USBGuard / usbguard

USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method of use policies (how a USB device may interact with the system)
https://usbguard.github.io/
GNU General Public License v2.0
1.14k stars 138 forks source link

feature-request: persistenly store temporary rules for daemon restarts/crashes #565

Open calestyo opened 2 years ago

calestyo commented 2 years ago

Hey.

I recently stumbled over the following situation:

AFAIU, rules.conf is mostly meant to store "permanent" rules, e.g. like whitelisting some "internal" USB devices, like the host controllers or a card reader… or such classes of devices which are known to be safe.

I think from a security PoV it makes sense to use PresentDevicePolicy=apply-policy and PresentControllerPolicy=apply-policy instead of =keep so if someone silently attaches a small rogue USB device to my system and I restart, it doesn't get accidentally allowed, e.g. when booting the system or restarting the daemon.

However, when some eligible user has whitelisted another device (in my case it was a docking station's USB controller and a mass storage device attached to that)… and the daemon gets then restarted, these rules might not have been intended "permanent" by the user (and thus not been in rules.conf) and thus get lost.

In my case usbguard.service was automatically restarted by needrestart because of some updated libraries. And then obviously any mounts on the device got killed off.

What I'd like to see is some persistent storage like in /var/run/ or so of rules added by users. And it must of course be made sure, that these are flushed when rebooting (should be asserted by using a volatile location for storing), and single rules removed from it, when those are cleared from the daemon.

Also, it would perhaps make sense to add commands then, that allow the user such flushing (and re-applying the rules according to the configuration, i.e. PresentDevicePolicy=apply-policy and so on).

It would be nice if the maintainers could tell whether this feature is considered, because otherwise I'd at least provide a small patch to needrestart to exclude usbguard from automatic restarts.

Thanks, Chris.

calestyo commented 1 year ago

The PR I made against needrestart is merely a poor workaround, until this here would have been implemented.