Bug 1308734

Summary:

USB Filter not blocking keyboard and mouse

Product:

Red Hat Enterprise Virtualization Manager

Reporter:

Frank DeLorey <fdelorey>

Component:

spice-usb-share-win

Assignee:

Default Assignee for SPICE Bugs <rh-spice-bugs>

Status:

CLOSED CURRENTRELEASE

QA Contact:

SPICE QE bug list <spice-qe-bugs>

Severity:

high

Docs Contact:

Priority:

high

Version:

3.5.7

CC:

bsanford, cfergeau, dblechte, fidencio, lsurette, lsvaty, rduda, Rhev-m-bugs, rmcswain, srevivo, tpelka, uril

Target Milestone:

ovirt-4.3.0

Target Release:

---

Hardware:

Unspecified

OS:

Unspecified

Whiteboard:

Fixed In Version:

Doc Type:

Bug Fix

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2019-03-25 15:18:37 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

Spice

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Attachments:

Description	Flags
Customers usb filter	none
Customers console.vv	none
spice-debug log: unplug and plug keyboard after connection to win10 VM	none

Description Frank DeLorey 2016-02-15 21:59:14 UTC

Created attachment 1127455 [details]
Customers usb filter

Issue:

USB redirection is permitting the USB keyboard and mouse to be redirected to the guest from the client.
The USB filter does not appear to be functioning properly.
The customer uses Belkin, among others, KVM (Keyboard-Video-Mouse) Switches to access client systems.
The KVM switches present proper USB keyboard and mouse devices to the client and should be filtered out from the guest.
Customer believes the problem also exists with USB keyboards and mice directly attached to the client.
Customer has added additional rules to the /etc/ovirt-engine/usbfilter.txt file attempting to filter the KVM devices without success.
~~~~~~~~

Testing:

Testing supports the customer's contention. When USB redirection is enabled, all USB devices are selectable for redirection to the guest including the keyboard and mouse. The same behavior is observable in both the admin and user portal. It is also observable using the native client (vv file) or the browser plug-in.

When the keyboard and mouse devices are selected, they are immediately made unavailable to the client system and can't be recovered without shutting down the guest.

The 'console.vv' file does contain a proper usb-filter string in both the admin and user portal.
    Admin Portal: usb-filter=-1,-1,-1,-1,0
    User Portal: usb-filter=-1,60186,10000,256,1|-1,1118,245,-1,1|-1,1133,2245,-1,1|-1,1133,2242,5,1|8,-1,-1,-1,1|7,-1,-1,-1,1|-1,-1,-1,-1,0

In fact, the admin portal should filter all USB devices with a filter of '-1,-1,-1,-1,0'.
~~~~~~~~~

Test Configuration:

    RHEV-M: rhevm-3.5.7-0.1.el6ev.noarch
    RHEV-H: RHEV Hypervisor - 7.2 - 20160105.1.el7ev
    virt-viewer: virt-viewer-0.6.0-12.el7.x86_64
    rhev guest tools: rhev-guest-tools-iso-3.5-14.el6ev.noarch.rpm
    Guest Windows version: Windows 7 Enterprise Service Pack 1

Comment 1 Frank DeLorey 2016-02-15 22:00:09 UTC

Created attachment 1127456 [details]
Customers console.vv

Comment 2 Fabiano Fidêncio 2016-02-15 22:30:35 UTC

I've submitted a similar fix for the very same issue on Boxes.
Here is the commit: https://git.gnome.org/browse/gnome-boxes/commit/?id=8f8f5882a2ddc50ffc6e784fcf6ef49cb4f6fa83

At that point we ended up agreeing that the solution must be provided by the client. Now, I start thinking that the solution can be provided by spice-gtk.

Comment 3 Uri Lublin 2016-02-16 16:26:38 UTC

Do they use the File -> Usb Devices menu to share devices ?
From the description (virt-viewer version) I understand their client
machine is running RHEL-7.
I assume their VM is configured to use "Native" USB Support, right ?

Comment 5 Uri Lublin 2016-02-17 14:02:29 UTC

Currently, the usb filter does not apply to manual redirection of USB devices,
only for auto-share. If a user manually picks up a USB device from the menu
File->USB Device Selection then Spice (remote-viewer/spice-gtk) tries to
usbredir that device to the guest.

To workaround mistakenly choosing the keyboard, one can use the mouse to
un-redirect the device (using the same menu File->Usb Device Selection).

Comment 6 Frank DeLorey 2016-02-18 14:43:21 UTC

This may just be a documentation bug as stated below by the end customer:

Unfortunately, this answer and explanation will not be acceptable. 

1. Once you've accidentally re-directed your KVM switch (keyboard/mouse) input devices, they are "disconnected" from the physical client system. Therefore, one cannot "reverse" the process to remove the re-direction. This process works fine for scanners/printers/USB drives, but not KVM.

2. Documentation:

The USB Filter Editor is a Windows tool used to configure the usbfilter.txt policy file. The policy rules defined in this file allow or deny the pass-through of specific USB devices from client machines to virtual machines managed using the Red Hat Enterprise Virtualization Manager. The policy file resides on the Red Hat Enterprise Virtualization Manager in the following location:

/etc/ovirt-engine/usbfilter.txt
Changes to USB filter policies do not take effect unless the ovirt-engine service on the Red Hat Enterprise Virtualization Manager server is restarted. 

*** Documentation and architecture state that you can filter out devices. 

This is still a bug or should be an RFE. If it isn't fixed, all documentation needs to be updated to state USBFilter is only for automatically re-directed devices and doesn't exact work as described.

Comment 8 David Blechter 2016-08-26 14:42:43 UTC

(In reply to Frank DeLorey from comment #6)
> This may just be a documentation bug as stated below by the end customer:
> 
> Unfortunately, this answer and explanation will not be acceptable. 
> 
> 1. Once you've accidentally re-directed your KVM switch (keyboard/mouse)
> input devices, they are "disconnected" from the physical client system.
> Therefore, one cannot "reverse" the process to remove the re-direction. This
> process works fine for scanners/printers/USB drives, but not KVM.
> 
> 2. Documentation:
> 
> The USB Filter Editor is a Windows tool used to configure the usbfilter.txt
> policy file. The policy rules defined in this file allow or deny the
> pass-through of specific USB devices from client machines to virtual
> machines managed using the Red Hat Enterprise Virtualization Manager. The
> policy file resides on the Red Hat Enterprise Virtualization Manager in the
> following location:
> 
> /etc/ovirt-engine/usbfilter.txt
> Changes to USB filter policies do not take effect unless the ovirt-engine
> service on the Red Hat Enterprise Virtualization Manager server is
> restarted. 
> 
> *** Documentation and architecture state that you can filter out devices. 
> 
> This is still a bug or should be an RFE. If it isn't fixed, all
> documentation needs to be updated to state USBFilter is only for
> automatically re-directed devices and doesn't exact work as described.

the doc was fixed, it states clear that the filter policy is used for automatic re-direction: "...allow or deny automatic pass-through ...".

Comment 9 Radek Duda 2018-03-29 14:44:59 UTC

I tested this and the bug is still there.
Maybe this can be divided into two bugs:

1) usb-filter does not work - if I use admin vv-file: enable-usb-autoshare=1 and
usb-filter=-1,-1,-1,-1,0 all devices are auto-shared (automatically redirected to guest when physically connected to client) to guest.

2) HID devices are automatically redirected as well - with exception that they are not usable in guest (cannot type anything in guest nor in client if keyboard was redirected) and relevant checkbox in USB redirection menu is not checked. So it is some quasi-redirection.


client win7:
Virtual Machine Viewer 2.0-240
UsbDk 1.0.19.0

guest win10
RHEV-Tools 4.2.4

cannot reproduce with rhel7.5 client.

Comment 10 Radek Duda 2018-03-29 14:46:23 UTC

Created attachment 1414787 [details]
spice-debug log: unplug and plug keyboard after connection to win10 VM

Comment 11 Sandro Bonazzola 2019-01-28 09:40:21 UTC

This bug has not been marked as blocker for oVirt 4.3.0.
Since we are releasing it tomorrow, January 29th, this bug has been re-targeted to 4.3.1.

Comment 13 Bill Sanford 2019-03-05 13:56:03 UTC

I have just tested this with a Windows 7 guest and client and this still happens. I used a mouse to confirm bug is still valid.

usb-filter=-1,-1,-1,-1,0

RHEL-7.6-updates-20190220.0
RHVM - rhv-4.3.1-2/el7/

Comment 15 David Blechter 2019-03-25 11:46:07 UTC

(In reply to Bill Sanford from comment #13)
> I have just tested this with a Windows 7 guest and client and this still
> happens. I used a mouse to confirm bug is still valid.
> 
> usb-filter=-1,-1,-1,-1,0
> 
> RHEL-7.6-updates-20190220.0
> RHVM - rhv-4.3.1-2/el7/

can you clarify, that the keyboard and the mouse can be redirected manually, but are not re-directed automatically upon connection to the guest. 
Please, use the latest RHV 4.3 windows client, and rhel 7.7 v.35-4 of spice-gtk

Comment 17 Radek Duda 2019-03-25 15:09:17 UTC

I can not reproduce this bug using win7/(win10 tried) client and latest rhel7.7 guest with spice-gtk 35.4
rhv4.3.2.1-0.1.el7

vv-file:
..
usb-filter=-1,-1,-1,-1,0
enable-usb-autoshare=1
..

reproduction steps:
1. Connect to guest using vv-file with options stated above ^^
2. Focus remote-viewer window
3. physically unplug and plug USB mouse and keyboard

Nor mouse neither keyboard are redirected to guest after their physical reconnection to client.