USBGuard / usbguard

USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method-of-use policies (how a USB device may interact with the system).
https://usbguard.github.io/
GNU General Public License v2.0

USBGuard 0.7.8 failed to start using Systemd on Ubuntu 18.04 #442

Closed aditiambadkar closed 3 years ago

aditiambadkar commented 3 years ago

I have installed USBGuard 0.7.8 on Ubuntu 18.04 using the following steps:

aditi@aditi-VirtualBox:~$ git clone https://github.com/USBGuard/usbguard.git

aditi@aditi-VirtualBox:~$ cd usbguard/

aditi@aditi-VirtualBox:~/usbguard$ git checkout usbguard-0.7.8 

aditi@aditi-VirtualBox:~/usbguard$ sudo apt install dh-autoreconf pkg-config

aditi@aditi-VirtualBox:~/usbguard$ autoreconf -i -f

aditi@aditi-VirtualBox:~/usbguard$ sudo apt install libqb-dev libtool libsodium-dev libprotobuf-dev protobuf-compiler libdbus-glib-1-dev libxml2-utils xsltproc libpolkit-gobject-1-dev libgcrypt20-dev libssl-dev libcrypto++6 libcrypto++-dev libcrypto++6-dbg asciidoc asciidoctor libseccomp-dev seccomp libcap-ng-dev

aditi@aditi-VirtualBox:~/usbguard$ ./autogen.sh

aditi@aditi-VirtualBox:~/usbguard$ ./configure --prefix=/usr --sysconfdir=/etc --with-bundled-catch --with-bundled-pegtl --with-crypto-library=sodium --enable-systemd

aditi@aditi-VirtualBox:~/usbguard$ make

aditi@aditi-VirtualBox:~/usbguard$ sudo make install

aditi@aditi-VirtualBox:~/usbguard$ make check

aditi@aditi-VirtualBox:~/usbguard$ sudo ldconfig

aditi@aditi-VirtualBox:$ sudo usbguard generate-policy > rules.conf

aditi@aditi-VirtualBox:~$ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf

aditi@aditi-VirtualBox:~$ sudo systemctl daemon-reload

aditi@aditi-VirtualBox:~$ sudo systemctl start usbguard.service

aditi@aditi-VirtualBox:~$ sudo systemctl enable usbguard.service

aditi@aditi-VirtualBox:~$ sudo systemctl status usbguard.service

This is the output of sudo systemctl status usbguard.service

aditi@aditi-VirtualBox:~$ sudo systemctl status usbguard.service 
● usbguard.service - USBGuard daemon
   Loaded: loaded (/lib/systemd/system/usbguard.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-12-15 13:54:19 +04; 23min ago
     Docs: man:usbguard-daemon(8)
 Main PID: 21576 (usbguard-daemon)
    Tasks: 3 (limit: 4915)
   CGroup: /system.slice/usbguard.service
           └─21576 /usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf

Dec 15 13:54:19 aditi-VirtualBox systemd[1]: Started USBGuard daemon.
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.927] (A) uid=0 pid=21576 device.rule='allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXk
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.927] (A) uid=0 pid=21576 result='SUCCESS' device.system_name='/devices/pci0000:00/0000:00:0b.0/usb1' target.new='allow' type='Policy.De
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.927] (A) uid=0 pid=21576 device.rule='allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.927] (A) uid=0 pid=21576 result='SUCCESS' device.system_name='/devices/pci0000:00/0000:00:06.0/usb2' target.new='allow' type='Policy.De
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.928] (A) uid=0 pid=21576 device.rule='allow id 80ee:0021 serial "" name "USB Tablet" hash "8S88DbsXkyb93aEG099kxcbjrHSGfpZEJ8W0048wl1A=
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.928] (A) uid=0 pid=21576 result='SUCCESS' device.system_name='/devices/pci0000:00/0000:00:06.0/usb2/2-1' target.new='allow' type='Polic
Dec 15 14:16:35 aditi-VirtualBox systemd[1]: /lib/systemd/system/usbguard.service:29: Unknown system call group, ignoring: @system-service

If I stop the usbguard.service and start again this is the output:

aditi@aditi-VirtualBox:~$ sudo systemctl stop usbguard.service 
aditi@aditi-VirtualBox:~$ sudo systemctl status usbguard.service 
● usbguard.service - USBGuard daemon
   Loaded: loaded (/lib/systemd/system/usbguard.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Tue 2020-12-15 14:19:53 +04; 2s ago
     Docs: man:usbguard-daemon(8)
  Process: 21576 ExecStart=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf (code=exited, status=0/SUCCESS)
 Main PID: 21576 (code=exited, status=0/SUCCESS)

Dec 15 13:54:19 aditi-VirtualBox systemd[1]: Started USBGuard daemon.
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.927] (A) uid=0 pid=21576 device.rule='allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXk
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.927] (A) uid=0 pid=21576 result='SUCCESS' device.system_name='/devices/pci0000:00/0000:00:0b.0/usb1' target.new='allow' type='Policy.De
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.927] (A) uid=0 pid=21576 device.rule='allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.927] (A) uid=0 pid=21576 result='SUCCESS' device.system_name='/devices/pci0000:00/0000:00:06.0/usb2' target.new='allow' type='Policy.De
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.928] (A) uid=0 pid=21576 device.rule='allow id 80ee:0021 serial "" name "USB Tablet" hash "8S88DbsXkyb93aEG099kxcbjrHSGfpZEJ8W0048wl1A=
Dec 15 13:54:19 aditi-VirtualBox usbguard-daemon[21576]: [1608026059.928] (A) uid=0 pid=21576 result='SUCCESS' device.system_name='/devices/pci0000:00/0000:00:06.0/usb2/2-1' target.new='allow' type='Polic
Dec 15 14:16:35 aditi-VirtualBox systemd[1]: /lib/systemd/system/usbguard.service:29: Unknown system call group, ignoring: @system-service
Dec 15 14:19:53 aditi-VirtualBox systemd[1]: Stopping USBGuard daemon...
Dec 15 14:19:53 aditi-VirtualBox systemd[1]: Stopped USBGuard daemon.

aditi@aditi-VirtualBox:~$ sudo systemctl start usbguard.service 
aditi@aditi-VirtualBox:~$ sudo systemctl status usbguard.service 
● usbguard.service - USBGuard daemon
   Loaded: loaded (/lib/systemd/system/usbguard.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-12-15 14:20:06 +04; 260ms ago
     Docs: man:usbguard-daemon(8)
 Main PID: 25292 (usbguard-daemon)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/usbguard.service
           └─25292 /usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf

Dec 15 14:20:06 aditi-VirtualBox systemd[1]: Started USBGuard daemon.

After this, I restarted my Ubuntu and this was the output:

aditi@aditi-VirtualBox:~$ sudo systemctl start usbguard.service 
[sudo] password for aditi: 
aditi@aditi-VirtualBox:~$ sudo systemctl status usbguard.service 
● usbguard.service - USBGuard daemon
   Loaded: loaded (/lib/systemd/system/usbguard.service; enabled; vendor preset: enabled)
   Active: failed (Result: signal) since Tue 2020-12-15 14:28:47 +04; 661ms ago
     Docs: man:usbguard-daemon(8)
  Process: 2086 ExecStart=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf (code=killed, signal=SYS)
 Main PID: 2086 (code=killed, signal=SYS)

Dec 15 14:28:47 aditi-VirtualBox systemd[1]: usbguard.service: Service hold-off time over, scheduling restart.
Dec 15 14:28:47 aditi-VirtualBox systemd[1]: usbguard.service: Scheduled restart job, restart counter is at 5.
Dec 15 14:28:47 aditi-VirtualBox systemd[1]: Stopped USBGuard daemon.
Dec 15 14:28:47 aditi-VirtualBox systemd[1]: usbguard.service: Start request repeated too quickly.
Dec 15 14:28:47 aditi-VirtualBox systemd[1]: usbguard.service: Failed with result 'signal'.
Dec 15 14:28:47 aditi-VirtualBox systemd[1]: Failed to start USBGuard daemon.

I also tried stop, restart and status:

aditi@aditi-VirtualBox:~$ sudo systemctl restart usbguard.service 
aditi@aditi-VirtualBox:~$ sudo systemctl status usbguard.service 
● usbguard.service - USBGuard daemon
   Loaded: loaded (/lib/systemd/system/usbguard.service; enabled; vendor preset: enabled)
   Active: failed (Result: signal) since Tue 2020-12-15 14:29:28 +04; 891ms ago
     Docs: man:usbguard-daemon(8)
  Process: 2205 ExecStart=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf (code=killed, signal=SYS)
 Main PID: 2205 (code=killed, signal=SYS)

Dec 15 14:29:28 aditi-VirtualBox systemd[1]: usbguard.service: Service hold-off time over, scheduling restart.
Dec 15 14:29:28 aditi-VirtualBox systemd[1]: usbguard.service: Scheduled restart job, restart counter is at 5.
Dec 15 14:29:28 aditi-VirtualBox systemd[1]: Stopped USBGuard daemon.
Dec 15 14:29:28 aditi-VirtualBox systemd[1]: usbguard.service: Start request repeated too quickly.
Dec 15 14:29:28 aditi-VirtualBox systemd[1]: usbguard.service: Failed with result 'signal'.
Dec 15 14:29:28 aditi-VirtualBox systemd[1]: Failed to start USBGuard daemon.

I also tried changing #DefaultStartLimitBurst=5 in /etc/systemd/system.conf to DefaultStartLimitBurst=0, but the service still does not become active.

This is my systemd version:

aditi@aditi-VirtualBox:~$ systemd --version
systemd 237
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid

This is the output of sudo systemd-analyze verify usbguard.service

aditi@aditi-VirtualBox:~$ sudo systemd-analyze verify usbguard.service
/lib/systemd/system/usbguard.service:29: Unknown system call group, ignoring: @system-service
Attempted to remove disk file system, and we can't allow that.

This is the output of sudo systemd-analyze syscall-filter

aditi@aditi-VirtualBox:~$ sudo systemd-analyze syscall-filter 
@default
    # System calls that are always permitted
    clock_getres
    clock_gettime
    clock_nanosleep
    execve
    exit
    exit_group
    futex
    get_robust_list
    get_thread_area
    getegid
    getegid32
    geteuid
    geteuid32
    getgid
    getgid32
    getgroups
    getgroups32
    getpgid
    getpgrp
    getpid
    getppid
    getresgid
    getresgid32
    getresuid
    getresuid32
    getrlimit
    getsid
    gettid
    gettimeofday
    getuid
    getuid32
    membarrier
    nanosleep
    pause
    prlimit64
    restart_syscall
    rt_sigreturn
    sched_yield
    set_robust_list
    set_thread_area
    set_tid_address
    set_tls
    sigreturn
    time
    ugetrlimit

@aio
    # Asynchronous IO
    io_cancel
    io_destroy
    io_getevents
    io_setup
    io_submit

@basic-io
    # Basic IO
    _llseek
    close
    dup
    dup2
    dup3
    lseek
    pread64
    preadv
    preadv2
    pwrite64
    pwritev
    pwritev2
    read
    readv
    write
    writev

@chown
    # Change ownership of files and directories
    chown
    chown32
    fchown
    fchown32
    fchownat
    lchown
    lchown32

@clock
    # Change the system time
    adjtimex
    clock_adjtime
    clock_settime
    settimeofday
    stime

@cpu-emulation
    # System calls for CPU emulation functionality
    modify_ldt
    subpage_prot
    switch_endian
    vm86
    vm86old

@debug
    # Debugging, performance monitoring and tracing functionality
    lookup_dcookie
    perf_event_open
    process_vm_readv
    process_vm_writev
    ptrace
    rtas
    sys_debug_setcontext

@file-system
    # File system operations
    access
    chdir
    chmod
    close
    creat
    faccessat
    fallocate
    fchdir
    fchmod
    fchmodat
    fcntl
    fcntl64
    fgetxattr
    flistxattr
    fremovexattr
    fsetxattr
    fstat
    fstat64
    fstatat64
    fstatfs
    fstatfs64
    ftruncate
    ftruncate64
    futimesat
    getcwd
    getdents
    getdents64
    getxattr
    inotify_add_watch
    inotify_init
    inotify_init1
    inotify_rm_watch
    lgetxattr
    link
    linkat
    listxattr
    llistxattr
    lremovexattr
    lsetxattr
    lstat
    lstat64
    mkdir
    mkdirat
    mknod
    mknodat
    mmap
    mmap2
    munmap
    newfstatat
    oldfstat
    oldlstat
    oldstat
    open
    openat
    readlink
    readlinkat
    removexattr
    rename
    renameat
    renameat2
    rmdir
    setxattr
    stat
    stat64
    statfs
    statfs64
    statx
    symlink
    symlinkat
    truncate
    truncate64
    unlink
    unlinkat
    utime
    utimensat
    utimes

@io-event
    # Event loop system calls
    _newselect
    epoll_create
    epoll_create1
    epoll_ctl
    epoll_ctl_old
    epoll_pwait
    epoll_wait
    epoll_wait_old
    eventfd
    eventfd2
    poll
    ppoll
    pselect6
    select

@ipc
    # SysV IPC, POSIX Message Queues or other IPC
    ipc
    memfd_create
    mq_getsetattr
    mq_notify
    mq_open
    mq_timedreceive
    mq_timedsend
    mq_unlink
    msgctl
    msgget
    msgrcv
    msgsnd
    pipe
    pipe2
    process_vm_readv
    process_vm_writev
    semctl
    semget
    semop
    semtimedop
    shmat
    shmctl
    shmdt
    shmget

@keyring
    # Kernel keyring access
    add_key
    keyctl
    request_key

@memlock
    # Memory locking control
    mlock
    mlock2
    mlockall
    munlock
    munlockall

@module
    # Loading and unloading of kernel modules
    delete_module
    finit_module
    init_module

@mount
    # Mounting and unmounting of file systems
    chroot
    mount
    pivot_root
    umount
    umount2

@network-io
    # Network or Unix socket IO, should not be needed if not network facing
    accept
    accept4
    bind
    connect
    getpeername
    getsockname
    getsockopt
    listen
    recv
    recvfrom
    recvmmsg
    recvmsg
    send
    sendmmsg
    sendmsg
    sendto
    setsockopt
    shutdown
    socket
    socketcall
    socketpair

@obsolete
    # Unusual, obsolete or unimplemented system calls
    _sysctl
    afs_syscall
    bdflush
    break
    create_module
    ftime
    get_kernel_syms
    getpmsg
    gtty
    idle
    lock
    mpx
    prof
    profil
    putpmsg
    query_module
    security
    sgetmask
    ssetmask
    stty
    sysfs
    tuxcall
    ulimit
    uselib
    ustat
    vserver

@privileged
    # All system calls which need super-user capabilities
    @chown
    @clock
    @module
    @raw-io
    @reboot
    @swap
    _sysctl
    acct
    bpf
    capset
    chroot
    nfsservctl
    pivot_root
    quotactl
    setdomainname
    setfsuid
    setfsuid32
    setgroups
    setgroups32
    sethostname
    setresuid
    setresuid32
    setreuid
    setreuid32
    setuid
    setuid32
    vhangup

@process
    # Process control, execution, namespaceing operations
    arch_prctl
    capget
    clone
    execveat
    fork
    getrusage
    kill
    prctl
    rt_sigqueueinfo
    rt_tgsigqueueinfo
    setns
    tgkill
    times
    tkill
    unshare
    vfork
    wait4
    waitid
    waitpid

@raw-io
    # Raw I/O port access
    ioperm
    iopl
    pciconfig_iobase
    pciconfig_read
    pciconfig_write

@reboot
    # Reboot and reboot preparation/kexec
    kexec_file_load
    kexec_load
    reboot

@resources
    # Alter resource settings
    ioprio_set
    mbind
    migrate_pages
    move_pages
    nice
    sched_setaffinity
    sched_setattr
    sched_setparam
    sched_setscheduler
    set_mempolicy
    setpriority
    setrlimit

@setuid
    # Operations for changing user/group credentials
    setgid
    setgid32
    setgroups
    setgroups32
    setregid
    setregid32
    setresgid
    setresgid32
    setresuid
    setresuid32
    setreuid
    setreuid32
    setuid
    setuid32

@signal
    # Process signal handling
    rt_sigaction
    rt_sigpending
    rt_sigprocmask
    rt_sigsuspend
    rt_sigtimedwait
    sigaction
    sigaltstack
    signal
    signalfd
    signalfd4
    sigpending
    sigprocmask
    sigsuspend

@swap
    # Enable/disable swap devices
    swapoff
    swapon

@sync
    # Synchronize files and memory to storage
    fdatasync
    fsync
    msync
    sync
    sync_file_range
    sync_file_range2
    syncfs

@timer
    # Schedule operations by time
    alarm
    getitimer
    setitimer
    timer_create
    timer_delete
    timer_getoverrun
    timer_gettime
    timer_settime
    timerfd_create
    timerfd_gettime
    timerfd_settime
    times

There is no @system-service present in systemd 237.

If I comment out the line SystemCallFilter=@system-service in the usbguard.service.in file and follow the same installation and configuration steps, USBGuard works perfectly.

I want to run USBGuard 0.7.8 on my Ubuntu 18.04 using systemd without removing the SystemCallFilter=@system-service.

Please help me with the issue.
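The failure above only surfaces after a reboot, and `systemd-analyze verify` treats the unknown group as a warning ("ignoring") rather than an error, even though the journal then shows the daemon killed with `code=killed, signal=SYS`. As an added example (not part of this issue and not USBGuard's own code), the POSIX sh script below compares every `@group` referenced by a unit's `SystemCallFilter=` lines against the groups the host's systemd actually defines, so a unit that names a group the local systemd does not know fails a pre-flight check instead of failing at boot. The unit snippet and the group listing are constructed sample inputs; the listing reuses group names from the `systemd-analyze syscall-filter` output posted above and, like systemd 237, has no `@system-service`.

```shell
#!/bin/sh
# Pre-flight check: does this host's systemd define every @group that a
# unit's SystemCallFilter= lines reference?  Added example, not USBGuard code.

# Constructed sample: SystemCallFilter lines as they might appear in a unit.
SAMPLE_UNIT='[Service]
ExecStart=/usr/sbin/usbguard-daemon -k -c /etc/usbguard/usbguard-daemon.conf
SystemCallFilter=@system-service
SystemCallFilter=~@mount @privileged
'

# Constructed sample: an excerpt in the format of `systemd-analyze syscall-filter`
# on systemd 237.  Group headers start at column 0; members are indented, so the
# "@chown" member of @privileged must not be mistaken for a defined group.
SAMPLE_LISTING='@default
    # System calls that are always permitted
    clock_getres
@aio
    # Asynchronous IO
    io_cancel
@mount
    # Mounting and unmounting of file systems
    mount
@privileged
    # All system calls which need super-user capabilities
    @chown
'

# Print the group names a syscall-filter listing defines, one per line.
listing_groups() {
    printf '%s\n' "$1" | sed -n 's/^\(@[a-z0-9-]*\).*/\1/p'
}

# Print every @group referenced by SystemCallFilter= lines in a unit text.
# A leading "~" (deny-list form) is stripped; bare syscall names are ignored.
unit_groups() {
    printf '%s\n' "$1" \
      | sed -n 's/^SystemCallFilter=//p' \
      | tr ' ' '\n' \
      | sed -n 's/^~\{0,1\}\(@[a-z0-9-]*\)$/\1/p' \
      | sort -u
}

# Print the groups the unit references that the listing does not define.
# Returns 0 when every group is known, 1 otherwise.
unknown_groups() {
    unit="$1"; listing="$2"
    known=$(listing_groups "$listing")
    rc=0
    for g in $(unit_groups "$unit"); do
        if ! printf '%s\n' "$known" | grep -qx "$g"; then
            printf '%s\n' "$g"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on the constructed samples: prints "@system-service",
# the same group that systemd 237 reports as unknown in the issue.
unknown_groups "$SAMPLE_UNIT" "$SAMPLE_LISTING" \
  || echo "unit references syscall groups unknown to this systemd"

# On a live host, feed it the real unit and the real group list instead:
#   unknown_groups "$(systemctl cat usbguard.service)" "$(systemd-analyze syscall-filter)"
```

Running this as part of a package or configuration-management check turns the soft "Unknown system call group, ignoring" warning into a hard failure before the unit is enabled. That matters because, once the unknown group is dropped, the remaining allow-list no longer covers what the daemon needs, and the first disallowed call ends the process with SIGSYS exactly as the restart loop in the issue shows.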

radosroka commented 3 years ago

Hello,

it looks like an Ubuntu systemd problem. There's systemd-245.8-2.fc32.x86_64 on my Fedora system and it works. If the current code works with the latest systemd, it is sufficient. If I'm correct and this is an Ubuntu-only problem because of old systemd, then it should be fixed in Ubuntu downstream.

aditiambadkar commented 3 years ago

Yes, you are correct. After a lot of research, I too came to the conclusion that it's a systemd version issue. USBGuard 0.7.8 works perfectly on Ubuntu 20.04 (systemd version 245), while in Ubuntu 18.04 the systemd version is 237. Thank you for the confirmation from your side.