VirtualBox Guest Additions and Shared Folders

From Kicksecure

Cd-699786640.jpg

Introduction[edit]

Bidirectional clipboard sharing is currently enabled by default in Kicksecure ™ VirtualBox VM. [1] There are good reasons to disable clipboard sharing, Left to the user to decide if he want to disable it or not.

Shared folders are discouraged because it weakens isolation between the guest and the host. Providing a mechanism to access files of the host system from within the guest system via a specially defined path necessarily enlarges the attack surface and provides a potential pathway for malicious actors to compromise the host. [2] [3] [4]

Clipboard Sharing[edit]

To change the clipboard sharing setting:

  1. Power off the virtual machine. [5]
  2. Navigate to VirtualBox machine settingsGeneralAdvancedShared Clipboard
  3. Set the preferred configuration: Disabled, Guest to Host, Host to Guest or Bidirectional.
  4. Power on the virtual machine again.

To learn more, see: VirtualBox Manual - Chapter 3. Configuring Virtual Machines.

Shared Folder[edit]

Kicksecure ™-Default[edit]

Info Note:

  • From VirtualBox v6+ it is no longer necessary to power off the virtual machine.
  • For better usability, package vm-config-dist has already added user user to group vboxsf. [6]
  1. Host folder preparation. On the host operating create a folder that should be shared with the virtual machine (VM). For example, on a Linux host operating system folder /home/user/shared.
  2. VirtualBoxright-click the virtual machineSettingsShared Folder
  3. Click the folder icon that has a + symbol in the upper right-hand section of the screen.
  4. Folder Path → Navigate to the folder you want to share.
  5. Folder Name → Type: shared. A different folder name can be utilized, but shared is recommended so it is the same as the example documented below -- do not use share (without the trailing d)!
  6. Uncheck Read-only. [7]
  7. Check Auto-mount. [8]
  8. Mount Point → Leave as is (leave it empty and do not make any changes). [9]
  9. Check Make Permanent (if that option exists). [10]
  10. Press OK to close shared folder dialog.
  11. Press OK to close VirtualBox settings.
  12. The process is now complete and the shared folder can be used.

VirtualBox shared folders are found inside the virtual machine in folder /media/. </ref>

In the above example, the shared folder will become cd /media/sf_shared. [11] The folder can be opened using a file manager such as for example Thunar. To open it using the the command line, run.

cd /media/sf_shared

Kicksecure-Custom-Workstation ™[edit]

If you are using a Kicksecure-Custom-Workstation ™ additional steps are required. Please click on expand on the right.

Two options exist: automatic mounting or manual mounting. The automatic mounting method is described below. For additional information on shared folders refer to the VirtualBox manual. Any additional questions are unspecific to Kicksecure ™ and should be addressed as per the Free Support Principle.

  1. Install VirtualBox guest additions inside the VM. [12]
  2. Add the user that will utilize shared folders from inside the VM to group vboxsf:
    sudo addgroup user vboxsf
  3. A reboot is required to make group changes take effect.
  4. Follow the instructions above.

VirtualBox Guest Additions[edit]

Introduction[edit]

In Kicksecure ™, VirtualBox guest additions are installed by default. [13]

To avoid any issues with the guest additions, users are highly recommended to:

  1. Use the Recommended VirtualBox Version for use with Kicksecure ™.
  2. Leave installation of the recommended version of VirtualBox guest additions to Kicksecure ™ as dcoumented and to avoid manual installation. This documentation will be updated as required. Check back later in case you have issues.

There might be a few odd messages during updates which are actually non-issues. Unless actual functionality is broken, please do not ask about odd messages as per Support Request Policy.

In case of issues, see also VirtualBox troubleshooting and consider a bug report.

VirtualBox Guest Additions Installation Sources[edit]

There are multiple sources to install VirtualBox guest additions from. It is possible to switch from one installation source to another. However, only 1 installation source should be used at the same time. If migrating from one installation source to another, the previous installation source should be disabled.

Table: VirtualBox Guest Additions Installation Sources

Option Nickname Installation Source Technical Difference Installed by Default Used by Default
A Debian Style From Debian's (fasttrack.debian.net) packages virtualbox-guest-utils, virtualbox-guest-x11.
  • Adjusted by Debian specifically for Debian. Works very well when using the same version of the VirtualBox host software as well as VirtualBox guest additions.
  • After installation of the package(s), VirtualBox Guest Additions will be fully setup and functional.
Yes Yes
B Host ISO VirtualBox guest additions ISO / CD
  • This is the VirtualBox guest additions ISO / CD from Oracle, which is the company that develops VirtualBox.
  • This ISO is shipped with the VirtualBox host software.
  • The ISO contains generic VirtualBox guest additions installer for many Linux versions.
  • Not specifically designed for Debian.
  • Only recommended in case installing a newer version of VirtualBox from the VirtualBox.org Repository than available from Debian and only recommended if the ISO cannot instead be installed from the next entry in this table.
  • To actually install VirtualBox guest additions from this source, the user would have to mount or extract the ISO and run the setup installer as was per instructions on the VirtualBox website.
No No
C Oracle Style From Debian's (packages.debian.org) package virtualbox-guest-additions-iso.
  • Similar to above.
  • A Debian maintainer has built the VirtualBox guest additions ISO and added it to the virtualbox-guest-additions-iso package to provide a more convenient method to acquire the ISO.
  • Installation alone of the package does effectively nothing. The package essentially only includes file /usr/share/virtualbox/VBoxGuestAdditions.iso.
  • Only recommended in case installing a newer version of VirtualBox from the VirtualBox.org Repository than available from Debian.
  • To actually install VirtualBox guest additions from this source, the user would have to, either:
    • A) mount or extract the ISO and run the setup installer as was per instructions on the VirtualBox website, or
    • B) use vbox-guest-installer.
Yes No

VirtualBox guest additions (from packages virtualbox-guest-utils, virtualbox-guest-x11) are installed by default and should be preferred over virtualbox-guest-additions-iso. [14]

vbox-guest-installer[edit]

vbox-guest-installer is an installation helper created by Kicksecure ™ developers. It is a helper utility for better usability that allows to install VirtualBox guest additions from Debian's (packages.debian.org) package virtualbox-guest-additions-iso.

  • Not enabled by default.
  • Usually no user action required.
  • Usually no enable/disable or settings change required.

Whenever the Linux kernel package or virtualbox-guest-additions-iso is upgraded, vbox-guest-installer should be automatically running. [15]

vbox-guest-installer will refuse to install VirtualBox guest additions from package virtualbox-guest-additions-iso when either package virtualbox-guest-x11 and/or package virtualbox-guest-utils is still installed. This is because only 1 installation source should be used by default as mentions in chapter VirtualBox Guest Additions Installation Sources.

To use vbox-guest-installer, see chapter Migration to Oracle Style VirtualBox Guest Additions.

VirtualBox Guest Additions CD[edit]

  • If using Kicksecure ™ for VirtualBox with the recommended VirtualBox version:
    • VirtualBox guest additions are installed by default. (Debian's (fasttrack.debian.net) packages virtualbox-guest-utils, virtualbox-guest-x11)
    • It is therefore usually unnecessary and discouraged to install guest additions from Debian's (packages.debian.org) package virtualbox-guest-additions-iso or from VirtualBox ISO / CD.
    • Do not use VirtualBoxDevicesInsert Guest Additions CD image....
    • Doing otherwise could lead to version conflicts of the VirtualBox host version versus the VirtualBox guest additions version such as black screen, screen resolution bug, broken host to VM copy/paste and similar. [16]
  • If you are using other operating systems: Using VirtualBox Guest Additions CD is OK. In that case, issues should be resolved as per Free Support Principle because it would be unspecific to Kicksecure ™.

Migration to Oracle Style VirtualBox Guest Additions[edit]

If the user is currently using VirtualBox packages virtualbox-guest-utils and virtualbox-guest-x11 (Debian style) and wishes to migrate to Oracle Style VirtualBox Guest Additions from package virtualbox-guest-additions-iso, complete the following steps.

1. Uninstall the Debian style VirtualBox Guest Additions Packages.

This step is mandatory. Otherwise vbox-guest-installer would refuse to install Oracle Style VirtualBox Guest Additions because only 1 installation source for guest additions must be active at the same time.

sudo apt purge virtualbox-guest-utils virtualbox-guest-x11

2. Make sure package virtualbox-guest-additions-iso is installed.

Should be installed by default. To check and install if required, run.

Install virtualbox-guest-additions-iso. To accomplish that, the following steps A. to D. need to be done.

A. Update the package lists.

sudo apt update

B. Upgrade the system.

sudo apt full-upgrade

C. Install the virtualbox-guest-additions-iso package.

Using apt command line parameter --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends virtualbox-guest-additions-iso

D. Done.

The procedure of installing virtualbox-guest-additions-iso is complete.

3. Run vbox-guest-installer.

sudo vbox-guest-installer

4. Reboot.

5. Done.

Migration from VirtualBox Guest Additions (Debian style) to VirtualBox Guest Additions ISO (Oracle style) has been completed.

Migration to Debian Style VirtualBox Guest Additions Packages[edit]

If the user is currently using VirtualBox Guest Additions from package virtualbox-guest-additions-iso and/or ISO / CD (Oracle style) and wishes to migrate to VirtualBox packages virtualbox-guest-utils and virtualbox-guest-x11 (Debian style), complete the following steps.

1. Uninstall virtualbox-guest-additions-iso.

2. Install.

Install virtualbox-guest-utils virtualbox-guest-x11. To accomplish that, the following steps A. to D. need to be done.

A. Update the package lists.

sudo apt update

B. Upgrade the system.

sudo apt full-upgrade

C. Install the virtualbox-guest-utils virtualbox-guest-x11 package.

Using apt command line parameter --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends virtualbox-guest-utils virtualbox-guest-x11

D. Done.

The procedure of installing virtualbox-guest-utils virtualbox-guest-x11 is complete.

3. Reboot.

4. Done.

Migration from VirtualBox Guest Additions ISO (Oracle style) to VirtualBox Guest Additions (Debian style) packages has been completed.

VirtualBox Guest Additions Security[edit]

General concerns have been raised about the security of VirtualBox, for example see the article The VirtualBox Kernel Driver Is Tainted Crap . However, this refers to the kernel driver (on the host), not guest additions. For opposite viewpoints, see here and here.

Alternatives[edit]

It is possible to achieve similar functionality without installing guest additions:

  • For file exchange with Kicksecure ™, see: File Transfer and File Sharing.
  • To achieve a higher screen resolution, see: Higher Screen Resolution without VirtualBox Guest Additions.
  • To achieve mouse integration, it is possible to set a USB tablet in VirtualBox settings. This is recommended against because it requires adding a USB controller to VirtualBox. (VirtualBoxRight-click on Virtual MachineSettingsSystemEnable absolute pointing device)

Miscellaneous[edit]

Uninstall virtualbox-guest-additions-iso[edit]

This is discouraged and should not be required. However, if you wish to uninstall VirtualBox guest additions as installed by vbox-guest-installer by Kicksecure ™ developers, follow the steps below.

1. Kicksecure ™ 16: No purge of package virtualbox-guest-additions-iso required since vbox-guest-installer effectively does nothing if VirtualBox guest additions packages are installed. If purging virtualbox-guest-additions-iso is desired this is OK too.

2. Remove VirtualBox guest additions (previously installed by Kicksecure ™ from virtualbox-guest-additions-iso. Run VirtualBox guest additions uninstaller by VirtualBox developers.

sudo /usr/sbin/vbox-uninstall-guest-additions

Debugging[edit]

To help debug issues, inspect the following logs and services.

cat /var/log/vboxadd-install.log

sudo systemctl status vboxadd

sudo systemctl status vboxadd-service.service

ls -la /opt/VBoxGuestAdditions-*/init/

Kernel Upgrades[edit]

The following issue is happening during kernel upgrades.

/etc/kernel/postinst.d/vboxadd:
VirtualBox Guest Additions: Building the modules for kernel 5.6.0-0.bpo.2-amd64.
Failed to rename process, ignoring: Operation not permitted
update-initramfs terminated by signal TERM.

Workaround in short: two reboots required.

Workaround details: This results in guest additions being non-functional after the next reboot. During the next reboot VirtualBox guest additions will automatically detect the missing kernel modules for the upgraded kernel and build them. Therefore when rebooting yet another time the issue should be resolved until the next kernel upgrade.

Please contribute to generic bug reproduction:

See also Kicksecure ™ specific technical information, VirtualBox Integration.

One long term solution might be replacing initramfs-tools with dracut but that needs further research and development work. (develpoment discussion, issue)

Non-Issues[edit]

If the following message appears during a kernel upgrade, it is a non-issue.

None.

See Also[edit]

Footnotes[edit]

  1. Host -> Whonix-Gateway clipboard sharing enable by default?
  2. https://forums.whonix.org/t/security-risks-of-virtualbox-shared-folders/10119
  3. To learn more about VirtualBox shared folders, see: VirtualBox Manual - Chapter 4. Guest Additions.
  4. Admittedly, this recommendation does not have a strong rationale. Disabling additional features in other virtualizers or general applications will similarly lead to less code paths being utilized and arguably increasing security. VirtualBox software is not special in this regard.
  5. Because otherwise you cannot change VirtualBox VM settings.
  6. Using /lib/systemd/system/mnt-shared-vbox.service.
  7. If you do not wish to write to that folder from within the VM then the user is free to check/enable this setting.
  8. If the option is unavailable, upgrade VirtualBox.
  9. Alternatively folder /home/user/shared can be chosen. The VirtualBox default means that folder would be owned by owner root and group vboxsf.
  10. This is specific to the VirtualBox version; newer versions do not have this option anymore. Check Make Permanent if this setting should persist after restart of the virtual machine. Otherwise this setting will be temporary.
  11. By default, VirtualBox uses the prefix sf_.
  12. This step is required. Quote VirtualBox Manual - Chapter 4. Guest Additions:

    With the shared folders feature of Oracle VM VirtualBox, you can access files of your host system from within the guest system. This is similar to how you would use network shares in Windows networks, except that shared folders do not require networking, only the Guest Additions.

  13. virtualbox-guest-additions-iso is still installed by default. Should there be issues with virtualbox-guest-utils, virtualbox-guest-x11 as there was in past due to unavailability, then it's easier to fall back to that solution. vbox-guest-installer] (installation helper created by Kicksecure ™ developers) is also still installed by default for the same purpose.
  14. debian/vm-config-dist.triggers
  15. Installation of VirtualBox guest additions from CD might also cause issues.


Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.