[systemd-devel] Udev hardening
Greg KH
gregkh at linuxfoundation.org
Mon Dec 14 16:32:36 UTC 2020
On Mon, Dec 14, 2020 at 06:18:24PM +0200, Adi Ml wrote:
> I guess that udev can block devices from userspace only, so from there.
>
> Of course, you are right: a whitelist is better.
>
> As for usbguard, I thought about using seccomp and filtering system calls
> in my udev service based on their code - I have seen that they list a group
> of system calls and restrict the usage to them only.
That restriction is for the usbguard daemon; it has nothing to do with what
a USB device can or cannot do.
I recommend using that program for what you want to accomplish, as that
is exactly what it is designed to do.
good luck!
greg k-h
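The distinction Greg draws above (what a device is allowed to do versus what the daemon itself may call) is easiest to see at the kernel interface both udev rules and usbguard end up driving: the per-device `authorized` attribute and the per-root-hub `authorized_default` attribute under /sys/bus/usb/devices. The script below is an added example, not code from this thread, from systemd/udev or from usbguard. It implements the "deny by default, allow-list by vendor:product" policy directly against sysfs; the allow-list IDs and the scratch sysfs tree built by `make_fake_sysfs` are constructed for illustration, and usbguard's real rule language matches on far more than the ID (serial, interface classes, port, device hash), which is one reason to use it rather than a script like this.

```shell
#!/bin/sh
# Added example (not from the thread, not usbguard's code): deny-by-default
# USB device authorization via the kernel's sysfs interface.
# Needs root on a real system; every path is parameterised so the logic can
# be exercised against a scratch directory instead of /sys.

# Allow-list of vendor:product IDs (constructed example values).
USB_ALLOWLIST="${USB_ALLOWLIST:-1d6b:0002 1d6b:0003 046d:c52b}"

# Tell every host controller (root hub usbN) to leave newly enumerated
# devices unauthorized until userspace explicitly authorizes them.
deny_by_default() {
    sysfs="${1:-/sys/bus/usb/devices}"
    for hub in "$sysfs"/usb[0-9]*; do
        [ -f "$hub/authorized_default" ] || continue
        echo 0 > "$hub/authorized_default"
    done
}

# Print "vendor:product" for the USB device whose sysfs directory is $1.
device_id() {
    printf '%s:%s' "$(cat "$1/idVendor")" "$(cat "$1/idProduct")"
}

# Authorize the device at sysfs dir $1 only if its ID is on the allow-list.
# Writes 1 (allow) or 0 (block) to the device's authorized attribute and
# prints the decision; returns 0 on allow, 1 on block.
authorize_if_allowed() {
    dev="$1"
    id="$(device_id "$dev")"
    for allowed in $USB_ALLOWLIST; do
        if [ "$id" = "$allowed" ]; then
            echo 1 > "$dev/authorized"
            echo allow
            return 0
        fi
    done
    echo 0 > "$dev/authorized"
    echo block
    return 1
}

# Build a scratch tree shaped like /sys/bus/usb/devices (constructed test
# data): one root hub, one allow-listed device, one unknown device.
make_fake_sysfs() {
    root="$(mktemp -d)"
    mkdir -p "$root/usb1" "$root/1-1" "$root/1-2"
    echo 1 > "$root/usb1/authorized_default"
    echo 046d > "$root/1-1/idVendor"; echo c52b > "$root/1-1/idProduct"
    echo 0 > "$root/1-1/authorized"
    echo dead > "$root/1-2/idVendor"; echo beef > "$root/1-2/idProduct"
    echo 0 > "$root/1-2/authorized"
    echo "$root"
}

# When invoked by a udev RUN+= rule, udev exports DEVPATH, so the caller can
# pass "/sys$DEVPATH"; only act when given a real sysfs path.
case "${1:-}" in
    /sys/*) authorize_if_allowed "$1" ;;
esac
```

Hooking this from udev would be a rule such as `ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/sbin/usb-allow.sh /sys$env{DEVPATH}"` after `deny_by_default` has run at boot. Note that a seccomp filter on the process running this script would limit which system calls the script itself may make; it would not change which devices get authorized, which is exactly the separation the reply above points out.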