add toggle for disabling newly added USB devices

Based on the public grsecurity patches. Change-Id: I2cbea91b351cda7d098f4e1aa73dff1acbd23cce Signed-off-by: Daniel Micay <danielmicay@gmail.com> Signed-off-by: starlight5234 <starlight5234@protonmail.ch>
2017-05-16 17:51:48 -04:00 · 2017-05-16 17:51:48 -04:00 · 092842330e
commit 092842330e
parent 4b2b333bbb
2 changed files with 22 additions and 0 deletions
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@ -45,6 +45,8 @@
 #define USB_TP_TRANSMISSION_DELAY	40	/* ns */
 #define USB_TP_TRANSMISSION_DELAY_MAX	65535	/* ns */

+int deny_new_usb __read_mostly = 0;
+
 /* Protect struct usb_device->state and ->children members
 * Note: Both are also protected by ->dev.sem, except that ->state can
 * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */
@ -4995,6 +4997,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
 			goto done;
 		return;
 	}
+
+	if (deny_new_usb) {
+		dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);
+		goto done;
+	}
+
 	if (hub_is_superspeed(hub->hdev))
 		unit_load = 150;
 	else
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@ -100,6 +100,9 @@
 #if defined(CONFIG_SYSCTL)

 /* External variables not in a header file. */
+#ifdef CONFIG_USB
+extern int deny_new_usb;
+#endif
 extern int suid_dumpable;
 #ifdef CONFIG_COREDUMP
 extern int core_uses_pid;
@ -1198,6 +1201,17 @@ static struct ctl_table kern_table[] = {
 		.extra1		= &zero,
 		.extra2		= &two,
 	},
+#endif
+#ifdef CONFIG_USB
+	{
+		.procname	= "deny_new_usb",
+		.data		= &deny_new_usb,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax_sysadmin,
+		.extra1		= &zero,
+		.extra2		= &one,
+	},
 #endif
 	{
 		.procname	= "ngroups_max",