Description
...
Example: To deny all USB 3.0 devices:
```json
"usb-rules": {
  "1001": {
    "description": "Deny USB 3.0 to all VMs",
    "command": "deny",
    "device": {
      "sysattr": {
        "version": "3.00"
      }
    }
  }
  ...
}
```
udev Properties
- "property" (Parent node for the set of key-value pairs to match against udev properties)
Example: To allow all Toshiba devices by manufacturer name (as opposed to vendor ID):
```json
"usb-rules": {
  "1001": {
    "description": "Allow Toshiba to all VMs",
    "command": "allow",
    "device": {
      "property": {
        "ID_VENDOR": "Toshiba"
      }
    }
  }
  ...
}
```
Behavior
- Rules are parsed in "priority" order, from low to high
- The first matching rule "wins" and the rest of the policy is ignored; if no rule matches the device, the default is deny
- The order is critical
- Multiple attributes inside a device/vm block must all match (they are AND-ed together).
Default policy
Note: the actual default internal policy is "deny" everything. This is the external default policy in JSON, taken from /config/db:

```json
"usb-rules": {
  "9900": {
    "description": "Deny keyboard passthrough to all VMs",
    "command": "deny",
    "device": {
      "keyboard": "1"
    }
  },
  "9999": {
    "description": "Allow everything else",
    "command": "allow"
  }
}
```
...
Rule 9900 blocks keyboard passthrough and rule 9999 allows everything, effectively switching the default behavior from "deny" to "allow".
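The evaluation order described under Behavior, applied to the default policy above, as an added example (not the project's own code). It models only the "device" block; the device dictionary layout, the numeric sort of rule numbers, and the rule number 10000 are assumptions made for the illustration.

```python
# Added illustration, not the project's code; the device dict layout is an assumption.

def matches(criteria, device):
    """Every key in the rule's device block must match (AND semantics)."""
    for key, want in criteria.items():
        have = device.get(key)
        if isinstance(want, dict):            # nested group: "sysattr" / "property"
            if not isinstance(have, dict) or not matches(want, have):
                return False
        elif have != want:
            return False
    return True

def evaluate(rules, device):
    """Return (command, rule_id) for the first matching rule, lowest number first."""
    for rule_id in sorted(rules, key=int):    # assumption: numeric priority order
        rule = rules[rule_id]
        if matches(rule.get("device", {}), device):   # no device block matches all
            return rule["command"], rule_id
    return "deny", None                       # internal default: no match means deny

# Default policy from the page.
DEFAULT = {
    "9900": {"description": "Deny keyboard passthrough to all VMs",
             "command": "deny", "device": {"keyboard": "1"}},
    "9999": {"description": "Allow everything else", "command": "allow"},
}

# Constructed sample devices (values are illustrative).
KEYBOARD = {"keyboard": "1", "sysattr": {"version": "2.00"}}
USB3_DISK = {"sysattr": {"version": "3.00"}, "property": {"ID_VENDOR": "Toshiba"}}
DENY_USB3 = {"description": "Deny USB 3.0 to all VMs", "command": "deny",
             "device": {"sysattr": {"version": "3.00"}}}

def demo():
    early = dict(DEFAULT, **{"1001": DENY_USB3})    # evaluated before 9999
    late = dict(DEFAULT, **{"10000": DENY_USB3})    # shadowed by allow-all 9999
    return {
        "keyboard_default": evaluate(DEFAULT, KEYBOARD),
        "disk_default": evaluate(DEFAULT, USB3_DISK),
        "disk_early_deny": evaluate(early, USB3_DISK),
        "disk_late_deny": evaluate(late, USB3_DISK),
        "disk_empty_policy": evaluate({}, USB3_DISK),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A deny rule numbered above the catch-all allow is never reached, so restrictive rules need numbers below 9999.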
...