IPC interface access control

I have already covered how to configure usbguard-daemon IPC access control in a previous post. However, the 0.7.0 release introduced another way to configure the same thing with more control over who can do what.

Previously, one could only enable a user or group to use the whole IPC interface. With the new ACL system, the access can be limited to specific sections of the interface and specific privileges inside that section.

The available sections and privileges are:

To use this new system, you first have to modify the usbguard-daemon configuration and set the IPCAccessControlFiles setting to point to a location where the ACL definition files will be stored, for example: /etc/usbguard/IPCAccessControl.d/.

Once set, you can use the usbguard CLI to define the ACL. For example:

$ sudo usbguard add-user joe --devices ALL --policy list,listen --exceptions ALL

That command gives user joe full access to the Devices and Exceptions sections. In the Policy section, joe is only allowed to list the policy and listen to policy signals, not to modify the policy.

To remove the definition, use:

$ sudo usbguard remove-user joe
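The configuration steps above, as an added example that is not from the original post: a small POSIX shell helper that sets IPCAccessControlFiles in the daemon configuration (assumed to live at /etc/usbguard/usbguard-daemon.conf), creates the ACL directory with restrictive permissions, and wraps the add-user call so that the operator account gets only the privileges shown above.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the daemon reads
# /etc/usbguard/usbguard-daemon.conf and the `usbguard add-user` syntax shown above.
set -eu

# Idempotently set IPCAccessControlFiles=<dir> in a usbguard-daemon.conf:
# replace an existing (possibly commented-out) line, or append one.
set_ipc_acl_dir() {
    conf="$1"; dir="$2"
    tmp="$conf.tmp.$$"
    if grep -Eq '^[#[:space:]]*IPCAccessControlFiles=' "$conf"; then
        sed -E "s|^[#[:space:]]*IPCAccessControlFiles=.*|IPCAccessControlFiles=$dir|" "$conf" > "$tmp"
    else
        cp "$conf" "$tmp"
        printf 'IPCAccessControlFiles=%s\n' "$dir" >> "$tmp"
    fi
    mv "$tmp" "$conf"
    # Only the daemon (root) needs to read the ACL files; keep the directory
    # closed to other local users so they cannot inspect or tamper with it.
    mkdir -p "$dir"
    chmod 0700 "$dir"
}

# Read back the configured directory so the setting can be verified.
get_ipc_acl_dir() {
    sed -nE 's|^IPCAccessControlFiles=(.*)$|\1|p' "$1" | tail -n 1
}

# Grant an operator account the least privilege it needs: full Devices and
# Exceptions access, but only list/listen (no modify) on the Policy section.
grant_operator_acl() {
    user="$1"
    usbguard add-user "$user" --devices ALL --policy list,listen --exceptions ALL
}

# Usage (as root, with usbguard installed; restart the daemon afterwards so
# it picks up the new setting):
#   set_ipc_acl_dir /etc/usbguard/usbguard-daemon.conf /etc/usbguard/IPCAccessControl.d
#   grant_operator_acl joe
```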