mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-23 15:33:13 +00:00
virtualbox: Remove group check on /nix/store.
This is espacially cruicial when it comes to Nix 1.9, where we even have a more restrictive /nix/store. In any event, VirtualBox in hardenend mode doesn't have to check the /nix/store path, because it's read-only on NixOS systems. So this check would not introduce more security but more hurdles, thus I'm removing it (of course _only_ for /nix/store). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
parent
1165a243f8
commit
416545a57b
@ -60,19 +60,21 @@ index 2760306..0ce6c92 100644
|
||||
*
|
||||
* The way this work is that it will spawn a detached / backgrounded /
|
||||
diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
|
||||
index c39d2f7..cd19186 100644
|
||||
index c39d2f7..896b352 100644
|
||||
--- a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
|
||||
+++ b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
|
||||
@@ -1415,7 +1415,7 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
|
||||
@@ -1415,18 +1415,19 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
|
||||
NOREF(fRelaxed);
|
||||
#else
|
||||
NOREF(fRelaxed);
|
||||
- bool fBad = true;
|
||||
+ bool fBad = !(fDir && pFsObjState->Stat.st_mode & S_ISVTX && !suplibHardenedStrCmp(pszPath, "/nix/store"));
|
||||
#endif
|
||||
if (fBad)
|
||||
- if (fBad)
|
||||
+ if (fBad && suplibHardenedStrCmp(pszPath, "/nix/store"))
|
||||
return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
|
||||
@@ -1424,9 +1424,10 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
|
||||
"An unknown (and thus untrusted) group has write access to '", pszPath,
|
||||
"' and we therefore cannot trust the directory content or that of any subdirectory");
|
||||
}
|
||||
|
||||
/*
|
||||
|
Loading…
Reference in New Issue
Block a user