[Spice-devel] [PATCH spice-gtk 4/5] Add a suid root helper to open usb device nodes

Hans de Goede hdegoede at redhat.com
Tue Nov 15 09:14:56 PST 2011


On 11/15/2011 04:56 PM, Alon Levy wrote:
> On Tue, Nov 15, 2011 at 04:31:00PM +0100, Hans de Goede wrote:
>> spice-client needs to be able to open the device nodes under /dev/bus/usb
>> to be able to redirect a usb device to the guest. Normally opening these
>> nodes is only allowed by root. This patch adds a suid root helper which
>> asks policykit if it is ok to grant raw usb device access, and if policykit
>> says it is ok, opens up the acl so that the spice-client can open the device
>> node.
>> As soon as spice-client closes the stdin of the helper, the helper removes
>> the extra rights. This ensures that the acl gets put back to normal even if
>> the spice client crashes. Normally the spice-client closes stdin directly
>> after opening the device node.
>> Signed-off-by: Hans de Goede <hdegoede at redhat.com>
>> ---
>>   configure.ac                                  |   15 ++
>>   data/Makefile.am                              |    4 +
>>   data/org.spice-space.lowlevelusbaccess.policy |   20 ++
> Why spice-space and not spice? because it has to be a domain?
> (and for all other uses of spice-space as a namespace)
> If so no objection.

Because it traditionally is a domain. I did not really think a lot
about this; I just went with spice-space, and I think that makes
sense, as just "spice" is a rather overloaded term / name.
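
The commit message quoted above ties the lifetime of the extra access to the helper's stdin, so the access is withdrawn even when the client crashes. The following C sketch is an added example, not code from the patch or from spice-gtk: `struct grant` is a hypothetical stand-in for the ACL entry, all function names are assumptions, and the policykit check and the setuid handling are left out.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the extra ACL entry on the device node. */
struct grant { int active; int grants; int revokes; };

static void grant_access(struct grant *g)  { g->active = 1; g->grants++; }
static void revoke_access(struct grant *g) { g->active = 0; g->revokes++; }

/* Helper side: grant, block until every writer on ctl_fd is gone (read()
 * returns 0), then revoke. Returns 0 on EOF, -1 on a read error; access is
 * revoked on both paths. */
int helper_hold_grant(int ctl_fd, struct grant *g)
{
    char buf[64];
    ssize_t n;

    grant_access(g);
    do {
        n = read(ctl_fd, buf, sizeof buf);  /* payload ignored, only EOF matters */
    } while (n > 0 || (n < 0 && errno == EINTR));
    revoke_access(g);
    return n == 0 ? 0 : -1;
}

/* Constructed scenario: a forked "client" holds the write end of the pipe.
 * crash == 0: it closes the pipe itself; crash != 0: it is killed and the
 * kernel closes the descriptor, which the helper sees as the same EOF. */
int simulate(int crash, struct grant *g)
{
    int p[2], rc;
    pid_t pid;

    if (pipe(p) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                    /* client process */
        close(p[0]);
        if (crash) raise(SIGKILL);     /* no cleanup code gets to run */
        close(p[1]);
        _exit(0);
    }
    close(p[1]);   /* helper must hold no writer itself, or EOF never arrives */
    rc = helper_hold_grant(p[0], g);
    close(p[0]);
    waitpid(pid, NULL, 0);
    return rc;
}

int main(void)
{
    struct grant g = {0, 0, 0};
    int rc = simulate(1, &g);
    printf("rc=%d active=%d grants=%d revokes=%d\n", rc, g.active, g.grants, g.revokes);
    return 0;
}
```

The `close(p[1])` in the parent is the detail that makes the scheme work: any surviving copy of the write end, including one inherited by an unrelated child, keeps the grant alive.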


