
Rule matching: multiple interfaces with same class

Open AHeinlein opened this issue 8 years ago • 4 comments

I have an external USB hard drive which supports USB attached SCSI as well as "normal" USB bulk transfers. So it has two interfaces, 08:06:50 and 08:06:62.

I thought that the rule given in the examples would match: allow with-interface equals { 08:*:* } but it doesn't. This, however, works: allow with-interface one-of { 08:*:* } I don't know if this is intended behaviour, but it is at least confusing.

AHeinlein avatar Oct 25 '17 14:10 AHeinlein

I have experienced this issue as well, on my first day of experimenting with usbguard.

This does appear to be the intended behaviour of that example rule, however it is probably not in the spirit of what it is supposed to do. I imagine devices with dual UASP and legacy bulk storage capability are fairly common these days with USB 3.0/3.1 devices. So I figure this is really just a documentation bug.

I don't think the one-of operator is sufficient to forbid the "suspicious combination" devices. I added the rule allow with-interface equals { 08:06:50 08:06:62 } to allow my device, but this might be too specific.

alasley avatar Nov 30 '17 07:11 alasley

The documentation specified that allow with-interface equals { 08:*:* } should allow all USB devices. If that doesn't work, I think this is a bug.

thedrow avatar Dec 17 '18 14:12 thedrow

allow with-interface equals { 08:*:* } will allow a USB device which implements exactly one interface of the mass storage class, i.e., the interface-type pattern in the rule will not match more than once.

I think this is working as it ought to, but devices which implement both 08:06:50 and 08:06:62 are so common that they deserve an explicit mention, since it is not necessarily obvious why the example does not work for them.

alasley avatar Dec 19 '18 02:12 alasley

The behavior is expected. We will need to implement a new operator like "match-all" that will try to match each device interface against the provided mask.

allow with-interface match-all { 08:*:* }
# will match device with all interfaces started with "08" -> { 08:06:50 08:06:62 }


allow with-interface match-all { 03:*:* }
# will match all HID
# it should not match { 03:00:01 01:00:01 }
# but
allow with-interface match-all { 03:*:* 01:*:* }
# will match.

Such a keyword would take class-based rules to a new level.

@dkopecek what do you think?

radosroka avatar Aug 28 '19 12:08 radosroka
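The confusion in this thread comes down to how each set operator treats a device whose interface list has more entries than the rule has patterns. The simulator below is an added example, not usbguard's own code: it models `equals` and `one-of` as described in the comments above (a pattern in `equals` can cover at most one interface, so `{ 08:*:* }` cannot cover both 08:06:50 and 08:06:62), and it models the proposed `match-all` operator from the last comment as "every device interface is covered by some pattern", which is an assumption about an operator that is only proposed here. The device interface lists and the rule parser are constructed for the example.

```python
"""Simulate usbguard's with-interface set operators against a device's interface list.

Constructed example, not usbguard code. Interface types use usbguard's
CC:SS:PP form (class:subclass:protocol), where any field may be '*'.
"""
from itertools import permutations
from typing import Callable, Dict, List


def iface_matches(pattern: str, iface: str) -> bool:
    """Field-wise match of an interface type against a pattern with '*' wildcards."""
    pf, df = pattern.split(":"), iface.split(":")
    if len(pf) != 3 or len(df) != 3:
        raise ValueError(f"expected CC:SS:PP, got {pattern!r} / {iface!r}")
    return all(p == "*" or p.lower() == d.lower() for p, d in zip(pf, df))


def op_equals(patterns: List[str], ifaces: List[str]) -> bool:
    """Exact set match: each pattern covers exactly one interface and nothing is left over.

    A single '08:*:*' therefore fails against a two-interface UAS drive. The
    permutation search (sets are tiny) avoids a greedy mismatch when one
    pattern is a wildcard and another is specific.
    """
    if len(patterns) != len(ifaces):
        return False
    return any(all(iface_matches(p, d) for p, d in zip(patterns, perm))
               for perm in permutations(ifaces))


def op_one_of(patterns: List[str], ifaces: List[str]) -> bool:
    """At least one device interface matches at least one pattern."""
    return any(iface_matches(p, d) for p in patterns for d in ifaces)


def op_match_all(patterns: List[str], ifaces: List[str]) -> bool:
    """Proposed operator (assumption): every device interface must be covered by a pattern.

    An empty interface list is rejected so a rule never allows a device vacuously.
    """
    return bool(ifaces) and all(any(iface_matches(p, d) for p in patterns) for d in ifaces)


OPERATORS: Dict[str, Callable[[List[str], List[str]], bool]] = {
    "equals": op_equals,
    "one-of": op_one_of,
    "match-all": op_match_all,  # hypothetical, per the proposal above
}


def rule_applies(rule: str, ifaces: List[str]) -> bool:
    """Evaluate 'allow with-interface <op> { p1 p2 ... }' against a device.

    Minimal parser for this single attribute; it is not usbguard's grammar.
    """
    head, _, body = rule.partition("{")
    patterns = body.rstrip().rstrip("}").split()
    op = head.split()[-1]
    if op not in OPERATORS:
        raise ValueError(f"unknown set operator {op!r}")
    return OPERATORS[op](patterns, ifaces)


# Constructed devices: the dual UAS/bulk-only drive from the issue, and a
# composite device with a HID interface plus an audio-class interface.
UAS_DRIVE = ["08:06:50", "08:06:62"]
HID_COMBO = ["03:00:01", "01:00:01"]

if __name__ == "__main__":
    cases = [
        ("allow with-interface equals { 08:*:* }", UAS_DRIVE),
        ("allow with-interface one-of { 08:*:* }", UAS_DRIVE),
        ("allow with-interface equals { 08:06:50 08:06:62 }", UAS_DRIVE),
        ("allow with-interface match-all { 08:*:* }", UAS_DRIVE),
        ("allow with-interface match-all { 03:*:* }", HID_COMBO),
        ("allow with-interface match-all { 03:*:* 01:*:* }", HID_COMBO),
    ]
    for rule, dev in cases:
        print(f"{rule:55} vs {dev} -> {rule_applies(rule, dev)}")
```

Running the script prints one line per case; the first two lines reproduce the behaviour reported in the opening comment, and the last three reproduce the `match-all` outcomes sketched in the final comment. Note that `one-of` is a weaker check than `equals`: it allows any device that exposes a mass-storage interface alongside anything else, which is exactly the "suspicious combination" concern raised above.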