Skip to content
GitLab
Closed
Created by import-from-Redmine@import-from-Redmine

Virtualbox guest additions: enable by default the display management service

Originally created by Tails on #5730 (Redmine)

When running tails as a Virtualbox guest, the display management service is disabled by default. Thus the "auto-resize guest display" option in Virtualbox doesn’t work. It can be enabled by the following command:

sudo VBoxClient —display

This could be made default if there is no security risk involved.

/etc/X11/Xsession.d/98vboxadd-xclient already tries to start this service, but fails: Failed to connect to the VirtualBox kernel service in ~/.xsession-errors. Giving the default user read/write access to /dev/vboxuser allows her to run VBoxClient --display without being root.

The virtualbox-guest-dkms Debian package ships the udev rules that should fix these permissions, but we intentionally remove this package at build time after having built the modules.

One should change config/chroot_local-hooks/50-virtualbox to duplicate the udev rules file installed by virtualbox-guest-dkms.

I’m not convinced we want to do this. First, auto-resize guest display results in super weird resolutions that are essentially unique identifiers. The only application I’m aware of leaking the resolution is Iceweasel. Torbutton does stuff here which maybe is good enough (setting desktop resolution to window size rounded to multiples of 50, I believe). OTOH a VirtualBox host with guest additions installed has a pretty ok selection of resolutions, and user-set resolutions will be remembered and re-set by the guest additions. Isn’t that good enough?

Second, if we give the amnesia user permission to /dev/vboxuser it can also enable clipboard sharing at will. Of course, since the amnesia user is a passwordless sudoer it currently can do that any way, but when tails-greeter is released it won’t. Tthe default when creating a VirtualBox appliance is bi-directional clipboard sharing, and hence a compromised Tails session results in the Tails session always having access to the host’s clipboard. The user could of course disable clipboard sharing in the VirtualBox guest appliance settings when not needed, but I don’t expect users to think about this.

Conslusion: If we think auto-resizing is important and safe, we should enable it by default without giving the user access to /dev/vboxuser. I suppose we could also activate clipboard sharing, but only in the Tails -> host direction.

Until someone gives us convincing arguments for the above this bug is marked wontfix => .

Feature Branch: feature/5730-enable-virtualbox-guest-additions

Related issues

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information