input-proxy: ability to blacklist/whitelist specific devices #3604

Open
taradiddles opened this Issue Feb 18, 2018 · 0 comments


taradiddles commented Feb 18, 2018

Qubes OS version:

R4.0rc4


Steps to reproduce the behavior:

With sys-usb and qubes-input-proxy-sender set up, start or resume a machine with a USB device which advertises keyboard capabilities but that you don't want to use in dom0.

Expected behavior:

There should be a (supported) way to blacklist said device from being detected/used by qubes-input-proxy-sender.

Actual behavior:

On my ThinkPad T450s the integrated USB camera (04ca:703c Lite-On Technology Corp.) is picked up as a keyboard device by qubes-input-proxy-sender's udev rules (didn't have time to see why, but the question here is more general).
My qubes.InputKeyboard rpc policy is set to ask so each time I start or resume the laptop I get the gui popup asking if I want to enable a keyboard. With the laptop undocked I know that's the camera. But when the laptop's docked with an external keyboard I have no way to know which popup gui corresponds to the camera so I end up enabling everything.

General notes:

Actually the issue here is two-fold:

  • It would be helpful to have the name of the device in the rpc popup gui.
  • There should be a way to either blacklist or whitelist input devices. If one considers sys-usb unsecure the best place to do that would be in dom0, but I didn't find how to do that with the rather generic qubes.InputKeyboard rpc policy.

[EDIT: I realize that if sys-usb is considered insecure there's no way to be sure that the device name shown in dom0's popup gui is the right device's name. So that defeats the purpose of having the policy in dom0. That said, I still think it would be helpful to have the name shown in the popup gui, maybe with a note that the name isn't trusted.]

Workaround: in sys-usb's template, copy /lib/udev/rules.d/90-qubes-input-proxy.rules to /etc/udev/rules.d/90-qubes-input-proxy.rules (an identical name will override the rules in /lib).

For blacklisting: add a goto line that matches your device near the top of the file:

ENV{ID_SOMETHING}=="somethingelse", GOTO="qubes_input_proxy_end"

For whitelisting: add ENV{whatever} to the systemctl lines so that they match only your device(s).


Related issues:
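
The blacklisting workaround from the issue, written out as an added example (not part of the original post and not Qubes project code). The function name and the choice of `ATTRS{idVendor}`/`ATTRS{idProduct}` as match keys are assumptions of this example; the file paths and the `qubes_input_proxy_end` label are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example: create the /etc override of the input-proxy udev rules and
# make one USB device skip them. Match keys are this example's assumption.

SRC_RULES=/lib/udev/rules.d/90-qubes-input-proxy.rules
DST_RULES=/etc/udev/rules.d/90-qubes-input-proxy.rules
END_LABEL=qubes_input_proxy_end

# blacklist_input_device VENDOR PRODUCT [SRC] [DST]
# Returns 0 on success or if the rule is already present.
blacklist_input_device() {
    vendor=$1 product=$2
    src=${3:-$SRC_RULES} dst=${4:-$DST_RULES}
    h='[0-9abcdef]'

    # sysfs reports USB IDs as four lowercase hex digits; reject anything
    # else so nothing unexpected is written into a rules file.
    for id in "$vendor" "$product"; do
        case $id in
            $h$h$h$h) ;;
            *) echo "bad USB id: $id" >&2; return 2 ;;
        esac
    done

    # Start from the packaged rules unless an override already exists.
    [ -f "$dst" ] || cp -- "$src" "$dst" || return 1

    # GOTO only works if the target label exists later in the same file.
    grep -q "LABEL=\"$END_LABEL\"" "$dst" || {
        echo "label $END_LABEL not found in $dst" >&2; return 3; }

    rule="ATTRS{idVendor}==\"$vendor\", ATTRS{idProduct}==\"$product\", GOTO=\"$END_LABEL\""

    # Idempotent: leave the file alone if this exact rule is already there.
    grep -qxF -- "$rule" "$dst" && return 0

    # First line of the file, so it is evaluated before any proxy rule.
    tmp=$(mktemp) || return 1
    { printf '%s\n' "$rule"; cat -- "$dst"; } > "$tmp" && cat "$tmp" > "$dst"
    rc=$?
    rm -f -- "$tmp"
    return $rc
}
```

Run as root in sys-usb's template, for the camera in this issue `blacklist_input_device 04ca 703c`; sys-usb uses the override after its next start.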
