Re: [systemd-devel] Udev rules on reboot

2020-12-20 Thread Mantas Mikulėnas
On Sun, Dec 20, 2020, 21:37 Adi Ml  wrote:

> Yes. That's exactly what I mean (what Mantas said): ATTR{authorized}="0".
> I would like to have a USB whitelist via udev and want it to be enforced on
> devices which connected pre-boot too.
>
> authorized_default=0: it seems the same as
> ATTR{authorized}="0", isn't it?
>
>

Not quite – I guess there is a very small window of time between connection
and udev processing where the device is still authorized, before udev
removes the authorization.

So having authorized_default=0, and then setting all allowed devices to
authorized=1 (allow only approved devices, block the rest) is probably
slightly safer technically.

(Actually maybe you should just use USBGuard instead of writing custom
rules?)

This is what I used to have a long time ago:

# ID_VENDOR / ID_MODEL are filled in by udev's usb_id builtin from the default
# rules, so this file has to sort after those for the matches below to work.
ACTION!="add", GOTO="deauthorize_end"
SUBSYSTEM!="usb", GOTO="deauthorize_end"

# Root hubs (usbN) carry authorized_default: 0 makes every newly seen device start unauthorized.
TEST=="authorized_default", ATTR{authorized_default}="0", GOTO="deauthorize_end"

# Allow-list: devices matched here are explicitly authorized; everything else stays blocked.
ENV{ID_VENDOR}=="Yubico", ENV{ID_MODEL}=="Yubikey_NEO*", ATTR{authorized}="1", GOTO="deauthorize_end"

ENV{ID_VENDOR}=="Zubico", ENV{ID_MODEL}=="Zubikey_GEO*", ATTR{authorized}="1", GOTO="deauthorize_end"

LABEL="deauthorize_end"
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
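An added example, not from the thread or from any of its participants: a small POSIX sh audit of the sysfs attributes the rules above write, so the result of the coldplug run can be verified after a reboot. It assumes the kernel's documented layout, where each root hub `usbN` under `/sys/bus/usb/devices` carries `authorized_default` (the policy for devices that appear later) and every device carries `authorized` (its own state); the sysfs root is a parameter, and the tree it runs against here is constructed in a temporary directory rather than read from real hardware.

```shell
#!/bin/sh
# Added example (not the thread's code). Audits USB authorization state in a
# sysfs-like tree; on a real machine pass /sys/bus/usb/devices as the root.

# Print one line per device: name, authorized value and, for root hubs, the
# authorized_default value. Interface entries (names containing ':') are
# skipped; interface authorization is a separate mechanism.
usb_auth_report() {
    root=$1
    for dev in "$root"/*/; do
        dev=${dev%/}
        name=${dev##*/}
        case $name in *:*) continue ;; esac
        [ -r "$dev/authorized" ] || continue
        auth=$(cat "$dev/authorized")
        if [ -r "$dev/authorized_default" ]; then
            printf '%s authorized=%s authorized_default=%s\n' \
                "$name" "$auth" "$(cat "$dev/authorized_default")"
        else
            printf '%s authorized=%s\n' "$name" "$auth"
        fi
    done
}

# Count root hubs whose authorized_default is not 0. On those hubs a device
# that arrives before udev runs is usable until a rule deauthorizes it, which
# is the window discussed in the thread. Prints the count; exit status is 0
# only when the count is zero.
usb_auth_open_hubs() {
    root=$1
    n=0
    for f in "$root"/*/authorized_default; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "0" ] || n=$((n + 1))
    done
    echo "$n"
    [ "$n" -eq 0 ]
}

# Constructed sysfs-like tree for demonstration; not real device data.
make_demo_tree() {
    root=$1
    mkdir -p "$root/usb1" "$root/usb2" "$root/1-1" "$root/1-1:1.0" "$root/2-3"
    echo 0 > "$root/usb1/authorized_default"   # hub locked down
    echo 1 > "$root/usb2/authorized_default"   # hub still accepting by default
    echo 1 > "$root/usb1/authorized"
    echo 1 > "$root/usb2/authorized"
    echo 1 > "$root/1-1/authorized"            # allow-listed device
    echo 1 > "$root/1-1:1.0/authorized"        # interface, skipped by the report
    echo 0 > "$root/2-3/authorized"            # deauthorized device
}

demo=$(mktemp -d)
make_demo_tree "$demo"
usb_auth_report "$demo"
usb_auth_open_hubs "$demo" >/dev/null || echo "warning: some root hubs accept devices by default"
rm -rf "$demo"
```

Run against the real tree with `usb_auth_report /sys/bus/usb/devices` after boot: every root hub should show `authorized_default=0` and only allow-listed devices `authorized=1`; a hub still at `authorized_default=1` means the allow-list only applies once udev has processed the device.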


Re: [systemd-devel] Udev rules on reboot

2020-12-20 Thread Adi Ml
Yes. That's exactly what I mean (what Mantas said): ATTR{authorized}="0". I
would like to have a USB whitelist via udev and want it to be enforced on
devices which connected pre-boot too.

authorized_default=0: it seems the same as
ATTR{authorized}="0", isn't it?

On Sun, Dec 20, 2020, 15:59, Mantas Mikulėnas <
graw...@gmail.com> wrote:

> On Sun, Dec 20, 2020 at 3:49 PM Lennart Poettering 
> wrote:
>
>> On Sa, 19.12.20 15:37, Adi Ml (maladi1...@gmail.com) wrote:
>>
>> > I see. So if I have a rule against a certain USB device in udev, it should be
>> > blocked automatically during the boot.
>>
>> Hmm, "blocked"? What do you mean by that? I am not following...
>>
>
> I suspect they mean something like ATTR{authorized}="0", which tells the
> kernel to completely ignore that USB device.
>
> (Though it's more common to set authorized_default=0 on all hubs, then
> allow only trusted devices, like USBGuard does.)
>
> --
> Mantas Mikulėnas
>


Re: [systemd-devel] Udev rules on reboot

2020-12-20 Thread Mantas Mikulėnas
On Sun, Dec 20, 2020 at 3:49 PM Lennart Poettering 
wrote:

> On Sa, 19.12.20 15:37, Adi Ml (maladi1...@gmail.com) wrote:
>
> > I see. So if I have a rule against a certain USB device in udev, it should be
> > blocked automatically during the boot.
>
> Hmm, "blocked"? What do you mean by that? I am not following...
>

I suspect they mean something like ATTR{authorized}="0", which tells the
kernel to completely ignore that USB device.

(Though it's more common to set authorized_default=0 on all hubs, then
allow only trusted devices, like USBGuard does.)

-- 
Mantas Mikulėnas


Re: [systemd-devel] Udev rules on reboot

2020-12-20 Thread Lennart Poettering
On Sa, 19.12.20 15:37, Adi Ml (maladi1...@gmail.com) wrote:

> I see. So if I have a rule against a certain USB device in udev, it should be
> blocked automatically during the boot.

Hmm, "blocked"? What do you mean by that? I am not following...

>
> On Sat, Dec 19, 2020, 15:31, Lennart Poettering <
> lenn...@poettering.net> wrote:
>
> > On Sa, 19.12.20 15:26, Adi Ml (maladi1...@gmail.com) wrote:
> >
> > > Hi,
> > >
> > > Is there a way to enforce udev rules on all connected devices (which were
> > > connected pre-boot) after a reboot?
> > > I have tried udevadm trigger and it seems like it's not working.
> >
> > udevadm trigger is invoked automatically at boot, in order to
> > "coldplug" devices that have been found by the kernel already during
> > earlier boot. It's what the systemd-udev-trigger.service unit is
> > doing.
> >
> > Triggering means all udev rules are run again.
> >
> > Lennart
> >
> > --
> > Lennart Poettering, Berlin
> >

Lennart

--
Lennart Poettering, Berlin


Re: [systemd-devel] Udev rules on reboot

2020-12-19 Thread Adi Ml
I see. So if I have a rule against a certain USB device in udev, it should be
blocked automatically during the boot.

On Sat, Dec 19, 2020, 15:31, Lennart Poettering <
lenn...@poettering.net> wrote:

> On Sa, 19.12.20 15:26, Adi Ml (maladi1...@gmail.com) wrote:
>
> > Hi,
> >
> > Is there a way to enforce udev rules on all connected devices (which were
> > connected pre-boot) after a reboot?
> > I have tried udevadm trigger and it seems like it's not working.
>
> udevadm trigger is invoked automatically at boot, in order to
> "coldplug" devices that have been found by the kernel already during
> earlier boot. It's what the systemd-udev-trigger.service unit is
> doing.
>
> Triggering means all udev rules are run again.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
>


Re: [systemd-devel] Udev rules on reboot

2020-12-19 Thread Lennart Poettering
On Sa, 19.12.20 15:26, Adi Ml (maladi1...@gmail.com) wrote:

> Hi,
>
> Is there a way to enforce udev rules on all connected devices (which were
> connected pre-boot) after a reboot?
> I have tried udevadm trigger and it seems like it's not working.

udevadm trigger is invoked automatically at boot, in order to
"coldplug" devices that have been found by the kernel already during
earlier boot. It's what the systemd-udev-trigger.service unit is
doing.

Triggering means all udev rules are run again.

Lennart

--
Lennart Poettering, Berlin