diff options
Diffstat (limited to 'nixos/modules/virtualisation/spice-usb-redirection.nix')
| -rw-r--r-- | nixos/modules/virtualisation/spice-usb-redirection.nix | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/nixos/modules/virtualisation/spice-usb-redirection.nix b/nixos/modules/virtualisation/spice-usb-redirection.nix new file mode 100644 index 00000000000..255327f2622 --- /dev/null +++ b/nixos/modules/virtualisation/spice-usb-redirection.nix @@ -0,0 +1,26 @@ +{ config, pkgs, lib, ... }: +{ + options.virtualisation.spiceUSBRedirection.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Install the SPICE USB redirection helper with setuid + privileges. This allows unprivileged users to pass USB devices + connected to this machine to libvirt VMs, both local and + remote. Note that this allows users arbitrary access to USB + devices. + ''; + }; + + config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable { + environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions + security.wrappers.spice-client-glib-usb-acl-helper = { + owner = "root"; + group = "root"; + capabilities = "cap_fowner+ep"; + source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper"; + }; + }; + + meta.maintainers = [ lib.maintainers.lheckemann ]; +} |