How to disable USB devices based on vendor ID in a Linux environment?

28,143

Solution 1

You can make a udev rule that disables devices by default, but enables certain ones by vendor ID. Make a file /etc/udev/rules.d/01-usblockdown.rules that contains a rule to disable devices:

ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done'"

And then rules to enable the devices you want to allow (you can use ATTR{idVendor} to get at the vendor ID):

ACTION=="add", ATTR{idVendor}=="0000", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"

See "Locking down Linux using UDEV" for more information.

Solution 2

(this might have been better as a comment but I lack the points so expanded it into an answer)

I came here searching for how to allow all USB devices except disabling a specific one by vendor and product ID. "How to disable a usb sound device with udev" answers it for the 0d8c:000c example.

Create /etc/udev/rules.d/disable-usb-device.rules:

ACTION=="add", ATTR{idVendor}=="0d8c", ATTR{idProduct}=="000c", RUN="/bin/sh -c 'echo 0 >/sys/\$devpath/authorized'"

There is a discrepancy between the answer and a comment below with RUN= vs. RUN+=; I tried the former and it worked fine.

I was expecting dmesg or lsusb to report differently, but they both show the unauthorized device getting enumerated just as before. Other processes/modules that would have launched automatically appear to not be running, which was the desired effect. cat /sys/bus/usb/devices/1-2.2.1.1.4/authorized (the 1-2.2... for example, which can be found in dmesg) shows that the 0 was put in the right place.
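
The `authorized` and `authorized_default` files used in Solutions 1 and 2 can be checked for every device at once, which also catches devices that were already authorized before the rules ran (the reboot case raised in the comments). The script below is an added example, not part of any answer on this page; the function name `usb_audit`, its arguments and its output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit sysfs USB authorization against a vendor-ID allowlist.
# usb_audit SYSFS_DIR "vid vid ..."   (SYSFS_DIR is normally /sys/bus/usb/devices)
# Prints one line per root hub and device. Returns 1 if anything breaks the
# default-deny policy of Solution 1, 0 otherwise.
usb_audit() {
    root=$1 allow=$2 rc=0
    for dev in "$root"/*; do
        name=${dev##*/}
        case $name in
        usb*)
            # Root hub: authorized_default decides the fate of new devices.
            [ -r "$dev/authorized_default" ] || continue
            def=$(cat "$dev/authorized_default")
            if [ "$def" = 0 ]; then
                echo "OK        $name authorized_default=0"
            else
                echo "VIOLATION $name authorized_default=$def"; rc=1
            fi
            continue ;;
        esac
        # Interface nodes such as 1-2:1.0 carry no idVendor; skip them.
        [ -r "$dev/idVendor" ] && [ -r "$dev/authorized" ] || continue
        vid=$(cat "$dev/idVendor")
        pid=$(cat "$dev/idProduct" 2>/dev/null || echo '????')
        auth=$(cat "$dev/authorized")
        if [ "$auth" = 0 ]; then
            echo "BLOCKED   $name $vid:$pid authorized=0"
        else
            # Vendor IDs in sysfs are lowercase hex; match whole words only.
            case " $allow " in
            *" $vid "*) echo "ALLOWED   $name $vid:$pid authorized=$auth" ;;
            *) echo "VIOLATION $name $vid:$pid authorized=$auth"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# When run as a script, the arguments are the allowed vendor IDs.
if [ "$#" -gt 0 ]; then
    usb_audit /sys/bus/usb/devices "$*"
fi
```

A non-zero exit status makes the function usable from a cron job or monitoring check; hubs between the root hub and a device need their vendor ID on the allowlist as well.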

Solution 3

This worked for me on Ubuntu 20.04:

$ cat /etc/udev/rules.d/81-elan-fingerprint.rules
# ID 04f3:0c28 Elan Microelectronics Corp. ELAN:Fingerprint should be disabled
ACTION=="add", ATTR{idVendor}=="04f3", ATTR{idProduct}=="0c28", RUN="/bin/sh -c 'echo 1 >/sys/\$devpath/remove'"

This makes the USB device unusable, as it's removed as soon as it is plugged in. Removing 'ATTR{idProduct}=="0c28",' should do the same for all devices from that vendor.

Author by

Fran Muñoz

Updated on September 18, 2022

Comments

  • Fran Muñoz over 1 year
    I want to disable USB devices based on vendor ID in a Linux environment. I want to allow only specific USB devices, based on vendor ID.
  • Fran Muñoz about 11 years
    Is the above command enough, or do we have to do any udevadm trigger to get the effect of this?
  • Fran Muñoz about 11 years
    Hi Stephane, do we have to add both rules to allow a specific pendrive?
  • DBX12 over 6 years
    @subbarao Yes, you have to add both rules, the first blocks anything per default, the second allows certain devices.
  • Filipe Calasans over 4 years
    I don't know if there were some changes in between in udev, but nowadays attributes are named ATTRS (plural) and not ATTR when I query devices with udevadm.
  • ScottN about 4 years
    This works for when you plug in, say, a keyboard once the system is booted. But if the keyboard is connected and you reboot, the keyboard works upon the OS booting back up. Unplugging the keyboard and then re-plugging it, the keyboard doesn't work, as expected. Is there some lower-level area where this rule can be run before boot devices are activated?
  • telcoM almost 4 years
    It is ATTR for the attributes of the exact device udev is focusing on, and ATTRS for attributes belonging to its parent devices.
  • Mark Stewart over 3 years
    Thanks for your contribution. Can you edit your question and add a little explanation about what part of your answer solves the question? Thanks.