Info | ||
---|---|---|
| ||
Copyright 2015 by Assured Information Security, Inc. Created by Jean-Edouard Lejosne <lejosnej@ainfosec.com>. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/. |
Table of Contents |
---|
Description
vusb-daemon handles USB device passthrough.
It listens to dbus and udev for user, toolstack and device events.
Then, according to the database-stored policy, it uses the vusb dom0 kernel module to trigger USB passthrough action.
...
- a "description":
Free text to describe the rule - a "command"
- "always": always assign the device (or all if unspecified) to the vm (or none if unspecified), implies "allow" for that vm. Prevents re-assignment to any other VM.
- "default": same as "always", without preventing re-assignment.
- "allow": allow the device (or all if unspecified) to be passed to the vm (or all if unspecified)
- "deny": deny the device (or all if unspecified) to be passed to the vm (or all if unspecified)
- a "device"
See below for sub-nodes - a "vm"
For now, the only valid sub-node is "uuid", to specify the UUID of the VM
...
Example: To deny all USB 3.0 devices:
Code Block | ||
---|---|---|
| ||
"usb-rules": { "1001": { "description": "Deny USB 3.0 to all VMs", "command": "deny", "device": { "sysattr": { "version" = "3.00" } } } ... } |
udev Properties
- "property" (Parent node for the set of key-value pairs to match against udev properties)
Example: To allow all Toshiba devicesby devices by manufacturer name (as opposed to vendor ID):
Code Block | ||
---|---|---|
| ||
"usb-rules": { "1001": { "description": "Allow Toshiba to all VMs", "command": "deny", "device": { "property": { "ID_VENDOR" = "Toshiba" } } } ... } |
Behavior
- Rules are parsed in ("priority") order, from low to high
- First match "wins", the rest of the policy is ignored, default to deny if no rule matches the device
- The order is critical
- Multiple attributes inside a device/vm block must all match (they are AND-ed together).
Default policy
In Note the actual default internal policy is "deny" everything. This is the external default policy in json, taken from /config/db
:
Code Block | ||
---|---|---|
| ||
"usb-rules": {
"9900": {
"description": "Deny keyboard passthrough to all VMs",
"command": "deny",
"device": {
"keyboard": "1"
}
},
"9999": {
"description": "Allow everything else",
"command": "allow"
}
} |
...
|
Rule 9900 blocks keyboard passthrough and rule 9999 allows everything, effectively switching the default behavior from "deny" to "allow".
...