diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 1ccf7a3bd71e3251b8c9a321bd11be100839ff41..1478832433381ff6f2852b4711566203931b64cc 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -2929,6 +2929,13 @@ qemu-kvm -net nic,model=? /dev/null Since 0.9.3 NB, this may not be supported by all hypervisors. "spice" since 0.8.6. + The defaultMode attribute sets the default channel + security policy, valid values are secure, + insecure and the default any + (which is secure if possible, but falls back to insecure + rather than erroring out if no secure path is + available). "defaultMode" since + 0.9.12.

When SPICE has both a normal and TLS secured TCP port diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 77f2f6a80aabe99da2266280dc8609587d9164cb..84369c7db41ee5f665109b026ebfb69f933e3f01 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -1774,6 +1774,15 @@ + + + + any + secure + insecure + + + diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 10b023eb7a12d2ca1c322b78f5efdd57e3f54163..a60ef5a63e17d4f260598cc0508f100e954fbc3b 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -6071,6 +6071,8 @@ virDomainGraphicsDefParseXML(xmlNodePtr node, char *port = virXMLPropString(node, "port"); char *tlsPort; char *autoport; + char *defaultMode; + int defaultModeVal; if (port) { if (virStrToLong_i(port, NULL, 10, &def->data.spice.port) < 0) { @@ -6103,6 +6105,20 @@ virDomainGraphicsDefParseXML(xmlNodePtr node, VIR_FREE(autoport); } + def->data.spice.defaultMode = VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY; + + if ((defaultMode = virXMLPropString(node, "defaultMode")) != NULL) { + if ((defaultModeVal = virDomainGraphicsSpiceChannelModeTypeFromString(defaultMode)) < 0) { + virDomainReportError(VIR_ERR_INTERNAL_ERROR, + _("unknown default spice channel mode %s"), + defaultMode); + VIR_FREE(defaultMode); + goto error; + } + def->data.spice.defaultMode = defaultModeVal; + VIR_FREE(defaultMode); + } + if (def->data.spice.port == -1 && def->data.spice.tlsPort == -1) { /* Legacy compat syntax, used -1 for auto-port */ def->data.spice.autoport = 1; @@ -12124,6 +12140,10 @@ virDomainGraphicsDefFormat(virBufferPtr buf, virBufferEscapeString(buf, " keymap='%s'", def->data.spice.keymap); + if (def->data.spice.defaultMode != VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY) + virBufferAsprintf(buf, " defaultMode='%s'", + virDomainGraphicsSpiceChannelModeTypeToString(def->data.spice.defaultMode)); + virDomainGraphicsAuthDefFormatAttr(buf, &def->data.spice.auth, flags); break; 
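Review bot: In the virDomainGraphicsDefParseXML hunk that reads `defaultMode`, an unrecognised value from the domain XML is reported with `VIR_ERR_INTERNAL_ERROR`, which labels a user configuration mistake as a libvirt fault. Because this attribute decides whether SPICE channels may run in plaintext, a rejected value should be easy to tell apart from a real internal failure in logs. `VIR_ERR_XML_ERROR` (or `VIR_ERR_CONFIG_UNSUPPORTED`) with the value quoted, e.g. `_("unknown default spice channel mode '%s'")`, would fit better. If the per-channel mode parsing, which is outside this hunk, uses the internal-error code too, it may be worth changing both together. The function body starts and ends outside the hunk.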
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 6581feaa43a7fcf9f9634a439e1702bcd27013f9..00178e1ffa4df0389e3e5a75bec19b361e7b1043 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1233,6 +1233,7 @@ struct _virDomainGraphicsDef { virDomainGraphicsAuthDef auth; unsigned int autoport :1; int channels[VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_LAST]; + int defaultMode; /* enum virDomainGraphicsSpiceChannelMode */ int image; int jpeg; int zlib; diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 070d13ecec41dfa1f0ec85fd8daa4fd122f9f0e3..117542f47ebe19ac65e5dcf47e32d1daef5a7efc 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -5463,6 +5463,7 @@ qemuBuildCommandLine(virConnectPtr conn, const char *listenAddr = NULL; char *netAddr = NULL; int ret; + int defaultMode = def->graphics[0]->data.spice.defaultMode; if (!qemuCapsGet(qemuCaps, QEMU_CAPS_SPICE)) { qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", @@ -5546,6 +5547,18 @@ qemuBuildCommandLine(virConnectPtr conn, virBufferAsprintf(&opt, ",x509-dir=%s", driver->spiceTLSx509certdir); + switch (defaultMode) { + case VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_SECURE: + virBufferAsprintf(&opt, ",tls-channel=default"); + break; + case VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_INSECURE: + virBufferAsprintf(&opt, ",plaintext-channel=default"); + break; + case VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY: + /* nothing */ + break; + } + for (i = 0 ; i < VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_LAST ; i++) { int mode = def->graphics[0]->data.spice.channels[i]; switch (mode) { diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args index c9fdb99276bded38eb4ea43b3052ee9e1a96aeaf..698e39c4cef4e21e3095e015c3a61ffa1f83eef0 100644 --- a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args +++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args 
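Review bot: The new `switch (defaultMode)` in qemuBuildCommandLine appends `,tls-channel=default` for `secure`, and this hunk shows no check that SPICE TLS is enabled on the host or that a TLS port was set for the guest. If no such guard exists in the part of the function outside the hunk, a domain asking for `defaultMode='secure'` reaches QEMU with a policy it may be unable to honour, and the outcome is then decided by QEMU rather than by a clear libvirt error; rejecting the configuration up front with `VIR_ERR_CONFIG_UNSUPPORTED` would make the security intent enforceable. The same concern applies to QEMU binaries that do not understand the `default` channel name, since no capability is tested here. Smaller points: the switch has no `default:` label although `defaultMode` is a plain `int`, and the two constant options could use `virBufferAddLit(&opt, ",tls-channel=default")` rather than `virBufferAsprintf`. The test data changed in this commit exercises only the `secure` case, so `insecure` and the omitted-attribute output are unverified.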
@@ -2,7 +2,7 @@ LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=spice \
 /usr/bin/qemu -S -M pc -m 214 -smp 1 -nodefaults -monitor \
 unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -hda \
 /dev/HostVG/QEMUGuest1 -usb -spice port=5903,tls-port=5904,addr=127.0.0.1,\
-x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=inputs,\
+x509-dir=/etc/pki/libvirt-spice,tls-channel=default,tls-channel=main,plaintext-channel=inputs,\
 image-compression=auto_glz,jpeg-wan-compression=auto,zlib-glz-wan-compression=auto,\
 playback-compression=on,streaming-video=filter,disable-copy-paste -vga \
 qxl -global qxl.vram_size=18874368 -device qxl,id=video1,vram_size=33554432,bus=pci.0,addr=0x4 \
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml
index 8930b6088153aa0fc58a99b843d2cd135619f920..a3789f25634691ae0680e00a18ff820df593b78f 100644
--- a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml
@@ -22,7 +22,7 @@ - +