Francesco Romani has uploaded a new change for review. Change subject: virt: graphics: enforce spice default mode
virt: graphics: enforce spice default mode Libvirt grants an additional protection layer for spice channels, using the defaultMode of the graphics device. This patch makes Vdsm explicitly set this value for improved security, depending on the 'ssl' config value. Change-Id: I169e7c4a76717dda8aeacbdb20ee031f453ed4fa Backport-To: 3.6 Signed-off-by: Francesco Romani <from...@redhat.com> --- M tests/deviceTests.py M vdsm/virt/vmdevices/graphics.py 2 files changed, 16 insertions(+), 6 deletions(-) git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/46/56746/1 diff --git a/tests/deviceTests.py b/tests/deviceTests.py index 40bba97..cd59dda 100644 --- a/tests/deviceTests.py +++ b/tests/deviceTests.py @@ -44,13 +44,15 @@ GRAPHICS_XMLS = [ """ - <graphics autoport="yes" keymap="en-us" passwd="*****" + <graphics autoport="yes" defaultMode="secure" + keymap="en-us" passwd="*****" passwdValidTo="1970-01-01T00:00:01" port="-1" type="vnc"> <listen network="vdsm-vmDisplay" type="network"/> </graphics>""", """ - <graphics autoport="yes" listen="0" passwd="*****" + <graphics autoport="yes" defaultMode="secure" + listen="0" passwd="*****" passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice"> <channel mode="secure" name="main"/> 
@@ -62,21 +64,24 @@ </graphics>""", """ - <graphics autoport="yes" listen="0" passwd="*****" + <graphics autoport="yes" defaultMode="secure" + listen="0" passwd="*****" passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice"> <channel mode="secure" name="main"/> </graphics>""", """ - <graphics autoport="yes" listen="0" passwd="*****" + <graphics autoport="yes" defaultMode="secure" + listen="0" passwd="*****" passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice"> <clipboard copypaste="no"/> </graphics>""", """ - <graphics autoport="yes" listen="0" passwd="*****" + <graphics autoport="yes" defaultMode="secure" + listen="0" passwd="*****" passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice"> <filetransfer enable="no"/> diff --git a/vdsm/virt/vmdevices/graphics.py b/vdsm/virt/vmdevices/graphics.py index 935ceca..2a0fe58 100644 --- a/vdsm/virt/vmdevices/graphics.py +++ b/vdsm/virt/vmdevices/graphics.py @@ -108,7 +108,12 @@ graphicsAttrs = { 'type': self.device, 'port': self.port, - 'autoport': 'yes'} + 'autoport': 'yes', + } + if config.getboolean('vars', 'ssl'): + graphicsAttrs['defaultMode'] = 'secure' + # the default, 'any', has automatic fallback to + # insecure mode, so works with ssl off. if self.device == 'spice': graphicsAttrs['tlsPort'] = self.tlsPort -- To view, visit https://gerrit.ovirt.org/56746 Gerrit-MessageType: newchange Gerrit-Change-Id: I169e7c4a76717dda8aeacbdb20ee031f453ed4fa Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Francesco Romani <from...@redhat.com>
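
Review bot: in tests/deviceTests.py every expected entry in GRAPHICS_XMLS now carries defaultMode="secure", so these cases pass only when the 'ssl' option in the 'vars' section is true, and nothing in the visible hunks sets that option for the test. Pin the config value in the test setup, and add a case with ssl disabled that asserts the defaultMode attribute is absent, since that is the path the new comment in graphics.py describes as falling back to 'any'.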
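
Review bot: in vdsm/virt/vmdevices/graphics.py the new "if config.getboolean('vars', 'ssl'):" block sits before "if self.device == 'spice':", so defaultMode is emitted for every graphics type, and the first expected XML in tests/deviceTests.py (type="vnc") confirms it. The subject and commit message speak only of spice channels, so either move the assignment under the spice branch or state in the commit message that VNC is covered on purpose. The comment about 'any' would also read better above the "if" than after the assignment, because it describes the case where the branch is not taken.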