Hi. Quoting myself from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764894:

Hi. Not sure whether the problem here is actually in virt-manager, libvirt or spice-client-glib-usb-acl-helper. So please redirect as necessary.

I've just noted a very serious behaviour (which is also why I marked it as critical and root security hole): It seems that when plugging a USB device into any computer where I run virt-manager and where I'm connected to some VMs via SPICE, such USB devices are forwarded to that VM. o.O I wonder how it chooses to which the device is redirected if there are more VMs connected.

Now SPICE seems to be the default for newly created VMs via libvirt and the SPICE USB Redirector devices are created per default as well. Also this isn't like the "USB Host Device" hardware in virt-manager/libvirt/qemu, where one at least has to select *which* USB device is connected.

Now since VMs are often used by people as kind of jails, e.g. running untrustworthy OSes or programs in them, or since the VM may be just on any remote server (from work or wherever), redirecting USB devices without asking is IMHO a great security hole. The USB device could contain just anything, my most recent hard disk backup (and thus root passwords, dmcrypt keys etc.) or my private picture collection.

The 2nd critical security aspect of this: A normal user(!) is apparently allowed to redirect a hardware device. Not sure whether this is the typical policykit problem that locally logged in users are handled as if they were root... but hell, one cannot simply give normal users full access to USB devices if root hasn't manually allowed them.

Cheers, Chris
After some thinking I'd guess that there are actually two bugs:

1) That virt-manager automatically redirects without asking (because apparently it now has a menu (Virtual Machine/Redirect USB Device) which should do just that). Actually IMHO it should generally happen only manually, because it's quite annoying if every time I put in some USB device, all my virt-manager consoles would ask for it.

2) A security hole in the polkit configuration, in that it allows any user to actually redirect - and via that - gain full access to such a USB device. So only if root has manually (via configuration) allowed a user to redirect all or specific USB devices should polkit even grant the whole thing. But even then, it shouldn't happen automatically, but only when the user really says "oh, yeah,... go and redirect".

Cheers, Chris.
After some longer searching (the documentation of libvirt/virt-manager is really... well... non-existent in so many fields :-( ) I found this: https://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/Virtualization_Deployment_and_Administration_Guide/sect-limit-redirection.html

This is of course no solution to the issues described above, since this is on the server side,... i.e. it would be just a voluntary "no we don't steal access to your USB devices" by some potential attacker.

But btw:

  <redirfilter>
    <usbdev class='0x08' vendor='0x0951' product='0x1625' version='2.0' allow='yes'/>
    <usbdev allow='no'/>
  </redirfilter>

Okay, one can probably guess what class/vendor/product are (even though USB knows several kinds of classes),... but what's version? The USB bus version? If so it seems to not work, because I connected a USB 2.0 device on an ehci (on the host), and the guest was configured for USB2 as well,... but the filter didn't match - removing the version='2.0'... and it got matched, however.
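As an added illustration (not code from the bug thread, libvirt or spice-gtk), the small evaluator below parses a libvirt <redirfilter> block and applies its <usbdev> rules to a device description in document order, so an admin can check offline which device a given filter will let through before relying on it. It reproduces the observation above: with version='2.0' present, a device whose class/vendor/product match but whose version string differs falls through to the <usbdev allow='no'/> catch-all; drop the version attribute and the same device matches the allow rule. Assumptions: an absent or -1 attribute is treated as a wildcard, version is compared as the plain "major.minor" string written in the XML (which USB descriptor field it denotes is left open, as in the thread), and the behaviour when no rule matches at all is a parameter that defaults to deny, the conservative choice. The sample device identifiers are constructed.

```python
# Added example, not part of the bug thread: evaluate libvirt <redirfilter>
# rules against a USB device description with first-match-wins semantics.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class UsbDevice:
    usb_class: int
    vendor: int
    product: int
    version: str  # assumption: compared as the "major.minor" string used in the XML


@dataclass(frozen=True)
class Rule:
    usb_class: Optional[int]   # None means wildcard (attribute absent or -1)
    vendor: Optional[int]
    product: Optional[int]
    version: Optional[str]
    allow: bool


def _int_or_wild(value: Optional[str]) -> Optional[int]:
    """Numeric attribute, or None for the wildcard forms (absent / -1)."""
    if value is None or value == "-1":
        return None
    return int(value, 0)  # base 0 accepts the 0x... notation used in the XML


def parse_redirfilter(xml_text: str) -> List[Rule]:
    """Return the <usbdev> rules of a <redirfilter> in document order."""
    root = ET.fromstring(xml_text.strip())
    filt = root if root.tag == "redirfilter" else root.find(".//redirfilter")
    if filt is None:
        return []
    rules = []
    for dev in filt.findall("usbdev"):
        version = dev.get("version")
        rules.append(Rule(
            usb_class=_int_or_wild(dev.get("class")),
            vendor=_int_or_wild(dev.get("vendor")),
            product=_int_or_wild(dev.get("product")),
            version=None if version in (None, "-1") else version,
            allow=dev.get("allow", "no") == "yes",
        ))
    return rules


def _matches(rule: Rule, dev: UsbDevice) -> bool:
    """Every non-wildcard field of the rule must equal the device's field."""
    return all(
        expected is None or expected == actual
        for expected, actual in (
            (rule.usb_class, dev.usb_class),
            (rule.vendor, dev.vendor),
            (rule.product, dev.product),
            (rule.version, dev.version),
        )
    )


def is_allowed(rules: List[Rule], dev: UsbDevice, default: bool = False) -> bool:
    """The first matching rule decides. If nothing matches, return `default`;
    deny is chosen here as the conservative fallback (assumption, not libvirt's
    documented behaviour)."""
    for rule in rules:
        if _matches(rule, dev):
            return rule.allow
    return default


# Constructed sample: the filter quoted above, and a device whose
# class/vendor/product match it but whose version string does not.
FILTER_WITH_VERSION = """
<redirfilter>
  <usbdev class='0x08' vendor='0x0951' product='0x1625' version='2.0' allow='yes'/>
  <usbdev allow='no'/>
</redirfilter>
"""
FILTER_NO_VERSION = FILTER_WITH_VERSION.replace(" version='2.0'", "")

STICK = UsbDevice(usb_class=0x08, vendor=0x0951, product=0x1625, version="1.10")  # constructed
OTHER = UsbDevice(usb_class=0x08, vendor=0x0781, product=0x5567, version="1.00")  # constructed

if __name__ == "__main__":
    for name, text in (("with version", FILTER_WITH_VERSION),
                       ("without version", FILTER_NO_VERSION)):
        rules = parse_redirfilter(text)
        print(f"{name}: stick allowed={is_allowed(rules, STICK)}, "
              f"other allowed={is_allowed(rules, OTHER)}")
```

Run it directly to see both filters evaluated; the point to take away is that rule order matters and that a filter without a trailing catch-all leaves the no-match case to whatever the consuming component does, which is why the evaluator forces that case to be spelled out.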
The setting is org.virt-manager.virt-manager.console.auto-redirect to turn this off by default.
In Debian, this has been fixed now by Guido, at least on the virt-viewer side. But the following remain:

1) I just checked and the same issue exists in virt-viewer, i.e. USB devices are automatically redirected. This is now Debian bug #765016.

2) The issue (2) I describe in comment #1 above, of course, exists as well. In Debian I've opened bug #765017 for that.

3) Are there other SPICE clients, known to upstream, which may be prone to these issues as well? In Debian there seem to be at least spice-client-gtk, vinagre and gnome-boxes which make use of the spice libs.

Cheers, Chris.
Thanks for the report, but I don't see this behavior as a bug, or a default that needs to change. This feature is mostly made useful by its 'out of the box' behavior. Another way to disable it is to go Edit->Preferences->New VM->Add Spice USB redirection which will remove the device magic that makes redirection happen. The polkit rules should only work for the current active user, on the current seat, which means it should only work when the user at the physical machine plugs in a USB device. Meaning they should be expected to have access to it. If my understanding is incorrect and you still think there's a security implication, please open a bug against spice-gtk which provides this behavior.
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Closing due to comment #5
It's simply outrageous how upstream "deals" with the security of their users' data. Why not just directly pass all host /dev/* on to the VM,... would make life for an attacker much easier.... o.O