著者: adrelanos 日付: To: tails-dev 題目: Re: [Tails-dev] VirtualBox host software vs. networking [Was: Tails
0.14 rc1 virtualization testing & howto install virtualbox and vmplayer]
ade: >> I'd like to see todo/add_virtualbox_host_software move forward,
>> and I fear it's currently blocked due to needlessly high goals.
>>
>> Assuming one can just delete these few networking drivers file to
>> disable network support altogether, without breaking anything else,
>> how about, as a first iteration, we ship VirtualBox host software
>> without networking support at all?
>>
>> I think this would at least satisfy the "I want to use InDesign on
>> Windows on Tails to produce a leaflet" usecase, and at least be the
>> first step towards more involved usecases like the one adev had
>> in mind.
>>
>> What do you think?
>
> Good news on Virtualbox
>
> I decided to test different networking setups in Virtualbox. This could be
> called an initial test
>
> Step I did:
>
> 1. Install virtualbox
>
> 2. Modprobe remove the vboxnetflt kernel module
>
> 3. Setup various tails virtual machines to test them out, and ran
> do_not_ever_run_me script on all guests and the host machine to try out
> manual iptables configurations.
>
> As a result of unloading the vboxnetflt kernel module virtual machines
> would not start if they had a host-only networking adapter, or bridge mode
> networking adapter attached to them.
>
> This is what we expect.
>
> With vboxnetflt kernel module unloaded, the NAT networking mode still
> functioned correctly, but bridge mode would not. This is good.
>
> I did a very basic and quick test of iptables and with NAT mode networking
> enabled, the host iptables firewall was still able to control the virtual
> machines traffic.
>
> Setting the OUTPUT policy of the host machine iptables firewall to DROP
> stopped the guest tails from sending outbound pings to the host machines
> eth0 interface
>
> So it looks like Virtualbox could be shipped without support for bridge
> networking, or without any networking support at all. In future it looks
> promising that the NAT mode could be useful to provide the guest OS with
> Tor access. Lack of vboxnetflt should stop bridge mode and associated
> leaking from the guest OS if the host iptables firewall is configured
> appropriately.
>
> Is there any interest in shipping Virtualbox with bridge mode disabled (or
> no networking at all) but include a script that only root can run, to
> enable bridge mode for those that want to use it?
>
> Thanks
>
> What does everyone think about this?
I have some questions.
Did you get Virtual Box networking to internet working while Tails
firewall was up? Guest's internet access was torified?
Tails has a tight firewall, Virtual Box does not support any http or
socks proxy settings for the guests. How could you teach Virtual Box NAT
to connect through Tor?
Perhaps running Virtual Box as user virtualbox and torify that user
account with iptables? Or won't that work because Virtual Box NAT is a
kernel module?