Provide SPICE isolation between guests by using unix sockets
authorSilvio Rhatto <rhatto@riseup.net>
Sat, 17 Nov 2018 15:14:20 +0000 (13:14 -0200)
committerSilvio Rhatto <rhatto@riseup.net>
Sat, 17 Nov 2018 15:14:20 +0000 (13:14 -0200)
kvmx

diff --git a/kvmx b/kvmx
index 8e00fc1ac6bee37f0fdbe9d75a225a7a33b9ac86..36b1150df8e06a00a8e747ec92c327488d2c4be9 100755 (executable)
--- a/kvmx
+++ b/kvmx
@@ -178,6 +178,7 @@ function __kvmx_initialize {
     SSHFILE="$STATE_DIR/ssh"
     DISPLAYFILE="$STATE_DIR/display"
     SPICEFILE="$STATE_DIR/spice"
+    SPICESOCKET="$STATE_DIR/spice.socket"
     XEPHYRFILE="$STATE_DIR/xephyr"
     LOGFILE="$LOG_DIR/qemu"
     SPICELOG="$LOG_DIR/spice"
@@ -245,7 +246,7 @@ function kvmx_spice {
 
   # Ensure we have the right port configuration: we can also be
   # running directly from command line.
-  PORT="`cat $PORTFILE`"
+  #PORT="`cat $PORTFILE`"
 
   if [ -z "$PORT" ]; then
     echo "$BASENAME: cannot get spice port for $VM"
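Review bot: With the `cat $PORTFILE` assignment commented out, the `[ -z "$PORT" ]` check right after it still runs and will fail with "cannot get spice port" whenever PORT is not already set in the environment — which is precisely the run-from-command-line case the preceding comment describes — even though the port is no longer used by any client. The check should guard the new precondition instead, e.g. `if [ ! -S "$SPICESOCKET" ]; then` followed by `echo "$BASENAME: cannot find spice socket for $VM"`. The rest of the error branch and the remainder of kvmx_spice lie outside this hunk.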
@@ -253,16 +254,19 @@ function kvmx_spice {
   fi
 
   if [ "$spice_client" == "spicy" ] && which spicy &> /dev/null; then
-    spicy -h localhost -p $PORT &
+    #spicy -h localhost -p $PORT &
+    spicy --uri=spice+unix://$SPICESOCKET &
   elif [ "$spice_client" == "virt-viewer" ] && which virt-viewer &> /dev/null; then
-    remote-viewer spice://localhost:$PORT &
+    #remote-viewer spice://localhost:$PORT &
+    remote-viewer spice+unix://$SPICESOCKET &
   #elif [ ! -z "$spice_client" ] && [ "$spice_client" != "spicec" ]; then
   elif [ ! -z "$spice_client" ]; then
     echo "$BASENAME: spice_client $spice_client not currently supported"
     exit 1
   else
     if which spicy &> /dev/null; then
-      spicy -h localhost -p $PORT &
+      #spicy -h localhost -p $PORT &
+      spicy --uri=spice+unix://$SPICESOCKET &
     fi
 
     #if which spicec &> /dev/null; then
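Review bot: `$SPICESOCKET` is expanded unquoted in all three new spicy/remote-viewer invocations, so a STATE_DIR containing whitespace or glob characters would split or expand the URI; write `spicy --uri="spice+unix://$SPICESOCKET" &` and `remote-viewer "spice+unix://$SPICESOCKET" &`. The old port-based invocations are kept as commented-out lines instead of being deleted; git history already preserves them, and the leftovers make the branch read as if both transports were still supported. kvmx_spice continues past the end of this hunk.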
@@ -467,8 +471,11 @@ function kvmx_up {
 
   net_opts="-net $net_opts"
 
+  # Always run spice using a socket to provide some GUI isolation between guest
+  # Otherwise any guest could open a spice connection to another guest using the host local IP (10.0.2.2) and the other guest spice port
   if [ -z "$spice" ] || [ "$spice" == "1" ]; then
-    spice_opts="-spice port=$PORT,addr=127.0.0.1,disable-ticketing,streaming-video=off,jpeg-wan-compression=never,playback-compression=off,zlib-glz-wan-compression=never,image-compression=off"
+    #spice_opts="-spice port=$PORT,addr=127.0.0.1,disable-ticketing,streaming-video=off,jpeg-wan-compression=never,playback-compression=off,zlib-glz-wan-compression=never,image-compression=off"
+    spice_opts="-spice unix,addr=$SPICESOCKET,disable-ticketing,streaming-video=off,jpeg-wan-compression=never,playback-compression=off,zlib-glz-wan-compression=never,image-compression=off"
     spice_opts="$spice_opts -device virtio-serial-pci"
     spice_opts="$spice_opts -device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0"
     spice_opts="$spice_opts -chardev spicevmc,id=spicechannel0,name=vdagent"
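Review bot: The isolation the new comment claims only goes as far as the socket's filesystem permissions: the listener still uses `disable-ticketing`, so any host user able to reach `$SPICESOCKET` gets an unauthenticated session, and the socket is created under whatever umask qemu inherits. Unless STATE_DIR is already created mode 0700 (not visible here), this option should be paired with a restrictive umask or an explicit chmod on the socket, and the comment should state that assumption. The comment itself has a typo and an overlong line; suggested wording: `# Always run spice on a unix socket for some GUI isolation between guests;` / `# with a TCP port any guest could reach another guest's spice port via the host IP (10.0.2.2).` How spice_opts is later passed to qemu is outside this hunk.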