VirtualBox Guest Additions and Shared Folders

From Kicksecure
Jump to navigation Jump to search

VirtualBox Guest Additions is a software package that provides additional functionality to virtual machines (VMs) running in VirtualBox. The Guest Additions package includes drivers and utilities that enhance the performance and usability of the VMs.

Guest Additions provides features such as seamless mouse integration, shared folders between the host and guest operating systems, improved graphics performance, and the ability to resize the guest display dynamically.

Guest Additions are installed by default in Kicksecure and its derivatives such as Whonix®.

Clipboard Sharing[edit]

Clipboard Sharing Security Considerations[edit]

Bidirectional clipboard sharing is currently enabled by default in Kicksecure VirtualBox VM. [1] There are good reasons to disable clipboard sharing. The decision for the user to disable clipboard sharing or not.

Shared folders are discouraged because it weakens isolation between the guest and the host. Providing a mechanism to access files of the host system from within the guest system via a specially defined path necessarily enlarges the attack surface and provides a potential pathway for malicious actors to compromise the host. [2] [3] [4]

Clipboard Sharing Instructions[edit]

To change the clipboard sharing setting:

  1. Power off the virtual machine. [5]
  2. Navigate to VirtualBox machine settingsGeneralAdvancedShared Clipboard
  3. Set the preferred configuration: Disabled, Guest to Host, Host to Guest or Bidirectional.
  4. Power on the virtual machine again.

To learn more, see: VirtualBox Manual - Chapter 3. Configuring Virtual Machinesarchive.org.

Shared Folder[edit]

Kicksecure-Default[edit]

Info Note:

  • It is unnecessary to power off the virtual machine. [6]
  • For better usability, the package vm-config-distarchive.org has already added the user user to the group vboxsf. [7]
  1. Host folder preparation: On the host operating system, create a folder to be shared with the virtual machine (VM). For example, on a Linux host operating system, create the folder /home/user/shared.
  2. VirtualBoxright-click the virtual machineSettingsShared Folder
  3. Click the folder icon with a + symbol in the upper right-hand section of the screen.
  4. Folder Path → Navigate to the folder you want to share.
  5. Folder Name → Type: shared. A different folder name can be used, but shared is recommended so it matches the example documented below -- do not use share (without the trailing d)!
  6. Uncheck Read-only. [8]
  7. Check Auto-mount. [9]
  8. Mount Point → Leave as is (leave it empty and do not make any changes). [10]
  9. Check Make Permanent (if that option exists). [11]
  10. Press OK to close the shared folder dialog.
  11. Press OK to close the VirtualBox settings.
  12. The process is now complete, and the shared folder can be used.

In the above example, the shared folder will accessible as /media/sf_shared. [12] The folder can be opened using a file manager such as Thunar, for example. To open it using the command line, run:

cd /media/sf_shared

Other Operating Systems[edit]

If you are using a Other Operating Systems (not using Kicksecure) additional steps are required. Please click on expand on the right.

Two options exist: automatic mounting or manual mounting. The automatic mounting method is described below. For additional information on shared folders refer to the VirtualBox manualarchive.org. Any additional questions are unspecific to Kicksecure and should be addressed as per the Self Support First Policy.

  1. Install VirtualBox guest additions inside the VM. [13]
  2. Add the user that will utilize shared folders from inside the VM to group vboxsf: sudo addgroup user vboxsf
  3. A reboot is required to make group changes take effect.
  4. Follow the instructions above.

VirtualBox Guest Additions[edit]

Introduction[edit]

In Kicksecure, VirtualBox guest additions are installed by default. [14]

To avoid any issues with the guest additions, users are highly recommended to:

  1. Use the Recommended VirtualBox Version for use with Kicksecure.
  2. Leave installation of the recommended version of VirtualBox guest additions to Kicksecure as dcoumented and to avoid manual installation. This documentation will be updated as required. Check back later in case you have issues.

There might be a few odd messages during updates which are actually non-issues. Unless actual functionality is broken, please do not ask about odd messages as per Support Request Policy.

In case of issues, see also VirtualBox troubleshooting and consider a bug report.

VirtualBox Guest Additions Installation Sources[edit]

There are multiple sources to install VirtualBox guest additions from. It is possible to switch from one installation source to another. However, only 1 installation source should be used at the same time. If migrating from one installation source to another, the previous installation source should be disabled.

Table: VirtualBox Guest Additions Installation Sources

Option Nickname Installation Source Technical Difference Installed by Default Used by Default
A Debian Style From Debian's (fasttrack.debian.net) packages virtualbox-guest-utils, virtualbox-guest-x11.
  • Adjusted by Debian specifically for Debian. Works very well when using the same version of the VirtualBox host software as well as VirtualBox guest additions.
  • After installation of the package(s), VirtualBox Guest Additions will be fully setup and functional.
Yes Yes
B Host ISO VirtualBox guest additions ISO / CD
  • This is the VirtualBox guest additions ISO / CD from Oracle, which is the company that develops VirtualBox.
  • This ISO is shipped with the VirtualBox host software.
  • The ISO contains generic VirtualBox guest additions installer for many Linux versions.
  • Not specifically designed for Debian.
  • Only recommended in case installing a newer version of VirtualBox from the VirtualBox.org Repository than available from Debian and only recommended if the ISO cannot instead be installed from the next entry in this table.
  • To actually install VirtualBox guest additions from this source, the user would have to mount or extract the ISO and run the setup installer as was per instructions on the VirtualBox websitearchive.org.
No No
C Oracle Style From Debian's (packages.debian.org) package virtualbox-guest-additions-isoarchive.org.
  • Similar to above.
  • A Debian maintainer has built the VirtualBox guest additions ISO and added it to the virtualbox-guest-additions-iso package to provide a more convenient method to acquire the ISO.
  • Installation alone of the package does effectively nothing. The package essentially only includes file /usr/share/virtualbox/VBoxGuestAdditions.iso.
  • Only recommended in case installing a newer version of VirtualBox from the VirtualBox.org Repository than available from Debian.
  • To actually install VirtualBox guest additions from this source, the user would have to, either:
    • A) mount or extract the ISO and run the setup installer as was per instructions on the VirtualBox website, or
    • B) use vbox-guest-installer.
Yes No

VirtualBox guest additions (from packages virtualbox-guest-utils, virtualbox-guest-x11) are installed by default and should be preferred over virtualbox-guest-additions-iso. [15]

vbox-guest-installer[edit]

vbox-guest-installerarchive.org is an installation helper created by Kicksecure developers. It is a helper utility for better usability that allows to install VirtualBox guest additions from Debian's (packages.debian.org) package virtualbox-guest-additions-isoarchive.org.

  • Not enabled by default.
  • Usually no user action required.
  • Usually no enable/disable or settings change required.

Whenever the Linux kernel package or virtualbox-guest-additions-iso is upgraded, vbox-guest-installer should be automatically running. [16]

vbox-guest-installer will refuse to install VirtualBox guest additions from package virtualbox-guest-additions-iso when either package virtualbox-guest-x11 and/or package virtualbox-guest-utils is still installed. This is because only 1 installation source should be used by default as mentions in chapter VirtualBox Guest Additions Installation Sources.

To use vbox-guest-installer, see chapter Migration to Oracle Style VirtualBox Guest Additions.

VirtualBox Guest Additions CD[edit]

Depending on the VM where you intent to use VirtualBox Guest Additions. See instructions for either A) or B).

  • A) If using Kicksecure for VirtualBox with the recommended VirtualBox version:
    • Kicksecure default: VirtualBox guest additions are installed by default. (Source: Debian's (fasttrack.debian.net) packages virtualbox-guest-utils, virtualbox-guest-x11)
    • Unneeded: It is therefore usually unnecessary and discouraged to install guest additions from Debian's (packages.debian.org) package virtualbox-guest-additions-iso or from the VirtualBox ISO / CD (VBoxGuestAdditions.iso).
    • Discouraged: Do not use VirtualBoxDevicesInsert Guest Additions CD image....
    • Potential issue: If disregarding this advice this could lead to version conflicts of the VirtualBox host version versus the VirtualBox guest additions version such as black screen, screen resolution bug, broken host to VM copy/paste and similar. [17]
  • B) If you are using other operating systems: Using VirtualBox Guest Additions CD is OK. In that case, issues should be resolved as per Self Support First Policy because it would be unspecific to Kicksecure.

Migration to Oracle Style VirtualBox Guest Additions[edit]

If the user is currently using VirtualBox packages virtualbox-guest-utils and virtualbox-guest-x11 (Debian style) and wishes to migrate to Oracle Style VirtualBox Guest Additions from package virtualbox-guest-additions-iso, complete the following steps.

1. Uninstall the Debian style VirtualBox Guest Additions Packages.

This step is mandatory. Otherwise vbox-guest-installer would refuse to install Oracle Style VirtualBox Guest Additions because only 1 installation source for guest additions must be active at the same time.

sudo apt purge virtualbox-guest-utils virtualbox-guest-x11

2. Make sure package virtualbox-guest-additions-iso is installed.

Should be installed by default. To check and install if required, run.

Install package(s) virtualbox-guest-additions-iso following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system The Web Archive Onion Version .

sudo apt update && sudo apt full-upgrade

3 Install the virtualbox-guest-additions-iso package(s).

Using apt command line --no-install-recommends option The Web Archive Onion Version is in most cases optional.

sudo apt install --no-install-recommends virtualbox-guest-additions-iso

4 Platform specific notice.

5 Done.

The procedure of installing package(s) virtualbox-guest-additions-iso is complete.

3. Run vbox-guest-installer.

sudo vbox-guest-installer

4. Reboot.

5. Done.

Migration from VirtualBox Guest Additions (Debian style) to VirtualBox Guest Additions ISO (Oracle style) has been completed.

Migration to Debian Style VirtualBox Guest Additions Packages[edit]

If the user is currently using VirtualBox Guest Additions from package virtualbox-guest-additions-iso and/or ISO / CD (Oracle style) and wishes to migrate to VirtualBox packages virtualbox-guest-utils and virtualbox-guest-x11 (Debian style), complete the following steps.

1. Uninstall virtualbox-guest-additions-iso.

2. Install VirtualBox Guest Additions from Debian.

Install package(s) virtualbox-guest-utils virtualbox-guest-x11 following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system The Web Archive Onion Version .

sudo apt update && sudo apt full-upgrade

3 Install the virtualbox-guest-utils virtualbox-guest-x11 package(s).

Using apt command line --no-install-recommends option The Web Archive Onion Version is in most cases optional.

sudo apt install --no-install-recommends virtualbox-guest-utils virtualbox-guest-x11

4 Platform specific notice.

5 Done.

The procedure of installing package(s) virtualbox-guest-utils virtualbox-guest-x11 is complete.

3. Reboot.

4. Done.

Migration from VirtualBox Guest Additions ISO (Oracle style) to VirtualBox Guest Additions (Debian style) packages has been completed.

VirtualBox Guest Additions Security[edit]

General concerns have been raised about the security of VirtualBox, for example see the article The VirtualBox Kernel Driver Is Tainted Craparchive.org . However, this refers to the kernel driver (on the host), not guest additions. For opposite viewpoints, see herearchive.org and herearchive.org.

The situation might have improved since some kernel modules have been upstreamed (integrated) to the Linux mainline kernel. [18]

Alternatives[edit]

It is possible to achieve similar functionality without installing guest additions:

  • For file exchange with Kicksecure, see: File Transfer and File Sharing.
  • To achieve a higher screen resolution, see: Higher Screen Resolution without VirtualBox Guest Additions.
  • To achieve mouse integration, it is possible to set a USB tablet in VirtualBox settings. This is recommended against because it requires adding a USB controller to VirtualBox. (VirtualBoxRight-click on Virtual MachineSettingsSystemEnable absolute pointing device)

Miscellaneous[edit]

Uninstall virtualbox-guest-additions-iso[edit]

This is discouraged and should not be required. However, if you wish to uninstall VirtualBox guest additions as installed by vbox-guest-installer by Kicksecure developers, follow the steps below.

1. Note about package virtualbox-guest-additions-iso.

No purge of package virtualbox-guest-additions-iso required since vbox-guest-installer effectively does nothing if VirtualBox guest additions packages are installed. If purging virtualbox-guest-additions-iso is desired this is OK too.

2. Uninstall Oracle style VirtualBox guest additions.

To remove VirtualBox guest additions (previously installed by Kicksecure from virtualbox-guest-additions-iso), run VirtualBox guest additions uninstaller by VirtualBox developers.

sudo /usr/sbin/vbox-uninstall-guest-additions

Debugging[edit]

To help debug issues, inspect the following logs and services.

cat /var/log/vboxadd-install.log

sudo systemctl status vboxadd

sudo systemctl status vboxadd-service.service

ls -la /opt/VBoxGuestAdditions-*/init/

Kernel Upgrades[edit]

The following issue is happening during kernel upgrades.

/etc/kernel/postinst.d/vboxadd:
VirtualBox Guest Additions: Building the modules for kernel 5.6.0-0.bpo.2-amd64.
Failed to rename process, ignoring: Operation not permitted
update-initramfs terminated by signal TERM.

Workaround in short: two reboots required.

Workaround details: This results in guest additions being non-functional after the next reboot. During the next reboot VirtualBox guest additions will automatically detect the missing kernel modules for the upgraded kernel and build them. Therefore when rebooting yet another time the issue should be resolved until the next kernel upgrade.

Please contribute to generic bug reproduction:

See also Kicksecure specific technical information, VirtualBox Integration.

One long term solution might be replacing initramfs-tools with dracut but that needs further research and development work. (develpoment discussionarchive.org, issuearchive.org)

Non-Issues[edit]

If the following message appears during a kernel upgrade, it is a non-issue.

None.

See Also[edit]

Footnotes[edit]

  1. Host -> Whonix-Gateway clipboard sharing enable by default?archive.org
  2. https://forums.whonix.org/t/security-risks-of-virtualbox-shared-folders/10119archive.org
  3. To learn more about VirtualBox shared folders, see: VirtualBox Manual - Chapter 4. Guest Additionsarchive.org.
  4. Admittedly, this recommendation does not have a strong rationale. Disabling additional features in other virtualizers or general applications will similarly lead to less code paths being utilized and arguably increasing security. VirtualBox software is not special in this regard.
  5. Because otherwise you cannot change VirtualBox VM settings.
  6. From VirtualBox v6+.
  7. Using /lib/systemd/system/mnt-shared-vbox.servicearchive.org.
  8. If you do not wish to write to that folder from within the VM, you are free to check/enable this setting.
  9. If the option is unavailable, upgrade VirtualBox.
  10. Alternatively, the folder /home/user/shared can be chosen. The VirtualBox default means that the folder would be owned by root and the group vboxsf.
  11. This is specific to the VirtualBox version; newer versions may no longer have this option. Check Make Permanent if this setting should persist after restarting the virtual machine. Otherwise, this setting will be temporary.
  12. By default, VirtualBox uses the prefix sf_.
  13. This step is required. Quote VirtualBox Manual - Chapter 4. Guest Additionsarchive.org:

    With the shared folders feature of Oracle VM VirtualBox, you can access files of your host system from within the guest system. This is similar to how you would use network shares in Windows networks, except that shared folders do not require networking, only the Guest Additions.

  14. virtualbox-guest-additions-iso is still installed by default. Should there be issues with virtualbox-guest-utils, virtualbox-guest-x11 as there was in past due to unavailability, then it's easier to fall back to that solution. vbox-guest-installer] (installation helper created by Kicksecure developers) is also still installed by default for the same purpose.
  15. debian/vm-config-dist.triggers
  16. Installation of VirtualBox guest additions from CD might also cause issues.archive.org

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!