authorSilvio Rhatto <rhatto@riseup.net>2018-11-17 13:14:20 -0200
committerSilvio Rhatto <rhatto@riseup.net>2018-11-17 13:14:20 -0200
commit9ec16fe469674f5ad978350a91c8f7fe467a691e (patch)
treeb85fa30910c0f075c46d459e072886d70c3f5365
parentf6bc81d9016b268d3ddd8e8213a947b23bd37b2b (diff)
Provide SPICE isolation between guests by using unix sockets
-rwxr-xr-xkvmx17
1 files changed, 12 insertions, 5 deletions
diff --git a/kvmx b/kvmx
index 8e00fc1..36b1150 100755
--- a/kvmx
+++ b/kvmx
@@ -178,6 +178,7 @@ function __kvmx_initialize {
SSHFILE="$STATE_DIR/ssh"
DISPLAYFILE="$STATE_DIR/display"
SPICEFILE="$STATE_DIR/spice"
+ SPICESOCKET="$STATE_DIR/spice.socket"
XEPHYRFILE="$STATE_DIR/xephyr"
LOGFILE="$LOG_DIR/qemu"
SPICELOG="$LOG_DIR/spice"
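Review bot: The new `SPICESOCKET="$STATE_DIR/spice.socket"` is a Unix socket path, and Linux caps `sun_path` at 108 bytes including the NUL, so a long `STATE_DIR` (deep home directory, long VM name) would make QEMU fail to bind rather than degrade gracefully; that failure mode is not visible from this script. Consider a one-line comment next to the assignment, `# NOTE: unix socket paths are limited to ~107 bytes; keep STATE_DIR short`, and, if `STATE_DIR` can be user-controlled, a length check in the caller. `__kvmx_initialize` starts and ends outside this hunk.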
@@ -245,7 +246,7 @@ function kvmx_spice {
# Ensure we have the right port configuration: we can also be
# running directly from command line.
- PORT="`cat $PORTFILE`"
+ #PORT="`cat $PORTFILE`"
if [ -z "$PORT" ]; then
echo "$BASENAME: cannot get spice port for $VM"
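Review bot: Commenting out `PORT="`cat $PORTFILE`"` leaves the following `if [ -z "$PORT" ]` guard stale: the header comment says this function can be run directly from the command line, and in that path `PORT` is now never set, so `kvmx spice` would exit with "cannot get spice port" even though the port is no longer used by any client line below. The check should test the resource the clients actually use, e.g. `if [ ! -S "$SPICESOCKET" ]; then` / `echo "$BASENAME: cannot find spice socket for $VM"`, and the dead `PORT` line should be dropped rather than commented out. `kvmx_spice` begins before this hunk and the `fi` that closes the guard is in the next one.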
@@ -253,16 +254,19 @@ function kvmx_spice {
fi
if [ "$spice_client" == "spicy" ] && which spicy &> /dev/null; then
- spicy -h localhost -p $PORT &
+ #spicy -h localhost -p $PORT &
+ spicy --uri=spice+unix://$SPICESOCKET &
elif [ "$spice_client" == "virt-viewer" ] && which virt-viewer &> /dev/null; then
- remote-viewer spice://localhost:$PORT &
+ #remote-viewer spice://localhost:$PORT &
+ remote-viewer spice+unix://$SPICESOCKET &
#elif [ ! -z "$spice_client" ] && [ "$spice_client" != "spicec" ]; then
elif [ ! -z "$spice_client" ]; then
echo "$BASENAME: spice_client $spice_client not currently supported"
exit 1
else
if which spicy &> /dev/null; then
- spicy -h localhost -p $PORT &
+ #spicy -h localhost -p $PORT &
+ spicy --uri=spice+unix://$SPICESOCKET &
fi
#if which spicec &> /dev/null; then
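Review bot: The three new client invocations expand `$SPICESOCKET` unquoted inside the URI, so a `STATE_DIR` containing whitespace or glob characters would split the argument; write them as `spicy --uri="spice+unix://$SPICESOCKET" &` and `remote-viewer "spice+unix://$SPICESOCKET" &`. The old `-h localhost -p $PORT` and `spice://localhost:$PORT` lines are kept as comments rather than removed, which leaves three pieces of dead code in a branch that already carries a commented-out `spicec` path; git history preserves them, so deleting them would keep the function readable. The `which` tests predate this change but `command -v` is the portable form if this function is touched again.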
@@ -467,8 +471,11 @@ function kvmx_up {
net_opts="-net $net_opts"
+ # Always run spice using a socket to provide some GUI isolation between guest
+ # Otherwise any guest could open a spice connection to another guest using the host local IP (10.0.2.2) and the other guest spice port
if [ -z "$spice" ] || [ "$spice" == "1" ]; then
- spice_opts="-spice port=$PORT,addr=127.0.0.1,disable-ticketing,streaming-video=off,jpeg-wan-compression=never,playback-compression=off,zlib-glz-wan-compression=never,image-compression=off"
+ #spice_opts="-spice port=$PORT,addr=127.0.0.1,disable-ticketing,streaming-video=off,jpeg-wan-compression=never,playback-compression=off,zlib-glz-wan-compression=never,image-compression=off"
+ spice_opts="-spice unix,addr=$SPICESOCKET,disable-ticketing,streaming-video=off,jpeg-wan-compression=never,playback-compression=off,zlib-glz-wan-compression=never,image-compression=off"
spice_opts="$spice_opts -device virtio-serial-pci"
spice_opts="$spice_opts -device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0"
spice_opts="$spice_opts -chardev spicevmc,id=spicechannel0,name=vdagent"
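Review bot: With `-spice unix,addr=$SPICESOCKET,disable-ticketing` the only access control on the guest display is the filesystem mode of the socket and of `$STATE_DIR`; QEMU creates the socket with permissions derived from the process umask, so another local user who can traverse `$STATE_DIR` could still attach to the console without a ticket. The comment above the branch describes the guest-to-guest case it closes but not this remaining boundary; I would add `# Access control is now the socket's file mode: keep STATE_DIR 0700, disable-ticketing lets anyone who can connect() take the display` and, if `STATE_DIR` mode is not enforced elsewhere (not visible here), a `chmod 0700 "$STATE_DIR"` before this line. The 10.0.2.2 reasoning in the new comment assumes slirp user networking; if a VM is brought up with a bridged or tap `net_opts`, the old port-based reachability argument did not apply in the same way, which is worth stating so the comment is not read as a general guarantee. `kvmx_up` starts and ends outside this hunk, so I cannot see where `$spice_opts` is later expanded; `addr=$SPICESOCKET` inside a space-joined option string shares the quoting caveat of the rest of that pattern.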