virtualbox: Remove group check on /nix/store.

This is espacially cruicial when it comes to Nix 1.9, where we even have
a more restrictive /nix/store. In any event, VirtualBox in hardenend
mode doesn't have to check the /nix/store path, because it's read-only
on NixOS systems. So this check would not introduce more security but
more hurdles, thus I'm removing it (of course _only_ for /nix/store).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2015-04-04 16:59:56 +02:00
parent 1165a243f8
commit 416545a57b
No known key found for this signature in database
GPG Key ID: D0EBD0EC8C2DC961

View File

@ -60,19 +60,21 @@ index 2760306..0ce6c92 100644
*
* The way this work is that it will spawn a detached / backgrounded /
diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
index c39d2f7..cd19186 100644
index c39d2f7..896b352 100644
--- a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
+++ b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
@@ -1415,7 +1415,7 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
@@ -1415,18 +1415,19 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
NOREF(fRelaxed);
#else
NOREF(fRelaxed);
- bool fBad = true;
+ bool fBad = !(fDir && pFsObjState->Stat.st_mode & S_ISVTX && !suplibHardenedStrCmp(pszPath, "/nix/store"));
#endif
if (fBad)
- if (fBad)
+ if (fBad && suplibHardenedStrCmp(pszPath, "/nix/store"))
return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
@@ -1424,9 +1424,10 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
"An unknown (and thus untrusted) group has write access to '", pszPath,
"' and we therefore cannot trust the directory content or that of any subdirectory");
}
/*