VirtualBox Clipboard sharing not working


Post by nelsooon » Wed Jan 11, 2017 11:09 am

Hi all,

Just in case someone needs the answer. In order to make Clipboard sharing work on VirtualBox with a guest running Linux (hardened 4.7.10 Gentoo in my case), the kernel needs to be compiled with:
GRKERNSEC_HIDESYM=n
GRKERNSEC_RANDSTRUCT=n

Those two are enabled by default.

Question/Request: is it possible to disable them (or avoid stripping symbols used by VirtualBox) when the user automatically configures grsec by selecting the VirtualBox profile?

Thank you,
Nelson
nelsooon
 
Posts: 4
Joined: Wed Jan 11, 2017 11:04 am

Re: VirtualBox Clipboard sharing not working

Post by spender » Thu Jan 12, 2017 6:46 pm

We can likely work around the RANDSTRUCT incompatibility. If you can modify scripts/gcc-plugins/randomize_layout.c to make this code:

Code:
#ifdef __DEBUG_PLUGIN
        fprintf(stderr, "Shuffling struct %s %p\n", (const char *)structname, type);
#ifdef __DEBUG_VERBOSE
        debug_tree((tree)type);
#endif
#endif


look like this:

Code:
fprintf(stderr, "Shuffling struct %s %p\n", (const char *)structname, type);


and give me the output of compiling the virtualbox module for the kernel, I can check the source to see what new struct we should exempt.

Thanks!
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
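
A way to condense the build output requested above into a list of shuffled structs per object file, as an added example that is not part of the original thread or of grsecurity. The "Shuffling struct" line format comes from the fprintf() quoted in the post; the kbuild "CC [M]" progress-line pattern, the function names and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Line format taken from the fprintf() in the post: "Shuffling struct %s %p".
SHUFFLE_RE = re.compile(r"^Shuffling struct (\S+) (\S+)\s*$")
# Assumed kbuild progress line, e.g. "  CC [M]  /path/to/file.o".
CC_RE = re.compile(r"^\s*CC(?: \[M\])?\s+(\S+\.o)\s*$")

# Constructed sample log (paths, struct names and pointers are made up).
SAMPLE_LOG = "\n".join([
    "  CC [M]  /build/example/first.o",
    "Shuffling struct cred 0x7f0000001000",
    "Shuffling struct file 0x7f0000002000",
    "Shuffling struct cred 0x7f0000001000",
    "  CC [M]  /build/example/second.o",
    "Shuffling struct file 0x7f0000003000",
    "  LD [M]  /build/example/example.o",
])

def structs_by_object(build_log):
    """Map each object file to the struct names shuffled while it compiled.

    Attribution assumes a serial build (make -j1); with parallel jobs the
    plugin's stderr lines interleave and cannot be tied to one object.
    """
    result = defaultdict(list)
    current = "<before first CC line>"
    for line in build_log.splitlines():
        m = CC_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SHUFFLE_RE.match(line)
        # Record each struct once per object, in first-seen order.
        if m and m.group(1) not in result[current]:
            result[current].append(m.group(1))
    return dict(result)

def all_structs(build_log):
    """Sorted, de-duplicated struct names across the whole build log."""
    names = set()
    for per_object in structs_by_object(build_log).values():
        names.update(per_object)
    return sorted(names)

if __name__ == "__main__":
    for obj, names in structs_by_object(SAMPLE_LOG).items():
        print(obj, ", ".join(names))
```
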

Re: VirtualBox Clipboard sharing not working

Post by nelsooon » Fri Jan 13, 2017 8:14 am

In order to compile virtualbox-modules-4.3.38 on Gentoo Linux + 4.7.10-hardened kernel, we need to patch VBoxNetAdp-linux.c like the following:
Code:
--- a/vboxnetadp/linux/VBoxNetAdp-linux.c   2016-10-08 21:52:24.983596056 +0100
+++ b/vboxnetadp/linux/VBoxNetAdp-linux.c   2016-10-08 21:55:12.171311337 +0100
@@ -134,8 +134,10 @@
     /* Update the stats. */
     pPriv->Stats.tx_packets++;
     pPriv->Stats.tx_bytes += pSkb->len;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 31)
     /* Update transmission time stamp. */
     pNetDev->trans_start = jiffies;
+#endif
     /* Nothing else to do, just free the sk_buff. */
     dev_kfree_skb(pSkb);
     return 0;
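
Review bot: the new #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 31) guard around pNetDev->trans_start = jiffies; has no comment explaining the 2.6.31 cutoff, so a reader cannot tell why the timestamp update is dropped on every later kernel rather than only on the one that fails to build. Add a one-line comment stating the reason, and confirm that this file already includes the header defining LINUX_VERSION_CODE and KERNEL_VERSION, since the hunk does not show one.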


After that, the compilation works fine, here is the (too long to paste) output: https://www.pastiebin.com/5878c44c68860

Thank you :)
Nelson

Re: VirtualBox Clipboard sharing not working

Post by spender » Fri Jan 13, 2017 9:12 am

I don't see anything in that list of randomized structs that would suggest an incompatibility with RANDSTRUCT. Also it doesn't make much sense that the clipboard sharing code would care about kernel internals as it's implemented entirely in userland as an X11 interaction. Can you tell me what the visible effects are re: clipboard sharing when RANDSTRUCT/HIDESYM are enabled? Have you tried all combinations of the two features?

-Brad

Re: VirtualBox Clipboard sharing not working

Post by nelsooon » Fri Jan 13, 2017 10:35 am

Yes, the only way to make it work is by disabling both kernel options, there are no other visible effects.

In Gentoo there are 2 possibilities to install VirtualBox Guest Additions:
- through a binary package provided as iso file that contains installable files (eg. /media/cdrom/VBoxLinuxAdditions.run)
- through app-emulation/virtualbox-guest-additions

The app-emulation/virtualbox-modules (the one compiled here) is only needed on the Host for making networking, ... working. I was mistaken compiling this, sorry.

By installing:
- /media/cdrom/VBoxLinuxAdditions.run => needs to disable both RANDSTRUCT/HIDESYM (all combinations tried)
- app-emulation/virtualbox-guest-additions => also needs to disable both RANDSTRUCT/HIDESYM (all combinations tried). Here is the compilation output: https://www.pastiebin.com/5878e365e5dcb

Thank you

Re: VirtualBox Clipboard sharing not working

Post by nelsooon » Fri Jan 20, 2017 5:50 am

Any news about the clipboard sharing?

I also noticed that file sharing through vboxsf doesn't work either.

Code:
# mount.vboxsf myshare /mnt/myfolder
mount.vboxsf: mounting failed with the error: Protocol error
# dmesg | tail -n 9
[112086.854122] VbglR0HGCMInternalCall: vbglR0HGCMInternalPreprocessCall failed. rc=-5
[112086.854146] VBoxGuestCommonIOCtl: HGCM_CALL: 64 Failed. rc=-5.
[112086.854329] sf_read_super_aux err=-71
[112086.854608] VbglR0HGCMInternalCall: vbglR0HGCMInternalPreprocessCall failed. rc=-5
[112086.854629] VBoxGuestCommonIOCtl: HGCM_CALL: 64 Failed. rc=-5.
[112086.854733] sf_read_super_aux err=-71
[112086.854836] VbglR0HGCMInternalCall: vbglR0HGCMInternalPreprocessCall failed. rc=-5
[112086.854855] VBoxGuestCommonIOCtl: HGCM_CALL: 64 Failed. rc=-5.
[112086.854903] sf_read_super_aux err=-71


The driver used for that is vboxsf.so (the "Shuffling" lines from compiling it are also visible in the pastebin from the previous post: https://www.pastiebin.com/5878e365e5dcb)

This time, disabling GRKERNSEC_HIDESYM and GRKERNSEC_RANDSTRUCT doesn't fix the problem. We must disable GRKERNSEC :)

Thank you