Re: Udev rules on reboot


 



On Sun, Dec 20, 2020, 21:37 Adi Ml <maladi1747@xxxxxxxxx> wrote:
> Yes. That's exactly what I mean (what Mantas said) - ATTR{authorized}="0". I would like to have a USB whitelist via udev and want it to be enforced on devices which were connected pre-boot too.
>
> authorized_default=0 - it seems the same as ATTR{authorized}="0", isn't it?

Not quite – I guess there is a very small window of time between connection and udev processing where the device is still authorized, before udev removes the authorization.

So having authorized_default=0, and then setting all allowed devices to authorized=1 (allow only approved devices, block the rest) is probably slightly safer technically.

(Actually maybe you should just use USBGuard instead of writing custom rules?)

This is what I used to have a long time ago:

ACTION!="add", GOTO="deauthorize_end"
SUBSYSTEM!="usb", GOTO="deauthorize_end"

TEST=="authorized_default", ATTR{authorized_default}="0", GOTO="deauthorize_end"

ENV{ID_VENDOR}=="Yubico", ENV{ID_MODEL}=="Yubikey_NEO*", ATTR{authorized}="1", GOTO="deauthorize_end"

ENV{ID_VENDOR}=="Zubico", ENV{ID_MODEL}=="Zubikey_GEO*", ATTR{authorized}="1", GOTO="deauthorize_end"

LABEL="deauthorize_end"

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
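
An added example, not part of the original message: a shell audit that checks whether a default-deny policy like the one discussed above actually holds, including for a device that was already authorized before the rules ran. The allowlist format (one idVendor:idProduct per line), the function names and the sample tree are assumptions constructed for this example.

```shell
#!/bin/sh
# usb_audit SYSFS_ROOT ALLOWLIST: print policy gaps, return 1 if any were found.
# ALLOWLIST holds one "idVendor:idProduct" per line (format assumed for this example).
usb_audit() {
    root=$1; allow=$2; rc=0
    for dev in "$root"/bus/usb/devices/*; do
        name=${dev##*/}
        # Root hubs (usbN) carry authorized_default, the policy for new devices.
        if [ -r "$dev/authorized_default" ]; then
            if [ "$(cat "$dev/authorized_default")" != "0" ]; then
                echo "OPEN-DEFAULT $name"; rc=1
            fi
            continue
        fi
        # Skip interfaces (e.g. 1-1:1.0) and anything without device IDs.
        [ -r "$dev/idVendor" ] && [ -r "$dev/authorized" ] || continue
        id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        if [ "$(cat "$dev/authorized")" = "1" ] && ! grep -qxF "$id" "$allow"; then
            echo "UNLISTED-AUTHORIZED $name $id"; rc=1
        fi
    done
    return "$rc"
}

# Build a constructed sample tree (not real hardware) and print its path.
make_sample() {
    d=$(mktemp -d)
    put() { mkdir -p "$d/bus/usb/devices/$1"; printf '%s\n' "$3" > "$d/bus/usb/devices/$1/$2"; }
    put usb1 authorized_default 0     # controller already locked down
    put usb2 authorized_default 1     # controller still authorizing by default
    put 1-1 idVendor 1234; put 1-1 idProduct abcd; put 1-1 authorized 1  # allowed
    put 1-2 idVendor aaaa; put 1-2 idProduct bbbb; put 1-2 authorized 1  # not listed
    put 1-3 idVendor cccc; put 1-3 idProduct dddd; put 1-3 authorized 0  # blocked
    put 1-1:1.0 authorized 1          # interface node, no idVendor
    printf '1234:abcd\n' > "$d/allow"
    echo "$d"
}

sample=$(make_sample)
usb_audit "$sample" "$sample/allow" || echo "policy gaps found"
rm -rf "$sample"
```

On a live system, pass /sys as SYSFS_ROOT; running it once after boot shows any device or controller the rules did not reach.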
