aboutsummaryrefslogtreecommitdiff
path: root/ui
AgeCommit message (Collapse)Author
2015-05-29spice: don't update mm_time when spice-server is stopped.Gerd Hoffmann
Skip mm_time updates (in qxl device memory) in case the guest is stopped. Guest isn't able to look anyway, and it causes problems with migration. Also make sure the initial state for spice server is stopped. Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-20vnc: Tweak error when init failsCole Robinson
Before: qemu-system-x86_64: -display vnc=unix:/root/foo.sock: Failed to start VNC server on `(null)': Failed to bind socket to /root/foo.sock: Permission denied After: qemu-system-x86_64: -display vnc=unix:/root/foo.sock: Failed to start VNC server: Failed to bind socket to /root/foo.sock: Permission denied Rather than tweak the string possibly show unix: value as well, just drop the explicit display reporting. We already get the cli string in the error message, that should be sufficient. Signed-off-by: Cole Robinson <crobinso@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-20vnc: Don't assert if opening unix socket failsCole Robinson
Reproducer: $ qemu-system-x86_64 -display vnc=unix:/root/i-cant-access-you.sock qemu-system-x86_64: iohandler.c:60: qemu_set_fd_handler2: Assertion `fd >= 0' failed. Aborted (core dumped) Signed-off-by: Cole Robinson <crobinso@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-20ui: remove check for failure of qemu_acl_init()Daniel P. Berrange
The qemu_acl_init() function has long since stopped being able to return NULL, since g_malloc will abort on OOM. As such the checks for NULL were unreachable code. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-20Strip brackets from vnc hostJán Tomko
Commit v2.2.0-1530-ge556032 vnc: switch to inet_listen_opts bypassed the use of inet_parse in inet_listen, making literal IPv6 addresses enclosed in brackets fail: qemu-kvm: -vnc [::1]:0: Failed to start VNC server on `(null)': address resolution failed for [::1]:5900: Name or service not known Strip the brackets to make it work again. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-19ui/cocoa: Add console items to the View menuProgrammingkid
Add any console that is available to the current emulator as a menu item under the View menu. Signed-off-by: John Arbuckle <programmingkidx@gmail.com> [PMM: Adjusted to apply after zoom-to-fit menu item was added; create the View menu at the same time as all the others, and only add the dynamically-determined items to it later] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-05-19ui/cocoa: Avoid deprecated NSOKButton/NSCancelButton constantsPeter Maydell
In OSX 10.10, the NSOKButton and NSCancelButton constants are deprecated and provoke compiler warnings. Avoid them by using the NSFileHandlingPanelCancelButton and NSFileHandlingPanelOKButton constants instead. These are the documented correct constants for the 10.6-and-up beginSheetModalForWindow API we use. We also use the same method for the pre-10.6 compatibility code path, but conveniently the constant values are the same and the constant names have been present since 10.0. Preferring the constant names that match the non-legacy API makes more sense anyway. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1431296361-16981-7-git-send-email-peter.maydell@linaro.org
2015-05-19ui/cocoa: Don't use NSWindow useOptimizedDrawing on OSX 10.10 and upPeter Maydell
Starting in OSX 10.10, NSWindow useOptimizedDrawing is deprecated, so don't use it there. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1431296361-16981-6-git-send-email-peter.maydell@linaro.org
2015-05-19ui/cocoa: Declare that QemuCocoaAppController implements NSApplicationDelegatePeter Maydell
Our class QemuCocoaAppController implements the NSApplicationDelegate interface, and we pass an object of this class to [NSApp setDelegate]. However, we weren't declaring in the class definition that we implemented this interface; in OSX 10.10 this provokes the following (slighly misleading) warning: ui/cocoa.m:1031:24: warning: sending 'QemuCocoaAppController *' to parameter of incompatible type 'id<NSFileManagerDelegate>' [NSApp setDelegate:appController]; ^~~~~~~~~~~~~ /System/Library/Frameworks/Foundation.framework/Headers/NSFileManager.h:109:47: note: passing argument to parameter 'delegate' here @property (assign) id <NSFileManagerDelegate> delegate NS_AVAILABLE(10_5, 2_0); ^ Annoyingly, this interface wasn't formally defined until OSX 10.6, so we have to surround the relevant part of the @interface line with an ifdef. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1431296361-16981-5-git-send-email-peter.maydell@linaro.org
2015-05-19ui/cocoa: openPanelDidEnd returnCode should be NSInteger, not intPeter Maydell
The type for openPanelDidEnd's returnCode argument should be NSInteger, not int. This only matters for the OSX 10.5 code path where we pass the method directly to an OSX function to call. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1431296361-16981-4-git-send-email-peter.maydell@linaro.org
2015-05-19ui/cocoa: Remove compatibility ifdefs for OSX 10.4Peter Maydell
Remove compatibility ifdefs that work around OSX 10.4 not providing various typedefs and functions. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1431296361-16981-3-git-send-email-peter.maydell@linaro.org
2015-05-19ui/cocoa: Drop tests for CGImageCreateWithImageInRect supportPeter Maydell
The code that tries to test at both compiletime and runtime for whether CGImageCreateWithImageInRect is supported provokes a compile warning on OSX 10.3: ui/cocoa.m:378:13: warning: comparison of function 'CGImageCreateWithImageInRect' equal to a null pointer is always false[-Wtautological-pointer-compare] if (CGImageCreateWithImageInRect == NULL) { // test if "CGImageCreateWithImageInRect" is supported on host at runtime ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~ The simplest way to deal with this is just to drop this code, since we don't in practice support OSX 10.4 anyway. (10.5 was released in 2007 and is the last PPC version, so is the earliest we really need to continue to support at all.) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1431296361-16981-2-git-send-email-peter.maydell@linaro.org
2015-05-19ui/cocoa: Make -full-screen option work on Mac OS XProgrammingkid
This patch makes the -full-screen option actually instruct QEMU to enter fullscreen at startup, on Mac OS X. Signed-off-by: John Arbuckle <programmingkidx@gmail.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-05-19ui/cocoa: Fix several full screen issues on Mac OS XProgrammingkid
This patch makes several changes: - Minimizes distorted full screen display by respecting aspect ratios. - Makes full screen mode available on Mac OS 10.7 and higher. - Allows user to decide if video should be stretched to fill the screen, using a menu item called "Zoom To Fit". - Hides the normalWindow so it won't show up in full screen mode. - Allows user to exit full screen mode. Signed-off-by: John Arbuckle <programmingkidx@gmail.com> [PMM: minor whitespace tweaks, remove incorrectly duplicated use of 'f' menu accelerator key] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-05-06gtk: update mouse position in mouse_set()Gerd Hoffmann
Without that the next mouse motion event uses the old position as base for relative move calculation, giving wrong results and making your mouse pointer jump around. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-06gtk: create gtk.hGerd Hoffmann
Move various gtk bits (includes, data structures) to a header file. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-06gtk: add ui_info supportGerd Hoffmann
Pass new display size to the guest after window resizes. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-06console: add dpy_ui_info_supportedGerd Hoffmann
Allow ui code to check whenever the emulated display supports display change notifications. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-06console: delayed ui_info guest notificationGerd Hoffmann
So we don't flood the guest with display change notifications while the user resizes the window. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-05sdl2: Fix RGB555Max Reitz
Reproducable with: $ x86_64-softmmu/qemu-system-x86_64 \ -kernel $vmlinuz_of_your_choice \ -append vga=0x313 -sdl Signed-off-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-05-05sdl2: add support for display rendering using opengl.Gerd Hoffmann
Add new sdl2-gl.c file, with display rendering functions using opengl. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
2015-05-05sdl2: move SDL_* includes to sdl2.hGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
2015-05-05console-gl: add opengl rendering helper functionsGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
2015-05-05opengl: add shader helper functions.Gerd Hoffmann
Helper functions to compile, link and run opengl shader programs. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-30input: remove unused mouse_handlers listEmilio G. Cota
Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-04-30hw/display : remove 'struct' from 'typedef QXL struct'Chih-Min Chao
Signed-off-by: Chih-Min Chao <cmchao@gmail.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-04-30ui/console : remove 'struct' from 'typedef struct' typeChih-Min Chao
Signed-off-by: Chih-Min Chao <cmchao@gmail.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-04-30ui/vnc : remove 'struct' of 'typedef struct'Chih-Min Chao
Signed-off-by: Chih-Min Chao <cmchao@gmail.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-04-30ui/vnc : fix coding styleChih-Min Chao
reported by checkpatch.pl Signed-off-by: Chih-Min Chao <cmchao@gmail.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-04-27Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150427-1' into ↵Peter Maydell
staging spice: misc fixes. # gpg: Signature made Mon Apr 27 12:03:16 2015 BST using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/spice/tags/pull-spice-20150427-1: spice: learn to hide cursor spice: set pointer position on hotspot spice: fix mouse cursor position spice: fix simple display on bigendian hosts monitor: Make client_migrate_info synchronous Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-04-27spice: learn to hide cursorMarc-André Lureau
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-27spice: set pointer position on hotspotMarc-André Lureau
The Spice protocol uses cursor position on hotspot: the client is applying hotspot offset when drawing the cursor. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-27spice: fix mouse cursor positionMarc-André Lureau
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-27spice: fix simple display on bigendian hostsGerd Hoffmann
Denis Kirjanov is busy getting spice run on ppc64 and trapped into this one. Spice wire format is little endian, so we have to explicitly say we want little endian when letting pixman convert the data for us. Reported-by: Denis Kirjanov <kirjanov@gmail.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-27monitor: Make client_migrate_info synchronousMarkus Armbruster
Live migration with spice works like this today: (1) client_migrate_info monitor cmd (2) spice server notifies client, client connects to target host. (3) qemu waits until spice client connect is finished. (4) send over vmstate (i.e. main part of live migration). (5) spice handover to target host. (3) is implemented by making client_migrate_info a async monitor command. This is the only async monitor command we have. The original reason to implement this dance was that qemu did not accept new tcp connections while the incoming migration was running, so (2) and (4) could not be done in parallel. That issue was fixed long ago though. Qemu version 1.3.0 (released Dec 2012) and newer happily accept tcp connects while the incoming migration runs. Time to drop step (3). This patch does exactly that, by making the monitor command synchronous and removing the code needed to handle the async monitor command in ui/spice-core.c Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-27gtk: Avoid accel key leakage into guest on console switchJan Kiszka
GTK2 sends the accel key to the guest when switching to the graphic console via that shortcut. Resolve this by ignoring any keys until the next key-release event. However, do not ignore keys when switching via the menu or when on GTK3. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-27gtk: Fix VTE focus grabbingJan Kiszka
At least on GTK2, the VTE terminal has to be specified as target of gtk_widget_grab_focus. Otherwise, switching from one VTE terminal to another causes the focus to get lost. CC: John Snow <jsnow@redhat.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> [ kraxel: fixed build with CONFIG_VTE=n ] Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-22console/gtk: add qemu_console_get_labelGerd Hoffmann
Add a new function to get a nice label for a given QemuConsole. Drop the labeling code in gtk.c and use the new function instead. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-22gtk: bind to text terminal consoles tooGerd Hoffmann
This way gtk has text terminal consoles even when building without vte. Most notably you'll get a monitor tab on windows now. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-22gtk: handle switch_surface(NULL) properlyGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-01CVE-2015-1779: limit size of HTTP headers from websockets clientsDaniel P. Berrange
The VNC server websockets decoder will read and buffer data from websockets clients until it sees the end of the HTTP headers, as indicated by \r\n\r\n. In theory this allows a malicious to trick QEMU into consuming an arbitrary amount of RAM. In practice, because QEMU runs g_strstr_len() across the buffered header data, it will spend increasingly long burning CPU time searching for the substring match and less & less time reading data. So while this does cause arbitrary memory growth, the bigger problem is that QEMU will be burning 100% of available CPU time. A novnc websockets client typically sends headers of around 512 bytes in length. As such it is reasonable to place a 4096 byte limit on the amount of data buffered while searching for the end of HTTP headers. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-04-01CVE-2015-1779: incrementally decode websocket framesDaniel P. Berrange
The logic for decoding websocket frames wants to fully decode the frame header and payload, before allowing the VNC server to see any of the payload data. There is no size limit on websocket payloads, so this allows a malicious network client to consume 2^64 bytes in memory in QEMU. It can trigger this denial of service before the VNC server even performs any authentication. The fix is to decode the header, and then incrementally decode the payload data as it is needed. With this fix the websocket decoder will allow at most 4k of data to be buffered before decoding and processing payload. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> [ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ] @@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input, - *payload_size = input->offset; + *payload_size = *payload_remain; [ kraxel: fix 32bit build ] @@ -306,7 +306,7 @@ struct VncState - uint64_t ws_payload_remain; + size_t ws_payload_remain; Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-26gtk: do not call gtk_widget_get_window if drawing area is not initializedHervé Poussineau
This prevents gtk_widget_get_window to return a NULL pointer. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18ui: ensure VNC websockets server checks the ACL if requestedDaniel P. Berrange
If the x509verify option is requested, the VNC websockets server was failing to validate that the websockets client provided an x509 certificate matching the ACL rules. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18ui: remove separate gnutls_session for websockets serverDaniel P. Berrange
The previous change to the auth scheme handling guarantees we can never have nested TLS sessions in the VNC websockets server. Thus we can remove the separate gnutls_session instance. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18ui: enforce TLS when using websockets serverDaniel P. Berrange
When TLS is required, the primary VNC server considers it to be mandatory. ie the server admin decides whether or not TLS is used, and the client has to comply with this decision. The websockets server, however, treated it as optional, allowing non-TLS clients to connect to a server which had setup TLS. Thus enabling websockets lowers the security of the VNC server leaving the admin no way to enforce use of TLS. This removes the code that allows non-TLS fallback in the websockets server, so that if TLS is requested for VNC it is now mandatory for both the primary VNC server and the websockets VNC server. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18ui: fix setup of VNC websockets auth scheme with TLSDaniel P. Berrange
The way the websockets TLS code was integrated into the VNC server made it essentially useless. The only time that the websockets TLS support could be used is if the primary VNC server had its existing TLS support disabled. ie QEMU had to be launched with: # qemu -vnc localhost:1,websockets=5902,x509=/path/to/certs Note the absence of the 'tls' flag. This is already a bug, because the docs indicate that 'x509' is ignored unless 'tls' is given. If the primary VNC server had TLS turned on via the 'tls' flag, then this prevented the websockets TLS support from being used, because it activates the VeNCrypt auth which would have resulted in TLS being run over a TLS session. Of course no websockets VNC client supported VeNCrypt so in practice, since the browser clients cannot setup a nested TLS session over the main HTTPS connection, so it would not even get past auth. This patch causes us to decide our auth scheme separately for the main VNC server vs the websockets VNC server. We take account of the fact that if TLS is enabled, then the websockets client will use https, so setting up VeNCrypt is thus redundant as it would lead to nested TLS sessions. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18ui: split setup of VNC auth scheme into separate methodDaniel P. Berrange
The vnc_display_open method is quite long and complex, so move the VNC auth scheme decision logic into a separate method for clarity. Also update the comment to better describe what we are trying to achieve. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18ui: report error if user requests VNC option that is unsupportedDaniel P. Berrange
If the VNC server is built without tls, sasl or websocket support and the user requests one of these features, they are just silently ignored. This is bad because it means the VNC server ends up running in a configuration that is less secure than the user asked for. It also leads to an tangled mass of preprocessor conditionals when configuring the VNC server. This ensures that the tls, sasl & websocket options are always processed and an error is reported back to the user if any of them were disabled at build time. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2015-03-18ui: replace printf() calls with VNC_DEBUGDaniel P. Berrange
Handling of VNC audio messages results in printfs to the console. This is of no use to anyone in production, so should be using the normal VNC_DEBUG macro instead. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>