Bug 1852568

Summary: temporarily blocking a device by whole rule breaks internal device indexing
Product: Red Hat Enterprise Linux 8
Component: usbguard
Reporter: Dalibor Pospíšil <dapospis>
Assignee: Radovan Sroka <rsroka>
QA Contact: Dalibor Pospíšil <dapospis>
CC: alakatos, dapospis, zfridric
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Version: ---
Target Milestone: rc
Target Release: 8.0
Keywords: EasyFix, Patch, Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug
Last Closed: 2021-05-18 16:12:41 UTC

Description Dalibor Pospíšil 2020-06-30 17:46:07 UTC
Description of problem:
Temporarily blocking a device by whole rule breaks internal device indexing, which later causes an error while iterating over the devices.

Version-Release number of selected component (if applicable):
usbguard-0.7.8-5.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
# usbguard list-devices
1: allow id 1d6b:0002 serial "0000:00:05.7" name "EHCI Host Controller" hash "Ap1KJvrloJGZ/VZPReyAzHk9s3sUJoX+F3eeIdAzrk0=" parent-hash "6VbQ3Wzd2u9tM+sO3PkYl2AbeMCL9b4Pn/6NrVcOp48=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0001 serial "0000:00:05.0" name "UHCI Host Controller" hash "7+qnS/RvNOzjkaKf2mRN8ZMmWxBbdF57KOxIOBNpThE=" parent-hash "cMRKHUSNcd0vJPcUZhwrTI3c5CWedllA0lXosTS9gCQ=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: allow id 1d6b:0001 serial "0000:00:05.1" name "UHCI Host Controller" hash "xwTm2paM4X/ScyT5PYY6rWFFMZ+jXCjOVTWbYLfBj50=" parent-hash "fnFFKoHl/zTkF3al0L9t1MBqWIAlAK9f47O1NQP71WA=" via-port "usb3" with-interface 09:00:00 with-connect-type ""
4: allow id 1d6b:0001 serial "0000:00:05.2" name "UHCI Host Controller" hash "UBYy0eFTMVbtdI2KyByEquPNZPvnz2RA2V+9JD7RHJQ=" parent-hash "fvyME4Csge1oin0lQkJH3fl+4WFYogwW7KbwOEbviZM=" via-port "usb4" with-interface 09:00:00 with-connect-type ""
5: block id 0627:0001 serial "42" name "QEMU USB Tablet" hash "86Y7/hNhZiVcdnYQHH+Jpo3QrLtJhUC7daTv5YQs6eg=" parent-hash "Ap1KJvrloJGZ/VZPReyAzHk9s3sUJoX+F3eeIdAzrk0=" via-port "1-1" with-interface 03:00:02 with-connect-type "unknown"        
# usbguard block-device allow id 1d6b:0002 serial "0000:00:05.7" name "EHCI Host Controller" hash "Ap1KJvrloJGZ/VZPReyAzHk9s3sUJoX+F3eeIdAzrk0=" parent-hash "6VbQ3Wzd2u9tM+sO3PkYl2AbeMCL9b4Pn/6NrVcOp48=" with-interface 09:00:00 with-connect-type ""
# usbguard list-devices
1: allow id 1d6b:0002 serial "0000:00:05.7" name "EHCI Host Controller" hash "Ap1KJvrloJGZ/VZPReyAzHk9s3sUJoX+F3eeIdAzrk0=" parent-hash "6VbQ3Wzd2u9tM+sO3PkYl2AbeMCL9b4Pn/6NrVcOp48=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0001 serial "0000:00:05.0" name "UHCI Host Controller" hash "7+qnS/RvNOzjkaKf2mRN8ZMmWxBbdF57KOxIOBNpThE=" parent-hash "cMRKHUSNcd0vJPcUZhwrTI3c5CWedllA0lXosTS9gCQ=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: allow id 1d6b:0001 serial "0000:00:05.1" name "UHCI Host Controller" hash "xwTm2paM4X/ScyT5PYY6rWFFMZ+jXCjOVTWbYLfBj50=" parent-hash "fnFFKoHl/zTkF3al0L9t1MBqWIAlAK9f47O1NQP71WA=" via-port "usb3" with-interface 09:00:00 with-connect-type ""
4: allow id 1d6b:0001 serial "0000:00:05.2" name "UHCI Host Controller" hash "UBYy0eFTMVbtdI2KyByEquPNZPvnz2RA2V+9JD7RHJQ=" parent-hash "fvyME4Csge1oin0lQkJH3fl+4WFYogwW7KbwOEbviZM=" via-port "usb4" with-interface 09:00:00 with-connect-type ""
7: block id 0627:0001 serial "42" name "QEMU USB Tablet" hash "86Y7/hNhZiVcdnYQHH+Jpo3QrLtJhUC7daTv5YQs6eg=" parent-hash "Ap1KJvrloJGZ/VZPReyAzHk9s3sUJoX+F3eeIdAzrk0=" via-port "1-1" with-interface 03:00:02 with-connect-type "unknown"
# usbguard block-device allow id *:*'
IPC ERROR: request id=6: Device lookup: device id: id doesn't exist

Comment 2 Zoltan Fridrich 2020-08-10 13:46:22 UTC
I can confirm that the problem is exactly as Attila mentioned.

(100% reproducible)
Steps to reproduce:

# usbguard list-devices
1: allow DeviceX
2: allow ChildDeviceOfDeviceX
# usbguard block-device allow id *:*
IPC ERROR: request id=xy: Device lookup: device id: id doesn't exist

Probably the best way to fix this is by suppressing the raised exception.
A fix has been proposed upstream: https://github.com/USBGuard/usbguard/pull/404
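
A simplified model of the failure discussed in this report, added here as an example; it is not code from USBGuard or from the upstream pull request. `DeviceTable` and `block_matching_all` are hypothetical names, and the model assumes that blocking a parent makes its children reappear under new ids, as the change of device 5 to 7 in the description suggests.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <stdexcept>
#include <vector>
// Hypothetical model of a device table; these are not USBGuard's own classes.
struct Device { uint32_t parent; bool allowed; };
struct DeviceTable {
    std::map<uint32_t, Device> devices;
    uint32_t next_id = 1;
    uint32_t add(uint32_t parent) { devices[next_id] = Device{parent, true}; return next_id++; }
    std::vector<uint32_t> ids() const {
        std::vector<uint32_t> out;
        for (const auto& kv : devices) out.push_back(kv.first);
        return out;
    }
    // Assumption: blocking a parent drops its children, which return under new ids.
    void block(uint32_t id) {
        auto it = devices.find(id);
        if (it == devices.end())
            throw std::out_of_range("Device lookup: device id: id doesn't exist");
        it->second.allowed = false;
        for (uint32_t child : ids()) {
            if (devices.at(child).parent != id) continue;
            devices.erase(child);                    // old id disappears
            devices[next_id++] = Device{id, false};  // same device, fresh id
        }
    }
};

// Blocks every id from a snapshot taken before the loop, as a rule matching "*:*" would.
// Returns the number of stale ids skipped, or -1 if a stale id aborted the request.
int block_matching_all(bool tolerate_stale) {
    DeviceTable t;
    uint32_t x = t.add(0);   // DeviceX (constructed sample; parent 0 means none)
    t.add(x);                // ChildDeviceOfDeviceX
    int stale = 0;
    for (uint32_t id : t.ids()) {
        try { t.block(id); }
        catch (const std::out_of_range&) {
            if (!tolerate_stale) return -1;  // whole request fails, as in the IPC ERROR
            ++stale;                         // stale id skipped, request continues
        }
    }
    return stale;
}

int main() {
    std::cout << block_matching_all(false) << " " << block_matching_all(true) << "\n";
}
```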

Comment 3 Dalibor Pospíšil 2020-08-26 17:51:12 UTC
`usbguard allow-device -p block id *:*` does not work either; the block rule is not written to rules.conf.

Comment 7 Attila Lakatos 2020-09-29 09:06:05 UTC
This particular issue has been merged into upstream. The link is attached.

Comment 21 errata-xmlrpc 2021-05-18 16:12:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (usbguard bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1931