Bug 2122110

Summary: PresentControllerPolicy=reject does not work
Product: Red Hat Enterprise Linux 9
Reporter: Marko Myllynen <myllynen>
Component: usbguard
Assignee: Attila Lakatos <alakatos>
Status: CLOSED MIGRATED
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 9.0
CC: dapospis
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-03 12:48:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marko Myllynen 2022-08-29 07:20:15 UTC
Description of problem:
Starting usbguard.service with a minimal configuration

ImplicitPolicyTarget=reject
PresentDevicePolicy=reject
PresentControllerPolicy=reject
InsertedDevicePolicy=reject
IPCAllowedUsers=not_allowed
IPCAllowedGroups=not_allowed

aimed at preventing USB usage completely causes these errors in syslog (on a RHEL 7/8/9 VM running on a RHEL 9 host):

Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: SysFSDevice: remove: Bad file descriptor
Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Device insert exception: SysFSDevice: (rc = write(fd, &value[0], value.size())) != (ssize_t)value.size(): Invalid argument
Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: SysFSDevice: (rc = write(fd, &value[0], value.size())) != (ssize_t)value.size(): Invalid argument
Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Rejecting device at syspath=
Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: USB Device Exception: SysFSDevice: remove: Bad file descriptor
Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: SysFSDevice: remove: Bad file descriptor
Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1
Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-0:1.0
Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0
Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2/2-0:1.0

And lsusb(8) shows that only the USB tablet, which gets added to libvirt-created VMs by default, has been blocked/rejected; the controllers are still present:

# lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Version-Release number of selected component (if applicable):
usbguard-1.0.0-10.el9.x86_64
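As an added example (not part of this bug report or of the usbguard project), the following Python script classifies usbguard-daemon syslog lines like the ones above, so that someone reviewing a host can tell apart ordinary device rejections from the failed controller removals this report describes (sysfs write errors, "Bad file descriptor" on remove, unresolved realpaths, and a rejection logged with an empty syspath). The sample log lines are copied from the report; the message patterns are assumptions derived only from those lines, and `affected_root_hubs` is a helper defined here, not a usbguard API.

```python
import re
from collections import Counter

# Syslog prefix as it appears in the report:
# "<Mon DD HH:MM:SS> <host> usbguard-daemon[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"usbguard-daemon\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message classes observed in the report (assumed patterns), checked in
# order; the first match wins.
CLASSIFIERS = [
    ("reject", re.compile(r"^Rejecting device at syspath=(?P<syspath>.*)$")),
    ("sysfs_write_error",
     re.compile(r"SysFSDevice: \(rc = write\(.*Invalid argument$")),
    ("sysfs_remove_error",
     re.compile(r"SysFSDevice: remove: Bad file descriptor$")),
    ("unresolved_realpath",
     re.compile(r"^Cannot resolve realpath for (?P<path>\S+)$")),
]


def classify(line):
    """Return an event dict for a usbguard-daemon line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    event = {"kind": "other", "pid": int(m.group("pid")), "msg": msg}
    for kind, rx in CLASSIFIERS:
        mm = rx.search(msg)
        if mm:
            event["kind"] = kind
            event.update(mm.groupdict())
            break
    return event


def affected_root_hubs(paths):
    """Extract the root hub component (usbN) from sysfs paths, deduplicated."""
    hubs = set()
    for p in paths:
        mm = re.search(r"/(usb\d+)/", p)
        if mm:
            hubs.add(mm.group(1))
    return sorted(hubs)


def summarize(lines):
    """Count event kinds and collect the paths involved in failed removals."""
    counts = Counter()
    rejected, unresolved = [], []
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        counts[ev["kind"]] += 1
        if ev["kind"] == "reject":
            rejected.append(ev["syspath"])
        elif ev["kind"] == "unresolved_realpath":
            unresolved.append(ev["path"])
    return {
        "counts": dict(counts),
        "rejected": rejected,
        # A rejection with no syspath means the daemon lost the device path.
        "empty_syspath_rejects": sum(1 for s in rejected if s == ""),
        "unresolved": unresolved,
        "root_hubs": affected_root_hubs(unresolved),
    }


# Sample input copied from the bug report above.
SAMPLE_LOG = [
    "Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: SysFSDevice: remove: Bad file descriptor",
    "Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Device insert exception: SysFSDevice: (rc = write(fd, &value[0], value.size())) != (ssize_t)value.size(): Invalid argument",
    "Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: SysFSDevice: (rc = write(fd, &value[0], value.size())) != (ssize_t)value.size(): Invalid argument",
    "Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Rejecting device at syspath=",
    "Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: USB Device Exception: SysFSDevice: remove: Bad file descriptor",
    "Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: SysFSDevice: remove: Bad file descriptor",
    "Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1",
    "Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-0:1.0",
    "Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0",
    "Aug 29 10:18:26 localhost.localdomain usbguard-daemon[2582]: Cannot resolve realpath for /sys/bus/usb/devices/../../../devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2/2-0:1.0",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the report's lines, `summarize` reports one rejection with an empty syspath, two sysfs write errors, three failed removes, and unresolved paths under both root hubs (usb1 and usb2), which matches the lsusb output showing both controllers still present.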

Comment 1 Attila Lakatos 2022-08-30 07:53:06 UTC
It seems like host controllers do not tolerate remove events. I was able to reproduce it manually as well via:

$ echo '1' > /sys/devices/PATH/remove
echo: write error: invalid argument

However, once a host controller is rejected, all of its children are also rejected, even though an error message is displayed.