Isolating USB devices forwarded by NoMachine to Linux hosts

ID: FR04Q03828 Priority: Low
Products: NoMachine Device Services Target: 6
Status: Approved  

All USB devices forwarded to a Linux host are treated globally, i.e. they are accessible by all system users on that host.

NoMachine could implement a mechanism to isolate USB devices on a per-user basis. In this way each user would access only those USB devices he/she has forwarded inside his/her own session. This applies to virtual desktops and custom sessions and to multiple connections to the physical display.

This mechanism could also cover the specific case of USB drive forwarding, which at the moment requires that the user who forwards the device is part of the 'Disk' system group on the remote host.

All devices forwarded by each user should be listed only in the /dev folder of that specific user.
In case of two NoMachine sessions run by the same user, both sessions will have access to the USB devices forwarded by that user. 
When the session is shared, i.e. two or more users are connected to the same physical or virtual desktop, each user will access only his/her own devices.

This implementation can be extended to provide isolation of USB devices for NoMachine sessions running in a Docker container as well.

Note that users will not be able to forward HID devices to NoMachine virtual desktops and custom sessions, as explained here:

Implementing the isolation mechanism requires a NoMachine kernel driver that retrieves from user space the list of forwarded devices and the corresponding users who forwarded them, and shows in the /dev folder of the current user only those devices forwarded by him/her. Devices physically connected to the server are not affected.
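The exposure this request addresses is that a forwarded device is a single node in the host's shared /dev, reachable by every local user whose owner, group or 'other' bits match. The following audit script is an added example, not part of the feature request or of NoMachine's own code: it applies the classic Unix discretionary check to device nodes and reports which nodes more than one user can reach, which is the state per-user isolation would remove. The device nodes, users and the 'disk' group id are constructed sample data; `scan_dev_bus_usb()` reads the real nodes on the running host when run as a script.

```python
"""Audit which local users can reach USB device nodes under /dev.

Added example, not NoMachine code. Device nodes and users below are
constructed sample data; the permission logic is the standard owner/group/
other check that the kernel applies to a device node in a shared /dev.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class DeviceNode:
    path: str
    mode: int   # permission bits as in st_mode (file type bits ignored)
    uid: int
    gid: int


# user name -> (uid, set of gids the user belongs to)
Users = Dict[str, Tuple[int, FrozenSet[int]]]


def user_can_access(node: DeviceNode, uid: int, gids: FrozenSet[int]) -> bool:
    """True if the user could open the node for reading or writing.

    Mirrors the kernel's discretionary check: owner bits if the uid matches,
    else group bits if one of the user's gids matches, else the 'other' bits.
    uid 0 bypasses DAC and is always reported as having access.
    """
    if uid == 0:
        return True
    if node.uid == uid:
        return bool(node.mode & (stat.S_IRUSR | stat.S_IWUSR))
    if node.gid in gids:
        return bool(node.mode & (stat.S_IRGRP | stat.S_IWGRP))
    return bool(node.mode & (stat.S_IROTH | stat.S_IWOTH))


def who_can_access(node: DeviceNode, users: Users) -> List[str]:
    """Sorted names of the given users that can reach the node."""
    return sorted(name for name, (uid, gids) in users.items()
                  if user_can_access(node, uid, gids))


def shared_nodes(nodes: List[DeviceNode], users: Users) -> List[str]:
    """Paths reachable by more than one of the listed users: the global
    visibility the feature request describes."""
    return [n.path for n in nodes if len(who_can_access(n, users)) > 1]


def scan_dev_bus_usb(root: str = "/dev/bus/usb") -> List[DeviceNode]:
    """Collect real character/block device nodes from the running host
    (returns an empty list when the directory does not exist)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
                found.append(DeviceNode(path, stat.S_IMODE(st.st_mode),
                                        st.st_uid, st.st_gid))
    return found


# Constructed sample host: gid of the 'disk' group and two ordinary users.
DISK_GID = 6
SAMPLE_USERS: Users = {
    "alice": (1000, frozenset({1000, DISK_GID})),   # alice is in 'disk'
    "bob": (1001, frozenset({1001})),
}

# Constructed device nodes (paths and modes are illustrative, not from the page).
SAMPLE_NODES = [
    DeviceNode("/dev/bus/usb/001/004", 0o664, 0, 0),          # forwarded USB device, world-readable
    DeviceNode("/dev/sdb", 0o660, 0, DISK_GID),               # forwarded USB drive, group 'disk'
    DeviceNode("/dev/bus/usb/001/005", 0o600, 1000, 1000),    # what per-user isolation would look like
]


if __name__ == "__main__":
    nodes = scan_dev_bus_usb() or SAMPLE_NODES
    for node in nodes:
        print(f"{node.path} {oct(node.mode)} -> {who_can_access(node, SAMPLE_USERS)}")
    print("shared:", shared_nodes(nodes, SAMPLE_USERS))
```

On the constructed data the world-readable USB node is reachable by both users, the 'disk'-group drive only by the group member, and the owner-only node only by its owner. Running the script on a real host substitutes the actual /dev/bus/usb nodes but still evaluates them against the constructed user set, so replace `SAMPLE_USERS` with the host's real accounts (for example from the `pwd` and `grp` modules) before drawing conclusions.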