LinuxQuestions.org
Old 02-24-2021, 03:08 PM   #1
steelwing
LQ Newbie
 
Registered: May 2017
Posts: 18

Rep: Reputation: Disabled
[USB] USB devices getting blocked on reboot


So I implemented USB blocking and whitelisting in an environment following this guide. Now, when we reboot any machine that has these rules in place, all USB devices immediately get blocked. All of them, even the ones I've explicitly allowed by idVendor and idProduct. The USB root hubs (usb1 and usb2) both get authorized successfully, but nothing else does, even though the rules. So what gives? I've tried enabling debug logging in udev using
Code:
udevadm control --log-priority=debug
but even that didn't seem to reveal anything. Under usb1 in the /sys tree, there appears to be a device 2-0:1.0 that's been deauthorized, but I'm not sure if that matters or not.
 
Old 02-24-2021, 07:56 PM   #2
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,005

Rep: Reputation: 3629
Most of the time I'd think some small edit is wrong or some sequence of what is OK versus what is not at boot.

Might look at usbguard also.
 
1 members found this post helpful.
Old 02-25-2021, 05:07 AM   #3
steelwing
LQ Newbie
 
Registered: May 2017
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jefro
Most of the time I'd think some small edit is wrong or some sequence of what is OK versus what is not at boot.

Might look at usbguard also.
usbguard is on those machines, but this last time I deliberately disabled it and rebooted the machine I was testing on. When the USB stuff was still missing after that, I removed usbguard entirely and rebooted again. Still the same behavior.

So it's definitely the rules and something about the way they're allowing/not allowing things during boot time. Any suggestions for how to trace this would be welcome.
 
Old 02-25-2021, 05:24 AM   #4
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,142

Rep: Reputation: 4123
I agree with jefro - especially after your experiences in the previous thread.
I don't like the theory of that link for gross disabling. The whole idea of dropping through to a disable unless matched prior is just waiting for this scenario. I might be inclined to test a match and add a separate alias - that way you know what has "hit". If the alias(s) aren't there later, you know your tests (or logic) are wrong.
 
Old 02-25-2021, 06:09 AM   #5
steelwing
LQ Newbie
 
Registered: May 2017
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by syg00
I agree with jefro - especially after your experiences in the previous thread.
I don't like the theory of that link for gross disabling. The whole idea of dropping through to a disable unless matched prior is just waiting for this scenario. I might be inclined to test a match and add a separate alias - that way you know what has "hit". If the alias(s) aren't there later, you know your tests (or logic) are wrong.
In this case, though, the gross disabling is exactly the behavior my bosses want. That's why usbguard was the first thing they tried, because it blocks everything not explicitly allowed. The only reason we're implementing our own version of usbguard via udev (instead of using usbguard itself) is because we need some of the devices we're allowing to get handled in a certain special way.
Maybe I can have the disable part create some sort of log. Like a RUN+= at the end that tells it to echo out the idProduct and idVendor (or other identifying attributes) to a text file for each thing that got disabled.
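
Added example, not part of any post in this thread: a POSIX shell helper that reads the `authorized` attribute of every entry under `/sys/bus/usb/devices` after boot, so the devices and interfaces that ended up deauthorized (such as the `2-0:1.0` entry mentioned in the first post) can be listed with their idVendor and idProduct. The function names and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): list the authorization state the kernel
# currently holds for each USB device and interface, read straight from sysfs.

# read_attr FILE -> contents of FILE, or "?" when it is missing or unreadable
read_attr() {
    if [ -r "$1" ]; then cat "$1"; else echo '?'; fi
}

# usb_auth_report [DIR] -> one line per entry:
#   <name> <device|interface> <idVendor>:<idProduct> authorized=<0|1>
# DIR defaults to the real sysfs location; pass another path to test offline.
usb_auth_report() {
    dir="${1:-/sys/bus/usb/devices}"
    for entry in "$dir"/*; do
        [ -e "$entry/authorized" ] || continue
        name=$(basename "$entry")
        case "$name" in
            # Interfaces (names containing ':') carry no IDs of their own;
            # the entry is a symlink, so ".." resolves to the owning device.
            *:*) kind=interface; owner="$entry/.." ;;
            *)   kind=device;    owner="$entry" ;;
        esac
        printf '%s %s %s:%s authorized=%s\n' "$name" "$kind" \
            "$(read_attr "$owner/idVendor")" "$(read_attr "$owner/idProduct")" \
            "$(read_attr "$entry/authorized")"
    done
}

# usb_denied [DIR] -> only the entries that are currently deauthorized
usb_denied() {
    usb_auth_report "$1" | sed -n '/ authorized=0$/p'
}

# Stand-alone use: print the full report for the running system (or for DIR).
usb_auth_report "$@"
```

Comparing the `usb_denied` output against the allowed idVendor/idProduct pairs shows whether the allow rules never matched or matched and were overridden later. `udevadm test` on the sysfs path of one listed device simulates rule processing for that device and prints the rules it applies.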
 
Old 03-19-2021, 06:36 AM   #6
ccj4467
Member
 
Registered: Jan 2009
Posts: 34

Rep: Reputation: 5
Posted in the wrong thread

Last edited by ccj4467; 03-19-2021 at 06:38 AM.
 
  


Tags
rhel7, udev, udev rules, usb




All times are GMT -5. The time now is 04:58 AM.
