svn path=/nixos/trunk/; revision=33301

modules/programs/virtualbox.nix

@@ -9,13 +9,11 @@ let virtualbox = config.boot.kernelPackages.virtualbox; in
   boot.extraModulePackages = [ virtualbox ];
   environment.systemPackages = [ virtualbox ];
 
-  # ‘VBoxNetAdpCtl’ needs to be setuid root to allow users to create
-  # host-only networks (https://www.virtualbox.org/ticket/4014).
-  security.setuidOwners = singleton
-    { program = "VBoxNetAdpCtl";
-      source = "${virtualbox}/virtualbox/VBoxNetAdpCtl";
-      owner = "root";
-      group = "root";
-      setuid = true;
-    };
+  users.extraGroups = singleton { name = "vboxusers"; };
+  
+  services.udev.extraRules =
+    ''
+      KERNEL=="vboxdrv",    OWNER="root", GROUP="vboxusers", MODE="0660"
+      KERNEL=="vboxnetctl", OWNER="root", GROUP="root",      MODE="0600"
+    '';
 }

modules/services/hardware/udev.nix

@@ -17,12 +17,8 @@ let
   nixosRules = ''
 
     # Miscellaneous devices.
-    KERNEL=="sonypi",               MODE="0666"
     KERNEL=="kvm",                  MODE="0666"
     KERNEL=="kqemu",                MODE="0666"
-    KERNEL=="vboxdrv",  NAME="vboxdrv",  OWNER="root", GROUP="root", MODE="0666"
-    KERNEL=="vboxadd",  NAME="vboxadd",  OWNER="root", GROUP="root", MODE="0660"
-    KERNEL=="vboxuser", NAME="vboxuser", OWNER="root", GROUP="root", MODE="0666"
   '';
 
   # Perform substitutions in all udev rules files.