On 03/06/2018 01:03 AM, Shuah Khan wrote:
In my particular case devices are imported from remote machines. But
well, the thing is that I don't care where the connections come from,
they could even be devices emulated in user space.
On 03/05/2018 02:00 AM, Salvador Fandiño wrote:
On 02/21/2018 01:35 AM, Shuah Khan wrote:
On 01/30/2018 01:36 AM, Salvador Fandino wrote:
Let me start by explaining the problem that have motivated me to write
I work on the QVD, a virtual desktop platform for Linux. This software
runs Linux desktops (i.e. XFCE, KDE) and their applications inside LXC
containers, and makes then available through the network to remote
Supporting USB devices is a common feature customers have been
requesting us for a long time (in order to use, for instance, remote
signature pads, bar-code scanners, fingerprint readers, etc.). So, we
have been working on that feature using the USB/IP layer on the
Connecting and disconnecting devices and transferring data works
seamless for the devices listed above. But we also want to make the
usbip operations private to the container where they are run. For
instance, it is unacceptable for our product, that one user could list
the devices connected by other users or access them.
We can control how can access every device using cgroups once those
are attached, but the usbip layer is not providing any mechanism for
controlling who can attach, detach or list the devices.
In this use-case:
- does a container act as usbip client and attach devices from their
- do containers attach remote devices from other systems?
No, that is a different issue. You are talking about controlling which
devices can be connected, from which hosts, etc. That is an interesting
problem but not the one I am trying to tackle here.
Is the core of the problem really that any remote system can import without
a provision for being able to restrict export to a set of remote machines?
If so, this is a generic problem even without containers and I would like
to solve this with a generic solution that works in all cases, not just for
I don't mind which every user does inside its container as far as it
does not interfere which other users. In practice that means:
1- Not being able to attach/detach devices in other containers
2- Not being able to list devices attached in other containers
3- Not being able to access devices attached in other containers.
Point 3 is already enforceable using the devices hierarchy in cgroups.
For points 1 and 2, my proposition is making every vhci_hcd device have
its own fully independent sysfs directory (instead of all of them going
through vhci_hcd.0) so that they can be selectively exposed with rw
permissions inside the containers.
The approach in this patch series appears to solve the problem just for
Did you explore a solution to add a mechanism for access control to
Could you elaborate on that?
For "usbip", do you mean the user space tools?
If that is the case, I don't think it would be enough.
My aim is to limit vhci usage from containers and I have no control about what runs
inside the containers. So, a mangled usbip tool-set could > > be used by a
malicious user to circumvent any access control set there.>
I mean the driver. There might be changes necessary in the user-space
as well depending on how the access controls are implemented. I am not
proposing implementing access controls in the user-space.
IMO, there is no other choice but to control access to VHCI at the kernel level.
Probably. Please give as many details as possible on your environment
for me to make a call on if this problem can be solved in a different
In our particular real life application, we are targeting the kernel
interface directly, we don't use the usbip tools at all. It is that way
because we have our own* transport layer, authentication and
authorization mechanisms. And once all the handshaking is done we end
with a socket we can directly pass to the kernel in order to get it
attached to a vhci_hcd port. We don't like having an extra application
listening on some TCP port which can be accessed by third parties on the
client side either.
The imported USB devices used are mostly devices which do not require
kernel modules and that are accessed though libusb by the applications
(i.e., id card readers, barcode scanners, signing pads, etc.).
* Just in case you want to know, USBIP data goes through a channel in a
nx (https://github.com/ArcticaProject/nx-libs) connection running over a
websocket over TLS. Authentication is performed by the broker (a proxy
which knows where a user containers are running). Authorization is
performed following policies configured by the administrator (currently
it is just an all or nothing policy: USPIP is allowed or not) by the
control application at container creation time.
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html