[Spice-devel] [PATCH usbredir 2/8] Add whitelists and blacklists to control access.
Jeremy White
jwhite at codeweavers.com
Wed Dec 9 14:16:02 PST 2015
Signed-off-by: Jeremy White <jwhite at codeweavers.com>
---
kernel/main.c | 10 ++++++++++
kernel/redir.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/kernel/main.c b/kernel/main.c
index cf11cbb..7b52b94 100644
--- a/kernel/main.c
+++ b/kernel/main.c
@@ -88,6 +88,16 @@ module_param(devices_per_hub, uint, S_IRUSR|S_IWUSR);
MODULE_PARM_DESC(devices_per_hub,
"Maximum number of devices per hub; default 16");
+char *whitelist = NULL;
+module_param(whitelist, charp, S_IRUSR|S_IWUSR);
+MODULE_PARM_DESC(whitelist,
+ "List of acceptable devices permitted to connect.");
+
+char *blacklist = NULL;
+module_param(blacklist, charp, S_IRUSR|S_IWUSR);
+MODULE_PARM_DESC(blacklist,
+ "List of devices not permitted to connect.");
+
module_init(usbredir_main_init);
module_exit(usbredir_main_exit);
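Review bot: The two parameters are defined as unprefixed globals with external linkage (`char *whitelist`, `char *blacklist`), and the redir.c hunk around redir_hello then re-declares them with `extern` in the middle of that file; such generic names in the kernel's global symbol namespace are collision-prone, and two hand-written declarations can drift apart. Keep the user-visible parameter name but prefix the symbol, `char *usbredir_whitelist; module_param_named(whitelist, usbredir_whitelist, charp, S_IRUSR|S_IWUSR);`, and put the single `extern` declaration in a header both files include. The MODULE_PARM_DESC strings should also state the expected format, since the matching code looks for `vvvv:pppp` hex pairs, e.g. `"List of vendor:product ids (4-digit hex each) permitted to connect."`.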
diff --git a/kernel/redir.c b/kernel/redir.c
index 5531707..0c71aee 100644
--- a/kernel/redir.c
+++ b/kernel/redir.c
@@ -141,6 +141,19 @@ static void redir_free_lock(void *lock)
kfree(lock);
}
+static bool find_device(const char *list, int vendor, int id)
+{
+ const char *p;
+ char buf[24];
+
+ sprintf(buf, "%04x:%04x", vendor, id);
+
+ for (p = list; strlen(p) >= strlen(buf); p++)
+ if (strncasecmp(p, buf, strlen(buf)) == 0)
+ return true;
+
+ return false;
+}
/* The below callbacks are called when a complete packet of the relevant
type has been received.
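Review bot: find_device() is the access-control check behind both lists, but it matches `buf` anywhere inside `list` without regard to entry boundaries, so an entry such as `11234:56780` also admits (or blocks) device `1234:5678`; the match should be required to start and end at a non-hex-digit or the string edge. The loop also recomputes `strlen(p)` and `strlen(buf)` on every iteration, which is quadratic in the list length, and the unbounded `sprintf` is better written as `snprintf(buf, sizeof buf, ...)` even though `%04x:%04x` fits in 24 bytes. A rewrite that computes the lengths once and checks boundaries is below; `isxdigit` is available from linux/ctype.h if it is not already included.
```c
static bool find_device(const char *list, int vendor, int id)
{
	char buf[24];
	const char *p;
	size_t len, left;

	snprintf(buf, sizeof buf, "%04x:%04x", vendor, id);
	len = strlen(buf);

	for (p = list, left = strlen(list); left >= len; p++, left--) {
		if (strncasecmp(p, buf, len) != 0)
			continue;
		/* Accept only a whole entry, not a substring of a longer one. */
		if ((p == list || !isxdigit(p[-1])) && !isxdigit(p[len]))
			return true;
	}

	return false;
}
```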
@@ -154,6 +167,8 @@ static void redir_hello(void *priv, struct usb_redir_hello_header *hello)
pr_debug("Hello!\n");
}
+extern char *whitelist;
+extern char *blacklist;
static void redir_device_connect(void *priv,
struct usb_redir_device_connect_header *device_connect)
{
@@ -165,6 +180,25 @@ static void redir_device_connect(void *priv,
pr_debug(" vendor 0x%04x product %04x\n",
device_connect->vendor_id, device_connect->product_id);
+ if (whitelist && ! find_device(whitelist, device_connect->vendor_id,
+ device_connect->product_id)) {
+ pr_err("Device %04x:%04x not in white list.\n",
+ device_connect->vendor_id, device_connect->product_id);
+ if (udev->socket)
+ kernel_sock_shutdown(udev->socket, SHUT_RDWR);
+ return;
+ }
+
+ if (blacklist && find_device(blacklist, device_connect->vendor_id,
+ device_connect->product_id)) {
+ pr_err("Device %04x:%04x in black list.\n",
+ device_connect->vendor_id, device_connect->product_id);
+ if (udev->socket)
+ kernel_sock_shutdown(udev->socket, SHUT_RDWR);
+ return;
+ }
+
+
spin_lock(&udev->lock);
udev->connect_header = *device_connect;
spin_unlock(&udev->lock);
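Review bot: The whitelist and blacklist pointers are dereferenced here without any lock, yet both parameters are declared `S_IWUSR`, so a sysfs write can replace the string at any time; as far as I recall `param_set_charp` frees the previous value under the module's param lock, which would leave this reader holding a dangling pointer unless it also takes `kernel_param_lock(THIS_MODULE)` around the check. The two rejection branches are also near-duplicates (same socket shutdown and `return`), and the hunk has checkpatch-style nits: `! find_device` should be `!find_device`, and the two consecutive blank lines before `spin_lock` should be one. Moving both checks into a helper that holds the param lock and logs the reason leaves a single rejection path in redir_device_connect, whose opening and local declarations (including `udev`) lie outside this hunk.
```c
/* Returns true when the device is allowed by the whitelist and not
 * excluded by the blacklist.  Logs the reason when it is rejected.
 * Holds the param lock so a concurrent sysfs write cannot free the
 * list strings while they are being scanned. */
static bool device_permitted(int vendor, int id)
{
	bool ok = true;

	kernel_param_lock(THIS_MODULE);
	if (whitelist && !find_device(whitelist, vendor, id)) {
		pr_err("Device %04x:%04x not in white list.\n", vendor, id);
		ok = false;
	} else if (blacklist && find_device(blacklist, vendor, id)) {
		pr_err("Device %04x:%04x in black list.\n", vendor, id);
		ok = false;
	}
	kernel_param_unlock(THIS_MODULE);

	return ok;
}

	/* … unchanged: redir_device_connect up to the pr_debug of vendor/product … */
	if (!device_permitted(device_connect->vendor_id,
			      device_connect->product_id)) {
		if (udev->socket)
			kernel_sock_shutdown(udev->socket, SHUT_RDWR);
		return;
	}

	/* … unchanged: spin_lock / connect_header copy / spin_unlock … */
```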
--
2.1.4