Re: [systemd-devel] Udev hardening

2020-12-16 Thread Lennart Poettering
On Mo, 14.12.20 14:54, Adi Ml (maladi1...@gmail.com) wrote:

> Hi,
>
> I would like to harden my udev service with the
> SystemCallFilter option. What system calls should be permitted/allowed in
> order to secure it and avoid irrelevant system calls?

We apply system call filters to all long running services included in
systemd by default — but we don't for udev because we cannot. It's
more of an "application server" if you so will, that can run other
code, as people can drop in rules of any kind if they wish. And we
don't know what that'll be and what it wants to use. Hence we don't.

In specific setups that only support very specific software you can
of course put together your own rules, but that's only something you
can do if you know the stuff you run.

You may use "SystemCallLog=" (added in v247) in the udev unit file to
make the kernel log all system calls that are done by a service.

Lennart

--
Lennart Poettering, Berlin
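Lennart's suggestion is to observe first and filter second: enable SystemCallLog= (v247+) on systemd-udevd.service through a drop-in for a representative period of kiosk use (see systemd.exec(5) for the list syntax), then turn what the kernel logged into a SystemCallFilter= allowlist. The script below is an added example for this thread, not code from systemd or from either poster. It assumes the kernel's seccomp audit record shape (comm=, arch=, syscall=, code= fields, with code=0x7ffc0000 marking a logged rather than killed call), and it carries only a constructed excerpt of the x86_64 syscall table; the sample records are constructed as well.

```python
"""Derive a SystemCallFilter= allowlist from SystemCallLog= output.

Added example for this thread, not code from systemd or the posters.
Assumed workflow: a drop-in on systemd-udevd.service enables SystemCallLog=
for a while, the kernel emits one seccomp audit record per logged call, and
those records are fed to this script, which renders an allowlist drop-in.
"""
import re
from collections import Counter

# Partial x86_64 syscall table, constructed for this example. A real run
# should resolve numbers against the full table (e.g. ausyscall(8) from the
# audit userspace tools) rather than this excerpt.
X86_64_SYSCALLS = {
    0: "read", 1: "write", 3: "close", 9: "mmap", 16: "ioctl",
    41: "socket", 59: "execve", 231: "exit_group", 232: "epoll_wait",
    257: "openat",
}
X86_64_AUDIT_ARCH = "c000003e"   # AUDIT_ARCH_X86_64 as printed in arch=
SECCOMP_RET_LOG = 0x7FFC0000     # action code carried by SystemCallLog= records

# Field extractors for a seccomp audit record (type=1326 / SECCOMP).
COMM_RE = re.compile(r'comm="([^"]+)"')
ARCH_RE = re.compile(r"\barch=([0-9a-f]+)")
NR_RE = re.compile(r"\bsyscall=(\d+)")
CODE_RE = re.compile(r"\bcode=0x([0-9a-fA-F]+)")


def parse_seccomp_records(lines, comm="systemd-udevd"):
    """Count logged syscalls for one process name.

    Returns a Counter keyed by syscall name. Numbers the table cannot
    resolve are kept as 'nr:<n>' and foreign ABIs as 'arch:<hex>', so
    nothing that was observed silently disappears from the allowlist.
    """
    seen = Counter()
    for line in lines:
        fields = [r.search(line) for r in (COMM_RE, ARCH_RE, NR_RE, CODE_RE)]
        if not all(fields):
            continue                      # not a seccomp record at all
        comm_m, arch_m, nr_m, code_m = fields
        if comm_m.group(1) != comm:
            continue                      # another service's record
        if int(code_m.group(1), 16) != SECCOMP_RET_LOG:
            continue                      # a kill/errno record, not a log entry
        if arch_m.group(1) != X86_64_AUDIT_ARCH:
            seen["arch:" + arch_m.group(1)] += 1
            continue
        nr = int(nr_m.group(1))
        seen[X86_64_SYSCALLS.get(nr, f"nr:{nr}")] += 1
    return seen


def render_dropin(seen):
    """Render a [Service] drop-in with the observed calls as an allowlist.

    Unresolved entries become comments so the operator resolves them before
    enabling the filter. With no SystemCallErrorNumber= set, a call outside
    the list terminates the process, which makes any gap visible quickly.
    """
    resolved = sorted(name for name in seen if ":" not in name)
    unresolved = sorted(name for name in seen if ":" in name)
    out = ["[Service]", "SystemCallFilter=" + " ".join(resolved)]
    out += [f"# unresolved {item}: look up and add before enabling" for item in unresolved]
    return "\n".join(out) + "\n"


def _record(comm, nr, code=SECCOMP_RET_LOG, arch=X86_64_AUDIT_ARCH, seq=200):
    # Constructed sample line in the shape of a kernel seccomp audit message.
    return (f"audit: type=1326 audit(1608022801.{seq:03d}:{seq}): auid=4294967295 "
            f'uid=0 gid=0 ses=4294967295 pid=512 comm="{comm}" '
            f'exe="/usr/lib/systemd/{comm}" sig=0 arch={arch} syscall={nr} '
            f"compat=0 ip=0x7f0c3b0a1e8b code=0x{code:x}")


# Constructed sample log: udevd calls, one unknown number, one record from
# another service and one kill record that must both be ignored.
SAMPLE_LOG = [
    _record("systemd-udevd", 257), _record("systemd-udevd", 257),
    _record("systemd-udevd", 0), _record("systemd-udevd", 41),
    _record("systemd-udevd", 59), _record("systemd-udevd", 999),
    _record("sshd", 257),
    _record("systemd-udevd", 41, code=0x80000000),
]

if __name__ == "__main__":
    print(render_dropin(parse_seccomp_records(SAMPLE_LOG)), end="")
```

The collection window matters more than the script: every helper udev spawns for your hardware, every rule's RUN= program and every hotplug path the kiosk can hit must have been exercised, or the resulting filter kills a udev worker the first time an unseen path runs. That is the same point Lennart makes about udev being an application server: the allowlist is only as complete as your knowledge of what runs under it.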
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] Udev hardening

2020-12-14 Thread Greg KH
On Mon, Dec 14, 2020 at 06:18:24PM +0200, Adi Ml wrote:
> I guess that udev can block devices from userspace only, so from there.
> 
> Of course, you are right, whitelist is better.
> 
> As for usbguard, I thought about using seccomp and filtering system calls
> in my udev service based on their code - I have seen that they list a group
> of system calls and restrict the usage to them only.

That restriction is for the usbguard daemon, and has nothing to do with what
a USB device can or can not do.

I recommend using that program for what you want to accomplish, as that
is exactly what it is designed to do.

good luck!

greg k-h


Re: [systemd-devel] Udev hardening

2020-12-14 Thread Adi Ml
I guess that udev can block devices from userspace only, so from there.

Of course, you are right, whitelist is better.

As for usbguard, I thought about using seccomp and filtering system calls
in my udev service based on their code - I have seen that they list a group
of system calls and restrict the usage to them only.

Anyway, I understand, the system calls that udev uses are mentioned in its
configuration files and are also the system calls used in scripts run when
a rule is triggered (the rules writer has to specify the scripts in
the rules file of course).



On Mon, 14 Dec 2020, 17:41, Greg KH <
gre...@linuxfoundation.org>:

> On Mon, Dec 14, 2020 at 05:31:17PM +0200, Adi Ml wrote:
> > I am using udev in order to create a kiosk mode. I want to block devices
> > which fit a certain vid pid.
>
> Block devices from where?  The kernel or userspace?
>
> udev runs _after_ the kernel has seen the device and bound to it.
>
> And usb vid/pids can be made to be whatever they want to be, be careful
> about triggering off of them to prevent specific things from happening,
> that way is tough.  It's easier to whitelist valid devices that you know
> are correct, and then only allow specific actions to happen on them.
>
> You might want to look into using https://usbguard.github.io/ for how to
> do this "properly".
>
> > I want to filter system calls anyway because I
> > don't know which devices are entered and I want to avoid devices which will
> > do unusual things like rubber ducky.
>
> devices do not make system calls directly, and if you plug a rubber
> ducky in that acts like a keyboard, that is not going to create things
> in udev's process context.
>
> > What do you mean by filtering system calls in scripts: is it needed when
> > the user can influence actions committed in the script?
>
> Look at the programs / scripts that udev calls out to in the udev
> configuration files for examples of these.  A user does not directly
> influence them, except if they are allowed to create/remove hardware.
>
> Hope this helps,
>
> greg k-h
>


Re: [systemd-devel] Udev hardening

2020-12-14 Thread Greg KH
On Mon, Dec 14, 2020 at 05:31:17PM +0200, Adi Ml wrote:
> I am using udev in order to create a kiosk mode. I want to block devices
> which fit a certain vid pid.

Block devices from where?  The kernel or userspace?

udev runs _after_ the kernel has seen the device and bound to it.

And usb vid/pids can be made to be whatever they want to be, be careful
about triggering off of them to prevent specific things from happening,
that way is tough.  It's easier to whitelist valid devices that you know
are correct, and then only allow specific actions to happen on them.

You might want to look into using https://usbguard.github.io/ for how to
do this "properly".

> I want to filter system calls anyway because I
> don't know which devices are entered and I want to avoid devices which will
> do unusual things like rubber ducky.

devices do not make system calls directly, and if you plug a rubber
ducky in that acts like a keyboard, that is not going to create things
in udev's process context.

> What do you mean by filtering system calls in scripts: is it needed when
> the user can influence actions committed in the script?

Look at the programs / scripts that udev calls out to in the udev
configuration files for examples of these.  A user does not directly
influence them, except if they are allowed to create/remove hardware.

Hope this helps,

greg k-h
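Greg's advice is to allowlist the devices you know rather than deny-list suspicious vid/pid pairs, and Adi's mechanism is writing 0 to a device's sysfs `authorized` attribute. Combining the two gives the rules fragment below. It is an added example for this thread, not code from udev, systemd or either poster; the vendor, product and serial values are placeholders to be replaced with the kiosk's approved peripherals. Greg's caveat carries over unchanged: a device can present any idVendor/idProduct/serial it likes, so this raises the bar against casual plug-in of unknown hardware but does not stop a device that clones an allowed identity, which is why he points at usbguard for doing it properly.

```udev
# /etc/udev/rules.d/90-usb-allowlist.rules  (constructed example, not shipped by udev)
# Deauthorize every USB device that is not on the allowlist below.

# Only whole USB devices being added are of interest, not interfaces or removals.
ACTION!="add", GOTO="usb_allowlist_end"
SUBSYSTEM!="usb", GOTO="usb_allowlist_end"
ENV{DEVTYPE}!="usb_device", GOTO="usb_allowlist_end"

# Hubs (bDeviceClass 09) stay authorized: deauthorizing a root hub or an
# intermediate hub takes every device behind it down with it.
ATTR{bDeviceClass}=="09", GOTO="usb_allowlist_end"

# Allowlist: one line per approved device. PLACEHOLDER values must be replaced
# with the real identifiers read from the approved hardware (lsusb -v or sysfs).
ATTR{idVendor}=="0000", ATTR{idProduct}=="0000", ATTR{serial}=="PLACEHOLDER-SERIAL-1", GOTO="usb_allowlist_end"
ATTR{idVendor}=="0000", ATTR{idProduct}=="0001", GOTO="usb_allowlist_end"

# Everything else: writing 0 to the device's sysfs "authorized" attribute
# asks the kernel to deauthorize it, so no driver binds to its interfaces.
ATTR{authorized}="0"

LABEL="usb_allowlist_end"
```

Note the ordering: the device has already been enumerated by the kernel by the time this rule runs, exactly as Greg says, so this is userspace reacting after the fact. A stricter variant flips the default instead: set `authorized_default` to 0 on each USB host controller (the `usbN` entries under /sys/bus/usb/devices) so new devices start out deauthorized, and have the allowlist lines write `ATTR{authorized}="1"` for approved devices rather than the fallthrough writing 0 for unknown ones. Both variants still rely on identifiers the device itself reports.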


Re: [systemd-devel] Udev hardening

2020-12-14 Thread Adi Ml
I am using udev in order to create a kiosk mode. I want to block devices
which fit a certain vid pid. I want to filter system calls anyway because I
don't know which devices are entered and I want to avoid devices which will
do unusual things like rubber ducky.

What do you mean by filtering system calls in scripts: is it needed when
the user can influence actions committed in the script?

On Mon, 14 Dec 2020, 16:45, Greg KH <
gre...@linuxfoundation.org>:

> On Mon, Dec 14, 2020 at 04:30:58PM +0200, Adi Ml wrote:
> > Hi,
> > Is there some way to detect which system calls I am using in udev (in
> > order to filter it)?
>
> I don't understand, if you don't know what system calls you are needing,
> why do you need to filter anything?  Do you not trust udev to work
> properly?
>
> > I do not use any script, I just echo 0 to the authorized file in the device
> > connected in order to disable it when it is not the wanted device (the
> > match is based on serial number, vid, pid)
>
> Udev calls loads of helper tools in order to generate persistent names.
> If you don't have any udev rules that call anything, then what do you
> need udev for?
>
> thanks,
>
> greg k-h
>


Re: [systemd-devel] Udev hardening

2020-12-14 Thread Greg KH
On Mon, Dec 14, 2020 at 04:30:58PM +0200, Adi Ml wrote:
> Hi,
> Is there some way to detect which system calls I am using in udev (in
> order to filter it)?

I don't understand, if you don't know what system calls you are needing,
why do you need to filter anything?  Do you not trust udev to work
properly?

> I do not use any script, I just echo 0 to the authorized file in the device
> connected in order to disable it when it is not the wanted device (the
> match is based on serial number, vid, pid)

Udev calls loads of helper tools in order to generate persistent names.
If you don't have any udev rules that call anything, then what do you
need udev for?

thanks,

greg k-h


Re: [systemd-devel] Udev hardening

2020-12-14 Thread Adi Ml
Hi,
Is there some way to detect which system calls I am using in udev (in
order to filter it)?

I do not use any script, I just echo 0 to the authorized file in the device
connected in order to disable it when it is not the wanted device (the
match is based on serial number, vid, pid)

Thank you

On Mon, 14 Dec 2020, 15:40, Greg KH <
gre...@linuxfoundation.org>:

> On Mon, Dec 14, 2020 at 02:54:31PM +0200, Adi Ml wrote:
> > Hi,
> >
> > I would like to harden my udev service with the
> > SystemCallFilter option. What system calls should be permitted/allowed in
> > order to secure it and avoid irrelevant system calls?
>
> It all depends on what type of scripts/programs you want udev to be able
> to call.  That's up to you and your specific hardware configuration.
>
> good luck!
>
> greg k-h
>


Re: [systemd-devel] Udev hardening

2020-12-14 Thread Greg KH
On Mon, Dec 14, 2020 at 02:54:31PM +0200, Adi Ml wrote:
> Hi,
> 
> I would like to harden my udev service with the
> SystemCallFilter option. What system calls should be permitted/allowed in
> order to secure it and avoid irrelevant system calls?

It all depends on what type of scripts/programs you want udev to be able
to call.  That's up to you and your specific hardware configuration.

good luck!

greg k-h


[systemd-devel] Udev hardening

2020-12-14 Thread Adi Ml
Hi,

I would like to harden my udev service with the
SystemCallFilter option. What system calls should be permitted/allowed in
order to secure it and avoid irrelevant system calls?

Thank you!