[vbox-dev] Access to vboxdrv

Frank Mehnert Frank.Mehnert at Sun.COM
Mon Sep 7 02:22:28 PDT 2009


On Monday 07 September 2009, Lubomir Rintel wrote:
> After RPM that targets Fedora 12 gained support for filesystem
> capabilities, we've stripped off the setuid bit from VirtualBox-OSE in
> development branch of RPM Fusion (repository that contains packages of
> VirtualBox-OSE for Fedora). As it no longer starts with root privileges,
> hardening is meaningless so we disabled it.

Please can you elaborate a bit more? How do filesystem capabilities
help here?

> In order to be possible for ordinary user to run guest machines, I
> chmodded it to 666 mode for now. Given I don't really know what does
> access to vboxdrv grant to the use I'm not really sure if I didn't just
> create a security hole. Could anyone please provide an opinion on this?

The /dev/vboxdrv device can be used to load custom code into the host
kernel. Hardening is used to ensure that only known binaries are able
to access to this device. The hardened stubs first check for several
permissions and check if every binary is in place. After these checks
are done, the device is opened and the root privileges are dropped.
Finally, the real VBox application is loaded and the open file descriptor
is inherited.

Kind regards,

Dr.-Ing. Frank Mehnert    Sun Microsystems, Inc.    www.sun.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url : http://www.virtualbox.org/pipermail/vbox-dev/attachments/20090907/6c080e11/attachment-0001.bin 

More information about the vbox-dev mailing list