Signed-off-by: Jeremy White <[email protected]>
---
 kernel/main.c  | 10 ++++++++++
 kernel/redir.c | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/kernel/main.c b/kernel/main.c
index cf11cbb..7b52b94 100644
--- a/kernel/main.c
+++ b/kernel/main.c
@@ -88,6 +88,16 @@ module_param(devices_per_hub, uint, S_IRUSR|S_IWUSR);
 MODULE_PARM_DESC(devices_per_hub,
                "Maximum number of devices per hub; default 16");
 
+char *whitelist = NULL;
+module_param(whitelist, charp, S_IRUSR|S_IWUSR);
+MODULE_PARM_DESC(whitelist,
+               "List of acceptable devices permitted to connect.");
+
+char *blacklist = NULL;
+module_param(blacklist, charp, S_IRUSR|S_IWUSR);
+MODULE_PARM_DESC(blacklist,
+               "List of devices not permitted to connect.");
+
 module_init(usbredir_main_init);
 module_exit(usbredir_main_exit);
 
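Review bot: Both new parameters are registered with `S_IRUSR|S_IWUSR`, so root can rewrite them through sysfs while `redir_device_connect()` in kernel/redir.c is reading the same pointer, and no lock is visible in these hunks. A write to a `charp` parameter replaces the string and may free the old one, so a concurrent lookup could read freed memory. Unless runtime updates are required, registering them read-only avoids this: `module_param(whitelist, charp, S_IRUSR);`, and likewise for `blacklist`. If they must stay writable, the lookup should hold the module-parameter lock. The descriptions should also state the expected format, for example `"List of vendor:product ids (hex, vvvv:pppp) permitted to connect."`.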
diff --git a/kernel/redir.c b/kernel/redir.c
index 5531707..0c71aee 100644
--- a/kernel/redir.c
+++ b/kernel/redir.c
@@ -141,6 +141,19 @@ static void redir_free_lock(void *lock)
        kfree(lock);
 }
 
+static bool find_device(const char *list, int vendor, int id)
+{
+       const char *p;
+       char buf[24];
+
+       sprintf(buf, "%04x:%04x", vendor, id);
+
+       for (p = list; strlen(p) >= strlen(buf); p++)
+               if (strncasecmp(p, buf, strlen(buf)) == 0)
+                       return true;
+
+       return false;
+}
 
 /* The below callbacks are called when a complete packet of the relevant
    type has been received.
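Review bot: `find_device()` does an unanchored, case-insensitive substring search, so the 9-character `vvvv:pppp` pattern matches anywhere in the string, including inside a longer or malformed token. For the whitelist that is more permissive than an exact per-entry comparison. The function has no comment, so I would add `/* Return true if "vvvv:pppp" (hex) for this vendor/id occurs in list; list format: <separator> — TODO confirm */` and either split on the separator or document the substring behaviour. The loop also calls `strlen()` on both strings every iteration, and the format is unbounded; `size_t n = scnprintf(buf, sizeof(buf), "%04x:%04x", vendor, id);` bounds the write and gives the length once. The buffer is currently large enough for two `int` values, so this is hardening rather than an overflow fix.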
@@ -154,6 +167,8 @@ static void redir_hello(void *priv, struct 
usb_redir_hello_header *hello)
        pr_debug("Hello!\n");
 }
 
+extern char *whitelist;
+extern char *blacklist;
 static void redir_device_connect(void *priv,
        struct usb_redir_device_connect_header *device_connect)
 {
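Review bot: The `extern char *whitelist;` and `extern char *blacklist;` declarations are placed directly in redir.c, so the compiler never checks them against the definitions in main.c. Moving them to the header the two files already share keeps the types in sync. The globals are not `static` and have very generic names, so a module-specific prefix would be safer, for example `usbredir_whitelist`. The body of `redir_device_connect()` continues outside this hunk.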
@@ -165,6 +180,25 @@ static void redir_device_connect(void *priv,
        pr_debug("  vendor 0x%04x product %04x\n",
                device_connect->vendor_id, device_connect->product_id);
 
+       if (whitelist && ! find_device(whitelist, device_connect->vendor_id,
+                       device_connect->product_id)) {
+               pr_err("Device %04x:%04x not in white list.\n",
+               device_connect->vendor_id, device_connect->product_id);
+               if (udev->socket)
+                       kernel_sock_shutdown(udev->socket, SHUT_RDWR);
+               return;
+       }
+
+       if (blacklist && find_device(blacklist, device_connect->vendor_id,
+                       device_connect->product_id)) {
+               pr_err("Device %04x:%04x in black list.\n",
+               device_connect->vendor_id, device_connect->product_id);
+               if (udev->socket)
+                       kernel_sock_shutdown(udev->socket, SHUT_RDWR);
+               return;
+       }
+
+
        spin_lock(&udev->lock);
        udev->connect_header = *device_connect;
        spin_unlock(&udev->lock);
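Review bot: The allow/deny decision here is based only on `device_connect->vendor_id` and `product_id`, which come from the remote end in the packet and are not authenticated by anything visible in this hunk. The filter therefore works as a policy convenience, not as a trust boundary, and a comment should say so: `/* ids are reported by the peer; this filters policy, it does not authenticate the device */`. Both reject branches log with `pr_err()` on peer-controlled input, so a peer that keeps reconnecting could flood the log; `pr_err_ratelimited("Device %04x:%04x not in white list.\n", ...)` bounds that. The two branches repeat the same shutdown-and-return sequence and could share one small helper. Whether any other per-device state needs unwinding after the early `return` cannot be judged from here, as the function starts and ends outside the hunk.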
-- 
2.1.4
