From e2fd022d633127cf9349333ad40e507387a859bf Mon Sep 17 00:00:00 2001
From: Linus Heckemann <git@sphalerite.org>
Date: Sat, 12 Sep 2020 09:10:06 +0200
Subject: [PATCH 1/2] nixos/spice-usb-redirection: init

Fixes #39618
---
 nixos/modules/module-list.nix                 |  1 +
 .../virtualisation/spice-usb-redirection.nix  | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 nixos/modules/virtualisation/spice-usb-redirection.nix

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index b516b1785195..c7343e47ead1 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1026,6 +1026,7 @@
   ./virtualisation/podman.nix
   ./virtualisation/qemu-guest-agent.nix
   ./virtualisation/railcar.nix
+  ./virtualisation/spice-usb-redirection.nix
   ./virtualisation/virtualbox-guest.nix
   ./virtualisation/virtualbox-host.nix
   ./virtualisation/vmware-guest.nix
diff --git a/nixos/modules/virtualisation/spice-usb-redirection.nix b/nixos/modules/virtualisation/spice-usb-redirection.nix
new file mode 100644
index 000000000000..39bfa0e6047b
--- /dev/null
+++ b/nixos/modules/virtualisation/spice-usb-redirection.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+{
+  options.virtualisation.spiceUSBRedirection.enable = lib.mkOption {
+    type = lib.types.bool;
+    default = false;
+    description = ''
+      Install the SPICE USB redirection helper with setuid
+      privileges. This allows unprivileged users to pass USB devices
+      connected to this machine to libvirt VMs, both local and
+      remote. Note that this allows users arbitrary access to USB
+      devices.
+    '';
+  };
+
+  config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {
+    environment.systemPackages = [ pkgs.spice_gtk ];
+    security.wrappers.spice-client-glib-usb-acl-helper.source = "${pkgs.spice_gtk}/bin/spice-client-glib-usb-acl-helper";
+  };
+
+  meta.maintainers = [ lib.maintainers.lheckemann ];
+}

From ad7b27b4c848826e12b76f5fc05f3dfa3e9b50a9 Mon Sep 17 00:00:00 2001
From: Linus Heckemann <git@sphalerite.org>
Date: Sat, 12 Sep 2020 17:00:44 +0200
Subject: [PATCH 2/2] fixup: address @jtojnar's review comments

---
 nixos/modules/virtualisation/spice-usb-redirection.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/virtualisation/spice-usb-redirection.nix b/nixos/modules/virtualisation/spice-usb-redirection.nix
index 39bfa0e6047b..4168cebe79b1 100644
--- a/nixos/modules/virtualisation/spice-usb-redirection.nix
+++ b/nixos/modules/virtualisation/spice-usb-redirection.nix
@@ -13,8 +13,11 @@
   };
 
   config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {
-    environment.systemPackages = [ pkgs.spice_gtk ];
-    security.wrappers.spice-client-glib-usb-acl-helper.source = "${pkgs.spice_gtk}/bin/spice-client-glib-usb-acl-helper";
+    environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions
+    security.wrappers.spice-client-glib-usb-acl-helper ={
+      source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
+      capabilities = "cap_fowner+ep";
+    };
   };
 
   meta.maintainers = [ lib.maintainers.lheckemann ];