RFC [spice-gtk] session: Allow to delay sending clipboard to the guest

Submitted by Christophe Fergeau on Jan. 9, 2018, 2:35 p.m.

Details

Message ID 20180109143540.8286-1-cfergeau@redhat.com
State New
Headers show
Series "RFC [spice-gtk] session: Allow to delay sending clipboard to the guest" ( rev: 1 ) in Spice

Not browsing as part of any series.

Commit Message

Christophe Fergeau Jan. 9, 2018, 2:35 p.m.
This is used to prevent unfocused guests from sniffing the clipboard
content without the host or other guests noticing. This can be a
security issue if any VM can track the clipboard activity in the
session.
This commit sets a boolean in SpiceGtkSession on focus in/out events.
The client -> guest sending of clipboard data is then delayed until the
window is focused again. This behaviour matches the behaviour we get on
Wayland.

This mostly solves https://bugzilla.redhat.com/show_bug.cgi?id=1320263

Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
---
Not overly happy with the added complexity, maybe someone will have
suggestions for a better approach ;)


 src/spice-gtk-session-priv.h |  1 +
 src/spice-gtk-session.c      | 97 +++++++++++++++++++++++++++++++++++++++++---
 src/spice-widget.c           |  5 +++
 3 files changed, 97 insertions(+), 6 deletions(-)

Patch hide | download patch | download mbox

diff --git a/src/spice-gtk-session-priv.h b/src/spice-gtk-session-priv.h
index 0dbc9e96..efd36806 100644
--- a/src/spice-gtk-session-priv.h
+++ b/src/spice-gtk-session-priv.h
@@ -44,6 +44,7 @@  void spice_gtk_session_set_keyboard_has_focus(SpiceGtkSession *self, gboolean ke
 void spice_gtk_session_set_mouse_has_pointer(SpiceGtkSession *self, gboolean  mouse_has_pointer);
 gboolean spice_gtk_session_get_keyboard_has_focus(SpiceGtkSession *self);
 gboolean spice_gtk_session_get_mouse_has_pointer(SpiceGtkSession *self);
+void spice_gtk_session_set_clipboard_delayed(SpiceGtkSession *self, gboolean clipboard_delayed);
 
 G_END_DECLS
 
diff --git a/src/spice-gtk-session.c b/src/spice-gtk-session.c
index 31f60dc4..15f2b531 100644
--- a/src/spice-gtk-session.c
+++ b/src/spice-gtk-session.c
@@ -59,6 +59,17 @@  struct _SpiceGtkSessionPrivate {
     gboolean                clip_hasdata[CLIPBOARD_LAST];
     gboolean                clip_grabbed[CLIPBOARD_LAST];
     gboolean                clipboard_by_guest[CLIPBOARD_LAST];
+
+    /* Used to prevent sending host->guest clipboard data when the guest
+     * display is not focused
+     */
+    gboolean                clipboard_delayed;
+    gboolean                clipboard_pending_selection_release[CLIPBOARD_LAST];
+    gboolean                clipboard_pending_selection[CLIPBOARD_LAST];
+    guint32                 clipboard_pending_type[CLIPBOARD_LAST];
+    guchar                  *clipboard_pending_data[CLIPBOARD_LAST];
+    gsize                   clipboard_pending_len[CLIPBOARD_LAST];
+
     /* auto-usbredir related */
     gboolean                auto_usbredir_enable;
     int                     auto_usbredir_reqs;
@@ -666,6 +677,24 @@  static void clipboard_get_targets(GtkClipboard *clipboard,
     s->nclip_targets[selection] = 0;
 }
 
+static void
+clipboard_selection_release(SpiceGtkSession *self, int selection)
+{
+    g_return_if_fail(selection >= 0);
+    g_return_if_fail(selection < CLIPBOARD_LAST);
+
+    g_warning("selection_release");
+
+    if (!self->priv->clipboard_delayed) {
+        spice_main_channel_clipboard_selection_release(self->priv->main, selection);
+    } else {
+        self->priv->clipboard_pending_selection_release[selection] = TRUE;
+        g_clear_pointer(&self->priv->clipboard_pending_data[selection], g_free);
+        self->priv->clipboard_pending_len[selection] = 0;
+        self->priv->clipboard_pending_selection[selection] = FALSE;
+    }
+}
+
 static void clipboard_owner_change(GtkClipboard        *clipboard,
                                    GdkEventOwnerChange *event,
                                    gpointer            user_data)
@@ -685,7 +714,7 @@  static void clipboard_owner_change(GtkClipboard        *clipboard,
     if (s->clip_grabbed[selection]) {
         s->clip_grabbed[selection] = FALSE;
         if (spice_main_channel_agent_test_capability(s->main, VD_AGENT_CAP_CLIPBOARD_BY_DEMAND))
-            spice_main_channel_clipboard_selection_release(s->main, selection);
+            clipboard_selection_release(self, selection);
     }
 
     switch (event->reason) {
@@ -714,6 +743,18 @@  typedef struct
     guint selection;
 } RunInfo;
 
+static void
+clipboard_delayed_selection_notify(SpiceGtkSession *self);
+
+G_GNUC_INTERNAL void spice_gtk_session_set_clipboard_delayed(SpiceGtkSession *self,
+                                                             gboolean clipboard_delayed)
+{
+    self->priv->clipboard_delayed = clipboard_delayed;
+    if (!self->priv->clipboard_delayed) {
+        clipboard_delayed_selection_notify(self);
+    }
+}
+
 static void clipboard_got_from_guest(SpiceMainChannel *main, guint selection,
                                      guint type, const guchar *data, guint size,
                                      gpointer user_data)
@@ -927,6 +968,52 @@  static char *fixup_clipboard_text(SpiceGtkSession *self, const char *text, int *
     return conv;
 }
 
+static void
+clipboard_delayed_selection_notify(SpiceGtkSession *self)
+{
+    unsigned int i;
+
+    for (i = 0; i < CLIPBOARD_LAST; i++) {
+        if (self->priv->clipboard_pending_selection_release[i]) {
+            g_warn_if_fail(!self->priv->clipboard_pending_selection[i]);
+            spice_main_channel_clipboard_selection_release(self->priv->main, i);
+            self->priv->clipboard_pending_selection_release[i] = FALSE;
+        }
+        if (!self->priv->clipboard_pending_selection[i]) {
+            continue;
+        }
+        spice_main_channel_clipboard_selection_notify(self->priv->main,
+                                                      i,
+                                                      self->priv->clipboard_pending_type[i],
+                                                      self->priv->clipboard_pending_data[i],
+                                                      self->priv->clipboard_pending_len[i]);
+        g_clear_pointer(&self->priv->clipboard_pending_data[i], g_free);
+        self->priv->clipboard_pending_len[i] = 0;
+        self->priv->clipboard_pending_selection[i] = FALSE;
+    }
+}
+
+static void
+clipboard_selection_notify(SpiceGtkSession *self, int selection, guint32 type,
+                           const guchar *data, gsize len)
+{
+    g_return_if_fail(selection >= 0);
+    g_return_if_fail(selection < CLIPBOARD_LAST);
+
+    if (!self->priv->clipboard_delayed) {
+        spice_main_channel_clipboard_selection_notify(self->priv->main,
+                                                      selection, type,
+                                                      data, len);
+    } else {
+        self->priv->clipboard_pending_selection[selection] = TRUE;
+        self->priv->clipboard_pending_type[selection] = type;
+        g_clear_pointer(&self->priv->clipboard_pending_data[selection], g_free);
+        self->priv->clipboard_pending_data[selection] = g_memdup(data, len);
+        self->priv->clipboard_pending_len[selection] = len;
+        self->priv->clipboard_pending_selection_release[selection] = FALSE;
+    }
+}
+
 static void clipboard_received_text_cb(GtkClipboard *clipboard,
                                        const gchar *text,
                                        gpointer user_data)
@@ -965,10 +1052,8 @@  static void clipboard_received_text_cb(GtkClipboard *clipboard,
 
     data = (const guchar *) (conv != NULL ? conv : text);
 notify_agent:
-    spice_main_channel_clipboard_selection_notify(self->priv->main, selection,
-                                                  VD_AGENT_CLIPBOARD_UTF8_TEXT,
-                                                  data,
-                                                  (data != NULL) ? len : 0);
+    clipboard_selection_notify(self, selection, VD_AGENT_CLIPBOARD_UTF8_TEXT,
+                               data, (data != NULL) ? len : 0);
     g_free(conv);
 }
 
@@ -1021,7 +1106,7 @@  static void clipboard_received_cb(GtkClipboard *clipboard,
      */
     g_warn_if_fail(type != VD_AGENT_CLIPBOARD_UTF8_TEXT);
 
-    spice_main_channel_clipboard_selection_notify(s->main, selection, type, data, len);
+    clipboard_selection_notify(self, selection, type, data, len);
 }
 
 static gboolean clipboard_request(SpiceMainChannel *main, guint selection,
diff --git a/src/spice-widget.c b/src/spice-widget.c
index 316043a9..7fd8349b 100644
--- a/src/spice-widget.c
+++ b/src/spice-widget.c
@@ -1833,6 +1833,8 @@  static gboolean focus_in_event(GtkWidget *widget, GdkEventFocus *focus G_GNUC_UN
 
     DISPLAY_DEBUG(display, "%s", __FUNCTION__);
 
+    spice_gtk_session_set_clipboard_delayed(d->gtk_session, FALSE);
+
     /*
      * Ignore focus in when we already have the focus
      * (this happens when doing an ungrab from the leave_event callback).
@@ -1868,6 +1870,9 @@  static gboolean focus_out_event(GtkWidget *widget, GdkEventFocus *focus G_GNUC_U
     SpiceDisplay *display = SPICE_DISPLAY(widget);
 
     DISPLAY_DEBUG(display, "%s", __FUNCTION__);
+
+    spice_gtk_session_set_clipboard_delayed(display->priv->gtk_session, TRUE);
+
     update_display(NULL);
 
     /*

Comments

Hi

----- Original Message -----
> This is used to prevent unfocused guests from sniffing the clipboard
> content without the host or other guests noticing. This can be a
> security issue if any VM can track the clipboard activity in the
> session.
> This commit sets a boolean in SpiceGtkSession on focus in/out events.
> The client -> guest sending of clipboard data is then delayed until the
> window is focused again. This behaviour matches the behaviour we get on
> Wayland.
> 
> This mostly solves https://bugzilla.redhat.com/show_bug.cgi?id=1320263

As Hans corrected in the bug, the data isn't actually transferred until the guest actually requested it.

Now, a malicious guest could try to get the clipboard content in a loop, even without previous notification of clipboard content.

However, isn't this true for any application running in the client desktop? What makes Spice guest different here? And by that I mean that the problem shouldn't probably be solved at the spice/spice-gtk level.

I am not that familiar with Wayland clipboard behaviour, could you explained what changed? That could help me to understand this patch better.

thanks

> 
> Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
> ---
> Not overly happy with the added complexity, maybe someone will have
> suggestions for a better approach ;)
> 
> 
>  src/spice-gtk-session-priv.h |  1 +
>  src/spice-gtk-session.c      | 97
>  +++++++++++++++++++++++++++++++++++++++++---
>  src/spice-widget.c           |  5 +++
>  3 files changed, 97 insertions(+), 6 deletions(-)
> 
> diff --git a/src/spice-gtk-session-priv.h b/src/spice-gtk-session-priv.h
> index 0dbc9e96..efd36806 100644
> --- a/src/spice-gtk-session-priv.h
> +++ b/src/spice-gtk-session-priv.h
> @@ -44,6 +44,7 @@ void
> spice_gtk_session_set_keyboard_has_focus(SpiceGtkSession *self, gboolean ke
>  void spice_gtk_session_set_mouse_has_pointer(SpiceGtkSession *self, gboolean
>  mouse_has_pointer);
>  gboolean spice_gtk_session_get_keyboard_has_focus(SpiceGtkSession *self);
>  gboolean spice_gtk_session_get_mouse_has_pointer(SpiceGtkSession *self);
> +void spice_gtk_session_set_clipboard_delayed(SpiceGtkSession *self, gboolean
> clipboard_delayed);
>  
>  G_END_DECLS
>  
> diff --git a/src/spice-gtk-session.c b/src/spice-gtk-session.c
> index 31f60dc4..15f2b531 100644
> --- a/src/spice-gtk-session.c
> +++ b/src/spice-gtk-session.c
> @@ -59,6 +59,17 @@ struct _SpiceGtkSessionPrivate {
>      gboolean                clip_hasdata[CLIPBOARD_LAST];
>      gboolean                clip_grabbed[CLIPBOARD_LAST];
>      gboolean                clipboard_by_guest[CLIPBOARD_LAST];
> +
> +    /* Used to prevent sending host->guest clipboard data when the guest
> +     * display is not focused
> +     */
> +    gboolean                clipboard_delayed;
> +    gboolean
> clipboard_pending_selection_release[CLIPBOARD_LAST];
> +    gboolean                clipboard_pending_selection[CLIPBOARD_LAST];
> +    guint32                 clipboard_pending_type[CLIPBOARD_LAST];
> +    guchar                  *clipboard_pending_data[CLIPBOARD_LAST];
> +    gsize                   clipboard_pending_len[CLIPBOARD_LAST];
> +
>      /* auto-usbredir related */
>      gboolean                auto_usbredir_enable;
>      int                     auto_usbredir_reqs;
> @@ -666,6 +677,24 @@ static void clipboard_get_targets(GtkClipboard
> *clipboard,
>      s->nclip_targets[selection] = 0;
>  }
>  
> +static void
> +clipboard_selection_release(SpiceGtkSession *self, int selection)
> +{
> +    g_return_if_fail(selection >= 0);
> +    g_return_if_fail(selection < CLIPBOARD_LAST);
> +
> +    g_warning("selection_release");
> +
> +    if (!self->priv->clipboard_delayed) {
> +        spice_main_channel_clipboard_selection_release(self->priv->main,
> selection);
> +    } else {
> +        self->priv->clipboard_pending_selection_release[selection] = TRUE;
> +        g_clear_pointer(&self->priv->clipboard_pending_data[selection],
> g_free);
> +        self->priv->clipboard_pending_len[selection] = 0;
> +        self->priv->clipboard_pending_selection[selection] = FALSE;
> +    }
> +}
> +
>  static void clipboard_owner_change(GtkClipboard        *clipboard,
>                                     GdkEventOwnerChange *event,
>                                     gpointer            user_data)
> @@ -685,7 +714,7 @@ static void clipboard_owner_change(GtkClipboard
> *clipboard,
>      if (s->clip_grabbed[selection]) {
>          s->clip_grabbed[selection] = FALSE;
>          if (spice_main_channel_agent_test_capability(s->main,
>          VD_AGENT_CAP_CLIPBOARD_BY_DEMAND))
> -            spice_main_channel_clipboard_selection_release(s->main,
> selection);
> +            clipboard_selection_release(self, selection);
>      }
>  
>      switch (event->reason) {
> @@ -714,6 +743,18 @@ typedef struct
>      guint selection;
>  } RunInfo;
>  
> +static void
> +clipboard_delayed_selection_notify(SpiceGtkSession *self);
> +
> +G_GNUC_INTERNAL void spice_gtk_session_set_clipboard_delayed(SpiceGtkSession
> *self,
> +                                                             gboolean
> clipboard_delayed)
> +{
> +    self->priv->clipboard_delayed = clipboard_delayed;
> +    if (!self->priv->clipboard_delayed) {
> +        clipboard_delayed_selection_notify(self);
> +    }
> +}
> +
>  static void clipboard_got_from_guest(SpiceMainChannel *main, guint
>  selection,
>                                       guint type, const guchar *data, guint
>                                       size,
>                                       gpointer user_data)
> @@ -927,6 +968,52 @@ static char *fixup_clipboard_text(SpiceGtkSession *self,
> const char *text, int *
>      return conv;
>  }
>  
> +static void
> +clipboard_delayed_selection_notify(SpiceGtkSession *self)
> +{
> +    unsigned int i;
> +
> +    for (i = 0; i < CLIPBOARD_LAST; i++) {
> +        if (self->priv->clipboard_pending_selection_release[i]) {
> +            g_warn_if_fail(!self->priv->clipboard_pending_selection[i]);
> +            spice_main_channel_clipboard_selection_release(self->priv->main,
> i);
> +            self->priv->clipboard_pending_selection_release[i] = FALSE;
> +        }
> +        if (!self->priv->clipboard_pending_selection[i]) {
> +            continue;
> +        }
> +        spice_main_channel_clipboard_selection_notify(self->priv->main,
> +                                                      i,
> +
> self->priv->clipboard_pending_type[i],
> +
> self->priv->clipboard_pending_data[i],
> +
> self->priv->clipboard_pending_len[i]);
> +        g_clear_pointer(&self->priv->clipboard_pending_data[i], g_free);
> +        self->priv->clipboard_pending_len[i] = 0;
> +        self->priv->clipboard_pending_selection[i] = FALSE;
> +    }
> +}
> +
> +static void
> +clipboard_selection_notify(SpiceGtkSession *self, int selection, guint32
> type,
> +                           const guchar *data, gsize len)
> +{
> +    g_return_if_fail(selection >= 0);
> +    g_return_if_fail(selection < CLIPBOARD_LAST);
> +
> +    if (!self->priv->clipboard_delayed) {
> +        spice_main_channel_clipboard_selection_notify(self->priv->main,
> +                                                      selection, type,
> +                                                      data, len);
> +    } else {
> +        self->priv->clipboard_pending_selection[selection] = TRUE;
> +        self->priv->clipboard_pending_type[selection] = type;
> +        g_clear_pointer(&self->priv->clipboard_pending_data[selection],
> g_free);
> +        self->priv->clipboard_pending_data[selection] = g_memdup(data, len);
> +        self->priv->clipboard_pending_len[selection] = len;
> +        self->priv->clipboard_pending_selection_release[selection] = FALSE;
> +    }
> +}
> +
>  static void clipboard_received_text_cb(GtkClipboard *clipboard,
>                                         const gchar *text,
>                                         gpointer user_data)
> @@ -965,10 +1052,8 @@ static void clipboard_received_text_cb(GtkClipboard
> *clipboard,
>  
>      data = (const guchar *) (conv != NULL ? conv : text);
>  notify_agent:
> -    spice_main_channel_clipboard_selection_notify(self->priv->main,
> selection,
> -
> VD_AGENT_CLIPBOARD_UTF8_TEXT,
> -                                                  data,
> -                                                  (data != NULL) ? len : 0);
> +    clipboard_selection_notify(self, selection,
> VD_AGENT_CLIPBOARD_UTF8_TEXT,
> +                               data, (data != NULL) ? len : 0);
>      g_free(conv);
>  }
>  
> @@ -1021,7 +1106,7 @@ static void clipboard_received_cb(GtkClipboard
> *clipboard,
>       */
>      g_warn_if_fail(type != VD_AGENT_CLIPBOARD_UTF8_TEXT);
>  
> -    spice_main_channel_clipboard_selection_notify(s->main, selection, type,
> data, len);
> +    clipboard_selection_notify(self, selection, type, data, len);
>  }
>  
>  static gboolean clipboard_request(SpiceMainChannel *main, guint selection,
> diff --git a/src/spice-widget.c b/src/spice-widget.c
> index 316043a9..7fd8349b 100644
> --- a/src/spice-widget.c
> +++ b/src/spice-widget.c
> @@ -1833,6 +1833,8 @@ static gboolean focus_in_event(GtkWidget *widget,
> GdkEventFocus *focus G_GNUC_UN
>  
>      DISPLAY_DEBUG(display, "%s", __FUNCTION__);
>  
> +    spice_gtk_session_set_clipboard_delayed(d->gtk_session, FALSE);
> +
>      /*
>       * Ignore focus in when we already have the focus
>       * (this happens when doing an ungrab from the leave_event callback).
> @@ -1868,6 +1870,9 @@ static gboolean focus_out_event(GtkWidget *widget,
> GdkEventFocus *focus G_GNUC_U
>      SpiceDisplay *display = SPICE_DISPLAY(widget);
>  
>      DISPLAY_DEBUG(display, "%s", __FUNCTION__);
> +
> +    spice_gtk_session_set_clipboard_delayed(display->priv->gtk_session,
> TRUE);
> +
>      update_display(NULL);
>  
>      /*
> --
> 2.14.3
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
>
Hey,

On Tue, Jan 09, 2018 at 09:46:48AM -0500, Marc-André Lureau wrote:
> ----- Original Message -----
> > This is used to prevent unfocused guests from sniffing the clipboard
> > content without the host or other guests noticing. This can be a
> > security issue if any VM can track the clipboard activity in the
> > session.
> > This commit sets a boolean in SpiceGtkSession on focus in/out events.
> > The client -> guest sending of clipboard data is then delayed until the
> > window is focused again. This behaviour matches the behaviour we get on
> > Wayland.
> > 
> > This mostly solves https://bugzilla.redhat.com/show_bug.cgi?id=1320263
> 
> As Hans corrected in the bug, the data isn't actually transferred until the guest actually requested it.
> 
> Now, a malicious guest could try to get the clipboard content in a loop, even without previous notification of clipboard content.

Yes, that's the issue, for example 'watch xsel -o --clipboard'

> However, isn't this true for any application running in the client
> desktop? What makes Spice guest different here? And by that I mean
> that the problem shouldn't probably be solved at the spice/spice-gtk
> level.

What makes spice different here is that it's used to access a VM, and a
VM is supposed to give you isolation. If some hostile code is running in
the VM, its impact on the host/client OS should be minimal. The fact
that a VM with an open client connection can monitor everything that
goes in the clipboard breaks that isolation. For example, I have a ton
of password going through my clipboard, which I don't necessarily want
VM to have direct access to.


> I am not that familiar with Wayland clipboard behaviour, could you
> explained what changed? That could help me to understand this patch
> better.

I'll detail this in the commit log, but if you try the 'watch' command
from above in a VM, then copy something to your clipboard on the client,
you'll notice that the clipboard content shows up in the VM only after
you give it focus. In a way, this answers your "this shouldn't be solved
at the spice/spice-gtk level" concern, and this was indeed solved at a
different level. However, we still have the issue on x11 for now.

Christophe
Hi

----- Original Message -----
> Hey,
> 
> On Tue, Jan 09, 2018 at 09:46:48AM -0500, Marc-André Lureau wrote:
> > ----- Original Message -----
> > > This is used to prevent unfocused guests from sniffing the clipboard
> > > content without the host or other guests noticing. This can be a
> > > security issue if any VM can track the clipboard activity in the
> > > session.
> > > This commit sets a boolean in SpiceGtkSession on focus in/out events.
> > > The client -> guest sending of clipboard data is then delayed until the
> > > window is focused again. This behaviour matches the behaviour we get on
> > > Wayland.
> > > 
> > > This mostly solves https://bugzilla.redhat.com/show_bug.cgi?id=1320263
> > 
> > As Hans corrected in the bug, the data isn't actually transferred until the
> > guest actually requested it.
> > 
> > Now, a malicious guest could try to get the clipboard content in a loop,
> > even without previous notification of clipboard content.
> 
> Yes, that's the issue, for example 'watch xsel -o --clipboard'
> 
> > However, isn't this true for any application running in the client
> > desktop? What makes Spice guest different here? And by that I mean
> > that the problem shouldn't probably be solved at the spice/spice-gtk
> > level.
> 
> What makes spice different here is that it's used to access a VM, and a
> VM is supposed to give you isolation. If some hostile code is running in
> the VM, its impact on the host/client OS should be minimal. The fact
> that a VM with an open client connection can monitor everything that
> goes in the clipboard breaks that isolation. For example, I have a ton
> of password going through my clipboard, which I don't necessarily want
> VM to have direct access to.

Spice isn't that tied to the VM or isolation concept. It's a remote display protocol, aiming to blur the lines between remote and locate applications or desktop. As such, it's not that different from say, the X protocol or the Wayland protocol...

> 
> 
> > I am not that familiar with Wayland clipboard behaviour, could you
> > explained what changed? That could help me to understand this patch
> > better.
> 
> I'll detail this in the commit log, but if you try the 'watch' command
> from above in a VM, then copy something to your clipboard on the client,
> you'll notice that the clipboard content shows up in the VM only after
> you give it focus. In a way, this answers your "this shouldn't be solved
> at the spice/spice-gtk level" concern, and this was indeed solved at a
> different level. However, we still have the issue on x11 for now.

Ok, but then I think we should accept the fact that this is a x11 "limitation", like many others x11 security issues. If not, try to fix it at a different level, like the toolkit.
On Tue, Jan 09, 2018 at 11:08:44AM -0500, Marc-André Lureau wrote:
> ----- Original Message -----
> > 
> > What makes spice different here is that it's used to access a VM, and a
> > VM is supposed to give you isolation. If some hostile code is running in
> > the VM, its impact on the host/client OS should be minimal. The fact
> > that a VM with an open client connection can monitor everything that
> > goes in the clipboard breaks that isolation. For example, I have a ton
> > of password going through my clipboard, which I don't necessarily want
> > VM to have direct access to.
> 
> Spice isn't that tied to the VM or isolation concept. It's a remote
> display protocol, aiming to blur the lines between remote and locate
> applications or desktop. As such, it's not that different from say,
> the X protocol or the Wayland protocol...

In theory it's not tied to VMs, in practice, 90% of the time (and I'm
being conservative) it's used to access VMs.

> > > I am not that familiar with Wayland clipboard behaviour, could you
> > > explained what changed? That could help me to understand this patch
> > > better.
> > 
> > I'll detail this in the commit log, but if you try the 'watch' command
> > from above in a VM, then copy something to your clipboard on the client,
> > you'll notice that the clipboard content shows up in the VM only after
> > you give it focus. In a way, this answers your "this shouldn't be solved
> > at the spice/spice-gtk level" concern, and this was indeed solved at a
> > different level. However, we still have the issue on x11 for now.
> 
> Ok, but then I think we should accept the fact that this is a x11
> "limitation", like many others x11 security issues. If not, try to fix
> it at a different level, like the toolkit.

For most applications using gtk+, this really is a non-issue, or
something not really important, so it does not really make sense to do
that at the gtk+ level. spice on the other hand takes local clipboard
data, and forwards it remotely, so I think it makes sense that it's
careful with what it does with it.

Christophe
Hi

----- Original Message -----
> On Tue, Jan 09, 2018 at 11:08:44AM -0500, Marc-André Lureau wrote:
> > ----- Original Message -----
> > > 
> > > What makes spice different here is that it's used to access a VM, and a
> > > VM is supposed to give you isolation. If some hostile code is running in
> > > the VM, its impact on the host/client OS should be minimal. The fact
> > > that a VM with an open client connection can monitor everything that
> > > goes in the clipboard breaks that isolation. For example, I have a ton
> > > of password going through my clipboard, which I don't necessarily want
> > > VM to have direct access to.
> > 
> > Spice isn't that tied to the VM or isolation concept. It's a remote
> > display protocol, aiming to blur the lines between remote and locate
> > applications or desktop. As such, it's not that different from say,
> > the X protocol or the Wayland protocol...
> 
> In theory it's not tied to VMs, in practice, 90% of the time (and I'm
> being conservative) it's used to access VMs.
> 
> > > > I am not that familiar with Wayland clipboard behaviour, could you
> > > > explained what changed? That could help me to understand this patch
> > > > better.
> > > 
> > > I'll detail this in the commit log, but if you try the 'watch' command
> > > from above in a VM, then copy something to your clipboard on the client,
> > > you'll notice that the clipboard content shows up in the VM only after
> > > you give it focus. In a way, this answers your "this shouldn't be solved
> > > at the spice/spice-gtk level" concern, and this was indeed solved at a
> > > different level. However, we still have the issue on x11 for now.
> > 
> > Ok, but then I think we should accept the fact that this is a x11
> > "limitation", like many others x11 security issues. If not, try to fix
> > it at a different level, like the toolkit.
> 
> For most applications using gtk+, this really is a non-issue, or
> something not really important, so it does not really make sense to do
> that at the gtk+ level. spice on the other hand takes local clipboard
> data, and forwards it remotely, so I think it makes sense that it's
> careful with what it does with it.

I think it's problematic for traditional applications as well. clipboard access is probably going to be limited by default and only accessed through so-called "portals", just like file access etc. This topic should be brought on desktop / flatpak mailing list.

Thus I don't believe the problem should be solved at spice-gtk level, as this can potentially break some use cases, like clipboard managers running in the guest etc
> 
> Hi
> 
> ----- Original Message -----
> > On Tue, Jan 09, 2018 at 11:08:44AM -0500, Marc-André Lureau wrote:
> > > ----- Original Message -----
> > > > 
> > > > What makes spice different here is that it's used to access a VM, and a
> > > > VM is supposed to give you isolation. If some hostile code is running
> > > > in
> > > > the VM, its impact on the host/client OS should be minimal. The fact
> > > > that a VM with an open client connection can monitor everything that
> > > > goes in the clipboard breaks that isolation. For example, I have a ton
> > > > of password going through my clipboard, which I don't necessarily want
> > > > VM to have direct access to.
> > > 
> > > Spice isn't that tied to the VM or isolation concept. It's a remote
> > > display protocol, aiming to blur the lines between remote and locate
> > > applications or desktop. As such, it's not that different from say,
> > > the X protocol or the Wayland protocol...
> > 
> > In theory it's not tied to VMs, in practice, 90% of the time (and I'm
> > being conservative) it's used to access VMs.
> > 
> > > > > I am not that familiar with Wayland clipboard behaviour, could you
> > > > > explained what changed? That could help me to understand this patch
> > > > > better.
> > > > 
> > > > I'll detail this in the commit log, but if you try the 'watch' command
> > > > from above in a VM, then copy something to your clipboard on the
> > > > client,
> > > > you'll notice that the clipboard content shows up in the VM only after
> > > > you give it focus. In a way, this answers your "this shouldn't be
> > > > solved
> > > > at the spice/spice-gtk level" concern, and this was indeed solved at a
> > > > different level. However, we still have the issue on x11 for now.
> > > 
> > > Ok, but then I think we should accept the fact that this is a x11
> > > "limitation", like many others x11 security issues. If not, try to fix
> > > it at a different level, like the toolkit.
> > 
> > For most applications using gtk+, this really is a non-issue, or
> > something not really important, so it does not really make sense to do
> > that at the gtk+ level. spice on the other hand takes local clipboard
> > data, and forwards it remotely, so I think it makes sense that it's
> > careful with what it does with it.
> 
> I think it's problematic for traditional applications as well. clipboard
> access is probably going to be limited by default and only accessed through
> so-called "portals", just like file access etc. This topic should be brought
> on desktop / flatpak mailing list.
> 
> Thus I don't believe the problem should be solved at spice-gtk level, as this
> can potentially break some use cases, like clipboard managers running in the
> guest etc

This patch is solving guest <-> client issue, I doubt portals would address this
so I think only spice-gtk can address it. The agent could do something but the
agent is controlled by the guest so cannot protect client data.

On the implementation I didn't have a deep look but saving data from clipboard
to later usage seems really wrong. I don't know how clipboard works on Unix or
GTK but on Windows data copies are done (or can be done) lazily to avoid huge
copies or optimize some cases (for instance same app c&p or avoiding useless
conversions). I would just save which clipboards were changed during out of
focus (so kind of some bools variable) and tell the guest the change when we
receive the focus. Can't we do it?

Frediano
Hi,

On Tue, 2018-01-09 at 15:35 +0100, Christophe Fergeau wrote:
> This is used to prevent unfocused guests from sniffing the clipboard
> content without the host or other guests noticing. This can be a
> security issue if any VM can track the clipboard activity in the
> session.
> This commit sets a boolean in SpiceGtkSession on focus in/out events.
> The client -> guest sending of clipboard data is then delayed until
> the
> window is focused again. This behaviour matches the behaviour we get
> on
> Wayland.
> 
> This mostly solves https://bugzilla.redhat.com/show_bug.cgi?id=132026
> 3

I wouldn't say this behaviour matches the one on Wayland.
On Wayland, spice-gtk receives no owner-change events when the window
is out of focus and therefore doesn't send any clipboard grabs.
With this patch on X11, clipboard grab messages are sent to guest even
when the window is not focused.

Besides that I don't think delaying the data is a good idea. Some apps
might have a timeout for the requests. afaik there's a timeout of 30
seconds in gtk when requesting the data with
gtk_clipboard_request_contents().

What about saving the last relevant (valid) owner change event in
clipboard_owner_change() callback and dealing with it (requesting
clipboard targets and sending clipboard grab to guest) once the window
gains focus? (This would match the Wayland behaviour more closely.)


There's still the issue, that your potential password stored in the
clipboard is exposed to the remote machine once you focus the spice-gtk 
window (if you don't clear it before entering the window).

So if we really wanted to make this secure, we could add a dialog to
spice-gtk that would enable the user to approve every clipboard data
request. This would be easy to implement with gtk_message_dialog_new().
It's imho an overkill though. Anyone paranoid enough to use it? :)

> Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
> ---
> Not overly happy with the added complexity, maybe someone will have
> suggestions for a better approach ;) 
 
> 
> 
>  src/spice-gtk-session-priv.h |  1 +
>  src/spice-gtk-session.c      | 97
> +++++++++++++++++++++++++++++++++++++++++---
>  src/spice-widget.c           |  5 +++
>  3 files changed, 97 insertions(+), 6 deletions(-)
> 
> diff --git a/src/spice-gtk-session-priv.h b/src/spice-gtk-session-
> priv.h
> index 0dbc9e96..efd36806 100644
> --- a/src/spice-gtk-session-priv.h
> +++ b/src/spice-gtk-session-priv.h
> @@ -44,6 +44,7 @@ void
> spice_gtk_session_set_keyboard_has_focus(SpiceGtkSession *self,
> gboolean ke
>  void spice_gtk_session_set_mouse_has_pointer(SpiceGtkSession *self,
> gboolean  mouse_has_pointer);
>  gboolean spice_gtk_session_get_keyboard_has_focus(SpiceGtkSession
> *self);
>  gboolean spice_gtk_session_get_mouse_has_pointer(SpiceGtkSession
> *self);
> +void spice_gtk_session_set_clipboard_delayed(SpiceGtkSession *self,
> gboolean clipboard_delayed);
>  
>  G_END_DECLS
>  
> diff --git a/src/spice-gtk-session.c b/src/spice-gtk-session.c
> index 31f60dc4..15f2b531 100644
> --- a/src/spice-gtk-session.c
> +++ b/src/spice-gtk-session.c
> @@ -59,6 +59,17 @@ struct _SpiceGtkSessionPrivate {
>      gboolean                clip_hasdata[CLIPBOARD_LAST];
>      gboolean                clip_grabbed[CLIPBOARD_LAST];
>      gboolean                clipboard_by_guest[CLIPBOARD_LAST];
> +
> +    /* Used to prevent sending host->guest clipboard data when the
> guest
> +     * display is not focused
> +     */
> +    gboolean                clipboard_delayed;
> +    gboolean                clipboard_pending_selection_release[CLIP
> BOARD_LAST];
> +    gboolean                clipboard_pending_selection[CLIPBOARD_LA
> ST];
> +    guint32                 clipboard_pending_type[CLIPBOARD_LAST];
> +    guchar                  *clipboard_pending_data[CLIPBOARD_LAST];
> +    gsize                   clipboard_pending_len[CLIPBOARD_LAST];
> +
>      /* auto-usbredir related */
>      gboolean                auto_usbredir_enable;
>      int                     auto_usbredir_reqs;
> @@ -666,6 +677,24 @@ static void clipboard_get_targets(GtkClipboard
> *clipboard,
>      s->nclip_targets[selection] = 0;
>  }
>  
> +static void
> +clipboard_selection_release(SpiceGtkSession *self, int selection)
> +{
> +    g_return_if_fail(selection >= 0);
> +    g_return_if_fail(selection < CLIPBOARD_LAST);
> +
> +    g_warning("selection_release");
> +
> +    if (!self->priv->clipboard_delayed) {
> +        spice_main_channel_clipboard_selection_release(self->priv-
> >main, selection);
> +    } else {
> +        self->priv->clipboard_pending_selection_release[selection] =
> TRUE;
> +        g_clear_pointer(&self->priv-
> >clipboard_pending_data[selection], g_free);
> +        self->priv->clipboard_pending_len[selection] = 0;
> +        self->priv->clipboard_pending_selection[selection] = FALSE;
> +    }
> +}
> +
>  static void clipboard_owner_change(GtkClipboard        *clipboard,
>                                     GdkEventOwnerChange *event,
>                                     gpointer            user_data)
> @@ -685,7 +714,7 @@ static void
> clipboard_owner_change(GtkClipboard        *clipboard,
>      if (s->clip_grabbed[selection]) {
>          s->clip_grabbed[selection] = FALSE;
>          if (spice_main_channel_agent_test_capability(s->main,
> VD_AGENT_CAP_CLIPBOARD_BY_DEMAND))
> -            spice_main_channel_clipboard_selection_release(s->main,
> selection);
> +            clipboard_selection_release(self, selection);
>      }
>  
>      switch (event->reason) {
> @@ -714,6 +743,18 @@ typedef struct
>      guint selection;
>  } RunInfo;
>  
> +static void
> +clipboard_delayed_selection_notify(SpiceGtkSession *self);
> +
> +G_GNUC_INTERNAL void
> spice_gtk_session_set_clipboard_delayed(SpiceGtkSession *self,
> +                                                             gboolea
> n clipboard_delayed)
> +{
> +    self->priv->clipboard_delayed = clipboard_delayed;
> +    if (!self->priv->clipboard_delayed) {
> +        clipboard_delayed_selection_notify(self);
> +    }
> +}
> +
>  static void clipboard_got_from_guest(SpiceMainChannel *main, guint
> selection,
>                                       guint type, const guchar *data,
> guint size,
>                                       gpointer user_data)
> @@ -927,6 +968,52 @@ static char
> *fixup_clipboard_text(SpiceGtkSession *self, const char *text, int *
>      return conv;
>  }
>  
> +static void
> +clipboard_delayed_selection_notify(SpiceGtkSession *self)
> +{
> +    unsigned int i;
> +
> +    for (i = 0; i < CLIPBOARD_LAST; i++) {
> +        if (self->priv->clipboard_pending_selection_release[i]) {
> +            g_warn_if_fail(!self->priv-
> >clipboard_pending_selection[i]);
> +            spice_main_channel_clipboard_selection_release(self-
> >priv->main, i);
> +            self->priv->clipboard_pending_selection_release[i] =
> FALSE;
> +        }
> +        if (!self->priv->clipboard_pending_selection[i]) {
> +            continue;
> +        }
> +        spice_main_channel_clipboard_selection_notify(self->priv-
> >main,
> +                                                      i,
> +                                                      self->priv-
> >clipboard_pending_type[i],
> +                                                      self->priv-
> >clipboard_pending_data[i],
> +                                                      self->priv-
> >clipboard_pending_len[i]);
> +        g_clear_pointer(&self->priv->clipboard_pending_data[i],
> g_free);
> +        self->priv->clipboard_pending_len[i] = 0;
> +        self->priv->clipboard_pending_selection[i] = FALSE;
> +    }
> +}
> +
> +static void
> +clipboard_selection_notify(SpiceGtkSession *self, int selection,
> guint32 type,
> +                           const guchar *data, gsize len)
> +{
> +    g_return_if_fail(selection >= 0);
> +    g_return_if_fail(selection < CLIPBOARD_LAST);
> +
> +    if (!self->priv->clipboard_delayed) {
> +        spice_main_channel_clipboard_selection_notify(self->priv-
> >main,
> +                                                      selection,
> type,
> +                                                      data, len);
> +    } else {
> +        self->priv->clipboard_pending_selection[selection] = TRUE;
> +        self->priv->clipboard_pending_type[selection] = type;
> +        g_clear_pointer(&self->priv-
> >clipboard_pending_data[selection], g_free);
> +        self->priv->clipboard_pending_data[selection] =
> g_memdup(data, len);
> +        self->priv->clipboard_pending_len[selection] = len;
> +        self->priv->clipboard_pending_selection_release[selection] =
> FALSE;
> +    }
> +}
> +

This discards the previous data, so if the guest requested the
clipboard N times, it only receives one response. Note that the
individual requests could have different types. How does the vdagent
deal with that?

>  static void clipboard_received_text_cb(GtkClipboard *clipboard,
>                                         const gchar *text,
>                                         gpointer user_data)
> @@ -965,10 +1052,8 @@ static void
> clipboard_received_text_cb(GtkClipboard *clipboard,
>  
>      data = (const guchar *) (conv != NULL ? conv : text);
>  notify_agent:
> -    spice_main_channel_clipboard_selection_notify(self->priv->main,
> selection,
> -                                                  VD_AGENT_CLIPBOARD
> _UTF8_TEXT,
> -                                                  data,
> -                                                  (data != NULL) ?
> len : 0);
> +    clipboard_selection_notify(self, selection,
> VD_AGENT_CLIPBOARD_UTF8_TEXT,
> +                               data, (data != NULL) ? len : 0);
>      g_free(conv);
>  }
>  
> @@ -1021,7 +1106,7 @@ static void clipboard_received_cb(GtkClipboard
> *clipboard,
>       */
>      g_warn_if_fail(type != VD_AGENT_CLIPBOARD_UTF8_TEXT);
>  
> -    spice_main_channel_clipboard_selection_notify(s->main,
> selection, type, data, len);
> +    clipboard_selection_notify(self, selection, type, data, len);
>  }
>  
>  static gboolean clipboard_request(SpiceMainChannel *main, guint
> selection,
> diff --git a/src/spice-widget.c b/src/spice-widget.c
> index 316043a9..7fd8349b 100644
> --- a/src/spice-widget.c
> +++ b/src/spice-widget.c
> @@ -1833,6 +1833,8 @@ static gboolean focus_in_event(GtkWidget
> *widget, GdkEventFocus *focus G_GNUC_UN
>  
>      DISPLAY_DEBUG(display, "%s", __FUNCTION__);
>  
> +    spice_gtk_session_set_clipboard_delayed(d->gtk_session, FALSE);
> +
>      /*
>       * Ignore focus in when we already have the focus
>       * (this happens when doing an ungrab from the leave_event
> callback).
> @@ -1868,6 +1870,9 @@ static gboolean focus_out_event(GtkWidget
> *widget, GdkEventFocus *focus G_GNUC_U
>      SpiceDisplay *display = SPICE_DISPLAY(widget);
>  
>      DISPLAY_DEBUG(display, "%s", __FUNCTION__);
> +
> +    spice_gtk_session_set_clipboard_delayed(display->priv-
> >gtk_session, TRUE);
> +
>      update_display(NULL);
>  
>      /*

Cheers,
  Jakub
Hi

----- Original Message -----
> This patch is solving guest <-> client issue, I doubt portals would address
> this
> so I think only spice-gtk can address it. 

Portals could check the permissions for an application using the clipboard. Whether it's spice-gtk talking to a guest VM or an editor, it doesn't matter.

A portal may be overkill (since there would probably be no UI), and a simple static permission could be enough.

This basically would be the same thing as having a --spice-disable-clipboard option.
> 
> Hi
> 
> ----- Original Message -----
> > This patch is solving guest <-> client issue, I doubt portals would address
> > this
> > so I think only spice-gtk can address it.
> 
> Portals could check the permissions for an application using the clipboard.
> Whether it's spice-gtk talking to a guest VM or an editor, it doesn't
> matter.
> 

So use these portals (are they cross platform?) to temporarily disable clipboard
access

> A portal may be overkill (since there would probably be no UI), and a simple
> static permission could be enough.
> 
> This basically would be the same thing as having a --spice-disable-clipboard
> option.
> 

A command line option does not look that temporary. I think an option on the GUI
like c&p:
- never;
- always;
- only if have the focus;
- special keyboard combination.
Or crazy stuff like enabling for only some seconds.

Frediano
Hi

----- Original Message -----
> 
> > 
> > Hi
> > 
> > ----- Original Message -----
> > > This patch is solving guest <-> client issue, I doubt portals would
> > > address
> > > this
> > > so I think only spice-gtk can address it.
> > 
> > Portals could check the permissions for an application using the clipboard.
> > Whether it's spice-gtk talking to a guest VM or an editor, it doesn't
> > matter.
> > 
> 
> So use these portals (are they cross platform?) to temporarily disable
> clipboard
> access
> 
> > A portal may be overkill (since there would probably be no UI), and a
> > simple
> > static permission could be enough.
> > 
> > This basically would be the same thing as having a
> > --spice-disable-clipboard
> > option.
> > 
> 
> A command line option does not look that temporary. I think an option on the
> GUI
> like c&p:
> - never;
> - always;

Yes, additional UI may be nice to switch enabling/disabling clipboard sharing (although we still need command line and/or config file).
 
> - only if have the focus;
> - special keyboard combination.
> Or crazy stuff like enabling for only some seconds.

The rest feels unnecessarily complex to me.
On Tue, Jan 09, 2018 at 12:16:33PM -0500, Marc-André Lureau wrote:
> I think it's problematic for traditional applications as well.
> clipboard access is probably going to be limited by default and only
> accessed through so-called "portals", just like file access etc. This
> topic should be brought on desktop / flatpak mailing list.

Maybe in some distant future, all applications everyone is running will
be flatpak, and will be using portals to improve security. The same
thing can be said regarding wayland, which does not have this issue.
Some time in the future, this will become a non-issue. However, solving
this now on x11 is definitely not something which should be related to
portals/flatpak in my opinion.

Christophe
Hi

----- Original Message -----
> On Tue, Jan 09, 2018 at 12:16:33PM -0500, Marc-André Lureau wrote:
> > I think it's problematic for traditional applications as well.
> > clipboard access is probably going to be limited by default and only
> > accessed through so-called "portals", just like file access etc. This
> > topic should be brought on desktop / flatpak mailing list.
> 
> Maybe in some distant future, all applications everyone is running will
> be flatpak, and will be using portals to improve security. The same
> thing can be said regarding wayland, which does not have this issue.
> Some time in the future, this will become a non-issue. However, solving
> this now on x11 is definitely not something which should be related to
> portals/flatpak in my opinion.

I propose a --spice-disable-clipboard, and client UI to switch on/off clipboard sharing functionality.

Something different will likely break some clipboard users or lower experience.
> 
> Hi
> 
> ----- Original Message -----
> > On Tue, Jan 09, 2018 at 12:16:33PM -0500, Marc-André Lureau wrote:
> > > I think it's problematic for traditional applications as well.
> > > clipboard access is probably going to be limited by default and only
> > > accessed through so-called "portals", just like file access etc. This
> > > topic should be brought on desktop / flatpak mailing list.
> > 
> > Maybe in some distant future, all applications everyone is running will
> > be flatpak, and will be using portals to improve security. The same
> > thing can be said regarding wayland, which does not have this issue.
> > Some time in the future, this will become a non-issue. However, solving
> > this now on x11 is definitely not something which should be related to
> > portals/flatpak in my opinion.
> 
> I propose a --spice-disable-clipboard, and client UI to switch on/off
> clipboard sharing functionality.
> 
> Something different will likely break some clipboard users or lower
> experience.

If we consider this a security threat than default should be disabled
and there should be a --spice-enable-clipboard. Note that the default
option apply to different tools (like virt-manager and boxes).

If we decide to go to the on/off options I would see some options

- default on (like now). The user should be prompted that there's
  a security issue and confirm to have understood. Without that
  prompt and knowing the issue spice could be potentially considered
  not that secure to use. That means the confirmation should be saved
  in order to avoid prompting it every time;
- default off. We could say nothing but I think the user would be
  quite frustrated as without any message and with just an update
  copy&paste won't work. We could give the user a prompt also in
  this case. This seems more secure, if user does not read the
  message and click "ok" the data can be leaked.

From user experience and customer feeling somebody could complain
that the vmware default (c&p only with focus like Christophe patch
is supposed to do) is quite good and does not require manually
enable/disable that making really easy to use.

From implementation details the off and focus options would require
some code to make c&p not work (always or on conditions) so I
think we could agree on a patch implementing on/off on the code.
As already understood the agent couldn't force a read of remote
clipboard if disable (or the guest could do a polling of the changes).

I personally agree with Christophe about not using portals for now
and on the focus option.

Frediano
On Thu, Jan 11, 2018 at 08:10:39AM -0500, Frediano Ziglio wrote:
> > 
> > Hi
> > 
> > ----- Original Message -----
> > > On Tue, Jan 09, 2018 at 12:16:33PM -0500, Marc-André Lureau wrote:
> > > > I think it's problematic for traditional applications as well.
> > > > clipboard access is probably going to be limited by default and only
> > > > accessed through so-called "portals", just like file access etc. This
> > > > topic should be brought on desktop / flatpak mailing list.
> > > 
> > > Maybe in some distant future, all applications everyone is running will
> > > be flatpak, and will be using portals to improve security. The same
> > > thing can be said regarding wayland, which does not have this issue.
> > > Some time in the future, this will become a non-issue. However, solving
> > > this now on x11 is definitely not something which should be related to
> > > portals/flatpak in my opinion.
> > 
> > I propose a --spice-disable-clipboard, and client UI to switch on/off
> > clipboard sharing functionality.
> > 
> > Something different will likely break some clipboard users or lower
> > experience.
> 
> If we consider this a security threat than default should be disabled
> and there should be a --spice-enable-clipboard. Note that the default
> option apply to different tools (like virt-manager and boxes).
> 
> If we decide to go to the on/off options I would see some options
> 
> - default on (like now). The user should be prompted that there's
>   a security issue and confirm to have understood. Without that
>   prompt and knowing the issue spice could be potentially considered
>   not that secure to use. That means the confirmation should be saved
>   in order to avoid prompting it every time;

Prompting the user to confirm that they understand a security issue
is a total disaster. Users will just blindly click through any
warning message about security if it gets in the way of what they
are trying to achieve.  At best we'll annoy users.

> - default off. We could say nothing but I think the user would be
>   quite frustrated as without any message and with just an update
>   copy&paste won't work. We could give the user a prompt also in
>   this case. This seems more secure, if user does not read the
>   message and click "ok" the data can be leaked.
> 
> From user experience and customer feeling somebody could complain
> that the vmware default (c&p only with focus like Christophe patch
> is supposed to do) is quite good and does not require manually
> enable/disable that making really easy to use.

This is really much more viable IMHO. It avoids need to prompt user with
security warnings and avoids extra config options and shouldn't break
normal usage patterns.


Regards,
Daniel
Hi

----- Original Message -----
> On Thu, Jan 11, 2018 at 08:10:39AM -0500, Frediano Ziglio wrote:
> > > 
> > > Hi
> > > 
> > > ----- Original Message -----
> > > > On Tue, Jan 09, 2018 at 12:16:33PM -0500, Marc-André Lureau wrote:
> > > > > I think it's problematic for traditional applications as well.
> > > > > clipboard access is probably going to be limited by default and only
> > > > > accessed through so-called "portals", just like file access etc. This
> > > > > topic should be brought on desktop / flatpak mailing list.
> > > > 
> > > > Maybe in some distant future, all applications everyone is running will
> > > > be flatpak, and will be using portals to improve security. The same
> > > > thing can be said regarding wayland, which does not have this issue.
> > > > Some time in the future, this will become a non-issue. However, solving
> > > > this now on x11 is definitely not something which should be related to
> > > > portals/flatpak in my opinion.
> > > 
> > > I propose a --spice-disable-clipboard, and client UI to switch on/off
> > > clipboard sharing functionality.
> > > 
> > > Something different will likely break some clipboard users or lower
> > > experience.
> > 
> > If we consider this a security threat than default should be disabled
> > and there should be a --spice-enable-clipboard. Note that the default
> > option apply to different tools (like virt-manager and boxes).
> > 
> > If we decide to go to the on/off options I would see some options
> > 
> > - default on (like now). The user should be prompted that there's
> >   a security issue and confirm to have understood. Without that
> >   prompt and knowing the issue spice could be potentially considered
> >   not that secure to use. That means the confirmation should be saved
> >   in order to avoid prompting it every time;
> 
> Prompting the user to confirm that they understand a security issue
> is a total disaster. Users will just blindly click through any
> warning message about security if it gets in the way of what they
> are trying to achieve.  At best we'll annoy users.

agree

> 
> > - default off. We could say nothing but I think the user would be
> >   quite frustrated as without any message and with just an update
> >   copy&paste won't work. We could give the user a prompt also in
> >   this case. This seems more secure, if user does not read the
> >   message and click "ok" the data can be leaked.
> > 
> > From user experience and customer feeling somebody could complain
> > that the vmware default (c&p only with focus like Christophe patch
> > is supposed to do) is quite good and does not require manually
> > enable/disable that making really easy to use.
> 
> This is really much more viable IMHO. It avoids need to prompt user with
> security warnings and avoids extra config options and shouldn't break
> normal usage patterns.

Do you know the content of the clipboards when you switch your focus window?

Doesn't seem safe either to me. I would rather have clipboard sharing disabled by default.
On Wed, Jan 10, 2018 at 06:48:14PM -0500, Marc-André Lureau wrote:
> Hi
> 
> ----- Original Message -----
> > On Tue, Jan 09, 2018 at 12:16:33PM -0500, Marc-André Lureau wrote:
> > > I think it's problematic for traditional applications as well.
> > > clipboard access is probably going to be limited by default and only
> > > accessed through so-called "portals", just like file access etc. This
> > > topic should be brought on desktop / flatpak mailing list.
> > 
> > Maybe in some distant future, all applications everyone is running will
> > be flatpak, and will be using portals to improve security. The same
> > thing can be said regarding wayland, which does not have this issue.
> > Some time in the future, this will become a non-issue. However, solving
> > this now on x11 is definitely not something which should be related to
> > portals/flatpak in my opinion.
> 
> I propose a --spice-disable-clipboard, and client UI to switch on/off clipboard sharing functionality.
> 
> Something different will likely break some clipboard users or lower experience.

One additional note on that, I was initially worried about which use
cases were going to be broken by these changes. Then I realized that the
very same use cases would be broken when using wayland (after taking into
account Jakub's comments). Since this potential breakage will happen
anyway whether we want it or not, it's not going to make a big
difference if we do the same when running on  X11.

Christophe
Hi

----- Original Message -----
> On Wed, Jan 10, 2018 at 06:48:14PM -0500, Marc-André Lureau wrote:
> > Hi
> > 
> > ----- Original Message -----
> > > On Tue, Jan 09, 2018 at 12:16:33PM -0500, Marc-André Lureau wrote:
> > > > I think it's problematic for traditional applications as well.
> > > > clipboard access is probably going to be limited by default and only
> > > > accessed through so-called "portals", just like file access etc. This
> > > > topic should be brought on desktop / flatpak mailing list.
> > > 
> > > Maybe in some distant future, all applications everyone is running will
> > > be flatpak, and will be using portals to improve security. The same
> > > thing can be said regarding wayland, which does not have this issue.
> > > Some time in the future, this will become a non-issue. However, solving
> > > this now on x11 is definitely not something which should be related to
> > > portals/flatpak in my opinion.
> > 
> > I propose a --spice-disable-clipboard, and client UI to switch on/off
> > clipboard sharing functionality.
> > 
> > Something different will likely break some clipboard users or lower
> > experience.
> 
> One additional note on that, I was initially worried about which use
> cases were going to be broken by these changes. Then I realized that the
> very same use cases would be broken when using wayland (after taking into
> account Jakub's comments). Since this potential breakage will happen
> anyway whether we want it or not, it's not going to make a big
> difference if we do the same when running on  X11.

So this change isn't needed for Wayland, and your patch changes the clipboard behaviour to be similar as Wayland.

Why couldn't this be done at Gtk level? This would give a similar clipboard behaviour for all Gtk app wether they run on Wayland or X, or windows etc. They would also benefit the same "added security".
On Thu, Jan 11, 2018 at 3:29 PM, Marc-André Lureau
<marcandre.lureau@redhat.com> wrote:
>
> Hi
>
> ----- Original Message -----
> > On Wed, Jan 10, 2018 at 06:48:14PM -0500, Marc-André Lureau wrote:
> > > Hi
> > >
> > > ----- Original Message -----
> > > > On Tue, Jan 09, 2018 at 12:16:33PM -0500, Marc-André Lureau wrote:
> > > > > I think it's problematic for traditional applications as well.
> > > > > clipboard access is probably going to be limited by default and only
> > > > > accessed through so-called "portals", just like file access etc. This
> > > > > topic should be brought on desktop / flatpak mailing list.
> > > >
> > > > Maybe in some distant future, all applications everyone is running will
> > > > be flatpak, and will be using portals to improve security. The same
> > > > thing can be said regarding wayland, which does not have this issue.
> > > > Some time in the future, this will become a non-issue. However, solving
> > > > this now on x11 is definitely not something which should be related to
> > > > portals/flatpak in my opinion.
> > >
> > > I propose a --spice-disable-clipboard, and client UI to switch on/off
> > > clipboard sharing functionality.
> > >
> > > Something different will likely break some clipboard users or lower
> > > experience.
> >
> > One additional note on that, I was initially worried about which use
> > cases were going to be broken by these changes. Then I realized that the
> > very same use cases would be broken when using wayland (after taking into
> > account Jakub's comments). Since this potential breakage will happen
> > anyway whether we want it or not, it's not going to make a big
> > difference if we do the same when running on  X11.
>
> So this change isn't needed for Wayland, and your patch changes the clipboard behaviour to be similar as Wayland.
>
> Why couldn't this be done at Gtk level? This would give a similar clipboard behaviour for all Gtk app wether they run on Wayland or X, or windows etc. They would also benefit the same "added security".

Do you think this change would make it to GTK3? I think it could
potentially break some apps. Note that e.g. spice-vdagent takes
advantage of this "security issue" in X11 - it has no window and
listens for the clipboard changes all the time.
(it seems that clipboard system for GTK 4 has been reworked quite a
bit - see https://git.gnome.org/browse/gtk+/log/?h=wip/otte/clipboard
- this is already merged into master)

Cheers,
  Jakub
Hi

----- Original Message -----
> On Thu, Jan 11, 2018 at 3:29 PM, Marc-André Lureau
> <marcandre.lureau@redhat.com> wrote:
> >
> > Hi
> >
> > ----- Original Message -----
> > > On Wed, Jan 10, 2018 at 06:48:14PM -0500, Marc-André Lureau wrote:
> > > > Hi
> > > >
> > > > ----- Original Message -----
> > > > > On Tue, Jan 09, 2018 at 12:16:33PM -0500, Marc-André Lureau wrote:
> > > > > > I think it's problematic for traditional applications as well.
> > > > > > clipboard access is probably going to be limited by default and
> > > > > > only
> > > > > > accessed through so-called "portals", just like file access etc.
> > > > > > This
> > > > > > topic should be brought on desktop / flatpak mailing list.
> > > > >
> > > > > Maybe in some distant future, all applications everyone is running
> > > > > will
> > > > > be flatpak, and will be using portals to improve security. The same
> > > > > thing can be said regarding wayland, which does not have this issue.
> > > > > Some time in the future, this will become a non-issue. However,
> > > > > solving
> > > > > this now on x11 is definitely not something which should be related
> > > > > to
> > > > > portals/flatpak in my opinion.
> > > >
> > > > I propose a --spice-disable-clipboard, and client UI to switch on/off
> > > > clipboard sharing functionality.
> > > >
> > > > Something different will likely break some clipboard users or lower
> > > > experience.
> > >
> > > One additional note on that, I was initially worried about which use
> > > cases were going to be broken by these changes. Then I realized that the
> > > very same use cases would be broken when using wayland (after taking into
> > > account Jakub's comments). Since this potential breakage will happen
> > > anyway whether we want it or not, it's not going to make a big
> > > difference if we do the same when running on  X11.
> >
> > So this change isn't needed for Wayland, and your patch changes the
> > clipboard behaviour to be similar as Wayland.
> >
> > Why couldn't this be done at Gtk level? This would give a similar clipboard
> > behaviour for all Gtk app wether they run on Wayland or X, or windows etc.
> > They would also benefit the same "added security".
> 
> Do you think this change would make it to GTK3? I think it could
> potentially break some apps. Note that e.g. spice-vdagent takes
> advantage of this "security issue" in X11 - it has no window and
> listens for the clipboard changes all the time.

Those gtk applications would break on wayland today anyway, right?

> (it seems that clipboard system for GTK 4 has been reworked quite a
> bit - see https://git.gnome.org/browse/gtk+/log/?h=wip/otte/clipboard
> - this is already merged into master)

I have not much time to look at the details, but I don't think we should rush into changing the behavior of the clipboard in spice only. This is more windowing/toolkit level issue.
On Thu, Jan 11, 2018 at 5:42 PM, Marc-André Lureau
<marcandre.lureau@redhat.com> wrote:
> Hi
>
> ----- Original Message -----
>> On Thu, Jan 11, 2018 at 3:29 PM, Marc-André Lureau
>> <marcandre.lureau@redhat.com> wrote:
>> >
>> > Hi
>> >
>> > ----- Original Message -----
>> > > On Wed, Jan 10, 2018 at 06:48:14PM -0500, Marc-André Lureau wrote:
>> > > > Hi
>> > > >
>> > > > ----- Original Message -----
>> > > > > On Tue, Jan 09, 2018 at 12:16:33PM -0500, Marc-André Lureau wrote:
>> > > > > > I think it's problematic for traditional applications as well.
>> > > > > > clipboard access is probably going to be limited by default and
>> > > > > > only
>> > > > > > accessed through so-called "portals", just like file access etc.
>> > > > > > This
>> > > > > > topic should be brought on desktop / flatpak mailing list.
>> > > > >
>> > > > > Maybe in some distant future, all applications everyone is running
>> > > > > will
>> > > > > be flatpak, and will be using portals to improve security. The same
>> > > > > thing can be said regarding wayland, which does not have this issue.
>> > > > > Some time in the future, this will become a non-issue. However,
>> > > > > solving
>> > > > > this now on x11 is definitely not something which should be related
>> > > > > to
>> > > > > portals/flatpak in my opinion.
>> > > >
>> > > > I propose a --spice-disable-clipboard, and client UI to switch on/off
>> > > > clipboard sharing functionality.
>> > > >
>> > > > Something different will likely break some clipboard users or lower
>> > > > experience.
>> > >
>> > > One additional note on that, I was initially worried about which use
>> > > cases were going to be broken by these changes. Then I realized that the
>> > > very same use cases would be broken when using wayland (after taking into
>> > > account Jakub's comments). Since this potential breakage will happen
>> > > anyway whether we want it or not, it's not going to make a big
>> > > difference if we do the same when running on  X11.
>> >
>> > So this change isn't needed for Wayland, and your patch changes the
>> > clipboard behaviour to be similar as Wayland.
>> >
>> > Why couldn't this be done at Gtk level? This would give a similar clipboard
>> > behaviour for all Gtk app wether they run on Wayland or X, or windows etc.
>> > They would also benefit the same "added security".
>>
>> Do you think this change would make it to GTK3? I think it could
>> potentially break some apps. Note that e.g. spice-vdagent takes
>> advantage of this "security issue" in X11 - it has no window and
>> listens for the clipboard changes all the time.
>
> Those gtk applications would break on wayland today anyway, right?

Probably, unless you force GTK to use XWayland with
gdk_set_allowed_backends("x11").
But pushing this kind of change to GTK 3.22, which is supposed to be
stable, doesn't seem right to me.

>
>> (it seems that clipboard system for GTK 4 has been reworked quite a
>> bit - see https://git.gnome.org/browse/gtk+/log/?h=wip/otte/clipboard
>> - this is already merged into master)
>
> I have not much time to look at the details, but I don't think we should rush into changing the behavior of the clipboard in spice only. This is more windowing/toolkit level issue.

That's right, I just wanted to say it might take considerable amount
of time to fix this issue in spice if we were patching GTK.

Jakub
On Thu, Jan 11, 2018 at 11:42:00AM -0500, Marc-André Lureau wrote:
> 
> > (it seems that clipboard system for GTK 4 has been reworked quite a
> > bit - see https://git.gnome.org/browse/gtk+/log/?h=wip/otte/clipboard
> > - this is already merged into master)
> 
> I have not much time to look at the details, but I don't think we
> should rush into changing the behavior of the clipboard in spice only.
> This is more windowing/toolkit level issue.

The impact of doing this in gtk3 would be greater than doing it in SPICE
only, I don't really expect gtk+ people to be open to such a change in
gtk3 at this point. But yes I did not ask, so I could have a nice
surprise ;)
Once again, spice-gtk is a very special gtk+ application in that one of
its features is to let arbitrary code interact with the clipboard. This
is not the case of the case of most gtk+ applications.
I agree with you that some help from the windowing/toolkit would be good
to have, but in this case, I doubt we are going to be able to do better
than managing this in spice-gtk.

Christophe
Hi

----- Original Message -----
> On Thu, Jan 11, 2018 at 11:42:00AM -0500, Marc-André Lureau wrote:
> > 
> > > (it seems that clipboard system for GTK 4 has been reworked quite a
> > > bit - see https://git.gnome.org/browse/gtk+/log/?h=wip/otte/clipboard
> > > - this is already merged into master)
> > 
> > I have not much time to look at the details, but I don't think we
> > should rush into changing the behavior of the clipboard in spice only.
> > This is more windowing/toolkit level issue.
> 
> The impact of doing this in gtk3 would be greater than doing it in SPICE
> only, I don't really expect gtk+ people to be open to such a change in
> gtk3 at this point. But yes I did not ask, so I could have a nice
> surprise ;)

The impact is even bigger if you think that they did it already at the wayland level...

> Once again, spice-gtk is a very special gtk+ application in that one of
> its features is to let arbitrary code interact with the clipboard. This
> is not the case of the case of most gtk+ applications.

spice is proxying the events. You should be aware of what you are running in the guest if you enable clipboard sharing.

fwiw, there are other cases where "arbitrary code" could interact with a clipboard: 
https://stackoverflow.com/questions/6413036/get-current-clipboard-content/6413100#6413100

> I agree with you that some help from the windowing/toolkit would be good
> to have, but in this case, I doubt we are going to be able to do better
> than managing this in spice-gtk.

Yet it is already being solved at a lower level, where you can actually enforce that behaviour.
On Thu, Jan 11, 2018 at 12:35:36PM -0500, Marc-André Lureau wrote:
> > I agree with you that some help from the windowing/toolkit would be good
> > to have, but in this case, I doubt we are going to be able to do better
> > than managing this in spice-gtk.
> 
> Yet it is already being solved at a lower level, where you can actually enforce that behaviour.

Yes, it is solved with wayland. The question I'm asking/the problem I'm
trying to solve is what do we do for existing systems using Xorg and
gtk+3. With Xorg being phased out (which will still take a few years),
and gtk+3 being phased out (again, will take at least a few years), I
don't see this kind of clipboard behaviour changes going into either of
these. Maybe I'm wrong, but assuming I'm not, then either we fix it
("it" being xorg + gtk3) in spice-gtk even though that's not the best
place, or we don't fix it at all.

If we decide to do something in spice-gtk, one option is to only send
the clipboard when the window is focused, which will reduce the attack
surface for everyone, and hopefully will have minimal impact.
Another option (which is not exclusive) is to add command-line/runtime
ways of enabling/disabling clipboard sharing, which you will either have
to know about it if it's enabled by default, or will be quite disruptive
if we disable clipboard sharing by default.

I'd lean towards doing "clipboard sharing for focused client" +
"command-line/runtime option, with clipboard sharing enabled by
default".

Christophe
Hi

----- Original Message -----
> On Thu, Jan 11, 2018 at 12:35:36PM -0500, Marc-André Lureau wrote:
> > > I agree with you that some help from the windowing/toolkit would be good
> > > to have, but in this case, I doubt we are going to be able to do better
> > > than managing this in spice-gtk.
> > 
> > Yet it is already being solved at a lower level, where you can actually
> > enforce that behaviour.
> 
> Yes, it is solved with wayland. The question I'm asking/the problem I'm
> trying to solve is what do we do for existing systems using Xorg and
> gtk+3. With Xorg being phased out (which will still take a few years),
> and gtk+3 being phased out (again, will take at least a few years), I
> don't see this kind of clipboard behaviour changes going into either of
> these. Maybe I'm wrong, but assuming I'm not, then either we fix it
> ("it" being xorg + gtk3) in spice-gtk even though that's not the best
> place, or we don't fix it at all.
> 
> If we decide to do something in spice-gtk, one option is to only send
> the clipboard when the window is focused, which will reduce the attack
> surface for everyone, and hopefully will have minimal impact.
> Another option (which is not exclusive) is to add command-line/runtime
> ways of enabling/disabling clipboard sharing, which you will either have
> to know about it if it's enabled by default, or will be quite disruptive
> if we disable clipboard sharing by default.

Is it really a security reason the clipboard behaviour is different on Wayland? For me, this "share on focus" is not a more secure behaviour.

> 
> I'd lean towards doing "clipboard sharing for focused client" +
> "command-line/runtime option, with clipboard sharing enabled by
> default".

I'd rather stick with a simple command-line & runtime option.
> 
> Hi
> 
> ----- Original Message -----
> > On Thu, Jan 11, 2018 at 12:35:36PM -0500, Marc-André Lureau wrote:
> > > > I agree with you that some help from the windowing/toolkit would be
> > > > good
> > > > to have, but in this case, I doubt we are going to be able to do better
> > > > than managing this in spice-gtk.
> > > 
> > > Yet it is already being solved at a lower level, where you can actually
> > > enforce that behaviour.
> > 
> > Yes, it is solved with wayland. The question I'm asking/the problem I'm
> > trying to solve is what do we do for existing systems using Xorg and
> > gtk+3. With Xorg being phased out (which will still take a few years),
> > and gtk+3 being phased out (again, will take at least a few years), I
> > don't see this kind of clipboard behaviour changes going into either of
> > these. Maybe I'm wrong, but assuming I'm not, then either we fix it
> > ("it" being xorg + gtk3) in spice-gtk even though that's not the best
> > place, or we don't fix it at all.
> > 
> > If we decide to do something in spice-gtk, one option is to only send
> > the clipboard when the window is focused, which will reduce the attack
> > surface for everyone, and hopefully will have minimal impact.
> > Another option (which is not exclusive) is to add command-line/runtime
> > ways of enabling/disabling clipboard sharing, which you will either have
> > to know about it if it's enabled by default, or will be quite disruptive
> > if we disable clipboard sharing by default.
> 
> Is it really a security reason the clipboard behaviour is different on
> Wayland? For me, this "share on focus" is not a more secure behaviour.
> 

The bug report explains in more detail the use case.
Is describing an administrator user with different client opened sometimes
having to copy&paste some password with tools like keepass.
These tools usually clear the clipboard after some time.
Yes, in this case the user would be better not to be connected to VMs
and surely having clipboard support disabled is safer but for security
clipboard should be disable by default, not with an option.
Considering that this is considered low impact a workaround like the
focus limitation is enough.
One more good thing also about the focus limitation is that if you
keep multiple VM connected but you don't interact with them you
don't send clipboard messages potentially reducing th network usage.

> > 
> > I'd lean towards doing "clipboard sharing for focused client" +
> > "command-line/runtime option, with clipboard sharing enabled by
> > default".
> 
> I'd rather stick with a simple command-line & runtime option.

Not so simple considering that you have to patch different tools
(boxes, virt-manager, virt-viewer) while just changing spice-gtk
would be a single patch.

Frediano
Hi

----- Original Message -----
> > 
> > Hi
> > 
> > ----- Original Message -----
> > > On Thu, Jan 11, 2018 at 12:35:36PM -0500, Marc-André Lureau wrote:
> > > > > I agree with you that some help from the windowing/toolkit would be
> > > > > good
> > > > > to have, but in this case, I doubt we are going to be able to do
> > > > > better
> > > > > than managing this in spice-gtk.
> > > > 
> > > > Yet it is already being solved at a lower level, where you can actually
> > > > enforce that behaviour.
> > > 
> > > Yes, it is solved with wayland. The question I'm asking/the problem I'm
> > > trying to solve is what do we do for existing systems using Xorg and
> > > gtk+3. With Xorg being phased out (which will still take a few years),
> > > and gtk+3 being phased out (again, will take at least a few years), I
> > > don't see this kind of clipboard behaviour changes going into either of
> > > these. Maybe I'm wrong, but assuming I'm not, then either we fix it
> > > ("it" being xorg + gtk3) in spice-gtk even though that's not the best
> > > place, or we don't fix it at all.
> > > 
> > > If we decide to do something in spice-gtk, one option is to only send
> > > the clipboard when the window is focused, which will reduce the attack
> > > surface for everyone, and hopefully will have minimal impact.
> > > Another option (which is not exclusive) is to add command-line/runtime
> > > ways of enabling/disabling clipboard sharing, which you will either have
> > > to know about it if it's enabled by default, or will be quite disruptive
> > > if we disable clipboard sharing by default.
> > 
> > Is it really a security reason the clipboard behaviour is different on
> > Wayland? For me, this "share on focus" is not a more secure behaviour.
> > 
> 
> The bug report explains in more detail the use case.
> Is describing an administrator user with different client opened sometimes
> having to copy&paste some password with tools like keepass.
> These tools usually clear the clipboard after some time.
> Yes, in this case the user would be better not to be connected to VMs
> and surely having clipboard support disabled is safer but for security
> clipboard should be disable by default, not with an option.

Yes, disabled by default

> Considering that this is considered low impact a workaround like the
> focus limitation is enough.
> One more good thing also about the focus limitation is that if you
> keep multiple VM connected but you don't interact with them you
> don't send clipboard messages potentially reducing th network usage.

very marginaly (it's not the content)

> > > 
> > > I'd lean towards doing "clipboard sharing for focused client" +
> > > "command-line/runtime option, with clipboard sharing enabled by
> > > default".
> > 
> > I'd rather stick with a simple command-line & runtime option.
> 
> Not so simple considering that you have to patch different tools
> (boxes, virt-manager, virt-viewer) while just changing spice-gtk
> would be a single patch.

Disabling by default, and command line option is in spice-gtk.

Yes, a UI change is needed in the clients, but I believe that will be needed anyway to secure it.
On Fri, Jan 12, 2018 at 08:05:24AM -0500, Marc-André Lureau wrote:
> 
> Is it really a security reason the clipboard behaviour is different on
> Wayland?

I don't know the reason for this behaviour, for me this is similar to
preventing applications from capturing the whole screen.
https://wiki.x.org/wiki/Events/XDC2014/XDC2014DodierPeresSecurity/xorg-talk.pdf
has a slide with
"Some common GUI requirements are un-secure by design
• Clipboard monitoring"
so at least some people wanted to fix some security problems in xorg
clipboard implementation.

> For me, this "share on focus" is not a more secure behaviour.

"VM can monitor everything which goes in your clipboard while you are
not using it" VS "VM can get what is in your clipboard when you switch
to it" sounds more secure to me, even if not perfect.

Christophe
El vie, 12-01-2018 a las 08:05 -0500, Marc-André Lureau escribió:
> Hi
> 
> ----- Original Message -----
> > On Thu, Jan 11, 2018 at 12:35:36PM -0500, Marc-André Lureau wrote:
> > > > I agree with you that some help from the windowing/toolkit
> > > > would be good
> > > > to have, but in this case, I doubt we are going to be able to
> > > > do better
> > > > than managing this in spice-gtk.
> > > 
> > > Yet it is already being solved at a lower level, where you can
> > > actually
> > > enforce that behaviour.
> > 
> > Yes, it is solved with wayland. The question I'm asking/the problem
> > I'm
> > trying to solve is what do we do for existing systems using Xorg
> > and
> > gtk+3. With Xorg being phased out (which will still take a few
> > years),
> > and gtk+3 being phased out (again, will take at least a few years),
> > I
> > don't see this kind of clipboard behaviour changes going into
> > either of
> > these. Maybe I'm wrong, but assuming I'm not, then either we fix it
> > ("it" being xorg + gtk3) in spice-gtk even though that's not the
> > best
> > place, or we don't fix it at all.
> > 
> > If we decide to do something in spice-gtk, one option is to only
> > send
> > the clipboard when the window is focused, which will reduce the
> > attack
> > surface for everyone, and hopefully will have minimal impact.
> > Another option (which is not exclusive) is to add command-
> > line/runtime
> > ways of enabling/disabling clipboard sharing, which you will either
> > have
> > to know about it if it's enabled by default, or will be quite
> > disruptive
> > if we disable clipboard sharing by default.
> 
> Is it really a security reason the clipboard behaviour is different
> on Wayland? For me, this "share on focus" is not a more secure
> behaviour.

If I may, IMHO spicy is doing the "secure" thing here: You can select
to either share the clipboard automatically or manually with the
corresponding UI actions (copy/paste to/from guest). Doing it manually
will never expose your clipboard to the guest unadvertedly.

Adding these actions to other SPICE clients requires more work than the
"share on focus" feature, but as Marc-André says, some UI changes will
be required anyway.

> 
> > 
> > I'd lean towards doing "clipboard sharing for focused client" +
> > "command-line/runtime option, with clipboard sharing enabled by
> > default".
> 
> I'd rather stick with a simple command-line & runtime option.
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
>
> On 17 Jan 2018, at 11:16, Javier Celaya <javier.celaya@flexvdi.com> wrote:
> 
> El vie, 12-01-2018 a las 08:05 -0500, Marc-André Lureau escribió:
>> Hi
>> 
>> ----- Original Message -----
>>> On Thu, Jan 11, 2018 at 12:35:36PM -0500, Marc-André Lureau wrote:
>>>>> I agree with you that some help from the windowing/toolkit
>>>>> would be good
>>>>> to have, but in this case, I doubt we are going to be able to
>>>>> do better
>>>>> than managing this in spice-gtk.
>>>> 
>>>> Yet it is already being solved at a lower level, where you can
>>>> actually
>>>> enforce that behaviour.
>>> 
>>> Yes, it is solved with wayland. The question I'm asking/the problem
>>> I'm
>>> trying to solve is what do we do for existing systems using Xorg
>>> and
>>> gtk+3. With Xorg being phased out (which will still take a few
>>> years),
>>> and gtk+3 being phased out (again, will take at least a few years),
>>> I
>>> don't see this kind of clipboard behaviour changes going into
>>> either of
>>> these. Maybe I'm wrong, but assuming I'm not, then either we fix it
>>> ("it" being xorg + gtk3) in spice-gtk even though that's not the
>>> best
>>> place, or we don't fix it at all.
>>> 
>>> If we decide to do something in spice-gtk, one option is to only
>>> send
>>> the clipboard when the window is focused, which will reduce the
>>> attack
>>> surface for everyone, and hopefully will have minimal impact.
>>> Another option (which is not exclusive) is to add command-
>>> line/runtime
>>> ways of enabling/disabling clipboard sharing, which you will either
>>> have
>>> to know about it if it's enabled by default, or will be quite
>>> disruptive
>>> if we disable clipboard sharing by default.
>> 
>> Is it really a security reason the clipboard behaviour is different
>> on Wayland? For me, this "share on focus" is not a more secure
>> behaviour.
> 
> If I may, IMHO spicy is doing the "secure" thing here: You can select
> to either share the clipboard automatically or manually with the
> corresponding UI actions (copy/paste to/from guest). Doing it manually
> will never expose your clipboard to the guest unadvertedly.

Just curious, how does that work if you select a “Paste” menu option with the mouse instead of keyboard?


Thanks
Christophe

> 
> Adding these actions to other SPICE clients requires more work than the
> "share on focus" feature, but as Marc-André says, some UI changes will
> be required anyway.
> 
>> 
>>> 
>>> I'd lean towards doing "clipboard sharing for focused client" +
>>> "command-line/runtime option, with clipboard sharing enabled by
>>> default".
>> 
>> I'd rather stick with a simple command-line & runtime option.
>> _______________________________________________
>> Spice-devel mailing list
>> Spice-devel@lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/spice-devel
>> 
> -- 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>        Javier Celaya
> 
> 
> 
> 
>        Chief Technology Officer
> 
> 
> 
> 
> 
> 
> 
>        javier.celaya@flexvdi.com
> 
> 
> 
> 
> 
>        +34 696 969 959 
> 
> 
> 
> 
> 
>        @j_celaya
> 
> 
> 
> 
>        Legal Information and Privacy Policy
> 
> 
> 
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel