diff options
| author | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-12 18:53:48 +0200 |
|---|---|---|
| committer | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-13 13:48:13 +0200 |
| commit | fedd7cd6901646cb7e2a94a148d300f7b632d7e0 (patch) | |
| tree | 14b7af8318d75536656849335e20c51cdfdf3447 /nixos/modules/virtualisation/spice-usb-redirection.nix | |
| parent | 8f76a6eefcfa0c9904e0749f04b27090527ce09f (diff) | |
| download | nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar.gz nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar.bz2 nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar.lz nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar.xz nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar.zst nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.zip | |
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you to think about what the wrapper ownership and permissions will be.
Diffstat (limited to 'nixos/modules/virtualisation/spice-usb-redirection.nix')
| -rw-r--r-- | nixos/modules/virtualisation/spice-usb-redirection.nix | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/nixos/modules/virtualisation/spice-usb-redirection.nix b/nixos/modules/virtualisation/spice-usb-redirection.nix index 4168cebe79b..255327f2622 100644 --- a/nixos/modules/virtualisation/spice-usb-redirection.nix +++ b/nixos/modules/virtualisation/spice-usb-redirection.nix @@ -14,9 +14,11 @@ config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable { environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions - security.wrappers.spice-client-glib-usb-acl-helper ={ - source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper"; + security.wrappers.spice-client-glib-usb-acl-helper = { + owner = "root"; + group = "root"; capabilities = "cap_fowner+ep"; + source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper"; }; }; |