On ven., 2014-08-08 at 18:50 -0400, Alan Stern wrote:
> On Sat, 9 Aug 2014, Yves-Alexis Perez wrote:
>
> > On ven., 2014-08-08 at 18:26 -0400, Alan Stern wrote:
> > > I'm not sure what you mean. You can toggle these values at any time,
> > > but toggling them may not accomplish anything useful. What do you want
> > > to accomplish?
> >
> > The point would be to prevent new USB devices from being plugged in while a
> > system is locked (or no one is logged in).
> >
> > Grsecurity has something like that using a custom sysctl, but Greg's
> > comment on oss-sec made me think it might have already been possible
> > in mainline.
>
> Well, you can't prevent new devices from being plugged in -- not unless
> you do something pretty drastic, like filling the USB ports with glue.
> :-)

Yeah, that's not really what I intended :)

> But you _can_ prevent new devices from being authorized. You just
> do what I said earlier: write
>
> echo 0 >/sys/bus/usb/devices/usbN/authorized_default
>
> for each N corresponding to an existing USB bus.

Ok, I was confused and used usbN/authorized instead of authorized_default,
sorry for the noise.

> > > Note that in addition to changing the default values, you can change
> > > the actual authorization value for an existing device at any time by
> > > writing to the device's "authorized" sysfs file.
> >
> > Yeah but that doesn't really work,
>
> What do you mean? It really _does_ work. If you write
>
> echo 0 >/sys/bus/usb/devices/1-3/authorized
>
> then device 3 on bus 1 really _will_ be deauthorized.

Indeed, that works.

> If you write "echo 0 >/sys/bus/usb/devices/usb1/authorized_default", it
> will not deauthorize any currently plugged devices. All it will do is
> change the default authorization value assigned to new devices when
> they are plugged in.

Ok, it does seem to work. Two things, though.

- before doing anything, I have:

grep . /sys/bus/usb/devices/*/authorized_default
/sys/bus/usb/devices/usb1/authorized_default:1
/sys/bus/usb/devices/usb2/authorized_default:1

shouldn't it be -1?

- after putting 0 there, unplugging my USB mouse and re-plugging it, the
mouse doesn't work, but it still gets enumerated:

Aug 9 09:06:24 scapa kernel: [33176.030104] usb 1-1.5.1: new low-speed USB device number 12 using ehci-pci
Aug 9 09:06:24 scapa kernel: [33176.143702] usb 1-1.5.1: New USB device found, idVendor=046d, idProduct=c00c
Aug 9 09:06:24 scapa kernel: [33176.143709] usb 1-1.5.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Aug 9 09:06:24 scapa kernel: [33176.143713] usb 1-1.5.1: Product: USB Optical Mouse
Aug 9 09:06:24 scapa kernel: [33176.143716] usb 1-1.5.1: Manufacturer: Logitech

but it's not handled by the input driver as usual:

Aug 9 09:06:50 scapa kernel: [33202.016667] input: Logitech USB Optical Mouse as /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.5/1-1.5.1/1-1.5.1:1.0/0003:046D:C00C.0004/input/input17
Aug 9 09:06:50 scapa kernel: [33202.016975] hid-generic 0003:046D:C00C.0004: input,hidraw0: USB HID v1.10 Mouse [Logitech USB Optical Mouse] on usb-0000:00:1a.0-1.5.1/input0

Anyway, thanks for the tip, and again sorry for the noise.

Regards,
--
Yves-Alexis
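The two sysfs knobs the thread settles on (per-bus authorized_default for devices plugged in from now on, per-device authorized for devices already present) wrapped into small POSIX shell helpers, as an added example that is not code from the thread or from the kernel. USB_SYSFS_ROOT, the function names and the fake directory tree built by make_fake_usb_tree are assumptions of this example so it can be tried without root and without touching real hardware; on a real system the writes go to /sys/bus/usb/devices and need root.

```shell
#!/bin/sh
# Added example, not code from the thread: POSIX shell helpers around the
# sysfs files discussed above. USB_SYSFS_ROOT is an assumption of this
# example so the helpers can be pointed at a constructed directory tree
# instead of the real /sys/bus/usb/devices (writing there needs root).
: "${USB_SYSFS_ROOT:=/sys/bus/usb/devices}"

# Write VALUE (0 or 1) to authorized_default on every root hub (usb1, usb2,
# ...). With 0, devices plugged in afterwards are still enumerated (idVendor,
# idProduct and strings are read, as the log above shows) but no driver binds
# to them; devices already connected are untouched. Prints the number of
# buses changed and fails if no bus was found at all.
usb_set_authorized_default() {
    value="$1"; root="${2:-$USB_SYSFS_ROOT}"; count=0
    for f in "$root"/usb*/authorized_default; do
        [ -f "$f" ] || continue
        echo "$value" > "$f" || return 1
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || return 1
    echo "$count"
}
usb_deny_new_devices()  { usb_set_authorized_default 0 "$1"; }
usb_allow_new_devices() { usb_set_authorized_default 1 "$1"; }

# Print the current "authorized" value of one device, named the way the
# kernel names it, e.g. 1-3 for device 3 on bus 1. Fails if there is no
# such device.
usb_device_authorized() {
    f="${2:-$USB_SYSFS_ROOT}/$1/authorized"
    [ -f "$f" ] || return 1
    cat "$f"
}

# Write 0 or 1 to one device's "authorized" file: with authorized_default at
# 0 this is how a device you have looked at (idVendor/idProduct first) is
# let through, and 0 cuts off a device that is already connected.
usb_set_device_authorized() {
    f="${3:-$USB_SYSFS_ROOT}/$1/authorized"
    [ -f "$f" ] || return 1
    echo "$2" > "$f"
}

# One line per device that has an "authorized" file:
# "<name> <idVendor>:<idProduct> authorized=<0|1>" ("----" when an id is absent).
usb_authorization_report() {
    root="${1:-$USB_SYSFS_ROOT}"
    for d in "$root"/*/; do
        d="${d%/}"
        [ -f "$d/authorized" ] || continue
        vid=$(cat "$d/idVendor" 2>/dev/null || echo '----')
        pid=$(cat "$d/idProduct" 2>/dev/null || echo '----')
        printf '%s %s:%s authorized=%s\n' "${d##*/}" "$vid" "$pid" "$(cat "$d/authorized")"
    done
}

# Constructed stand-in for /sys/bus/usb/devices: two root hubs and one
# device carrying the ids of the Logitech mouse from the log above. Prints
# the directory it created.
make_fake_usb_tree() {
    root=$(mktemp -d) || return 1
    for bus in usb1 usb2; do
        mkdir -p "$root/$bus"
        echo 1 > "$root/$bus/authorized_default"
        echo 1 > "$root/$bus/authorized"
        echo 1d6b > "$root/$bus/idVendor"     # constructed root hub ids
        echo 0002 > "$root/$bus/idProduct"
    done
    mkdir -p "$root/1-3"
    echo 1 > "$root/1-3/authorized"
    echo 046d > "$root/1-3/idVendor"          # constructed, from the mouse above
    echo c00c > "$root/1-3/idProduct"
    echo "$root"
}

# Stand-alone demo on the fake tree: run as "sh usb_auth.sh demo".
if [ "${1:-}" = "demo" ]; then
    demo_root=$(make_fake_usb_tree)
    usb_deny_new_devices "$demo_root" >/dev/null
    usb_authorization_report "$demo_root"
    rm -rf "$demo_root"
fi
```

Sourced on a real machine, `usb_deny_new_devices` as root does exactly what Alan's `echo 0 >/sys/bus/usb/devices/usbN/authorized_default` loop does, `usb_authorization_report` shows which enumerated devices are currently blocked, and `usb_set_device_authorized 1-3 1` lets one of them through without changing the per-bus default. The report only reads idVendor/idProduct and never authorizes anything on its own, so it is safe to run while the default is 0.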