Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 800155

Summary: PRD35 - [RFE] configure SPICE disable-copy-paste in GUIs
Product: Red Hat Enterprise Virtualization Manager Reporter: David Jaša <djasa>
Component: RFEsAssignee: Francesco Romani <fromani>
Status: CLOSED ERRATA QA Contact: Artyom <alukiano>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0.0CC: adahms, alukiano, avettath, cfergeau, degts, desktop-qa-list, djasa, fkobzik, fromani, ghelleks, gklein, iheim, lpeer, mavital, michal.skrivanek, mkalinin, myllynen, rbalakri, sherold, sputhenp, tbrunell, ylavi
Target Milestone: ---Keywords: FutureFeature
Target Release: 3.5.0Flags: sherold: Triaged+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: virt
Fixed In Version: ovirt-3.5.0-beta2 Doc Type: Enhancement
Doc Text:
This features adds the ability to disable copying and pasting to virtual machines through SPICE connections, allowing administrators to restrict this functionality due to security reasons. This functionality is enabled by default.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-11 17:49:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1082479    
Bug Blocks: 1142923, 1156165    

Description David Jaša 2012-03-05 21:00:50 UTC
Description of problem:
Since RHEL6.2/RHEV3.0, SPICE supports disabling of copy & paste feature at spice-server level that is also supported in libvirt (implemented as bug #693638, bug #693645, bug #693661):
# qemu-kvm -spice disable-copy-paste

<devices>
  <graphics type="spice">
    <clipboard copypaste="no"/>
  </graphics>
</devices>

What is lacking is proper integration into RHEV permission system and per-VM configuration:

 * Add a "Allow Client-Guest Copy & Paste" permission to to 
   "VM - Basic Operations" group that is enabled by default

 * Add a "Enable Guest-Client Copy & Paste" checkbox to "Edit VM" dialog for
   PowerUser and more powerful role that is checked by default. When the user
   is not allowed to use the feature by system-wide permission, this checkbox
   is unchecked and disabled.

 * RHEV-M should validate input of above checkbox in all case to prevent
   circumvention via tools like DOM Inspector or Greasemonkey script in Firefox

Version-Release number of selected component (if applicable):
3.0.2

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Itamar Heim 2012-03-06 09:17:35 UTC
workaround for now would be to use a custom hook until this is implemented

Comment 4 Francesco Romani 2013-12-23 12:31:39 UTC
VDSM patch available here: http://gerrit.ovirt.org/#/c/22646/

Comment 6 Francesco Romani 2014-04-22 12:13:54 UTC
engine patches: http://gerrit.ovirt.org/#/c/26241/ (and related)

Comment 7 Francesco Romani 2014-06-04 07:52:34 UTC
move to MODIFIED because the UI patch was merged (only RESTAPI is left out, patch posted and verified, previous version ACKed).

Comment 8 Artyom 2014-08-07 14:53:46 UTC
Verified on ovirt-engine-3.5.0-0.0.master.20140804172041.git23b558e.el6.noarch

Comment 11 errata-xmlrpc 2015-02-11 17:49:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html