Hello strangers! It’s been a while. A new release of USBGuard is available and it brings important bug fixes and new features.
From all the bug fixes in this release, I’d like to point out one which required a backwards incompatible change and requires an update to existing policies. The Linux USB root hub devices use the kernel version as the bcdDevice attribute value. The value is part of the USB descriptor data which USBGuard uses for computing the device hash and therefore causes the device hash to change on every kernel update. This in turn makes USBGuard rules which rely on this hash to not match and block the device. And because it’s a root hub device that gets blocked, all the other devices get blocked too. The bug fix is simple, reset the bcdDevice value to zero before hashing (applied only for the Linux root hub devices).
New features include an UEvent based device manager and support for fine-grained IPC access control. Check out the Change Log for more details.
- Added DeviceManagerBackend configuration option. This option can be used to select from several device manager backend implementations.
- Implemented an uevent based device manager backend.
- Added setParameter, getParameter IPC (incl. D-Bus) methods.
- Added set-parameter, get-parameter CLI subcommands.
- Qt Applet: Added Spanish (es_AR) translation.
- Create empty rules.conf file at install time (make install).
- Support for numeric UID/GID values in IPCAllowedUsers and IPCAllowedGroups settings.
- If bash completion support is detected at configure time, install the bash completion script during make install.
- Added new configuration setting: IPCAccessControlFiles.
- IPC access is now configurable down to a section and privilege level per user and/or group.
- Added add-user, remove-user usbuard CLI subcommands for creating, removing IPC access control files.
- Added AuditFilePath configuration option for setting the location of the USBGuard audit events log file path. If set, the usbguard-daemon will log policy and device related actions and whether they succeeded or not.
- Removed UDev based device manager backend and UDev related dependencies.
- Removed UDev development files/API dependency
- Reset Linux root hub bcdDevice value before updating device hash. This is a backwards incompatible change because it changes how the device hash is computed for Linux root hub devices.
- Refactored low-level USB device handling into SysFSDevice class which represents a device in the /sys filesystem (sysfs).
- Removed usage of
readdir_rbecause it’s obsolete. Replaced with readdir with the assumption that its usage is thread-safe if the directory handle passed to it is not shared between threads.
- Extended test suite with use case tests.
- Install the usbguard-daemon configuration and policy file with strict file permissions to prevent policy leaks.
- Fixed several memory leaks.
- Don’t pre-resolve user and group names in IPCAllowedUsers and IPCAllowedGroups settings. Instead, resolve the name during the IPC authentication phase.
Many thanks to the following people for contributions to this release and to the USBGuard project:
- Christian Stadelmann
- Ian Beringer
- Noam cohen
- Paweł Jackowski
- Philipp Deppenwiese
- Zach Lym
If you are using Fedora or the USBGuard Copr repository, run:
$ sudo dnf update --enablerepo=updates-testing usbguard
Signed release tarball can be downloaded from the USBGuard release page at GitHub: