Subject: Re: [PATCH 03/11] Creation of "usb_device_auth" LSM hook
To: Salvatore Mesoraca, linux-kernel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com, Brad Spengler, PaX Team, Casey Schaufler, Kees Cook, James Morris, "Serge E. Hallyn", linux-usb@vger.kernel.org, Greg Kroah-Hartman
From: Krzysztof Opasiak
Message-id: <75f33a0f-4643-fe17-fc35-b60b48efd499@samsung.com>
Date: Mon, 12 Jun 2017 19:35:06 +0200
In-reply-to: <1497286620-15027-4-git-send-email-s.mesoraca16@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On 06/12/2017 06:56 PM, Salvatore Mesoraca wrote:
> Creation of a new LSM hook that can be used to authorize or deauthorize
> new USB devices via the usb authorization interface.
> The same hook can also prevent the authorization of a USB device via
> "/sys/bus/usb/devices/DEVICE/authorized".
> Using this hook an LSM could provide a higher level of granularity
> than the current authorization interface.
>

Could you please explain to me why we need LSM for this?

There are tools like usbguard[1] and as far as I can tell it looks like they can do everything for you... Without kernel modification... without matching and storing rules inside kernel.. just pure userspace which uses device/interface authorization

Footnote:
1 - https://dkopecek.github.io/usbguard/

Best regards,
-- 
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
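
The userspace approach this reply points to, sketched as an added example (not part of the original message and not USBGuard's code): a per-interface allowlist applied through the sysfs "authorized" files. It assumes the host controller's interface_authorized_default is 0, so new interfaces arrive unauthorized; POLICY, the device IDs and the directory tree are constructed so the example runs offline.

```python
import os
import tempfile

# Hypothetical policy: (idVendor, idProduct) -> interface classes allowed to bind.
POLICY = {("046d", "c31c"): {"03"}}  # constructed IDs: a keyboard, HID (03) only

def read_attr(*parts):
    with open(os.path.join(*parts)) as f:
        return f.read().strip()

def authorize_interfaces(devices_dir):
    """Write 1/0 to every interface's 'authorized' file; return the decisions."""
    decisions = {}
    for name in sorted(os.listdir(devices_dir)):
        parent = name.split(":", 1)[0]  # 1-2:1.0 is an interface of device 1-2
        # Skip device entries and root-hub interfaces (1-0:1.0 has no 1-0 entry).
        if ":" not in name or not os.path.isdir(os.path.join(devices_dir, parent)):
            continue
        key = (read_attr(devices_dir, parent, "idVendor"),
               read_attr(devices_dir, parent, "idProduct"))
        iface_class = read_attr(devices_dir, name, "bInterfaceClass")
        allowed = iface_class in POLICY.get(key, set())  # unknown device: deny
        with open(os.path.join(devices_dir, name, "authorized"), "w") as f:
            f.write("1" if allowed else "0")
        decisions[name] = allowed
    return decisions

def build_constructed_tree(root):
    """Constructed stand-in for /sys/bus/usb/devices (sample data, not a capture)."""
    layout = {
        "1-0:1.0": {"bInterfaceClass": "09", "authorized": "1"},  # root hub
        "1-2": {"idVendor": "046d", "idProduct": "c31c"},
        "1-2:1.0": {"bInterfaceClass": "03", "authorized": "0"},
        "1-2:1.1": {"bInterfaceClass": "08", "authorized": "0"},  # extra storage
        "1-3": {"idVendor": "1234", "idProduct": "5678"},         # not in POLICY
        "1-3:1.0": {"bInterfaceClass": "03", "authorized": "0"},
    }
    for entry, attrs in layout.items():
        os.makedirs(os.path.join(root, entry))
        for attr, value in attrs.items():
            with open(os.path.join(root, entry, attr), "w") as f:
                f.write(value + "\n")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        decisions = authorize_interfaces(root)
        written = {n: read_attr(root, n, "authorized") for n in decisions}
    return decisions, written
```

On a real host the same function would be pointed at /sys/bus/usb/devices and run as root; after authorizing an interface, the kernel documentation has userspace write the interface name to /sys/bus/usb/drivers_probe so a driver binds.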