We’ve been recommending against installing VirtualBox Guest Addition for a while now. It’s time to reconsider this.
Not having VirtualBox Guest Addition installed creates more confusion than gain. Without using guest additions shared folder feature, file transfer in and out VMs is really difficult. Users tend to use free online file sharing services to transfer their files form one VM to another or in/out the VM. While doing so, they might make mistakes during encryption of the file, because there are also no file/folder encryption tools with good usability. And even if such a tool would exist, after the Snowden revelations, we know that encrypted files are indefinitely stored, because perhaps the encryption can be cracked in (distant) future. Therefore users should be discouraged to upload their most private files. Also other issues such as with screen resolution or catching the mouse cursor might prevents users from using Whonix at all.
Why did we recommend against installing guest additions in the first place? There were some statement, that The VirtualBox Kernel Driver Is Tainted Crap. On the other hand, there are contradictory statements by Debian Developers:
After reading virtually everything on that topic on the internet, I think it may have been an overly paranoid recommendation to avoid installing them. The usability issues of not having them installed by default may be a bigger security issue than the risk of having them installed.
What exactly is the risk? When does it apply? A greater risk of remote code execution when they are installed or just easier breakout of a VM after being compromised? The latter doesn’t really count since attacker could install them – unless the adversary got only a user compromise and lacks a root privilege escalation exploit.
I am considering to install guest additions by default to make Whonix for VirtualBox users more usable while keeping those might disagree happy as well. Users of physical isolation would be unaffected, because the build script would skip installing them. Apart from a little disk space, download users Qubes or KVM would be unaffected. Those would not be loaded then, just as KVM’s spice (pre installed) doesn’t load in VirtualBox. It would be possible to simply uninstall them (sudo apt-get purge virtualbox-guest-x11 && sudo apt-get autoremove && sudo reboot), because no anon-meta-package would depend on virtualbox-guest-x11. The possibility to uninstall them and the eventual security gain would be document in the security guide. Builds from source could use something like a –vbox-guest false option to skip installing them.