- The printing of the warning about the insecurity in USB passthru had been lost. As most people are likely to want that feature,

the logic has been inverted. Now, the required udev commands to allow passthru are included. The first time that VB is started,
  the user will get a screen that points to the bug entry discussing the problem and states what they should do to block the
  insecure usage. In any case, that screen will only be printed once. File "virtualbox-60-vboxdrv.rules" has been added
  These changes address the issues in bnc #1018340.

OBS-URL: https://build.opensuse.org/package/show/Virtualization/virtualbox?expand=0&rev=303

vbox-usb-warning.diff

@@ -62,7 +62,7 @@ Index: a/src/apps/VBoxUSB_DevRules/VBoxUSB_DevRules.cpp
 +        QApplication app(argc, argv);
 +        QMessageBox msgBox;
 +        msgBox.setWindowTitle(QObject::tr("USB Rules and Permissions !"));
-+        msgBox.setText(QObject::tr("USB passthru opens a security hole. Please read \n\nhttps://bugzilla.novell.com/show_bug.cgi?id=664520\n\nto understand the problem. If you really want/need to use USB passthru, then copy /usr/lib/udev/rules.d/60-vboxdrv.rules to /etc/udev/rules.d/, and modify that file as outlined in the comments.\n\nTo avoid seeing this message every time VirtualBox is started, a dummy file is being created."));
++        msgBox.setText(QObject::tr("USB passthru opens a security hole. Please read \n\nhttps://bugzilla.novell.com/show_bug.cgi?id=664520\n\nto understand the problem. If you really want/need to use USB passthru and are willing to accept the security risk, then do nothing. To plug the security hole, remove all 'usb' lines from /etc/udev/rules.d/60-vboxdrv.rules.\n\nThis message will not be seen again!"));
 +        int ret = msgBox.exec();
 +        app.quit();
 +        return 0;

virtualbox-60-vboxdrv.rules

@@ -0,0 +1,7 @@
+KERNEL=="vboxdrv", NAME="vboxdrv", OWNER="root", GROUP="root", MODE="0600"
+KERNEL=="vboxdrvu", NAME="vboxdrvu", OWNER="root", GROUP="root", MODE="0666"
+KERNEL=="vboxnetctl", NAME="vboxnetctl", OWNER="root", GROUP="root", MODE="0600"
+SUBSYSTEM=="usb_device", ACTION=="add", RUN+="/usr/lib/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
+SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="/usr/lib/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
+SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="/usr/lib/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
+SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="/usr/lib/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"

virtualbox-wrapper.sh

@@ -1,4 +1,9 @@
 #!/bin/bash
 export QT_NO_KDE_INTEGRATION=1
 /usr/bin/id -nG | grep -v -e "root" -e "vboxusers" >/dev/null && /usr/lib/virtualbox/VBoxPermissionMessage && exit
+if [ ! -f ~/.vbox/message_out ] ; then
+    /usr/lib/virtualbox/VBoxUSB_DevRules
+    mkdir -p ~/.vbox/
+    touch ~/.vbox/message_out
+fi
 LD_LIBRARY_PATH="/usr/lib/virtualbox${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" /usr/lib/virtualbox/VirtualBox $@

virtualbox.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Sat Jan 14 02:14:27 UTC 2017 - Larry.Finger@lwfinger.net
+
+- The printing of the warning about the insecurity in USB passthru had been lost. As most people are likely to want that feature,
+  the logic has been inverted. Now, the required udev commands to allow passthru are included. The first time that VB is started,
+  the user will get a screen that points to the bug entry discussing the problem and states what they should do to block the
+  insecure usage. In any case, that screen will only be printed once. File "virtualbox-60-vboxdrv.rules" has been added
+  These changes address the issues in bnc #1018340.
+
 -------------------------------------------------------------------
 Wed Dec 21 03:19:26 UTC 2016 - Larry.Finger@lwfinger.net
 

virtualbox.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package virtualbox
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 %define _vbox_instdir  %{_libexecdir}/virtualbox
-%define _udevrulesdir %{_libexecdir}/udev/rules.d
+%define _udevrulesdir %{_sysconfdir}/udev/rules.d
 Name:           virtualbox
 Version:        5.1.12
 Release:        0
@@ -40,6 +40,7 @@ Source7:        %{name}-host-preamble
 Source8:        %{name}-guest-preamble
 Source9:        %{name}-wrapper.sh
 Source10:       %{name}-LocalConfig.kmk
+Source11:       %{name}-60-vboxdrv.rules
 # init script to start virtual boxes during boot, to be configured via /etc/sysconfig/vbox bnc#582398
 Source12:       %{name}-vboxes
 Source13:       %{name}-sysconfig.vbox
@@ -530,6 +531,7 @@ install -m 755 VBoxXPCOMIPCD 			%{buildroot}%{_vbox_instdir}
 install -m 755 VBoxExtPackHelperApp		%{buildroot}%{_vbox_instdir}
 install -m 755 VBoxTestOGL			%{buildroot}%{_vbox_instdir}
 install -m 755 VBoxPermissionMessage		%{buildroot}%{_vbox_instdir}
+install -m 755 VBoxUSB_DevRules			%{buildroot}%{_vbox_instdir}
 install -m 755 VBoxNetDHCP			%{buildroot}%{_vbox_instdir}
 install -m 755 VBoxNetAdpCtl			%{buildroot}%{_vbox_instdir}
 install -m 755 VirtualBox			%{buildroot}%{_vbox_instdir}
@@ -544,6 +546,7 @@ install -m 644 nls/*				%{buildroot}%{_datadir}/virtualbox/nls/
 # install kmp src
 mkdir -p %{buildroot}%{_usrsrc}/kernel-modules
 cp -a src %{buildroot}%{_usrsrc}/kernel-modules/virtualbox
+install -m 644 %{SOURCE11}			%{buildroot}%{_udevrulesdir}/60-vboxdrv.rules
 popd
 
 # install desktop file
@@ -792,6 +795,7 @@ exit 0
 %files qt
 %defattr(-, root, root)
 %attr(0755,root,vboxusers) %{_vbox_instdir}/VBoxPermissionMessage
+%attr(0755,root,vboxusers) %{_vbox_instdir}/VBoxUSB_DevRules
 %verify(not mode) %attr(4750,root,vboxusers) %{_vbox_instdir}/VirtualBox
 #wrapper script is in bindir
 %attr(0755,root,root) %{_bindir}/VirtualBox
@@ -802,6 +806,7 @@ exit 0
 %{_vbox_instdir}/VirtualBox.so
 %{_datadir}/pixmaps/virtualbox.png
 %{_datadir}/applications/%{name}.desktop
+%{_udevrulesdir}/60-vboxdrv.rules
 
 %files guest-x11
 %defattr(-, root, root)