#401 Include usbguard by default
Opened 7 months ago by ananas-comosus. Modified 5 months ago

It's a nice security feature to prevent USB devices from interacting with the system when the device is locked. This feature would be a nice addition to improve security, especially since the Device Security panel exists now.

This option doesn't appear in GNOME Settings unless usbguard is installed, which leaves users unaware that such a feature exists: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/2689


Metadata Update from @catanzaro:
- Issue tagged with: meeting-request

7 months ago

Hello,

I definitely agree that this could be a good opportunity for others to get acquainted with usbguard.

However, I can see one problem with having usbguard installed by default. Before the service is started, you need to manually generate the initial ruleset and review it. Otherwise, all devices including host controllers will be blocked (default behavior).

> Before the service is started, you need to manually generate the initial ruleset and review it. Otherwise, all devices including host controllers will be blocked (default behavior).

Hm, if manual work is required then it can never be installed by default. The policy is supposed to be managed by gnome-settings-daemon's usb-protection plugin. Any chance you could investigate that? Presumably it shouldn't require manual configuration?

The expected behavior is to block new USB devices only on the lock screen. (I see gnome-settings-daemon has an additional setting to always block new USB devices, but I don't think we have UI to expose that.)

Sorry, poor choice of words on my side. I wanted to say that after installing usbguard and before starting the service, there is a need to generate the initial policy (usbguard rules) for your machine. Otherwise, every single device will be blocked.

Usually, we recommend that users use the usbguard CLI to generate the initial policy and review the rules, because the initial policy will allow all known devices.

I wonder whether what gnome-settings-daemon does is sufficient or not. I have no experience with usbguard.

Does anybody else know?

@rhughes , you might be interested in this...

Sure am, thanks for the ping. I think if we install it by default we have to allow-list all the devices by default, otherwise we're going to be drowning in user bugs on the first day.

I did some research in Fedora and Fedora Silverblue.

It didn't come with usbguard installed by default, so I installed the following packages: usbguard and usbguard-dbus. We need both.

Then I enabled both systemd services with systemctl enable usbguard and systemctl enable usbguard-dbus. Reboot.

Now I get to see the "Forbid new USB devices" option in Settings -> Privacy -> Screen Lock. It is ON by default. But I also started getting usbguard polkit authentication dialogs. So I searched the web and found this ArchWiki article with a polkit rule for it: https://wiki.archlinux.org/title/USBGuard#Grant_GNOME_access_to_the_USBGuard_daemon Now the authentication issue is solved.

After a reboot, I was able to confirm that no new USB devices were allowed on the lock screen. Plugging/unplugging a USB mouse didn't do anything (as expected by the setting!).

Then I logged in as my user and still had no access to my USB devices. After unplugging and plugging them back in, they were finally allowed.

I noticed that the gnome-settings-daemon usb-protection plugin logged usb-protection-plugin-DEBUG: 11:40:54.150: Ensuring allow all in my debug session. So it seems that Settings Daemon adds a rule during user session to allow devices (but that doesn't seem to apply to devices that were already connected). See https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/blob/master/plugins/usb-protection/gsd-usb-protection-manager.c?ref_type=heads#L181

The ArchWiki article suggested editing /etc/usbguard/usbguard-daemon.conf, specifically setting PresentDevicePolicy to allow, so that it blocks all newly connected devices but leaves devices that were connected before the daemon started as they are.

So I guess the path to support this in Fedora is to add the packages to the compose, enable the systemd services, install the polkit rule, and set PresentDevicePolicy=allow (as Richard suggested in the comment above).
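The steps listed in the post above, written out as a script. This is an added example, not code from the thread or from the usbguard or Fedora projects; the sample conf content, the temp file and the rules file name 70-usbguard.rules are constructed, and the polkit rule body is reproduced from the ArchWiki page linked above (check it against the current page before use).

```shell
# Added example: apply the usbguard setup discussed in this thread on Fedora.
set -eu

# Set KEY=VALUE in a usbguard-daemon.conf, replacing an existing (possibly
# commented-out) line or appending when the key is absent.
usbguard_set_key() {
  if grep -Eq "^#?[[:space:]]*$2=" "$1"; then
    sed -i -E "s|^#?[[:space:]]*$2=.*|$2=$3|" "$1"
  else
    printf '%s=%s\n' "$2" "$3" >> "$1"
  fi
}

# Print the active (uncommented) value of KEY from the conf, empty if unset.
usbguard_get_key() {
  sed -n -E "s/^$2=(.*)$/\1/p" "$1" | tail -n 1
}

# The full procedure; it needs root, so it is defined but not run here.
# PresentDevicePolicy=allow keeps devices that are already attached when the
# daemon starts, so no initial ruleset has to be generated by hand.
enable_usbguard_fedora() {
  dnf install -y usbguard usbguard-dbus
  usbguard_set_key /etc/usbguard/usbguard-daemon.conf PresentDevicePolicy allow
  # Polkit rule (ArchWiki) so the session's gnome-settings-daemon can talk to
  # usbguard without authentication prompts; file name is constructed.
  cat > /etc/polkit-1/rules.d/70-usbguard.rules <<'EOF'
polkit.addRule(function(action, subject) {
    if ((action.id == "org.usbguard.Policy1.listRules" ||
         action.id == "org.usbguard.Policy1.appendRule" ||
         action.id == "org.usbguard.Policy1.removeRule" ||
         action.id == "org.usbguard.Devices1.applyDevicePolicy" ||
         action.id == "org.usbguard.Devices1.listDevices" ||
         action.id == "org.usbguard1.getParameter" ||
         action.id == "org.usbguard1.setParameter") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
EOF
  systemctl enable --now usbguard usbguard-dbus
}

# Dry run on a constructed copy of the shipped default line.
demo_conf=$(mktemp)
printf '%s\n' '#PresentDevicePolicy=apply-policy' 'ImplicitPolicyTarget=block' > "$demo_conf"
usbguard_set_key "$demo_conf" PresentDevicePolicy allow
usbguard_get_key "$demo_conf" PresentDevicePolicy   # prints: allow
```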

I think the usbguard package itself should ship that polkit rule (ideally the upstream package, but downstream if need be).

Is any feedback shown if a USB device is blocked? We will need this, so that users understand what has happened and how to resolve the situation.

For context, the default protection-level is LOCKSCREEN. That can be changed in org.gnome.desktop.privacy usb-protection-level.

Enabling "Forbid new USB devices" in the Screen Lock Settings toggles org.gnome.desktop.privacy usb-protection true|false.

> Is any feedback shown if a USB device is blocked? We will need this, so that users understand what has happened and how to resolve the situation.

Yes. GNOME Settings Daemon has code to show the following notifications when a device is inserted.

When the session is locked

We check if the inserted device is e.g. a keyboard, mouse, or hub. If that is the case, we authorize it and show the following notification:

New device detected
Either one of your existing devices has been reconnected or a new one has been plugged in. If you did not do it, check your system for any suspicious device.

For other device types we check if the protection-level is LOCKSCREEN. If yes, we show:

Reconnect USB device
New device has been detected while you were away. Please disconnect and reconnect the device to start using it.

If the device is not a mouse/keyboard/hub AND the protection level is not LOCKSCREEN, we show:

USB device blocked
New device has been detected while you were away. It has been blocked because the USB protection is active.

When the session is unlocked

If the protection-level is "LOCKSCREEN", the device will be automatically authorized by usbguard. No notification.

If the protection-level is not LOCKSCREEN, there are two scenarios:

We authorize only keyboards/mice/hubs, and then we lock the screen and show the following notification:

New USB device
New device has been detected while the session was not locked. If you did not plug anything, check your system for any suspicious device.

and if the device is not a keyboard/mouse/hub, we show:

USB device blocked
The new inserted device has been blocked because the USB protection is active.

> Is any feedback shown if a USB device is blocked? We will need this, so that users understand what has happened and how to resolve the situation.

I just wanted to note that there is a separate usbguard-notifier project [1], which can be used to detect device presence changes and usbguard policy changes in the form of pop up notifications.

[1] https://src.fedoraproject.org/rpms/usbguard-notifier

Metadata Update from @catanzaro:
- Issue untagged with: meeting-request

6 months ago

We discussed this yesterday. If somebody is willing to work on this and ensure it is properly integrated into the desktop, and if we're confident that existing USB devices won't be improperly blocked, then it seems good. However, I don't want to leave this issue report open forever without a volunteer to work on it.

@aday has an action item to advertise that we are looking for someone to help.

> We discussed this yesterday. If somebody is willing to work on this and ensure it is properly integrated into the desktop, and if we're confident that existing USB devices won't be improperly blocked, then it seems good. However, I don't want to leave this issue report open forever without a volunteer to work on it.

I can continue exploring this.

Metadata Update from @catanzaro:
- Issue assigned to feborges
- Issue tagged with: pending-action

6 months ago

> We discussed this yesterday. If somebody is willing to work on this and ensure it is properly integrated into the desktop, and if we're confident that existing USB devices won't be improperly blocked, then it seems good. However, I don't want to leave this issue report open forever without a volunteer to work on it.
>
> I can continue exploring this.

I can help you from the usbguard point of view. Let me know if you need any kind of help.
