From 1894a2ace97cc61cf833f712581d31cf2c650c35 Mon Sep 17 00:00:00 2001
From: xeji
Date: Tue, 20 Feb 2018 10:50:50 +0100
Subject: [PATCH] spice-gtk: fix usb redirection

Build with polkit and acl to enable usb redirection in virt-viewer and virt-manager. Fixes #27199

usb redirection requires a setuid wrapper, see comment in code.
---
 .../development/libraries/spice-gtk/default.nix | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/libraries/spice-gtk/default.nix b/pkgs/development/libraries/spice-gtk/default.nix
index e4c614bf3b3a..440ee1b2c359 100644
--- a/pkgs/development/libraries/spice-gtk/default.nix
+++ b/pkgs/development/libraries/spice-gtk/default.nix
@@ -1,6 +1,7 @@
 { stdenv, fetchurl, pkgconfig, spice-protocol, gettext, celt_0_5_1
 , openssl, libpulseaudio, pixman, gobjectIntrospection, libjpeg_turbo, zlib
 , cyrus_sasl, python2Packages, autoreconfHook, usbredir, libsoup
+, polkit, acl, usbutils, vala
 , gtk3, epoxy }:
 
 with stdenv.lib;
@@ -18,19 +19,33 @@ in stdenv.mkDerivation rec {
 buildInputs = [
 spice-protocol celt_0_5_1 openssl libpulseaudio pixman gobjectIntrospection
 libjpeg_turbo zlib cyrus_sasl python pygtk usbredir gtk3 epoxy
+ polkit acl usbutils
 ];
 
- nativeBuildInputs = [ pkgconfig gettext libsoup autoreconfHook ];
+ nativeBuildInputs = [ pkgconfig gettext libsoup autoreconfHook vala ];
 
 NIX_CFLAGS_COMPILE = "-fno-stack-protector";
 
+ # put polkit action in the $out/share/polkit-1/actions
 preAutoreconf = ''
+ substituteInPlace configure.ac \
+ --replace 'POLICYDIR=`''${PKG_CONFIG} polkit-gobject-1 --variable=policydir`' "POLICYDIR=$out/share/polkit-1/actions"
 '';
 
 configureFlags = [
 "--with-gtk3"
 ];
 
+ # usb redirection needs spice-client-glib-usb-acl-helper to run setuid root
+ # the helper then uses polkit to check access
+ # in nixos, enable this with
+ # security.wrappers.spice-client-glib-usb-acl-helper.source =
+ # "${pkgs.spice_gtk}/bin/spice-client-glib-usb-acl-helper.real";
+ postFixup = ''
+ mv $out/bin/spice-client-glib-usb-acl-helper $out/bin/spice-client-glib-usb-acl-helper.real
+ ln -sf /run/wrappers/bin/spice-client-glib-usb-acl-helper $out/bin/spice-client-glib-usb-acl-helper
+ '';
+
 dontDisableStatic = true; # Needed by the coroutine test
 
 enableParallelBuilding = true;
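Review bot: The unchanged line `NIX_CFLAGS_COMPILE = "-fno-stack-protector";` applies to the whole build, so the `spice-client-glib-usb-acl-helper` that the new `postFixup` prepares for a setuid-root wrapper is compiled without stack-smashing protection. I would drop the flag if the build no longer needs it, or record the reason next to it, e.g. `# FIXME: also disables the stack protector for the setuid helper; needed because <reason>`. The symlink in `postFixup` points at `/run/wrappers/bin/spice-client-glib-usb-acl-helper` unconditionally, so wherever the `security.wrappers` entry from the comment is not configured it dangles and USB redirection will presumably fail at exec time; the comment should say that. If the helper only needs to adjust ACLs on USB device nodes, a capability-scoped wrapper would be narrower than full setuid root, but that needs checking against upstream. The derivation body starts and ends outside this hunk.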