Bug 800155 - PRD35 - [RFE] configure SPICE disable-copy-paste in GUIs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: RFEs
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Release: 3.5.0
Assigned To: Francesco Romani
QA Contact: Artyom
Whiteboard: virt
Keywords: FutureFeature
Depends On: 1082479
Blocks: rhev3.5beta 1156165
Reported: 2012-03-05 16:00 EST by David Jaša
Modified: 2015-02-11 12:49 EST
Fixed In Version: ovirt-3.5.0-beta2
Doc Type: Enhancement
Doc Text:
This feature adds the ability to disable copying and pasting to virtual machines through SPICE connections, allowing administrators to restrict this functionality for security reasons. This functionality is enabled by default.
Last Closed: 2015-02-11 12:49:39 EST
sherold: Triaged+


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 406693 None None None Never
oVirt gerrit 26916 None None None Never

Description David Jaša 2012-03-05 16:00:50 EST
Description of problem:
Since RHEL6.2/RHEV3.0, SPICE supports disabling the copy & paste feature at the spice-server level, which is also supported in libvirt (implemented as bug #693638, bug #693645, bug #693661):
# qemu-kvm -spice disable-copy-paste

<devices>
  <graphics type="spice">
    <clipboard copypaste="no"/>
  </graphics>
</devices>

What is lacking is proper integration into the RHEV permission system and per-VM configuration:

 * Add an "Allow Client-Guest Copy & Paste" permission to the
   "VM - Basic Operations" group that is enabled by default

 * Add an "Enable Guest-Client Copy & Paste" checkbox to the "Edit VM" dialog for
   PowerUser and more powerful roles that is checked by default. When the user
   is not allowed to use the feature by system-wide permission, this checkbox
   is unchecked and disabled.

 * RHEV-M should validate input of the above checkbox in all cases to prevent
   circumvention via tools like DOM Inspector or a Greasemonkey script in Firefox

Version-Release number of selected component (if applicable):
3.0.2

Comment 1 Itamar Heim 2012-03-06 04:17:35 EST
workaround for now would be to use a custom hook until this is implemented
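
An added example, not part of the bug report or of VDSM/engine code: a Python check over libvirt domain XML that reports whether any SPICE graphics device still permits copy & paste, and rewrites the XML to carry the `<clipboard copypaste="no"/>` element from the description, the kind of change a custom hook would make. The sample domain XML and the function names are constructed for illustration; wiring into a hook is not shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from a real host).
SAMPLE_DOMAIN = """<domain type="kvm">
  <name>demo-vm</name>
  <devices>
    <graphics type="spice" autoport="yes"/>
    <graphics type="vnc" port="-1"/>
  </devices>
</domain>
"""

SPICE_GRAPHICS = "./devices/graphics[@type='spice']"


def spice_copypaste_allowed(domain_xml):
    """Return True if any SPICE graphics device still permits copy & paste.

    A missing <clipboard> element counts as allowed, because the feature
    is enabled by default.
    """
    root = ET.fromstring(domain_xml)
    for gfx in root.iterfind(SPICE_GRAPHICS):
        clip = gfx.find("clipboard")
        if clip is None or clip.get("copypaste", "yes") != "no":
            return True
    return False


def disable_spice_copypaste(domain_xml):
    """Return domain XML with copypaste="no" set on every SPICE device."""
    root = ET.fromstring(domain_xml)
    for gfx in root.iterfind(SPICE_GRAPHICS):
        clip = gfx.find("clipboard")
        if clip is None:
            clip = ET.SubElement(gfx, "clipboard")
        clip.set("copypaste", "no")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", spice_copypaste_allowed(SAMPLE_DOMAIN))
    hardened = disable_spice_copypaste(SAMPLE_DOMAIN)
    print("after: ", spice_copypaste_allowed(hardened))
```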
Comment 4 Francesco Romani 2013-12-23 07:31:39 EST
VDSM patch available here: http://gerrit.ovirt.org/#/c/22646/
Comment 6 Francesco Romani 2014-04-22 08:13:54 EDT
engine patches: http://gerrit.ovirt.org/#/c/26241/ (and related)
Comment 7 Francesco Romani 2014-06-04 03:52:34 EDT
move to MODIFIED because the UI patch was merged (only RESTAPI is left out, patch posted and verified, previous version ACKed).
Comment 8 Artyom 2014-08-07 10:53:46 EDT
Verified on ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch
Comment 11 errata-xmlrpc 2015-02-11 12:49:39 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html
