qemu-devel.nongnu.org archive mirror
* Re: [Qemu-devel] [PATCH v3 RESEND] libxl: Spice vdagent support for upstream qemu
       [not found] <1372859669-5215-1-git-send-email-fantonifabio@tiscali.it>
@ 2013-07-23 13:42 ` Fabio Fantoni
  2013-08-14  9:19   ` Fabio Fantoni
  0 siblings, 1 reply; 4+ messages in thread
From: Fabio Fantoni @ 2013-07-23 13:42 UTC (permalink / raw)
  To: fantonifabio
  Cc: xen-devel, Ian.Campbell, Stefano.Stabellini, Ian.Jackson,
	qemu-devel, spice-devel

On 03/07/2013 15:54, fantonifabio@tiscali.it wrote:
> Usage: spicevdagent=1|0 (default=0)
> Enables spice vdagent. The Spice vdagent is an optional component for
> enhancing user experience and performing guest-oriented management
> tasks. Its features includes: client mouse mode (no need to grab mouse
> by client, no mouse lag), automatic adjustment of screen resolution,
> copy and paste (text and image) between client and domU. It also
> requires vdagent service installed on domU o.s. to work.
>
> Signed-off-by: Fabio Fantoni <fabio.fantoni@m2r.biz>
> ---
>   docs/man/xl.cfg.pod.5       |    9 +++++++++
>   tools/libxl/libxl_create.c  |    1 +
>   tools/libxl/libxl_dm.c      |    6 ++++++
>   tools/libxl/libxl_types.idl |    1 +
>   tools/libxl/xl_cmdimpl.c    |    2 ++
>   5 files changed, 19 insertions(+)
>
> diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
> index f8b4576..766862d 100644
> --- a/docs/man/xl.cfg.pod.5
> +++ b/docs/man/xl.cfg.pod.5
> @@ -1123,6 +1123,15 @@ Specify the ticket password which is used by a client for connection.
>   Whether SPICE agent is used for client mouse mode. The default is true
>   (turn on)
>   
> +=item B<spicevdagent=BOOLEAN>
> +
> +Enables spice vdagent. The Spice vdagent is an optional component for
> +enhancing user experience and performing guest-oriented management
> +tasks. Its features includes: client mouse mode (no need to grab mouse
> +by client, no mouse lag), automatic adjustment of screen resolution,
> +copy and paste (text and image) between client and domU. It also
> +requires vdagent service installed on domU o.s. to work. The default is 0.
> +
>   =back
>   
>   =head3 Miscellaneous Emulated Hardware
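
Review bot: the new spicevdagent entry lists the convenience features but not the trust change that is the open question in this thread: once the agent channel is enabled, copy and paste runs between the client and domU, so the guest can read what the client places on its clipboard. Please state that in this =item and say how clipboard sharing can be turned off. Two smaller points in the same paragraph: "Its features includes" should read "include", and "The default is 0" would match the neighbouring entry better as "The default is false".
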
> diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
> index cb9c822..8db5460 100644
> --- a/tools/libxl/libxl_create.c
> +++ b/tools/libxl/libxl_create.c
> @@ -288,6 +288,7 @@ int libxl__domain_build_info_setdefault(libxl__gc *gc,
>               libxl_defbool_setdefault(&b_info->u.hvm.spice.disable_ticketing,
>                                        false);
>               libxl_defbool_setdefault(&b_info->u.hvm.spice.agent_mouse, true);
> +            libxl_defbool_setdefault(&b_info->u.hvm.spice.vdagent, false);
>           }
>   
>           libxl_defbool_setdefault(&b_info->u.hvm.nographic, false);
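
Review bot: with the added setdefault line, agent_mouse defaults to true while vdagent defaults to false, yet the documentation added by this same patch lists client mouse mode as a vdagent feature. Please say, in a comment here or in xl.cfg, what agent_mouse=true means when vdagent is off, or derive one default from the other so the two cannot disagree silently.
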
> diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
> index d10a58f..bc605e4 100644
> --- a/tools/libxl/libxl_dm.c
> +++ b/tools/libxl/libxl_dm.c
> @@ -465,6 +465,12 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc,
>   
>               flexarray_append(dm_args, "-spice");
>               flexarray_append(dm_args, spiceoptions);
> +            if (libxl_defbool_val(b_info->u.hvm.spice.vdagent)) {
> +                flexarray_vappend(dm_args, "-device", "virtio-serial",
> +                    "-chardev", "spicevmc,id=vdagent,name=vdagent", "-device",
> +                    "virtserialport,chardev=vdagent,name=com.redhat.spice.0",
> +                    NULL);
> +            }
>           }
>   
>           switch (b_info->u.hvm.vga.kind) {
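
Review bot: the new if block opens the agent channel as soon as vdagent is true, and spiceoptions has already been appended just above it, so this patch gives a guest config no key for keeping the agent (mouse, resolution) while turning copy and paste off. Consider a companion defbool that adds disable-copy-paste to spiceoptions before flexarray_append(dm_args, spiceoptions). Also note that the flag is only consumed in libxl__build_device_model_args_new; if a domain uses any other device-model path, spicevdagent=1 is accepted and has no effect, which the man page entry should mention.
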
> diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
> index ecf1f0b..14425d1 100644
> --- a/tools/libxl/libxl_types.idl
> +++ b/tools/libxl/libxl_types.idl
> @@ -172,6 +172,7 @@ libxl_spice_info = Struct("spice_info", [
>       ("disable_ticketing", libxl_defbool),
>       ("passwd",      string),
>       ("agent_mouse", libxl_defbool),
> +    ("vdagent",     libxl_defbool),
>       ])
>   
>   libxl_sdl_info = Struct("sdl_info", [
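
Review bot: the added ("vdagent", libxl_defbool) line extends libxl_spice_info, a type that libxl callers build against, but the diffstat touches no header, so a toolstack has no compile-time way to tell whether spice.vdagent exists. Please add a LIBXL_HAVE_ style feature define to libxl.h together with the field.
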
> diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c
> index c1a969b..44a632c 100644
> --- a/tools/libxl/xl_cmdimpl.c
> +++ b/tools/libxl/xl_cmdimpl.c
> @@ -1491,6 +1491,8 @@ skip_vfb:
>                                   &b_info->u.hvm.spice.passwd, 0);
>           xlu_cfg_get_defbool(config, "spiceagent_mouse",
>                               &b_info->u.hvm.spice.agent_mouse, 0);
> +        xlu_cfg_get_defbool(config, "spicevdagent",
> +                            &b_info->u.hvm.spice.vdagent, 0);
>           xlu_cfg_get_defbool(config, "nographic", &b_info->u.hvm.nographic, 0);
>           xlu_cfg_get_defbool(config, "gfx_passthru",
>                               &b_info->u.hvm.gfx_passthru, 0);

I haven't seen any more replies about that patch.

The complete Ian question was:
> What are the security implications ?

I don't know the details about security implications but I think risks 
are minimal. vdagent is disabled by default, therefore you must enable 
it if you want to use it, and you need the spice client and vdagent must 
be installed on the domU os. Furthermore spice can be protected with 
password and/or ssl.

>
> In particular, does it mean that when the user has a spice client
> connected to a guest, the guest can spy on the user's clipboard all
> the time ?

I don't know. Do you think we should ask qemu or spice experts for 
details about the security implications? (added qemu-devel and spice-devel 
on cc)


* Re: [Qemu-devel] [PATCH v3 RESEND] libxl: Spice vdagent support for upstream qemu
  2013-07-23 13:42 ` [Qemu-devel] [PATCH v3 RESEND] libxl: Spice vdagent support for upstream qemu Fabio Fantoni
@ 2013-08-14  9:19   ` Fabio Fantoni
  2013-08-14  9:56     ` Alon Levy
  0 siblings, 1 reply; 4+ messages in thread
From: Fabio Fantoni @ 2013-08-14  9:19 UTC (permalink / raw)
  To: fantonifabio
  Cc: xen-devel, Ian.Campbell, Stefano.Stabellini, Ian.Jackson,
	qemu-devel, spice-devel

On 23/07/2013 15:42, Fabio Fantoni wrote:
> On 03/07/2013 15:54, fantonifabio@tiscali.it wrote:
>> Usage: spicevdagent=1|0 (default=0)
>> Enables spice vdagent. The Spice vdagent is an optional component for
>> enhancing user experience and performing guest-oriented management
>> tasks. Its features includes: client mouse mode (no need to grab mouse
>> by client, no mouse lag), automatic adjustment of screen resolution,
>> copy and paste (text and image) between client and domU. It also
>> requires vdagent service installed on domU o.s. to work.
>>
>> Signed-off-by: Fabio Fantoni <fabio.fantoni@m2r.biz>
>> ---
>>   docs/man/xl.cfg.pod.5       |    9 +++++++++
>>   tools/libxl/libxl_create.c  |    1 +
>>   tools/libxl/libxl_dm.c      |    6 ++++++
>>   tools/libxl/libxl_types.idl |    1 +
>>   tools/libxl/xl_cmdimpl.c    |    2 ++
>>   5 files changed, 19 insertions(+)
>>
>> diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
>> index f8b4576..766862d 100644
>> --- a/docs/man/xl.cfg.pod.5
>> +++ b/docs/man/xl.cfg.pod.5
>> @@ -1123,6 +1123,15 @@ Specify the ticket password which is used by a 
>> client for connection.
>>   Whether SPICE agent is used for client mouse mode. The default is true
>>   (turn on)
>>   +=item B<spicevdagent=BOOLEAN>
>> +
>> +Enables spice vdagent. The Spice vdagent is an optional component for
>> +enhancing user experience and performing guest-oriented management
>> +tasks. Its features includes: client mouse mode (no need to grab mouse
>> +by client, no mouse lag), automatic adjustment of screen resolution,
>> +copy and paste (text and image) between client and domU. It also
>> +requires vdagent service installed on domU o.s. to work. The default 
>> is 0.
>> +
>>   =back
>>     =head3 Miscellaneous Emulated Hardware
>> diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
>> index cb9c822..8db5460 100644
>> --- a/tools/libxl/libxl_create.c
>> +++ b/tools/libxl/libxl_create.c
>> @@ -288,6 +288,7 @@ int libxl__domain_build_info_setdefault(libxl__gc 
>> *gc,
>> libxl_defbool_setdefault(&b_info->u.hvm.spice.disable_ticketing,
>>                                        false);
>> libxl_defbool_setdefault(&b_info->u.hvm.spice.agent_mouse, true);
>> + libxl_defbool_setdefault(&b_info->u.hvm.spice.vdagent, false);
>>           }
>> libxl_defbool_setdefault(&b_info->u.hvm.nographic, false);
>> diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
>> index d10a58f..bc605e4 100644
>> --- a/tools/libxl/libxl_dm.c
>> +++ b/tools/libxl/libxl_dm.c
>> @@ -465,6 +465,12 @@ static char ** 
>> libxl__build_device_model_args_new(libxl__gc *gc,
>>                 flexarray_append(dm_args, "-spice");
>>               flexarray_append(dm_args, spiceoptions);
>> +            if (libxl_defbool_val(b_info->u.hvm.spice.vdagent)) {
>> +                flexarray_vappend(dm_args, "-device", "virtio-serial",
>> +                    "-chardev", "spicevmc,id=vdagent,name=vdagent", 
>> "-device",
>> + "virtserialport,chardev=vdagent,name=com.redhat.spice.0",
>> +                    NULL);
>> +            }
>>           }
>>             switch (b_info->u.hvm.vga.kind) {
>> diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
>> index ecf1f0b..14425d1 100644
>> --- a/tools/libxl/libxl_types.idl
>> +++ b/tools/libxl/libxl_types.idl
>> @@ -172,6 +172,7 @@ libxl_spice_info = Struct("spice_info", [
>>       ("disable_ticketing", libxl_defbool),
>>       ("passwd",      string),
>>       ("agent_mouse", libxl_defbool),
>> +    ("vdagent",     libxl_defbool),
>>       ])
>>     libxl_sdl_info = Struct("sdl_info", [
>> diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c
>> index c1a969b..44a632c 100644
>> --- a/tools/libxl/xl_cmdimpl.c
>> +++ b/tools/libxl/xl_cmdimpl.c
>> @@ -1491,6 +1491,8 @@ skip_vfb:
>> &b_info->u.hvm.spice.passwd, 0);
>>           xlu_cfg_get_defbool(config, "spiceagent_mouse",
>> &b_info->u.hvm.spice.agent_mouse, 0);
>> +        xlu_cfg_get_defbool(config, "spicevdagent",
>> + &b_info->u.hvm.spice.vdagent, 0);
>>           xlu_cfg_get_defbool(config, "nographic", 
>> &b_info->u.hvm.nographic, 0);
>>           xlu_cfg_get_defbool(config, "gfx_passthru",
>> &b_info->u.hvm.gfx_passthru, 0);
>
> I haven't seen any more replies about that patch.
>
> The complete Ian question was:
>> What are the security implications ?
>
> I don't know the details about security implications but I think risks 
> are minimal. vdagent is disabled by default, therefore you must enable 
> it if you want to use it, and you need the spice client and vdagent 
> must be installed on the domU os. Furthermore spice can be protected 
> with password and/or ssl.
>
>>
>> In particular, does it mean that when the user has a spice client
>> connected to a guest, the guest can spy on the user's clipboard all
>> the time ?
>
> I don't know, do you think we  should ask for details about security 
> implications to qemu or spice experts? (added qemu-devel and 
> spice-devel on cc)
Ping...


* Re: [Qemu-devel] [PATCH v3 RESEND] libxl: Spice vdagent support for upstream qemu
  2013-08-14  9:19   ` Fabio Fantoni
@ 2013-08-14  9:56     ` Alon Levy
  2013-08-14 10:13       ` [Qemu-devel] [Spice-devel] " Uri Lublin
  0 siblings, 1 reply; 4+ messages in thread
From: Alon Levy @ 2013-08-14  9:56 UTC (permalink / raw)
  To: Fabio Fantoni
  Cc: xen-devel, Ian Campbell, Stefano Stabellini, fantonifabio,
	Ian Jackson, qemu-devel, spice-devel

> On 23/07/2013 15:42, Fabio Fantoni wrote:
> > On 03/07/2013 15:54, fantonifabio@tiscali.it wrote:
> >> Usage: spicevdagent=1|0 (default=0)
> >> Enables spice vdagent. The Spice vdagent is an optional component for
> >> enhancing user experience and performing guest-oriented management
> >> tasks. Its features includes: client mouse mode (no need to grab mouse
> >> by client, no mouse lag), automatic adjustment of screen resolution,
> >> copy and paste (text and image) between client and domU. It also
> >> requires vdagent service installed on domU o.s. to work.
> >>
> >> Signed-off-by: Fabio Fantoni <fabio.fantoni@m2r.biz>
> >> ---
> >>   docs/man/xl.cfg.pod.5       |    9 +++++++++
> >>   tools/libxl/libxl_create.c  |    1 +
> >>   tools/libxl/libxl_dm.c      |    6 ++++++
> >>   tools/libxl/libxl_types.idl |    1 +
> >>   tools/libxl/xl_cmdimpl.c    |    2 ++
> >>   5 files changed, 19 insertions(+)
> >>
> >> diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
> >> index f8b4576..766862d 100644
> >> --- a/docs/man/xl.cfg.pod.5
> >> +++ b/docs/man/xl.cfg.pod.5
> >> @@ -1123,6 +1123,15 @@ Specify the ticket password which is used by a
> >> client for connection.
> >>   Whether SPICE agent is used for client mouse mode. The default is true
> >>   (turn on)
> >>   +=item B<spicevdagent=BOOLEAN>
> >> +
> >> +Enables spice vdagent. The Spice vdagent is an optional component for
> >> +enhancing user experience and performing guest-oriented management
> >> +tasks. Its features includes: client mouse mode (no need to grab mouse
> >> +by client, no mouse lag), automatic adjustment of screen resolution,
> >> +copy and paste (text and image) between client and domU. It also
> >> +requires vdagent service installed on domU o.s. to work. The default
> >> is 0.
> >> +
> >>   =back
> >>     =head3 Miscellaneous Emulated Hardware
> >> diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
> >> index cb9c822..8db5460 100644
> >> --- a/tools/libxl/libxl_create.c
> >> +++ b/tools/libxl/libxl_create.c
> >> @@ -288,6 +288,7 @@ int libxl__domain_build_info_setdefault(libxl__gc
> >> *gc,
> >> libxl_defbool_setdefault(&b_info->u.hvm.spice.disable_ticketing,
> >>                                        false);
> >> libxl_defbool_setdefault(&b_info->u.hvm.spice.agent_mouse, true);
> >> + libxl_defbool_setdefault(&b_info->u.hvm.spice.vdagent, false);
> >>           }
> >> libxl_defbool_setdefault(&b_info->u.hvm.nographic, false);
> >> diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
> >> index d10a58f..bc605e4 100644
> >> --- a/tools/libxl/libxl_dm.c
> >> +++ b/tools/libxl/libxl_dm.c
> >> @@ -465,6 +465,12 @@ static char **
> >> libxl__build_device_model_args_new(libxl__gc *gc,
> >>                 flexarray_append(dm_args, "-spice");
> >>               flexarray_append(dm_args, spiceoptions);
> >> +            if (libxl_defbool_val(b_info->u.hvm.spice.vdagent)) {
> >> +                flexarray_vappend(dm_args, "-device", "virtio-serial",
> >> +                    "-chardev", "spicevmc,id=vdagent,name=vdagent",
> >> "-device",
> >> + "virtserialport,chardev=vdagent,name=com.redhat.spice.0",
> >> +                    NULL);
> >> +            }
> >>           }
> >>             switch (b_info->u.hvm.vga.kind) {
> >> diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
> >> index ecf1f0b..14425d1 100644
> >> --- a/tools/libxl/libxl_types.idl
> >> +++ b/tools/libxl/libxl_types.idl
> >> @@ -172,6 +172,7 @@ libxl_spice_info = Struct("spice_info", [
> >>       ("disable_ticketing", libxl_defbool),
> >>       ("passwd",      string),
> >>       ("agent_mouse", libxl_defbool),
> >> +    ("vdagent",     libxl_defbool),
> >>       ])
> >>     libxl_sdl_info = Struct("sdl_info", [
> >> diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c
> >> index c1a969b..44a632c 100644
> >> --- a/tools/libxl/xl_cmdimpl.c
> >> +++ b/tools/libxl/xl_cmdimpl.c
> >> @@ -1491,6 +1491,8 @@ skip_vfb:
> >> &b_info->u.hvm.spice.passwd, 0);
> >>           xlu_cfg_get_defbool(config, "spiceagent_mouse",
> >> &b_info->u.hvm.spice.agent_mouse, 0);
> >> +        xlu_cfg_get_defbool(config, "spicevdagent",
> >> + &b_info->u.hvm.spice.vdagent, 0);
> >>           xlu_cfg_get_defbool(config, "nographic",
> >> &b_info->u.hvm.nographic, 0);
> >>           xlu_cfg_get_defbool(config, "gfx_passthru",
> >> &b_info->u.hvm.gfx_passthru, 0);
> >
> > I haven't seen any more replies about that patch.
> >
> > The complete Ian question was:
> >> What are the security implications ?
> >
> > I don't know the details about security implications but I think risks
> > are minimal. vdagent is disabled by default, therefore you must enable
> > it if you want to use it, and you need the spice client and vdagent
> > must be installed on the domU os. Furthermore spice can be protected
> > with password and/or ssl.
> >
> >>
> >> In particular, does it mean that when the user has a spice client
> >> connected to a guest, the guest can spy on the user's clipboard all
> >> the time ?
> >
> > I don't know, do you think we  should ask for details about security
> > implications to qemu or spice experts? (added qemu-devel and
> > spice-devel on cc)
> Ping...

Yes, the guest can see the user's clipboard, it could automatically copy anything the client makes available. There is no extra "have you authorized this copy into the guest" mechanism in the spice client (you are assuming a compromised guest and a non-compromised client afaict). There is an option in qemu to disable clipboard sharing.

> 
> 


* Re: [Qemu-devel] [Spice-devel] [PATCH v3 RESEND] libxl: Spice vdagent support for upstream qemu
  2013-08-14  9:56     ` Alon Levy
@ 2013-08-14 10:13       ` Uri Lublin
  0 siblings, 0 replies; 4+ messages in thread
From: Uri Lublin @ 2013-08-14 10:13 UTC (permalink / raw)
  To: Fabio Fantoni
  Cc: xen-devel, Ian Campbell, Stefano Stabellini, Ian Jackson,
	qemu-devel, Alon Levy, spice-devel

On 08/14/2013 12:56 PM, Alon Levy wrote:
>> On 23/07/2013 15:42, Fabio Fantoni wrote:
>>> On 03/07/2013 15:54, fantonifabio@tiscali.it wrote:
>>>> Usage: spicevdagent=1|0 (default=0)
>>>> Enables spice vdagent. The Spice vdagent is an optional component for
>>>> enhancing user experience and performing guest-oriented management
>>>> tasks. Its features includes: client mouse mode (no need to grab mouse
>>>> by client, no mouse lag), automatic adjustment of screen resolution,
>>>> copy and paste (text and image) between client and domU. It also
>>>> requires vdagent service installed on domU o.s. to work.
>>>>
>>>> Signed-off-by: Fabio Fantoni <fabio.fantoni@m2r.biz>
>>>> ---
>>>>    docs/man/xl.cfg.pod.5       |    9 +++++++++
>>>>    tools/libxl/libxl_create.c  |    1 +
>>>>    tools/libxl/libxl_dm.c      |    6 ++++++
>>>>    tools/libxl/libxl_types.idl |    1 +
>>>>    tools/libxl/xl_cmdimpl.c    |    2 ++
>>>>    5 files changed, 19 insertions(+)
>>>>
>>>> diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
>>>> index f8b4576..766862d 100644
>>>> --- a/docs/man/xl.cfg.pod.5
>>>> +++ b/docs/man/xl.cfg.pod.5
>>>> @@ -1123,6 +1123,15 @@ Specify the ticket password which is used by a
>>>> client for connection.
>>>>    Whether SPICE agent is used for client mouse mode. The default is true
>>>>    (turn on)
>>>>    +=item B<spicevdagent=BOOLEAN>
>>>> +
>>>> +Enables spice vdagent. The Spice vdagent is an optional component for
>>>> +enhancing user experience and performing guest-oriented management
>>>> +tasks. Its features includes: client mouse mode (no need to grab mouse
>>>> +by client, no mouse lag), automatic adjustment of screen resolution,
>>>> +copy and paste (text and image) between client and domU. It also
>>>> +requires vdagent service installed on domU o.s. to work. The default
>>>> is 0.
>>>> +
>>>>    =back
>>>>      =head3 Miscellaneous Emulated Hardware
>>>> diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
>>>> index cb9c822..8db5460 100644
>>>> --- a/tools/libxl/libxl_create.c
>>>> +++ b/tools/libxl/libxl_create.c
>>>> @@ -288,6 +288,7 @@ int libxl__domain_build_info_setdefault(libxl__gc
>>>> *gc,
>>>> libxl_defbool_setdefault(&b_info->u.hvm.spice.disable_ticketing,
>>>>                                         false);
>>>> libxl_defbool_setdefault(&b_info->u.hvm.spice.agent_mouse, true);
>>>> + libxl_defbool_setdefault(&b_info->u.hvm.spice.vdagent, false);
>>>>            }
>>>> libxl_defbool_setdefault(&b_info->u.hvm.nographic, false);
>>>> diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
>>>> index d10a58f..bc605e4 100644
>>>> --- a/tools/libxl/libxl_dm.c
>>>> +++ b/tools/libxl/libxl_dm.c
>>>> @@ -465,6 +465,12 @@ static char **
>>>> libxl__build_device_model_args_new(libxl__gc *gc,
>>>>                  flexarray_append(dm_args, "-spice");
>>>>                flexarray_append(dm_args, spiceoptions);
>>>> +            if (libxl_defbool_val(b_info->u.hvm.spice.vdagent)) {
>>>> +                flexarray_vappend(dm_args, "-device", "virtio-serial",
>>>> +                    "-chardev", "spicevmc,id=vdagent,name=vdagent",
>>>> "-device",
>>>> + "virtserialport,chardev=vdagent,name=com.redhat.spice.0",
>>>> +                    NULL);
>>>> +            }
>>>>            }
>>>>              switch (b_info->u.hvm.vga.kind) {
>>>> diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
>>>> index ecf1f0b..14425d1 100644
>>>> --- a/tools/libxl/libxl_types.idl
>>>> +++ b/tools/libxl/libxl_types.idl
>>>> @@ -172,6 +172,7 @@ libxl_spice_info = Struct("spice_info", [
>>>>        ("disable_ticketing", libxl_defbool),
>>>>        ("passwd",      string),
>>>>        ("agent_mouse", libxl_defbool),
>>>> +    ("vdagent",     libxl_defbool),
>>>>        ])
>>>>      libxl_sdl_info = Struct("sdl_info", [
>>>> diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c
>>>> index c1a969b..44a632c 100644
>>>> --- a/tools/libxl/xl_cmdimpl.c
>>>> +++ b/tools/libxl/xl_cmdimpl.c
>>>> @@ -1491,6 +1491,8 @@ skip_vfb:
>>>> &b_info->u.hvm.spice.passwd, 0);
>>>>            xlu_cfg_get_defbool(config, "spiceagent_mouse",
>>>> &b_info->u.hvm.spice.agent_mouse, 0);
>>>> +        xlu_cfg_get_defbool(config, "spicevdagent",
>>>> + &b_info->u.hvm.spice.vdagent, 0);
>>>>            xlu_cfg_get_defbool(config, "nographic",
>>>> &b_info->u.hvm.nographic, 0);
>>>>            xlu_cfg_get_defbool(config, "gfx_passthru",
>>>> &b_info->u.hvm.gfx_passthru, 0);
>>> I haven't seen any more replies about that patch.
>>>
>>> The complete Ian question was:
>>>> What are the security implications ?
>>> I don't know the details about security implications but I think risks
>>> are minimal. vdagent is disabled by default, therefore you must enable
>>> it if you want to use it, and you need the spice client and vdagent
>>> must be installed on the domU os. Furthermore spice can be protected
>>> with password and/or ssl.
>>>
>>>> In particular, does it mean that when the user has a spice client
>>>> connected to a guest, the guest can spy on the user's clipboard all
>>>> the time ?
>>> I don't know, do you think we  should ask for details about security
>>> implications to qemu or spice experts? (added qemu-devel and
>>> spice-devel on cc)
>> Ping...
> Yes, the guest can see the user's clipboard, it could automatically copy anything the client makes available. There is no extra "have you authorized this copy into the guest" mechanism in the spice client (you are assuming a compromised guest and a non-compromised client afaict). There is an option in qemu to disable clipboard sharing.

Clipboard sharing (copy/paste) can be disabled by adding 
"disable-copy-paste" to the "spice" option of the qemu command line.

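A configuration check for the setting described in the last reply, as an added example that is not part of the thread and is not libxl or QEMU code: it reads a QEMU argument list, detects the vdagent channel that the patch wires up (`spicevmc` chardev named `vdagent` attached to a `com.redhat.spice.0` port), and reports whether `disable-copy-paste` is present in `-spice`. The sample command lines and the `-spice` values in them are constructed for illustration.

```python
import shlex

TRUE_VALUES = {"on", "yes", "true", "y"}

def parse_opts(text):
    """Parse QEMU 'k=v,flag,k2=v2' options; a bare flag counts as 'on'.
    Assumes no ',,'-escaped commas, which these options do not need."""
    opts = {}
    for part in filter(None, text.split(",")):
        key, sep, val = part.partition("=")
        opts[key] = val if sep else "on"
    return opts

def audit_qemu_argv(argv):
    """Report whether a SPICE vdagent channel is wired up and whether
    clipboard sharing over it has been turned off."""
    spice = None
    spicevmc = {}      # chardev id -> spicevmc channel name
    agent_ports = []   # chardev ids used by com.redhat.spice.0 ports
    for flag, value in zip(argv, argv[1:]):
        if flag == "-spice":
            spice = parse_opts(value)
        elif flag == "-chardev":
            backend, _, rest = value.partition(",")
            if backend == "spicevmc":
                opts = parse_opts(rest)
                spicevmc[opts.get("id")] = opts.get("name")
        elif flag == "-device":
            driver, _, rest = value.partition(",")
            opts = parse_opts(rest)
            if (driver == "virtserialport"
                    and opts.get("name") == "com.redhat.spice.0"):
                agent_ports.append(opts.get("chardev"))
    vdagent = any(spicevmc.get(cid) == "vdagent" for cid in agent_ports)
    no_clip = (spice is not None
               and spice.get("disable-copy-paste", "off") in TRUE_VALUES)
    return {
        "spice": spice is not None,
        "vdagent_channel": vdagent,
        "copy_paste_disabled": no_clip,
        # True when a connected client's clipboard is reachable from the guest.
        "clipboard_shared": spice is not None and vdagent and not no_clip,
    }

# Constructed sample command lines. The vdagent arguments are the ones the
# patch appends; the -spice option values are made up for the example.
VDAGENT_ARGS = (
    "-device virtio-serial "
    "-chardev spicevmc,id=vdagent,name=vdagent "
    "-device virtserialport,chardev=vdagent,name=com.redhat.spice.0"
)
BASE = "qemu-system-i386 -spice port=5900,addr=127.0.0.1,disable-ticketing"
AS_PATCHED = BASE + " " + VDAGENT_ARGS
HARDENED = BASE + ",disable-copy-paste " + VDAGENT_ARGS
NO_AGENT = BASE

if __name__ == "__main__":
    for label, cmd in (("as patched", AS_PATCHED),
                       ("hardened", HARDENED),
                       ("no agent", NO_AGENT)):
        print(label, audit_qemu_argv(shlex.split(cmd)))
```
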