This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1308734 - USB Filter not blocking keyboard and mouse
USB Filter not blocking keyboard and mouse
Status: NEW
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: spice-usb-share-win (Show other bugs)
3.5.7
Unspecified Unspecified
high Severity high
: ---
: ---
Assigned To: Uri Lublin
SPICE QE bug list
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-15 16:59 EST by Frank DeLorey
Modified: 2016-08-26 10:42 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Spice
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Customers usb filter (146 bytes, text/plain)
2016-02-15 16:59 EST, Frank DeLorey
no flags Details
Customers console.vv (1.99 KB, text/plain)
2016-02-15 17:00 EST, Frank DeLorey
no flags Details

  None (edit)
Description Frank DeLorey 2016-02-15 16:59:14 EST
Created attachment 1127455 [details]
Customers usb filter

Issue:

USB redirection is permitting the USB keyboard and mouse to be redirected to the guest from the client.
The USB filter does not appear to be functioning properly.
The customer uses Belkin, among others, KVM (Keyboard-Video-Mouse) Switches to access client systems.
The KVM switches present proper USB keyboard and mouse devices to the client and should be filtered out from the guest.
Customer believes the problem also exists with USB keyboards and mice directly attached to the client.
Customer has added additional rules to the /etc/ovirt-engine/usbfilter.txt file attempting to filter the KVM devices without success.
~~~~~~~~

Testing:

Testing supports the customer's contention. When USB redirection is enabled, all USB devices are selectable for redirection to the guest including the keyboard and mouse. The same behavior is observable in both the admin and user portal. It is also observable using the native client (vv file) or the browser plug-in.

When the keyboard and mouse devices are selected, they are immediately made unavailable to the client system and can't be recovered without shutting down the guest.

The 'console.vv' file does contain a proper usb-filter string in both the admin and user portal.
    Admin Portal: usb-filter=-1,-1,-1,-1,0
    User Portal: usb-filter=-1,60186,10000,256,1|-1,1118,245,-1,1|-1,1133,2245,-1,1|-1,1133,2242,5,1|8,-1,-1,-1,1|7,-1,-1,-1,1|-1,-1,-1,-1,0

In fact, the admin portal should filter all USB devices with a filter of '-1,-1,-1,-1,0'.
~~~~~~~~~

Test Configuration:

    RHEV-M: rhevm-3.5.7-0.1.el6ev.noarch
    RHEV-H: RHEV Hypervisor - 7.2 - 20160105.1.el7ev
    virt-viewer: virt-viewer-0.6.0-12.el7.x86_64
    rhev guest tools: rhev-guest-tools-iso-3.5-14.el6ev.noarch.rpm
    Guest Windows version: Windows 7 Enterprise Service Pack 1
Comment 1 Frank DeLorey 2016-02-15 17:00 EST
Created attachment 1127456 [details]
Customers console.vv
Comment 2 Fabiano Fidêncio 2016-02-15 17:30:35 EST
I've submitted a similar fix for the very same issue on Boxes.
Here is the commit: https://git.gnome.org/browse/gnome-boxes/commit/?id=8f8f5882a2ddc50ffc6e784fcf6ef49cb4f6fa83

At that point we ended up agreeing that the solution must be provided by the client. Now, I start thinking that the solution can be provided by spice-gtk.
Comment 3 Uri Lublin 2016-02-16 11:26:38 EST
Do they use the File -> Usb Devices menu to share devices ?
From the description (virt-viewer version) I understand their client
machine is running RHEL-7.
I assume their VM is configured to use "Native" USB Support, right ?
Comment 5 Uri Lublin 2016-02-17 09:02:29 EST
Currently, the usb filter does not apply to manual redirection of USB devices,
only for auto-share. If a user manually picks up a USB device from the menu
File->USB Device Selection then Spice (remote-viewer/spice-gtk) tries to
usbredir that device to the guest.

To workaround mistakenly choosing the keyboard, one can use the mouse to
un-redirect the device (using the same menu File->Usb Device Selection).
Comment 6 Frank DeLorey 2016-02-18 09:43:21 EST
This may just be a documentation bug as stated below by the end customer:

Unfortunately, this answer and explanation will not be acceptable. 

1. Once you've accidentally re-directed your KVM switch (keyboard/mouse) input devices, they are "disconnected" from the physical client system. Therefore, one cannot "reverse" the process to remove the re-direction. This process works fine for scanners/printers/USB drives, but not KVM.

2. Documentation:

The USB Filter Editor is a Windows tool used to configure the usbfilter.txt policy file. The policy rules defined in this file allow or deny the pass-through of specific USB devices from client machines to virtual machines managed using the Red Hat Enterprise Virtualization Manager. The policy file resides on the Red Hat Enterprise Virtualization Manager in the following location:

/etc/ovirt-engine/usbfilter.txt
Changes to USB filter policies do not take effect unless the ovirt-engine service on the Red Hat Enterprise Virtualization Manager server is restarted. 

*** Documentation and architecture state that you can filter out devices. 

This is still a bug or should be an RFE. If it isn't fixed, all documentation needs to be updated to state USBFilter is only for automatically re-directed devices and doesn't exact work as described.
Comment 8 David Blechter 2016-08-26 10:42:43 EDT
(In reply to Frank DeLorey from comment #6)
> This may just be a documentation bug as stated below by the end customer:
> 
> Unfortunately, this answer and explanation will not be acceptable. 
> 
> 1. Once you've accidentally re-directed your KVM switch (keyboard/mouse)
> input devices, they are "disconnected" from the physical client system.
> Therefore, one cannot "reverse" the process to remove the re-direction. This
> process works fine for scanners/printers/USB drives, but not KVM.
> 
> 2. Documentation:
> 
> The USB Filter Editor is a Windows tool used to configure the usbfilter.txt
> policy file. The policy rules defined in this file allow or deny the
> pass-through of specific USB devices from client machines to virtual
> machines managed using the Red Hat Enterprise Virtualization Manager. The
> policy file resides on the Red Hat Enterprise Virtualization Manager in the
> following location:
> 
> /etc/ovirt-engine/usbfilter.txt
> Changes to USB filter policies do not take effect unless the ovirt-engine
> service on the Red Hat Enterprise Virtualization Manager server is
> restarted. 
> 
> *** Documentation and architecture state that you can filter out devices. 
> 
> This is still a bug or should be an RFE. If it isn't fixed, all
> documentation needs to be updated to state USBFilter is only for
> automatically re-directed devices and doesn't exact work as described.

the doc was fixed, it states clear that the filter policy is used for automatic re-direction: "...allow or deny automatic pass-through ...".

Note You need to log in before you can comment on or make changes to this bug.