[Bug 285] Review Request: VirtualBox-OSE - A general-purpose full virtualizer for PC hardware

RPM Fusion Bugzilla noreply at rpmfusion.org
Sun Apr 12 18:35:34 CEST 2009


http://bugzilla.rpmfusion.org/show_bug.cgi?id=285





--- Comment #21 from Lubomir Rintel <lkundrak at v3.sk>  2009-04-12 18:35:33 ---
(In reply to comment #19)
> > 26 rpath issues (you'll need to check kbuild files)
> 
> I was under impression rpaths are used here (and we are not having only the
> standard rpaths), but I'll check and see what can be done.

/usr/lib/virtualbox/VirtualBox.so uses RPATH to locate other .so-s in
/usr/lib/virtualbox. I'm not going to remove those.

> > 03 setuid on binaries (easy fix)
> 
> This was upstream decision and I'd be careful to change that. On the other
> hand, having the beast completely setuid really doesn't sound much sane to me.
> What would you do with that? Use consolehelper? (well, you see, PolicyKit is
> probably not going to happen ;)
> 
> > VirtualBox-OSE-devel-2.1.4-2.fc11.i586 :
> > -----------------------------------------
> > 17 executable scripts issues (easy fix)
> 
> Will take a look.

Fixed.

> > VirtualBox-OSE-guest-2.1.4-2.fc11.i586 :
> > -----------------------------------------
> > 04 unstripped binary (easy fix)
> 
> See above.
> 
> > 02 executable files in modules sub-dir /etc/sysconfig/modules
> 
> This makes sense to be executable, no?
> 

Yes, other files there are executable as well.

> > Package tree and dependencies :
> > ------------------------------------
> > Currently -guest and main packages provide the same virtual (-kmod-common's)
> > which's harmless at first sight but, imply to install main package even on the
> > guest system.
> > As kmod package requires -kmod-common, that's sound fair enough as kmod package
> > is shipped with both main vboxdrv and Guest drivers.
> > The current state is when trying to install -guest, it's looking for kmod
> > package which's looking for -kmod-common which pull down main package and
> > -guest's.
> 
> This sounds like a yum (a bug?) glitch to me. I would not expect such behavior,
> will need to check.
> 
> > Also note that udev's rule (kmod common file) which's required by vboxdrv is
> > shipped by main package.
> 
> And only main package makes use of vboxdrv. Makes sense to me.
> 
> > Actually, the easiest way to avoid a such thing is to build a
> > kmod-VirtualBox-OSE and kmod-VirtualBox-OSE-GuestAddition packages.
> > That will also avoid to install vboxdrv on guest which is useless.
> 
> Sounds like too much overhead to me and I'd prefer to avoid as much as I can.

So I tried that and I could not reproduce your problem:

[root at localhost vboxrepo]# yum install VirtualBox-OSE-guest
...
Installing:
 VirtualBox-OSE-guest                        i586   2.1.4-2.fc11   vbox   483 k
Installing for dependencies:
 kmod-VirtualBox-OSE                         i586   2.1.4-1.fc11   vbox   2.9 k
 kmod-VirtualBox-OSE-2.6.29.1-54.fc11.i586   i586   2.1.4-1.fc11   vbox   134 k

I'm not going to split the 134k package even more, hope you understand that :)

Given you haven't replied on the rest, I'm assuming you don't object. Also, new
version is out, but I'm not going to update the reviewed package since I've
already wasted too much time doing that four times without a single line of
feedback from you. I hope you understand that.

(In reply to comment #20)
> In reply to comment #19
> > 03 setuid on binaries (easy fix)
> 
> This was upstream decision and I'd be careful to change that. On the other
> hand, having the beast completely setuid really doesn't sound much sane to me.
> What would you do with that? Use consolehelper? (well, you see, PolicyKit is
> probably not going to happen ;)
> 
> File capabilities (man setcap) are afaik what should be used instead of suid
> binaries if possible.

Finally this. I did nothing here as well :)
I've prepared a spec file that would set capabilities on file and got this:

RPM build errors:
    File capability support not built in
    File capability support not built in
    File capability support not built in

What VirtualBox does with the setuid bit is dropping all the capabilities
besides raw network access for nat and icmp with "all-eip cap_net_raw+ep" and
then drops setuid. I believe filesystem capabilities would be nicer, but this
is not all that bad and I'd prefer to stick with it before our rpm gains
filesystem capabilities support. Not deviating from upstream is a strong
argument as well.

Sooooo... the new package (no big changes, everything explained though)

Main package:

SPEC: http://v3.sk/~lkundrak/SPECS/VirtualBox-OSE.spec
SRPM: http://v3.sk/~lkundrak/SRPMS/VirtualBox-OSE-2.1.4-3.fc11.src.rpm

Kernel module (stays the same):

SPEC: http://v3.sk/~lkundrak/SPECS/VirtualBox-OSE-kmod.spec
SRPM: http://v3.sk/~lkundrak/SRPMS/VirtualBox-OSE-kmod-2.1.4-1.fc11.src.rpm
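
A way for a reviewer to check the privilege drop described in this comment on a running process, as an added example that is not part of the original comment or of VirtualBox: it interprets the capability text "all-eip cap_net_raw+ep" and compares the result with the Uid and Cap* fields of /proc/<pid>/status. The capability table is a subset, the clause parser accepts one operator per clause, and both status samples are constructed.

```python
import re

# Capability bit numbers from <linux/capability.h>; a subset, enough for this check.
CAP_BITS = {"cap_chown": 0, "cap_dac_override": 1, "cap_setuid": 7,
            "cap_net_admin": 12, "cap_net_raw": 13, "cap_sys_admin": 21}

def parse_cap_text(text):
    """Apply cap_from_text-style clauses left to right (one operator per clause)."""
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        m = re.fullmatch(r"([a-z_,]+)([+=-])([eip]*)", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        names, op, flags = m.groups()
        caps = set(CAP_BITS) if names == "all" else set(names.split(","))
        if not caps <= set(CAP_BITS):
            raise ValueError(f"unknown capability in {clause!r}")
        if op == "=":                      # '=' first clears the caps from every set
            for s in sets.values():
                s -= caps
        for flag in flags:
            if op == "-":
                sets[flag] -= caps
            else:
                sets[flag] |= caps
    return sets

def decode_status(status_text):
    """Pull the effective uid and capability bit sets out of /proc/<pid>/status text."""
    out = {"euid": int(re.search(r"^Uid:\s+\d+\s+(\d+)", status_text, re.M).group(1))}
    for flag, field in (("e", "CapEff"), ("i", "CapInh"), ("p", "CapPrm")):
        mask = int(re.search(rf"^{field}:\s+([0-9a-f]+)", status_text, re.M).group(1), 16)
        out[flag] = {bit for bit in range(64) if mask >> bit & 1}
    return out

def check_process(status_text, policy="all-eip cap_net_raw+ep"):
    """Return findings for a process that should hold only what `policy` grants."""
    want = parse_cap_text(policy)
    got = decode_status(status_text)
    findings = ["effective uid is still 0"] if got["euid"] == 0 else []
    for flag in "eip":
        extra = got[flag] - {CAP_BITS[name] for name in want[flag]}
        if extra:
            findings.append(f"unexpected bits in {flag} set: {sorted(extra)}")
    return findings

# Constructed samples, not captured from a real VirtualBox process.
DROPPED = "Uid:\t1000\t1000\t1000\t1000\nCapInh:\t0000000000000000\nCapPrm:\t0000000000002000\nCapEff:\t0000000000002000\n"
STILL_ROOT = "Uid:\t1000\t0\t0\t0\nCapInh:\t0000000000000000\nCapPrm:\t0000000000003000\nCapEff:\t0000000000003000\n"
```

On a live system the same check takes the contents of /proc/<pid>/status for the process under review as `status_text`.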

