Commit Graph

298 Commits

Author SHA1 Message Date
Thomas Strobel
732c303bb8 Update: Xen -> 4.4.1 2014-12-22 09:51:27 +01:00
Pascal Wittmann
f94580da69 Fix license attribute of many bsd-like licensed packages 2014-12-21 00:00:35 +01:00
aszlig
ac603e208c
virtualbox: Fix runtime paths in hardening mode.
Because we have to rely on setuid wrappers on NixOS, we can't easily
hardcode the executable paths and set it 4755. So for all calls, we need
to change the runtime path executable directory to /var/setuid-wrappers/
and for verification we need to retain the executable directory.

Also note, that usually VBoxNetAdpCtl, VBoxNetDHCP, VBoxNetNAT, VBoxSDL
and VBoxVolInfo don't reside in directories that are commonly in PATH,
but in /usr/lib/virtualbox in most mainstream distros. But because the
names of these executables are distinctive enough to not cause
collisions with other setuid programs, I'll leave it like that and not
patch up setuid-wrappers.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 14:06:13 +01:00
aszlig
b69ac6c159
virtualbox: Allow to easily change the build type.
Not really changes anything in functionality, but makes it easier to
change the build type to "debug", for example.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 14:06:12 +01:00
aszlig
14ef3446e1
virtualbox: Fix hardcoded /sbin/ifconfig path.
Just accidentally found this while debugging and it's needed for
fetching a few interface details, not sure however whether because of
this anything has been broken so far.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 14:06:12 +01:00
aszlig
5a8c5d2768
virtualbox: Explicitly excempt src during install.
Instead of coping it to $out and later deleting it, we now exclude the
src directory during copy. Also, we no longer cd into the release
directory during installPhase, which should make sure that we are
constantly in $sourceRoot.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-18 14:06:12 +01:00
Rob Vermaas
90c3dc79c5 docker: update from 1.3.1 to 1.3.3, potentially fixes CVE-2014-6407, CVE-2014-6408 2014-12-17 15:47:56 +01:00
Bjørn Forsman
a2bb84a936 virt-viewer: fix missing schema error
Fixes this error, as seen when trying to open a guest VM when
virt-viewer is accessed over ssh with X forwarding:

  GLib-GIO-ERROR **: Settings schema 'org.gnome.system.proxy' is not installed

A similar issue was fixed for virt-manager in commit
fb8a2b3be7 ("virt-manager: fix missing
schema error")
2014-12-16 14:07:02 +01:00
aszlig
eb561f0798
virtualbox: Fix extension pack without hardening.
We divert to the $out/share/virtualbox directory only if we have
hardening enabled, so let's put the extension pack into
$out/libexec/virtualbox instead if we're compiling without hardening.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-16 11:24:55 +01:00
Bjørn Forsman
477bc03568 virt-viewer: fix SPICE support
* Add missing dependency on 'spice_protocol'

* Fix new build error which came now that ./configure enables SPICE support:

  building virt-viewer
    CCLD     virt-viewer
  /nix/store/b8qhjrwf8sf9ggkjxqqav7f1m6w83bh0-binutils-2.23.1/bin/ld: cannot find -lgdbm
  /nix/store/b8qhjrwf8sf9ggkjxqqav7f1m6w83bh0-binutils-2.23.1/bin/ld: cannot find -lcap
  collect2: error: ld returned 1 exit status

  Fix by adding gddbm and libcap as inputs. Yes, libcap is needed
  _in addition_ to libcap_ng (I tested removing libcap_ng, it failed).

Without this change, virt-viewer cannot be used with guests machines
that uses SPICE.
2014-12-16 10:48:40 +01:00
Eelco Dolstra
d9ce3ae57f virtualbox: Get tid of runtime dependency on linux.dev 2014-12-15 17:54:06 +01:00
aszlig
a199eedfce
virtualbox package: Disable hardening by default.
Yes, this is only on the package level, so it's possible to use
VirtualBox for example installed by nix-env -i, which of course doesn't
have access to the functionality provided by the various VirtualBox
kernel modules.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-15 17:52:18 +01:00
Michael Raskin
a199693cab Update/Fix OVMF 2014-12-11 08:46:13 +03:00
aszlig
2b58a6ab0d
virtualbox: Fix extension pack installation.
With hardening, we need to go a bit further rather than just allowing
/nix/store being world-writable. We now use fakeroot to make sure the
VBoxExtPackHelperApp won't moan that the files are not owned by root.

They are, but only outside of the chrooted build process.

Another issue with using fakeroot is that it doesn't seem to cope well
with arguments that contain spaces. That's why I've piped the call into
${stdenv.shell}.

Now, the really gory and confusing part is the introduction of
VBOX_PATH_APP_PRIVATE_ARCH_TOP and the change of VBOX_PATH_APP_PRIVATE.

The VBOX_PATH_APP_PRIVATE_ARCH is *only* for modules and is checked by
the hardened implementation against whether things like VMMR0.r0 or
VBoxVMM.so reside in that directory. As a side note: I admit that the
whole libexec directory is quite polluted with stuff that shouldn't be
there, but for now we've broken enough things and will tear apart the
whole structure at some day in the future[TM].

For the confusing part we have VBOX_PATH_APP_PRIVATE_ARCH_TOP, which
_should_ be the same as VBOX_PATH_APP_PRIVATE_ARCH but unfortunately,
the hardened implementation is checking against this directory (in
IsValidBaseDir) for the extension pack(why!?).

Of course, we could put even that into the libexec directory, somewhat
similar as the official package, but after all, let's at least *try* to
separate things.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-01 03:32:55 +01:00
aszlig
318fbb34e7
virtualbox: Allow /nix/store being world-writable.
We are already checking whether /nix/store has the sticky bit set, so if
it is world-writable as well it doesn't mean that the actual store path
is writable. Let alone the fact that it is only writable during the
build process.

This should fix installing the extension pack when enableExtensionPack
is used.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-30 18:23:19 +01:00
aszlig
017e6b72c1
virtualbox: Update to upstream version 4.3.20.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-30 06:25:50 +01:00
aszlig
3e49487c1a
virtualbox: Enable hardening by default.
VirtualBox with hardening support requires the main binaries to be
setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are
pointing to the libexec directory and we also need to unset
VBOX_WITH_ORIGIN to make sure that the build system is actually setting
those RPATHs.

The hardened.patch implements two things:

 * Set the binary directory to the setuid-wrappers dir so that
   VboxSVC calls them instead of the binaries from the store path. The
   reason behind this is because nothing in the Nix store can have the
   setuid flag.
 * Excempt /nix/store from the group permission check, because while it
   is group-writeable indeed it also has the sticky bit set (and also
   the whole store is mounted read-only on most NixOS systems), so we're
   checking on that as well.

Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers
directly, so someone would ever want to change those on a NixOS system,
please provide a patch to set those paths on build time. However, for
simplicity, it's best to do it when we _really_ need it.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 19:21:46 +01:00
aszlig
deec767efa
virtualbox: Disable depmod only where necessary.
Traversing the full source tree is unneccessary, because the calls are
only done within make files. Hence we only substitute make files now.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 19:21:46 +01:00
Rob Vermaas
f54c852a36 docker: update from 1.3.0 to 1.3.1, potentially fixes CVE-2014-5277 2014-11-18 16:06:36 +01:00
AndersonTorres
c7d83e5ee0 Bochs: upgrade to 2.6.7
Now, with SDL2 upgrade!
2014-11-18 10:53:40 -02:00
Jonathan Rudenberg
29d708176c virtualbox: 4.3.16 -> 4.3.18 2014-11-03 21:47:59 +01:00
Michael Raskin
830af476eb Update virtviewer 2014-11-03 16:54:38 +03:00
Corey O'Connor
48dc0eacb8 add pulseaudio to virtualbox 2014-10-22 20:56:25 +02:00
Paul Colomiets
f86967ac8a docker: upgrade to 1.3.0 2014-10-17 23:20:09 +03:00
Bjørn Forsman
fb8a2b3be7 virt-manager: fix missing schema error
The dependency on gsettings_desktop_schemas wasn't specified correctly.
Now it works.

Fixes this error, as seen when trying to open a guest VM when
virt-manager is accessed over ssh with X forwarding:

  GLib-GIO-ERROR **: Settings schema 'org.gnome.system.proxy' is not installed
2014-10-03 16:09:03 +02:00
Domen Kožar
58b6c4fce9 xen: note about security for next bump 2014-10-02 10:23:09 +02:00
AndersonTorres
59418454e6 Bochs: adding configurable options
Now, Bochs expression has a bunch of configurable options!

Unhappily, it is a big and complex project, and some configure options
are in constant clash. But the set created for now is very usable and
stable.

Closes #4366
2014-10-02 06:48:50 +01:00
ambrop7@gmail.com
f8738a6d09 Update VirtualBox to 4.3.16. 2014-09-18 23:43:11 +02:00
ambrop7@gmail.com
2f79a85767 VirtualBox: Fix ALSA audio.
Use a sed replacement to ensure that dynamic loading of libasound works.
2014-09-14 11:28:34 +02:00
Pascal Wittmann
8d67b9a240 transformed meta.maintainers of some packages into lists 2014-09-13 13:52:02 +02:00
AndersonTorres
b39e5ce957 Small style fixups
In this commit, I modified some files, conforming them to a
idiosyncratic standard - mainly, a template for meta attribs.
2014-09-10 21:34:50 -03:00
Vladimír Čunát
06fea81c6e Merge recent master into staging
Hydra: ?compare=1150594
2014-09-06 16:52:45 +02:00
Jaka Hudoklin
0c398f6040 docker: add xz to PATH, make importing from archives work 2014-09-04 01:30:59 +02:00
Jaka Hudoklin
e5194e5aea docker: fix docker not finding dockerinit 2014-09-03 18:24:51 +02:00
Vladimír Čunát
e51f73652d Merge recent master into staging
Hydra: ?compare=1149952

Conflicts:
	nixos/doc/manual/configuration.xml (changed split file)
	nixos/modules/config/users-groups.nix (choosing filterNull instead of inline definition)
	pkgs/development/libraries/readline/readline6.3.nix (auto-solved)
2014-08-30 10:04:02 +02:00
Aristid Breitkreuz
a2eb68a6dc update virtualbox to 4.3.14 2014-08-28 21:27:08 +02:00
Aristid Breitkreuz
10a3369c99 virtinst: fix name resolution ambiguity breaking the runnability 2014-08-27 21:24:13 +02:00
Domen Kožar
d52d71a04b pythonPackages.boto_1_9: remove 2014-08-27 13:26:00 +02:00
Jaka Hudoklin
88391a5c65 docker: update to 1.2.0 2014-08-24 17:30:50 +02:00
Michael Raskin
ff4c6f39da Merge pull request #3671 from madjar/master
Added e2fsprogs to docker dependencies.
2014-08-23 13:08:07 +04:00
Michael Raskin
2991b5a2f3 Merge pull request #3529 from AndersonTorres/bochs
Bochs: update to version 2.6.6
2014-08-23 12:48:05 +04:00
AndersonTorres
6a78135865 Bochs: update to version 2.6.6 2014-08-21 07:08:09 -03:00
Georges Dubus
a82e9e4b5c Added e2fsprogs to docker dependencies.
Otherwise, it complains about mkfs.ext4 not being present at service
start (and stops).
2014-08-19 11:00:46 +02:00
Luca Bruno
36bef2b267 gobject-introspection: refer to shlibs with absolute paths in typelibs
After this, LD_LIBRARY_PATH should not be required anymore.
The patch has been applied only for .la files, so there may
be some other cases missing.
2014-08-14 23:16:51 +02:00
Russell O'Connor
a431a96df9 Allow QEMU to fallback to full simulation if /dev/kvm is not available. 2014-08-13 23:26:26 +02:00
Eelco Dolstra
8a7f3c3618 Mark a bunch of packages as broken or not supported on Darwin 2014-08-08 17:59:02 +02:00
Rob Vermaas
64561b437d Remove broken flag for xen, build with gcc45. 2014-08-01 17:18:27 +02:00
Paul Colomiets
9bc1676e5a Upgrade docker to 1.1.2 and add docker module
This version of module has disabled socketActivation, because until
nixos upgrade systemd to at least 214, systemd does not support
SocketGroup. So socket is created with "root" group when
socketActivation enabled. Should be fixed as soon as systemd upgraded.

Includes changes from #3015 and supersedes #3028
2014-07-28 21:45:49 +02:00
Mateusz Kowalczyk
7a45996233 Turn some license strings into lib.licenses values 2014-07-28 11:31:14 +02:00
Austin Seipp
de96d25294 qemu: 1.7.1 -> 2.0.0
The patch for CVE-2014-0150 is still required.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-18 15:52:44 -05:00