RHEL-939

PresentControllerPolicy=reject does not work


    • Bug
    • Resolution: Can't Do
    • rhel-9.0.0
    • usbguard
    • rhel-security-special-projects
    • ssg_security

      Description of problem:
      Starting usbguard.service with minimal configuration

      ImplicitPolicyTarget=reject
      PresentDevicePolicy=reject
      PresentControllerPolicy=reject
      InsertedDevicePolicy=reject
      IPCAllowedUsers=not_allowed
      IPCAllowedGroups=not_allowed

      aimed to prevent USB usage completely causes this error in syslog (on RHEL 7/8/9 VM running on RHEL 9 host):

      Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: SysFSDevice: remove: Bad file descriptor
      Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Device insert exception: SysFSDevice: (rc = write(fd, &value[0], value.size())) != (ssize_t)value.size(): Invalid argument
      Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: SysFSDevice: (rc = write(fd, &value[0], value.size())) != (ssize_t)value.size(): Invalid argument
      Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Rejecting device at syspath=
      Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: USB Device Exception: SysFSDevice: remove: Bad file descriptor
      Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: SysFSDevice: remove: Bad file descriptor
      Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1
      Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-0:1.0
      Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0
      Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2/2-0:1.0

      And lsusb(8) shows that only the USB tablet, which gets added to libvirt-created VMs by default, has been blocked/rejected; the controllers are still present:

      # lsusb
        Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
        Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

      Version-Release number of selected component (if applicable):
      usbguard-1.0.0-10.el9.x86_64

              rh-ee-alakatos Attila Lakatos
              myllynen Marko Myllynen
              Attila Lakatos Attila Lakatos
              SSG Security QE SSG Security QE
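
A way to check the reported symptom from sysfs rather than from lsusb output, as an added example that is not part of the original report or of usbguard itself. It assumes the kernel's per-device `authorized` attribute under /sys/bus/usb/devices, treats the `usbN` root hub entries as the controllers, and is meant to run right after the daemon starts, so that every device seen was present at start; the function names are hypothetical.

```python
import sys
from pathlib import Path

def read_conf(path):
    """Parse KEY=value lines from a usbguard-daemon.conf style file."""
    conf = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def usb_devices(sysroot):
    """Yield (name, is_controller, authorized) for each USB device entry."""
    for dev in sorted(Path(sysroot).iterdir()):
        if ":" in dev.name:  # interface entry such as 1-0:1.0, not a device
            continue
        auth = dev / "authorized"
        if auth.is_file():
            # Assumption: usbN entries (root hubs) are the "controllers".
            yield dev.name, dev.name.startswith("usb"), auth.read_text().strip() == "1"

def violations(conf, sysroot="/sys/bus/usb/devices"):
    """List devices whose sysfs state contradicts the Present*Policy settings."""
    found = []
    for name, is_controller, authorized in usb_devices(sysroot):
        key = "PresentControllerPolicy" if is_controller else "PresentDevicePolicy"
        policy = conf.get(key)
        if policy == "reject":  # reject removes the device, so presence is a miss
            found.append((name, key, "reject", "still present"))
        elif policy == "block" and authorized:  # block only deauthorizes
            found.append((name, key, "block", "still authorized"))
    return found

if __name__ == "__main__":
    # Usage: script.py <path to daemon config>; exits 1 if enforcement is incomplete.
    misses = violations(read_conf(sys.argv[1]))
    for name, key, policy, state in misses:
        print(f"{name}: {key}={policy} but device is {state}")
    sys.exit(1 if misses else 0)
```

A non-zero exit status makes the check usable as a post-start compliance probe.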