On Fri, 8 Aug 2014, Yves-Alexis Perez wrote:

> On ven., 2014-08-08 at 14:36 -0700, Greg KH wrote:
> > On Fri, Aug 08, 2014 at 11:27:06PM +0200, Yves-Alexis Perez wrote:
> > > On ven., 2014-08-08 at 14:20 -0700, Greg KH wrote:
> > > > > Actually, since it's a module parameter, it doesn't seem possible to
> > > > > toggle it without reloading the module (or rebooting if it's builtin).
> > > > > So it might not be that easy to do the locking part.
> > > >
> > > > echo "0" > /sys/module/usbcore/parameters/authorized_default
> > >
> > > I did that, but unplugging/replugging my mouse still works after that.
> >
> > Hm, not good, take it to the linux-usb@xxxxxxxxxxxxxxx mailing list and
> > we can debug it there.
> >
> Ok.
>
> So, linux-usb people, a bit of context. Following the BadUSB circus [1]
> there was a thread on oss-sec about that [2], where Greg mentioned the
> usbcore 'authorized_default' parameter.
>
> I thought it would be a good idea to toggle that parameter when locking
> my laptop, so I tried to echo to the above file, but it doesn't seem to
> prevent me plugging my mouse or a USB key.
>
> I'm running Debian sid, current running kernel is the Debian one:
>
> Linux scapa 3.14-2-amd64 #1 SMP Debian 3.14.13-2 (2014-07-24) x86_64
> GNU/Linux
>
> Ben Hutching uploaded 3.14.15-1 so I'll try it asap, but I can also
> build a 3.16 just to check.

The authorized_default module parameter affects USB buses when they are
discovered and registered; after that it has no effect.  Therefore to
accomplish what you want, you need to put "usbcore.authorized_default=0"
in the kernel's boot command line.

Alternatively, you can change the default authorization value for a
particular bus after it has been created, by writing to the
authorized_default sysfs file for the bus's root hub.  For example,

	echo 0 >/sys/bus/usb/devices/usb1/authorized_default

will set the default value for new devices on bus 1 to 0.

Alan Stern
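
The per-bus write described in the reply above, applied to every registered root hub at once, as an added example that is not part of the original message. The function names and the optional directory argument (which lets the functions be pointed at a test tree instead of sysfs) are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Function names and the optional directory argument are
# assumptions made here; the sysfs path is the one from the message above.

USB_DEVICES=/sys/bus/usb/devices

# set_usb_default_auth VALUE [DIR]
# Write VALUE (0 or 1) to authorized_default of every root hub (usbN) in DIR.
# Prints the number of buses changed; fails if none changed or a write failed.
# Devices that are already connected keep their current authorization.
set_usb_default_auth() {
    value=$1
    dir=${2:-$USB_DEVICES}
    case $value in
        0|1) ;;
        *) echo "usage: set_usb_default_auth 0|1 [dir]" >&2; return 2 ;;
    esac
    changed=0
    failed=0
    for f in "$dir"/usb*/authorized_default; do
        [ -e "$f" ] || continue          # glob matched nothing
        if printf '%s\n' "$value" > "$f"; then
            changed=$((changed + 1))
        else
            echo "cannot write $f (root required?)" >&2
            failed=$((failed + 1))
        fi
    done
    echo "$changed"
    [ "$failed" -eq 0 ] && [ "$changed" -gt 0 ]
}

# show_usb_default_auth [DIR]
# Print "usbN=VALUE" for each root hub so the change can be verified.
show_usb_default_auth() {
    dir=${1:-$USB_DEVICES}
    for f in "$dir"/usb*/authorized_default; do
        [ -r "$f" ] || continue
        bus=${f%/authorized_default}
        printf '%s=%s\n' "${bus##*/}" "$(cat "$f")"
    done
}
```

Run as root, `set_usb_default_auth 0` fits a screen-lock hook and `set_usb_default_auth 1` the matching unlock hook; `show_usb_default_auth` confirms the value on each bus.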