feature-request: persistenly store temporary rules for daemon restarts/crashes

[calestyo]

Hey.

I recently stumbled over the following situation:

AFAIU, rules.conf is mostly meant to store "permanent" rules, e.g. like whitelisting some "internal" USB devices, like the host controllers or a card reader… or such classes of devices which are known to be safe.

I think from a security PoV it makes sense to use PresentDevicePolicy=apply-policy and PresentControllerPolicy=apply-policy instead of =keep so if someone silently attaches a small rogue USB device to my system and I restart, it doesn't get accidentally allowed, e.g. when booting the system or restarting the daemon.

However, when some eligible user has whitelisted another device (in my case it was a docking station's USB controller and a mass storage device attached to that)… and the daemon gets then restarted, these rules might not have been intended "permanent" by the user (and thus not been in rules.conf) and thus get lost.

In my case usbguard.service was automatically restarted by needrestart because of some updated libraries. And then obviously any mounts on the device got killed off.

What I'd like to see is some persistent storage like in /var/run/ or so of rules added by users. And it must of course be made sure, that these are flushed when rebooting (should be asserted by using a volatile location for storing), and single rules removed from it, when those are cleared from the daemon.

Also, it would perhaps make sense to add commands then, that allow the user such flushing (and re-applying the rules according to the configuration, i.e. PresentDevicePolicy=apply-policy and so on).

It would be nice if the maintainers could tell whether this feature is considered, because otherwise I'd at least provide a small patch to needrestart to exclude usbguard from automatic restarts.

Thanks, Chris.

[calestyo]

The PR I made against needrestart is merely a poor workaround, until this here would have been implemented.