Merge pull request #87576 from xtruder/pkgs/libvirtd/polkit

libvirtd: polkit integration, security fixes
2024-09-22 13:29:00 +02:00 · 2020-05-13 21:00:51 +07:00 · 2020-05-13 21:00:51 +07:00 · 9a29fe5808
parent 2b51171fb6 056ab3d278
commit 9a29fe5808
2 changed files with 14 additions and 6 deletions
--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
@ -7,10 +7,8 @@ let
  cfg = config.virtualisation.libvirtd;
  vswitch = config.virtualisation.vswitch;
  configFile = pkgs.writeText "libvirtd.conf" ''
-    unix_sock_group = "libvirtd"
-    unix_sock_rw_perms = "0770"
-    auth_unix_ro = "none"
-    auth_unix_rw = "none"
+    auth_unix_ro = "polkit"
+    auth_unix_rw = "polkit"
    ${cfg.extraConfig}
  '';
  qemuConfigFile = pkgs.writeText "qemu.conf" ''
@ -269,5 +267,14 @@ in {

    systemd.sockets.libvirtd    .wantedBy = [ "sockets.target" ];
    systemd.sockets.libvirtd-tcp.wantedBy = [ "sockets.target" ];
+
+    security.polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) {
+        if (action.id == "org.libvirt.unix.manage" &&
+          subject.isInGroup("libvirtd")) {
+          return polkit.Result.YES;
+        }
+      });
+    '';
  };
 }
--- a/pkgs/development/libraries/libvirt/default.nix
+++ b/pkgs/development/libraries/libvirt/default.nix
@ -4,7 +4,7 @@
 , iproute, iptables, readline, lvm2, utillinux, systemd, libpciaccess, gettext
 , libtasn1, ebtables, libgcrypt, yajl, pmutils, libcap_ng, libapparmor
 , dnsmasq, libnl, libpcap, libxslt, xhtml1, numad, numactl, perlPackages
-, curl, libiconv, gmp, zfs, parted, bridge-utils, dmidecode
+, curl, libiconv, gmp, zfs, parted, bridge-utils, dmidecode, dbus
 , enableXen ? false, xen ? null
 , enableIscsi ? false, openiscsi
 , enableCeph ? false, ceph
@ -36,7 +36,7 @@ in stdenv.mkDerivation rec {
  nativeBuildInputs = [ makeWrapper pkgconfig docutils ] ++ optionals (!buildFromTarball) [ autoreconfHook ];
  buildInputs = [
    libxml2 gnutls perl python2 readline gettext libtasn1 libgcrypt yajl
-    libxslt xhtml1 perlPackages.XMLXPath curl libpcap glib
+    libxslt xhtml1 perlPackages.XMLXPath curl libpcap glib dbus
  ] ++ optionals stdenv.isLinux [
    libpciaccess lvm2 utillinux systemd libnl numad zfs
    libapparmor libcap_ng numactl attr parted
@ -74,6 +74,7 @@ in stdenv.mkDerivation rec {
    "--with-test"
    "--with-esx"
    "--with-remote"
+    "--with-polkit"
  ] ++ optionals stdenv.isLinux [
    "QEMU_BRIDGE_HELPER=/run/wrappers/bin/qemu-bridge-helper"
    "QEMU_PR_HELPER=/run/libvirt/nix-helpers/qemu-pr-helper"