# NixOS module: VirtualBox host support.
#
# Loads the kernel modules, exposes the driver device nodes through udev,
# installs setuid wrappers for the front-ends when hardening is enabled, and
# (optionally) brings up a vboxnet0 host-only interface as a system service.
{ config, lib, pkgs, ... }:

with lib;

let
  # This module's own option tree.
  cfg = config.virtualisation.virtualbox.host;
  # VirtualBox built against the configured kernel, with the hardening flag
  # passed straight through to the package.
  virtualbox = config.boot.kernelPackages.virtualbox.override {
    inherit (cfg) enableHardening;
  };

in

{
  options.virtualisation.virtualbox.host = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable VirtualBox.

        <note><para>
        In order to pass USB devices from the host to the guests, the user
        needs to be in the <literal>vboxusers</literal> group.
        </para></note>
      '';
    };

    # Gates the vboxnet0 service and its address configuration in `config`.
    addNetworkInterface = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Automatically set up a vboxnet0 host-only network interface.
      '';
    };

    # The hardened build is the default; the description spells out what
    # turning it off means for members of the vboxusers group.
    enableHardening = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Enable hardened VirtualBox, which ensures that only the binaries in the
        system path get access to the devices exposed by the kernel modules
        instead of all users in the vboxusers group.

        <important><para>
        Disabling this can put your system's security at risk, as local users
        in the vboxusers group can tamper with the VirtualBox device files.
        </para></important>
      '';
    };
  };

  config = mkIf cfg.enable (mkMerge [{
    # Core driver plus the two networking modules (host-only adapter and
    # bridged filter); all three are loaded at boot whenever the module is on.
    boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
    boot.extraModulePackages = [ virtualbox ];
    environment.systemPackages = [ virtualbox ];

    # Hardened mode: each listed front-end becomes a setuid-root wrapper owned
    # by root:vboxusers, sourced from the VirtualBox libexec directory.  Device
    # access then goes through these fixed binaries rather than through group
    # membership alone.  With hardening off no wrappers are created, and the
    # 0660 root:vboxusers udev rule on vboxdrv below is the only access control.
    security.setuidOwners = let
      # Build one setuidOwners entry for a VirtualBox front-end binary.
      mkSuid = program: {
        inherit program;
        source = "${virtualbox}/libexec/virtualbox/${program}";
        owner = "root";
        group = "vboxusers";
        setuid = true;
      };
    in mkIf cfg.enableHardening (map mkSuid [
      "VBoxHeadless"
      "VBoxNetAdpCtl"
      "VBoxNetDHCP"
      "VBoxNetNAT"
      "VBoxSDL"
      "VBoxVolInfo"
      "VirtualBox"
    ]);

    # Static gid from the ids table, so the group is stable across rebuilds and
    # the udev rules below can refer to it by name.
    users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;

    # Device node ownership and USB hot-plug hooks:
    #  - vboxdrv and vboxnetctl are root:vboxusers 0660, i.e. group membership
    #    gates access to the driver.
    #  - vboxdrvu is 0666.  NOTE(review): world-accessible on purpose as far as
    #    I can tell -- upstream's own udev rules treat this unprivileged device
    #    the same way -- confirm against the upstream rules before tightening.
    #  - The usb rules run VBoxCreateUSBNode.sh on add/remove to create and
    #    drop the nodes VirtualBox uses for USB pass-through.
    services.udev.extraRules =
      ''
        KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
        KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
        SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
      '';

  # Host-only network interface, created at boot by a system service.  The
  # original rationale was that user sessions lacked the setuid helper needed
  # to create one themselves (presumably VBoxNetAdpCtl, which is only installed
  # as a wrapper when hardening is on), so it is done here by default instead.
  } (mkIf cfg.addNetworkInterface {
    systemd.services."vboxnet0" =
      { description = "VirtualBox vboxnet0 Interface";
        # /dev/vboxnetctl has to exist before VBoxManage can talk to the driver.
        requires = [ "dev-vboxnetctl.device" ];
        after = [ "dev-vboxnetctl.device" ];
        # NOTE(review): pulled in with network.target and the vboxnet0 device
        # unit -- presumably so the address configuration below finds the
        # interface; confirm the ordering is what is intended.
        wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
        path = [ virtualbox ];
        serviceConfig.RemainAfterExit = true;
        serviceConfig.Type = "oneshot";
        # VBoxManage/VBoxSVC keep state and a log under VBOX_USER_HOME.  With
        # PrivateTmp that directory is the service's private /tmp, not the
        # shared one; the log read in `script` relies on this same path.
        serviceConfig.PrivateTmp = true;
        environment.VBOX_USER_HOME = "/tmp";
        # Creates the interface only when it is not already present, then dumps
        # the VBoxSVC log to stderr (the journal) so failures are diagnosable.
        # NOTE(review): NixOS runs `script` with errexit as far as I know, so
        # a missing log file would fail the unit -- confirm this is acceptable.
        script =
          ''
            if ! [ -e /sys/class/net/vboxnet0 ]; then
              VBoxManage hostonlyif create
              cat /tmp/VBoxSVC.log >&2
            fi
          '';
        # Tear the interface down again when the unit stops.
        postStop =
          ''
            VBoxManage hostonlyif remove vboxnet0
          '';
      };

    # Host-side address of the host-only network.
    networking.interfaces.vboxnet0.ip4 = [ { address = "192.168.56.1"; prefixLength = 24; } ];
    # Make sure NetworkManager won't assume this interface being up
    # means we have internet access.
    networking.networkmanager.unmanaged = ["vboxnet0"];
  })]);
}