[Spice-devel] [spice-gtk] Add --spice-disable-clipboard option

Victor Toso victortoso at redhat.com
Tue Feb 20 11:48:48 UTC 2018 

On Thu, Jan 18, 2018 at 10:31:26AM +0100, Christophe Fergeau wrote:
> At least on X.org, malicious code could run the equivalent of "watch
> xsel -o --clipboard" in a VM, and would then be able to track all the
> clipboard content, even when the spice-gtk widget is not focused.
> 
> At the moment, applications call spice_set_session_option(), and then
> set SpiceGtkSession::auto-clipboard to TRUE (or to its saved state).
> This commit adds a --spice-disable-clipboard option, and if it's set,
> SpiceGtkSession::auto-clipboard will not be changeable and will always
> be FALSE.
> The only side effect I noticed is that enabling "clipboard sharing" in
> GNOME Boxes VM preferences will appear to work, but will not enable
> clipboard, and will be reset to off next time the preferences dialog is
> open.

You mean running gnome-boxes --spice-disable-clipboard still
shows clipboard enabled? Any bug filed already? If yes, I think
we could add to the commit log.

> https://bugzilla.redhat.com/show_bug.cgi?id=1320263
> ---
>  man/spice-client.pod     |  4 ++++
>  src/spice-gtk-session.c  | 16 +++++++++++++++-
>  src/spice-option.c       |  6 ++++++
>  src/spice-session-priv.h |  1 +
>  src/spice-session.c      | 35 +++++++++++++++++++++++++++++++++++
>  5 files changed, 61 insertions(+), 1 deletion(-)
> 
> diff --git a/man/spice-client.pod b/man/spice-client.pod
> index 7288b84e..76a7d207 100644
> --- a/man/spice-client.pod
> +++ b/man/spice-client.pod
> @@ -111,6 +111,10 @@ SPICE_DEBUG environment variable, or using G_MESSAGES_DEBUG=all
>  
>  Disable audio support
>  
> +=item --spice-disable-clipboard
> +
> +Disable clipboard sharing between client OS and guest OS
> +
>  =item --spice-disable-usbredir
>  
>  Disable USB redirection support
> diff --git a/src/spice-gtk-session.c b/src/spice-gtk-session.c
> index 31f60dc4..c3546209 100644
> --- a/src/spice-gtk-session.c
> +++ b/src/spice-gtk-session.c
> @@ -309,6 +309,20 @@ static void spice_gtk_session_finalize(GObject *gobject)
>          G_OBJECT_CLASS(spice_gtk_session_parent_class)->finalize(gobject);
>  }
>  
> +static void spice_gtk_session_set_auto_clipboard(SpiceGtkSession *self,
> +                                                 gboolean auto_clipboard)
> +{
> +    gboolean disable_clipboard;
> +    g_object_get(self->priv->session,
> +                 "disable-clipboard", &disable_clipboard,
> +                 NULL);
> +    if (disable_clipboard && auto_clipboard) {
> +        g_debug("not enabling clipboard sharing as it was disabled on the command-line");
> +        auto_clipboard = FALSE;
> +    }
> +    self->priv->auto_clipboard_enable = auto_clipboard;
> +}
> +
>  static void spice_gtk_session_get_property(GObject    *gobject,
>                                             guint       prop_id,
>                                             GValue     *value,
> @@ -352,7 +366,7 @@ static void spice_gtk_session_set_property(GObject      *gobject,
>          s->session = g_value_get_object(value);
>          break;
>      case PROP_AUTO_CLIPBOARD:
> -        s->auto_clipboard_enable = g_value_get_boolean(value);
> +        spice_gtk_session_set_auto_clipboard(self, g_value_get_boolean(value));
>          break;
>      case PROP_AUTO_USBREDIR: {
>          SpiceDesktopIntegration *desktop_int;
> diff --git a/src/spice-option.c b/src/spice-option.c
> index 6b400bca..0f2f795d 100644
> --- a/src/spice-option.c
> +++ b/src/spice-option.c
> @@ -21,6 +21,7 @@
>  #include <glib-object.h>
>  #include <glib/gi18n-lib.h>
>  #include "spice-session.h"
> +#include "spice-session-priv.h"
>  #include "spice-util.h"
>  #include "spice-channel-priv.h"
>  #include "usb-device-manager.h"
> @@ -35,6 +36,7 @@ static char *usbredir_auto_redirect_filter = NULL;
>  static char *usbredir_redirect_on_connect = NULL;
>  static gboolean smartcard = FALSE;
>  static gboolean disable_audio = FALSE;
> +static gboolean disable_clipboard = FALSE;
>  static gboolean disable_usbredir = FALSE;
>  static gint cache_size = 0;
>  static gint glz_window_size = 0;
> @@ -203,6 +205,8 @@ GOptionGroup* spice_get_option_group(void)
>            N_("Subject of the host certificate (field=value pairs separated by commas)"), N_("<host-subject>") },
>          { "spice-disable-audio", '\0', 0, G_OPTION_ARG_NONE, &disable_audio,
>            N_("Disable audio support"), NULL },
> +        { "spice-disable-clipboard", '\0', 0, G_OPTION_ARG_NONE, &disable_clipboard,
> +          N_("Disable client/guest clipboard sharing"), NULL },
>          { "spice-smartcard", '\0', 0, G_OPTION_ARG_NONE, &smartcard,
>            N_("Enable smartcard support"), NULL },
>          { "spice-smartcard-certificates", '\0', 0, G_OPTION_ARG_STRING, &smartcard_certificates,
> @@ -312,6 +316,8 @@ void spice_set_session_option(SpiceSession *session)
>          g_object_set(session, "enable-usbredir", FALSE, NULL);
>      if (disable_audio)
>          g_object_set(session, "enable-audio", FALSE, NULL);
> +    if (disable_clipboard)
> +        spice_session_set_disable_clipboard(session, TRUE);
>      if (cache_size)
>          g_object_set(session, "cache-size", cache_size, NULL);
>      if (glz_window_size)
> diff --git a/src/spice-session-priv.h b/src/spice-session-priv.h
> index 03005aac..459a04b8 100644
> --- a/src/spice-session-priv.h
> +++ b/src/spice-session-priv.h
> @@ -91,6 +91,7 @@ void spice_session_set_shared_dir(SpiceSession *session, const gchar *dir);
>  gboolean spice_session_get_audio_enabled(SpiceSession *session);
>  gboolean spice_session_get_smartcard_enabled(SpiceSession *session);
>  gboolean spice_session_get_usbredir_enabled(SpiceSession *session);
> +void spice_session_set_disable_clipboard(SpiceSession *session, gboolean disabled);
>  
>  const guint8* spice_session_get_webdav_magic(SpiceSession *session);
>  PhodavServer *spice_session_get_webdav_server(SpiceSession *session);
> diff --git a/src/spice-session.c b/src/spice-session.c
> index 2aabf585..c22014dc 100644
> --- a/src/spice-session.c
> +++ b/src/spice-session.c
> @@ -64,6 +64,9 @@ struct _SpiceSessionPrivate {
>      /* whether to enable audio */
>      gboolean          audio;
>  
> +    /* whether clipboard sharing was disabled through the command line */
> +    gboolean          disable_clipboard;
> +
>      /* whether to enable smartcard event forwarding to the server */
>      gboolean          smartcard;
>  
> @@ -203,6 +206,7 @@ enum {
>      PROP_USERNAME,
>      PROP_UNIX_PATH,
>      PROP_PREF_COMPRESSION,
> +    PROP_DISABLE_CLIPBOARD,
>  };
>  
>  /* signals */
> @@ -695,6 +699,9 @@ static void spice_session_get_property(GObject    *gobject,
>      case PROP_PREF_COMPRESSION:
>          g_value_set_enum(value, s->preferred_compression);
>          break;
> +    case PROP_DISABLE_CLIPBOARD:
> +        g_value_set_boolean(value, s->disable_clipboard);
> +        break;
>      default:
>  	G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
>  	break;
> @@ -834,6 +841,9 @@ static void spice_session_set_property(GObject      *gobject,
>      case PROP_PREF_COMPRESSION:
>          s->preferred_compression = g_value_get_enum(value);
>          break;
> +    case PROP_DISABLE_CLIPBOARD:
> +        s->disable_clipboard = g_value_get_boolean(value);
> +        break;
>      default:
>          G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
>          break;
> @@ -1458,6 +1468,26 @@ static void spice_session_class_init(SpiceSessionClass *klass)
>                             G_PARAM_READWRITE |
>                             G_PARAM_STATIC_STRINGS));
>  
> +    /**
> +     * SpiceSession:disable-clipboard:
> +     *
> +     * Whether to clipboard sharing was disabled on the command line.
> +     *
> +     * Since: 0.35
> +     **/
> +    /* This property is read-only, and set through a method so that
> +     * applications using the library cannot override what the user set on the
> +     * command line
> +     */

I would make this part of the documentation too.

If the lack of GSettings is not deal breaker for others,
Acked-by: Victor Toso <victortoso at redhat.com>

> +    g_object_class_install_property
> +        (gobject_class, PROP_DISABLE_CLIPBOARD,
> +         g_param_spec_boolean("disable-clipboard",
> +                              "Disable clipboard sharing",
> +                              "Clipboard sharing was disabled on the command line",
> +                              FALSE,
> +                              G_PARAM_READABLE |
> +                              G_PARAM_STATIC_STRINGS));
> +
>      g_type_class_add_private(klass, sizeof(SpiceSessionPrivate));
>  }
>  
> @@ -2761,6 +2791,11 @@ end:
>      return priv->webdav;
>  }
>  
> +void spice_session_set_disable_clipboard(SpiceSession *session, gboolean disabled)
> +{
> +    session->priv->disable_clipboard = !!disabled;
> +}
> +
>  /**
>   * spice_session_is_for_migration:
>   * @session: a Spice session
> -- 
> 2.14.3
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/spice-devel/attachments/20180220/aa34905e/attachment-0001.sig>

More information about the Spice-devel mailing list