On 2019-07-15 11:09:55, Thiébaud Weksteen wrote:
> Hi Birger, Antoine,
>
> Thanks for getting 0.7.5 ready. For the difference between "allow" and
> "keep" on PresentDevicePolicy, the standard use case is handled
> similarly (i.e., user installing USBGuard for the 1st time, no
> customisation). The difference is slightly more subtle for hosts that
> have changed the sysfs attributes directly, for some reason. In this
> case, "keep" would respect whatever state was declared. Because of
> this and as Antoine suggested, I think this is a better option.
>
> On generate-policy vs PresentDevicePolicy, I would argue that the
> simplest option is the best. By running generate-policy, you are
> parsing all current devices, generating rules and then applying these
> rules. There might be (unlikely) a bug in the rule generation which
> ends up blocking a device (e.g., missing attribute or so). The
> PresentDevicePolicy=keep is just a simpler alternative.
>
> It might be useful to write down some Debian-specific documentation on
> how to set up the daemon to be more restrictive? The wiki might be a
> good place for that?

Problem with PresentDevicePolicy=keep is that it might break on reboot
or setup changes (e.g. moving laptop from office to home).

That said, I'd expect such docs to live in
/usr/share/doc/usbguard/README.Debian or something similar, that way if
my USB ethernet controller gets blocked, I can still read it. :)

But wiki is also good because people can contribute more easily. Either
way, docs are good. :) And one can point to the other.

a.

-- 
On ne peut s'empêcher de vieillir, mais on peut s'empêcher de devenir vieux.
                        - Henri Matisse
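
The following is an added example, not part of the original mail and not USBGuard code: a small audit of the kernel's per-device `authorized` sysfs attribute, assumed here to be the directly-set state the quoted message says "keep" would respect. The function names and the sample tree are constructed for illustration; on a real host the root is /sys/bus/usb/devices.

```shell
#!/bin/sh
# Report the USB authorization state currently held in sysfs, so an admin can
# see what PresentDevicePolicy=keep would leave in place before enabling the
# daemon. The root directory is a parameter (an assumption of this example) so
# the functions can be run against a constructed tree.

# Print "<device> <authorized>" for every entry exposing an 'authorized' file.
usb_auth_state() {
    root=${1:-/sys/bus/usb/devices}
    for dev in "$root"/*; do
        # Entries without the attribute (or an empty directory) are skipped.
        [ -f "$dev/authorized" ] || continue
        printf '%s %s\n' "${dev##*/}" "$(cat "$dev/authorized")"
    done
}

# Count entries that are currently deauthorized (authorized=0).
count_deauthorized() {
    usb_auth_state "$1" | awk '$2 == 0 { n++ } END { print n + 0 }'
}

# Constructed sample tree (not real host data): a root hub and two devices,
# one of which has been deauthorized by hand.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usb1" "$t/1-1" "$t/1-2"
    echo 1 > "$t/usb1/authorized"
    echo 1 > "$t/1-1/authorized"
    echo 0 > "$t/1-2/authorized"
    echo "$t"
}

sample=$(make_sample_tree)
usb_auth_state "$sample"
echo "deauthorized: $(count_deauthorized "$sample")"
rm -rf "$sample"
```

A non-zero count means the host already carries hand-set authorization state, which is the case where the choice between "allow" and "keep" is discussed above as mattering.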