[vbox-dev] Hardening levels in VBox OSE?

Frank Mehnert Frank.Mehnert at Sun.COM
Tue Mar 23 05:44:19 PDT 2010


On Tuesday 23 March 2010, Angel Tsankov wrote:
> Frank Mehnert wrote:
> > On Tuesday 23 March 2010, Angel Tsankov wrote:
> >> Frank Mehnert wrote:
> >>> On Tuesday 23 March 2010, Angel Tsankov wrote:
> >>>> Is there any way to disable the root ownership and group/other
> >>>> writability checks on directories in VBox OSE?
> >>>
> >>> ./configure --disable-hardening
> >>>
> >>> ?
> >>
> >> How about some way that does not disable hardening at all?
> >
> > If hardenening is enabled the binaries must be suid root to be
> > able to access the kernel driver. All these checks ensure the
> > integrity of the VirtualBox installation. Either hardening is
> > enabled (which is strongly recommended) or it is disabled (usually
> > for development only). There is no 'weak' hardening.
>
> I guess it will be much easier if I just explain what I want to achieve
> so that you can tell me how to do it, if it is at all possible.
>
> So, I'd like to install VBox OSE in the standard directories, i.e.
> binaries in /usr/bin/, shared libraries below /usr/lib/, docs below
> /usr/share/doc/, etc. I also want all standard directories to be group
> writable.  This is not possible with a hardened build, is it?

Well, to use different standard locations for the binaries have a look
at

  debian/LocalConfig.kmk

There we set some config variables (VBOX_PATH_APP_PRIVATE_ARCH,
VBOX_PATH_SHARED_LIBS, ...) to change the installation pathes of the
binaries/libs. Of course you have to copy the binaries yourself there.

The other stuff is programmed in

  src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp

around line 356. Actually I don't know why the directory should be
writable for the group but anyway, you can directly change the code.

Kind regards,

Frank
-- 
Dr.-Ing. Frank Mehnert

Sitz der Gesellschaft:
Sun Microsystems GmbH, Sonnenallee 1, 85551 Kirchheim-Heimstetten
Amtsgericht München: HRB 161028
Geschäftsführer: Thomas Schröder
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url : http://www.virtualbox.org/pipermail/vbox-dev/attachments/20100323/e4c1c1f2/attachment-0001.bin 


More information about the vbox-dev mailing list