initial commit
commit
b5bc16d9ca
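--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,0 +1,29 @@
+This set of scripts is experimental
+
+info
+====
+With these scripts you can filter which USB devices can connect to your linux
+system. For instance, allow your usb mass-storage device only to be exactly
+that and not one day register itself as a keyboard...
+
+Setup
+=====
+Create /etc/usb_whitelist:
+idVendor:idProduct:AllowedClass
+...
+
+"AllowClass" is the usb class code [1]. For example, use 08 for usb flash drives.
+
+Add the following to the kernel command line (edit your boot loader config): usbcore.authorized_default=0
+
+Make sure the following runs by init on system boot:
+
+echo 0 > /sys/bus/usb/drivers_autoprobe
+echo "/sbin/hotplug_filter.sh" > /proc/sys/kernel/hotplug
+/sbin/authorize_scan.sh
+
+Use scan_new.sh to see devices which aren't in the whitelist yet.
+
+Resources
+=========
+[1] List of classes: http://www.usb.org/developers/defined_class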
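--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -0,0 +1,12 @@
+#!/bin/bash
+cd /sys/bus/usb/devices/
+
+ls | grep -v : | while read device ; do
+idProduct=$(cat $device/idProduct)
+idVendor=$(cat $device/idVendor)
+grep "$idVendor:$idProduct" /etc/usb_whitelist
+if [ $? -eq 0 ] ; then
+echo 1 > $device/authorized
+fi
+
+done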
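Review bot: The whitelist lookup `grep "$idVendor:$idProduct" /etc/usb_whitelist` is an unanchored regex substring match with its output left on stdout, so any whitelist line that merely contains the pair (a comment, a longer token) counts as a match and the matching line is printed at every boot. Anchoring the pattern and folding the `$?` test into the condition gives `if grep -q "^$idVendor:$idProduct" /etc/usb_whitelist ; then`. The `cd /sys/bus/usb/devices/` on the second line is unchecked; if it fails the loop runs over whatever the current directory is, so `cd /sys/bus/usb/devices/ || exit 1` keeps the script fail-closed. The `$device` expansions (`cat $device/idProduct`, `> $device/authorized`) should be quoted as `"$device/..."`, although sysfs entry names make that low-risk in practice.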
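--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -0,0 +1,42 @@
+#!/bin/bash
+env >> /tmp/hotpluglog
+echo $SUBSYSTEM
+if [ "$SUBSYSTEM" = "usb" ] ; then
+
+if [ "$ACTION" != "add" ] ; then
+exit
+fi
+
+if [ "$DEVTYPE" = "usb_device" ] ; then
+cd /sys/$DEVPATH/
+fi
+
+if [ "$DEVTYPE" = "usb_interface" ] ; then
+cd /sys/$DEVPATH/..
+fi
+
+port=$(basename $DEVPATH)
+idProduct=$(cat idProduct)
+idVendor=$(cat idVendor)
+bInterfaceClass=""
+search=""
+
+
+if [ "$DEVTYPE" = "usb_device" ] ; then
+search="$idVendor:$idProduct"
+fi
+
+if [ "$DEVTYPE" = "usb_interface" ] ; then
+cd /sys/$DEVPATH/
+bInterfaceClass=$(cat bInterfaceClass)
+search="$idVendor:$idProduct:$bInterfaceClass"
+fi
+echo $search >> /tmp/search
+grep -q $search /etc/usb_whitelist
+if [ $? -ne 0 ] ; then
+echo "denied $DEVPATH" >> /tmp/denied_log
+exit
+fi
+[ -e /sys/$DEVPATH/authorized ] && echo 1 > /sys/$DEVPATH/authorized
+echo "$port" > /sys/bus/usb/drivers_probe
+fi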
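Review bot: The lookup fails open whenever a component of `search` is empty: none of the three `cd /sys/$DEVPATH...` lines are checked, `cat idVendor`/`cat idProduct`/`cat bInterfaceClass` can return nothing, and an unrecognised `DEVTYPE` leaves `search` empty, so the unanchored `grep -q $search /etc/usb_whitelist` runs with a pattern like `:`, `vid:pid:` or nothing at all, matches (or, unquoted and empty, falls back to reading stdin with the file name as the pattern), and the device is then authorized and probed. Checking each `cd`, rejecting empty ids before the lookup, and anchoring the pattern so that `vid:pid` still matches a `vid:pid:08` line but `vid:pid:` with a missing class matches nothing closes this; the fence below shows the rewritten lines. Separately, `env >> /tmp/hotpluglog`, `echo $search >> /tmp/search` and the `/tmp/denied_log` append are root writes to fixed, predictable names in a world-writable directory, the classic pre-created-symlink problem, and they also expose every hotplug environment to any local user; route these to a root-owned log file or `logger`, or drop them before deployment. `echo $SUBSYSTEM` on line 3 is stray debug output and can go as well.
```shell
if [ "$DEVTYPE" = "usb_device" ] ; then
  cd "/sys/$DEVPATH/" || exit 1
fi

if [ "$DEVTYPE" = "usb_interface" ] ; then
  cd "/sys/$DEVPATH/.." || exit 1
fi

# … unchanged: port, idProduct, idVendor, bInterfaceClass, search construction …

# Fail closed: an empty id, class or DEVTYPE would otherwise leave a pattern
# such as ":" or "" that matches any whitelist line.
if [ -z "$idVendor" ] || [ -z "$idProduct" ] || [ -z "$search" ] ; then
  exit 1
fi
# Anchor at line start and require ':' or end of line after the search, so
# "vid:pid" matches a "vid:pid:08" entry but "vid:pid:" (missing class) does not.
grep -qE "^$search(:|$)" /etc/usb_whitelist
```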
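--- a/PATH-NOT-ON-PAGE-4
+++ b/PATH-NOT-ON-PAGE-4
@@ -0,0 +1,4 @@
+#!/bin/bash
+lsusb | awk '{print $6}' | while read line ; do
+grep -q "$line" /etc/usb_whitelist || echo "$line is not in whitelist yet"
+done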
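Review bot: `grep -q "$line"` matches the id pair that `awk '{print $6}'` extracts from lsusb as an unanchored regex substring, so a pair that appears only in a comment or inside a longer token is treated as whitelisted and never reported; anchoring it, `grep -q "^$line" /etc/usb_whitelist || echo "$line is not in whitelist yet"`, makes the report agree with an entry at the start of a line. Because only the device pair is compared, a device whose pair is listed but whose interface class is not will also not be reported; that is consistent with a device-level scan but should be stated in a header comment such as `# reports idVendor:idProduct pairs from lsusb with no whitelist entry; interface classes are not checked`. `while read -r line` avoids backslash interpretation, though with lsusb output that is cosmetic.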