author | Silvio Rhatto <rhatto@riseup.net> | 2018-11-17 13:14:20 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2018-11-17 13:14:20 -0200 |
commit | 9ec16fe469674f5ad978350a91c8f7fe467a691e (patch) | |
tree | b85fa30910c0f075c46d459e072886d70c3f5365 | |
parent | f6bc81d9016b268d3ddd8e8213a947b23bd37b2b (diff) | |
Provide SPICE isolation between guests by using unix sockets
-rwxr-xr-x | kvmx | 17 |
1 files changed, 12 insertions, 5 deletions
@@ -178,6 +178,7 @@ function __kvmx_initialize {
SSHFILE="$STATE_DIR/ssh"
DISPLAYFILE="$STATE_DIR/display"
SPICEFILE="$STATE_DIR/spice"
+ SPICESOCKET="$STATE_DIR/spice.socket"
XEPHYRFILE="$STATE_DIR/xephyr"
LOGFILE="$LOG_DIR/qemu"
SPICELOG="$LOG_DIR/spice"
@@ -245,7 +246,7 @@ function kvmx_spice {
# Ensure we have the right port configuration: we can also be
# running directly from command line.
- PORT="`cat $PORTFILE`"
+ #PORT="`cat $PORTFILE`"
if [ -z "$PORT" ]; then
echo "$BASENAME: cannot get spice port for $VM"
@@ -253,16 +254,19 @@ function kvmx_spice {
fi
if [ "$spice_client" == "spicy" ] && which spicy &> /dev/null; then
- spicy -h localhost -p $PORT &
+ #spicy -h localhost -p $PORT &
+ spicy --uri=spice+unix://$SPICESOCKET &
elif [ "$spice_client" == "virt-viewer" ] && which virt-viewer &> /dev/null; then
- remote-viewer spice://localhost:$PORT &
+ #remote-viewer spice://localhost:$PORT &
+ remote-viewer spice+unix://$SPICESOCKET &
#elif [ ! -z "$spice_client" ] && [ "$spice_client" != "spicec" ]; then
elif [ ! -z "$spice_client" ]; then
echo "$BASENAME: spice_client $spice_client not currently supported"
exit 1
else
if which spicy &> /dev/null; then
- spicy -h localhost -p $PORT &
+ #spicy -h localhost -p $PORT &
+ spicy --uri=spice+unix://$SPICESOCKET &
fi
#if which spicec &> /dev/null; then
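Review bot: Commenting out `PORT="`cat $PORTFILE`"` leaves the `if [ -z "$PORT" ]; then` test right below it in place, so unless a caller still exports PORT, kvmx_spice now prints "cannot get spice port" and bails in exactly the command-line case the preceding comment describes, even though the port is no longer used by any client. Since the socket is what the clients need now, check for that instead: `if [ ! -S "$SPICESOCKET" ]; then` followed by `echo "$BASENAME: cannot find spice socket for $VM"`. The dead `#PORT=` line should be dropped rather than kept; git history already preserves it. kvmx_spice starts before this hunk and its exit branch continues past it.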
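Review bot: The socket path is expanded unquoted in all three client launches (`spicy --uri=spice+unix://$SPICESOCKET &` and `remote-viewer spice+unix://$SPICESOCKET &`), so a STATE_DIR containing whitespace splits the URI into several arguments; quote them as `spicy --uri="spice+unix://$SPICESOCKET" &` and `remote-viewer "spice+unix://$SPICESOCKET" &`. As a point of style, the old `-h localhost -p $PORT` and `spice://localhost:$PORT` invocations are carried along as comments in three places; version control keeps them, so delete them instead of leaving the three branches with duplicated dead lines. The `spice+unix://` URI scheme presumably needs a spice-gtk/virt-viewer recent enough to understand it, which is worth a one-line note in the README or a version check, since the error from an older client will be opaque. kvmx_spice continues outside this hunk.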
@@ -467,8 +471,11 @@ function kvmx_up {
net_opts="-net $net_opts"
+ # Always run spice using a socket to provide some GUI isolation between guest
+ # Otherwise any guest could open a spice connection to another guest using the host local IP (10.0.2.2) and the other guest spice port
if [ -z "$spice" ] || [ "$spice" == "1" ]; then
- spice_opts="-spice port=$PORT,addr=127.0.0.1,disable-ticketing,streaming-video=off,jpeg-wan-compression=never,playback-compression=off,zlib-glz-wan-compression=never,image-compression=off"
+ #spice_opts="-spice port=$PORT,addr=127.0.0.1,disable-ticketing,streaming-video=off,jpeg-wan-compression=never,playback-compression=off,zlib-glz-wan-compression=never,image-compression=off"
+ spice_opts="-spice unix,addr=$SPICESOCKET,disable-ticketing,streaming-video=off,jpeg-wan-compression=never,playback-compression=off,zlib-glz-wan-compression=never,image-compression=off"
spice_opts="$spice_opts -device virtio-serial-pci"
spice_opts="$spice_opts -device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0"
spice_opts="$spice_opts -chardev spicevmc,id=spicechannel0,name=vdagent" |
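Review bot: With `disable-ticketing` kept on the new `-spice unix,addr=$SPICESOCKET,...` line, the only access control on the SPICE server is now the socket's file mode, which QEMU derives from its umask when it binds, so if `$STATE_DIR` or the socket ends up group- or world-accessible any other local user gets an unauthenticated session to the guest display, keyboard and the vdagent clipboard channel: this change isolates guests from each other across 10.0.2.2 but not host users from each other. Launch qemu under `umask 077` (or `chmod 0600 "$SPICESOCKET"` once it appears) and say so in the comment, e.g. `# Access is controlled only by the socket's file mode: STATE_DIR must not be shared with other users`. The comment should also read "between guests", and it is worth noting that unix socket paths are limited to roughly 108 bytes, so a deep STATE_DIR will presumably make the bind fail with an error that is only visible in the qemu log. kvmx_up continues outside this hunk.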