USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method of use policies (how a USB device may interact with the system)
Hey.
I recently stumbled over the following situation:
AFAIU, rules.conf is mostly meant to store "permanent" rules, e.g. like whitelisting some "internal" USB devices, like the host controllers or a card reader… or such classes of devices which are known to be safe.
I think from a security PoV it makes sense to use PresentDevicePolicy=apply-policy and PresentControllerPolicy=apply-policy instead of =keep so if someone silently attaches a small rogue USB device to my system and I restart, it doesn't get accidentally allowed, e.g. when booting the system or restarting the daemon.
However, when some eligible user has whitelisted another device (in my case it was a docking station's USB controller and a mass storage device attached to that)… and the daemon gets then restarted, these rules might not have been intended "permanent" by the user (and thus not been in rules.conf) and thus get lost.
In my case usbguard.service was automatically restarted by needrestart because of some updated libraries. And then obviously any mounts on the device got killed off.
What I'd like to see is some persistent storage like in /var/run/ or so of rules added by users. And it must of course be made sure, that these are flushed when rebooting (should be asserted by using a volatile location for storing), and single rules removed from it, when those are cleared from the daemon.
Also, it would perhaps make sense to add commands then, that allow the user such flushing (and re-applying the rules according to the configuration, i.e. PresentDevicePolicy=apply-policy and so on).
It would be nice if the maintainers could tell whether this feature is considered, because otherwise I'd at least provide a small patch to needrestart to exclude usbguard from automatic restarts.
Thanks, Chris.
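Added example, not part of the original post and not USBGuard code: a simplified Python model of the restart behaviour described above, comparing `keep`, `apply-policy`, and `apply-policy` with the requested volatile rule store. The `Daemon` class, the device IDs and the reduction of a rule to an exact `vid:pid` match are assumptions made for illustration, as is the rogue device having been authorized before the daemon saw it.

```python
# Simplified model, not USBGuard code: a rule is just a "vid:pid" string that
# allows a device; anything unmatched is blocked (assumed implicit target).
from dataclasses import dataclass, field


@dataclass
class Daemon:
    present_device_policy: str                        # "keep" or "apply-policy"
    rules_conf: set                                   # permanent rules (rules.conf)
    volatile: set = field(default_factory=set)        # proposed store, e.g. under /run
    use_volatile_store: bool = False
    runtime_rules: set = field(default_factory=set)   # lives in daemon memory only

    def allow(self, dev_id, state):
        """User allows a device at runtime without making the rule permanent."""
        self.runtime_rules.add(dev_id)
        if self.use_volatile_store:
            self.volatile.add(dev_id)
        state[dev_id] = True

    def restart(self, state):
        """Daemon restart: in-memory rules are lost, present devices re-evaluated."""
        self.runtime_rules = set(self.volatile) if self.use_volatile_store else set()
        if self.present_device_policy == "keep":
            return dict(state)                        # whatever was authorized stays so
        known = self.rules_conf | self.runtime_rules
        return {dev: dev in known for dev in state}

    def reboot(self):
        """A volatile location is emptied on reboot, so replayed rules vanish."""
        self.volatile.clear()
        self.runtime_rules.clear()


def scenario(policy, use_volatile_store):
    """Return (dock_allowed, rogue_allowed) after one daemon restart."""
    # Constructed IDs: host controller (permanent), dock (user-allowed), rogue.
    hub, dock, rogue = "1d6b:0002", "aaaa:0001", "bbbb:0002"
    d = Daemon(policy, {hub}, use_volatile_store=use_volatile_store)
    # Assumption: the rogue device was authorized before the daemon saw it.
    state = {hub: True, dock: False, rogue: True}
    d.allow(dock, state)
    after = d.restart(state)
    return after[dock], after[rogue]


if __name__ == "__main__":
    for policy, store in [("keep", False), ("apply-policy", False), ("apply-policy", True)]:
        print(policy, store, scenario(policy, store))
```

Only the third configuration keeps the dock authorized across the restart while the rogue device ends up blocked.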