Bug 800155

Summary: PRD35 - [RFE] configure SPICE disable-copy-paste in GUIs
Product: Red Hat Enterprise Virtualization Manager Reporter: David Jaša <djasa>
Component: RFEsAssignee: Francesco Romani <fromani>
Status: CLOSED ERRATA QA Contact: Artyom <alukiano>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0.0CC: adahms, alukiano, avettath, cfergeau, degts, desktop-qa-list, djasa, fkobzik, fromani, ghelleks, iheim, lpeer, mavital, michal.skrivanek, mkalinin, myllynen, rbalakri, sherold, sputhenp, tbrunell, ylavi
Target Milestone: ---Keywords: FutureFeature
Target Release: 3.5.0Flags: sherold: Triaged+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: virt
Fixed In Version: ovirt-3.5.0-beta2 Doc Type: Enhancement
Doc Text:
This features adds the ability to disable copying and pasting to virtual machines through SPICE connections, allowing administrators to restrict this functionality due to security reasons. This functionality is enabled by default.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-11 17:49:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1082479    
Bug Blocks: 1142923, 1156165    

Description David Jaša 2012-03-05 21:00:50 UTC 
Description of problem:
Since RHEL6.2/RHEV3.0, SPICE supports disabling of copy & paste feature at spice-server level that is also supported in libvirt (implemented as bug #693638, bug #693645, bug #693661):
# qemu-kvm -spice disable-copy-paste

<devices>
  <graphics type="spice">
    <clipboard copypaste="no"/>
  </graphics>
</devices>

What is lacking is proper integration into RHEV permission system and per-VM configuration:

 * Add a "Allow Client-Guest Copy & Paste" permission to to 
   "VM - Basic Operations" group that is enabled by default

 * Add a "Enable Guest-Client Copy & Paste" checkbox to "Edit VM" dialog for
   PowerUser and more powerful role that is checked by default. When the user
   is not allowed to use the feature by system-wide permission, this checkbox
   is unchecked and disabled.

 * RHEV-M should validate input of above checkbox in all case to prevent
   circumvention via tools like DOM Inspector or Greasemonkey script in Firefox

Version-Release number of selected component (if applicable):
3.0.2

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Itamar Heim 2012-03-06 09:17:35 UTC 
workaround for now would be to use a custom hook until this is implemented
Comment 4 Francesco Romani 2013-12-23 12:31:39 UTC 
VDSM patch available here: http://gerrit.ovirt.org/#/c/22646/
Comment 6 Francesco Romani 2014-04-22 12:13:54 UTC 
engine patches: http://gerrit.ovirt.org/#/c/26241/ (and related)
Comment 7 Francesco Romani 2014-06-04 07:52:34 UTC 
move to MODIFIED because the UI patch was merged (only RESTAPI is left out, patch posted and verified, previous version ACKed).
Comment 8 Artyom 2014-08-07 14:53:46 UTC 
Verified on ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch
Comment 11 errata-xmlrpc 2015-02-11 17:49:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html