On 2019-07-15 11:09:55, Thiébaud Weksteen wrote:
> Hi Birger, Antoine,
>
> Thanks for getting 0.7.5 ready. For the difference between "allow" and
> "keep" on PresentDevicePolicy, the standard use case is handled
> similarly (i.e., user installing USBGuard for the 1st time, no
> customisation). The difference is slightly more subtle for hosts that
> have changed the sysfs attributes directly, for some reason. In this
> case, "keep" would respect whatever state was declared. Because of
> this and as Antoine suggested, I think this is a better option.
>
> On generate-policy vs PresentDevicePolicy, I would argue that the
> simplest option is the best. By running generate-policy, you are
> parsing all current devices, generating rules and then applying these
> rules. There might be (unlikely) a bug in the rule generation which
> ends up blocking a device (e.g., missing attribute or so). The
> PresentDevicePolicy=keep is just a simpler alternative.
>
> It might be useful to write down some Debian-specific documentation on
> how to set up the daemon to be more restrictive? The wiki might be a
> good place for that?

Problem with PresentDevicePolicy=keep is that it might break on reboot
or setup changes (e.g. moving laptop from office to home).

That said, I'd expect such docs to live in
/usr/share/doc/usbguard/README.Debian or something similar, that way if
my USB ethernet controller gets blocked, I can still read it. :) But wiki
is also good because people can contribute more easily.

Either way, docs are good. :) And one can point to the other.

a.
-- 
One cannot help growing older, but one can keep oneself from becoming
old.
                        - Henri Matisse
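
The thread's point that "keep" respects whatever state was declared in sysfs can be checked before choosing a PresentDevicePolicy. The script below is an added example, not part of the thread or of USBGuard: it reads the kernel's `authorized` and `authorized_default` attributes to show the state "keep" would inherit. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the USB authorization state that
# PresentDevicePolicy=keep would leave untouched.

# Print "<name> <vid>:<pid> <state>" for each USB device under the given
# sysfs directory (default: /sys/bus/usb/devices).
usb_auth_report() {
    root="${1:-/sys/bus/usb/devices}"
    for dev in "$root"/*; do
        # Skip interface entries (e.g. 1-1:1.0): only devices carry idVendor.
        [ -r "$dev/idVendor" ] && [ -r "$dev/authorized" ] || continue
        id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        case "$(cat "$dev/authorized")" in
            1) state=authorized ;;
            *) state=blocked ;;
        esac
        line="${dev##*/} $id $state"
        # Root hubs (usbN) also hold the default for newly attached devices.
        if [ -r "$dev/authorized_default" ]; then
            line="$line default=$(cat "$dev/authorized_default")"
        fi
        printf '%s\n' "$line"
    done
}

# Number of devices the kernel currently has deauthorized.
usb_blocked_count() {
    usb_auth_report "$1" | grep -c ' blocked' || true
}

# Constructed sample tree (not real host data) so the script runs offline.
_mkdev() {  # args: dir vid pid authorized
    mkdir -p "$1"
    echo "$2" >"$1/idVendor"; echo "$3" >"$1/idProduct"; echo "$4" >"$1/authorized"
}
make_sample_tree() {
    t="$(mktemp -d)"
    _mkdev "$t/usb1" 1d6b 0002 1; echo 1 >"$t/usb1/authorized_default"
    _mkdev "$t/1-1" 1234 0001 1      # constructed device, left authorized
    _mkdev "$t/1-2" 1234 0002 0      # constructed device, deauthorized by hand
    mkdir -p "$t/1-1:1.0"; echo 1 >"$t/1-1:1.0/authorized"   # interface entry
    echo "$t"
}

# "./script --demo" prints the report for the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    d="$(make_sample_tree)"; usb_auth_report "$d"; rm -rf "$d"
fi
```

Calling `usb_auth_report` with no argument on a real host reads `/sys/bus/usb/devices`; any device listed as blocked would stay blocked under "keep".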
