On Sat, 9 Aug 2014, Yves-Alexis Perez wrote:

> On Fri., 2014-08-08 at 18:26 -0400, Alan Stern wrote:
> > I'm not sure what you mean. You can toggle these values at any time,
> > but toggling them may not accomplish anything useful. What do you want
> > to accomplish?
>
> The point would be to prevent new USB devices from being plugged in while a
> system is locked (or no one is logged in).
>
> Grsecurity has something like that using a custom sysctl, but Greg's
> comment on oss-sec made me think it might have already been possible
> in mainline.

Well, you can't prevent new devices from being plugged in -- not unless
you do something pretty drastic, like filling the USB ports with glue. :-)

But you _can_ prevent new devices from being authorized. You just do
what I said earlier: write

    echo 0 >/sys/bus/usb/devices/usbN/authorized_default

for each N corresponding to an existing USB bus.

> > Note that in addition to changing the default values, you can change
> > the actual authorization value for an existing device at any time by
> > writing to the device's "authorized" sysfs file.
>
> Yeah but that doesn't really work,

What do you mean? It really _does_ work. If you write

    echo 0 >/sys/bus/usb/devices/1-3/authorized

then device 3 on bus 1 really _will_ be deauthorized.

> because one would need to disable
> that at the bus level (for every bus), and that would also disable the
> currently plugged devices.

I don't understand this sentence. You used the word "that" twice
without a clear antecedent either time.

If you write "echo 0 >/sys/bus/usb/devices/usb1/authorized_default", it
will not deauthorize any currently plugged devices. All it will do is
change the default authorization value assigned to new devices when
they are plugged in.

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
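The two sysfs knobs Alan describes above (the per-bus authorized_default, which only affects devices plugged in later, and the per-device authorized file, which deauthorizes one already-connected device) can be driven from a small POSIX sh script. The script below is an added example for this thread, not code from Alan Stern or from the kernel tree. The function names, the SYSFS_ROOT variable and the make_fake_sysfs helper are my own: SYSFS_ROOT defaults to the real /sys, and the helper builds a constructed fake tree (two buses, one device "1-3" on bus 1) under a temp directory so the behaviour can be checked without root or real hardware.

```shell
#!/bin/sh
# Added example (not from the thread or the kernel): drive the USB
# authorization knobs discussed above. SYSFS_ROOT is an assumption of this
# script; it defaults to the real sysfs and can be pointed at a fake tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Write authorized_default=0 on every existing USB bus (usb1, usb2, ...).
# As Alan explains, this only changes the value assigned to devices that
# are plugged in afterwards; already-connected devices keep their own
# "authorized" value. Prints the number of buses that were changed.
lock_new_devices() {
    count=0
    for f in "$SYSFS_ROOT"/bus/usb/devices/usb*/authorized_default; do
        [ -e "$f" ] || continue          # glob did not match: no buses
        printf '0\n' > "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Undo lock_new_devices: newly plugged devices are authorized again.
unlock_new_devices() {
    for f in "$SYSFS_ROOT"/bus/usb/devices/usb*/authorized_default; do
        [ -e "$f" ] || continue
        printf '1\n' > "$f"
    done
}

# Deauthorize one specific, already-connected device by its sysfs name,
# e.g. "1-3" for device 3 on bus 1 (the thread's own example).
deauthorize_device() {
    dev="$1"
    f="$SYSFS_ROOT/bus/usb/devices/$dev/authorized"
    [ -w "$f" ] || { echo "no writable authorized file for $dev" >&2; return 1; }
    printf '0\n' > "$f"
}

# Read back a sysfs attribute of a bus or device, to verify what a write did.
# Usage: read_attr usb1 authorized_default ; read_attr 1-3 authorized
read_attr() {
    cat "$SYSFS_ROOT/bus/usb/devices/$1/$2"
}

# Build a constructed fake sysfs tree under $1 (assumption: not a real
# layout dump, just the attributes this script touches) so the functions
# can be exercised offline as an unprivileged user.
make_fake_sysfs() {
    root="$1"
    for b in usb1 usb2; do
        mkdir -p "$root/bus/usb/devices/$b"
        printf '1\n' > "$root/bus/usb/devices/$b/authorized_default"
        printf '1\n' > "$root/bus/usb/devices/$b/authorized"
    done
    mkdir -p "$root/bus/usb/devices/1-3"
    printf '1\n' > "$root/bus/usb/devices/1-3/authorized"
}

# Offline demonstration: run as "sh usb-auth.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    SYSFS_ROOT="$tmp"
    make_fake_sysfs "$tmp"
    echo "buses locked: $(lock_new_devices)"
    deauthorize_device 1-3
    echo "usb1 authorized_default: $(read_attr usb1 authorized_default)"
    echo "usb1 authorized (root hub, untouched): $(read_attr usb1 authorized)"
    echo "1-3 authorized: $(read_attr 1-3 authorized)"
    rm -rf "$tmp"
fi
```

Against the real /sys the writes need root, and a device plugged in while authorized_default is 0 stays unauthorized until someone writes 1 to its own authorized file; the script reports how many buses it touched so a session-lock hook can tell whether it actually found any.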