[systemd-devel] Udev rules on reboot
Mantas Mikulėnas
grawity at gmail.com
Sun Dec 20 21:25:05 UTC 2020
On Sun, Dec 20, 2020, 21:37 Adi Ml <maladi1747 at gmail.com> wrote:
> Yes. That's exactly what I mean (what Mantas said): ATTR{authorized}="0".
> I would like to have a USB whitelist via udev and want it to be enforced on
> devices which were connected pre-boot too.
>
> authorized_default=0 seems to be the same as
> ATTR{authorized}="0", isn't it?
>
Not quite – I guess there is a very small window of time between connection
and udev processing where the device is still authorized, before udev
removes the authorization.
So having authorized_default=0, and then setting all allowed devices to
authorized=1 (allow only approved devices, block the rest) is probably
slightly safer technically.
(Actually maybe you should just use USBGuard instead of writing custom
rules?)
This is what I used to have a long time ago:
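# Only act on USB "add" events.
ACTION!="add", GOTO="deauthorize_end"
SUBSYSTEM!="usb", GOTO="deauthorize_end"
# Devices that expose authorized_default (the bus root hubs): default new devices to unauthorized.
TEST=="authorized_default", ATTR{authorized_default}="0", GOTO="deauthorize_end"
# Allowed devices: authorize explicitly. Each rule must stay on a single line.
ENV{ID_VENDOR}=="Yubico", ENV{ID_MODEL}=="Yubikey_NEO*", ATTR{authorized}="1", GOTO="deauthorize_end"
ENV{ID_VENDOR}=="Zubico", ENV{ID_MODEL}=="Zubikey_GEO*", ATTR{authorized}="1", GOTO="deauthorize_end"
LABEL="deauthorize_end"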
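
A read-only audit of the two conditions discussed in this message: every bus has authorized_default=0, and no device outside the allowlist has authorized=1, which also catches devices that were connected before boot. This is an added example, not part of the original message; the allowlist path and its one-`vendor:product`-per-line format are assumptions, and the id in the comment is a constructed sample.

```shell
#!/bin/sh
# Added example: audit USB authorization state in sysfs against an allowlist.
# usage: audit_usb [SYSFS_USB_DIR] [ALLOWLIST_FILE]
# Allowlist format (assumed): one vendor:product hex id per line, such as
# "1050:0116" (constructed sample). Lines starting with '#' never match an id.
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_usb() {
    devdir=${1:-/sys/bus/usb/devices}
    allow=${2:-/etc/usb-allowlist}      # hypothetical path
    rc=0
    for d in "$devdir"/*; do
        [ -d "$d" ] || continue
        name=${d##*/}
        # Root hubs (usbN) carry authorized_default, the policy applied to
        # every device that later appears on that bus.
        if [ -r "$d/authorized_default" ]; then
            def=$(cat "$d/authorized_default")
            if [ "$def" != "0" ]; then
                echo "DEFAULT-ALLOW $name authorized_default=$def"
                rc=1
            fi
            continue
        fi
        # Interface nodes (such as 1-1:1.0) have no idVendor; skip them and
        # check whole devices only.
        [ -r "$d/idVendor" ] && [ -r "$d/authorized" ] || continue
        id="$(cat "$d/idVendor"):$(cat "$d/idProduct")"
        auth=$(cat "$d/authorized")
        # A missing allowlist file makes every authorized device a finding.
        if [ "$auth" = "1" ] && ! grep -qixF "$id" "$allow" 2>/dev/null; then
            echo "UNLISTED-AUTHORIZED $name $id"
            rc=1
        fi
    done
    return "$rc"
}
```

Run it after boot, for example from a timer or a login check: it only reads sysfs and does not change any device's authorization.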