From: Pavel Hrdina Date: Wed, 18 May 2016 12:11:20 +0000 (+0200) Subject: spice: introduce spice_auto_unix_socket config option X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=ffac5056390c2401da497db4f5ea9730d3c9c094;p=libvirt.git spice: introduce spice_auto_unix_socket config option Signed-off-by: Pavel Hrdina --- diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index b6f6dc49fd..8bc23baa66 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -37,6 +37,7 @@ module Libvirtd_qemu = let spice_entry = str_entry "spice_listen" | bool_entry "spice_tls" | str_entry "spice_tls_x509_cert_dir" + | bool_entry "spice_auto_unix_socket" | str_entry "spice_password" | bool_entry "spice_sasl" | str_entry "spice_sasl_dir" diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 59c839ea8d..796427368e 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -130,6 +130,17 @@ #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" +# Enable this option to have SPICE served over an automatically created +# unix socket. This prevents unprivileged access from users on the +# host machine. +# +# This will only be enabled for SPICE configurations that have listen +# type=address but without any address specified. This setting takes +# preference over spice_listen. +# +#spice_auto_unix_socket = 1 + + # The default SPICE password. This parameter is only used if the # per-domain XML config does not already provide a password. To # allow access without passwords, leave this commented out. An diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index e00ddcaa57..d4c34c994c 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -588,6 +588,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, GET_VALUE_STR("spice_sasl_dir", cfg->spiceSASLdir); GET_VALUE_STR("spice_listen", cfg->spiceListen); GET_VALUE_STR("spice_password", cfg->spicePassword); + GET_VALUE_BOOL("spice_auto_unix_socket", cfg->spiceAutoUnixSocket); GET_VALUE_ULONG("remote_websocket_port_min", cfg->webSocketPortMin); diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 1fdef70859..e830b4096c 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -123,6 +123,7 @@ struct _virQEMUDriverConfig { char *spiceSASLdir; char *spiceListen; char *spicePassword; + bool spiceAutoUnixSocket; int remotePortMin; int remotePortMax; diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index ce6bcce3c0..7d61ecde79 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -4035,6 +4035,7 @@ qemuProcessGraphicsSetupListen(virQEMUDriverConfigPtr cfg, break; case VIR_DOMAIN_GRAPHICS_TYPE_SPICE: + useSocket = cfg->spiceAutoUnixSocket; listenAddr = cfg->spiceListen; break; diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in index 8bec7437cd..c4d4f1945e 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -14,6 +14,7 @@ module Test_libvirtd_qemu = { "spice_listen" = "0.0.0.0" } { "spice_tls" = "1" } { "spice_tls_x509_cert_dir" = "/etc/pki/libvirt-spice" } +{ "spice_auto_unix_socket" = "1" } { "spice_password" = "XYZ12345" } { "spice_sasl" = "1" } { "spice_sasl_dir" = "/some/directory/sasl2" } diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args new file mode 100644 index 0000000000..61335b0460 --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args @@ -0,0 +1,20 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/home/test \ +USER=test \ +LOGNAME=test \ +QEMU_AUDIO_DRV=spice \ +/usr/bin/qemu \ +-name QEMUGuest1 \ +-S \ +-M pc \ +-m 214 \ +-smp 1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-nodefaults \ +-monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \ +-no-acpi \ +-boot c \ +-usb \ +-spice unix,addr=/tmp/lib/domain--1-QEMUGuest1/spice.sock \ +-vga cirrus diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml new file mode 100644 index 0000000000..f2e3d124e4 --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml @@ -0,0 +1,30 @@ + + QEMUGuest1 + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219100 + 219100 + 1 + + hvm + + + + destroy + restart + destroy + + /usr/bin/qemu + + + + + + + + + + + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 4dc3d66735..1d88084df1 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -972,6 +972,11 @@ mymain(void) DO_TEST("graphics-spice-auto-socket", QEMU_CAPS_SPICE, QEMU_CAPS_SPICE_UNIX); + driver.config->spiceAutoUnixSocket = true; + DO_TEST("graphics-spice-auto-socket-cfg", + QEMU_CAPS_SPICE, + QEMU_CAPS_SPICE_UNIX); + driver.config->spiceAutoUnixSocket = false; DO_TEST("input-usbmouse", NONE); DO_TEST("input-usbtablet", NONE); diff --git a/tests/qemuxml2xmloutdata/qemuxml2xmlout-graphics-spice-auto-socket-cfg.xml b/tests/qemuxml2xmloutdata/qemuxml2xmlout-graphics-spice-auto-socket-cfg.xml new file mode 100644 index 0000000000..7548184f85 --- /dev/null +++ b/tests/qemuxml2xmloutdata/qemuxml2xmlout-graphics-spice-auto-socket-cfg.xml @@ -0,0 +1,35 @@ + + QEMUGuest1 + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219100 + 219100 + 1 + + hvm + + + + destroy + restart + destroy + + /usr/bin/qemu + +
+ + +
+ + + + + + + +