[RFE] Add support for USB per-interface authorization
Per-interface authorization was recently added to the kernel, so we should reflect this in USBGuard too.
https://www.spinics.net/lists/linux-usb/msg126182.html
Rule language extension proposal to support per-interface policies:
To support per-interface policies, the rule language will be extended with per-interface rules which will be associated with a device rule using the "interface-policy" attribute. The attribute should have the following syntax:
interface-policy <implicit-target> { interface-rules }
The implicit target should be either allow or block. It will be used as a target for any interface that won't match a rule in the interface policy.
An interface rule will have similar syntax to that of a device rule. The differences will be in the device ID syntax and in the set of available attributes. Instead of a USB device ID it will accept a USB interface type (numerical form). The attribute set should be the following:
- index ... index of the interface relative to the parent configuration
- configuration ... the configuration number of the interface
- hash "..." ... hash of the interface and associated endpoint descriptors
- rule conditions?
Examples
allow 1234:1234 interface-policy block {
allow 12:34:56 index 12 configuration 0 hash "1234567890abcdef"
}
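As an added example, not part of this proposal or of USBGuard's code, a small Python model of the proposed syntax: it parses a device rule carrying an interface-policy block and decides each interface of a constructed device, falling back to the implicit target for interfaces no interface rule matches. The dict-based interface descriptions, the `{index: target}` result shape and the fallback to the device target when no interface-policy is present are assumptions.

```python
import shlex
from dataclasses import dataclass, field

# Constructed rule, copied from the Examples section of this RFE.
RULE = ('allow 1234:1234 interface-policy block { '
        'allow 12:34:56 index 12 configuration 0 hash "1234567890abcdef" }')

# Constructed interface descriptors of a device 1234:1234 (not real hashes).
SAMPLE_INTERFACES = [
    {"type": "12:34:56", "index": 12, "configuration": 0, "hash": "1234567890abcdef"},
    {"type": "03:01:01", "index": 0, "configuration": 0, "hash": "constructed-hid"},
    {"type": "12:34:56", "index": 1, "configuration": 0, "hash": "constructed-other"},
]

@dataclass
class InterfaceRule:
    target: str                     # allow | block
    iftype: str                     # USB interface type "class:subclass:protocol"
    attrs: dict = field(default_factory=dict)   # index / configuration / hash

    def matches(self, iface):
        # Every attribute present in the rule must match the interface exactly.
        return self.iftype == iface["type"] and all(
            str(iface.get(k)) == v for k, v in self.attrs.items())

@dataclass
class DeviceRule:
    target: str
    device_id: str
    implicit: str = None            # implicit target for unmatched interfaces
    interface_rules: list = field(default_factory=list)

def parse_rule(text):
    tok = shlex.split(text)         # shlex keeps the quoted hash as one token
    rule = DeviceRule(target=tok[0], device_id=tok[1])
    rest = tok[2:]
    if rest and rest[0] == "interface-policy":
        if len(rest) < 4 or rest[1] not in ("allow", "block") or rest[2] != "{" or rest[-1] != "}":
            raise ValueError("malformed interface-policy block")
        rule.implicit, body, i = rest[1], rest[3:-1], 0
        while i < len(body):        # each interface rule starts with a target keyword
            ir = InterfaceRule(target=body[i], iftype=body[i + 1])
            i += 2
            while i < len(body) and body[i] not in ("allow", "block"):
                ir.attrs[body[i]] = body[i + 1]     # attribute name, value
                i += 2
            rule.interface_rules.append(ir)
    return rule

def decide_interfaces(rule, interfaces):
    """Per-interface decision {index: target} for a device this rule matched."""
    # Assumption: without an interface-policy all interfaces follow the device target.
    fallback = rule.implicit or rule.target
    return {iface["index"]: next((r.target for r in rule.interface_rules
                                  if r.matches(iface)), fallback) for iface in interfaces}
```

Only the interface whose type, index, configuration and hash all match the interface rule is allowed; the other two, including the one of the same type with a different hash, fall back to the implicit block target.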
Known issues
- Support for per-interface authorization in the Linux Kernel is "quite" new. How to handle that? Presence of this feature is easy to detect.
- The rule language parser isn't designed to support multi-line rules. The rules can be quite long even now and with per-interface rules it will get even worse.
FTR: This is how usbauth does it: https://github.com/kochstefan/usbauth-all/blob/master/usbauth/data/usbauth.conf