USB Guard | Depend on it and configure rules #166
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| # We allow those that were plugged in before the daemon starts. Everything is blocked as the default. Following rules apply on top of this. | ||
|
|
||
| # Explicitly reject any interface that is not documented and/or defined by USB.org | ||
| # Note: Most probably superfluous | ||
| reject with-interface none-of { 01:*:* 02:*:* 03:*:* 04:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:*} | ||
|
There was a problem hiding this comment. According to https://usb.org/defined-class-codes, there is no base class of Also, you seem to be missing a space before the closing |
||
|
|
||
| ### Allow all mouses and keyboards, in a sense, so the user can conveniently change them without restrating the daemon. | ||
|
There was a problem hiding this comment. Typo fixes: |
||
| ### Take extra measures to ensure security | ||
|
|
||
| # Allow only one keyboard to be connected | ||
| allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 }) | ||
|
|
||
| # Allow only one mouse to be connected | ||
| allow with-interface one-of { 03:00:02 03:01:02 } if !allowed-matches(with-interface one-of { 03:00:02 03:01:02 }) | ||
|
There was a problem hiding this comment. According to the USB HID spec (https://usb.org/sites/default/files/hid1_11.pdf), there's a couple of invalid rules here -
bInterfaceProtocol is this last byte of the triplet, while bInterfaceSubClass is the byte in the middle. When the byte in the middle is Worthy of note, this rule will prohibit mice and keyboards that don't have boot interface support (I think my Logitech MX devices fall into this category), and it will probably prohibit HID devices other than mice and keyboards such as touchscreens. I don't know how common mice and keyboards without boot interface support are though. We should probably document how to disable this rule for people with problematic devices. |
||
|
|
||
| # Explicitly reject any device with a mouse/keyboard interface in combination with some other interface | ||
| # Mouses and keyboards should only have one interface for all legitimate use cases | ||
|
There was a problem hiding this comment. Technically, mouse and keyboard devices might legitimately have two or even three interfaces, in the case of a wireless mouse+keyboard combo with a single receiver. The Microsoft Sculpt desktop set probably falls into this category, it consists of a keyboard, mouse, and touchpad, all separate but all sharing one receiver. So this second line of the comment isn't really accurate from a factual standpoint. The second line of the comment also fails to reflect what the rules do. It prohibits mixing HID and other interfaces, it notably does not prohibit mixing multiple HID interfaces together. This is actually good IMO, but it's not what the comment says, so I think this second line should just be removed, or perhaps replaced with:
If this line is kept, |
||
| reject with-interface all-of { 03:*:* 02:*:* } | ||
| reject with-interface all-of { 03:*:* 04:*:* } | ||
|
There was a problem hiding this comment. Here again there is no base class of |
||
| reject with-interface all-of { 03:*:* 05:*:* } | ||
| reject with-interface all-of { 03:*:* 06:*:* } | ||
| reject with-interface all-of { 03:*:* 07:*:* } | ||
| reject with-interface all-of { 03:*:* 08:*:* } | ||
| reject with-interface all-of { 03:*:* 09:*:* } | ||
| reject with-interface all-of { 03:*:* 0a:*:* } | ||
| reject with-interface all-of { 03:*:* 0b:*:* } | ||
| reject with-interface all-of { 03:*:* 0d:*:* } | ||
| reject with-interface all-of { 03:*:* 0e:*:* } | ||
| reject with-interface all-of { 03:*:* 0f:*:* } | ||
| reject with-interface all-of { 03:*:* 10:*:* } | ||
| reject with-interface all-of { 03:*:* 11:*:* } | ||
| reject with-interface all-of { 03:*:* 12:*:* } | ||
| reject with-interface all-of { 03:*:* 13:*:* } | ||
| reject with-interface all-of { 03:*:* 14:*:* } | ||
| reject with-interface all-of { 03:*:* 3c:*:* } | ||
| reject with-interface all-of { 03:*:* dc:*:* } | ||
| reject with-interface all-of { 03:*:* e0:*:* } | ||
| reject with-interface all-of { 03:*:* ef:*:* } | ||
| reject with-interface all-of { 03:*:* fe:*:* } | ||
| reject with-interface all-of { 03:*:* ff:*:* } | ||
|
|
||
| # Allow USB mass storage | ||
| # If and only if the USB device only has the mass storage interface and nothing extra | ||
| # Suspicious interface combinations with mass storage are blocked | ||
| allow with-interface equals { 08:*:* } | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As mentioned previously, this needs to be removed from debian/control so that it can be shipped by a metapackage.