From: Marc-André Lureau <marcandre.lureau(a)redhat.com>
From a security pov, copy and paste between the guest and the client is not
always desirable. So we need to be able to enable/disable this. The best place
to do this from an administration pov is on the hypervisor, so the qemu cmdline
is getting a spice disable-copy-paste option, see bug 693645. Example qemu
invocation:
qemu -spice port=5932,disable-ticketing,disable-copy-paste
https://bugzilla.redhat.com/show_bug.cgi?id=693661
---
docs/formatdomain.html.in | 8 +++++++-
docs/schemas/domain.rng | 8 ++++++++
src/conf/domain_conf.c | 11 +++++++++++
src/conf/domain_conf.h | 1 +
src/qemu/qemu_command.c | 2 ++
.../qemuxml2argv-graphics-spice-compression.xml | 2 +-
.../qemuxml2argv-graphics-spice-qxl-vga.xml | 2 +-
.../qemuxml2argv-graphics-spice-timeout.xml | 2 +-
.../qemuxml2argv-graphics-spice.args | 2 +-
.../qemuxml2argv-graphics-spice.xml | 2 +-
10 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 98fb2b4..61af08e 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -1833,7 +1833,7 @@ qemu-kvm -net nic,model=? /dev/null
and <span class="since">since 0.8.8</span>:
<code>smartcard</code>.
</p>
<pre>
- <graphics type='spice' port='-1' tlsPort='-1'
autoport='yes'>
+ <graphics type='spice' port='-1' tlsPort='-1'
autoport='yes' disableCopyPaste='no'>
<channel name='main' mode='secure'/>
<channel name='record' mode='insecure'/>
<image compression='auto_glz'/>
@@ -1862,6 +1862,12 @@ qemu-kvm -net nic,model=? /dev/null
of <code>filter</code>, <code>all</code>
or <code>off</code>, <span class="since">since
0.9.2</span>.
</p>
+ <p>
+ Copy & Paste from guest to client (via Spice agent)
+ can be disabled by setting
+ the <code>disableCopyPaste</code> property
+ to <code>yes</code>, <span class="since">since
0.9.2</span>.
+ </>
</dd>
<dt><code>"rdp"</code></dt>
<dd>
diff --git a/docs/schemas/domain.rng b/docs/schemas/domain.rng
index 0be0371..b2333d5 100644
--- a/docs/schemas/domain.rng
+++ b/docs/schemas/domain.rng
@@ -1293,6 +1293,14 @@
<data type="dateTime"/>
</attribute>
</optional>
+ <optional>
+ <attribute name="disableCopyPaste">
+ <choice>
+ <value>yes</value>
+ <value>no</value>
+ </choice>
+ </attribute>
+ </optional>
<interleave>
<zeroOrMore>
<element name="channel">
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 65d4f89..61377c3 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -4099,6 +4099,7 @@ virDomainGraphicsDefParseXML(xmlNodePtr node, int flags) {
char *port = virXMLPropString(node, "port");
char *tlsPort;
char *autoport;
+ char *disableCopyPaste;
if (port) {
if (virStrToLong_i(port, NULL, 10, &def->data.spice.port) < 0) {
@@ -4143,6 +4144,13 @@ virDomainGraphicsDefParseXML(xmlNodePtr node, int flags) {
!def->data.spice.listenAddr[0])
VIR_FREE(def->data.spice.listenAddr);
+ if ((disableCopyPaste = virXMLPropString(node, "disableCopyPaste")) !=
NULL) {
+ if (STREQ(disableCopyPaste, "yes")) {
+ def->data.spice.disableCopyPaste = true;
+ }
+ VIR_FREE(disableCopyPaste);
+ }
+
if (virDomainGraphicsAuthDefParseXML(node, &def->data.spice.auth) < 0)
goto error;
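Review bot: The new `disableCopyPaste` parse block treats every value other than the exact string `yes` as "not disabled", so a typo such as `disableCopyPaste='true'` or `'Yes'` is accepted silently and clipboard sharing stays enabled while the administrator believes it is off. For a security control the parser should fail closed: accept `yes` and `no`, and reject anything else with an error, matching the `<choice>` this patch adds to domain.rng. The sketch below assumes the `error` label used by the following context line cleans up `def`; virDomainGraphicsDefParseXML starts and ends outside the hunk. A fixture with an invalid value would pin this behaviour, since the test data in this patch only covers `yes` and `no`.

```c
    if (STREQ(disableCopyPaste, "yes")) {
        def->data.spice.disableCopyPaste = true;
    } else if (STRNEQ(disableCopyPaste, "no")) {
        /* fail closed: an unrecognised value must not leave copy/paste enabled */
        virDomainReportError(VIR_ERR_INTERNAL_ERROR,
                             _("unknown disableCopyPaste value '%s'"),
                             disableCopyPaste);
        VIR_FREE(disableCopyPaste);
        goto error;
    }
    /* … unchanged: VIR_FREE(disableCopyPaste) and closing brace … */
```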
@@ -9190,6 +9198,9 @@ virDomainGraphicsDefFormat(virBufferPtr buf,
virBufferEscapeString(buf, " keymap='%s'",
def->data.spice.keymap);
+ virBufferAsprintf(buf, " disableCopyPaste='%s'",
+ def->data.spice.disableCopyPaste ? "yes" :
"no");
+
virDomainGraphicsAuthDefFormatAttr(buf, &def->data.spice.auth, flags);
break;
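Review bot: The added `virBufferAsprintf` call writes `disableCopyPaste='no'` into every spice graphics element, including domains that never set the attribute, which is why the unrelated compression, qxl-vga and timeout fixtures had to change in this patch. Emitting the attribute only when the restriction is active keeps existing domain XML stable: `if (def->data.spice.disableCopyPaste) virBufferAddLit(buf, " disableCopyPaste='yes'");`. virDomainGraphicsDefFormat starts and ends outside the hunk.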
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 41c8136..9566d51 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -757,6 +757,7 @@ struct _virDomainGraphicsDef {
int zlib;
int playback;
int streaming;
+ bool disableCopyPaste;
} spice;
} data;
};
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index cb81354..8261088 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -4161,6 +4161,8 @@ qemuBuildCommandLine(virConnectPtr conn,
if (def->graphics[0]->data.spice.streaming)
virBufferAsprintf(&opt, ",streaming-video=%s",
virDomainGraphicsSpiceStreamingModeTypeToString(def->graphics[0]->data.spice.streaming));
+ if (def->graphics[0]->data.spice.disableCopyPaste)
+ virBufferAddLit(&opt, ",disable-copy-paste");
virCommandAddArg(cmd, "-spice");
virCommandAddArgBuffer(cmd, &opt);
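Review bot: `,disable-copy-paste` is appended whenever the flag is set, with no check that the QEMU binary understands it, although the commit message says the option is only now being added to qemu. With an older binary the guest would presumably fail to start on an option-parsing error rather than a clear libvirt message. A capability check before building the argument, reporting that disabling copy and paste is not supported by this QEMU, would make that failure explicit. It must stay an error rather than dropping the option, so the restriction is never silently lost. Only `def->graphics[0]` is consulted here, as in the surrounding context, and qemuBuildCommandLine continues outside the hunk.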
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-compression.xml
b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-compression.xml
index 64a6890..e502216 100644
--- a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-compression.xml
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-compression.xml
@@ -21,7 +21,7 @@
</disk>
<controller type='ide' index='0'/>
<input type='mouse' bus='ps2'/>
- <graphics type='spice' port='5903' tlsPort='5904'
autoport='no' listen='127.0.0.1'>
+ <graphics type='spice' port='5903' tlsPort='5904'
autoport='no' listen='127.0.0.1' disableCopyPaste='no'>
<image compression='auto_glz'/>
<jpeg compression='auto'/>
<zlib compression='auto'/>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-qxl-vga.xml
b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-qxl-vga.xml
index a38550c..0075d26 100644
--- a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-qxl-vga.xml
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-qxl-vga.xml
@@ -21,7 +21,7 @@
</disk>
<controller type='ide' index='0'/>
<input type='mouse' bus='ps2'/>
- <graphics type='spice' port='5903' tlsPort='5904'
autoport='no' listen='127.0.0.1'>
+ <graphics type='spice' port='5903' tlsPort='5904'
autoport='no' listen='127.0.0.1' disableCopyPaste='no'>
<channel name='main' mode='secure'/>
<channel name='inputs' mode='insecure'/>
</graphics>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-timeout.xml
b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-timeout.xml
index 4c0c57e..6b13d6b 100644
--- a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-timeout.xml
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-timeout.xml
@@ -71,7 +71,7 @@
</console>
<input type='tablet' bus='usb'/>
<input type='mouse' bus='ps2'/>
- <graphics type='spice' port='5900' autoport='no'
passwd='sercet' passwdValidTo='2011-05-31T16:11:22'/>
+ <graphics type='spice' port='5900' autoport='no'
disableCopyPaste='no' passwd='sercet'
passwdValidTo='2011-05-31T16:11:22'/>
<sound model='ac97'>
<address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
</sound>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args
b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args
index 084a100..c9fdb99 100644
--- a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args
@@ -4,6 +4,6 @@ unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -hda \
/dev/HostVG/QEMUGuest1 -usb -spice port=5903,tls-port=5904,addr=127.0.0.1,\
x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=inputs,\
image-compression=auto_glz,jpeg-wan-compression=auto,zlib-glz-wan-compression=auto,\
-playback-compression=on,streaming-video=filter -vga \
+playback-compression=on,streaming-video=filter,disable-copy-paste -vga \
qxl -global qxl.vram_size=18874368 -device
qxl,id=video1,vram_size=33554432,bus=pci.0,addr=0x4 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml
b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml
index 0d3dd48..4b5840c 100644
--- a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml
@@ -21,7 +21,7 @@
</disk>
<controller type='ide' index='0'/>
<input type='mouse' bus='ps2'/>
- <graphics type='spice' port='5903' tlsPort='5904'
autoport='no' listen='127.0.0.1'>
+ <graphics type='spice' port='5903' tlsPort='5904'
autoport='no' listen='127.0.0.1' disableCopyPaste='yes'>
<channel name='main' mode='secure'/>
<channel name='inputs' mode='insecure'/>
<image compression='auto_glz'/>
--
1.7.1