Commit graph

286 commits

Author SHA1 Message Date
Michael Raskin
a199693cab Update/Fix OVMF 2014-12-11 08:46:13 +03:00
aszlig
2b58a6ab0d
virtualbox: Fix extension pack installation.
With hardening, we need to go a bit further rather than just allowing
/nix/store being world-writable. We now use fakeroot to make sure the
VBoxExtPackHelperApp won't moan that the files are not owned by root.

They are, but only outside of the chrooted build process.

Another issue with using fakeroot is that it doesn't seem to cope well
with arguments that contain spaces. That's why I've piped the call into
${stdenv.shell}.

Now, the really gory and confusing part is the introduction of
VBOX_PATH_APP_PRIVATE_ARCH_TOP and the change of VBOX_PATH_APP_PRIVATE.

The VBOX_PATH_APP_PRIVATE_ARCH is *only* for modules and is checked by
the hardened implementation against whether things like VMMR0.r0 or
VBoxVMM.so reside in that directory. As a side note: I admit that the
whole libexec directory is quite polluted with stuff that shouldn't be
there, but for now we've broken enough things and will tear apart the
whole structure at some day in the future[TM].

For the confusing part we have VBOX_PATH_APP_PRIVATE_ARCH_TOP, which
_should_ be the same as VBOX_PATH_APP_PRIVATE_ARCH but unfortunately,
the hardened implementation is checking against this directory (in
IsValidBaseDir) for the extension pack(why!?).

Of course, we could put even that into the libexec directory, somewhat
similar as the official package, but after all, let's at least *try* to
separate things.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-12-01 03:32:55 +01:00
aszlig
318fbb34e7
virtualbox: Allow /nix/store being world-writable.
We are already checking whether /nix/store has the sticky bit set, so if
it is world-writable as well it doesn't mean that the actual store path
is writable. Let alone the fact that it is only writable during the
build process.

This should fix installing the extension pack when enableExtensionPack
is used.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-30 18:23:19 +01:00
aszlig
017e6b72c1
virtualbox: Update to upstream version 4.3.20.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-30 06:25:50 +01:00
aszlig
3e49487c1a
virtualbox: Enable hardening by default.
VirtualBox with hardening support requires the main binaries to be
setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are
pointing to the libexec directory and we also need to unset
VBOX_WITH_ORIGIN to make sure that the build system is actually setting
those RPATHs.

The hardened.patch implements two things:

 * Set the binary directory to the setuid-wrappers dir so that
   VboxSVC calls them instead of the binaries from the store path. The
   reason behind this is because nothing in the Nix store can have the
   setuid flag.
 * Excempt /nix/store from the group permission check, because while it
   is group-writeable indeed it also has the sticky bit set (and also
   the whole store is mounted read-only on most NixOS systems), so we're
   checking on that as well.

Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers
directly, so someone would ever want to change those on a NixOS system,
please provide a patch to set those paths on build time. However, for
simplicity, it's best to do it when we _really_ need it.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 19:21:46 +01:00
aszlig
deec767efa
virtualbox: Disable depmod only where necessary.
Traversing the full source tree is unneccessary, because the calls are
only done within make files. Hence we only substitute make files now.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-29 19:21:46 +01:00
Rob Vermaas
f54c852a36 docker: update from 1.3.0 to 1.3.1, potentially fixes CVE-2014-5277 2014-11-18 16:06:36 +01:00
AndersonTorres
c7d83e5ee0 Bochs: upgrade to 2.6.7
Now, with SDL2 upgrade!
2014-11-18 10:53:40 -02:00
Jonathan Rudenberg
29d708176c virtualbox: 4.3.16 -> 4.3.18 2014-11-03 21:47:59 +01:00
Michael Raskin
830af476eb Update virtviewer 2014-11-03 16:54:38 +03:00
Corey O'Connor
48dc0eacb8 add pulseaudio to virtualbox 2014-10-22 20:56:25 +02:00
Paul Colomiets
f86967ac8a docker: upgrade to 1.3.0 2014-10-17 23:20:09 +03:00
Bjørn Forsman
fb8a2b3be7 virt-manager: fix missing schema error
The dependency on gsettings_desktop_schemas wasn't specified correctly.
Now it works.

Fixes this error, as seen when trying to open a guest VM when
virt-manager is accessed over ssh with X forwarding:

  GLib-GIO-ERROR **: Settings schema 'org.gnome.system.proxy' is not installed
2014-10-03 16:09:03 +02:00
Domen Kožar
58b6c4fce9 xen: note about security for next bump 2014-10-02 10:23:09 +02:00
AndersonTorres
59418454e6 Bochs: adding configurable options
Now, Bochs expression has a bunch of configurable options!

Unhappily, it is a big and complex project, and some configure options
are in constant clash. But the set created for now is very usable and
stable.

Closes #4366
2014-10-02 06:48:50 +01:00
ambrop7@gmail.com
f8738a6d09 Update VirtualBox to 4.3.16. 2014-09-18 23:43:11 +02:00
ambrop7@gmail.com
2f79a85767 VirtualBox: Fix ALSA audio.
Use a sed replacement to ensure that dynamic loading of libasound works.
2014-09-14 11:28:34 +02:00
Pascal Wittmann
8d67b9a240 transformed meta.maintainers of some packages into lists 2014-09-13 13:52:02 +02:00
AndersonTorres
b39e5ce957 Small style fixups
In this commit, I modified some files, conforming them to a
idiosyncratic standard - mainly, a template for meta attribs.
2014-09-10 21:34:50 -03:00
Vladimír Čunát
06fea81c6e Merge recent master into staging
Hydra: ?compare=1150594
2014-09-06 16:52:45 +02:00
Jaka Hudoklin
0c398f6040 docker: add xz to PATH, make importing from archives work 2014-09-04 01:30:59 +02:00
Jaka Hudoklin
e5194e5aea docker: fix docker not finding dockerinit 2014-09-03 18:24:51 +02:00
Vladimír Čunát
e51f73652d Merge recent master into staging
Hydra: ?compare=1149952

Conflicts:
	nixos/doc/manual/configuration.xml (changed split file)
	nixos/modules/config/users-groups.nix (choosing filterNull instead of inline definition)
	pkgs/development/libraries/readline/readline6.3.nix (auto-solved)
2014-08-30 10:04:02 +02:00
Aristid Breitkreuz
a2eb68a6dc update virtualbox to 4.3.14 2014-08-28 21:27:08 +02:00
Aristid Breitkreuz
10a3369c99 virtinst: fix name resolution ambiguity breaking the runnability 2014-08-27 21:24:13 +02:00
Domen Kožar
d52d71a04b pythonPackages.boto_1_9: remove 2014-08-27 13:26:00 +02:00
Jaka Hudoklin
88391a5c65 docker: update to 1.2.0 2014-08-24 17:30:50 +02:00
Michael Raskin
ff4c6f39da Merge pull request #3671 from madjar/master
Added e2fsprogs to docker dependencies.
2014-08-23 13:08:07 +04:00
Michael Raskin
2991b5a2f3 Merge pull request #3529 from AndersonTorres/bochs
Bochs: update to version 2.6.6
2014-08-23 12:48:05 +04:00
AndersonTorres
6a78135865 Bochs: update to version 2.6.6 2014-08-21 07:08:09 -03:00
Georges Dubus
a82e9e4b5c Added e2fsprogs to docker dependencies.
Otherwise, it complains about mkfs.ext4 not being present at service
start (and stops).
2014-08-19 11:00:46 +02:00
Luca Bruno
36bef2b267 gobject-introspection: refer to shlibs with absolute paths in typelibs
After this, LD_LIBRARY_PATH should not be required anymore.
The patch has been applied only for .la files, so there may
be some other cases missing.
2014-08-14 23:16:51 +02:00
Russell O'Connor
a431a96df9 Allow QEMU to fallback to full simulation if /dev/kvm is not available. 2014-08-13 23:26:26 +02:00
Eelco Dolstra
8a7f3c3618 Mark a bunch of packages as broken or not supported on Darwin 2014-08-08 17:59:02 +02:00
Rob Vermaas
64561b437d Remove broken flag for xen, build with gcc45. 2014-08-01 17:18:27 +02:00
Paul Colomiets
9bc1676e5a Upgrade docker to 1.1.2 and add docker module
This version of module has disabled socketActivation, because until
nixos upgrade systemd to at least 214, systemd does not support
SocketGroup. So socket is created with "root" group when
socketActivation enabled. Should be fixed as soon as systemd upgraded.

Includes changes from #3015 and supersedes #3028
2014-07-28 21:45:49 +02:00
Mateusz Kowalczyk
7a45996233 Turn some license strings into lib.licenses values 2014-07-28 11:31:14 +02:00
Austin Seipp
de96d25294 qemu: 1.7.1 -> 2.0.0
The patch for CVE-2014-0150 is still required.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-18 15:52:44 -05:00
Benno Fünfstück
8b6300822b virtualbox: update 4.3.10 -> 4.3.12
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-18 08:33:25 -05:00
Austin Seipp
aae821493d Revert "virtualbox: update 4.3.10 -> 4.3.12"
This reverts commit a0ae412a10.

It snuck by me in #2677. I'll test it more first.
2014-05-17 16:45:58 -05:00
Benno Fünfstück
a0ae412a10 virtualbox: update 4.3.10 -> 4.3.12 2014-05-17 12:28:33 +02:00
AndersonTorres
2e950bd72e 8086tiny: update to 1.25
Locally build BIOS support
2014-05-14 22:40:09 +02:00
Benjamin Podszun
2ce5162252 Bump virt-viewer to 0.6.0, from the 2009 version 2014-05-14 22:24:01 +02:00
cillianderoiste
7adc00b8bc Merge pull request #2484 from chexxor/feature/bump-docker-0.10.0
Bump docker version to 0.10.0
2014-05-11 10:33:43 +02:00
Bjørn Forsman
cb7c920e24 virt-manager: add missing gsettings schema
Without this it'll complain and abort when clicking "Take Screenshot" or
"Browse Local" when creating a new VM and looking for an CD-ROM image to boot
from:

GLib-GIO-ERROR **: Settings schema 'org.gtk.Settings.FileChooser' is not installed
2014-05-11 01:03:27 +02:00
Alex Berg
47090c9bdc Bump docker version to 0.10.0. 2014-05-03 17:03:33 +02:00
Eelco Dolstra
39faed1f2f qemu: Apply patch for CVE-2014-0150, CVE-2014-2894 2014-04-28 14:37:46 +02:00
Eelco Dolstra
0af5d11a6f qemu-image: Remove (obsolete) 2014-04-28 14:34:34 +02:00
Eelco Dolstra
f2cb4def59 qemu: Update to 1.7.1 2014-04-17 15:54:42 +02:00
Alex Berg
7dff8a8aaf Bump Docker to v0.9.1. Tested pulling, committing, pushing.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-07 15:08:07 -05:00