spice-gtk: fix usb redirection

Build with polkit and acl to enable usb redirection
in virt-viewer and virt-manager. Fixes #27199
usb redirection requires a setuid wrapper, see comment in code.

pkgs/development/libraries/spice-gtk/default.nix

@@ -1,6 +1,7 @@
 { stdenv, fetchurl, pkgconfig, spice-protocol, gettext, celt_0_5_1
 , openssl, libpulseaudio, pixman, gobjectIntrospection, libjpeg_turbo, zlib
 , cyrus_sasl, python2Packages, autoreconfHook, usbredir, libsoup
+, polkit, acl, usbutils, vala
 , gtk3, epoxy }:
 
 with stdenv.lib;
@@ -18,19 +19,33 @@ in stdenv.mkDerivation rec {
   buildInputs = [
     spice-protocol celt_0_5_1 openssl libpulseaudio pixman gobjectIntrospection
     libjpeg_turbo zlib cyrus_sasl python pygtk usbredir gtk3 epoxy
+    polkit acl usbutils
   ];
 
-  nativeBuildInputs = [ pkgconfig gettext libsoup autoreconfHook ];
+  nativeBuildInputs = [ pkgconfig gettext libsoup autoreconfHook vala ];
 
   NIX_CFLAGS_COMPILE = "-fno-stack-protector";
 
+  # put polkit action in the $out/share/polkit-1/actions
   preAutoreconf = ''
+    substituteInPlace configure.ac \
+      --replace 'POLICYDIR=`''${PKG_CONFIG} polkit-gobject-1 --variable=policydir`' "POLICYDIR=$out/share/polkit-1/actions"
   '';
 
   configureFlags = [
     "--with-gtk3"
   ];
 
+  # usb redirection needs spice-client-glib-usb-acl-helper to run setuid root
+  # the helper then uses polkit to check access
+  # in nixos, enable this with
+  # security.wrappers.spice-client-glib-usb-acl-helper.source =
+  #   "${pkgs.spice_gtk}/bin/spice-client-glib-usb-acl-helper.real";
+  postFixup = ''
+    mv $out/bin/spice-client-glib-usb-acl-helper $out/bin/spice-client-glib-usb-acl-helper.real
+    ln -sf /run/wrappers/bin/spice-client-glib-usb-acl-helper $out/bin/spice-client-glib-usb-acl-helper
+  '';
+
   dontDisableStatic = true; # Needed by the coroutine test
 
   enableParallelBuilding = true;