commit b5bc16d9ca3389551ea188ee10226ea35f2d61d1
Author: Albert S
Date: Sun Aug 3 12:21:04 2014 +0200
initial commit
diff --git a/README.txt b/README.txt
new file mode 100644
index 0000000..39a901b
--- /dev/null
+++ b/README.txt
@@ -0,0 +1,29 @@
+This set of scripts is experimental
+
+info
+====
+With these scripts you can filter which USB devices can connect to your linux
+system. For instance, allow your usb mass-storage device only to be exactly
+that and not one day register itself as a keyboard...
+
+Setup
+=====
+Create /etc/usb_whitelist:
+idVendor:idProduct:AllowedClass
+...
+
+"AllowClass" is the usb class code [1]. For example, use 08 for usb flash drives.
+
+Add the following to the kernel command line (edit your boot loader config): usbcore.authorized_default=0
+
+Make sure the following runs by init on system boot:
+
+echo 0 > /sys/bus/usb/drivers_autoprobe
+echo "/sbin/hotplug_filter.sh" > /proc/sys/kernel/hotplug
+/sbin/authorize_scan.sh
+
+Use scan_new.sh to see devices which aren't in the whitelist yet.
+
+Resources
+=========
+[1] List of classes: http://www.usb.org/developers/defined_class
diff --git a/authorize_scan.sh b/authorize_scan.sh
new file mode 100755
index 0000000..4dd1d50
--- /dev/null
+++ b/authorize_scan.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+cd /sys/bus/usb/devices/
+
+ls | grep -v : | while read device ; do
+idProduct=$(cat $device/idProduct)
+idVendor=$(cat $device/idVendor)
+grep "$idVendor:$idProduct" /etc/usb_whitelist
+if [ $? -eq 0 ] ; then
+echo 1 > $device/authorized
+fi
+
+done
diff --git a/hotplug_filter.sh b/hotplug_filter.sh
new file mode 100755
index 0000000..1941ab2
--- /dev/null
+++ b/hotplug_filter.sh
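Review bot: The `cd /sys/bus/usb/devices/` on the second line is unchecked, so if it fails the loop runs `ls` in whatever directory the script was started from and writes `1` into relative `*/authorized` paths there; use `cd /sys/bus/usb/devices/ || exit 1`. The lookup `grep "$idVendor:$idProduct" /etc/usb_whitelist` is an unanchored regex that also prints every match to stdout, so any line merely containing the pair is accepted, and if either `cat` returned nothing the pattern collapses to `:` and matches every entry, authorizing the device. `if grep -q "^$idVendor:$idProduct:" /etc/usb_whitelist; then` anchors the match to the `idVendor:idProduct:AllowedClass` format the README defines, turns the empty-read case into `^::`, which matches nothing, and removes the separate `$?` test. The `ls | grep -v : | while read device` loop and the unquoted `$device` are harmless here because sysfs names are kernel-controlled, but ShellCheck will flag them and `read -r` costs nothing.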
@@ -0,0 +1,42 @@
+#!/bin/bash
+env >> /tmp/hotpluglog
+echo $SUBSYSTEM
+if [ "$SUBSYSTEM" = "usb" ] ; then
+
+ if [ "$ACTION" != "add" ] ; then
+ exit
+ fi
+
+ if [ "$DEVTYPE" = "usb_device" ] ; then
+ cd /sys/$DEVPATH/
+ fi
+
+ if [ "$DEVTYPE" = "usb_interface" ] ; then
+ cd /sys/$DEVPATH/..
+ fi
+
+ port=$(basename $DEVPATH)
+ idProduct=$(cat idProduct)
+ idVendor=$(cat idVendor)
+ bInterfaceClass=""
+ search=""
+
+
+ if [ "$DEVTYPE" = "usb_device" ] ; then
+ search="$idVendor:$idProduct"
+ fi
+
+ if [ "$DEVTYPE" = "usb_interface" ] ; then
+ cd /sys/$DEVPATH/
+ bInterfaceClass=$(cat bInterfaceClass)
+ search="$idVendor:$idProduct:$bInterfaceClass"
+ fi
+ echo $search >> /tmp/search
+ grep -q $search /etc/usb_whitelist
+ if [ $? -ne 0 ] ; then
+ echo "denied $DEVPATH" >> /tmp/denied_log
+ exit
+ fi
+ [ -e /sys/$DEVPATH/authorized ] && echo 1 > /sys/$DEVPATH/authorized
+ echo "$port" > /sys/bus/usb/drivers_probe
+fi
diff --git a/scan_new.sh b/scan_new.sh
new file mode 100755
index 0000000..959f1cd
--- /dev/null
+++ b/scan_new.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+lsusb | awk '{print $6}' | while read line ; do
+grep -q "$line" /etc/usb_whitelist || echo "$line is not in whitelist yet"
+done
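Review bot: The whitelist check at `grep -q $search /etc/usb_whitelist` fails open when a sysfs read fails: if `cat bInterfaceClass` returns nothing, `search` becomes `vvvv:pppp:` and, as an unanchored regex, matches any whitelisted class of that device, while empty `idVendor`/`idProduct` values degrade the device-level pattern to `:`, which matches every entry. Anchor both patterns to the `idVendor:idProduct:AllowedClass` format the README defines — `search="^$idVendor:$idProduct:"` for `usb_device`, `search="^$idVendor:$idProduct:$bInterfaceClass\$"` for `usb_interface`, and `grep -q -- "$search" /etc/usb_whitelist` — and exit before the lookup when any of the three reads produced an empty value. The `cd /sys/$DEVPATH/` and `cd /sys/$DEVPATH/..` calls are likewise unchecked, so a failed `cd` leaves the `cat` commands reading from the helper's starting directory. Separately, `env >> /tmp/hotpluglog`, `echo $search >> /tmp/search` and `echo "denied $DEVPATH" >> /tmp/denied_log` are root appends to fixed, predictable names in a world-writable directory for every uevent the kernel emits, so they grow without bound and inherit the usual pre-created-file and symlink hazards of /tmp; log under /var/log (or via `logger`) and drop the full `env` dump once debugging is finished.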
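Review bot: `grep -q "$line" /etc/usb_whitelist` is an unanchored regex match on the `idVendor:idProduct` pair, so a device is reported as whitelisted as soon as that pair appears anywhere in a line; `grep -q "^$line:" /etc/usb_whitelist` ties it to the `idVendor:idProduct:AllowedClass` format the README defines. Because only the ID pair is compared, a device whose ID is listed for one class but which also exposes an interface class hotplug_filter.sh would deny is never reported here; that is worth stating in the script, e.g. `# device-level check only: interface classes are enforced by hotplug_filter.sh`. `read line` should be `read -r line`, and `awk '{print $6}'` depends on lsusb's default output layout, which a comment should record.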