xHCI controllers only partially allowed by matching rule #604

Open
daenney opened this issue Oct 21, 2023 · 1 comment

daenney commented Oct 21, 2023

I have a basic rule that's intended to allow any device with the Linux Foundation ID:

allow id equals { 1d6b:* }

However, this doesn't seem to allow all devices matching the ID:

# usbguard list-devices
3: allow id 1d6b:0002 serial "0000:c1:00.3" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb1" with-interface 09:00:00 with-connect-type ""
4: allow id 1d6b:0003 serial "0000:c1:00.3" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb2" with-interface 09:00:00 with-connect-type ""
5: allow id 1d6b:0002 serial "0000:c1:00.4" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb3" with-interface 09:00:00 with-connect-type ""
6: allow id 1d6b:0003 serial "0000:c1:00.4" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb4" with-interface 09:00:00 with-connect-type ""
7: allow id 1d6b:0002 serial "0000:c3:00.3" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb5" with-interface 09:00:00 with-connect-type ""
8: allow id 1d6b:0003 serial "0000:c3:00.3" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb6" with-interface 09:00:00 with-connect-type ""
9: allow id 1d6b:0002 serial "0000:c3:00.4" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb7" with-interface 09:00:00 with-connect-type ""
10: allow id 1d6b:0003 serial "0000:c3:00.4" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb8" with-interface 09:00:00 with-connect-type ""
11: block id 1d6b:0002 serial "0000:64:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb9" with-interface 09:00:00 with-connect-type ""
12: block id 1d6b:0003 serial "0000:64:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb10" with-interface 09:00:00 with-connect-type ""
13: block id 1d6b:0002 serial "0000:65:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb11" with-interface 09:00:00 with-connect-type ""
14: block id 1d6b:0003 serial "0000:65:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb12" with-interface 09:00:00 with-connect-type ""
15: block id 1d6b:0002 serial "0000:66:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb13" with-interface 09:00:00 with-connect-type ""
16: block id 1d6b:0003 serial "0000:66:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb14" with-interface 09:00:00 with-connect-type ""

For some reason it seems to switch to blocking once we hit usb9.

# usbguard list-devices -t
.
├── 9: allow xHCI Host Controller
├── 10: allow xHCI Host Controller
├── 11: block xHCI Host Controller
├── 12: block xHCI Host Controller
├── 15: block xHCI Host Controller
├── 16: block xHCI Host Controller
├── 7: allow xHCI Host Controller
├── 8: allow xHCI Host Controller
├── 3: allow xHCI Host Controller
│   └── 17: allow Wireless_Device
├── 4: allow xHCI Host Controller
├── 5: allow xHCI Host Controller
│   └── 18: allow Laptop Camera
├── 6: allow xHCI Host Controller
├── 13: block xHCI Host Controller
└── 14: block xHCI Host Controller

# lsusb
Bus 008 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 002: ID 0bda:5634 Realtek Semiconductor Corp. Laptop Camera
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 0e8d:e616 MediaTek Inc. Wireless_Device
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 014 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 013 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 012 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 011 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 009 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 010 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

I think the reason there are so many xHCI units is because this is on a Framework laptop, so each of the 4 port modules is a USB-C port in itself too.

daenney commented Oct 21, 2023

Removing that line and restarting usbguard doesn't affect the output. So I guess that rule doesn't apply in the first place. But that still leaves me somewhat confused about the two sets of controllers.
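An added diagnostic example, not part of the issue or of the usbguard project: it parses `usbguard list-devices` lines, groups the applied target by the `serial` field (which for these root hubs has the form of a PCI address), and lists devices that are blocked even though their ID matches the `1d6b:*` pattern. The sample input is four lines copied from the output above; the function names and the simplified wildcard match are assumptions of this example.

```python
import re
from collections import defaultdict

# Four lines copied from the `usbguard list-devices` output in the issue above.
SAMPLE = '''\
3: allow id 1d6b:0002 serial "0000:c1:00.3" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb1" with-interface 09:00:00 with-connect-type ""
4: allow id 1d6b:0003 serial "0000:c1:00.3" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb2" with-interface 09:00:00 with-connect-type ""
11: block id 1d6b:0002 serial "0000:64:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb9" with-interface 09:00:00 with-connect-type ""
12: block id 1d6b:0003 serial "0000:64:00.0" name "xHCI Host Controller" hash "redacted" parent-hash "redacted" via-port "usb10" with-interface 09:00:00 with-connect-type ""
'''

# Fields needed for the comparison: number, target, id, serial, via-port.
LINE = re.compile(
    r'^(?P<num>\d+): (?P<target>allow|block|reject) '
    r'id (?P<id>[0-9a-f]{4}:[0-9a-f]{4}) '
    r'serial "(?P<serial>[^"]*)".* via-port "(?P<port>[^"]*)"')

def parse(text):
    """Return one dict per device line; lines that do not parse are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def id_matches(pattern, device_id):
    """Simplified vendor:product match where a half of the pattern may be '*'."""
    pv, pp = pattern.split(":")
    dv, dp = device_id.split(":")
    return pv in ("*", dv) and pp in ("*", dp)

def verdicts_by_serial(devices):
    """Group the applied targets by serial, i.e. by host controller."""
    groups = defaultdict(set)
    for d in devices:
        groups[d["serial"]].add(d["target"])
    return dict(groups)

def unexplained_blocks(devices, pattern):
    """Devices whose ID matches the allow pattern but which are still blocked."""
    return [d for d in devices
            if d["target"] == "block" and id_matches(pattern, d["id"])]

if __name__ == "__main__":
    devs = parse(SAMPLE)
    for serial, targets in sorted(verdicts_by_serial(devs).items()):
        print(serial, sorted(targets))
    for d in unexplained_blocks(devs, "1d6b:*"):
        print("blocked despite id match:", d["num"], d["id"], d["port"])
```

Fed the full listing, the grouping shows whether the allow/block split follows the controller's serial rather than the device ID.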
