From mboxrd@z Thu Jan 1 00:00:00 1970
From: Greg KH
Date: Thu, 24 Feb 2011 17:01:07 +0000
Subject: Re: How to use Udev to restrict USB access only to particular set of
Message-Id: <20110224170107.GA7841@kroah.com>
To: linux-hotplug@vger.kernel.org

On Thu, Feb 24, 2011 at 06:36:19PM +0200, Vilius Benetis wrote:
> On Thu, Feb 24, 2011 at 5:46 PM, Greg KH wrote:
> >>[vilius]
> >> we tried to disable USB storage sticks with the following command:
> >>
> >> SUBSYSTEMS="usb" DRIVERS="usb-storage"  OPTIONS:="ignore_device"
> >>
> >> but we failed to make it work.
> >
> > Ignoring the device still makes it "active" in the system, especially as
> > you just tested that the usb-storage device was bound to your device
> > (which wouldn't be true that early in the process, which is one reason
> > why this failed).
> >
> > you need to write a 0 to the "authorized" file in sysfs which will
> > disable the whole USB device entirely if it meets your "list of devices
> > to reject".  You also need to test not for driver binding, which again
> > will not have happened, and you don't want to have happen, but that it
> > is a usb storage device type (by virtue of the correct class config
> > options as shown by sysfs) and that it doesn't pass your list of valid
> > serial numbers.
> >
> > Note, all of that might be easier to do in a script than in a udev rule
> > alone, but it should be possible.
>
> I can follow the logic, but I think I am not able to convert the
> guidance to the actions.
>
> do you mean (am not sure what is this "authorised" file in sysfs):
>
> KERNEL!="sd[a-z][0-9]", GOTO="end_usb_key_filter"

Nope, way too late, you want to catch things _before_ the usb-storage
driver binds to it, right?

So match on a usb interfaces, and look at the class values to match the
usb storage ones.  If they are a match, then go up a level and disable
the device by writing a 0 to the "authorized" file.

> SUBSYSTEM="usb", ATTRS{serial}="xx1", GOTO="end_usb_key_filter"
> SUBSYSTEM="usb", ATTRS{serial}="xx2", GOTO="end_usb_key_filter"
> SUBSYSTEM="usb", RUN="echo 0 >/sys/xxx"
>
> or just:
>
> SUBSYSTEM="usb", ATTRS{serial}="xx1|xx2|xx3", GOTO="end_usb_key_filter"
> SUBSYSTEM="usb", RUN="echo 0 >/sys/xxx"
> LABEL="end_usb_key_filter"

That might work, but watch out that you don't deactivate your USB
keyboards :)

thanks,

greg k-h
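
Added example (not part of the original message, and not code from Greg KH or the udev project): a helper script for the approach described above, which checks a USB interface's class, compares the parent device's serial against an allowlist, and writes 0 to the parent's "authorized" file otherwise. The script path, the udev rule in the comments and the function name are assumptions; xx1, xx2 and xx3 are the placeholder serials from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical install path:
#   /usr/local/sbin/usb-storage-filter.sh
# Hypothetical udev rule that calls it for each new USB interface:
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", \
#     RUN+="/usr/local/sbin/usb-storage-filter.sh /sys%p"

# Space-separated allowlist; xx1..xx3 are the placeholder serials from the thread.
ALLOWED_SERIALS="${ALLOWED_SERIALS:-xx1 xx2 xx3}"

# filter_usb_interface <sysfs dir of a USB interface>
# Prints skip (not mass storage), allow (serial allowlisted) or deny
# (parent device de-authorized by writing 0 to its "authorized" file).
filter_usb_interface() {
    iface=$1
    class=""
    if [ -r "$iface/bInterfaceClass" ]; then
        class=$(cat "$iface/bInterfaceClass")
    fi
    # 08 is the USB Mass Storage interface class; keyboards (HID, 03) and
    # everything else are left alone.
    if [ "$class" != "08" ]; then
        echo skip
        return 0
    fi
    dev=$(dirname "$iface")   # "go up a level": the USB device owning the interface
    serial=""
    if [ -r "$dev/serial" ]; then
        serial=$(cat "$dev/serial")
    fi
    for ok in $ALLOWED_SERIALS; do
        if [ -n "$serial" ] && [ "$serial" = "$ok" ]; then
            echo allow
            return 0
        fi
    done
    # No serial, or serial not allowlisted: disable the whole device.
    if echo 0 > "$dev/authorized"; then
        echo deny
    else
        echo error
        return 1
    fi
}

if [ "$#" -gt 0 ]; then
    filter_usb_interface "$1"
fi
```

Because the whole device is de-authorized, a composite device that exposes a mass-storage interface alongside other functions loses all of them.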