Re: [systemd-devel] Udev rules on reboot
On Sun, Dec 20, 2020, 21:37 Adi Ml wrote:

> Yes. That's exactly what I mean (what Mantas said) - ATTR{authorized}="0".
> I would like to have a USB whitelist via udev and want it to be enforced on
> devices which connected pre boot too.
>
> authorized_default=0 - it seems the same as
> ATTR{authorized}="0", isn't it?
>

Not quite – I guess there is a very small window of time between connection and udev processing where the device is still authorized, before udev removes the authorization. So having authorized_default=0, and then setting all allowed devices to authorized=1 (allow only approved devices, block the rest) is probably slightly safer technically.

(Actually maybe you should just use USBGuard instead of writing custom rules?)

This is what I used to have a long time ago:

    # Only act on newly added USB devices; everything else skips to the end.
    ACTION!="add", GOTO="deauthorize_end"
    SUBSYSTEM!="usb", GOTO="deauthorize_end"
    # Hubs (they expose authorized_default): make every new device start unauthorized.
    TEST=="authorized_default", ATTR{authorized_default}="0", GOTO="deauthorize_end"
    # Allow-list: re-authorize approved devices by udev's ID_VENDOR/ID_MODEL.
    ENV{ID_VENDOR}=="Yubico", ENV{ID_MODEL}=="Yubikey_NEO*", ATTR{authorized}="1", GOTO="deauthorize_end"
    ENV{ID_VENDOR}=="Zubico", ENV{ID_MODEL}=="Zubikey_GEO*", ATTR{authorized}="1", GOTO="deauthorize_end"
    LABEL="deauthorize_end"

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
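One way to verify after a reboot that the coldplug run of a rule set like the one above really left the system in the intended state, as an added example that is not part of this thread: a POSIX sh audit that walks /sys/bus/usb/devices, flags any hub whose authorized_default is not 0 and any authorized device whose manufacturer/product do not match an allow-list file. The allow-list format is constructed here (one "VENDOR MODEL-glob" per line, with spaces in the product string folded to underscores the way udev's ID_MODEL does, so the patterns from the rule can be reused), and the sysfs root is a parameter so the function can be run against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the thread): audit USB authorization state.
# usb_auth_audit SYSFS_ROOT ALLOW_FILE
#   SYSFS_ROOT  normally /sys; any tree with bus/usb/devices/* works
#   ALLOW_FILE  constructed format: one "VENDOR MODEL-glob" per line
# Prints one line per finding and returns 1 if anything is off, 0 if clean.
usb_auth_audit() {
    root="$1" allow="$2" rc=0
    for dev in "$root"/bus/usb/devices/*/; do
        dev="${dev%/}"; name="${dev##*/}"
        # Interface nodes (e.g. 1-1:1.0) are not devices; skip them.
        case "$name" in *:*) continue ;; esac
        # Hub entries expose authorized_default; the rule wants it at 0.
        if [ -f "$dev/authorized_default" ]; then
            def=$(cat "$dev/authorized_default")
            [ "$def" = "0" ] || { echo "HUB $name authorized_default=$def (want 0)"; rc=1; }
            continue
        fi
        # Only authorized devices need to be on the allow-list.
        [ -f "$dev/authorized" ] && [ "$(cat "$dev/authorized")" = "1" ] || continue
        # manufacturer/product are populated once the kernel has enumerated the
        # device; fold spaces to '_' like udev's ID_MODEL so rule patterns match.
        vendor=$(cat "$dev/manufacturer" 2>/dev/null | tr ' ' '_')
        model=$(cat "$dev/product" 2>/dev/null | tr ' ' '_')
        ok=0
        while read -r pv pm; do
            [ -n "$pv" ] || continue
            # $pv is matched literally, $pm as a shell glob (e.g. Yubikey_NEO*).
            case "$vendor/$model" in "$pv"/$pm) ok=1; break ;; esac
        done < "$allow"
        [ "$ok" = 1 ] || { echo "DEV $name $vendor $model authorized but not allow-listed"; rc=1; }
    done
    return "$rc"
}
```

Run it as `usb_auth_audit /sys /etc/usb-allow.list` (path constructed) from a boot-time unit or a cron job to catch devices that slipped through the window between connection and udev processing.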
Re: [systemd-devel] Udev rules on reboot
Yes. That's exactly what I mean (what Mantas said) - ATTR{authorized}="0". I would like to have a USB whitelist via udev and want it to be enforced on devices which connected pre boot too.

authorized_default=0 - it seems the same as ATTR{authorized}="0", isn't it?

On Sun, 20 Dec 2020, 15:59, Mantas Mikulėnas < graw...@gmail.com> wrote:

> On Sun, Dec 20, 2020 at 3:49 PM Lennart Poettering wrote:
>
>> On Sa, 19.12.20 15:37, Adi Ml (maladi1...@gmail.com) wrote:
>>
>> > I see. so if I have a rule against a certain USB in udev, it should be
>> > blocked automatically during the boot.
>>
>> Hmm, "blocked"? What do you mean by that? I am not following...
>>
>
> I suspect they mean something like ATTR{authorized}="0", which tells the
> kernel to completely ignore that USB device.
>
> (Though it's more common to set authorized_default=0 on all hubs, then
> allow only trusted devices, like USBGuard does.)
>
> --
> Mantas Mikulėnas
>
Re: [systemd-devel] Udev rules on reboot
On Sun, Dec 20, 2020 at 3:49 PM Lennart Poettering wrote:

> On Sa, 19.12.20 15:37, Adi Ml (maladi1...@gmail.com) wrote:
>
> > I see. so if I have a rule against a certain USB in udev, it should be
> > blocked automatically during the boot.
>
> Hmm, "blocked"? What do you mean by that? I am not following...
>

I suspect they mean something like ATTR{authorized}="0", which tells the kernel to completely ignore that USB device.

(Though it's more common to set authorized_default=0 on all hubs, then allow only trusted devices, like USBGuard does.)

--
Mantas Mikulėnas
Re: [systemd-devel] Udev rules on reboot
On Sa, 19.12.20 15:37, Adi Ml (maladi1...@gmail.com) wrote:

> I see. so if I have a rule against a certain USB in udev, it should be
> blocked automatically during the boot.

Hmm, "blocked"? What do you mean by that? I am not following...

> On Sat, 19 Dec 2020, 15:31, Lennart Poettering <
> lenn...@poettering.net> wrote:
>
> > On Sa, 19.12.20 15:26, Adi Ml (maladi1...@gmail.com) wrote:
> >
> > > Hi,
> > >
> > > Is there a way to enforce udev rules on all connected devices (which were
> > > connected pre-boot) after a reboot?
> > > I have tried udevadm trigger and seems like it's not working
> >
> > udevadm trigger is invoked automatically at boot, in order to
> > "coldplug" devices that have been found by the kernel already during
> > earlier boot. It's what the systemd-udev-trigger.service unit is
> > doing.
> >
> > Triggering means all udev rules are run again.
> >
> > Lennart
> >
> > --
> > Lennart Poettering, Berlin

Lennart

--
Lennart Poettering, Berlin
Re: [systemd-devel] Udev rules on reboot
I see. so if I have a rule against a certain USB in udev, it should be blocked automatically during the boot.

On Sat, 19 Dec 2020, 15:31, Lennart Poettering < lenn...@poettering.net> wrote:

> On Sa, 19.12.20 15:26, Adi Ml (maladi1...@gmail.com) wrote:
>
> > Hi,
> >
> > Is there a way to enforce udev rules on all connected devices (which were
> > connected pre-boot) after a reboot?
> > I have tried udevadm trigger and seems like it's not working
>
> udevadm trigger is invoked automatically at boot, in order to
> "coldplug" devices that have been found by the kernel already during
> earlier boot. It's what the systemd-udev-trigger.service unit is
> doing.
>
> Triggering means all udev rules are run again.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
>
Re: [systemd-devel] Udev rules on reboot
On Sa, 19.12.20 15:26, Adi Ml (maladi1...@gmail.com) wrote:

> Hi,
>
> Is there a way to enforce udev rules on all connected devices (which were
> connected pre-boot) after a reboot?
> I have tried udevadm trigger and seems like it's not working

udevadm trigger is invoked automatically at boot, in order to "coldplug" devices that have been found by the kernel already during earlier boot. It's what the systemd-udev-trigger.service unit is doing.

Triggering means all udev rules are run again.

Lennart

--
Lennart Poettering, Berlin
[systemd-devel] Udev rules on reboot
Hi,

Is there a way to enforce udev rules on all connected devices (which were connected pre-boot) after a reboot?
I have tried udevadm trigger and seems like it's not working

Thank you