Linux – How to prevent HID device on certain USB ports

linuxSecurityudevusb

Due to security reasons, I want to prevent that input devices can not be used on a certain USB port. Non-input functionality (e.g. mass storage or ttyUSB) must be available on this port. Input devices must be still working on other USB ports.

"can not be used" means that e.g. no corresponding /dev/input/eventX device is created and common frameworks (X11, linux console) do not accept input from the device.

I can identify the USB port by udev rules like

DEVPATH=="/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.7/2-1.7.1/*"

but I am not sure how to disable it.

Ancient udev versions supported OPTIONS+="ignore_device" but this option is gone.

How can I do this?

Best Answer

You need to write a rule for each of the possible types of input device, ie:

ID_INPUT_KEYBOARD
ID_INPUT_KEY
ID_INPUT_MOUSE
ID_INPUT_TOUCHPAD
ID_INPUT_TABLET
ID_INPUT_JOYSTICK

In the rule, test that the environment variable with that name is non-empty, eg match it with the glob pattern ?* which only matches if there is at least one character. Eg:

ENV{ID_INPUT_KEYBOARD}=="?*"

In each rule, when it matches, set the device's authorized attribute to 0, eg:

ATTR{authorized}="0"

It is best to replace = with := so it cannot be overridden by a later rule. This gives a typical rule of:

ACTION=="add", DEVPATH=="...", ENV{ID_INPUT_KEYBOARD}=="?*", ATTR{authorized}:="0"

See this presentation by Adrian Crenshaw.

Related Solutions

Raspberry Pi Ubuntu Mate – Persistent Names for Physical USB Ports

I found a solution. The following rules assign a symbolic link to the corresponding usb ports for the given device. You could probably get rid of the idVendor and idProduct terms.

SUBSYSTEM=="tty", KERNELS=="1-1.2", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", SYMLINK+="rplidar1"
SUBSYSTEM=="tty", KERNELS=="1-1.3", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", SYMLINK+="rplidar2"

Ubuntu – USB ports keep resetting on Linux

I had the same issue, my dmesg was full with this messages, and could not unmount nor suspend the computer:

[ 4095.313680] usb usb4-port5: Cannot enable. Maybe the USB cable is bad?
[ 4099.301425] usb usb4-port5: Cannot enable. Maybe the USB cable is bad?
[ 4103.293161] usb usb4-port5: Cannot enable. Maybe the USB cable is bad?

I discovered it happens when keep a long time without unplugging the USB devices. Maybe the controller on some device goes erratic after staying so much time on, and going trough so many suspends and it is sending bad signals.

I discovered this fixes the problem:

unplug all your USB devices;

power off your computer and power off also the button which comes with the PSU (Power supply unit) because otherwise the PSU will still give juice to the motherboard and will still power the USB controllers on the device attached to it.

And of course sometimes can also be a bad cable. See here: https://askubuntu.com/a/348799/82315

Best Answer

Related Solutions

Raspberry Pi Ubuntu Mate – Persistent Names for Physical USB Ports

Ubuntu – USB ports keep resetting on Linux

Related Question