[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Installing VirtualBox Guest Addition by Default?

We’ve been recommending against installing VirtualBox Guest Addition for a while now. It’s time to reconsider this.

Not having VirtualBox Guest Addition installed creates more confusion than gain. Without using guest additions shared folder feature, file transfer in and out VMs is really difficult. Users tend to use free online file sharing services to transfer their files form one VM to another or in/out the VM. While doing so, they might make mistakes during encryption of the file, because there are also no file/folder encryption tools with good usability. And even if such a tool would exist, after the Snowden revelations, we know that encrypted files are indefinitely stored, because perhaps the encryption can be cracked in (distant) future. Therefore users should be discouraged to upload their most private files. Also other issues such as with screen resolution or catching the mouse cursor might prevents users from using Whonix at all.

Why did we recommend against installing guest additions in the first place? There were some statement, that The VirtualBox Kernel Driver Is Tainted Crap. On the other hand, there are contradictory statements by Debian Developers:

http://lists.debian.org/debian-devel/2013/08/msg00112.html

http://lists.debian.org/debian-devel/2013/08/msg00116.html

After reading virtually everything on that topic on the internet, I think it may have been an overly paranoid recommendation to avoid installing them. The usability issues of not having them installed by default may be a bigger security issue than the risk of having them installed.

What exactly is the risk? When does it apply? A greater risk of remote code execution when they are installed or just easier breakout of a VM after being compromised? The latter doesn’t really count since attacker could install them – unless the adversary got only a user compromise and lacks a root privilege escalation exploit.

I am considering to install guest additions by default to make Whonix for VirtualBox users more usable while keeping those might disagree happy as well. Users of physical isolation would be unaffected, because the build script would skip installing them. Apart from a little disk space, download users Qubes or KVM would be unaffected. Those would not be loaded then, just as KVM’s spice (pre installed) doesn’t load in VirtualBox. It would be possible to simply uninstall them (sudo apt-get purge virtualbox-guest-x11 && sudo apt-get autoremove && sudo reboot), because no anon-meta-package would depend on virtualbox-guest-x11. The possibility to uninstall them and the eventual security gain would be document in the security guide. Builds from source could use something like a –vbox-guest false option to skip installing them.

Ticket:
https://phabricator.whonix.org/T13

Those would not be loaded then, just as KVM’s spice (pre installed) doesn’t load in VirtualBox.

Ok good. I was about to ask about that.

What exactly is the risk? When does it apply? A greater risk of remote code execution when they are installed or just easier breakout of a VM after being compromised? The latter doesn’t really count since attacker could install them – unless the adversary got only a user compromise and lacks a root privilege escalation exploit.

Exactly.

The VirtualBox Kernel Driver Is Tainted Crap.

That statement was about VirtualBox’s hypervisor kernel modules for Linux, which makes it all more troubling.

That statement was about VirtualBox’s hypervisor kernel modules for Linux, which makes it all more troubling.[/quote]
I guess you would likely get a similar statement by top grade security researcher* Joanna Rutkowska for KVM. I don’t find a reference at the moment, but we could call it interview, ask her and publish on Whonix blog.

Assuming lazy consensus in 5 days or so.

After reading virtually everything on that topic on the internet, I think it may have been an overly paranoid recommendation to avoid installing them. The usability issues of not having them installed by default may be a bigger security issue than the risk of having them installed.
Yes, the problem is files transfer. I have tried the recommended solutions in the wiki and some of the ones periodically popping in the forum. Too complicated, too prone to mistakes (in the case of the cloud, not even a solution, for me).

The share does not have to (may be should not?) be mounted on boot. A three letters command in /usr/bin or /usr/local/bin is quite handy to mount it quickly whenever it’s needed.

Auto mounting vs not auto mounting is a separate topic. Please use:

Implemented:

just to make it easier to experiment:

actually removed:

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]