Hi,

On 7/16/19 12:47 PM, Antoine Beaupré wrote:
> On 2019-07-15 11:09:55, Thiébaud Weksteen wrote:

>> On generate-policy vs PresentDevicePolicy, I would argue that the
>> simplest option is the best. By running generate-policy, you are
>> parsing all current devices, generating rules and then applying these
>> rules. There might be (unlikely) a bug in the rule generation which
>> ends up blocking a device (e.g., missing attribute or so). The
>> PresentDevicePolicy=keep is just a simpler alternative.
>>
>> It might be useful to write down some Debian-specific documentation on
>> how to set up the daemon to be more restrictive? The wiki might be a
>> good place for that?
> 
> Problem with PresentDevicePolicy=keep is that it might break on reboot
> or setup changes (e.g. moving laptop from office to home).

You mean that usbguard doesn't honor the rules when it is started on
boot? That would be my fear, because the default from the kernel is to
allow devices and if we set PresentDevicePolicy to keep, it doesn't look
at the rules defined in the rules file at boot time. That means if I
forbid a device, after the next reboot the device would be allowed.

cheers,
Birger
