GNOME to support USBGuard



Hi everyone,

GNOME has gained the capability to protect against certain USB-borne
threats.
That is, if USBGuard is installed, GNOME can control its configuration.

To change GNOME's behaviour, the following dconf path can be changed:

   org.gnome.desktop.privacy usb-protection true

The privacy panel will, once 
https://gitlab.gnome.org/GNOME/gnome-control-center/merge_requests/366
has been merged, expose a simple switch.

As you can see, the mechanism is opt-in for now, but we intend to
stabilise this feature for 3.38 and then turn it on by default.

Two values for its configuration currently exist:

1) "On Lockscreen":

   When the session is locked, we don't allow new USB devices to be
   plugged in, except keyboards. A notification will be shown explaining
   that the user has to unlock the session and reconnect the device.
   When the session is unlocked, we allow all devices.


2) "Always":

   We block all new devices, but allow keyboards when the screen is
   locked. Also, when the session is unlocked and a new keyboard is
   inserted, we lock the session and authorize the new device.

   We consider this feature experimental and focus on the lockscreen
   protection for now.


We will take over the control of USBGuard, but try to minimise impact.
That is, keyboards are treated specially, because they present both a
threat and a remedy. On the one hand, it's a typical attack vector and
on the other it's the only thing a user can do when their system
keyboard breaks for whatever reason.

If we detect that the USBGuard configuration has changed, we disable our
logic.

We only support USBGuard as of 0.7.5 or higher.
When an earlier version is detected, we disable our logic.

We try hard to not get in to the user's way and make as few changes to
the system's configuration as possible.
If you do notice problems, please report them back.

Note that if you install USBGuard with the default values upstream
proposes, users will most likely have a hard time making use of their
USB devices.
For example, PresentDevicePolicy with "apply-policy" as default will
prevent the devices inserted at boot time from working correctly (unless
you actually ship a policy).
One approach to save your users from this is to change the value to
"allow".
Some distributions (e.g. Debian, Ubuntu) automatically create rules of
the devices attached to the system at installation time.
Currently, we (as the GNOME USB Protection daemon) don't interfere with
the PresentDevicePolicy and don't handle device that were attached
before our daemon starts, e.g. after the users has logged in.
In other words, if the the device hasn't been authorised at boot time,
it won't be and thus won't work.
If you don't have a strategy for dealing with existing devices at boot
time (e.g. changing the default value of PresentDevicePolicy or
installing a policy), you can expect users to complain about their
devices not working.

FTR: The merge request with an extensive discussion is here:
https://gitlab.gnome.org/GNOME/gnome-settings-daemon/merge_requests/75

Thanks,
  Tobi
  



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]