Versions Compared

Old Version 2

changes.mady.by.user Ross Philipson

Saved on

compared with

New Version Current

changes.mady.by.user Jed

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info
iconNone

Image Added

Copyright 2015 by Assured Information Security, Inc. Created by Jean-Edouard Lejosne <lejosnej@ainfosec.com>. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.

Table of Contents

Description

...

  • a "description":
    Free text to describe the rule
  • a "command"
    • "always": always assign the device (or all if unspecified) to the vm (or none if unspecified), implies "allow" for that vm. Prevents re-assignment to any other VM.
    • "default": same as "always", without preventing re-assignment.
    • "allow": allow the device (or all if unspecified) to be passed to the vm (or all if unspecified)
    • "deny": deny the device (or all if unspecified) to be passed to the vm (or all if unspecified)
  • a "device"
    See below for sub-nodes
  • a "vm"
    For now, the only valid sub-node is "uuid", to specify the UUID of the VM

...

Example: To deny all USB 3.0 devices:

Code Block
languagetext
 "usb-rules": {
  "1001": {
    "description": "Deny USB 3.0 to all VMs",
    "command": "deny",
    "device": {
      "sysattr": {
        "version" = "3.00"
      }
    }
  }
  ...
}

udev Properties

  • "property" (Parent node for the set of key-value pairs to match against udev properties)

Example: To allow all Toshiba devicesby devices by manufacturer name (as opposed to vendor ID):

Code Block
languagetext
"usb-rules": {
  "1001": {
    "description": "Allow Toshiba to all VMs",
    "command": "deny",
    "device": {
      "property": {
        "ID_VENDOR" = "Toshiba"
      }
    }
  }
  ...
} 

Behavior

  • Rules are parsed in ("priority") order, from low to high
  • First match "wins", the rest of the policy is ignored, default to deny if no rule matches the device
  • The order is critical
  • Multiple attributes inside a device/vm block must all match (they are AND-ed together).

Default policy

In Note the actual default internal policy is "deny" everything. This is the external default policy in json, taken from /config/db:

Code Block
languagetext
"usb-rules": {
  "9900": {
    "description": "Deny keyboard passthrough to all VMs",
    "command": "deny",
    "device": {
      "keyboard": "1"
    }
  },
  "9999": {
    "description": "Allow everything else",
    "command": "allow"
  }
}

...

 

Rule 9900 blocks keyboard passthrough and rule 9999 allows everything, effectively switching the default behavior from "deny" to "allow".

...