authorHans de Goede <hdegoede@redhat.com>2011-11-09 20:33:47 +0100
committerHans de Goede <hdegoede@redhat.com>2011-11-16 18:31:30 +0100
commit2161b5464fa8ad995ce6116f78aacb4c2389af55 (patch)
treed2e1930cdaf60449193e5651d928276047c1b244 /data
parent012f2de1215b2f654571e2ca924f106c24315ba4 (diff)
Add a suid root helper to open usb device nodes
spice-client needs to be able to open the device nodes under /dev/bus/usb to be able to redirect a usb device to the guest. Normally opening these nodes is only allowed by root. This patch adds a suid root helper which asks policykit if it is ok to grant raw usb device access, and if policykit says it is ok, opens up the acl so that the spice-client can open the device node. As soon as spice-client closes the stdin of the helper, the helper removes the extra rights. This ensures that the acl gets put back to normal even if the spice client crashes. Normally the spice-client closes stdin directly after opening the device node. Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Diffstat (limited to 'data')
-rw-r--r--data/Makefile.am4
-rw-r--r--data/org.spice-space.lowlevelusbaccess.policy20
2 files changed, 24 insertions, 0 deletions
diff --git a/data/Makefile.am b/data/Makefile.am
index 5ad1157..71934af 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -17,6 +17,7 @@ EXTRA_DIST = \
spice-protocol.vapi \
gtkrc \
$(desktop_in_files) \
+ org.spice-space.lowlevelusbaccess.policy \
$(NULL)
CLEANFILES = \
@@ -30,4 +31,7 @@ DISTCLEANFILES = \
vapidir = $(VAPIDIR)
vapi_DATA = spice-protocol.vapi
+policydir = $(POLICYDIR)
+policy_DATA = org.spice-space.lowlevelusbaccess.policy
+
-include $(top_srcdir)/git.mk
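Review bot: The added `policydir`/`policy_DATA` lines install the polkit action file unconditionally, so it appears to ship even in builds where polkit was not detected or the suid helper is not compiled. In that case `$(POLICYDIR)` may also be empty. The configure logic is not visible on this page, so this is inferred and should be checked against configure.ac. Consider wrapping the two lines in the Automake conditional that gates the helper, `if POLKIT_CONDITIONAL_PLACEHOLDER` … `endif` (placeholder name), with a comment such as `# polkit action consulted by the suid USB ACL helper; install only when the helper is built`.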
diff --git a/data/org.spice-space.lowlevelusbaccess.policy b/data/org.spice-space.lowlevelusbaccess.policy
new file mode 100644
index 0000000..170f5ff
--- /dev/null
+++ b/data/org.spice-space.lowlevelusbaccess.policy
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+<policyconfig>
+
+ <vendor>The Spice Project</vendor>
+ <vendor_url>http://spice-space.org/</vendor_url>
+ <icon_name>spice</icon_name>
+
+ <action id="org.spice-space.lowlevelusbaccess">
+ <description>Low level USB device access</description>
+ <message>Privileges are required for low level USB device access (for usb device pass through).</message>
+ <defaults>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ </action>
+
+</policyconfig>
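Review bot: `<allow_active>auth_admin_keep</allow_active>` lets polkit retain the admin authorization for a short period, and the action `org.spice-space.lowlevelusbaccess` is not scoped to a particular device. One approval can therefore presumably cover later requests for other device nodes while it is retained; the helper code is outside this page, so confirm how it identifies the requester and the device. If a prompt per redirection is intended, use `<allow_active>auth_admin</allow_active>`. The `<defaults>` block also omits `allow_any`; stating `<allow_any>no</allow_any>` makes the intent for clients outside a local session explicit instead of relying on polkit's default. An XML comment above the action, noting that it gates ACL changes on /dev/bus/usb nodes made by a suid root helper, would help packagers and administrators who audit the policy.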