On Wed, 17 Jun 2015, Stefan Koch wrote: > This part adds the documentation for the interface authorization. > > Signed-off-by: Stefan Koch <skoch@xxxxxxx> > --- > Documentation/ABI/testing/sysfs-bus-usb | 23 +++++++++++++++++++++++ > Documentation/usb/authorization.txt | 22 ++++++++++++++++++++++ > 2 files changed, 45 insertions(+) > > diff --git a/Documentation/ABI/testing/sysfs-bus-usb b/Documentation/ABI/testing/sysfs-bus-usb > index e5cc763..2ebca4d 100644 > --- a/Documentation/ABI/testing/sysfs-bus-usb > +++ b/Documentation/ABI/testing/sysfs-bus-usb 
> @@ -1,3 +1,26 @@ > +What: /sys/bus/usb/devices/INTERFACE/authorized > +Date: June 2015 > +KernelVersion: 4.2 > +Description: > + This allows to enable or disable individual interfaces "authorize or de-authorize", not "enable or disable". > + instead a whole device in contrast to > + the device authorization. > + To avoid side effects the driver probing process > + for the interface and it's siblings is triggered > + after each authorization. Please remove this feature (unless other people on the mailing list really think it should be kept). Instead, point out that probing can be triggered by writing INTERFACE to /sys/bus/usb/drivers_probe, after all the authorization settings have been stored. > + The attribute allows a boolean value to > + allow (1) or deny (0) an interface. > + A denied interface cannot used for probing and claiming. "A de-authorized interface cannot be probed or claimed." > + > +What: /sys/bus/usb/devices/usbX/interface_authorized_default > +Date: June 2015 > +KernelVersion: 4.2 > +Description: > + This is used as default value that determines > + if interfaces would allowed per default. "This is used as the default value for /sys/bus/usb/devices/INTERFACE/authorized for interfaces in devices attached to the usbX bus." > + The attribute allows a boolean value to > + allow (1) or deny (0) interfaces per default. Delete this sentence. > + > What: /sys/bus/usb/device/.../authorized > Date: July 2008 > KernelVersion: 2.6.26 > diff --git a/Documentation/usb/authorization.txt b/Documentation/usb/authorization.txt > index c069b68..f274219 100644 > --- a/Documentation/usb/authorization.txt > +++ b/Documentation/usb/authorization.txt 
> @@ -3,6 +3,9 @@ Authorizing (or not) your USB devices to connect to the system > > (C) 2007 Inaky Perez-Gonzalez <inaky@xxxxxxxxxxxxxxx> Intel Corporation > > +Interface authorization part: > + (C) 2015 Stefan Koch <skoch@xxxxxxx> SUSE LLC > + > This feature allows you to control if a USB device can be used (or > not) in a system. This feature will allow you to implement a lock-down > of USB devices, fully controlled by user space. > @@ -90,3 +93,22 @@ etc, but you get the idea. Anybody with access to a device gadget kit > can fake descriptors and device info. Don't trust that. You are > welcome. > > + > +Interface authorization > +----------------------- > +There is a similar approach to allow or deny specific USB interfaces. > +That allows to block only a subset of an USB device. > + > +Authorize an interface: > +$ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized > + > +Deauthorize an interface: > +$ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized > + > +The default value for new interfaces can be changed, too. The default value for new interfaces on a particular USB bus can be changed, too. > + > +Allow interfaces per default: > +$ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default > + > +Deny interfaces per default: > +$ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default > Alan Stern
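Review bot: The Description for /sys/bus/usb/devices/INTERFACE/authorized in Documentation/ABI/testing/sysfs-bus-usb does not say what writing 0 does to an interface that already has a driver bound; "cannot used for probing and claiming" only covers later binds. Please state whether the bound driver is released on de-authorization, since a lock-down policy in user space depends on knowing that. In the same entry, "instead a whole device" is missing "of" and "it's siblings" should be "its siblings".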
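Review bot: In the new "Interface authorization" section of Documentation/usb/authorization.txt (hunk @@ -90,3 +93,22 @@) the placeholders INTERFACE and usbX appear in every command but are never explained. Add a sentence saying what each one stands for and give one concrete name for each, so the commands can be used without knowing the sysfs naming beforehand. "That allows to block only a subset of an USB device" would also read better as "This allows blocking only a subset of a USB device".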
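The sequence suggested in the reply above (store all the authorization settings first, then trigger probing by writing INTERFACE to /sys/bus/usb/drivers_probe), as an added shell example that is not part of the patch or of either author's message. The function name, the `SYSFS_USB` override and the allow-by-class policy are assumptions for illustration; the attributes are the ones named in the patch, plus the standard `bInterfaceClass` interface attribute.

```shell
#!/bin/sh
# Added example, not from the patch. SYSFS_USB and authorize_by_class are
# hypothetical names; pointing SYSFS_USB at a scratch tree allows a dry run.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb}"

# authorize_by_class BUS CLASS...
#   BUS    root hub name, e.g. usb1
#   CLASS  bInterfaceClass values (two hex digits) to allow, e.g. 03 for HID.
#          Include 09 if devices behind external hubs must stay reachable.
# Prints the interfaces that were authorized and probed.
authorize_by_class() {
    bus="$1"; shift
    busnum="${bus#usb}"
    allowed=""

    # Interfaces that show up later on this bus start out de-authorized.
    echo 0 > "$SYSFS_USB/devices/$bus/interface_authorized_default" || return 1

    # Pass 1: store every authorization decision before any probing.
    for ifdir in "$SYSFS_USB/devices/$busnum"-*:*; do
        [ -f "$ifdir/authorized" ] || continue
        iface="${ifdir##*/}"
        # Leave the root hub's own interface (BUSNUM-0:...) untouched.
        case "$iface" in "$busnum"-0:*) continue ;; esac
        class=$(cat "$ifdir/bInterfaceClass" 2>/dev/null) || class=""
        verdict=0
        for want in "$@"; do
            if [ "$class" = "$want" ]; then verdict=1; fi
        done
        echo "$verdict" > "$ifdir/authorized" || return 1
        if [ "$verdict" = 1 ]; then
            allowed="${allowed:+$allowed }$iface"
        fi
    done

    # Pass 2: only now ask the USB core to probe the authorized interfaces.
    for iface in $allowed; do
        echo "$iface" > "$SYSFS_USB/drivers_probe" || return 1
    done
    echo "$allowed"
}
```

Setting the per-bus default to 0 before walking the interfaces keeps a device that attaches during the walk from being probed with the old default.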