PresentControllerPolicy
    How to treat USB controllers that are already connected when the daemon starts.

PresentDevicePolicy
    How to treat USB devices that are already connected after the daemon starts.

RestoreControllerDeviceState
    The USBGuard daemon modifies some attributes of controller devices, such as the default authorization state of new child device instances. Using this setting, you can control whether the daemon will try to restore those attribute values to the state they had before modification when it shuts down.

DeviceManagerBackend
    Which device manager backend implementation to use. The backend should be one of uevent (default) or umockdev.

IPCAllowedUsers
    A space-delimited list of usernames that the daemon will accept IPC connections from.

IPCAllowedGroups
    A space-delimited list of group names that the daemon will accept IPC connections from.

IPCAccessControlFiles
    The files at this location will be interpreted by the daemon as IPC access control definition files.

DeviceRulesWithPort
    Generate device-specific rules including the "via-port" attribute.

AuditBackend
    The backend value should be one of FileAudit or LinuxAudit.

AuditFilePath
    Required if AuditBackend is set to FileAudit.
    Default: %localstatedir%/log/usbguard/usbguard-audit.log

HidePII
    Hides personally identifiable information, such as device serial numbers and hashes of descriptors (which include the serial number), from audit entries.

The daemon provides the USBGuard public IPC interface. Depending on your distribution defaults, access to this interface is limited to a certain group or a specific user only. Set either the IPCAllowedUsers, IPCAllowedGroups or IPCAccessControlFiles option to limit access to the IPC interface. Do not leave the ACL unconfigured, as that will expose the IPC interface to all local users and will allow them to manipulate the authorization state of USB devices and to modify the USBGuard policy.

RestoreControllerDeviceState configuration option
    If set to true, the USB authorization policy could be bypassed by performing some sort of attack on the daemon (via a local exploit or via a USB device) to make it shut down and restore the operating-system default state (known to be permissive).

IPC ACCESS CONTROL

Access to the USBGuard IPC interface can be limited per user or group. Furthermore, by using the IPC access control files, it is possible to limit access down to the level of sections and privileges, as explained below.

When you set the IPCAccessControlFiles option, the daemon will look for IPC access control files in the directory specified by the setting value. Each file in the directory is processed as follows:

1. The basename of the file is interpreted as a username, UID, group name or GID. If the name starts with : (colon), the rest of the name is taken as a group identifier (a group name, or a GID in the case of a numeric-only string). Otherwise, it is interpreted as a user identifier (a username, or a UID in the case of a numeric-only string).

2. The contents of the file are parsed as Section=privilege formatted lines which specify the section privileges. If a section is omitted, it is assumed that no privileges are given for that section.

Available privileges:

Device privileges
    modify: Change the authorization state of devices, including permanent changes (i.e. modification of device-specific rules in the policy).
    list: Get a list of recognized devices and their attributes.
    listen: Listen to device presence and device policy changes.

Policy privileges
    modify: Append rules to, or remove any rules from, the policy.
    list: View the currently enforced policy.

Run-time parameter privileges
    modify: Set values of run-time parameters.
    list: Get values of run-time parameters.
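The following is an added example, not code from the USBGuard project, that evaluates IPC access control files the way the two processing steps above describe: the basename decides user versus group (leading colon), and each line is Section=privilege. It assumes the section names Devices, Policy and Parameters (taken from the usbguard-daemon.conf(5) manual, not shown on this page), that several privileges may be listed comma-separated on one line, and uses a constructed in-memory directory instead of real files.

```python
from collections import defaultdict

# Constructed sample of an IPCAccessControlFiles directory: basename -> contents.
# Section names Devices/Policy/Parameters follow the usbguard-daemon.conf(5)
# manual; comma-separated privileges per line are an assumption of this example.
ACL_DIR = {
    "alice": "Devices=list,listen\nPolicy=list\n",
    ":usbguard-admins": "Devices=modify,list,listen\nPolicy=modify,list\n"
                        "Parameters=modify,list\n",
    "1000": "Parameters=list\n",   # numeric basename: interpreted as a UID
}

def parse_acl_file(basename, text):
    """Return (kind, name, {section: set(privileges)}) for one ACL file.

    A leading ':' marks a group identifier (name or GID); anything else is a
    user identifier (name or UID). Sections absent from the file grant nothing."""
    if basename.startswith(":"):
        kind, name = "group", basename[1:]
    else:
        kind, name = "user", basename
    privs = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # skipping blanks/# is this example's choice
            continue
        if "=" not in line:
            raise ValueError(f"{basename}:{lineno}: expected Section=privilege")
        section, _, value = line.partition("=")
        privs[section.strip()].update(p.strip() for p in value.split(",") if p.strip())
    return kind, name, dict(privs)

def load_acls(files):
    """Index every ACL file by (kind, name) so privilege lookups are direct."""
    acls = {}
    for basename, text in files.items():
        kind, name, privs = parse_acl_file(basename, text)
        acls[(kind, name)] = privs
    return acls

def has_privilege(acls, user, groups, section, privilege):
    """True if the user's own entry or any of the user's group entries grants it.

    Identifiers are compared as strings, so pass the same form (name or
    numeric id) that the ACL file basenames use."""
    principals = [("user", user)] + [("group", g) for g in groups]
    return any(privilege in acls.get(p, {}).get(section, ()) for p in principals)
```

Running the lookups against ACL_DIR shows the least-privilege effect: a user with only list/listen cannot change device authorization, and a section missing from a file grants nothing at all.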