Source: gnome-settings-daemon
Version: 3.38.0-2
Severity: normal
As I understand it, gsd-usb-protection adds a rule to allow any USB
device but only while the system is not locked.
On my system, gsd-usb-protection is unable to add the rule.
$ /usr/libexec/gsd-usb-protection -v
(gsd-usb-protection:437340): GLib-DEBUG: 11:03:34.418: unsetenv() is not
thread-safe and should not be used after threads are created
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.420:
Starting USB protection manager
(gsd-usb-protection:437340): GLib-GIO-DEBUG: 11:03:34.422:
_g_io_module_get_default: Found default implementation dconf
(DConfSettingsBackend) for ‘gsettings-backend’
(gsd-usb-protection:437340): dconf-DEBUG: 11:03:34.429: watch_fast:
"/org/gnome/desktop/privacy/" (establishing: 0, active: 0)
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.431:
bus_acquired_cb: acquired bus 0x5627ceb83070 for name
org.gnome.SettingsDaemon.UsbProtection
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.432:
Registered client at path /org/gnome/SessionManager/Client43
(gsd-usb-protection:437340): dconf-DEBUG: 11:03:34.440: watch_established:
"/org/gnome/desktop/privacy/" (establishing: 1)
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.443:
name_acquired_cb: acquired name org.gnome.SettingsDaemon.UsbProtection on bus
0x5627ceb83070
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.444:
name_lost_cb: lost name org.gnome.SettingsDaemon.UsbProtection on bus
0x5627ceb83070
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.456:
Received screensaver ActiveChanged signal: 0 (old: 0)
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.464:
usb_protection_policy_proxy_ready
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.464: Set
protection policy proxy to 0x5627ceb961e0
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.465:
Attempting to sync USB parameters: 1 0x5627ceb961e0 0x5627ceb76fa0
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.466:
Listening to signals
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.470:
InsertedDevicePolicy is: apply-policy
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.470:
Ensuring allow all
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.481:
Detecting rule...
(gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.481:
Adding rule 0
(gsd-usb-protection:437340): usb-protection-plugin-WARNING **:
11:03:34.484: Error appending USBGuard rule:
GDBus.Error:org.freedesktop.DBus.Error.Failed: Policy append: rule: Invalid
parent ID
I've got usbguard 0.7.8+ds-2 instaled. It looks like it doesn't
recognize rule ID 0 as meaning prepend to existing rules.
Here are the D-Bus calls made by gsd-usb-protection:
‣ Type=method_call Endian=l Flags=0 Version=1 Cookie=20
Sender=:1.79980 Destination=:1.923 Path=/org/usbguard1/Policy
Interface=org.usbguard.Policy1 Member=appendRule
UniqueName=:1.79980
MESSAGE "sub" {
STRING "allow id *:* label "GNOME_SETTINGS_DAEMON_RULE"";
UINT32 0;
BOOLEAN true;
};
‣ Type=signal Endian=l Flags=1 Version=1 Cookie=110
Sender=:1.923 Path=/org/usbguard1 Interface=org.usbguard1
Member=ExceptionMessage
UniqueName=:1.923
MESSAGE "sss" {
STRING "Policy append";
STRING "rule";
STRING "Invalid parent ID";
};
‣ Type=error Endian=l Flags=1 Version=1 Cookie=111 ReplyCookie=20
Sender=:1.923 Destination=:1.79980
ErrorName=org.freedesktop.DBus.Error.Failed ErrorMessage="Policy append:
rule: Invalid parent ID"
UniqueName=:1.923
MESSAGE "s" {
STRING "Policy append: rule: Invalid parent ID";
};
-- System Information:
Debian Release: 10.6
APT prefers stable-updates
APT policy: (535, 'stable-updates'), (535, 'stable'), (520, 'testing'), (510,
'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 4.19.0-9-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
