minimal port of grsecurity's DENYUSB feature
authorDaniel Micay <danielmicay@gmail.com>
Wed, 15 Jun 2016 10:11:48 +0000 (06:11 -0400)
committerStricted <info@stricted.net>
Tue, 6 Aug 2019 11:33:35 +0000 (11:33 +0000)
drivers/usb/core/hub.c
kernel/sysctl.c

index c0f95ec776a648e1a537cfcfe82c7e1003197577..1608b43978e61bf1a1153a8f2cc856b608734ea7 100644 (file)
@@ -43,6 +43,8 @@
 #define USB_VENDOR_GENESYS_LOGIC               0x05e3
 #define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND       0x01
 
+int deny_new_usb = 0;
+
 static inline int hub_is_superspeed(struct usb_device *hdev)
 {
        return (hdev->descriptor.bDeviceProtocol == USB_HUB_PR_SS);
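Review bot: The new global `deny_new_usb` is added without a comment saying what it gates or who writes it, and the explicit `= 0` is redundant for a file-scope variable. I would write it as `/* Non-zero: newly connected USB devices are refused in hub_port_connect_change(); set via the deny_new_usb sysctl. */` followed by `int deny_new_usb;`. Since it is a non-static symbol that kernel/sysctl.c picks up through an ad-hoc `extern`, declaring it in a shared header would let the compiler check that both sides agree on the type.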
@@ -4541,6 +4543,12 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
                        goto done;
                return;
        }
+
+       if (deny_new_usb) {
+               dev_err(hub_dev, "denied insert of USB device on port %d\n", port1);
+               goto done;
+       }
+
        if (hub_is_superspeed(hub->hdev))
                unit_load = 150;
        else
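Review bot: The `dev_err()` in the new `if (deny_new_usb)` branch is not rate limited, and a port connect event can be produced repeatedly by anyone with physical access, so the kernel log can be flooded while the control is active. I would use `dev_err_ratelimited(hub_dev, "denied insert of USB device on port %d\n", port1);` instead. The flag is consulted only at this point, so devices enumerated before it was set remain attached; a short comment above the check should say that. What the `done` label does with the port lies outside the hunk, so it is worth confirming that this path leaves the port disabled.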
index 0ed2fdd0014863fe71ea624b0e5775239a0a4028..1989b45c119427a77f83a582524ffcb36e175b01 100644 (file)
@@ -95,6 +95,9 @@
 #if defined(CONFIG_SYSCTL)
 
 /* External variables not in a header file. */
+#ifdef CONFIG_USB
+extern int deny_new_usb;
+#endif
 extern int sysctl_overcommit_memory;
 extern int sysctl_overcommit_ratio;
 extern int max_threads;
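Review bot: `#ifdef CONFIG_USB` is true only when the USB core is built in, so on a modular build (where `CONFIG_USB_MODULE` is defined instead) this extern and the table entry in the `kern_table` hunk are compiled out. `deny_new_usb` in hub.c then stays 0 with no way to set it, and the control is silently absent. Switching to `IS_ENABLED(CONFIG_USB)` alone would not help, because the variable would live in the module and not be visible to kernel/sysctl.c. Either define the variable in always-built-in code or state the limit next to the guard, e.g. `/* deny_new_usb: only available when CONFIG_USB=y (built in) */`.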
@@ -794,6 +797,17 @@ static struct ctl_table kern_table[] = {
                .extra1         = &zero,
                .extra2         = &four,
        },
+#endif
+#ifdef CONFIG_USB
+       {
+               .procname       = "deny_new_usb",
+               .data           = &deny_new_usb,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+               .proc_handler   = proc_dointvec_minmax_sysadmin,
+               .extra1         = &zero,
+               .extra2         = &one,
+       },
 #endif
        {
                .procname       = "ngroups_max",
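Review bot: The `deny_new_usb` entry is a plain 0/1 toggle, not a latch, and nothing in the hunk documents that. `proc_dointvec_minmax_sysadmin` with `.extra1 = &zero` and `.extra2 = &one` restricts who can write it and to which values, but any writer that passes the handler's check can set it back to 0 at runtime. The control therefore guards against devices plugged in while it is set, not against a privileged process that wants to clear it. If the original feature relied on a separate mechanism to make the setting irreversible, that part does not appear to be ported here. I would add a comment above the entry such as `/* 1 = refuse newly connected USB devices; can be cleared again by a privileged writer */` and describe the sysctl in the kernel's sysctl documentation.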