udev rules to allow only one vendor and model USB drive but no others
Solution 1
I've faced before same problem with non effective ignore_device
. I couldn't figure out why then I always go with other solutions.
-
Well,
ignore_device
removed with udev release 148. See release note or changelogIf you noticed, all topics suggesting the use of it are old (~ 2009).
-
A quick alternative is to use:
ENV{UDISKS_PRESENTATION_HIDE}="1"
(Ubuntu 12.04). For releases (>=12.10) which includeudisks2
use:ENV{UDISKS_IGNORE}="1"
.Reference: Archlinux Wiki: Udisks
The other solutions are using SYSFS. Either device/authorized
(as solsTiCe mentioned), device/remove
or driver/unbind
. See Only use Mass Storage devices on a selected USB port - how?
Difficulty comes in how to deny all storage except only one brand/model. So the rule match condition should filter a single device node, no more no less (no child or parent devices). That's why I added KERNELS=="[1-9]*-[0-9]*"
KERNELS=="[1-9]*-[0-9]*", SUBSYSTEMS=="usb", DRIVERS=="usb", ATTRS{idVendor}!="0951", ENV{UDISKS_PRESENTATION_HIDE}="1"
KERNELS=="[1-9]*-[0-9]*", SUBSYSTEMS=="usb", DRIVERS=="usb", ATTRS{idVendor}=="0951", ATTRS{idProduct}!="1665", ENV{UDISKS_PRESENTATION_HIDE}="1"
Well, UDisks hides only mounting hook. These may be better using SYSFS driver unbind.
KERNELS=="[1-9]*-[0-9]*", SUBSYSTEMS=="usb", DRIVERS=="usb", ATTRS{idVendor}!="125f", ENV{IF_STORAGE_REMOVE_ME}="1"
KERNELS=="[1-9]*-[0-9]*", SUBSYSTEMS=="usb", DRIVERS=="usb", ATTRS{idVendor}=="125f", ATTRS{idProduct}!="c96a", ENV{IF_STORAGE_REMOVE_ME}="1"
ENV{IF_STORAGE_REMOVE_ME}=="1", DRIVERS=="usb-storage", DRIVER=="sd", RUN+="/bin/sh -c 'echo -n %k >/sys%p/driver/unbind'"
Reference: udev rule with few parent device attributes
Solution 2
NOTE: Obsoleted by Sneetsher's answer. This answer is left here for legacy reasons.
So, I sorta solved this, and it was a PAIN to do.
I reexamined the restrictions in my rules, and I changed functionality. Apparently, 12.04 doesn't honor the ignore_device
option. So, I improvised and wrote an unmount script. Since there's only one functional USB port on these systems, we end up with the following, which I KNOW may break other things:
/etc/udev/rules.d/100-restrict-usb-devices.rules
# If a device is NOT a Kingston drive, ignore it.
ACTION=="add", ATTRS{idVendor}!="0951", OPTIONS+="ignore_device", RUN+="/usr/bin/logger UnauthorizedUSBConnected", RUN+="/lib/udev/unmount.sh"
# If a device is a Kingston drive, but is NOT the model we have, ignore it.
ACTION=="add", ATTRS{idVendor}=="0951", ATTRS{idProduct}!="1665", OPTIONS+="ignore_device", RUN+="/usr/bin/logger UnauthorizedUSBConnected", RUN+="/lib/udev/unmount.sh"
# If a device is a Kingston drive and is the model we have, then run a script
ACTION=="add", ATTRS{idVendor}=="0951", ATTRS{idProduct}=="1665", RUN+="/lib/udev/syslog-authorized-device-connected.sh", RUN+="/usr/bin/logger AuthorizedUSBConnected"
/lib/udev/unmount.sh
- Just a script that checks first for currently existing devices, and then checks all the other drive devices and unmounts if and only if the script runs. Since all devices would be sdb
, sdc
, etc. there's ways to make it work for everything.
Moral of the story: the system ignores the ignore_device
option in 12.04. Gotta script everything. :/
Related videos on Youtube
Thomas Ward
Updated on September 18, 2022Comments
-
Thomas Ward over 1 year
So, we're working to set up an environment here where we have a secure storage setup on our Linux laptops, such that our Linux laptops can only connect a specific USB drive: a Kingston DataTraveler 2.0. Vendor:Model code is this (from
lsusb
):Bus 003 Device 003: ID 0951:1665 Kingston Technology
I've been trying to get these rules to work, but on a 12.04 environment the rules aren't working. (Note I've made comments with
#
prepended lines, but they're not in the udev files):# If a device is NOT a Kingston drive, ignore it. SUBSYSTEMS=="usb", DRIVERS=="usb", ATTRS{idVendor}!="0951", OPTIONS+="ignore_device" # If a device is a Kingston drive, but is NOT the model we have, ignore it. SUBSYSTEMS=="usb", DRIVERS=="usb", ATTRS{idVendor}=="0951", ATTRS{idProduct}!="1665", OPTIONS+="ignore_device" # If a device is a Kingston drive and is the model we have, then run a script SUBSYSTEMS=="usb", DRIVERS=="usb", ATTRS{idVendor}=="0951", ATTRS{idProduct}=="1665", RUN+="/lib/udev/syslog-authorized-device-connected.sh"
The issue I have is that NONE of these rules are working, and I have no idea if this is even the correct approach for this.
Thoughts?
-
solsTiCe almost 9 yearsYour udev rules can use what is described here superuser.com/a/617454/34387 instead of shell script. Or you can use it in your script either.
-
Thomas Ward almost 9 years@solsTiCe That's a good point. We could do either, but the longer term problem is new systems that are in the category will have more than one functional USB, at which point I need it scripted to handle any USB bus/port combo. For the current implementation the dirty solution works, but it's mostly a proof of concept first before actually whittling away at it to fix it.
-
Thomas Ward almost 9 yearsIs there a way to restrict only USB storage devices in this manner (USB mice will apparently need to work on the next systems we get to replace the aging equipment in use now).
-
Thomas Ward almost 9 yearsI did a test with a USB mouse and keyboard lying around here via a VM, and was able to use those devices easily. As far as I can see this works. :)
-
user.dz almost 9 years@ThomasW. , User can get around this, because all it does hiding the hook in the GUI. The disk still there and it can be mounted using CLI, Disks Utility or Gparted... I will look of sysfs solution
-
Thomas Ward almost 9 yearsTrue, but we only have a small handful of power users who have administrative access anyways, and none of them are of a concern for these systems. They're basically research systems and we want to block other drives in the sense that the GUI doesn't automount it and such.