Re: [Tails-dev] VirtualBox host software vs. networking [Was…

Supprimer ce message

Répondre à ce message
Auteur: ade
Date:  
À: The Tails public development discussion list
Sujet: Re: [Tails-dev] VirtualBox host software vs. networking [Was: Tails 0.14 rc1 virtualization testing & howto install virtualbox and vmplayer]
> I'd like to see todo/add_virtualbox_host_software move forward,
> and I fear it's currently blocked due to needlessly high goals.
>
> Assuming one can just delete these few networking drivers file to
> disable network support altogether, without breaking anything else,
> how about, as a first iteration, we ship VirtualBox host software
> without networking support at all?
>
> I think this would at least satisfy the "I want to use InDesign on
> Windows on Tails to produce a leaflet" usecase, and at least be the
> first step towards more involved usecases like the one adev had
> in mind.
>
> What do you think?



Good news on Virtualbox


I decided to test different networking setups in Virtualbox. This could be
called an initial test



Step I did:

1. Install virtualbox


2. Modprobe remove the vboxnetflt kernel module


3. Setup various tails virtual machines to test them out, and ran
do_not_ever_run_me script on all guests and the host machine to try out
manual iptables configurations.


As a result of unloading the vboxnetflt kernel module virtual machines
would not start if they had a host-only networking adapter, or bridge mode
networking adapter attached to them.

This is what we expect.



With vboxnetflt kernel module unloaded, the NAT networking mode still
functioned correctly, but bridge mode would not. This is good.


I did a very basic and quick test of iptables and with NAT mode networking
enabled, the host iptables firewall was still able to control the virtual
machines traffic.

Setting the OUTPUT policy of the host machine iptables firewall to DROP
stopped the guest tails from sending outbound pings to the host machines
eth0 interface




So it looks like Virtualbox could be shipped without support for bridge
networking, or without any networking support at all. In future it looks
promising that the NAT mode could be useful to provide the guest OS with
Tor access. Lack of vboxnetflt should stop bridge mode and associated
leaking from the guest OS if the host iptables firewall is configured
appropriately.



Is there any interest in shipping Virtualbox with bridge mode disabled (or
no networking at all) but include a script that only root can run, to
enable bridge mode for those that want to use it?


Thanks



What does everyone think about this?