[Spice-devel] RFC [spice-gtk] session: Allow to delay sending clipboard to the guest

Tue Jan 9 16:08:44 UTC 2018

Hi

----- Original Message -----
> Hey,
> 
> On Tue, Jan 09, 2018 at 09:46:48AM -0500, Marc-André Lureau wrote:
> > ----- Original Message -----
> > > This is used to prevent unfocused guests from sniffing the clipboard
> > > content without the host or other guests noticing. This can be a
> > > security issue if any VM can track the clipboard activity in the
> > > session.
> > > This commit sets a boolean in SpiceGtkSession on focus in/out events.
> > > The client -> guest sending of clipboard data is then delayed until the
> > > window is focused again. This behaviour matches the behaviour we get on
> > > Wayland.
> > > 
> > > This mostly solves https://bugzilla.redhat.com/show_bug.cgi?id=1320263
> > 
> > As Hans corrected in the bug, the data isn't actually transferred until the
> > guest actually requested it.
> > 
> > Now, a malicious guest could try to get the clipboard content in a loop,
> > even without previous notification of clipboard content.
> 
> Yes, that's the issue, for example 'watch xsel -o --clipboard'
> 
> > However, isn't this true for any application running in the client
> > desktop? What makes Spice guest different here? And by that I mean
> > that the problem shouldn't probably be solved at the spice/spice-gtk
> > level.
> 
> What makes spice different here is that it's used to access a VM, and a
> VM is supposed to give you isolation. If some hostile code is running in
> the VM, its impact on the host/client OS should be minimal. The fact
> that a VM with an open client connection can monitor everything that
> goes in the clipboard breaks that isolation. For example, I have a ton
> of password going through my clipboard, which I don't necessarily want
> VM to have direct access to.

Spice isn't that tied to the VM or isolation concept. It's a remote display protocol, aiming to blur the lines between remote and locate applications or desktop. As such, it's not that different from say, the X protocol or the Wayland protocol...

> 
> 
> > I am not that familiar with Wayland clipboard behaviour, could you
> > explained what changed? That could help me to understand this patch
> > better.
> 
> I'll detail this in the commit log, but if you try the 'watch' command
> from above in a VM, then copy something to your clipboard on the client,
> you'll notice that the clipboard content shows up in the VM only after
> you give it focus. In a way, this answers your "this shouldn't be solved
> at the spice/spice-gtk level" concern, and this was indeed solved at a
> different level. However, we still have the issue on x11 for now.

Ok, but then I think we should accept the fact that this is a x11 "limitation", like many others x11 security issues. If not, try to fix it at a different level, like the toolkit.