From: Greg Kroah-Hartman
To: Dmitry Torokhov
Cc: Alan Stern, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
Subject: Re: [PATCH] usb: core: add option of only authorizing internal devices
Date: Fri, 22 Feb 2019 09:27:44 +0100
Message-ID: <20190222082744.GA6963@kroah.com>
In-Reply-To: <20190217072151.GA244815@dtor-ws>
References: <20190217072151.GA244815@dtor-ws>

On Sat, Feb 16, 2019 at 11:21:51PM -0800, Dmitry Torokhov wrote:
> On Chrome OS we want to use USBguard to potentially limit access to USB
> devices based on policy. We however do not want to wait for userspace to
> come up before initializing fixed USB devices to not regress our boot
> times.
>
> This patch adds option to instruct the kernel to only authorize devices
> connected to the internal ports. Previously we could either authorize
> all or none (or, by default, we'd only authorize wired devices).
>
> The behavior is controlled via usbcore.authorized_default command line
> option.
>
> Signed-off-by: Dmitry Torokhov
> ---
> .../admin-guide/kernel-parameters.txt | 3 +-
> Documentation/usb/authorization.txt | 4 +-
> drivers/usb/core/hcd.c | 51 +++++++++++--------
> drivers/usb/core/usb.c | 33 +++++++++---
> include/linux/usb/hcd.h | 10 ++--
> 5 files changed, 69 insertions(+), 32 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index aefd358a5ca3..4446919089b9 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -4675,7 +4675,8 @@
> usbcore.authorized_default=
> [USB] Default USB device authorization:
> (default -1 = authorized except for wireless USB,
> - 0 = not authorized, 1 = authorized)
> + 0 = not authorized, 1 = authorized, 2 = authorized
> + if device connected to internal port)

Oh nice, another "simple" flag modified over time to be more complex :(

Anyway, that's fine, it's how APIs grow, just grumpy...

This all looks good to me, I'll go queue it up now.

greg k-h
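
Review bot: In the usbcore.authorized_default entry of kernel-parameters.txt, the new text for value 2 ("authorized if device connected to internal port") does not say what happens to devices on any other port, and does not say how a port is judged to be internal. Because this parameter is used as a security control, the entry should state the other half explicitly (if the intent is that such devices stay unauthorized until userspace authorizes them, say so) and name what the internal/external classification is based on, so an administrator knows what setting 2 actually trusts.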