318fbb34e7
We are already checking whether /nix/store has the sticky bit set, so if it is world-writable as well it doesn't mean that the actual store path is writable. Let alone the fact that it is only writable during the build process. This should fix installing the extension pack when enableExtensionPack is used. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
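diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
index c39d2f7..cd19186 100644
--- a/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
+++ b/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp
@@ -1415,7 +1415,7 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
 NOREF(fRelaxed);
 #else
 NOREF(fRelaxed);
- bool fBad = true;
+ bool fBad = !(fDir && pFsObjState->Stat.st_mode & S_ISVTX && !suplibHardenedStrCmp(pszPath, "/nix/store"));
 #endif
 if (fBad)
 return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
@@ -1424,9 +1424,10 @@ static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bo
 }
 
 /*
- * World must not have write access. There is no relaxing this rule.
+ * World must not have write access.
+ * There is no relaxing this rule, except when it comes to the Nix store.
 */
- if (pFsObjState->Stat.st_mode & S_IWOTH)
+ if (pFsObjState->Stat.st_mode & S_IWOTH && suplibHardenedStrCmp(pszPath, "/nix/store"))
 return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
 "World writable: '", pszPath, "'");
 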
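Review bot: The world-writable exemption in the second hunk keys only on the path string: `st_mode & S_IWOTH && suplibHardenedStrCmp(pszPath, "/nix/store")` skips the error for anything named /nix/store without itself testing `fDir` or `S_ISVTX`. The sticky-bit test lives in the first hunk's `fBad` expression, which sits in an `#else` branch whose guarding condition starts outside the hunk, so it may not run on every path that reaches the world-writable check. Repeating the full condition keeps the relaxation self-contained: `if ((pFsObjState->Stat.st_mode & S_IWOTH) && !(fDir && (pFsObjState->Stat.st_mode & S_ISVTX) && !suplibHardenedStrCmp(pszPath, "/nix/store")))`. The same explicit parentheses around the bit tests would make the `fBad` line easier to audit, and both comparisons assume pszPath arrives without a trailing slash, which is not visible here.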
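diff --git a/src/VBox/Main/src-server/MachineImpl.cpp b/src/VBox/Main/src-server/MachineImpl.cpp
index 95dc9a7..39170bc 100644
--- a/src/VBox/Main/src-server/MachineImpl.cpp
+++ b/src/VBox/Main/src-server/MachineImpl.cpp
@@ -7326,7 +7326,7 @@ HRESULT Machine::i_launchVMProcess(IInternalSessionControl *aControl,
 
 /* get the path to the executable */
 char szPath[RTPATH_MAX];
- RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
+ RTStrCopy(szPath, sizeof(szPath) - 1, "/var/setuid-wrappers");
 size_t cchBufLeft = strlen(szPath);
 szPath[cchBufLeft++] = RTPATH_DELIMITER;
 szPath[cchBufLeft] = 0;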
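Review bot: The directory used to locate the VM process binary is now the bare literal `"/var/setuid-wrappers"` with no comment, so the launch path no longer follows the application's install location and its integrity depends on how that directory is owned and populated on the host. A comment on the new line would record the assumption, e.g. `/* NixOS: setuid VM binaries are reached through the wrappers directory; it must be root-owned and not writable by others */`. The status returned by `RTStrCopy` is discarded; the constant fits in `RTPATH_MAX`, but wrapping the call's result in `AssertRC` would keep that assumption checked. i_launchVMProcess starts and continues outside the hunk.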