VirtualBox/setuid binaries

Michael Thayer michael.thayer at oracle.com
Thu Nov 15 14:32:14 UTC 2018


15.11.18 13:50, Alexander Larsson wrote:
> On Thu, Nov 15, 2018 at 1:12 PM Michael Thayer
> <michael.thayer at oracle.com> wrote:
>>
>> I have been following Flatpak for some time, given that we (VirtualBox)
>> maintain about twenty different builds for different Linux
>> distributions.  Obviously Flatpak could potentially solve quite a big
>> problem for us, but there is a big catch: the main binaries in
>> VirtualBox run setuid root, and that is not something which is going to
>> change in the near future.  So the question: could you conceive adding
>> an option to allow setuid root in a Flatpak?[...]
> In other words, the second you allow a flatpak sandbox to run a setuid
> program you can use it to exploit the host system by shipping its own
> /etc/sudoers and spawning the host sudo. So, just enabling setuid is
> not going to fly.
> 
> Maybe there is some workaround though. What exactly is it you need to
> be root permissions to do?

Thank you all for the replies.  Since the main question in all cases was
the one above I will answer that once.  The main reason is that we provide
our own hypervisor in a kernel module.  Why not use KVM?  We support
four different host platforms officially and a couple more unofficially,
so our hypervisor interface is cross-platform.  (And it is older than
KVM, or at least than KVM has been in the Linux kernel.)  We do not have
plans to put it into the Linux kernel (nor the kernel developers,
especially Greg, to accept it) as we are continuously developing it, the
interface changes in lock-step with VirtualBox versions and our small
team really do not need the extra work of co-ordinating with a version
in the Linux kernel (presumably different versions in each kernel
version).  As an added security layer we only let root processes open
the hypervisor device, rather than giving a group access to it.  Our
main virtual machine process starts setuid root, opens the device and
possibly (would have to check) does a couple of other things like
opening a raw socket for ICMP, then drops privileges.  And Bastian, no,
Hans has been putting our guest drivers into the kernel tree.  Robert,
thank you, I will certainly look at that, but of course I prefer to find
a solution which will make people happier.

Thanks all again.
Regards
Michael
-- 
Michael Thayer | VirtualBox engineer
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | D-71384 Weinstadt

ORACLE Deutschland B.V. & Co. KG
Headquarters: Riesstraße 25, D-80992 München
Court of registration: Amtsgericht München, HRA 95603

General partner: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
Commercial register of the Midden-Nederland Chamber of Commerce, No. 30143697
Managing directors: Alexander van der Ven, Jan Schultheiss, Val Maher
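The sequence Michael describes (start setuid root, open the privileged resources, then drop privileges), as an added C example that is not VirtualBox code: the raw ICMP socket from the mail stands in for the privileged resource (the hypervisor device path is not on the page and is left out), and the drop switches to the invoking user's ids in the order that works from euid 0 and then verifies that root cannot be regained.

```c
/* Added example, not VirtualBox code: open what needs root first, then
 * drop privileges permanently and verify the drop. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Needs root (CAP_NET_RAW), so it must run before the drop. fd or -1. */
int open_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Drop to uid/gid for good. In a setuid-root process the real ids are the
 * invoking user's, so the caller passes getuid()/getgid(). Returns 0 on
 * success, -1 with errno set on failure; callers must treat -1 as fatal. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still root; a process
     * that was never root has nothing to clear and may not call this. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once euid is no longer 0, setgid() would fail.
     * From euid 0 both calls set real, effective and saved ids, so no
     * saved root id remains to switch back to. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Check the result rather than trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* Regaining root must now fail (the check is meaningless for uid 0). */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    int fd = open_icmp_socket();          /* only works while privileged */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("icmp socket %s; running as uid %d\n",
           fd >= 0 ? "opened" : "unavailable", (int)getuid());
    return 0;
}
```

Run unprivileged, the socket open fails and the drop is a no-op that still passes its own checks; installed setuid root it keeps the socket and ends up with all three uids equal to the invoking user's.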