Merge pull request #97826 from lheckemann/spice-usb-redir

nixos/spice-usb-redirection: init

nixos/modules/module-list.nix

@@ -1027,6 +1027,7 @@
   ./virtualisation/podman.nix
   ./virtualisation/qemu-guest-agent.nix
   ./virtualisation/railcar.nix
+  ./virtualisation/spice-usb-redirection.nix
   ./virtualisation/virtualbox-guest.nix
   ./virtualisation/virtualbox-host.nix
   ./virtualisation/vmware-guest.nix

nixos/modules/virtualisation/spice-usb-redirection.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+{
+  options.virtualisation.spiceUSBRedirection.enable = lib.mkOption {
+    type = lib.types.bool;
+    default = false;
+    description = ''
+      Install the SPICE USB redirection helper with setuid
+      privileges. This allows unprivileged users to pass USB devices
+      connected to this machine to libvirt VMs, both local and
+      remote. Note that this allows users arbitrary access to USB
+      devices.
+    '';
+  };
+
+  config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {
+    environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions
+    security.wrappers.spice-client-glib-usb-acl-helper ={
+      source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
+      capabilities = "cap_fowner+ep";
+    };
+  };
+
+  meta.maintainers = [ lib.maintainers.lheckemann ];
+}