[spice-gtk] Add --spice-disable-clipboard option

Submitted by Christophe Fergeau on Jan. 18, 2018, 9:31 a.m.

Details

Message ID 20180118093126.8497-1-cfergeau@redhat.com
State New
Headers show
Series "Add --spice-disable-clipboard option" ( rev: 1 ) in Spice

Not browsing as part of any series.

Commit Message

Christophe Fergeau Jan. 18, 2018, 9:31 a.m.
At least on X.org, malicious code could run the equivalent of "watch
xsel -o --clipboard" in a VM, and would then be able to track all the
clipboard content, even when the spice-gtk widget is not focused.

At the moment, applications call spice_set_session_option(), and then
set SpiceGtkSession::auto-clipboard to TRUE (or to its saved state).
This commit adds a --spice-disable-clipboard option, and if it's set,
SpiceGtkSession::auto-clipboard will not be changeable and will always
be FALSE.
The only side effect I noticed is that enabling "clipboard sharing" in
GNOME Boxes VM preferences will appear to work, but will not enable
clipboard, and will be reset to off next time the preferences dialog is
open.

https://bugzilla.redhat.com/show_bug.cgi?id=1320263
---
 man/spice-client.pod     |  4 ++++
 src/spice-gtk-session.c  | 16 +++++++++++++++-
 src/spice-option.c       |  6 ++++++
 src/spice-session-priv.h |  1 +
 src/spice-session.c      | 35 +++++++++++++++++++++++++++++++++++
 5 files changed, 61 insertions(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/man/spice-client.pod b/man/spice-client.pod
index 7288b84e..76a7d207 100644
--- a/man/spice-client.pod
+++ b/man/spice-client.pod
@@ -111,6 +111,10 @@  SPICE_DEBUG environment variable, or using G_MESSAGES_DEBUG=all
 
 Disable audio support
 
+=item --spice-disable-clipboard
+
+Disable clipboard sharing between client OS and guest OS
+
 =item --spice-disable-usbredir
 
 Disable USB redirection support
diff --git a/src/spice-gtk-session.c b/src/spice-gtk-session.c
index 31f60dc4..c3546209 100644
--- a/src/spice-gtk-session.c
+++ b/src/spice-gtk-session.c
@@ -309,6 +309,20 @@  static void spice_gtk_session_finalize(GObject *gobject)
         G_OBJECT_CLASS(spice_gtk_session_parent_class)->finalize(gobject);
 }
 
+static void spice_gtk_session_set_auto_clipboard(SpiceGtkSession *self,
+                                                 gboolean auto_clipboard)
+{
+    gboolean disable_clipboard;
+    g_object_get(self->priv->session,
+                 "disable-clipboard", &disable_clipboard,
+                 NULL);
+    if (disable_clipboard && auto_clipboard) {
+        g_debug("not enabling clipboard sharing as it was disabled on the command-line");
+        auto_clipboard = FALSE;
+    }
+    self->priv->auto_clipboard_enable = auto_clipboard;
+}
+
 static void spice_gtk_session_get_property(GObject    *gobject,
                                            guint       prop_id,
                                            GValue     *value,
@@ -352,7 +366,7 @@  static void spice_gtk_session_set_property(GObject      *gobject,
         s->session = g_value_get_object(value);
         break;
     case PROP_AUTO_CLIPBOARD:
-        s->auto_clipboard_enable = g_value_get_boolean(value);
+        spice_gtk_session_set_auto_clipboard(self, g_value_get_boolean(value));
         break;
     case PROP_AUTO_USBREDIR: {
         SpiceDesktopIntegration *desktop_int;
diff --git a/src/spice-option.c b/src/spice-option.c
index 6b400bca..0f2f795d 100644
--- a/src/spice-option.c
+++ b/src/spice-option.c
@@ -21,6 +21,7 @@ 
 #include <glib-object.h>
 #include <glib/gi18n-lib.h>
 #include "spice-session.h"
+#include "spice-session-priv.h"
 #include "spice-util.h"
 #include "spice-channel-priv.h"
 #include "usb-device-manager.h"
@@ -35,6 +36,7 @@  static char *usbredir_auto_redirect_filter = NULL;
 static char *usbredir_redirect_on_connect = NULL;
 static gboolean smartcard = FALSE;
 static gboolean disable_audio = FALSE;
+static gboolean disable_clipboard = FALSE;
 static gboolean disable_usbredir = FALSE;
 static gint cache_size = 0;
 static gint glz_window_size = 0;
@@ -203,6 +205,8 @@  GOptionGroup* spice_get_option_group(void)
           N_("Subject of the host certificate (field=value pairs separated by commas)"), N_("<host-subject>") },
         { "spice-disable-audio", '\0', 0, G_OPTION_ARG_NONE, &disable_audio,
           N_("Disable audio support"), NULL },
+        { "spice-disable-clipboard", '\0', 0, G_OPTION_ARG_NONE, &disable_clipboard,
+          N_("Disable client/guest clipboard sharing"), NULL },
         { "spice-smartcard", '\0', 0, G_OPTION_ARG_NONE, &smartcard,
           N_("Enable smartcard support"), NULL },
         { "spice-smartcard-certificates", '\0', 0, G_OPTION_ARG_STRING, &smartcard_certificates,
@@ -312,6 +316,8 @@  void spice_set_session_option(SpiceSession *session)
         g_object_set(session, "enable-usbredir", FALSE, NULL);
     if (disable_audio)
         g_object_set(session, "enable-audio", FALSE, NULL);
+    if (disable_clipboard)
+        spice_session_set_disable_clipboard(session, TRUE);
     if (cache_size)
         g_object_set(session, "cache-size", cache_size, NULL);
     if (glz_window_size)
diff --git a/src/spice-session-priv.h b/src/spice-session-priv.h
index 03005aac..459a04b8 100644
--- a/src/spice-session-priv.h
+++ b/src/spice-session-priv.h
@@ -91,6 +91,7 @@  void spice_session_set_shared_dir(SpiceSession *session, const gchar *dir);
 gboolean spice_session_get_audio_enabled(SpiceSession *session);
 gboolean spice_session_get_smartcard_enabled(SpiceSession *session);
 gboolean spice_session_get_usbredir_enabled(SpiceSession *session);
+void spice_session_set_disable_clipboard(SpiceSession *session, gboolean disabled);
 
 const guint8* spice_session_get_webdav_magic(SpiceSession *session);
 PhodavServer *spice_session_get_webdav_server(SpiceSession *session);
diff --git a/src/spice-session.c b/src/spice-session.c
index 2aabf585..c22014dc 100644
--- a/src/spice-session.c
+++ b/src/spice-session.c
@@ -64,6 +64,9 @@  struct _SpiceSessionPrivate {
     /* whether to enable audio */
     gboolean          audio;
 
+    /* whether clipboard sharing was disabled through the command line */
+    gboolean          disable_clipboard;
+
     /* whether to enable smartcard event forwarding to the server */
     gboolean          smartcard;
 
@@ -203,6 +206,7 @@  enum {
     PROP_USERNAME,
     PROP_UNIX_PATH,
     PROP_PREF_COMPRESSION,
+    PROP_DISABLE_CLIPBOARD,
 };
 
 /* signals */
@@ -695,6 +699,9 @@  static void spice_session_get_property(GObject    *gobject,
     case PROP_PREF_COMPRESSION:
         g_value_set_enum(value, s->preferred_compression);
         break;
+    case PROP_DISABLE_CLIPBOARD:
+        g_value_set_boolean(value, s->disable_clipboard);
+        break;
     default:
 	G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
 	break;
@@ -834,6 +841,9 @@  static void spice_session_set_property(GObject      *gobject,
     case PROP_PREF_COMPRESSION:
         s->preferred_compression = g_value_get_enum(value);
         break;
+    case PROP_DISABLE_CLIPBOARD:
+        s->disable_clipboard = g_value_get_boolean(value);
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
         break;
@@ -1458,6 +1468,26 @@  static void spice_session_class_init(SpiceSessionClass *klass)
                            G_PARAM_READWRITE |
                            G_PARAM_STATIC_STRINGS));
 
+    /**
+     * SpiceSession:disable-clipboard:
+     *
+     * Whether to clipboard sharing was disabled on the command line.
+     *
+     * Since: 0.35
+     **/
+    /* This property is read-only, and set through a method so that
+     * applications using the library cannot override what the user set on the
+     * command line
+     */
+    g_object_class_install_property
+        (gobject_class, PROP_DISABLE_CLIPBOARD,
+         g_param_spec_boolean("disable-clipboard",
+                              "Disable clipboard sharing",
+                              "Clipboard sharing was disabled on the command line",
+                              FALSE,
+                              G_PARAM_READABLE |
+                              G_PARAM_STATIC_STRINGS));
+
     g_type_class_add_private(klass, sizeof(SpiceSessionPrivate));
 }
 
@@ -2761,6 +2791,11 @@  end:
     return priv->webdav;
 }
 
+void spice_session_set_disable_clipboard(SpiceSession *session, gboolean disabled)
+{
+    session->priv->disable_clipboard = !!disabled;
+}
+
 /**
  * spice_session_is_for_migration:
  * @session: a Spice session

Comments

Hi

On Thu, Jan 18, 2018 at 10:31 AM, Christophe Fergeau
<cfergeau@redhat.com> wrote:
> At least on X.org, malicious code could run the equivalent of "watch
> xsel -o --clipboard" in a VM, and would then be able to track all the
> clipboard content, even when the spice-gtk widget is not focused.
>
> At the moment, applications call spice_set_session_option(), and then
> set SpiceGtkSession::auto-clipboard to TRUE (or to its saved state).
> This commit adds a --spice-disable-clipboard option, and if it's set,
> SpiceGtkSession::auto-clipboard will not be changeable and will always
> be FALSE.
> The only side effect I noticed is that enabling "clipboard sharing" in
> GNOME Boxes VM preferences will appear to work, but will not enable
> clipboard, and will be reset to off next time the preferences dialog is
> open.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1320263

Looks reasonable to me. However, I thought we wanted a way to disable
clipboard by default.

Wouldn't it make sense to introduce some GSetting key(s) for that instead?

This way, the behaviour can be enforced globally without changing the
way applications are started.

> ---
>  man/spice-client.pod     |  4 ++++
>  src/spice-gtk-session.c  | 16 +++++++++++++++-
>  src/spice-option.c       |  6 ++++++
>  src/spice-session-priv.h |  1 +
>  src/spice-session.c      | 35 +++++++++++++++++++++++++++++++++++
>  5 files changed, 61 insertions(+), 1 deletion(-)
>
> diff --git a/man/spice-client.pod b/man/spice-client.pod
> index 7288b84e..76a7d207 100644
> --- a/man/spice-client.pod
> +++ b/man/spice-client.pod
> @@ -111,6 +111,10 @@ SPICE_DEBUG environment variable, or using G_MESSAGES_DEBUG=all
>
>  Disable audio support
>
> +=item --spice-disable-clipboard
> +
> +Disable clipboard sharing between client OS and guest OS
> +
>  =item --spice-disable-usbredir
>
>  Disable USB redirection support
> diff --git a/src/spice-gtk-session.c b/src/spice-gtk-session.c
> index 31f60dc4..c3546209 100644
> --- a/src/spice-gtk-session.c
> +++ b/src/spice-gtk-session.c
> @@ -309,6 +309,20 @@ static void spice_gtk_session_finalize(GObject *gobject)
>          G_OBJECT_CLASS(spice_gtk_session_parent_class)->finalize(gobject);
>  }
>
> +static void spice_gtk_session_set_auto_clipboard(SpiceGtkSession *self,
> +                                                 gboolean auto_clipboard)
> +{
> +    gboolean disable_clipboard;
> +    g_object_get(self->priv->session,
> +                 "disable-clipboard", &disable_clipboard,
> +                 NULL);
> +    if (disable_clipboard && auto_clipboard) {
> +        g_debug("not enabling clipboard sharing as it was disabled on the command-line");
> +        auto_clipboard = FALSE;
> +    }
> +    self->priv->auto_clipboard_enable = auto_clipboard;
> +}
> +
>  static void spice_gtk_session_get_property(GObject    *gobject,
>                                             guint       prop_id,
>                                             GValue     *value,
> @@ -352,7 +366,7 @@ static void spice_gtk_session_set_property(GObject      *gobject,
>          s->session = g_value_get_object(value);
>          break;
>      case PROP_AUTO_CLIPBOARD:
> -        s->auto_clipboard_enable = g_value_get_boolean(value);
> +        spice_gtk_session_set_auto_clipboard(self, g_value_get_boolean(value));
>          break;
>      case PROP_AUTO_USBREDIR: {
>          SpiceDesktopIntegration *desktop_int;
> diff --git a/src/spice-option.c b/src/spice-option.c
> index 6b400bca..0f2f795d 100644
> --- a/src/spice-option.c
> +++ b/src/spice-option.c
> @@ -21,6 +21,7 @@
>  #include <glib-object.h>
>  #include <glib/gi18n-lib.h>
>  #include "spice-session.h"
> +#include "spice-session-priv.h"
>  #include "spice-util.h"
>  #include "spice-channel-priv.h"
>  #include "usb-device-manager.h"
> @@ -35,6 +36,7 @@ static char *usbredir_auto_redirect_filter = NULL;
>  static char *usbredir_redirect_on_connect = NULL;
>  static gboolean smartcard = FALSE;
>  static gboolean disable_audio = FALSE;
> +static gboolean disable_clipboard = FALSE;
>  static gboolean disable_usbredir = FALSE;
>  static gint cache_size = 0;
>  static gint glz_window_size = 0;
> @@ -203,6 +205,8 @@ GOptionGroup* spice_get_option_group(void)
>            N_("Subject of the host certificate (field=value pairs separated by commas)"), N_("<host-subject>") },
>          { "spice-disable-audio", '\0', 0, G_OPTION_ARG_NONE, &disable_audio,
>            N_("Disable audio support"), NULL },
> +        { "spice-disable-clipboard", '\0', 0, G_OPTION_ARG_NONE, &disable_clipboard,
> +          N_("Disable client/guest clipboard sharing"), NULL },
>          { "spice-smartcard", '\0', 0, G_OPTION_ARG_NONE, &smartcard,
>            N_("Enable smartcard support"), NULL },
>          { "spice-smartcard-certificates", '\0', 0, G_OPTION_ARG_STRING, &smartcard_certificates,
> @@ -312,6 +316,8 @@ void spice_set_session_option(SpiceSession *session)
>          g_object_set(session, "enable-usbredir", FALSE, NULL);
>      if (disable_audio)
>          g_object_set(session, "enable-audio", FALSE, NULL);
> +    if (disable_clipboard)
> +        spice_session_set_disable_clipboard(session, TRUE);
>      if (cache_size)
>          g_object_set(session, "cache-size", cache_size, NULL);
>      if (glz_window_size)
> diff --git a/src/spice-session-priv.h b/src/spice-session-priv.h
> index 03005aac..459a04b8 100644
> --- a/src/spice-session-priv.h
> +++ b/src/spice-session-priv.h
> @@ -91,6 +91,7 @@ void spice_session_set_shared_dir(SpiceSession *session, const gchar *dir);
>  gboolean spice_session_get_audio_enabled(SpiceSession *session);
>  gboolean spice_session_get_smartcard_enabled(SpiceSession *session);
>  gboolean spice_session_get_usbredir_enabled(SpiceSession *session);
> +void spice_session_set_disable_clipboard(SpiceSession *session, gboolean disabled);
>
>  const guint8* spice_session_get_webdav_magic(SpiceSession *session);
>  PhodavServer *spice_session_get_webdav_server(SpiceSession *session);
> diff --git a/src/spice-session.c b/src/spice-session.c
> index 2aabf585..c22014dc 100644
> --- a/src/spice-session.c
> +++ b/src/spice-session.c
> @@ -64,6 +64,9 @@ struct _SpiceSessionPrivate {
>      /* whether to enable audio */
>      gboolean          audio;
>
> +    /* whether clipboard sharing was disabled through the command line */
> +    gboolean          disable_clipboard;
> +
>      /* whether to enable smartcard event forwarding to the server */
>      gboolean          smartcard;
>
> @@ -203,6 +206,7 @@ enum {
>      PROP_USERNAME,
>      PROP_UNIX_PATH,
>      PROP_PREF_COMPRESSION,
> +    PROP_DISABLE_CLIPBOARD,
>  };
>
>  /* signals */
> @@ -695,6 +699,9 @@ static void spice_session_get_property(GObject    *gobject,
>      case PROP_PREF_COMPRESSION:
>          g_value_set_enum(value, s->preferred_compression);
>          break;
> +    case PROP_DISABLE_CLIPBOARD:
> +        g_value_set_boolean(value, s->disable_clipboard);
> +        break;
>      default:
>         G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
>         break;
> @@ -834,6 +841,9 @@ static void spice_session_set_property(GObject      *gobject,
>      case PROP_PREF_COMPRESSION:
>          s->preferred_compression = g_value_get_enum(value);
>          break;
> +    case PROP_DISABLE_CLIPBOARD:
> +        s->disable_clipboard = g_value_get_boolean(value);
> +        break;
>      default:
>          G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
>          break;
> @@ -1458,6 +1468,26 @@ static void spice_session_class_init(SpiceSessionClass *klass)
>                             G_PARAM_READWRITE |
>                             G_PARAM_STATIC_STRINGS));
>
> +    /**
> +     * SpiceSession:disable-clipboard:
> +     *
> +     * Whether to clipboard sharing was disabled on the command line.
> +     *
> +     * Since: 0.35
> +     **/
> +    /* This property is read-only, and set through a method so that
> +     * applications using the library cannot override what the user set on the
> +     * command line
> +     */
> +    g_object_class_install_property
> +        (gobject_class, PROP_DISABLE_CLIPBOARD,
> +         g_param_spec_boolean("disable-clipboard",
> +                              "Disable clipboard sharing",
> +                              "Clipboard sharing was disabled on the command line",
> +                              FALSE,
> +                              G_PARAM_READABLE |
> +                              G_PARAM_STATIC_STRINGS));
> +
>      g_type_class_add_private(klass, sizeof(SpiceSessionPrivate));
>  }
>
> @@ -2761,6 +2791,11 @@ end:
>      return priv->webdav;
>  }
>
> +void spice_session_set_disable_clipboard(SpiceSession *session, gboolean disabled)
> +{
> +    session->priv->disable_clipboard = !!disabled;
> +}
> +
>  /**
>   * spice_session_is_for_migration:
>   * @session: a Spice session
> --
> 2.14.3
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
On Thu, Jan 18, 2018 at 12:06:34PM +0100, Marc-André Lureau wrote:
> Hi
> 
> On Thu, Jan 18, 2018 at 10:31 AM, Christophe Fergeau
> <cfergeau@redhat.com> wrote:
> > At least on X.org, malicious code could run the equivalent of "watch
> > xsel -o --clipboard" in a VM, and would then be able to track all the
> > clipboard content, even when the spice-gtk widget is not focused.
> >
> > At the moment, applications call spice_set_session_option(), and then
> > set SpiceGtkSession::auto-clipboard to TRUE (or to its saved state).
> > This commit adds a --spice-disable-clipboard option, and if it's set,
> > SpiceGtkSession::auto-clipboard will not be changeable and will always
> > be FALSE.
> > The only side effect I noticed is that enabling "clipboard sharing" in
> > GNOME Boxes VM preferences will appear to work, but will not enable
> > clipboard, and will be reset to off next time the preferences dialog is
> > open.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1320263
> 
> Looks reasonable to me. However, I thought we wanted a way to disable
> clipboard by default.
> 
> Wouldn't it make sense to introduce some GSetting key(s) for that instead?
> 
> This way, the behaviour can be enforced globally without changing the
> way applications are started.

I think you want both, you don't necessarily want c&p for all or none of
your VMs. I don't know if we can check if the admin locked down a
particular GSettings through the API? If the global value is locked down
to FALSE, then we should enforce it, otherwise we should accept
--spice-disable-clipboard.
So a GSettings patch would probably be a followup to that one.

Christophe
On Thu, Jan 18, 2018 at 12:13:45PM +0100, Christophe Fergeau wrote:
> On Thu, Jan 18, 2018 at 12:06:34PM +0100, Marc-André Lureau wrote:
> > Hi
> > 
> > On Thu, Jan 18, 2018 at 10:31 AM, Christophe Fergeau
> > <cfergeau@redhat.com> wrote:
> > > At least on X.org, malicious code could run the equivalent of "watch
> > > xsel -o --clipboard" in a VM, and would then be able to track all the
> > > clipboard content, even when the spice-gtk widget is not focused.
> > >
> > > At the moment, applications call spice_set_session_option(), and then
> > > set SpiceGtkSession::auto-clipboard to TRUE (or to its saved state).
> > > This commit adds a --spice-disable-clipboard option, and if it's set,
> > > SpiceGtkSession::auto-clipboard will not be changeable and will always
> > > be FALSE.
> > > The only side effect I noticed is that enabling "clipboard sharing" in
> > > GNOME Boxes VM preferences will appear to work, but will not enable
> > > clipboard, and will be reset to off next time the preferences dialog is
> > > open.
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1320263
> > 
> > Looks reasonable to me. However, I thought we wanted a way to disable
> > clipboard by default.
> > 
> > Wouldn't it make sense to introduce some GSetting key(s) for that instead?
> > 
> > This way, the behaviour can be enforced globally without changing the
> > way applications are started.
> 
> I think you want both, you don't necessarily want c&p for all or none of
> your VMs. I don't know if we can check if the admin locked down a
> particular GSettings through the API? If the global value is locked down
> to FALSE, then we should enforce it, otherwise we should accept
> --spice-disable-clipboard.
> So a GSettings patch would probably be a followup to that one.

Can we move forward with that command line addition? Or is adding a
GSettings key a prerequisite to getting this in?

Thanks,

Christophe
On Thu, Jan 18, 2018 at 10:31:26AM +0100, Christophe Fergeau wrote:
> At least on X.org, malicious code could run the equivalent of "watch
> xsel -o --clipboard" in a VM, and would then be able to track all the
> clipboard content, even when the spice-gtk widget is not focused.
> 
> At the moment, applications call spice_set_session_option(), and then
> set SpiceGtkSession::auto-clipboard to TRUE (or to its saved state).
> This commit adds a --spice-disable-clipboard option, and if it's set,
> SpiceGtkSession::auto-clipboard will not be changeable and will always
> be FALSE.
> The only side effect I noticed is that enabling "clipboard sharing" in
> GNOME Boxes VM preferences will appear to work, but will not enable
> clipboard, and will be reset to off next time the preferences dialog is
> open.

You mean running gnome-boxes --spice-disable-clipboard still
shows clipboard enabled? Any bug filed already? If yes, I think
we could add to the commit log.

> https://bugzilla.redhat.com/show_bug.cgi?id=1320263
> ---
>  man/spice-client.pod     |  4 ++++
>  src/spice-gtk-session.c  | 16 +++++++++++++++-
>  src/spice-option.c       |  6 ++++++
>  src/spice-session-priv.h |  1 +
>  src/spice-session.c      | 35 +++++++++++++++++++++++++++++++++++
>  5 files changed, 61 insertions(+), 1 deletion(-)
> 
> diff --git a/man/spice-client.pod b/man/spice-client.pod
> index 7288b84e..76a7d207 100644
> --- a/man/spice-client.pod
> +++ b/man/spice-client.pod
> @@ -111,6 +111,10 @@ SPICE_DEBUG environment variable, or using G_MESSAGES_DEBUG=all
>  
>  Disable audio support
>  
> +=item --spice-disable-clipboard
> +
> +Disable clipboard sharing between client OS and guest OS
> +
>  =item --spice-disable-usbredir
>  
>  Disable USB redirection support
> diff --git a/src/spice-gtk-session.c b/src/spice-gtk-session.c
> index 31f60dc4..c3546209 100644
> --- a/src/spice-gtk-session.c
> +++ b/src/spice-gtk-session.c
> @@ -309,6 +309,20 @@ static void spice_gtk_session_finalize(GObject *gobject)
>          G_OBJECT_CLASS(spice_gtk_session_parent_class)->finalize(gobject);
>  }
>  
> +static void spice_gtk_session_set_auto_clipboard(SpiceGtkSession *self,
> +                                                 gboolean auto_clipboard)
> +{
> +    gboolean disable_clipboard;
> +    g_object_get(self->priv->session,
> +                 "disable-clipboard", &disable_clipboard,
> +                 NULL);
> +    if (disable_clipboard && auto_clipboard) {
> +        g_debug("not enabling clipboard sharing as it was disabled on the command-line");
> +        auto_clipboard = FALSE;
> +    }
> +    self->priv->auto_clipboard_enable = auto_clipboard;
> +}
> +
>  static void spice_gtk_session_get_property(GObject    *gobject,
>                                             guint       prop_id,
>                                             GValue     *value,
> @@ -352,7 +366,7 @@ static void spice_gtk_session_set_property(GObject      *gobject,
>          s->session = g_value_get_object(value);
>          break;
>      case PROP_AUTO_CLIPBOARD:
> -        s->auto_clipboard_enable = g_value_get_boolean(value);
> +        spice_gtk_session_set_auto_clipboard(self, g_value_get_boolean(value));
>          break;
>      case PROP_AUTO_USBREDIR: {
>          SpiceDesktopIntegration *desktop_int;
> diff --git a/src/spice-option.c b/src/spice-option.c
> index 6b400bca..0f2f795d 100644
> --- a/src/spice-option.c
> +++ b/src/spice-option.c
> @@ -21,6 +21,7 @@
>  #include <glib-object.h>
>  #include <glib/gi18n-lib.h>
>  #include "spice-session.h"
> +#include "spice-session-priv.h"
>  #include "spice-util.h"
>  #include "spice-channel-priv.h"
>  #include "usb-device-manager.h"
> @@ -35,6 +36,7 @@ static char *usbredir_auto_redirect_filter = NULL;
>  static char *usbredir_redirect_on_connect = NULL;
>  static gboolean smartcard = FALSE;
>  static gboolean disable_audio = FALSE;
> +static gboolean disable_clipboard = FALSE;
>  static gboolean disable_usbredir = FALSE;
>  static gint cache_size = 0;
>  static gint glz_window_size = 0;
> @@ -203,6 +205,8 @@ GOptionGroup* spice_get_option_group(void)
>            N_("Subject of the host certificate (field=value pairs separated by commas)"), N_("<host-subject>") },
>          { "spice-disable-audio", '\0', 0, G_OPTION_ARG_NONE, &disable_audio,
>            N_("Disable audio support"), NULL },
> +        { "spice-disable-clipboard", '\0', 0, G_OPTION_ARG_NONE, &disable_clipboard,
> +          N_("Disable client/guest clipboard sharing"), NULL },
>          { "spice-smartcard", '\0', 0, G_OPTION_ARG_NONE, &smartcard,
>            N_("Enable smartcard support"), NULL },
>          { "spice-smartcard-certificates", '\0', 0, G_OPTION_ARG_STRING, &smartcard_certificates,
> @@ -312,6 +316,8 @@ void spice_set_session_option(SpiceSession *session)
>          g_object_set(session, "enable-usbredir", FALSE, NULL);
>      if (disable_audio)
>          g_object_set(session, "enable-audio", FALSE, NULL);
> +    if (disable_clipboard)
> +        spice_session_set_disable_clipboard(session, TRUE);
>      if (cache_size)
>          g_object_set(session, "cache-size", cache_size, NULL);
>      if (glz_window_size)
> diff --git a/src/spice-session-priv.h b/src/spice-session-priv.h
> index 03005aac..459a04b8 100644
> --- a/src/spice-session-priv.h
> +++ b/src/spice-session-priv.h
> @@ -91,6 +91,7 @@ void spice_session_set_shared_dir(SpiceSession *session, const gchar *dir);
>  gboolean spice_session_get_audio_enabled(SpiceSession *session);
>  gboolean spice_session_get_smartcard_enabled(SpiceSession *session);
>  gboolean spice_session_get_usbredir_enabled(SpiceSession *session);
> +void spice_session_set_disable_clipboard(SpiceSession *session, gboolean disabled);
>  
>  const guint8* spice_session_get_webdav_magic(SpiceSession *session);
>  PhodavServer *spice_session_get_webdav_server(SpiceSession *session);
> diff --git a/src/spice-session.c b/src/spice-session.c
> index 2aabf585..c22014dc 100644
> --- a/src/spice-session.c
> +++ b/src/spice-session.c
> @@ -64,6 +64,9 @@ struct _SpiceSessionPrivate {
>      /* whether to enable audio */
>      gboolean          audio;
>  
> +    /* whether clipboard sharing was disabled through the command line */
> +    gboolean          disable_clipboard;
> +
>      /* whether to enable smartcard event forwarding to the server */
>      gboolean          smartcard;
>  
> @@ -203,6 +206,7 @@ enum {
>      PROP_USERNAME,
>      PROP_UNIX_PATH,
>      PROP_PREF_COMPRESSION,
> +    PROP_DISABLE_CLIPBOARD,
>  };
>  
>  /* signals */
> @@ -695,6 +699,9 @@ static void spice_session_get_property(GObject    *gobject,
>      case PROP_PREF_COMPRESSION:
>          g_value_set_enum(value, s->preferred_compression);
>          break;
> +    case PROP_DISABLE_CLIPBOARD:
> +        g_value_set_boolean(value, s->disable_clipboard);
> +        break;
>      default:
>  	G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
>  	break;
> @@ -834,6 +841,9 @@ static void spice_session_set_property(GObject      *gobject,
>      case PROP_PREF_COMPRESSION:
>          s->preferred_compression = g_value_get_enum(value);
>          break;
> +    case PROP_DISABLE_CLIPBOARD:
> +        s->disable_clipboard = g_value_get_boolean(value);
> +        break;
>      default:
>          G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
>          break;
> @@ -1458,6 +1468,26 @@ static void spice_session_class_init(SpiceSessionClass *klass)
>                             G_PARAM_READWRITE |
>                             G_PARAM_STATIC_STRINGS));
>  
> +    /**
> +     * SpiceSession:disable-clipboard:
> +     *
> +     * Whether to clipboard sharing was disabled on the command line.
> +     *
> +     * Since: 0.35
> +     **/
> +    /* This property is read-only, and set through a method so that
> +     * applications using the library cannot override what the user set on the
> +     * command line
> +     */

I would make this part of the documentation too.

If the lack of GSettings is not deal breaker for others,
Acked-by: Victor Toso <victortoso@redhat.com>

> +    g_object_class_install_property
> +        (gobject_class, PROP_DISABLE_CLIPBOARD,
> +         g_param_spec_boolean("disable-clipboard",
> +                              "Disable clipboard sharing",
> +                              "Clipboard sharing was disabled on the command line",
> +                              FALSE,
> +                              G_PARAM_READABLE |
> +                              G_PARAM_STATIC_STRINGS));
> +
>      g_type_class_add_private(klass, sizeof(SpiceSessionPrivate));
>  }
>  
> @@ -2761,6 +2791,11 @@ end:
>      return priv->webdav;
>  }
>  
> +void spice_session_set_disable_clipboard(SpiceSession *session, gboolean disabled)
> +{
> +    session->priv->disable_clipboard = !!disabled;
> +}
> +
>  /**
>   * spice_session_is_for_migration:
>   * @session: a Spice session
> -- 
> 2.14.3
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
On Tue, Feb 20, 2018 at 12:48:48PM +0100, Victor Toso wrote:
> On Thu, Jan 18, 2018 at 10:31:26AM +0100, Christophe Fergeau wrote:
> > At least on X.org, malicious code could run the equivalent of "watch
> > xsel -o --clipboard" in a VM, and would then be able to track all the
> > clipboard content, even when the spice-gtk widget is not focused.
> > 
> > At the moment, applications call spice_set_session_option(), and then
> > set SpiceGtkSession::auto-clipboard to TRUE (or to its saved state).
> > This commit adds a --spice-disable-clipboard option, and if it's set,
> > SpiceGtkSession::auto-clipboard will not be changeable and will always
> > be FALSE.
> > The only side effect I noticed is that enabling "clipboard sharing" in
> > GNOME Boxes VM preferences will appear to work, but will not enable
> > clipboard, and will be reset to off next time the preferences dialog is
> > open.
> 
> You mean running gnome-boxes --spice-disable-clipboard still
> shows clipboard enabled? Any bug filed already? If yes, I think
> we could add to the commit log.

There's a "clipboard sharing enabled" GObject property on
some spice-gtk object. Boxes uses it to enable/disable clipboard
sharing.
Now if you use --spice-disable-clipboard, this property is always going
to be disabled even if Boxes tries to set it to TRUE. But Boxes is not
aware of that, so when clicks on the checkbox in the UI, it appears to
be toggled, but if you close the dialog and come back, then it will be
shown as disabled again.
I haven't filed yet a Boxes bug for that.

Christophe