add toggle for disabling newly added USB devices

Based on the public grsecurity patches. Change-Id: I2cbea91b351cda7d098f4e1aa73dff1acbd23cce Signed-off-by: Daniel Micay <danielmicay@gmail.com> Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2016-06-15 06:11:48 -04:00 · 2016-06-15 06:11:48 -04:00 · bacad4b4cb
parent 9332955257
commit bacad4b4cb
2 changed files with 21 additions and 0 deletions
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@ -111,6 +111,8 @@ struct usb_hub {
 	void			**port_owners;
 };

+int deny_new_usb = 0;
+
 static inline int hub_is_superspeed(struct usb_device *hdev)
 {
 	return (hdev->descriptor.bDeviceProtocol == USB_HUB_PR_SS);
@ -3648,6 +3650,11 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
 		return;
 	}

+	if (deny_new_usb) {
+		dev_err(hub_dev, "denied insert of USB device on port %d\n", port1);
+		goto done;
+	}
+
 	for (i = 0; i < SET_CONFIG_TRIES; i++) {

 		/* reallocate for each attempt, since references
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@ -93,6 +93,9 @@
 #if defined(CONFIG_SYSCTL)

 /* External variables not in a header file. */
+#ifdef CONFIG_USB
+extern int deny_new_usb;
+#endif
 extern int sysctl_overcommit_memory;
 extern int sysctl_overcommit_ratio;
 extern int max_threads;
@ -722,6 +725,17 @@ static struct ctl_table kern_table[] = {
 		.extra1		= &zero,
 		.extra2		= &two,
 	},
+#endif
+#ifdef CONFIG_USB
+	{
+		.procname	= "deny_new_usb",
+		.data		= &deny_new_usb,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax_sysadmin,
+		.extra1		= &zero,
+		.extra2		= &one,
+	},
 #endif
 	{
 		.procname	= "ngroups_max",