Unverified Commit f751061a authored by Lassulus's avatar Lassulus Committed by GitHub

Merge pull request #237477 from accelbread/usbguard-dbus-support

nixos/usbguard: add USBGuard dbus daemon option
parents 055cb795 cbb69aa1
+84 −41
@@ -150,6 +150,8 @@ in
          Generate device specific rules including the "via-port" attribute.
        '';
      };

      dbus.enable = mkEnableOption (lib.mdDoc "USBGuard dbus daemon");
    };
  };

@@ -160,7 +162,8 @@ in

    environment.systemPackages = [ cfg.package ];

    systemd.services.usbguard = {
    systemd.services = {
      usbguard = {
        description = "USBGuard daemon";

        wantedBy = [ "basic.target" ];
@@ -203,6 +206,46 @@ in
          UMask = "0077";
        };
      };

      usbguard-dbus = mkIf cfg.dbus.enable {
        description = "USBGuard D-Bus Service";

        wantedBy = [ "multi-user.target" ];
        requires = [ "usbguard.service" ];

        serviceConfig = {
          Type = "dbus";
          BusName = "org.usbguard1";
          ExecStart = "${cfg.package}/bin/usbguard-dbus --system";
          Restart = "on-failure";
        };

        aliases = [ "dbus-org.usbguard.service" ];
      };
    };

    security.polkit.extraConfig =
      let
        groupCheck = (lib.concatStrings (map
          (g: "subject.isInGroup(\"${g}\") || ")
          cfg.IPCAllowedGroups))
        + "false";
      in
      optionalString cfg.dbus.enable ''
        polkit.addRule(function(action, subject) {
            if ((action.id == "org.usbguard.Policy1.listRules" ||
                 action.id == "org.usbguard.Policy1.appendRule" ||
                 action.id == "org.usbguard.Policy1.removeRule" ||
                 action.id == "org.usbguard.Devices1.applyDevicePolicy" ||
                 action.id == "org.usbguard.Devices1.listDevices" ||
                 action.id == "org.usbguard1.getParameter" ||
                 action.id == "org.usbguard1.setParameter") &&
                subject.active == true && subject.local == true &&
                (${groupCheck})) {
                    return polkit.Result.YES;
            }
        });
      '';
  };
  imports = [
    (mkRemovedOptionModule [ "services" "usbguard" "ruleFile" ] "The usbguard module now uses ${defaultRuleFile} as ruleFile. Alternatively, use services.usbguard.rules to configure rules.")
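Review bot: The new usbguard-dbus unit declares `requires = [ "usbguard.service" ];` but no matching `after = [ "usbguard.service" ];`, so systemd is free to start usbguard-dbus in parallel with usbguard rather than after it; since the D-Bus bridge presumably talks to the daemon's IPC socket, adding `after = [ "usbguard.service" ];` next to `requires` closes that start-up race. In the polkit snippet, `groupCheck` splices each group name into the JavaScript via `(g: "subject.isInGroup(\"${g}\") || ")` with no escaping; `(g: "subject.isInGroup(${builtins.toJSON g}) || ")` produces a properly quoted JS string literal and keeps the rule well-formed for any name an administrator configures (with an empty IPCAllowedGroups the expression reduces to `(false)`, which correctly grants nothing). The `BusName = "org.usbguard1"` and the `aliases = [ "dbus-org.usbguard.service" ]` entry also do not agree on the bus name, which deserves a one-line comment saying it mirrors upstream's unit file if that is the intent. The config block this hunk extends begins above the hunk.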