How do I flexibly enable and disable plugging in new USB devices (running driver code responsible for those devices) at runtime without Grsecurity patch?
Are there other approaches or alternative kernel patches with this feature?
Reopen: Differences and comments about the proposed duplicate question How to safely insert USB stick/device to Linux computer?
- Linked question asks about always selectively accepting some devices, this question asks about accepting all devices in selected moments of time (and denying anything in other moments).
- Primary answer (USBGuard) is a userland solution. It seems to only prevent udev actions. It's unlikely to prevent scanning a block device for partitions, creating a network interface and querying its metadata, or registering some /dev/input/eventX node. In-kernel attack surface seems to be exposed.
- Another answer partially links to Grsecurity, which is explicitly ruled out by this question's statement.
As far as I remember, there were plans to make screen-locked desktop Linux systems not accept any USB devices until the screen is unlocked. This means there may be some patches about this somewhere.
Best Answer
Here is my patch for Linux kernel version 4.19.18:
It is based on code from Grsecurity. It uses /proc/sys/dev/deny_new_usb instead of /proc/sys/kernel/grsecurity/deny_new_usb.
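The answer exposes the toggle as a sysctl file, so the "deny while locked, allow when unlocked" policy from the question can be driven from a screen locker's lock/unlock hooks. The script below is an added example, not the answer's patch or any project's code: it writes the flag to the answer's /proc/sys/dev/deny_new_usb path, refuses to run on an unpatched kernel where the file does not exist, and reads the value back to confirm the write took effect. The DENY_NEW_USB_PATH environment override, the function names and the lock/unlock argument convention are assumptions introduced here so the logic can be exercised without the patched kernel.

```shell
#!/bin/sh
# Added example (not from the question or the answer's patch).
# DENY_NEW_USB_PATH is an assumed override; the default is the sysctl file the answer's patch creates.
DENY_NEW_USB_PATH="${DENY_NEW_USB_PATH:-/proc/sys/dev/deny_new_usb}"

# set_deny_new_usb 0|1: write the flag and confirm the kernel accepted it.
set_deny_new_usb() {
    value="$1"
    case "$value" in
        0|1) ;;
        *) echo "set_deny_new_usb: value must be 0 or 1" >&2; return 2 ;;
    esac
    # Without the patch the file does not exist; fail loudly rather than silently doing nothing.
    if [ ! -e "$DENY_NEW_USB_PATH" ]; then
        echo "set_deny_new_usb: $DENY_NEW_USB_PATH missing (kernel not patched?)" >&2
        return 1
    fi
    printf '%s\n' "$value" > "$DENY_NEW_USB_PATH" || return 1
    # Read back: confirm the stored value is what we asked for before trusting the state.
    [ "$(cat "$DENY_NEW_USB_PATH")" = "$value" ]
}

# get_deny_new_usb: print the current flag value (prints nothing if the file is absent).
get_deny_new_usb() {
    [ -e "$DENY_NEW_USB_PATH" ] && cat "$DENY_NEW_USB_PATH"
}

# on_screen_event lock|unlock: the policy from the question, deny new USB devices while
# the screen is locked and accept them again once it is unlocked.
on_screen_event() {
    case "$1" in
        lock)   set_deny_new_usb 1 ;;
        unlock) set_deny_new_usb 0 ;;
        *) echo "on_screen_event: unknown event '$1'" >&2; return 2 ;;
    esac
}

# Command-line use (as root): ./deny_new_usb.sh lock   or   ./deny_new_usb.sh unlock
# A screen locker's lock/unlock hooks can invoke the script with the matching argument.
case "${1:-}" in
    lock|unlock) on_screen_event "$1" ;;
esac
```

Because the flag lives in procfs it can be flipped by anything running as root, so the read-back check is the minimum a hook should do; a locker that fails to set the flag to 1 on lock should treat that as an error rather than assume new devices are being refused.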