minimal port of grsecurity's DENYUSB feature
authorDaniel Micay <danielmicay@gmail.com>
Wed, 15 Jun 2016 10:11:48 +0000 (06:11 -0400)
committerStricted <info@stricted.net>
Tue, 26 Feb 2019 09:20:18 +0000 (09:20 +0000)
Change-Id: Ic5ac1b115ab3d6332be9329ddb0d611643da6fd6

drivers/usb/core/hub.c
kernel/sysctl.c

index 37bb26da356ee849379fb0929f44043f4bbd4620..029fdc5bad158c589348c2673ff5ee0ec23ef36c 100644 (file)
@@ -162,6 +162,7 @@ extern int usbif_u3h_send_event(char* event) ;
 #include "otg_whitelist.h"
 #endif
 
+int deny_new_usb = 0;
 
 static inline int hub_is_superspeed(struct usb_device *hdev)
 {
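Review bot: `deny_new_usb` is added at file scope in hub.c with no comment and with an explicit `= 0`, which kernel style (checkpatch) asks to drop because static storage is already zeroed. Since the flag is read on every connect event and written only through the sysctl, `int deny_new_usb __read_mostly;` fits better. It should carry a comment naming its writer and reader, for example `/* kernel.deny_new_usb sysctl: non-zero makes hub_port_connect_change() refuse newly attached devices */`.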
@@ -4770,6 +4771,12 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
                        goto done;
                return;
        }
+
+       if (deny_new_usb) {
+               dev_err(hub_dev, "denied insert of USB device on port %d\n", port1);
+               goto done;
+       }
+
        if (hub_is_superspeed(hub->hdev))
                unit_load = 150;
        else
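Review bot: The new `dev_err()` in the `deny_new_usb` branch fires on every connect event while the flag is set, and that path is driven by whoever has physical access to the port, so repeated re-plugging can fill the kernel log. `dev_err_ratelimited(hub_dev, "denied insert of USB device on port %d\n", port1);` keeps the audit record without that. The branch also deserves a comment saying that, as far as this hunk shows, it only refuses new connections and does nothing about devices enumerated before the flag was set, e.g. `/* deny_new_usb: refuse newly attached devices; already-enumerated devices are untouched */`. hub_port_connect_change() starts and ends outside the hunk, so what `goto done` does to the port is not visible here; it is worth confirming the port ends up disabled rather than merely skipped.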
index 3718b15fd5f7088f8fc2812084a6771e2c080c96..856816349697c184adaaa1764162783778766913 100644 (file)
@@ -95,6 +95,9 @@
 #if defined(CONFIG_SYSCTL)
 
 /* External variables not in a header file. */
+#ifdef CONFIG_USB
+extern int deny_new_usb;
+#endif
 extern int sysctl_overcommit_memory;
 extern int sysctl_overcommit_ratio;
 extern int max_threads;
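Review bot: Guarding the declaration with `#ifdef CONFIG_USB` means the knob exists only when USB core is built in. CONFIG_USB is tristate, and with `=m` only `CONFIG_USB_MODULE` is defined, so the sysctl would silently be absent while hub.c still compiles its check against a flag that can never be set. If modular USB is a supported configuration for this tree, registering the table from drivers/usb/core would avoid that; otherwise state the built-in requirement in a comment such as `/* deny_new_usb lives in drivers/usb/core/hub.c; only reachable when CONFIG_USB=y */`. Moving the `extern` into a shared header that hub.c also includes would let the compiler check that the declaration and definition agree.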
@@ -790,6 +793,17 @@ static struct ctl_table kern_table[] = {
                .extra1         = &zero,
                .extra2         = &two,
        },
+#endif
+#ifdef CONFIG_USB
+       {
+               .procname       = "deny_new_usb",
+               .data           = &deny_new_usb,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+               .proc_handler   = proc_dointvec_minmax_sysadmin,
+               .extra1         = &zero,
+               .extra2         = &one,
+       },
 #endif
        {
                .procname       = "ngroups_max",
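Review bot: With `.extra1 = &zero` and `.extra2 = &one` the `deny_new_usb` entry is a reversible toggle, so any process holding CAP_SYS_ADMIN can write 0 and re-open the ports. If the threat model includes a compromised privileged process, a one-way latch in the style of `modules_disabled` (`.extra1 = &one, .extra2 = &one`) would be the stricter choice. If reversibility is intended, the entry should say so, e.g. `/* reversible by CAP_SYS_ADMIN on purpose: userspace toggles this at runtime */`. Separately, on kernels of this age `proc_dointvec_minmax_sysadmin` is, I believe, only declared under CONFIG_PRINTK. The added `#endif` moves this entry outside that block, so a CONFIG_USB=y, CONFIG_PRINTK=n build is worth checking.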