Virtualbox not able to write to /dev/vbox* #2868

Closed
Niklas974 opened this issue Jul 23, 2019 · 22 comments

Comments

@Niklas974
Contributor

Niklas974 commented Jul 23, 2019

I'm using firejail version 0.9.58.2 and VirtualBox Version 6.06 on Ubuntu 19.04.

Running virtualbox in firejail using the default virtualbox profile provided by firejail, I run into networking issues when accessing host-only network adapters in the virtualbox "host-only network manager":

Das Host-Netzwerkinterface konnte nicht erzeugt werden.

VBoxNetAdpCtl: Error while adding new interface: failed to open /dev/vboxnetctl: Operation not permitted.

Fehlercode:NS_ERROR_FAILURE (0x80004005)
Komponente:HostNetworkInterfaceWrap
Interface:IHostNetworkInterface {455f8c45-44a0-a470-ba20-27890b96dba9}

(translated: The Host-Network Interface could not be created)

Interestingly, /dev/vbox* looks pretty similar from the outside and from inside the virtualbox firejail:

ls -al /dev/vbox*
crw------- 1 root root      10, 53 Jul 22 15:09 /dev/vboxdrv
crw-rw-rw- 1 root root      10, 52 Jul 22 15:09 /dev/vboxdrvu
crw------- 1 root root      10, 51 Jul 22 15:09 /dev/vboxnetctl

/dev/vboxusb:
insgesamt 0
drwxr-x---  5 root vboxusers  100 Jul 22 15:09 .
drwxr-xr-x 23 root root      5080 Jul 22 15:10 ..
drwxr-x---  2 root vboxusers  100 Jul 22 15:09 001
drwxr-x---  2 root vboxusers   60 Jul 22 15:09 002
drwxr-x---  2 root vboxusers  160 Jul 22 15:10 003
 ~ firejail --join=16421
Switching to pid 16422, the first child process inside the sandbox
Child process initialized in 12.40 ms
ubuntu% ls -al /dev/vbox*
crw------- 1 root root      10, 53 Jul 22 15:09 /dev/vboxdrv
crw-rw-rw- 1 root root      10, 52 Jul 22 15:09 /dev/vboxdrvu
crw------- 1 root root      10, 51 Jul 22 15:09 /dev/vboxnetctl

/dev/vboxusb:
insgesamt 0
drwxr-x---  5 root vboxusers  100 Jul 22 15:09 .
drwxr-xr-x 23 root root      5080 Jul 22 15:10 ..
drwxr-x---  2 root vboxusers  100 Jul 22 15:09 001
drwxr-x---  2 root vboxusers   60 Jul 22 15:09 002
drwxr-x---  2 root vboxusers  160 Jul 22 15:10 003

Commenting out "caps.drop all" in the virtualbox profile solves the issue locally.
I think this should be fixed or at least annotated in the virtualbox profile.

I know that I do not run the latest version of firejail, but the one provided by ubuntu. If you need me to try with the newest version, please let me know.

EDIT: I previously claimed that commenting out "netfilter" would provide a work-around. It turns out that the "caps.drop all" line is the culprit.
Hint for debugging: On closing the virtualbox GUI, it takes a few seconds for the last virtualbox process to end, if you do not wait for them to end, firejail will not reload the config and thus ignore potential changes.

@Fred-Barclay
Collaborator

Thanks for reporting this @Niklas974 !

Besides the error messages, does this cause any issues with virtualbox? If it's just error messages then it's probably better to say these are just cosmetic issues and not change/remove netfilter, but if it actually means you can't use firejail+virtualbox then we should maybe change this.

Thanks!
Fred

@Niklas974
Contributor Author

Niklas974 commented Jul 29, 2019

NOTE: I edited the original report, it is not "netfilter" but "caps.drop all" that causes the problem!

Hi @Fred-Barclay ,

thank you for helping with this issue!

Using the original config file provided by firejail, VirtualBox does work, but at least the following do not work:
a) adding new Host-Only Network Interfaces in the Host-Only Network Manager
b) accessing the external network using NAT interfaces. I have tried using an Ubuntu host and a Kali Linux guest; I cannot ping external machines if the "caps.drop all" line is in the config file. Commenting it out and not changing anything else, I can ping external machines.

(see hints on Virtualbox Networking here)

@rusty-snake
Collaborator

@Niklas974 getcap /usr/bin/V*

@Niklas974
Contributor Author

 ~  getcap /usr/bin/V*
 ~  getcap /usr/bin/v*
 ~  which virtualbox
/usr/local/bin/virtualbox
 ~  getcap /usr/local/bin/virtualbox

(From outside of firejail)
Am I missing something obvious?

@rusty-snake
Collaborator

Same with getcap /usr/lib64/virtualbox/V* # or wherever it is on your system?

@Niklas974
Contributor Author

 ~  which virtualbox
/usr/local/bin/virtualbox
 ~  ll /usr/local/bin/virtualbox
lrwxrwxrwx 1 root root 17 Jul 17 08:52 /usr/local/bin/virtualbox -> /usr/bin/firejail*
 ~  ll /usr/bin/virtualbox
lrwxrwxrwx 1 root root 27 Apr 17 00:08 /usr/bin/virtualbox -> ../share/virtualbox/VBox.sh*
 ~  getcap /usr/share/virtualbox/*
 ~  getcap /usr/lib/virtualbox/*        
 ~  ls /usr/lib/virtualbox 
components         VBoxAutostart    VBoxDDRC.rc            VBoxExtPackHelperApp    vbox-img         VBoxNetNAT              VBoxREM.so              vboxshell.py    VBoxVMMPreload.so  VirtualBox
ExtensionPacks     VBoxBalloonCtrl  VBoxDD.so              VBoxGlobal.so           VBoxKeyboard.so  VBoxNetNAT.so           VBoxRT.so               VBoxSVC         VBoxVMM.so         VirtualBoxVM
libvboxjxpcom.so   VBoxBugReport    VBoxDDU.so             VBoxGuestControlSvc.so  VBoxManage       VBoxOGLhostcrutil.so    VBoxSDL                 VBoxSVGA3D.so   VBoxVolInfo        VirtualBoxVM.so
__pycache__        VBoxCpuReport    VBoxDragAndDropSvc.so  VBoxGuestPropSvc.so     VBoxManageHelp   VBoxOGLhosterrorspu.so  VBoxSDL.so              VBoxSysInfo.sh  vboxwebsrv         VMMR0.r0
sdk                VBoxDbg.so       VBoxDTrace             VBoxHeadless            VBoxNetAdpCtl    VBoxOGLrenderspu.so     VBoxSharedClipboard.so  VBoxTestOGL     VBoxXPCOMC.so      VMMRC.rc
VBoxAuthSimple.so  VBoxDD2.so       VBoxEFI32.fd           VBoxHeadless.so         VBoxNetDHCP      VBoxPython3_7m.so       VBoxSharedCrOpenGL.so   VBoxTunctl      VBoxXPCOMIPCD      webtest
VBoxAuth.so        VBoxDDR0.r0      VBoxEFI64.fd           VBoxHostChannel.so      VBoxNetDHCP.so   VBoxPython.so           VBoxSharedFolders.so    VBoxVMMPreload  VBoxXPCOM.so

@rusty-snake
Collaborator

Well, no more ideas on how to find out what we need for caps.keep.

@Vincent43
Collaborator

Vincent43 commented Jul 30, 2019

AFAIK vbox uses full suid binaries instead of caps.

@Niklas974 could you show ls -al /usr/lib/virtualbox?

Also could you try replacing caps.drop all with caps.keep sys_admin in profile?

Alternatively caps.keep net_raw,sys_nice

@Niklas974
Contributor Author

@Vincent43 ls -al is attached at the bottom.

  • setting caps.drop all I cannot add and delete host only network adapters, and I cannot use NAT network adapters from within guests
  • setting caps.keep sys_admin I can add and delete host only network adapters, but I cannot use NAT network adapters from within guests
  • setting caps.keep net_raw,sys_nice I cannot add and delete host only network adapters, but I can use NAT network adapters from within guests
  • setting caps.keep sys_admin,net_raw,sys_nice I can add and delete host only network adapters, and I can use NAT network adapters from within guests
  • setting neither of those, I can add and delete host only network adapters, and I can use NAT network adapters from within guests
 ~  ls -al /usr/lib/virtualbox 
insgesamt 123684
drwxr-xr-x   6 root root    12288 Mai  7 08:40 .
drwxr-xr-x 160 root root    12288 Jul 19 15:49 ..
drwxr-xr-x   2 root root     4096 Mai  7 08:25 components
drwxr-xr-x   4 root root     4096 Mai  7 08:43 ExtensionPacks
-rw-r--r--   1 root root   126032 Apr 17 00:08 libvboxjxpcom.so
drwxr-xr-x   2 root root     4096 Mai  7 08:43 __pycache__
drwxr-xr-x   3 root root     4096 Feb 14 09:45 sdk
-rw-r--r--   1 root root    31168 Apr 17 00:08 VBoxAuthSimple.so
-rw-r--r--   1 root root    14496 Apr 17 00:08 VBoxAuth.so
-rwxr-xr-x   1 root root   121016 Apr 17 00:08 VBoxAutostart
-rwxr-xr-x   1 root root   170512 Apr 17 00:08 VBoxBalloonCtrl
-rwxr-xr-x   1 root root    88240 Apr 17 00:08 VBoxBugReport
-rwxr-xr-x   1 root root  1038864 Apr 17 00:08 VBoxCpuReport
-rw-r--r--   1 root root   171248 Apr 17 00:08 VBoxDbg.so
-rw-r--r--   1 root root   362392 Apr 17 00:08 VBoxDD2.so
-rw-r--r--   1 root root   261240 Apr 17 00:08 VBoxDDR0.r0
-rw-r--r--   1 root root   187932 Apr 17 00:08 VBoxDDRC.rc
-rw-r--r--   1 root root  2059400 Apr 17 00:08 VBoxDD.so
-rw-r--r--   1 root root   430656 Apr 17 00:08 VBoxDDU.so
-rw-r--r--   1 root root    39216 Apr 17 00:08 VBoxDragAndDropSvc.so
-rwxr-xr-x   1 root root    14408 Apr 17 00:08 VBoxDTrace
-rw-r--r--   1 root root  2097152 Jan 25  2019 VBoxEFI32.fd
-rw-r--r--   1 root root  2097152 Jan 25  2019 VBoxEFI64.fd
-rwxr-xr-x   1 root root    63712 Apr 17 00:08 VBoxExtPackHelperApp
-rw-r--r--   1 root root 37329640 Apr 17 00:08 VBoxGlobal.so
-rw-r--r--   1 root root    35064 Apr 17 00:08 VBoxGuestControlSvc.so
-rw-r--r--   1 root root    43488 Apr 17 00:08 VBoxGuestPropSvc.so
-rwsr-sr-x   1 root root   161872 Apr 17 00:08 VBoxHeadless
-rw-r--r--   1 root root   101320 Apr 17 00:08 VBoxHeadless.so
-rw-r--r--   1 root root    18512 Apr 17 00:08 VBoxHostChannel.so
-rwxr-xr-x   1 root root  1889568 Apr 17 00:08 vbox-img
-rw-r--r--   1 root root    78248 Apr 17 00:08 VBoxKeyboard.so
-rwxr-xr-x   1 root root  1194232 Apr 17 00:08 VBoxManage
-rwxr-xr-x   1 root root  1256328 Apr 17 00:08 VBoxManageHelp
-rwsr-sr-x   1 root root    30888 Apr 17 00:08 VBoxNetAdpCtl
-rwsr-sr-x   1 root root   161872 Apr 17 00:08 VBoxNetDHCP
-rw-r--r--   1 root root   183728 Apr 17 00:08 VBoxNetDHCP.so
-rwsr-sr-x   1 root root   161872 Apr 17 00:08 VBoxNetNAT
-rw-r--r--   1 root root   282824 Apr 17 00:08 VBoxNetNAT.so
-rw-r--r--   1 root root   196360 Apr 17 00:08 VBoxOGLhostcrutil.so
-rw-r--r--   1 root root   136072 Apr 17 00:08 VBoxOGLhosterrorspu.so
-rw-r--r--   1 root root   172608 Apr 17 00:08 VBoxOGLrenderspu.so
-rw-r--r--   1 root root   209688 Apr 17 00:08 VBoxPython3_7m.so
-rw-r--r--   1 root root   209688 Apr 17 00:08 VBoxPython.so
-rw-r--r--   1 root root   768232 Apr 17 00:08 VBoxREM.so
-rw-r--r--   1 root root  3362888 Apr 17 00:08 VBoxRT.so
-rwsr-sr-x   1 root root   161872 Apr 17 00:08 VBoxSDL
-rw-r--r--   1 root root   175600 Apr 17 00:08 VBoxSDL.so
-rw-r--r--   1 root root    51712 Apr 17 00:08 VBoxSharedClipboard.so
-rw-r--r--   1 root root  1170352 Apr 17 00:08 VBoxSharedCrOpenGL.so
-rw-r--r--   1 root root    59984 Apr 17 00:08 VBoxSharedFolders.so
-rwxr-xr-x   1 root root   122000 Apr 17 00:08 vboxshell.py
-rwxr-xr-x   1 root root  7169560 Apr 17 00:08 VBoxSVC
-rw-r--r--   1 root root   244408 Apr 17 00:08 VBoxSVGA3D.so
-rwxr-xr-x   1 root root     4163 Apr 16 12:16 VBoxSysInfo.sh
-rwxr-xr-x   1 root root   108704 Apr 17 00:08 VBoxTestOGL
-rwxr-xr-x   1 root root    14328 Apr 17 00:08 VBoxTunctl
-rwxr-xr-x   1 root root   161872 Apr 17 00:08 VBoxVMMPreload
-rw-r--r--   1 root root    14552 Apr 17 00:08 VBoxVMMPreload.so
-rw-r--r--   1 root root  3946472 Apr 17 00:08 VBoxVMM.so
-rwxr-xr-x   1 root root    14328 Apr 17 00:08 VBoxVolInfo
-rwxr-xr-x   1 root root 26152768 Apr 17 00:08 vboxwebsrv
-rw-r--r--   1 root root    47752 Apr 17 00:08 VBoxXPCOMC.so
-rwxr-xr-x   1 root root    30880 Apr 17 00:08 VBoxXPCOMIPCD
-rw-r--r--   1 root root  1151184 Apr 17 00:08 VBoxXPCOM.so
-rwxr-xr-x   1 root root  2299368 Apr 17 00:08 VirtualBox
-rwsr-sr-x   1 root root   161872 Apr 17 00:08 VirtualBoxVM
-rw-r--r--   1 root root  1546728 Apr 17 00:08 VirtualBoxVM.so
-rw-r--r--   1 root root  2391616 Apr 17 00:08 VMMR0.r0
-rw-r--r--   1 root root  1588028 Apr 17 00:08 VMMRC.rc
-rwxr-xr-x   1 root root 20343152 Apr 17 00:08 webtest

@Vincent43
Collaborator

setting caps.keep sys_admin,net_raw,sys_nice I can add and delete host only network adapters, and I can use NAT network adapters from within guests

So, this one looks sufficient.

@Niklas974
One more thing before we add it: could you try replacing sys_admin with net_admin, like caps.keep net_admin,net_raw,sys_nice?

@Niklas974
Contributor Author

I have just tried caps.keep net_admin,net_raw,sys_nice and with this directive I cannot add and delete host only network adapters.

@Vincent43
Collaborator

Ok, we go for sys_admin then, thx for testing.
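As an added example (not part of this thread), a small POSIX sh helper that decodes the hex capability mask found on the CapEff line of a sandboxed process's /proc/<pid>/status and reports which of the capabilities tested above (sys_admin, net_raw, sys_nice, net_admin; bit numbers from linux/capability.h) are missing. The sample masks are constructed to match the caps.drop/caps.keep variants tried in the thread.

```shell
#!/bin/sh
# Added example: check a sandbox's effective capability set against the
# capabilities a firejail profile is expected to keep.

# Bit numbers from linux/capability.h for the capabilities discussed here.
cap_bit() {
    case "$1" in
        net_admin) echo 12 ;;
        net_raw)   echo 13 ;;
        sys_admin) echo 21 ;;
        sys_nice)  echo 23 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# missing_caps MASK NAME... : MASK is a hex set as printed on the CapEff line
# of /proc/<pid>/status; prints each NAME whose bit is clear in MASK.
missing_caps() {
    mask="$1"; shift
    for name in "$@"; do
        bit=$(cap_bit "$name") || return 2
        if [ $(( (0x$mask >> $bit) & 1 )) -eq 0 ]; then
            echo "$name"
        fi
    done
}

# check_sandbox PID NAME... : the same check against a live process, e.g. the
# VBoxSVC pid of a running "firejail virtualbox" sandbox.
check_sandbox() {
    pid="$1"; shift
    mask=$(sed -n 's/^CapEff:[[:space:]]*//p' "/proc/$pid/status") || return 2
    missing_caps "$mask" "$@"
}

# Constructed masks for three of the variants tested in this thread.
MASK_DROP_ALL=0000000000000000          # caps.drop all
MASK_NET_RAW_SYS_NICE=0000000000802000  # caps.keep net_raw,sys_nice
MASK_FULL=0000000000a02000              # caps.keep sys_admin,net_raw,sys_nice

# Stand-alone run: report what each variant lacks for host-only plus NAT networking.
for m in "$MASK_DROP_ALL" "$MASK_NET_RAW_SYS_NICE" "$MASK_FULL"; do
    printf '%s: missing [%s]\n' "$m" "$(missing_caps "$m" sys_admin net_raw sys_nice | tr '\n' ' ')"
done
```

On a live system, `check_sandbox "$(pgrep -n VBoxSVC)" sys_admin net_raw sys_nice` shows directly whether the profile in effect kept what the thread found necessary.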

@githlp

githlp commented Jan 19, 2022

With this profile I still cannot change the IPv4 address for the adapter and the DHCP server when adding a Host-only network.

I already created an exception like described in this manual section:

cat /etc/vbox/networks.conf
* 10.0.0.0/8 192.168.0.0/16
* 2001::/64

and now it works when called directly via /usr/bin/virtualbox.

But with firejail I still get this error message:

network interface parameter could not be stored.

Callee RC: E_ACCESSDENIED (0x80070005)

@glitsj16
Collaborator

@githlp The virtualbox profile has private-etc, but that currently doesn't include /etc/vbox. If you can confirm your setup is working when adding private-etc vbox to a virtualbox.local IMO we should fix our profile.

@githlp

githlp commented Jan 19, 2022

That did not work, the error message remains the same.

@glitsj16
Collaborator

I noticed the original fix from d94e38a got changed later on. Did you see the comment about needing sys_admin for host-only network? I can't find the commit that took that out of the original caps.keep sys_admin,net_raw,sys_nice but that could just be a side-effect of a github etc reorganization we went through. Did you try adding sys_admin to caps.keep yet, in combination with private-etc vbox?

@githlp

githlp commented Jan 20, 2022

Yes, I followed the comment within virtualbox.profile and added sys_admin to the caps.keep line. I just checked again and both are fulfilled:

/etc/firejail/virtualbox.profile
caps.keep sys_admin,net_raw,sys_nice

~/.config/firejail/virtualbox.local
private-etc vbox

@glitsj16
Collaborator

@githlp Good. In that case you have some detective work to do. Adding ignore caps.keep and ignore private-etc to virtualbox.local would be where I'd start. You might need to go through a few different combinations here. TIP: keep a terminal open in which you tail journalctl (or syslog if you don't have a systemd system) so you can spot any relevant errors in there. When in doubt, post errors somewhere online and provide a link here so we can assist.

@githlp

githlp commented Jan 20, 2022

Well, with this setting in virtualbox.local the host-based network adapter can be set up/modified:

private-etc vbox
ignore caps.keep

But does it make sense to ignore caps.keep completely?

I still get those messages in the journal every time I start virtualbox:

Jän 20 19:42:07 desktop firejail[85293]: blacklist violation - sandbox 85211, exe VBoxSVC, syscall lstat64, path /dev/sr0
Jän 20 19:42:07 desktop firejail[85293]: blacklist violation - sandbox 85211, exe VBoxSVC, syscall lstat64, path /dev/sr0
Jän 20 19:43:54 desktop firejail[87716]: blacklist violation - sandbox 87652, exe VBoxSVC, syscall lstat64, path /dev/sr0
Jän 20 19:43:54 desktop firejail[87716]: blacklist violation - sandbox 87652, exe VBoxSVC, syscall lstat64, path /dev/sr0

And this is the output on the shell:
0bin.net

@githlp

githlp commented Jan 21, 2022

The network does not get a connection on the default route 10.0.2.15 either.

Started without firejail it works on same config settings.

@glitsj16
Collaborator

glitsj16 commented Feb 3, 2022

@githlp Apologies for the radio-silence. The pastebin has expired but here's what I see in my notes:

  • add ignore nodvd (the blacklist violations suggest VBox tries to access /dev/sr0);
  • The libkmod 'permission denied' warnings stem from hardcoded protections but can be fixed by adding
noblacklist /sys/module
read-only /sys/module
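An added example (not from this thread): a POSIX sh helper that turns journal lines like the ones githlp posted into a per-(exe, path) count and maps each violated path to the profile directive suggested above. The sample lines are copied from this thread, and the path-to-directive mapping covers only the two cases established here (/dev/sr0 and /sys/module); everything else is just flagged for inspection.

```shell
#!/bin/sh
# Added example: triage firejail "blacklist violation" syslog lines and map
# each violated path to the profile directive discussed in this thread.

# suggest_directive PATH: the two mappings this thread established; any other
# path is flagged for a manual look at the profile (assumption: no other
# cases are known here).
suggest_directive() {
    case "$1" in
        /dev/sr0)                  echo "ignore nodvd" ;;
        /sys/module|/sys/module/*) echo "noblacklist /sys/module; read-only /sys/module" ;;
        *)                         echo "inspect profile for $1" ;;
    esac
}

# summarize_violations: read journal/syslog lines on stdin, keep only the
# firejail blacklist violations, and print "COUNT EXE PATH -> DIRECTIVE",
# most frequent first.
summarize_violations() {
    sed -n 's/.*blacklist violation - sandbox [0-9]*, exe \([^,]*\), syscall [^,]*, path \(.*\)$/\1 \2/p' |
    sort | uniq -c | sort -rn |
    while read -r count exe path; do
        printf '%s %s %s -> %s\n' "$count" "$exe" "$path" "$(suggest_directive "$path")"
    done
}

# Constructed sample: the four lines quoted above plus one unrelated journal line.
SAMPLE='Jän 20 19:42:07 desktop firejail[85293]: blacklist violation - sandbox 85211, exe VBoxSVC, syscall lstat64, path /dev/sr0
Jän 20 19:42:07 desktop firejail[85293]: blacklist violation - sandbox 85211, exe VBoxSVC, syscall lstat64, path /dev/sr0
Jän 20 19:43:54 desktop firejail[87716]: blacklist violation - sandbox 87652, exe VBoxSVC, syscall lstat64, path /dev/sr0
Jän 20 19:43:54 desktop firejail[87716]: blacklist violation - sandbox 87652, exe VBoxSVC, syscall lstat64, path /dev/sr0
Jän 20 19:43:55 desktop systemd[1]: Started Session 3 of user example.'

# Stand-alone run; on a live system use: journalctl -t firejail | summarize_violations
printf '%s\n' "$SAMPLE" | summarize_violations
```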

@githlp

githlp commented Feb 7, 2022

But still no connection on my 10.0.2.x virtual eth:

Reading profile /etc/firejail/virtualbox.profile
Reading profile /home/ronald/.config/firejail/virtualbox.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 680494, child pid 680495
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 2.05 ms
Warning: skipping vbox for private /usr/etc
Private /usr/etc installed in 0.07 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 209.39 ms
whoami: Für Benutzerkennung 1000 kann kein Name gefunden werden: Datei oder Verzeichnis nicht gefunden
Fehler: Liste von realen Benutzern muss auf -U folgen
..
