initial commit
commit
b5bc16d9ca
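--- /dev/null
+++ b/README.txt
@@ -0,0 +1,29 @@
+This set of scripts is experimental
+
+info
+====
+With these scripts you can filter which USB devices can connect to your linux
+system. For instance, allow your usb mass-storage device only to be exactly
+that and not one day register itself as a keyboard...
+
+Setup
+=====
+Create /etc/usb_whitelist:
+idVendor:idProduct:AllowedClass
+...
+
+"AllowClass" is the usb class code [1]. For example, use 08 for usb flash drives.
+
+Add the following to the kernel command line (edit your boot loader config): usbcore.authorized_default=0
+
+Make sure the following runs by init on system boot:
+
+echo 0 > /sys/bus/usb/drivers_autoprobe
+echo "/sbin/hotplug_filter.sh" > /proc/sys/kernel/hotplug
+/sbin/authorize_scan.sh
+
+Use scan_new.sh to see devices which aren't in the whitelist yet.
+
+Resources
+=========
+[1] List of classes: http://www.usb.org/developers/defined_class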
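--- /dev/null
+++ b/authorize_scan.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+cd /sys/bus/usb/devices/
+
+ls | grep -v : | while read device ; do
+idProduct=$(cat $device/idProduct)
+idVendor=$(cat $device/idVendor)
+grep "$idVendor:$idProduct" /etc/usb_whitelist
+if [ $? -eq 0 ] ; then
+echo 1 > $device/authorized
+fi
+
+done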
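Review bot: The lookup on the `grep "$idVendor:$idProduct" /etc/usb_whitelist` line is an unanchored regex match whose output goes to stdout, and it fails open: should either `cat` return nothing, the pattern degrades to `:` and matches every whitelist line, after which `echo 1 > $device/authorized` runs. Anchor and silence it, `grep -q -- "^$idVendor:$idProduct" /etc/usb_whitelist`, and skip the entry unless both values were read, `[ -n "$idVendor" ] && [ -n "$idProduct" ] || continue`. The `ls | grep -v :` loop also leaves `$device` unquoted on the `cat` and `echo` lines; iterating `for device in /sys/bus/usb/devices/*/` with `case "$device" in *:*) continue ;; esac` avoids parsing `ls`, and quoting `"$device"` keeps the paths intact.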
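--- /dev/null
+++ b/hotplug_filter.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+env >> /tmp/hotpluglog
+echo $SUBSYSTEM
+if [ "$SUBSYSTEM" = "usb" ] ; then
+
+if [ "$ACTION" != "add" ] ; then
+exit
+fi
+
+if [ "$DEVTYPE" = "usb_device" ] ; then
+cd /sys/$DEVPATH/
+fi
+
+if [ "$DEVTYPE" = "usb_interface" ] ; then
+cd /sys/$DEVPATH/..
+fi
+
+port=$(basename $DEVPATH)
+idProduct=$(cat idProduct)
+idVendor=$(cat idVendor)
+bInterfaceClass=""
+search=""
+
+
+if [ "$DEVTYPE" = "usb_device" ] ; then
+search="$idVendor:$idProduct"
+fi
+
+if [ "$DEVTYPE" = "usb_interface" ] ; then
+cd /sys/$DEVPATH/
+bInterfaceClass=$(cat bInterfaceClass)
+search="$idVendor:$idProduct:$bInterfaceClass"
+fi
+echo $search >> /tmp/search
+grep -q $search /etc/usb_whitelist
+if [ $? -ne 0 ] ; then
+echo "denied $DEVPATH" >> /tmp/denied_log
+exit
+fi
+[ -e /sys/$DEVPATH/authorized ] && echo 1 > /sys/$DEVPATH/authorized
+echo "$port" > /sys/bus/usb/drivers_probe
+fi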
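Review bot: The decision on the `grep -q $search /etc/usb_whitelist` line fails open: both `cd /sys/$DEVPATH` calls are unchecked, and should one of them or a `cat` fail, `$search` for a usb_device event degrades to `:`, which as an unquoted, unanchored regex matches every whitelist line, so the device is then authorized and probed. Exit unless both ids were read, `[ -n "$idVendor" ] && [ -n "$idProduct" ] || exit 1`, add `|| exit 1` to each `cd`, and anchor the lookup, `grep -q -- "^$search" /etc/usb_whitelist`. The appends to `/tmp/hotpluglog`, `/tmp/search` and `/tmp/denied_log` are made by a root-run helper to predictable paths in a world-writable directory, where a pre-existing symlink would redirect the write; `logger` or a root-owned log directory avoids that exposure, and `env >> /tmp/hotpluglog` should at most be a debug option rather than unconditional. The `echo $SUBSYSTEM` line has no reader when the kernel invokes the helper and can be dropped.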
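--- /dev/null
+++ b/scan_new.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+lsusb | awk '{print $6}' | while read line ; do
+grep -q "$line" /etc/usb_whitelist || echo "$line is not in whitelist yet"
+done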
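Review bot: `grep -q "$line" /etc/usb_whitelist` is an unanchored regex match, so a `vendor:product` pair is reported as already whitelisted whenever the text appears anywhere on a line, including inside a comment or a longer field, and the scan then stays silent about a device that the filter scripts would still reject. Anchoring it with `grep -q -- "^$line" /etc/usb_whitelist` restricts the match to an entry's start and keeps an `awk` field beginning with `-` from being taken as an option. Reading with `while read -r line` is also the safer default, even though `lsusb` output is unlikely to contain backslashes.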