Merge pull request #87576 from xtruder/pkgs/libvirtd/polkit
libvirtd: polkit integration, security fixes
This commit is contained in:
commit
9a29fe5808
2 changed files with 14 additions and 6 deletions
|
@ -7,10 +7,8 @@ let
|
|||
cfg = config.virtualisation.libvirtd;
|
||||
vswitch = config.virtualisation.vswitch;
|
||||
configFile = pkgs.writeText "libvirtd.conf" ''
|
||||
unix_sock_group = "libvirtd"
|
||||
unix_sock_rw_perms = "0770"
|
||||
auth_unix_ro = "none"
|
||||
auth_unix_rw = "none"
|
||||
auth_unix_ro = "polkit"
|
||||
auth_unix_rw = "polkit"
|
||||
${cfg.extraConfig}
|
||||
'';
|
||||
qemuConfigFile = pkgs.writeText "qemu.conf" ''
|
||||
|
@ -269,5 +267,14 @@ in {
|
|||
|
||||
systemd.sockets.libvirtd .wantedBy = [ "sockets.target" ];
|
||||
systemd.sockets.libvirtd-tcp.wantedBy = [ "sockets.target" ];
|
||||
|
||||
security.polkit.extraConfig = ''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (action.id == "org.libvirt.unix.manage" &&
|
||||
subject.isInGroup("libvirtd")) {
|
||||
return polkit.Result.YES;
|
||||
}
|
||||
});
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
, iproute, iptables, readline, lvm2, utillinux, systemd, libpciaccess, gettext
|
||||
, libtasn1, ebtables, libgcrypt, yajl, pmutils, libcap_ng, libapparmor
|
||||
, dnsmasq, libnl, libpcap, libxslt, xhtml1, numad, numactl, perlPackages
|
||||
, curl, libiconv, gmp, zfs, parted, bridge-utils, dmidecode
|
||||
, curl, libiconv, gmp, zfs, parted, bridge-utils, dmidecode, dbus
|
||||
, enableXen ? false, xen ? null
|
||||
, enableIscsi ? false, openiscsi
|
||||
, enableCeph ? false, ceph
|
||||
|
@ -36,7 +36,7 @@ in stdenv.mkDerivation rec {
|
|||
nativeBuildInputs = [ makeWrapper pkgconfig docutils ] ++ optionals (!buildFromTarball) [ autoreconfHook ];
|
||||
buildInputs = [
|
||||
libxml2 gnutls perl python2 readline gettext libtasn1 libgcrypt yajl
|
||||
libxslt xhtml1 perlPackages.XMLXPath curl libpcap glib
|
||||
libxslt xhtml1 perlPackages.XMLXPath curl libpcap glib dbus
|
||||
] ++ optionals stdenv.isLinux [
|
||||
libpciaccess lvm2 utillinux systemd libnl numad zfs
|
||||
libapparmor libcap_ng numactl attr parted
|
||||
|
@ -74,6 +74,7 @@ in stdenv.mkDerivation rec {
|
|||
"--with-test"
|
||||
"--with-esx"
|
||||
"--with-remote"
|
||||
"--with-polkit"
|
||||
] ++ optionals stdenv.isLinux [
|
||||
"QEMU_BRIDGE_HELPER=/run/wrappers/bin/qemu-bridge-helper"
|
||||
"QEMU_PR_HELPER=/run/libvirt/nix-helpers/qemu-pr-helper"
|
||||
|
|
Loading…
Reference in a new issue