[Spice-devel] [spice-gtk] Add --spice-disable-clipboard option

Christophe Fergeau cfergeau at redhat.com
Thu Jan 18 09:31:26 UTC 2018


At least on X.org, malicious code could run the equivalent of "watch
xsel -o --clipboard" in a VM, and would then be able to track all the
clipboard content, even when the spice-gtk widget is not focused.

At the moment, applications call spice_set_session_option(), and then
set SpiceGtkSession::auto-clipboard to TRUE (or to its saved state).
This commit adds a --spice-disable-clipboard option, and if it's set,
SpiceGtkSession::auto-clipboard will not be changeable and will always
be FALSE.
The only side effect I noticed is that enabling "clipboard sharing" in
GNOME Boxes VM preferences will appear to work, but will not enable
clipboard, and will be reset to off next time the preferences dialog is
open.

https://bugzilla.redhat.com/show_bug.cgi?id=1320263
---
 man/spice-client.pod     |  4 ++++
 src/spice-gtk-session.c  | 16 +++++++++++++++-
 src/spice-option.c       |  6 ++++++
 src/spice-session-priv.h |  1 +
 src/spice-session.c      | 35 +++++++++++++++++++++++++++++++++++
 5 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/man/spice-client.pod b/man/spice-client.pod
index 7288b84e..76a7d207 100644
--- a/man/spice-client.pod
+++ b/man/spice-client.pod
@@ -111,6 +111,10 @@ SPICE_DEBUG environment variable, or using G_MESSAGES_DEBUG=all
 
 Disable audio support
 
+=item --spice-disable-clipboard
+
+Disable clipboard sharing between client OS and guest OS
+
 =item --spice-disable-usbredir
 
 Disable USB redirection support
diff --git a/src/spice-gtk-session.c b/src/spice-gtk-session.c
index 31f60dc4..c3546209 100644
--- a/src/spice-gtk-session.c
+++ b/src/spice-gtk-session.c
@@ -309,6 +309,20 @@ static void spice_gtk_session_finalize(GObject *gobject)
         G_OBJECT_CLASS(spice_gtk_session_parent_class)->finalize(gobject);
 }
 
+static void spice_gtk_session_set_auto_clipboard(SpiceGtkSession *self,
+                                                 gboolean auto_clipboard)
+{
+    gboolean disable_clipboard;
+    g_object_get(self->priv->session,
+                 "disable-clipboard", &disable_clipboard,
+                 NULL);
+    if (disable_clipboard && auto_clipboard) {
+        g_debug("not enabling clipboard sharing as it was disabled on the command-line");
+        auto_clipboard = FALSE;
+    }
+    self->priv->auto_clipboard_enable = auto_clipboard;
+}
+
 static void spice_gtk_session_get_property(GObject    *gobject,
                                            guint       prop_id,
                                            GValue     *value,
@@ -352,7 +366,7 @@ static void spice_gtk_session_set_property(GObject      *gobject,
         s->session = g_value_get_object(value);
         break;
     case PROP_AUTO_CLIPBOARD:
-        s->auto_clipboard_enable = g_value_get_boolean(value);
+        spice_gtk_session_set_auto_clipboard(self, g_value_get_boolean(value));
         break;
     case PROP_AUTO_USBREDIR: {
         SpiceDesktopIntegration *desktop_int;
diff --git a/src/spice-option.c b/src/spice-option.c
index 6b400bca..0f2f795d 100644
--- a/src/spice-option.c
+++ b/src/spice-option.c
@@ -21,6 +21,7 @@
 #include <glib-object.h>
 #include <glib/gi18n-lib.h>
 #include "spice-session.h"
+#include "spice-session-priv.h"
 #include "spice-util.h"
 #include "spice-channel-priv.h"
 #include "usb-device-manager.h"
@@ -35,6 +36,7 @@ static char *usbredir_auto_redirect_filter = NULL;
 static char *usbredir_redirect_on_connect = NULL;
 static gboolean smartcard = FALSE;
 static gboolean disable_audio = FALSE;
+static gboolean disable_clipboard = FALSE;
 static gboolean disable_usbredir = FALSE;
 static gint cache_size = 0;
 static gint glz_window_size = 0;
@@ -203,6 +205,8 @@ GOptionGroup* spice_get_option_group(void)
           N_("Subject of the host certificate (field=value pairs separated by commas)"), N_("<host-subject>") },
         { "spice-disable-audio", '\0', 0, G_OPTION_ARG_NONE, &disable_audio,
           N_("Disable audio support"), NULL },
+        { "spice-disable-clipboard", '\0', 0, G_OPTION_ARG_NONE, &disable_clipboard,
+          N_("Disable client/guest clipboard sharing"), NULL },
         { "spice-smartcard", '\0', 0, G_OPTION_ARG_NONE, &smartcard,
           N_("Enable smartcard support"), NULL },
         { "spice-smartcard-certificates", '\0', 0, G_OPTION_ARG_STRING, &smartcard_certificates,
@@ -312,6 +316,8 @@ void spice_set_session_option(SpiceSession *session)
         g_object_set(session, "enable-usbredir", FALSE, NULL);
     if (disable_audio)
         g_object_set(session, "enable-audio", FALSE, NULL);
+    if (disable_clipboard)
+        spice_session_set_disable_clipboard(session, TRUE);
     if (cache_size)
         g_object_set(session, "cache-size", cache_size, NULL);
     if (glz_window_size)
diff --git a/src/spice-session-priv.h b/src/spice-session-priv.h
index 03005aac..459a04b8 100644
--- a/src/spice-session-priv.h
+++ b/src/spice-session-priv.h
@@ -91,6 +91,7 @@ void spice_session_set_shared_dir(SpiceSession *session, const gchar *dir);
 gboolean spice_session_get_audio_enabled(SpiceSession *session);
 gboolean spice_session_get_smartcard_enabled(SpiceSession *session);
 gboolean spice_session_get_usbredir_enabled(SpiceSession *session);
+void spice_session_set_disable_clipboard(SpiceSession *session, gboolean disabled);
 
 const guint8* spice_session_get_webdav_magic(SpiceSession *session);
 PhodavServer *spice_session_get_webdav_server(SpiceSession *session);
diff --git a/src/spice-session.c b/src/spice-session.c
index 2aabf585..c22014dc 100644
--- a/src/spice-session.c
+++ b/src/spice-session.c
@@ -64,6 +64,9 @@ struct _SpiceSessionPrivate {
     /* whether to enable audio */
     gboolean          audio;
 
+    /* whether clipboard sharing was disabled through the command line */
+    gboolean          disable_clipboard;
+
     /* whether to enable smartcard event forwarding to the server */
     gboolean          smartcard;
 
@@ -203,6 +206,7 @@ enum {
     PROP_USERNAME,
     PROP_UNIX_PATH,
     PROP_PREF_COMPRESSION,
+    PROP_DISABLE_CLIPBOARD,
 };
 
 /* signals */
@@ -695,6 +699,9 @@ static void spice_session_get_property(GObject    *gobject,
     case PROP_PREF_COMPRESSION:
         g_value_set_enum(value, s->preferred_compression);
         break;
+    case PROP_DISABLE_CLIPBOARD:
+        g_value_set_boolean(value, s->disable_clipboard);
+        break;
     default:
 	G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
 	break;
@@ -834,6 +841,9 @@ static void spice_session_set_property(GObject      *gobject,
     case PROP_PREF_COMPRESSION:
         s->preferred_compression = g_value_get_enum(value);
         break;
+    case PROP_DISABLE_CLIPBOARD:
+        s->disable_clipboard = g_value_get_boolean(value);
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
         break;
@@ -1458,6 +1468,26 @@ static void spice_session_class_init(SpiceSessionClass *klass)
                            G_PARAM_READWRITE |
                            G_PARAM_STATIC_STRINGS));
 
+    /**
+     * SpiceSession:disable-clipboard:
+     *
+     * Whether to clipboard sharing was disabled on the command line.
+     *
+     * Since: 0.35
+     **/
+    /* This property is read-only, and set through a method so that
+     * applications using the library cannot override what the user set on the
+     * command line
+     */
+    g_object_class_install_property
+        (gobject_class, PROP_DISABLE_CLIPBOARD,
+         g_param_spec_boolean("disable-clipboard",
+                              "Disable clipboard sharing",
+                              "Clipboard sharing was disabled on the command line",
+                              FALSE,
+                              G_PARAM_READABLE |
+                              G_PARAM_STATIC_STRINGS));
+
     g_type_class_add_private(klass, sizeof(SpiceSessionPrivate));
 }
 
@@ -2761,6 +2791,11 @@ end:
     return priv->webdav;
 }
 
+void spice_session_set_disable_clipboard(SpiceSession *session, gboolean disabled)
+{
+    session->priv->disable_clipboard = !!disabled;
+}
+
 /**
  * spice_session_is_for_migration:
  * @session: a Spice session
-- 
2.14.3



More information about the Spice-devel mailing list