Re: [PATCH] usb: core: add option of only authorizing internal devices

From: Greg Kroah-Hartman
Date: Fri Feb 22 2019 - 03:27:51 EST


On Sat, Feb 16, 2019 at 11:21:51PM -0800, Dmitry Torokhov wrote:
> On Chrome OS we want to use USBguard to potentially limit access to USB
> devices based on policy. We however do not want to wait for userspace to
> come up before initializing fixed USB devices to not regress our boot
> times.
>
> This patch adds an option to instruct the kernel to only authorize devices
> connected to the internal ports. Previously we could either authorize
> all or none (or, by default, we'd only authorize wired devices).
>
> The behavior is controlled via usbcore.authorized_default command line
> option.
>
> Signed-off-by: Dmitry Torokhov <dtor@xxxxxxxxxxxx>
> ---
> .../admin-guide/kernel-parameters.txt | 3 +-
> Documentation/usb/authorization.txt | 4 +-
> drivers/usb/core/hcd.c | 51 +++++++++++--------
> drivers/usb/core/usb.c | 33 +++++++++---
> include/linux/usb/hcd.h | 10 ++--
> 5 files changed, 69 insertions(+), 32 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index aefd358a5ca3..4446919089b9 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -4675,7 +4675,8 @@
> usbcore.authorized_default=
> [USB] Default USB device authorization:
> (default -1 = authorized except for wireless USB,
> - 0 = not authorized, 1 = authorized)
> + 0 = not authorized, 1 = authorized, 2 = authorized
> + if device connected to internal port)
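
Review bot: the added description of value 2 ("authorized if device connected to internal port") leaves two things unstated that an administrator setting usbcore.authorized_default needs to know: what happens to devices on every other port, and what makes a port count as internal. Going by the commit message, devices on non-internal ports are left unauthorized so that userspace policy (USBguard here) can decide on them; say so explicitly in this entry, and name the source of the internal/external determination, since an option meant to restrict external devices depends entirely on that classification being correct. It would also help to note that -1 remains the default, so existing setups see no change unless they opt in to 2.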

Oh nice, another "simple" flag modified over time to be more complex :(

Anyway, that's fine, it's how APIs grow, just grumpy...

This all looks good to me, I'll go queue it up now.

greg k-h