* How to use Udev to restrict USB access only to particular set of USB sticks?
@ 2011-02-21  9:01 Vilius Benetis
  2011-02-21  9:05 ` How to use Udev to restrict USB access only to particular set of Andrey Borzenkov
                   ` (16 more replies)
  0 siblings, 17 replies; 18+ messages in thread
From: Vilius Benetis @ 2011-02-21  9:01 UTC (permalink / raw)
  To: linux-hotplug

Hi Udev team,

The task I have: to restrict linux machine to be able to accept only a
set of particular usb keys (uniquely identified by brand and serial
numbers).

Google gave references that Udev might be helpful.

We tried to play with udev, but failed to achieve the goal.

Any ideas if this is possible, if not - maybe you know what tools to
use (non-commercial, or even commercial).

Thanks!

-- 
/Vilius

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
@ 2011-02-21  9:05 ` Andrey Borzenkov
  2011-02-21  9:27 ` Vilius Benetis
                   ` (15 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Andrey Borzenkov @ 2011-02-21  9:05 UTC (permalink / raw)
  To: linux-hotplug

On Mon, Feb 21, 2011 at 12:01 PM, Vilius Benetis
<vilius.benetis@gmail.com> wrote:
> Hi Udev team,
>
> The task I have: to restrict linux machine to be able to accept only a
> set of particular usb keys (uniquely identified by brand and serial
> numbers).
>
> Google gave references that Udev might be helpful.
>
> We tried to play with udev, but failed to achieve the goal.
>
> Any ideas if this is possible, if not - maybe you know what tools to
> use (non-commercial, or even commercial).
>

Please define "restrict". It could also be implemented on user level
by not allowing mounting e.g..

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
  2011-02-21  9:05 ` How to use Udev to restrict USB access only to particular set of Andrey Borzenkov
@ 2011-02-21  9:27 ` Vilius Benetis
  2011-02-21 15:57 ` How to use Udev to restrict USB access only to particular set Greg KH
                   ` (14 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Vilius Benetis @ 2011-02-21  9:27 UTC (permalink / raw)
  To: linux-hotplug

Hi,

restrict - means that Linux users (non-root, to simplify the task)
could be able to access only a particular predefined set of USB
devices.

Devices:
  Approved USB A (configured in the system), SN: XXX
  Not approved USB B (not defined anywhere): SN: YYY

Scenario A:
   USB A is plugged to the system, USB is allowed to be mounted
(automatically, or manually) for the users.

Scenario B:
   USB B is plugged to the system, USB is not allowed to be mounted
(automatically, or manually) for the users.

Any ideas how to achieve this?

I looked at DLP solutions, but there is little Linux support. Another
possible scope of tools - OS hardening tools, if udev would not be
able to handle it.

Vilius

On Mon, Feb 21, 2011 at 11:05 AM, Andrey Borzenkov <arvidjaar@gmail.com> wrote:
> On Mon, Feb 21, 2011 at 12:01 PM, Vilius Benetis
> <vilius.benetis@gmail.com> wrote:
>> Hi Udev team,
>>
>> The task I have: to restrict linux machine to be able to accept only a
>> set of particular usb keys (uniquely identified by brand and serial
>> numbers).
>>
>> Google gave references that Udev might be helpful.
>>
>> We tried to play with udev, but failed to achieve the goal.
>>
>> Any ideas if this is possible, if not - maybe you know what tools to
>> use (non-commercial, or even commercial).
>>
>
> Please define "restrict". It could also be implemented on user level
> by not allowing mounting e.g..
>



-- 
/Vilius

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
  2011-02-21  9:05 ` How to use Udev to restrict USB access only to particular set of Andrey Borzenkov
  2011-02-21  9:27 ` Vilius Benetis
@ 2011-02-21 15:57 ` Greg KH
  2011-02-22 13:46 ` How to use Udev to restrict USB access only to particular set of Vilius Benetis
                   ` (13 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Greg KH @ 2011-02-21 15:57 UTC (permalink / raw)
  To: linux-hotplug


A: No.
Q: Should I include quotations after my reply?

http://daringfireball.net/2007/07/on_top


On Mon, Feb 21, 2011 at 11:27:14AM +0200, Vilius Benetis wrote:
> Hi,
> 
> restrict - means that Linux users (non-root, to simplify the task)
> could be able to access only a particular predefined set of USB
> devices.
> 
> Devices:
>   Approved USB A (configured in the system), SN: XXX
>   Not approved USB B (not defined anywhere): SN: YYY
> 
> Scenario A:
>    USB A is plugged to the system, USB is allowed to be mounted
> (automatically, or manually) for the users.
> 
> Scenario B:
>    USB B is plugged to the system, USB is not allowed to be mounted
> (automatically, or manually) for the users.
> 
> Any ideas how to achieve this?

Yes, add a udev rule to not "enable" any usb device that is a mass
storage device that does not fall in your list of "valid" devices.
There is a single sysfs file to write to which would prevent any access
to that device, use that.

Hope this helps,

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (2 preceding siblings ...)
  2011-02-21 15:57 ` How to use Udev to restrict USB access only to particular set Greg KH
@ 2011-02-22 13:46 ` Vilius Benetis
  2011-02-22 13:54 ` How to use Udev to restrict USB access only to particular set Greg KH
                   ` (12 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Vilius Benetis @ 2011-02-22 13:46 UTC (permalink / raw)
  To: linux-hotplug

On Mon, Feb 21, 2011 at 5:57 PM, Greg KH <greg@kroah.com> wrote:
> Yes, add a udev rule to not "enable" any usb device that is a mass
> storage device that does not fall in your list of "valid" devices.
> There is a single sysfs file to write to which would prevent any access
> to that device, use that.

Greg,

by any chance you could draft the command structure, as I think we
tried this, but probably it did not work for some reason?

Thanks for the assistance,
Vilius

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (3 preceding siblings ...)
  2011-02-22 13:46 ` How to use Udev to restrict USB access only to particular set of Vilius Benetis
@ 2011-02-22 13:54 ` Greg KH
  2011-02-22 14:01 ` How to use Udev to restrict USB access only to particular set of Vilius Benetis
                   ` (11 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Greg KH @ 2011-02-22 13:54 UTC (permalink / raw)
  To: linux-hotplug

On Tue, Feb 22, 2011 at 03:46:06PM +0200, Vilius Benetis wrote:
> On Mon, Feb 21, 2011 at 5:57 PM, Greg KH <greg@kroah.com> wrote:
> > Yes, add a udev rule to not "enable" any usb device that is a mass
> > storage device that does not fall in your list of "valid" devices.
> > There is a single sysfs file to write to which would prevent any access
> > to that device, use that.
> 
> Greg,
> 
> by any chance you could draft the command structure, as I think we
> tried this, but probably it did not work for some reason?

Can you post what you tried and the errors you got from that?
You should also look at the archives for this list, as this topic comes
up every 6 months or so, and has been solved numerous times in the past.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (4 preceding siblings ...)
  2011-02-22 13:54 ` How to use Udev to restrict USB access only to particular set Greg KH
@ 2011-02-22 14:01 ` Vilius Benetis
  2011-02-22 14:28 ` Vilius Benetis
                   ` (10 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Vilius Benetis @ 2011-02-22 14:01 UTC (permalink / raw)
  To: linux-hotplug

On Tue, Feb 22, 2011 at 3:54 PM, Greg KH <greg@kroah.com> wrote:
> Can you post what you tried and the errors you got from that?
> You should also look at the archives for this list, as this topic comes
> up every 6 months or so, and has been solved numerous times in the past.

ok, to save the ether, I will search the archives. I looked at them
initially - before posting my question, but could not spot the
mentioned discussions.

There are no errors, just functionality does not work, as we think it should.

Greetings,
vilius

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (5 preceding siblings ...)
  2011-02-22 14:01 ` How to use Udev to restrict USB access only to particular set of Vilius Benetis
@ 2011-02-22 14:28 ` Vilius Benetis
  2011-02-22 14:38 ` How to use Udev to restrict USB access only to particular set Greg KH
                   ` (9 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Vilius Benetis @ 2011-02-22 14:28 UTC (permalink / raw)
  To: linux-hotplug

[greg]
> Yes, add a udev rule to not "enable" any usb device that is a mass
> storage device that does not fall in your list of "valid" devices.
> There is a single sysfs file to write to which would prevent any access
> to that device, use that.

Greg I searched the documentation and the archives again, and failed
to find how exactly you set a rule
"to not "enable" any usb device that is a mass storage device that
does not fall in your list of "valid" devices."

Could you please clarify this for me?

Thank you,
-- 
/Vilius

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (6 preceding siblings ...)
  2011-02-22 14:28 ` Vilius Benetis
@ 2011-02-22 14:38 ` Greg KH
  2011-02-24 13:52 ` How to use Udev to restrict USB access only to particular set of Vilius Benetis
                   ` (8 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Greg KH @ 2011-02-22 14:38 UTC (permalink / raw)
  To: linux-hotplug

On Tue, Feb 22, 2011 at 04:01:25PM +0200, Vilius Benetis wrote:
> On Tue, Feb 22, 2011 at 3:54 PM, Greg KH <greg@kroah.com> wrote:
> > Can you post what you tried and the errors you got from that?
> > You should also look at the archives for this list, as this topic comes
> > up every 6 months or so, and has been solved numerous times in the past.
> 
> ok, to save the ether, I will search the archives. I looked at them
> initially - before posting my question, but could not spot the
> mentioned discussions.
> 
> There are no errors, just functionality does not work, as we think it should.

Ok, what is the udev rule that you tried and did not work?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (7 preceding siblings ...)
  2011-02-22 14:38 ` How to use Udev to restrict USB access only to particular set Greg KH
@ 2011-02-24 13:52 ` Vilius Benetis
  2011-02-24 15:46 ` Greg KH
                   ` (7 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Vilius Benetis @ 2011-02-24 13:52 UTC (permalink / raw)
  To: linux-hotplug

On Tue, Feb 22, 2011 at 4:38 PM, Greg KH <greg@kroah.com> wrote:
> Ok, what is the udev rule that you tried and did not work?

we tried to disable USB storage sticks with the following command:

SUBSYSTEMS=="usb", DRIVERS=="usb-storage", OPTIONS:="ignore_device"

but we failed to make it work.

in general, I would say, that the sequence should be reversed - at
first ATTR(serial) to be checked for positives with ":=" (to terminate
the next checking), and at the end to place

SUBSYSTEMS=="usb", DRIVERS=="usb-storage", OPTIONS:="ignore_device"

Any guidance is very appreciated.

--Vilius

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (8 preceding siblings ...)
  2011-02-24 13:52 ` How to use Udev to restrict USB access only to particular set of Vilius Benetis
@ 2011-02-24 15:46 ` Greg KH
  2011-02-24 16:36 ` Vilius Benetis
                   ` (6 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Greg KH @ 2011-02-24 15:46 UTC (permalink / raw)
  To: linux-hotplug

On Thu, Feb 24, 2011 at 03:52:16PM +0200, Vilius Benetis wrote:
> On Tue, Feb 22, 2011 at 4:38 PM, Greg KH <greg@kroah.com> wrote:
> > Ok, what is the udev rule that you tried and did not work?
> 
> we tried to disable USB storage sticks with the following command:
> 
> SUBSYSTEMS=="usb", DRIVERS=="usb-storage", OPTIONS:="ignore_device"
> 
> but we failed to make it work.

Ignoring the device still makes it "active" in the system, especially as
you just tested that the usb-storage device was bound to your device
(which wouldn't be true that early in the process, which is one reason
why this failed).  

you need to write a 0 to the "authorized" file in sysfs which will
disable the whole USB device entirely if it meets your "list of devices
to reject".  You also need to test not for driver binding, which again
will not have happened, and you don't want to have happen, but that it
is a usb storage device type (by virtue of the correct class config
options as shown by sysfs) and that it doesn't pass your list of valid
serial numbers.

Note, all of that might be easier to do in a script than in a udev rule
alone, but it should be possible.

Hope this helps,

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (9 preceding siblings ...)
  2011-02-24 15:46 ` Greg KH
@ 2011-02-24 16:36 ` Vilius Benetis
  2011-02-24 17:01 ` Greg KH
                   ` (5 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Vilius Benetis @ 2011-02-24 16:36 UTC (permalink / raw)
  To: linux-hotplug

On Thu, Feb 24, 2011 at 5:46 PM, Greg KH <greg@kroah.com> wrote:
>>[vilius]
>> we tried to disable USB storage sticks with the following command:
>>
>> SUBSYSTEMS=="usb", DRIVERS=="usb-storage", OPTIONS:="ignore_device"
>>
>> but we failed to make it work.
>
> Ignoring the device still makes it "active" in the system, especially as
> you just tested that the usb-storage device was bound to your device
> (which wouldn't be true that early in the process, which is one reason
> why this failed).
>
> you need to write a 0 to the "authorized" file in sysfs which will
> disable the whole USB device entirely if it meets your "list of devices
> to reject".  You also need to test not for driver binding, which again
> will not have happened, and you don't want to have happen, but that it
> is a usb storage device type (by virtue of the correct class config
> options as shown by sysfs) and that it doesn't pass your list of valid
> serial numbers.
>
> Note, all of that might be easier to do in a script than in a udev rule
> alone, but it should be possible.

I can follow the logic, but I think I am not able to convert the
guidance to the actions.

do you mean (am not sure what is this "authorised" file in sysfs):

KERNEL!="sd[a-z][0-9]", GOTO="end_usb_key_filter"
SUBSYSTEM=="usb", ATTRS{serial}=="xx1", GOTO="end_usb_key_filter"
SUBSYSTEM=="usb", ATTRS{serial}=="xx2", GOTO="end_usb_key_filter"
SUBSYSTEM=="usb", RUN="echo 0 >/sys/xxx"

or just:

SUBSYSTEM=="usb", ATTRS{serial}=="xx1|xx2|xx3", GOTO="end_usb_key_filter"
SUBSYSTEM=="usb", RUN="echo 0 >/sys/xxx"
LABEL="end_usb_key_filter"

-- 
/Vilius

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (10 preceding siblings ...)
  2011-02-24 16:36 ` Vilius Benetis
@ 2011-02-24 17:01 ` Greg KH
  2011-02-24 17:36 ` Vilius Benetis
                   ` (4 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Greg KH @ 2011-02-24 17:01 UTC (permalink / raw)
  To: linux-hotplug

On Thu, Feb 24, 2011 at 06:36:19PM +0200, Vilius Benetis wrote:
> On Thu, Feb 24, 2011 at 5:46 PM, Greg KH <greg@kroah.com> wrote:
> >>[vilius]
> >> we tried to disable USB storage sticks with the following command:
> >>
> >> SUBSYSTEMS=="usb", DRIVERS=="usb-storage", OPTIONS:="ignore_device"
> >>
> >> but we failed to make it work.
> >
> > Ignoring the device still makes it "active" in the system, especially as
> > you just tested that the usb-storage device was bound to your device
> > (which wouldn't be true that early in the process, which is one reason
> > why this failed).
> >
> > you need to write a 0 to the "authorized" file in sysfs which will
> > disable the whole USB device entirely if it meets your "list of devices
> > to reject".  You also need to test not for driver binding, which again
> > will not have happened, and you don't want to have happen, but that it
> > is a usb storage device type (by virtue of the correct class config
> > options as shown by sysfs) and that it doesn't pass your list of valid
> > serial numbers.
> >
> > Note, all of that might be easier to do in a script than in a udev rule
> > alone, but it should be possible.
> 
> I can follow the logic, but I think I am not able to convert the
> guidance to the actions.
> 
> do you mean (am not sure what is this "authorised" file in sysfs):
> 
> KERNEL!="sd[a-z][0-9]", GOTO="end_usb_key_filter"

Nope, way too late, you want to catch things _before_ the usb-storage
driver binds to it, right?

So match on a usb interfaces, and look at the class values to match the
usb storage ones.  If they are a match, then go up a level and disable
the device by writing a 0 to the "authorized" file.

> SUBSYSTEM=="usb", ATTRS{serial}=="xx1", GOTO="end_usb_key_filter"
> SUBSYSTEM=="usb", ATTRS{serial}=="xx2", GOTO="end_usb_key_filter"
> SUBSYSTEM=="usb", RUN="echo 0 >/sys/xxx"
> 
> or just:
> 
> SUBSYSTEM=="usb", ATTRS{serial}=="xx1|xx2|xx3", GOTO="end_usb_key_filter"
> SUBSYSTEM=="usb", RUN="echo 0 >/sys/xxx"
> LABEL="end_usb_key_filter"

That might work, but watch out that you don't deactivate your USB
keyboards :)

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread
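
Added example, not part of the thread and not Greg's code: the script route described in the two replies above (match on the interface class, go up one level, write 0 to "authorized"), generalised to read the list of valid serial numbers from a file. The install path, the allowlist path and the sample serials are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical hook, run once per USB interface by a rule such as:
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", \
#     RUN+="/usr/local/sbin/usb-storage-gate /sys$devpath /etc/usb-storage.allow"
# Both paths are assumptions. The allowlist holds one serial number per line.

# Print the first line of a sysfs attribute, or nothing if it is absent.
read_attr() {
    [ -r "$1" ] && head -n 1 "$1" 2>/dev/null
    return 0
}

# True when the interface directory reports class 08 (USB mass storage).
is_storage_iface() {
    [ "$(read_attr "$1/bInterfaceClass")" = "08" ]
}

# True only for a non-empty serial that is an exact line of the allowlist.
serial_allowed() {
    serial=$1
    list=$2
    [ -n "$serial" ] && [ -r "$list" ] && grep -Fxq -- "$serial" "$list"
}

# Decide for one interface directory; prints allow, reject or skip.
usb_storage_gate() {
    iface=$1
    list=$2
    # Keyboards, mice and hubs are not class 08 and are left alone.
    is_storage_iface "$iface" || { echo skip; return 0; }
    dev=$(dirname "$iface")              # "go up a level": the USB device
    if serial_allowed "$(read_attr "$dev/serial")" "$list"; then
        echo allow
        return 0
    fi
    # Unknown or missing serial: fail closed and disable the whole device.
    echo 0 > "$dev/authorized" || return 1
    echo reject
}

# Constructed sample tree for offline runs: one stick (5-1), one keyboard (5-2).
make_sample_tree() {
    mkdir -p "$1/5-1/5-1:1.0" "$1/5-2/5-2:1.0"
    echo 08 > "$1/5-1/5-1:1.0/bInterfaceClass"
    echo SAMPLE-SERIAL-B > "$1/5-1/serial"
    echo 03 > "$1/5-2/5-2:1.0/bInterfaceClass"
    echo 1 > "$1/5-1/authorized"
    echo 1 > "$1/5-2/authorized"
}

# Entry point when called from udev with <interface dir> <allowlist>.
if [ "$#" -ge 2 ]; then
    usb_storage_gate "$1" "$2"
fi
```

A device that exposes no serial attribute is treated the same as one with an unlisted serial.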

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (11 preceding siblings ...)
  2011-02-24 17:01 ` Greg KH
@ 2011-02-24 17:36 ` Vilius Benetis
  2011-03-01 14:32 ` Vilius Benetis
                   ` (3 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Vilius Benetis @ 2011-02-24 17:36 UTC (permalink / raw)
  To: linux-hotplug

>> KERNEL!="sd[a-z][0-9]", GOTO="end_usb_key_filter"
>
> Nope, way too late, you want to catch things _before_ the usb-storage
> driver binds to it, right?
>
> So match on a usb interfaces, and look at the class values to match the
> usb storage ones.  If they are a match, then go up a level and disable
> the device by writing a 0 to the "authorized" file.
>
>> SUBSYSTEM=="usb", ATTRS{serial}=="xx1", GOTO="end_usb_key_filter"
>> SUBSYSTEM=="usb", ATTRS{serial}=="xx2", GOTO="end_usb_key_filter"
>> SUBSYSTEM=="usb", RUN="echo 0 >/sys/xxx"
>>
>> or just:
>>
>> SUBSYSTEM=="usb", ATTRS{serial}=="xx1|xx2|xx3", GOTO="end_usb_key_filter"
>> SUBSYSTEM=="usb", RUN="echo 0 >/sys/xxx"
>> LABEL="end_usb_key_filter"
>
> That might work, but watch out that you don't deactivate your USB
> keyboards :)

finally I found this - explaining what this USB authorisation is:
http://www.mjmwired.net/kernel/Documentation/usb/authorization.txt

tomorrow I will play with the code.

Vilius

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (12 preceding siblings ...)
  2011-02-24 17:36 ` Vilius Benetis
@ 2011-03-01 14:32 ` Vilius Benetis
  2011-03-02  7:06 ` How to use Udev to restrict USB access only to particular set Bryan Kadzban
                   ` (2 subsequent siblings)
  16 siblings, 0 replies; 18+ messages in thread
From: Vilius Benetis @ 2011-03-01 14:32 UTC (permalink / raw)
  To: linux-hotplug

[Vilius]
> tomorrow I will play with the code.
the resulting UDEV rules (with reference to works of Adrian Crenshaw),
for those who are interested:

#By default, disable it.
ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done'"

#Enable hub devices.
ACTION=="add", ATTR{bDeviceClass}=="09", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"

#Other things to enable, do not forget to add mouse, and other devices.
ACTION=="add", ATTRS{product}=="VendorX", ATTRS{serial}=="0xxxxxx", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"

-- 
/Vilius

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (13 preceding siblings ...)
  2011-03-01 14:32 ` Vilius Benetis
@ 2011-03-02  7:06 ` Bryan Kadzban
  2011-03-02  8:33 ` How to use Udev to restrict USB access only to particular set of Vilius Benetis
  2011-03-03  4:01 ` How to use Udev to restrict USB access only to particular set Bryan Kadzban
  16 siblings, 0 replies; 18+ messages in thread
From: Bryan Kadzban @ 2011-03-02  7:06 UTC (permalink / raw)
  To: linux-hotplug

Vilius Benetis wrote:
> [Vilius]
>> tomorrow I will play with the code.
> the resulting UDEV rules (with reference to works of Adrian Crenshaw),
> for those who are interested:
> 
> #By default, disable it.
> ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done'"

It may not be possible to do what I'm about to suggest with this rule
(unless there's a way to match on all devices that have an
authorized_default file -- I'm not sure where in the USB stack those
devices are), but for this rule:

> #Enable hub devices.
> ACTION=="add", ATTR{bDeviceClass}=="09", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"

(and the one below it), can't you just do this instead of the RUN?:

ATTR{authorized}="1"

Or does that not work for some reason?  (It'll prevent spawning a whole
lot of shells to do work that udev already has code to handle...)


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set of
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (14 preceding siblings ...)
  2011-03-02  7:06 ` How to use Udev to restrict USB access only to particular set Bryan Kadzban
@ 2011-03-02  8:33 ` Vilius Benetis
  2011-03-03  4:01 ` How to use Udev to restrict USB access only to particular set Bryan Kadzban
  16 siblings, 0 replies; 18+ messages in thread
From: Vilius Benetis @ 2011-03-02  8:33 UTC (permalink / raw)
  To: linux-hotplug

On Wed, Mar 2, 2011 at 9:06 AM, Bryan Kadzban
<bryan@kadzban.is-a-geek.net> wrote:
> Vilius Benetis wrote:
>> [Vilius]
>>> tomorrow I will play with the code.
>> the resulting UDEV rules (with reference to works of Adrian Crenshaw),
>> for those who are interested:
>>
>> #By default, disable it.
>> ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done'"
>
> It may not be possible to do what I'm about to suggest with this rule
> (unless there's a way to match on all devices that have an
> authorized_default file -- I'm not sure where in the USB stack those
> devices are), but for this rule:
>
>> #Enable hub devices.
>> ACTION=="add", ATTR{bDeviceClass}=="09", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
>
> (and the one below it), can't you just do this instead of the RUN?:
>
> ATTR{authorized}="1"
>
> Or does that not work for some reason?  (It'll prevent spawning a whole
> lot of shells to do work that udev already has code to handle...)

we tested, ATTR{authorized}="1" works well, for
ATTR{authorized_default}="0" we get an error during the boot, but it
still works (probably the error is due to the yet non-existing
device?):

error opening ATTR{/sys/devices/pci0000:00/0000:00:1d.0/usb5/5-1/5-1:1.0/input/input11/event9/authorized}
for writing: No such file or directory

If you have an idea how to get rid of this error, please share.

the rules have been used:

       #By default, disable it.
       ACTION=="add", SUBSYSTEMS=="usb", ATTR{authorized_default}="0"

       #Enable hub devices.
       ACTION=="add", ATTR{bDeviceClass}=="09", ATTR{authorized}="1"

       #Other things to enable
       ACTION=="add", ATTRS{idProduct}=="c052", ATTR{authorized}="1"

-- 
/Vilius

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: How to use Udev to restrict USB access only to particular set
  2011-02-21  9:01 How to use Udev to restrict USB access only to particular set of USB sticks? Vilius Benetis
                   ` (15 preceding siblings ...)
  2011-03-02  8:33 ` How to use Udev to restrict USB access only to particular set of Vilius Benetis
@ 2011-03-03  4:01 ` Bryan Kadzban
  16 siblings, 0 replies; 18+ messages in thread
From: Bryan Kadzban @ 2011-03-03  4:01 UTC (permalink / raw)
  To: linux-hotplug

Vilius Benetis wrote:
> we tested, ATTR{authorized}="1" works well, for
> ATTR{authorized_default}="0" we get an error during the boot, but it
> still works (probably the error is due to the yet non-existing
> device?):
> 
> error opening ATTR{/sys/devices/pci0000:00/0000:00:1d.0/usb5/5-1/5-1:1.0/input/input11/event9/authorized}
> for writing: No such file or directory

That's matching the wrong thing when it tries to apply the rule to set
ATTR{authorized}, I think.  This shouldn't have anything to do with the
authorized_default rule, based on the name logged.

> the rules have been used:
> 
>        #By default, disable it.
>        ACTION=="add", SUBSYSTEMS=="usb", ATTR{authorized_default}="0"

I'd use SUBSYSTEM=="usb", TEST=="authorized_default" for this matching,
or something like that.  Any USB kobject with an authorized_default
attribute should have a zero written into it.

>        #Enable hub devices.
>        ACTION=="add", ATTR{bDeviceClass}=="09", ATTR{authorized}="1"
> 
>        #Other things to enable
>        ACTION=="add", ATTRS{idProduct}=="c052", ATTR{authorized}="1"

I'd use ATTR{idProduct} here, assuming that attribute is set that way on
the proper kobject in your sysfs tree.  (Try finding all the authorized
files in /sys/devices/pci<whatever>/, then see which of them would match
this idProduct.)

ATTRS will search up the tree for a matching idProduct attribute, and
will therefore also match any interfaces that this USB device will
create.  But those interfaces won't have an authorized file (since
authorization only works on devices).  I suspect this is the cause of
the error message you copied above.

^ permalink raw reply	[flat|nested] 18+ messages in thread
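
Added example, not part of the thread: the check Bryan suggests above, as a script. It lists every device kobject that ATTRS{idProduct} would match, directly or through a parent, and whether that kobject has an "authorized" file. The sample tree is constructed from the path in the quoted error message, and the root hub's idProduct value is assumed.

```shell
#!/bin/sh
# List device kobjects under <root> that ATTRS{idProduct}=="<want>" matches.
# Output per line: "<path below root> <direct|inherited> <has-authorized|no-authorized>"
# "direct" is what ATTR{idProduct} would match; "inherited" rows exist only
# because ATTRS{} also searches the parent devices.
attrs_idproduct_report() {
    root=$1
    want=$2
    find "$root" -type d | LC_ALL=C sort | while IFS= read -r dir; do
        # Only directories with a uevent file are devices udev sees events for.
        [ -f "$dir/uevent" ] || continue
        how=
        p=$dir
        # Walk towards the root the way ATTRS{} walks up the device chain.
        while :; do
            if [ -f "$p/idProduct" ] &&
               [ "$(head -n 1 "$p/idProduct")" = "$want" ]; then
                if [ "$p" = "$dir" ]; then how=direct; else how=inherited; fi
                break
            fi
            [ "$p" = "$root" ] && break
            p=$(dirname "$p")
        done
        [ -n "$how" ] || continue
        if [ -e "$dir/authorized" ]; then
            auth=has-authorized
        else
            auth=no-authorized
        fi
        rel=${dir#"$root"/}
        echo "$rel $how $auth"
    done
}

# Constructed sample tree shaped like the path in the error message.
make_sample_tree() {
    mkdir -p "$1/usb5/5-1/5-1:1.0/input/input11/event9"
    for d in usb5 usb5/5-1 usb5/5-1/5-1:1.0 \
             usb5/5-1/5-1:1.0/input/input11 \
             usb5/5-1/5-1:1.0/input/input11/event9; do
        : > "$1/$d/uevent"
    done
    echo 0001 > "$1/usb5/idProduct"       # assumed root hub value
    echo c052 > "$1/usb5/5-1/idProduct"   # the idProduct used in the rule
    echo 1 > "$1/usb5/authorized"
    echo 1 > "$1/usb5/5-1/authorized"
}

# Usage on a live system (the path is left to the reader):
#   attrs_idproduct_report /sys/devices/pci<whatever> c052
if [ "$#" -ge 2 ]; then
    attrs_idproduct_report "$1" "$2"
fi
```

Every "inherited no-authorized" row is a kobject on which an ATTR{authorized}="1" assignment has no file to write to.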
