Similar to vnc_auto_unix_socket, this option tells libvirt to allocate a listening socket path for default <graphics type='spice'/> config, taking precedence over spice_listen. https://bugzilla.redhat.com/show_bug.cgi?id=1043919 --- src/qemu/libvirtd_qemu.aug | 1 + src/qemu/qemu.conf | 11 +++++++++ src/qemu/qemu_command.c | 13 ++++++++--- src/qemu/qemu_conf.c | 1 + src/qemu/qemu_conf.h | 1 + src/qemu/test_libvirtd_qemu.aug.in | 1 + .../qemuxml2argv-graphics-spice-unix-auto.args | 21 +++++++++++++++++ .../qemuxml2argv-graphics-spice-unix-auto.xml | 27 ++++++++++++++++++++++ tests/qemuxml2argvtest.c | 6 +++++ 9 files changed, 79 insertions(+), 3 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-unix-auto.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-unix-auto.xml diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index b6f6dc4..49d59ad 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -40,6 +40,7 @@ module Libvirtd_qemu = | str_entry "spice_password" | bool_entry "spice_sasl" | str_entry "spice_sasl_dir" + | bool_entry "spice_auto_unix_socket" let nogfx_entry = bool_entry "nographics_allow_host_audio" diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 4fa5e8a..cd0a614 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf 
@@ -156,6 +156,17 @@ #spice_sasl_dir = "/some/directory/sasl2" +# Enable this option to have SPICE served over an automatically created +# unix socket. This prevents unprivileged access from users on the +# host machine. +# +# This will only be enabled for SPICE configurations that do not have +# a hardcoded 'listen' or 'socket' value. This setting takes preference +# over spice_listen. +# +#spice_auto_unix_socket = 1 + + # By default, if no graphical front end is configured, libvirt will disable # QEMU audio output since directly talking to alsa/pulseaudio may not work # with various security settings. If you know what you're doing, enable diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 8a5baf5..d2bfae6 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -7370,7 +7370,8 @@ static int qemuBuildGraphicsSPICECommandLine(virQEMUDriverConfigPtr cfg, virCommandPtr cmd, virQEMUCapsPtr qemuCaps, - virDomainGraphicsDefPtr graphics) + virDomainGraphicsDefPtr graphics, + const char *domainLibDir) { virBuffer opt = VIR_BUFFER_INITIALIZER; const char *listenNetwork; @@ -7411,7 +7412,12 @@ qemuBuildGraphicsSPICECommandLine(virQEMUDriverConfigPtr cfg, /* TODO: Support ACLs later */ } - if (graphics->data.spice.socket) { + if (graphics->data.spice.socket || cfg->spiceAutoUnixSocket) { + if (!graphics->data.spice.socket && + virAsprintf(&graphics->data.spice.socket, + "%s/spice.sock", domainLibDir) == -1) + goto error; + virBufferAsprintf(&opt, "unix,addr=%s,", graphics->data.spice.socket); } else if (port > 0 || tlsPort > 0) { switch (virDomainGraphicsListenGetType(graphics, 0)) { 
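Review bot: The added sentence "This prevents unprivileged access from users on the host machine" claims more than the option itself provides. The socket is created at `%s/spice.sock` under the per-domain lib directory (see the qemu_command.c hunk), so who can connect is decided by the permissions on that directory and on the socket file. I would word it as `# SPICE is then reachable only through the socket file, so access is governed by its filesystem permissions.` The comment could also say where the socket is created, so an administrator knows which path to audit.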
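Review bot: The new condition `graphics->data.spice.socket || cfg->spiceAutoUnixSocket` takes the unix-socket branch whenever the option is set, without checking whether the domain XML carries its own listen address or port. The qemu.conf text added in this same patch says configurations with a hardcoded 'listen' are left alone. Unless a step outside this hunk already filters those configurations, a guest configured for a TCP listener would silently be switched to `domainLibDir/spice.sock`; consider gating the automatic path on the absence of a configured listen, for example by consulting the same `virDomainGraphicsListenGetType(graphics, 0)` that the TCP branch switches on. The branch also stores the generated path in `graphics->data.spice.socket` while building the command line, so a comment such as `/* auto-generated path is kept in the definition; freed with the graphics def */` (to be confirmed against the free routine) would help the next reader. This hunk sits in the middle of qemuBuildGraphicsSPICECommandLine; the rest of the body is not visible here.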
@@ -7653,7 +7659,8 @@ qemuBuildGraphicsCommandLine(virQEMUDriverConfigPtr cfg, graphics, domainLibDir); case VIR_DOMAIN_GRAPHICS_TYPE_SPICE: - return qemuBuildGraphicsSPICECommandLine(cfg, cmd, qemuCaps, graphics); + return qemuBuildGraphicsSPICECommandLine(cfg, cmd, qemuCaps, + graphics, domainLibDir); case VIR_DOMAIN_GRAPHICS_TYPE_RDP: case VIR_DOMAIN_GRAPHICS_TYPE_DESKTOP: diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 77ef4fe..ac9e275 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -587,6 +587,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg, GET_VALUE_STR("spice_sasl_dir", cfg->spiceSASLdir); GET_VALUE_STR("spice_listen", cfg->spiceListen); GET_VALUE_STR("spice_password", cfg->spicePassword); + GET_VALUE_BOOL("spice_auto_unix_socket", cfg->spiceAutoUnixSocket); GET_VALUE_ULONG("remote_websocket_port_min", cfg->webSocketPortMin); diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index a714b84..c94bf13 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -123,6 +123,7 @@ struct _virQEMUDriverConfig { char *spiceSASLdir; char *spiceListen; char *spicePassword; + bool spiceAutoUnixSocket; int remotePortMin; int remotePortMax; diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in index 8bec743..d09ecd3 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -17,6 +17,7 @@ module Test_libvirtd_qemu = { "spice_password" = "XYZ12345" } { "spice_sasl" = "1" } { "spice_sasl_dir" = "/some/directory/sasl2" } +{ "spice_auto_unix_socket" = "1" } { "nographics_allow_host_audio" = "1" } { "remote_display_port_min" = "5900" } { "remote_display_port_max" = "65535" } diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-unix-auto.args b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-unix-auto.args new file mode 100644 index 0000000..7f54855 --- /dev/null +++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-unix-auto.args 
@@ -0,0 +1,21 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=spice \
+/usr/bin/qemu \
+-name QEMUGuest1 \
+-S \
+-M pc \
+-m 214 \
+-smp 1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-nodefaults \
+-monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \
+-no-acpi \
+-boot c \
+-spice unix,addr=/tmp/lib/domain--1-QEMUGuest1/spice.sock \
+-vga qxl \
+-global qxl-vga.ram_size=67108864 \
+-global qxl-vga.vram_size=33554432
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-unix-auto.xml b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-unix-auto.xml
new file mode 100644
index 0000000..7378be8
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-unix-auto.xml
@@ -0,0 +1,27 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <controller type='usb' model='none' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <graphics type='spice'/>
+ <video>
+ <model type='qxl' ram='65536' vram='32768' vgamem='8192' heads='1'/>
+ </video>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 76b64bd..15dde3d 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -994,6 +994,12 @@ mymain(void) QEMU_CAPS_VGA_QXL, QEMU_CAPS_SPICE, QEMU_CAPS_DEVICE_QXL); + driver.config->spiceAutoUnixSocket = true; + DO_TEST("graphics-spice-unix-auto", + QEMU_CAPS_VGA_QXL, + QEMU_CAPS_SPICE, + QEMU_CAPS_DEVICE_QXL); + driver.config->spiceAutoUnixSocket = false; DO_TEST("input-usbmouse", NONE); DO_TEST("input-usbtablet", NONE); -- 2.5.0 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
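Review bot: The new `DO_TEST("graphics-spice-unix-auto", ...)` case only exercises a bare `<graphics type='spice'/>`. Nothing pins the behaviour that qemu.conf promises for configurations with a hardcoded 'listen' or 'socket' while `spiceAutoUnixSocket` is true. A second `DO_TEST` placed between the `= true` and `= false` assignments, using a fixture with an explicit listen address and its own expected .args file, would cover that case. mymain's body starts and ends outside the hunk.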