Date:   Fri, 22 Feb 2019 09:27:44 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Dmitry Torokhov <dtor@...omium.org>
Cc:     Alan Stern <stern@...land.harvard.edu>,
        linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org
Subject: Re: [PATCH] usb: core: add option of only authorizing internal
 devices

On Sat, Feb 16, 2019 at 11:21:51PM -0800, Dmitry Torokhov wrote:
> On Chrome OS we want to use USBguard to potentially limit access to USB
> devices based on policy. We however do not want to wait for userspace to
> come up before initializing fixed USB devices to not regress our boot
> times.
> 
> This patch adds an option to instruct the kernel to only authorize devices
> connected to the internal ports. Previously we could either authorize
> all or none (or, by default, we'd only authorize wired devices).
> 
> The behavior is controlled via usbcore.authorized_default command line
> option.
> 
> Signed-off-by: Dmitry Torokhov <dtor@...omium.org>
> ---
>  .../admin-guide/kernel-parameters.txt         |  3 +-
>  Documentation/usb/authorization.txt           |  4 +-
>  drivers/usb/core/hcd.c                        | 51 +++++++++++--------
>  drivers/usb/core/usb.c                        | 33 +++++++++---
>  include/linux/usb/hcd.h                       | 10 ++--
>  5 files changed, 69 insertions(+), 32 deletions(-)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index aefd358a5ca3..4446919089b9 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -4675,7 +4675,8 @@
>  	usbcore.authorized_default=
>  			[USB] Default USB device authorization:
>  			(default -1 = authorized except for wireless USB,
> -			0 = not authorized, 1 = authorized)
> +			0 = not authorized, 1 = authorized, 2 = authorized
> +			if device connected to internal port)
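
Review bot: In the usbcore.authorized_default entry, the added "2 = authorized if device connected to internal port" says when a device is authorized but not what happens to devices on every other port, and it does not say what makes a port "internal". Since the commit message describes this mode as only authorizing internal devices, the text could say so directly, for example "2 = authorized only if device is connected to an internal port, otherwise not authorized", with a short pointer to where "internal port" is defined. With four values now packed into one parenthetical, listing one value per line would also make the entry easier to read.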

Oh nice, another "simple" flag modified over time to be more complex :(

Anyway, that's fine, it's how APIs grow, just grumpy...

This all looks good to me, I'll go queue it up now.

greg k-h
