diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix
index 4f22099443f4..f89e5d544b22 100644
--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
@@ -7,10 +7,8 @@ let
 cfg = config.virtualisation.libvirtd;
 vswitch = config.virtualisation.vswitch;
 configFile = pkgs.writeText "libvirtd.conf" ''
- unix_sock_group = "libvirtd"
- unix_sock_rw_perms = "0770"
- auth_unix_ro = "none"
- auth_unix_rw = "none"
+ auth_unix_ro = "polkit"
+ auth_unix_rw = "polkit"
 ${cfg.extraConfig}
 '';
 qemuConfigFile = pkgs.writeText "qemu.conf" ''
@@ -269,5 +267,14 @@ in {
 systemd.sockets.libvirtd .wantedBy = [ "sockets.target" ];
 systemd.sockets.libvirtd-tcp.wantedBy = [ "sockets.target" ];
+
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (action.id == "org.libvirt.unix.manage" &&
+ subject.isInGroup("libvirtd")) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
 };
 }
diff --git a/pkgs/development/libraries/libvirt/default.nix b/pkgs/development/libraries/libvirt/default.nix
index c1b34879eef3..3c0cc9751e3b 100644
--- a/pkgs/development/libraries/libvirt/default.nix
+++ b/pkgs/development/libraries/libvirt/default.nix
@@ -4,7 +4,7 @@
 , iproute, iptables, readline, lvm2, utillinux, systemd, libpciaccess, gettext
 , libtasn1, ebtables, libgcrypt, yajl, pmutils, libcap_ng, libapparmor
 , dnsmasq, libnl, libpcap, libxslt, xhtml1, numad, numactl, perlPackages
-, curl, libiconv, gmp, zfs, parted, bridge-utils, dmidecode
+, curl, libiconv, gmp, zfs, parted, bridge-utils, dmidecode, dbus
 , enableXen ? false, xen ? null
 , enableIscsi ? false, openiscsi
 , enableCeph ? false, ceph
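Review bot: In the `configFile` hunk of `libvirtd.nix`, dropping `unix_sock_group` and `unix_sock_rw_perms` leaves the owner and mode of the read-write socket to whatever libvirt or the socket unit defaults to, so after this change polkit is presumably the only control between a local user and full VM management. That shift in the access model is not documented anywhere in the hunk; a comment above `configFile` such as `# Socket access is authorised by polkit (see security.polkit.extraConfig); file permissions no longer restrict it.` would make it explicit. `${cfg.extraConfig}` is still appended after the two `auth_unix_*` lines, so it is worth stating in the option description how a user-supplied `auth_unix_rw` there interacts with the new default. The `let` block continues outside the hunk.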
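Review bot: In the `-269,5` hunk of `libvirtd.nix`, nothing visible sets `security.polkit.enable`, so on a system where polkit is off the rule added here is never evaluated while `auth_unix_rw = "polkit"` is already in force; members of `libvirtd` would then presumably be refused on the read-write socket. Unless it is set elsewhere in the module, add `security.polkit.enable = true;` next to `security.polkit.extraConfig`. The rule returns `polkit.Result.YES` for `org.libvirt.unix.manage` with no authentication, which makes membership of the group equivalent to full control of the hypervisor; a one-line comment above the rule saying so would help whoever decides who goes in that group. The enclosing `config` block starts outside the hunk.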
@@ -36,7 +36,7 @@ in stdenv.mkDerivation rec {
 nativeBuildInputs = [ makeWrapper pkgconfig docutils ] ++ optionals (!buildFromTarball) [ autoreconfHook ];
 buildInputs = [
 libxml2 gnutls perl python2 readline gettext libtasn1 libgcrypt yajl
- libxslt xhtml1 perlPackages.XMLXPath curl libpcap glib
+ libxslt xhtml1 perlPackages.XMLXPath curl libpcap glib dbus
 ] ++ optionals stdenv.isLinux [
 libpciaccess lvm2 utillinux systemd libnl numad zfs
 libapparmor libcap_ng numactl attr parted
@@ -74,6 +74,7 @@ in stdenv.mkDerivation rec {
 "--with-test"
 "--with-esx"
 "--with-remote"
+ "--with-polkit"
 ] ++ optionals stdenv.isLinux [
 "QEMU_BRIDGE_HELPER=/run/wrappers/bin/qemu-bridge-helper"
 "QEMU_PR_HELPER=/run/libvirt/nix-helpers/qemu-pr-helper"
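Review bot: Both `dbus` (in the `buildInputs` hunk at `-36,7`) and `"--with-polkit"` (in the configure-flags hunk at `-74,6`) are added to the unconditional lists, ahead of the `] ++ optionals stdenv.isLinux [` line, so they apply on every platform this derivation is built for. The polkit authorisation path is only wired up by the NixOS module, so if non-Linux builds are supported it would be safer to move `dbus` and `"--with-polkit"` into the Linux-only lists that follow. Whether the package is actually built on other platforms is not visible here, and both lists start and end outside the hunks.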