On Mon, Dec 14, 2020 at 06:18:24PM +0200, Adi Ml wrote:
> I guess that udev can block devices from userspace only, so from there.
>
> Of course, you are right - whitelist is better.
>
> As for usbguard, I thought about using seccomp and filtering system calls
> in my udev service based on their code - I have seen that they list a group
> of system calls and restrict the usage to them only.

That restriction is for the usbguard daemon, and has nothing to do with
what a USB device can or cannot do.

I recommend using that program for what you want to accomplish, as that
is exactly what it is designed to do.

good luck!

greg k-h
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel