I want to block all USB devices except Human Interface Devices (interface class "03"),
so I block all devices and enable only hubs with the following udev rule. My question is whether the part where I enable device class "00" and interface class "03" is correct and will not allow any other USB device to work.
As I understand it, device class "00" just means that the device's class is defined at the interface level, and if that interface isn't authorized the device shouldn't work.
Am I right here, or is something wrong or missing?
# Allow-list for USB keyboards and mice (HID, interface class 03). Hubs are
# authorized so that devices behind them can enumerate; the last rule
# deauthorizes whatever no earlier rule matched.
# Reading aid: `==` / `!=` compare a value, a single `=` on ATTR{...} writes
# that sysfs attribute on the event device.

# Skip events that are not from the usb subsystem
SUBSYSTEM!="usb", GOTO="usb_end"
# Skip remove actions
ACTION=="remove", GOTO="usb_end"
# Every rule below requires ACTION=="add"; events with any other action reach
# the label without a write. SUBSYSTEMS=="usb" is always true from here on
# because of the SUBSYSTEM guard above.

# Linux Foundation (presumably the root hubs as lsusb names them -- confirm)
# enable ehci: hub device class 09 with this product string.
# NOTE(review): this rule and the uhci rule are subsets of the "all hubs" rule
# further down, which matches bDeviceClass 09 without a product string.
SUBSYSTEMS=="usb", ACTION=="add", ATTR{product}=="EHCI Host Controller", \
ATTR{bDeviceClass}=="09", ATTR{authorized}="1", GOTO="usb_end"
# enable uhci: same match for the UHCI product string
SUBSYSTEMS=="usb", ACTION=="add", ATTR{product}=="UHCI Host Controller", \
ATTR{bDeviceClass}=="09", ATTR{authorized}="1", GOTO="usb_end"
# get to intel hubs / enable root hubs: authorize any interface whose class is 09 (hub)
SUBSYSTEMS=="usb", ACTION=="add", ATTR{bInterfaceClass}=="09", ATTR{authorized}="1", GOTO="usb_end"
# enable intel hubs / all hubs: authorize any device whose device class is 09
SUBSYSTEMS=="usb", ACTION=="add", ATTR{bDeviceClass}=="09", ATTR{authorized}="1", GOTO="usb_end"
# enable 00 (the device-level entry that precedes the keyboard interface)
# NOTE(review): device class 00 only says "class is declared per interface".
# It is not specific to HID: storage and many other device types also report
# 00 here, so this rule authorizes all of them at device level. Their non-HID
# interfaces are then only blocked if the final rule's write reaches a
# per-interface `authorized` attribute, which needs a kernel with USB
# interface authorization -- check that the attribute exists under
# /sys/bus/usb/devices/<interface>/. Without it, this rule alone lets the
# whole device work.
# NOTE(review): even with that attribute, interfaces appear to start out
# authorized and a driver may bind before udev writes 0. Setting
# interface_authorized_default to 0 on each host controller makes interfaces
# start deauthorized; the kernel's USB authorization document says a driver
# probe must then be triggered via /sys/bus/usb/drivers_probe after
# authorizing an interface. Verify on the target kernel before relying on it.
SUBSYSTEMS=="usb", ACTION=="add", ATTR{bDeviceClass}=="00", ATTR{authorized}="1", GOTO="usb_end"
# enable human interface devices: authorize any interface whose class is 03
# NOTE(review): class 03 is whatever the device declares about itself, so this
# admits every device that presents a HID interface, not only known keyboards
# and mice. Matching idVendor/idProduct of the expected hardware on the
# device-level rule would narrow it.
SUBSYSTEMS=="usb", ACTION=="add", ATTR{bInterfaceClass}=="03", ATTR{authorized}="1", GOTO="usb_end"
# Disable all other USB devices: there is no DEVTYPE match, so the write is
# attempted on every remaining usb "add" event, devices and interfaces alike.
SUBSYSTEMS=="usb", ACTION=="add", ATTR{authorized}="0"
# Jump target for every GOTO above
LABEL="usb_end"