LinuxQuestions.org
Linux - Software: [USB] USB devices getting blocked on reboot (https://www.linuxquestions.org/questions/linux-software-2/%5Busb%5D-usb-devices-getting-blocked-on-reboot-4175691085/)

steelwing 02-24-2021 03:08 PM

[USB] USB devices getting blocked on reboot
 
So I implemented USB blocking and whitelisting in an environment following this guide. Now, when we reboot any machine that has these rules in place, all USB devices immediately get blocked. All of them, even the ones I've explicitly allowed by idVendor and idProduct. The USB root hubs (usb1 and usb2) both get authorized successfully, but nothing else does, even though the rules. So what gives? I've tried enabling debug logging in udev using
Code:

udevadm control --log-priority=debug

but even that didn't seem to reveal anything. Under usb1 in the /sys tree, there appears to be a device 2-0:1.0 that's been deauthorized, but I'm not sure if that matters or not.

jefro 02-24-2021 07:56 PM

Most of the time I'd think some small edit is wrong or some sequence of what is OK versus what is not at boot.

Might look at usbguard also.

steelwing 02-25-2021 05:07 AM

Quote:

Originally Posted by jefro (Post 6224248)
Most of the time I'd think some small edit is wrong or some sequence of what is OK versus what is not at boot.

Might look at usbguard also.

usbguard is on those machines, but this last time I deliberately disabled it and rebooted the machine I was testing on. When the USB stuff was still missing after that, I removed usbguard entirely and rebooted again. Still the same behavior.

So it's definitely the rules and something about the way they're allowing/not allowing things during boot time. Any suggestions for how to trace this would be welcome.

syg00 02-25-2021 05:24 AM

I agree with jefro - especially after your experiences in the previous thread.
I don't like the theory of that link for gross disabling. The whole idea of dropping through to a disable unless matched prior is just waiting for this scenario. I might be inclined to test a match and add a separate alias - that way you know what has "hit". If the alias(es) aren't there later, you know your tests (or logic) are wrong.

steelwing 02-25-2021 06:09 AM

Quote:

Originally Posted by syg00 (Post 6224329)
I agree with jefro - especially after your experiences in the previous thread.
I don't like the theory of that link for gross disabling. The whole idea of dropping through to a disable unless matched prior is just waiting for this scenario. I might be inclined to test a match and add a separate alias - that way you know what has "hit". If the alias(es) aren't there later, you know your tests (or logic) are wrong.

In this case, though, the gross disabling is exactly the behavior my bosses want. That's why usbguard was the first thing they tried, because it blocks everything not explicitly allowed. The only reason we're implementing our own version of usbguard via udev (instead of using usbguard itself) is because we need some of the devices we're allowing to get handled in a certain special way.
Maybe I can have the disable part create some sort of log. Like a RUN+= at the end that tells it to echo out the idProduct and idVendor (or other identifying attributes) to a text file for each thing that got disabled.
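
Editor's added example (not the rules from the guide steelwing followed, and not any poster's code): a small POSIX shell script that puts together the two ideas above. It generates a whitelist rules file where each allow line leaves a visible mark (a SYMLINK, the "alias" syg00 suggests) and the fall-through deauthorize line logs what it blocked (the log steelwing proposes, via logger instead of a RUN+= echo so no shell quoting is needed), and it lists which devices under a sysfs tree ended up with authorized=0. The file name 99-usb-whitelist.rules, the symlink prefix usb_allowed/ and the logger tag usb-whitelist are hypothetical names chosen for the example; the sysfs layout /sys/bus/usb/devices/<dev>/{idVendor,idProduct,authorized} and the udev syntax are real.

```shell
#!/bin/sh
# Added example for this thread; not the guide's rules and not a poster's code.
# Hypothetical names: 99-usb-whitelist.rules, the usb_allowed/ symlink prefix,
# the usb-whitelist logger tag. Real: the sysfs layout under /sys/bus/usb/devices
# and the udev rule syntax used in the heredocs.

# Print udev rules that allow the given VENDOR:PRODUCT ids and deauthorize the rest.
usb_whitelist_rules() {
    cat <<'EOF'
# Only whole devices on "add"; interfaces such as 2-0:1.0 are left alone.
ACTION!="add", GOTO="usb_whitelist_end"
SUBSYSTEM!="usb", GOTO="usb_whitelist_end"
ENV{DEVTYPE}!="usb_device", GOTO="usb_whitelist_end"
# Root hubs (Linux Foundation, idVendor 1d6b) must stay authorized.
ATTR{idVendor}=="1d6b", GOTO="usb_whitelist_end"
EOF
    for id in "$@"; do
        vendor="${id%%:*}"
        product="${id##*:}"
        # The SYMLINK is the "alias" that proves this allow line hit for a device.
        printf 'ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", SYMLINK+="usb_allowed/%s_%s", GOTO="usb_whitelist_end"\n' \
            "$vendor" "$product" "$vendor" "$product"
    done
    cat <<'EOF'
# Fall-through: anything not matched above is deauthorized and logged to syslog/journal.
ATTR{authorized}="0", RUN+="/usr/bin/logger -t usb-whitelist blocked $attr{idVendor}:$attr{idProduct} $env{DEVPATH}"
LABEL="usb_whitelist_end"
EOF
}

# Write the rules for the ids that follow to DEST
# (e.g. the hypothetical /etc/udev/rules.d/99-usb-whitelist.rules).
install_usb_whitelist_rules() {
    dest="$1"; shift
    usb_whitelist_rules "$@" > "$dest"
}

# List every whole USB device under sysfs root $1 (default /sys) as
# "<name> <idVendor>:<idProduct> authorized=<0|1>".
# Interface directories (like 2-0:1.0) have no idVendor file and are skipped.
list_usb_auth() {
    root="${1:-/sys}"
    for d in "$root"/bus/usb/devices/*; do
        [ -f "$d/idVendor" ] || continue
        printf '%s %s:%s authorized=%s\n' "$(basename "$d")" \
            "$(cat "$d/idVendor")" "$(cat "$d/idProduct")" "$(cat "$d/authorized")"
    done
}

# Only the devices that ended up deauthorized, whoever did it.
blocked_usb() {
    list_usb_auth "$1" | grep ' authorized=0$' || true
}
```

After installing the file and running `udevadm control --reload`, `udevadm test /sys/bus/usb/devices/1-1` (with the real device path) prints which rule lines matched and the resulting DEVLINKS, so a missing usb_allowed/ link tells you the allow line never hit rather than that something re-blocked the device later; `blocked_usb` after a reboot shows the same thing from sysfs. Two things to keep in mind with a fall-through deauthorize of this kind: an external hub that is not on the list is deauthorized too, and then nothing plugged into it enumerates at all; and the coldplug replay at boot (udevadm trigger from systemd-udev-trigger.service) runs these rules again for every device that is already enumerated, so the rules have to behave correctly when they fire before any userspace service is up.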

ccj4467 03-19-2021 06:36 AM

Posted in the wrong thread

