USBGuard / usbguard

USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method of use policies (how a USB device may interact with the system)
https://usbguard.github.io/
GNU General Public License v2.0

xHCI controllers only partially allowed by matching rule #604

Open daenney opened 8 months ago

daenney commented 8 months ago

I have a basic rule that's intended to allow any device with the Linux Foundation ID:

allow id equals { 1d6b:* }

However, this doesn't seem to allow all devices matching the ID:

# usbguard list-devices
3: allow id 1d6b:0002 serial "0000:c1:00.3" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb1" with-interface 09:00:00 with-connect-type ""
4: allow id 1d6b:0003 serial "0000:c1:00.3" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb2" with-interface 09:00:00 with-connect-type ""
5: allow id 1d6b:0002 serial "0000:c1:00.4" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb3" with-interface 09:00:00 with-connect-type ""
6: allow id 1d6b:0003 serial "0000:c1:00.4" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb4" with-interface 09:00:00 with-connect-type ""
7: allow id 1d6b:0002 serial "0000:c3:00.3" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb5" with-interface 09:00:00 with-connect-type ""
8: allow id 1d6b:0003 serial "0000:c3:00.3" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb6" with-interface 09:00:00 with-connect-type ""
9: allow id 1d6b:0002 serial "0000:c3:00.4" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb7" with-interface 09:00:00 with-connect-type ""
10: allow id 1d6b:0003 serial "0000:c3:00.4" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb8" with-interface 09:00:00 with-connect-type ""
11: block id 1d6b:0002 serial "0000:64:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb9" with-interface 09:00:00 with-connect-type ""
12: block id 1d6b:0003 serial "0000:64:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb10" with-interface 09:00:00 with-connect-type ""
13: block id 1d6b:0002 serial "0000:65:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb11" with-interface 09:00:00 with-connect-type ""
14: block id 1d6b:0003 serial "0000:65:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb12" with-interface 09:00:00 with-connect-type ""
15: block id 1d6b:0002 serial "0000:66:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb13" with-interface 09:00:00 with-connect-type ""
16: block id 1d6b:0003 serial "0000:66:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb14" with-interface 09:00:00 with-connect-type ""

For some reason it seems to switch to blocking once we hit usb9.

# usbguard list-devices -t
.
├── 9: allow xHCI Host Controller
├── 10: allow xHCI Host Controller
├── 11: block xHCI Host Controller
├── 12: block xHCI Host Controller
├── 15: block xHCI Host Controller
├── 16: block xHCI Host Controller
├── 7: allow xHCI Host Controller
├── 8: allow xHCI Host Controller
├── 3: allow xHCI Host Controller
│   └── 17: allow Wireless_Device
├── 4: allow xHCI Host Controller
├── 5: allow xHCI Host Controller
│   └── 18: allow Laptop Camera
├── 6: allow xHCI Host Controller
├── 13: block xHCI Host Controller
└── 14: block xHCI Host Controller

# lsusb
Bus 008 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 002: ID 0bda:5634 Realtek Semiconductor Corp. Laptop Camera
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 0e8d:e616 MediaTek Inc. Wireless_Device
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 014 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 013 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 012 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 011 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 009 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 010 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

I think the reason there are so many xHCI units is because this is on a Framework laptop, so each of the 4 port modules is a USB-C port in itself too.
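To check the observation above mechanically, here is an added diagnostic script (not part of USBGuard or of this issue) that parses `usbguard list-devices` output and lists devices whose id matches a rule pattern but whose current target differs. It assumes the id wildcard semantics of the rule above (`*` matching any vendor or product), and feeds the parser two lines from the listing plus one constructed line with a `{ ... }` interface set to show that the parser also handles multi-interface devices.

```python
import re

# Sample `usbguard list-devices` lines: the first two are copied from the report
# above (hashes already redacted by the reporter); the third is a constructed line
# for a hotplugged device with a multi-interface set, to exercise the `{ ... }` form.
SAMPLE_OUTPUT = """\
3: allow id 1d6b:0002 serial "0000:c1:00.3" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb1" with-interface 09:00:00 with-connect-type ""
11: block id 1d6b:0002 serial "0000:64:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb9" with-interface 09:00:00 with-connect-type ""
17: allow id 0e8d:e616 serial "" name "Wireless_Device" hash "redacted" parent-hash "redacted" via-port "1-3" with-interface { e0:01:01 0a:00:00 } with-connect-type "hotplug"
"""

LINE_RE = re.compile(r"^(?P<num>\d+): (?P<target>allow|block|reject) (?P<rest>.*)$")
# key followed by a "quoted" value, a { set } of bare values, or one bare value
ATTR_RE = re.compile(r'(?P<key>[\w-]+) (?:"(?P<quoted>[^"]*)"|\{(?P<set>[^}]*)\}|(?P<bare>\S+))')


def parse_devices(text):
    """Parse `usbguard list-devices` output into one dict per device."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dev = {"number": int(m["num"]), "target": m["target"]}
        for a in ATTR_RE.finditer(m["rest"]):
            if a["quoted"] is not None:
                dev[a["key"]] = a["quoted"]
            elif a["set"] is not None:
                dev[a["key"]] = a["set"].split()
            else:
                dev[a["key"]] = a["bare"]
        devices.append(dev)
    return devices


def id_matches(pattern, device_id):
    """Match a rule id such as '1d6b:*' against a device id 'vendor:product'."""
    pv, pp = pattern.split(":")
    dv, dp = device_id.split(":")
    return pv in ("*", dv) and pp in ("*", dp)


def find_mismatches(devices, id_pattern, expected_target):
    """Devices whose id matches the rule but whose current target differs."""
    return [d for d in devices
            if id_matches(id_pattern, d["id"]) and d["target"] != expected_target]


if __name__ == "__main__":
    for d in find_mismatches(parse_devices(SAMPLE_OUTPUT), "1d6b:*", "allow"):
        print(f"device {d['number']} ({d['via-port']}) is {d['target']}, rule says allow")
```

Run against the full listing above, it reports devices 11 through 16, the ones on usb9 and later.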

daenney commented 8 months ago

Removing that line and restarting usbguard doesn't affect the output. So I guess that rule doesn't apply in the first place. But that still leaves me somewhat confused about the two sets of controllers.