Bug 800155 - PRD35 - [RFE] configure SPICE disable-copy-paste in GUIs
Summary: PRD35 - [RFE] configure SPICE disable-copy-paste in GUIs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: RFEs
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.5.0
Assignee: Francesco Romani
QA Contact: Artyom
URL:
Whiteboard: virt
Depends On: 1082479
Blocks: rhev3.5beta 1156165
Reported: 2012-03-05 21:00 UTC by David Jaša
Modified: 2019-04-28 09:48 UTC

Fixed In Version: ovirt-3.5.0-beta2
Doc Type: Enhancement
Doc Text:
This feature adds the ability to disable copying and pasting to virtual machines through SPICE connections, allowing administrators to restrict this functionality for security reasons. This functionality is enabled by default.
Clone Of:
Environment:
Last Closed: 2015-02-11 17:49:39 UTC
oVirt Team: ---
Target Upstream Version:
Embargoed:
sherold: Triaged+


Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) 406693 | 0 | None | None | None | Never
Red Hat Product Errata RHSA-2015:0158 | 0 | normal | SHIPPED_LIVE | Important: Red Hat Enterprise Virtualization Manager 3.5.0 | 2015-02-11 22:38:50 UTC
oVirt gerrit 26916 | 0 | None | MERGED | spice: allow to disable the to clipboard copypaste | 2020-07-03 14:17:22 UTC

Description David Jaša 2012-03-05 21:00:50 UTC
Description of problem:
Since RHEL6.2/RHEV3.0, SPICE supports disabling the copy & paste feature at the spice-server level, which is also supported in libvirt (implemented as bug #693638, bug #693645, bug #693661):
# qemu-kvm -spice disable-copy-paste

<devices>
  <graphics type="spice">
    <clipboard copypaste="no"/>
  </graphics>
</devices>

What is lacking is proper integration into the RHEV permission system and per-VM configuration:

 * Add an "Allow Client-Guest Copy & Paste" permission to the
   "VM - Basic Operations" group that is enabled by default

 * Add an "Enable Guest-Client Copy & Paste" checkbox to the "Edit VM" dialog for
   PowerUser and more powerful roles that is checked by default. When the user
   is not allowed to use the feature by system-wide permission, this checkbox
   is unchecked and disabled.

 * RHEV-M should validate the input of the above checkbox in all cases to prevent
   circumvention via tools like DOM Inspector or Greasemonkey scripts in Firefox

Version-Release number of selected component (if applicable):
3.0.2

Comment 1 Itamar Heim 2012-03-06 09:17:35 UTC
workaround for now would be to use a custom hook until this is implemented
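
The workaround mentioned in Comment 1, as an added example that is not part of the original bug report or of VDSM: the domain-XML rewrite a custom hook could apply so that every SPICE graphics device carries the clipboard copypaste="no" element shown in the description. The function names and the sample XML are constructed for illustration, and wiring into VDSM's hook mechanism is left out.

```python
# Added example: force the libvirt setting from the bug description,
# <clipboard copypaste="no"/>, onto every SPICE graphics device of a domain.
# Function names and sample XML are assumptions made for this illustration.
import xml.etree.ElementTree as ET


def disable_spice_copy_paste(domxml):
    """Return (new_xml, changed). Non-SPICE graphics (e.g. VNC) are untouched."""
    root = ET.fromstring(domxml)
    changed = False
    for graphics in root.iter("graphics"):
        if graphics.get("type") != "spice":
            continue
        clipboard = graphics.find("clipboard")
        if clipboard is None:
            clipboard = ET.SubElement(graphics, "clipboard")
        if clipboard.get("copypaste") != "no":
            clipboard.set("copypaste", "no")
            changed = True
    return ET.tostring(root, encoding="unicode"), changed


def spice_copy_paste_allowed(domxml):
    """Audit helper: True if any SPICE device still permits copy & paste.
    libvirt enables copy & paste when the <clipboard> element is absent."""
    for graphics in ET.fromstring(domxml).iter("graphics"):
        if graphics.get("type") == "spice":
            clipboard = graphics.find("clipboard")
            if clipboard is None or clipboard.get("copypaste") != "no":
                return True
    return False


# Constructed sample domain XML (not taken from a real VM).
SAMPLE_DOMXML = """<domain type="kvm">
  <name>constructed-vm</name>
  <devices>
    <graphics type="spice" autoport="yes"/>
    <graphics type="vnc" port="-1"/>
  </devices>
</domain>"""

if __name__ == "__main__":
    hardened, changed = disable_spice_copy_paste(SAMPLE_DOMXML)
    print("modified:", changed)
    print("copy & paste still allowed:", spice_copy_paste_allowed(hardened))
```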

Comment 4 Francesco Romani 2013-12-23 12:31:39 UTC
VDSM patch available here: http://gerrit.ovirt.org/#/c/22646/

Comment 6 Francesco Romani 2014-04-22 12:13:54 UTC
engine patches: http://gerrit.ovirt.org/#/c/26241/ (and related)

Comment 7 Francesco Romani 2014-06-04 07:52:34 UTC
move to MODIFIED because the UI patch was merged (only RESTAPI is left out, patch posted and verified, previous version ACKed).

Comment 8 Artyom 2014-08-07 14:53:46 UTC
Verified on ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch

Comment 11 errata-xmlrpc 2015-02-11 17:49:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html

