From 092842330e8d62d77f3edc86c3869d6f51b6c4b8 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 16 May 2017 17:51:48 -0400
Subject: [PATCH] add toggle for disabling newly added USB devices

Based on the public grsecurity patches.

Change-Id: I2cbea91b351cda7d098f4e1aa73dff1acbd23cce
Signed-off-by: Daniel Micay
Signed-off-by: starlight5234
---
 drivers/usb/core/hub.c | 8 ++++++++
 kernel/sysctl.c | 14 ++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 17febe960b63..9dc15d9b5c4a 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -45,6 +45,8 @@
 #define USB_TP_TRANSMISSION_DELAY	40	/* ns */
 #define USB_TP_TRANSMISSION_DELAY_MAX	65535	/* ns */
 
+int deny_new_usb __read_mostly = 0;
+
 /* Protect struct usb_device->state and ->children members
  * Note: Both are also protected by ->dev.sem, except that ->state can
  * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */
@@ -4995,6 +4997,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
 			goto done;
 		return;
 	}
+
+	if (deny_new_usb) {
+		dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);
+		goto done;
+	}
+
 	if (hub_is_superspeed(hub->hdev))
 		unit_load = 150;
 	else
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 61e40b7c5d75..fa85ee4ebda2 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -100,6 +100,9 @@
 #if defined(CONFIG_SYSCTL)
 
 /* External variables not in a header file. */
+#ifdef CONFIG_USB
+extern int deny_new_usb;
+#endif
 extern int suid_dumpable;
 #ifdef CONFIG_COREDUMP
 extern int core_uses_pid;
@@ -1198,6 +1201,17 @@ static struct ctl_table kern_table[] = {
 		.extra1		= &zero,
 		.extra2		= &two,
 	},
+#endif
+#ifdef CONFIG_USB
+	{
+		.procname	= "deny_new_usb",
+		.data		= &deny_new_usb,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax_sysadmin,
+		.extra1		= &zero,
+		.extra2		= &one,
+	},
 #endif
 	{
 		.procname	= "ngroups_max",
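Review bot: `int deny_new_usb __read_mostly = 0;` in the first hub.c hunk explicitly initialises a global to zero, which the kernel's checkpatch flags ("do not initialise globals to 0"); the variable lands in .bss with the same value, so `int deny_new_usb __read_mostly;` is the conventional form. The symbol is then consumed from kernel/sysctl.c through an ad-hoc `extern` rather than a shared header, so nothing checks that both sides agree on the type; a declaration in a header visible to both files (include/linux/usb.h would be the natural place, if this tree accepts that) would close that gap. A short comment above the definition stating that it gates only new enumerations in hub_port_connect and is exposed as the `deny_new_usb` sysctl would also help the next reader, since neither fact is visible from hub.c alone.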
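Review bot: The `dev_err()` inside the new `if (deny_new_usb)` block in hub_port_connect fires on every connect attempt while the toggle is set, so a port that keeps reconnecting (a flapping cable, or a device that re-presents itself) can fill the kernel log at error level; `dev_err_ratelimited(&port_dev->dev, "denied insert of USB device on port %d\n", port1);` keeps the audit trail without the flood. The `goto done` jumps to the function's cleanup label, which is outside this hunk; from the rest of the function (not shown here) that path appears to do more than disable the port and may depend on the current value of `status`, so it is worth confirming it is the intended outcome for a device that was never enumerated, as opposed to a plain `return`. hub_port_connect starts and ends outside the hunk.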
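Review bot: `#ifdef CONFIG_USB` around the new `extern int deny_new_usb;` is also true when USB is built as a module (CONFIG_USB=m), but the variable is defined in drivers/usb/core/hub.c, i.e. inside usbcore, while kernel/sysctl.c is always built in; with a modular usbcore the `&deny_new_usb` reference in kern_table would be unresolved at vmlinux link time. If this tree allows CONFIG_USB=m, guard both this extern and the kern_table entry in the next hunk with `#if IS_BUILTIN(CONFIG_USB)`, or move the definition into a file that is always built in and have hub.c take the extern instead. The same guard choice applies to the `#ifdef CONFIG_USB` in the second sysctl.c hunk.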
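Review bot: The new `deny_new_usb` entry in kern_table adds a user-visible sysctl without any documentation in the patch; Documentation/sysctl/kernel.txt (or this tree's equivalent) is where the neighbouring entries are described and should get a paragraph stating what the knob does (new device connections on any hub port are refused in hub_port_connect, already-enumerated devices are untouched), that it accepts 0 or 1, and that it is a toggle rather than a one-way latch. That last point matters for anyone relying on it: `proc_dointvec_minmax_sysadmin` already restricts writes to CAP_SYS_ADMIN, which is consistent with `.mode = 0644`, but the same capability can write it back to 0, so the knob defends against hardware being plugged in while policy has set it, not against an already-privileged process. A one-line comment above the entry pointing at the definition in drivers/usb/core/hub.c would help, since the extern block at the top of the file only says the variables are "not in a header file".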