A new stable release of USBGuard is available and it mainly brings important bug fixes. See the release page at Github for more information about the release. The stable release contains minor bug fixes which needed to be solved before the official release could be published.
Many thanks to the following people for contributions to this release and to the USBGuard project:
Regards, Radovan
A new release of USBGuard is available and it brings important bug fixes. See the release page at Github for more information about the release. This release mainly contains bugfixes related to the rules.d feature introduced in 0.7.7.
Many thanks to the following people for contributions to this release and to the USBGuard project:
Regards, Radovan
A new release of USBGuard is available and it brings important bug fixes and new features. See the release page at Github for more information about the release.
Many thanks to the following people for contributions to this release and to the USBGuard project:
Regards, Radovan
A new release of USBGuard is available and it brings important bug fixes and new features. See the release page at Github for more information about the release.
Now the important project updates I would like to announce:
Many thanks to the following people for contributions to this release and to the USBGuard project:
Regards, Radovan
A new release of USBGuard is available and it brings important bug fixes and new features. See the release page at Github for more information about the release.
Now the important project updates I would like to announce:
Unfortunately, I’ve lost access to my GPG keys (and revocation certs too) that were used to sign the release tarballs and commits. Because of that, the upcoming releases will be signed with a different key, see my keybase.io page for details and the new key. This might change once more because future releases might be created by one of multiple maintainers (see below).
I’m no longer the sole maintainer of the upstream repository. Radovan Sroka from Red Hat and Thiébaud Weksteen from Google joined forces as maintainers. Thank you both for doing so!
Regards, Daniel
usbguard-daemon instance handles newly inserted USB devices.
The behaviour is defined by the value of the InsertedDevicePolicy runtime parameter and the default choice is to apply the policy rules to figure out whether to authorize the device or not.
The parameter can be read and modified via the usbguard CLI:
$ sudo usbguard get-parameter InsertedDevicePolicy
apply-policy
To change the policy to block use:
$ sudo usbguard set-parameter InsertedDevicePolicy block
Now try to insert a USB device and it won’t be authorized even if there’s a rule in your policy that says otherwise. Devices connected before the parameter value change aren’t affected and remain in the same state.
Please note that for the examples below to work, you need to allow your desktop user to modify the USBGuard runtime parameters.
This can be done either with USBGuard IPC access control or by giving sudo permissions to run usbguard set-parameter without authentication.
The following command will allow user joe to read and modify the runtime parameters via USBGuard IPC:
$ sudo usbguard add-user joe --parameters ALL
Note that the command sets the ACL to exactly what is specified on the command line; it does not append to any existing ACL settings for the user.
If you are using a custom screen locker like i3lock, you’ll need to create a wrapper script that takes care of setting the InsertedDevicePolicy parameter, something like this:
#!/bin/sh
# Wrapper around i3lock: reject newly inserted USB devices while the screen is locked
# and restore the normal policy once the locker exits or the script is interrupted.
POLICY_UNLOCKED=apply-policy
POLICY_LOCKED=reject
revert() {
    usbguard set-parameter InsertedDevicePolicy "$POLICY_UNLOCKED"
}
# Signal names without the SIG prefix are the portable form for POSIX sh.
trap revert HUP INT TERM
usbguard set-parameter InsertedDevicePolicy "$POLICY_LOCKED"
i3lock -n
revert
Now adjust your screen locker shortcuts and settings to point to this wrapper script instead of the original locker command and that’s it.
If you are using a desktop environment which has built-in screen locking support, then it probably signals the “screen (un)locked” state via D-Bus.
In that case you need to create a script to watch for these signals and set the InsertedDevicePolicy parameter appropriately.
The script should be running in your session (refer to your desktop environment’s documentation on how to automatically start the script after you log in).
Example script:
#!/bin/sh
# Watch the session bus for org.freedesktop.ScreenSaver signals; the ActiveChanged
# signal carries a boolean that is true when the screen gets locked and false when
# it gets unlocked, and the policy is switched accordingly.
DBUS_INTERFACE=org.freedesktop.ScreenSaver
POLICY_UNLOCKED=apply-policy
POLICY_LOCKED=reject
dbus-monitor --session "type='signal',interface='$DBUS_INTERFACE'" |
while read -r x; do
    case "$x" in
    *"boolean true"*) usbguard set-parameter InsertedDevicePolicy "$POLICY_LOCKED"
    ;;
    *"boolean false"*) usbguard set-parameter InsertedDevicePolicy "$POLICY_UNLOCKED"
    ;;
    esac
done
usbguard-daemon IPC access control in a previous post.
However, the 0.7.0 release introduced another way to configure the same thing with more control over who can do what.
Previously, one could only enable a user or group to use the whole IPC interface. With the new ACL system, the access can be limited to specific sections of the interface and specific privileges inside that section.
The available sections and privileges are:
Devices
  modify: Change authorization state of devices including permanent changes (i.e. modification of device specific rules in the policy).
  list: Ability to get a list of recognized devices and their attributes.
  listen: Listen to device presence and device policy changes.
Policy
  modify: Append rules to or remove any rules from the policy.
  list: Ability to view the currently enforced policy.
Exceptions
  listen: Receive exception messages.
Parameters
  modify: Set values of run-time parameters.
  list: Get values of run-time parameters.
To use this new system, you first have to modify the usbguard-daemon configuration and set the IPCAccessControlFiles setting to point to a location where the ACL definition files will be stored, for example: /etc/usbguard/IPCAccessControl.d/.
Once set, you can use the usbguard CLI to define the ACL. For example:
$ sudo usbguard add-user joe --devices ALL --policy list,listen --exceptions ALL
That command will enable user joe to have full access to the Devices and Exceptions sections. In addition, joe will be able to list the policy and listen to policy signals.
To remove the definition, use:
$ sudo usbguard remove-user joe
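To make the section/privilege model concrete, here is a small in-memory model of the ACL semantics described above. It is added example code, not USBGuard's implementation and not its on-disk ACL file format; it only mirrors the behaviour of the add-user and remove-user commands shown in this post, including the fact that add-user replaces a user's ACL rather than appending to it. The section and privilege names are the ones listed above; the demo() function and its sample user are constructed for illustration.

```python
# Illustrative model of the usbguard IPC ACL semantics described in the post.
# Added example code: not USBGuard's implementation or its ACL file format.
SECTIONS = ("devices", "policy", "exceptions", "parameters")
PRIVILEGES = ("modify", "list", "listen")


def parse_acl_spec(args):
    """Turn 'usbguard add-user'-style options, e.g.
    ['--devices', 'ALL', '--policy', 'list,listen'], into {section: set(privileges)}.
    'ALL' is kept as a wildcard; anything else must be a comma-separated privilege list."""
    acl = {}
    it = iter(args)
    for opt in it:
        section = opt[2:] if opt.startswith("--") else None
        if section not in SECTIONS:
            raise ValueError(f"unknown section option {opt!r}")
        value = next(it, None)
        if value is None:
            raise ValueError(f"missing value for {opt}")
        if value == "ALL":
            acl[section] = {"ALL"}
            continue
        privs = {p.strip() for p in value.split(",") if p.strip()}
        if not privs or privs - set(PRIVILEGES):
            raise ValueError(f"bad privilege list for {opt}: {value!r}")
        acl[section] = privs
    return acl


def is_valid_spec(args):
    """True if parse_acl_spec accepts the option list, False otherwise."""
    try:
        parse_acl_spec(args)
        return True
    except ValueError:
        return False


class AccessControl:
    """In-memory stand-in for the per-user ACL definitions under IPCAccessControlFiles."""

    def __init__(self):
        self.users = {}

    def add_user(self, name, args):
        # Like 'usbguard add-user': the new spec replaces the user's ACL outright;
        # it is not merged with whatever was defined before.
        self.users[name] = parse_acl_spec(args)

    def remove_user(self, name):
        # Like 'usbguard remove-user': drop the definition entirely.
        self.users.pop(name, None)

    def is_allowed(self, name, section, privilege):
        """True if the user may use 'privilege' in 'section'; unknown users get nothing."""
        privs = self.users.get(name, {}).get(section, set())
        return "ALL" in privs or privilege in privs


def demo():
    """Replays the post's add-user example, then an overwrite, then remove-user."""
    ac = AccessControl()
    ac.add_user("joe", ["--devices", "ALL", "--policy", "list,listen", "--exceptions", "ALL"])
    first = {
        "devices:modify": ac.is_allowed("joe", "devices", "modify"),
        "policy:list": ac.is_allowed("joe", "policy", "list"),
        "policy:modify": ac.is_allowed("joe", "policy", "modify"),
        "parameters:list": ac.is_allowed("joe", "parameters", "list"),
    }
    # Re-running add-user with only --parameters ALL overwrites the earlier ACL.
    ac.add_user("joe", ["--parameters", "ALL"])
    second = {
        "devices:modify": ac.is_allowed("joe", "devices", "modify"),
        "parameters:modify": ac.is_allowed("joe", "parameters", "modify"),
    }
    ac.remove_user("joe")
    return first, second, ac.is_allowed("joe", "parameters", "modify")


if __name__ == "__main__":
    print(demo())
```

The second step of demo() is the point worth checking on a real system: after granting a user parameter access with a fresh add-user call, any earlier device or policy privileges are gone unless you repeat them on the same command line.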
From all the bug fixes in this release, I’d like to point out one which required a backwards incompatible change and requires an update to existing policies. The Linux USB root hub devices use the kernel version as the bcdDevice attribute value. The value is part of the USB descriptor data which USBGuard uses for computing the device hash and therefore causes the device hash to change on every kernel update. This in turn makes USBGuard rules which rely on this hash to not match and block the device. And because it’s a root hub device that gets blocked, all the other devices get blocked too. The bug fix is simple, reset the bcdDevice value to zero before hashing (applied only for the Linux root hub devices).
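The following script illustrates the root hub hash problem and the fix described above. It is added example code, not USBGuard's hashing code: it builds a standard 18-byte USB device descriptor with constructed sample values, hashes it with SHA-256, and shows that a Linux root hub (vendor id 0x1d6b, product ids 0x0001 to 0x0003, an assumption about how root hubs are identified) gets a different hash after a kernel update unless bcdDevice is zeroed first. The hex digest output is a simplification and not USBGuard's exact hash encoding.

```python
import hashlib
import struct

LINUX_FOUNDATION_VID = 0x1D6B                  # vendor id used by Linux root hubs (assumption)
LINUX_ROOT_HUB_PIDS = (0x0001, 0x0002, 0x0003)  # USB 1.1, 2.0 and 3.0 root hubs (assumption)
BCD_DEVICE_OFFSET = 12                          # bcdDevice occupies bytes 12..13 of the descriptor


def device_descriptor(id_vendor, id_product, bcd_device):
    """Build an 18-byte USB standard device descriptor from constructed sample values.
    Field order follows the USB 2.0 specification (table 9-8)."""
    return struct.pack(
        "<BBHBBBBHHHBBBB",
        18, 1,                  # bLength, bDescriptorType = DEVICE
        0x0200,                 # bcdUSB
        9, 0, 0,                # bDeviceClass (hub), bDeviceSubClass, bDeviceProtocol
        64,                     # bMaxPacketSize0
        id_vendor, id_product,  # idVendor, idProduct
        bcd_device,             # bcdDevice: Linux root hubs report the running kernel version here
        0, 0, 0,                # iManufacturer, iProduct, iSerialNumber
        1,                      # bNumConfigurations
    )


def is_linux_root_hub(descriptor):
    """Identify a Linux root hub by its vendor/product id pair (see assumptions above)."""
    id_vendor, id_product = struct.unpack_from("<HH", descriptor, 8)
    return id_vendor == LINUX_FOUNDATION_VID and id_product in LINUX_ROOT_HUB_PIDS


def device_hash(descriptor, normalize_root_hub=True):
    """SHA-256 over the descriptor bytes. With normalize_root_hub, the bcdDevice field of a
    Linux root hub is zeroed before hashing, which is the 0.7.0 fix the post describes."""
    data = bytearray(descriptor)
    if normalize_root_hub and is_linux_root_hub(data):
        data[BCD_DEVICE_OFFSET:BCD_DEVICE_OFFSET + 2] = b"\x00\x00"
    return hashlib.sha256(data).hexdigest()


def root_hub_hash_stability():
    """The same USB 2.0 root hub as seen under kernel 4.15 and, after an update, kernel 4.19."""
    before = device_descriptor(LINUX_FOUNDATION_VID, 0x0002, 0x0415)
    after = device_descriptor(LINUX_FOUNDATION_VID, 0x0002, 0x0419)
    return {
        "unfixed_stable": device_hash(before, False) == device_hash(after, False),
        "fixed_stable": device_hash(before) == device_hash(after),
    }


def other_device_hash_changes():
    """A non-root-hub device (constructed ids) is hashed as-is, so a firmware revision bump
    in bcdDevice still changes its hash: the normalization applies to root hubs only."""
    v1 = device_descriptor(0x1234, 0x5678, 0x0100)
    v2 = device_descriptor(0x1234, 0x5678, 0x0101)
    return device_hash(v1) != device_hash(v2)


if __name__ == "__main__":
    print(root_hub_hash_stability())
    print("other device hash changes with bcdDevice:", other_device_hash_changes())
```

The practical consequence for existing policies is the one the post mentions: a rule that pins the root hub by its old hash has to be regenerated once after upgrading, because the normalized hash differs from the one computed before the fix.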
New features include a UEvent based device manager and support for fine-grained IPC access control. Check out the Change Log for more details.
readdir_r because it’s obsolete. Replaced with readdir with the assumption that its usage is thread-safe if the directory handle passed to it is not shared between threads.
Many thanks to the following people for contributions to this release and to the USBGuard project:
If you are using Fedora or the USBGuard Copr repository, run:
$ sudo dnf update --enablerepo=updates-testing usbguard
The signed release tarball can be downloaded from the USBGuard release page at GitHub:
SHA256(usbguard-0.7.0.tar.gz)= 1e1485a2b47ba3bde9de2851b371d2552a807047a21e0b81553cf80d7f722709
If you are using Fedora or the USBGuard Copr repository, run:
$ sudo dnf update --enablerepo=updates-testing usbguard
The signed release tarball can be downloaded from the USBGuard release page at GitHub:
SHA256(usbguard-0.6.2.tar.gz)= dad33da0312b95a3a41434a7b5bbd03f5ec7096f6ea9ee238ad2f15908bc51fd