Francesco Romani has uploaded a new change for review.

Change subject: virt: graphics: enforce spice default mode
......................................................................

virt: graphics: enforce spice default mode

Libvirt grants an additional protection layer for spice channels,
using the defaultMode of the graphics device.

This patch makes Vdsm explicitly set this value for improved security,
depending on the 'ssl' config value.

Change-Id: I169e7c4a76717dda8aeacbdb20ee031f453ed4fa
Backport-To: 3.6
Signed-off-by: Francesco Romani <from...@redhat.com>
---
M tests/deviceTests.py
M vdsm/virt/vmdevices/graphics.py
2 files changed, 16 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/46/56746/1

diff --git a/tests/deviceTests.py b/tests/deviceTests.py
index 40bba97..cd59dda 100644
--- a/tests/deviceTests.py
+++ b/tests/deviceTests.py
@@ -44,13 +44,15 @@
 
     GRAPHICS_XMLS = [
         """
-        <graphics autoport="yes" keymap="en-us" passwd="*****"
+        <graphics autoport="yes" defaultMode="secure"
+                  keymap="en-us" passwd="*****"
                   passwdValidTo="1970-01-01T00:00:01" port="-1" type="vnc">
             <listen network="vdsm-vmDisplay" type="network"/>
         </graphics>""",
 
         """
-        <graphics autoport="yes" listen="0" passwd="*****"
+        <graphics autoport="yes" defaultMode="secure"
+                  listen="0" passwd="*****"
                   passwdValidTo="1970-01-01T00:00:01" port="-1"
                   tlsPort="-1" type="spice">
             <channel mode="secure" name="main"/>
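Review bot: the first expectation in this hunk now asserts `defaultMode="secure"` on a `type="vnc"` device, but the commit message scopes the change to spice channels and libvirt documents defaultMode as an attribute of spice graphics. If the intent is spice-only, leave the vnc expected XML as it was and restrict the code path to spice; if vnc is meant to carry the attribute as well, state that in the commit message. Separately, every expected XML touched here assumes the 'ssl' config value is true; no visible test change exercises the ssl-off path in which defaultMode must be absent, so add a case with 'ssl' set to false that asserts the attribute is not emitted, otherwise the fallback-to-'any' behaviour the code comment relies on is untested.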
@@ -62,21 +64,24 @@
         </graphics>""",
 
         """
-        <graphics autoport="yes" listen="0" passwd="*****"
+        <graphics autoport="yes" defaultMode="secure"
+                  listen="0" passwd="*****"
                   passwdValidTo="1970-01-01T00:00:01" port="-1"
                   tlsPort="-1" type="spice">
             <channel mode="secure" name="main"/>
         </graphics>""",
 
         """
-        <graphics autoport="yes" listen="0" passwd="*****"
+        <graphics autoport="yes" defaultMode="secure"
+                  listen="0" passwd="*****"
                   passwdValidTo="1970-01-01T00:00:01" port="-1"
                   tlsPort="-1" type="spice">
             <clipboard copypaste="no"/>
         </graphics>""",
 
         """
-        <graphics autoport="yes" listen="0" passwd="*****"
+        <graphics autoport="yes" defaultMode="secure"
+                listen="0" passwd="*****"
                 passwdValidTo="1970-01-01T00:00:01" port="-1"
                 tlsPort="-1" type="spice">
             <filetransfer enable="no"/>
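Review bot: the continuation line added to the last spice block (`listen="0" passwd="*****"` at 16 columns) follows that block's pre-existing narrower indentation while the three blocks above use 18; since these strings are being edited anyway, align all of them to avoid the drift. On content, note that the two cases without any `<channel>` element (`<clipboard copypaste="no"/>` and `<filetransfer enable="no"/>`) are the ones where `defaultMode="secure"` has full effect, forcing every spice channel onto tlsPort, while in the blocks that keep `<channel mode="secure" name="main"/>` the per-channel mode overrides defaultMode and the explicit element is now redundant; a one-line remark in the commit message that per-channel modes still take precedence would make the expected XML easier to read.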
diff --git a/vdsm/virt/vmdevices/graphics.py b/vdsm/virt/vmdevices/graphics.py
index 935ceca..2a0fe58 100644
--- a/vdsm/virt/vmdevices/graphics.py
+++ b/vdsm/virt/vmdevices/graphics.py
@@ -108,7 +108,12 @@
         graphicsAttrs = {
             'type': self.device,
             'port': self.port,
-            'autoport': 'yes'}
+            'autoport': 'yes',
+        }
+        if config.getboolean('vars', 'ssl'):
+            graphicsAttrs['defaultMode'] = 'secure'
+        # the default, 'any', has automatic fallback to
+        # insecure mode, so works with ssl off.
 
         if self.device == 'spice':
             graphicsAttrs['tlsPort'] = self.tlsPort
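Review bot: `graphicsAttrs['defaultMode'] = 'secure'` is set before the `if self.device == 'spice':` branch, so vnc devices get the attribute too, although the commit message describes a spice channel protection and libvirt documents defaultMode for spice graphics; move the `config.getboolean('vars', 'ssl')` check and the assignment into the spice branch next to `graphicsAttrs['tlsPort'] = self.tlsPort`. The comment "the default, 'any', has automatic fallback to insecure mode" sits after the `if` body and reads as dangling; place it above the `if` or under an `else:` so it documents the ssl-off path. Confirm that `config` is imported in this module, since the hunk does not show the import. Finally, re-closing the dict with a trailing comma is unrelated churn for a change marked Backport-To: 3.6; keeping `'autoport': 'yes'}` as it was minimises the backport diff.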


-- 
To view, visit https://gerrit.ovirt.org/56746
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I169e7c4a76717dda8aeacbdb20ee031f453ed4fa
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Francesco Romani <from...@redhat.com>
_______________________________________________
vdsm-patches mailing list
vdsm-patches@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches