Merge pull request #67968 from ambrop72/virtualbox-qt-fix

virtualbox: Fix #65564

2 files changed, 33 insertions, 3 deletions

diff --git a/pkgs/applications/virtualization/virtualbox/default.nix b/pkgs/applications/virtualization/virtualbox/default.nix
index 20930b86537..104fc8a89bf 100644
--- a/pkgs/applications/virtualization/virtualbox/default.nix
+++ b/pkgs/applications/virtualization/virtualbox/default.nix
@@ -1,8 +1,8 @@
 { config, stdenv, fetchurl, lib, iasl, dev86, pam, libxslt, libxml2, wrapQtAppsHook
 , libX11, xorgproto, libXext, libXcursor, libXmu, libIDL, SDL, libcap, libGL
 , libpng, glib, lvm2, libXrandr, libXinerama, libopus, qtbase, qtx11extras
-, qttools, pkgconfig, which, docbook_xsl, docbook_xml_dtd_43
-, alsaLib, curl, libvpx, nettools, dbus
+, qttools, qtsvg, qtwayland, pkgconfig, which, docbook_xsl, docbook_xml_dtd_43
+, alsaLib, curl, libvpx, nettools, dbus, substituteAll
 , makeself, perl
 , javaBindings ? true, jdk ? null # Almost doesn't affect closure size
 , pythonBindings ? false, python3 ? null
@@ -37,7 +37,7 @@ in stdenv.mkDerivation {
   nativeBuildInputs = [ pkgconfig which docbook_xsl docbook_xml_dtd_43 patchelfUnstable ]
     ++ optional (!headless) wrapQtAppsHook;
 
-  # Wrap manually because we just need to wrap one executable
+  # Wrap manually because we wrap just a small number of executables.
   dontWrapQtApps = true;
 
   buildInputs =
@@ -79,6 +79,17 @@ in stdenv.mkDerivation {
 
   patches =
      optional enableHardening ./hardened.patch
+     # When hardening is enabled, we cannot use wrapQtApp to ensure that VirtualBoxVM sees
+     # the correct environment variables needed for Qt to work, specifically QT_PLUGIN_PATH.
+     # This is because VirtualBoxVM would detect that it is wrapped that and refuse to run,
+     # and also because it would unset QT_PLUGIN_PATH for security reasons. We work around
+     # these issues by patching the code to set QT_PLUGIN_PATH to the necessary paths,
+     # after the code that unsets it. Note that qtsvg is included so that SVG icons from
+     # the user's icon theme can be loaded.
+  ++ optional (!headless && enableHardening) (substituteAll {
+      src = ./qt-env-vars.patch;
+      qtPluginPath = "${qtbase.bin}/${qtbase.qtPluginPrefix}:${qtsvg.bin}/${qtbase.qtPluginPrefix}:${qtwayland.bin}/${qtbase.qtPluginPrefix}";
+    })
   ++ [
     ./qtx11extras.patch
   ];
@@ -184,6 +195,11 @@ in stdenv.mkDerivation {
 
   preFixup = optionalString (!headless) ''
     wrapQtApp $out/bin/VirtualBox
+  ''
+  # If hardening is disabled, wrap the VirtualBoxVM binary instead of patching
+  # the source code (see postPatch).
+  + optionalString (!headless && !enableHardening) ''
+    wrapQtApp $out/libexec/virtualbox/VirtualBoxVM
   '';
 
   passthru = {
diff --git a/pkgs/applications/virtualization/virtualbox/qt-env-vars.patch b/pkgs/applications/virtualization/virtualbox/qt-env-vars.patch
new file mode 100644
index 00000000000..ad1d1fd11f8
--- /dev/null
+++ b/pkgs/applications/virtualization/virtualbox/qt-env-vars.patch
@@ -0,0 +1,14 @@
+--- a/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp
++++ b/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp
+@@ -2131,6 +2131,11 @@ static void supR3HardenedMainPurgeEnvironment(char **envp)
+         /** @todo Call NT API to do the same. */
+ #endif
+     }
++
++    /*
++     * NixOS hack: Set QT_PLUGIN_PATH to make Qt find plugins.
++     */
++    setenv("QT_PLUGIN_PATH", "@qtPluginPath@", /*overwrite=*/ 1);
+ }
+ 
+