
USBGuard on Arch Linux continues to identify usb devices plugged into Thinkpad dock as blocked even when added in rules.conf #645

Open
rsramkis opened this issue Dec 13, 2024 · 5 comments

Comments

@rsramkis

Hi,

I've noticed recently that USB devices like my "Turtle Beach P11 Headset" or Logitech "USB Receiver" will get blocked on a cold boot or after a restart even though they are listed in the /etc/usbguard/rules.conf.

When I manually start the usbguard.service I will see the following item show as blocked:

❯ sudo usbguard list-devices | grep block
31: block id 10f5:0231 serial "0000000001" name "Turtle Beach P11 Headset" hash "LV6IMISEpfcN52MtFVJNcp+Dv88RpzAbHz0NOpQ52Hw=" parent-hash "zC/l1hLcFOg5CzEKcyZMP/h1xmdZLnH5ssvafoV6pj0=" via-port "1-4.4.2" with-interface { 01:01:00 01:02:00 01:02:00 01:02:00 01:02:00 03:00:00 } with-connect-type "unknown"

Troubleshoot:

  1. I can use the "sudo usbguard allow-device" command to manually add the devices and they are fully functional.

  2. The problem shows in both kernels Linux-LTS 6.6.65-1 and Linux ZEN 6.12.4.zen1-1.

  3. I did rename the rules.conf file. Then used the "usbguard generate-policy > /etc/usbguard/rules.conf" command as root to generate the file below. Still the "Turtle Beach P11 Headset" is blocked after I restart the T470.

  4. Original laptop displaying this issue was a Thinkpad T470s (only Turtle beach headphones blocked). On Thinkpad T450 the "USB Receiver" was blocked.

  5. This USBguard 1.1.3-8 Arch Linux native package has also displayed a symptom where the rules.conf file will all of a sudden lose all its contents. I have seen this twice so far, but it is not repeatable.

System information:

System:

Kernel: 6.12.4-zen1-1-zen arch: x86_64 bits: 64
Desktop: GNOME v: 47.2 Distro: EndeavourOS

Machine:
  Type: Laptop System: LENOVO ThinkPad T470s

USB Guard Version:

 usbguard --version
usbguard 1.1.3 compiled with:
  Linux audit support:    enabled
  Libcapng support:       enabled
  Seccomp support:        enabled
  Systemd support:        enabled
  Umockdev support:       disabled
  Crypto backend library: libsodium

USB Guard Directory:

 ls -al
total 36
drwxr-x---   4 root root  4096 Dec 13 00:26 .
drwxr-xr-x 106 root root 12288 Dec 13 00:33 ..
drwxr-xr-x   2 root root  4096 Jun 20  2021 IPCAccessControl.d
-rw-r--r--   1 root root  2500 Dec 13 00:26 rules.conf
drwx------   2 root root  4096 Jun 22 19:33 rules.d
-rw-------   1 root root  6648 Jun 22 19:35 usbguard-daemon.conf

Contents of rules.conf

allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
allow id 17ef:1010 serial "" name "Lenovo ThinkPad Dock   " hash "OkrTUwAUxn55t8+ezGtkhdgxjz9TIluGUS+bjFE+iC4=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-4" with-interface 09:00:00 with-connect-type "hotplug"
allow id 8087:0a2b serial "" name "" hash "TtRMrWxJil9GOY/JzidUEOz0yUiwwzbLm8D7DJvGxdg=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-7" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "not used"
allow id 5986:111c serial "200901010001" name "Integrated Camera" hash "eJOK0isU58kbzlKp7vkhqIX9jnniOygkoiGdZ9rqWZg=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type "not used"
allow id 0bda:0316 serial "20120501030900000" name "USB3.0-CRW" hash "WG1MSC3YZsmCslTNGpjTTjT2lUvhNfU4gEVvD3gIuV4=" parent-hash "3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=" with-interface 08:06:50 with-connect-type "not used"
allow id 17ef:1010 serial "" name "Lenovo ThinkPad Dock   " hash "KeGZSLglm8uUqZaWgqpMz4O4Eb8lWCd3vnRbRJIL5mM=" parent-hash "3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=" via-port "2-4" with-interface 09:00:00 with-connect-type "hotplug"
allow id 17ef:100f serial "Rev1.2" name "Lenovo ThinkPad Dock" hash "zC/l1hLcFOg5CzEKcyZMP/h1xmdZLnH5ssvafoV6pj0=" parent-hash "OkrTUwAUxn55t8+ezGtkhdgxjz9TIluGUS+bjFE+iC4=" with-interface { 09:00:01 09:00:02 } with-connect-type "unknown"
allow id 10f5:0231 serial "0000000001" name "Turtle Beach P11 Headset" hash "LV6IMISEpfcN52MtFVJNcp+Dv88RpzAbHz0NOpQ52Hw=" parent-hash "zC/l1hLcFOg5CzEKcyZMP/h1xmdZLnH5ssvafoV6pj0=" with-interface { 01:01:00 01:02:00 01:02:00 01:02:00 01:02:00 03:00:00 } with-connect-type "unknown"
allow id 046d:c505 serial "" name "USB Receiver" hash "DLUGx/Ox7PN6QQfwhi/tkVqPMsfUJa70/S1d30y/JFo=" parent-hash "zC/l1hLcFOg5CzEKcyZMP/h1xmdZLnH5ssvafoV6pj0=" via-port "1-4.4.3" with-interface { 03:01:01 03:01:02 } with-connect-type "unknown"

@rsramkis
Author

I did some more research today, and I get this feeling the usbguard-daemon.conf configuration is not being followed. I checked the file configuration and found:

# RuleFile=/path/to/rules.conf
#
RuleFile=/etc/usbguard/rules.d/rules.conf

# RuleFolder=/path/to/rulesfolder/
#
RuleFolder=/etc/usbguard/rules.d/

I put the rules.conf file into "/etc/usbguard/rules.d/rules.conf" and when I try to start the usbguard.service I get the following error:

❯ sudo systemctl start usbguard.service
[sudo] password for rsruser:
Job for usbguard.service failed because the control process exited with error code.
See "systemctl status usbguard.service" and "journalctl -xeu usbguard.service" for details.

~ took 4s
❯ sudo systemctl status usbguard.service
× usbguard.service - USBGuard daemon
     Loaded: loaded (/usr/lib/systemd/system/usbguard.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Fri 2024-12-13 20:25:04 EST; 34s ago
 Invocation: 46b32fa18d174d61a428d277847cdd7f
       Docs: man:usbguard-daemon(8)
    Process: 30611 ExecStart=/usr/bin/usbguard-daemon -f -s -c /etc/usbguard/usbguard-daemon.conf (>

Dec 13 20:25:04 mani systemd[1]: usbguard.service: Scheduled restart job, restart counter is at 5.
Dec 13 20:25:04 mani systemd[1]: usbguard.service: Start request repeated too quickly.
Dec 13 20:25:04 mani systemd[1]: usbguard.service: Failed with result 'exit-code'.
Dec 13 20:25:04 mani systemd[1]: Failed to start USBGuard daemon.

If I move the file to the directory "/etc/usbguard" the service will start. So maybe this is contributing to the several reported issues where people will not be able to authorize a device in the rules.conf file.

@rsramkis
Author

Looks like the documentation needs to be updated when generating the rules.conf file. Found this error:

❯ journalctl -xeu usbguard.service
░░ the configured Restart= setting for the unit.
Dec 13 20:47:34 mani systemd[1]: Starting USBGuard daemon...
░░ Subject: A start job for unit usbguard.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit usbguard.service has begun execution.
░░
░░ The job identifier is 5063.
Dec 13 20:47:34 mani usbguard-daemon[31625]: [1734140854.831] (E) Permissions for /etc/usbguard/rules.d/rules.conf should be 0600
Dec 13 20:47:34 mani usbguard-daemon[31625]: [1734140854.831] (E) Check permissions: /etc/usbguard/rules.d/rules.conf: Policy may be readable
Dec 13 20:47:34 mani usbguard-daemon[31625]: Permissions for /etc/usbguard/rules.d/rules.conf should be 0600
Dec 13 20:47:34 mani usbguard-daemon[31625]: Check permissions: /etc/usbguard/rules.d/rules.conf: Policy may be readable
Dec 13 20:47:34 mani systemd[1]: usbguard.service: Control process exited, code=exited, status=1/FAILUR

I ended up running 'chmod 600 /etc/usbguard/rules.d/rules.conf' and now the service starts.

I'm going to re-test on the T470s to see what its configuration files say. I know it will have the wrong permission, since I deleted the original file.

@rsramkis
Author

rsramkis commented Dec 14, 2024

Looks like I figured out the issue (think it is a documentation bug). Looking at the setup page at https://github.com/USBGuard/usbguard it mentions that to create the rules.conf file you should run "$ sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'".

This did work in the past when there was no rules.d directory and the start service was not looking for the permission of 600.

Suggest we change the instruction as follows:

  1. Create the usbguard rules.conf file in the default "/etc/usbguard/rules.d" directory:
     sudo usbguard generate-policy > /etc/usbguard/rules.d/rules.conf
  2. Set the rules.conf configuration file permissions:
     sudo chmod 600 /etc/usbguard/rules.d/rules.conf

I will leave the bug open for the USBGuard team to review. Thank you.

@rsramkis
Author

Looks like the issue is not fixed. I cold booted my laptop and all of a sudden all these devices are blocked (which are in the rules.conf):

❯ sudo usbguard list-devices | grep block

26: block id 8087:8001 serial "" name "" hash "2LhKvCIy98dsYS9WHwmshbf4OsPav1TYjV3uYAqS71M=" parent-hash "WHBTxNaEoMGNSNc31KpFNSAeFF4HbLMQgSBqORlC6S8=" via-port "1-1" with-interface 09:00:00 with-connect-type "not used"
27: block id 17ef:1010 serial "" name "Lenovo ThinkPad Dock   " hash "OkrTUwAUxn55t8+ezGtkhdgxjz9TIluGUS+bjFE+iC4=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "2-3" with-interface 09:00:00 with-connect-type "hotplug"
28: block id 8087:0a2a serial "" name "" hash "7jCRH2DCYUfdP9zZCYIQH6Z5QWx8Nzt8sX21UHwxIqA=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "2-7" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "not used"
32: block id 046d:c505 serial "" name "USB Receiver" hash "DLUGx/Ox7PN6QQfwhi/tkVqPMsfUJa70/S1d30y/JFo=" parent-hash "zC/l1hLcFOg5CzEKcyZMP/h1xmdZLnH5ssvafoV6pj0=" via-port "2-3.4.3" with-interface { 03:01:01 03:01:02 } with-connect-type "unknown"

I did get this output from the usbguard.service after I manually enabled the devices from the built-in laptop keyboard:

❯ sudo systemctl status usbguard.service
● usbguard.service - USBGuard daemon
     Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; preset: disabled)
     Active: active (running) since Sat 2024-12-14 23:31:28 EST; 11min ago
 Invocation: 14e48f65caa14b1b94bae7d9faaa585f
       Docs: man:usbguard-daemon(8)
    Process: 763 ExecStart=/usr/bin/usbguard-daemon -f -s -c /etc/usbguard/usbguard-daemon.conf (code=exited, status=0/SUCCESS)
   Main PID: 809 (usbguard-daemon)
      Tasks: 3 (limit: 18868)
     Memory: 10.2M (peak: 13.5M)
        CPU: 170ms
     CGroup: /system.slice/usbguard.service
             └─809 /usr/bin/usbguard-daemon -f -s -c /etc/usbguard/usbguard-daemon.conf

Dec 14 23:37:16 mani usbguard-daemon[809]: uid=0 pid=763 result='SUCCESS' device.system_name='/devices/pci0000:00/0000:00:14.0/usb2/2-3/2-3.4' target.new='allow' device.rule='block id 17ef:100f serial "Rev1.2" na>
Dec 14 23:37:16 mani usbguard-daemon[809]: Ignoring unknown UEvent action: sysfs_devpath=/devices/pci0000:00/0000:00:14.0/usb2/2-3/2-3.4 action=change
Dec 14 23:37:16 mani usbguard-daemon[809]: uid=0 pid=763 result='SUCCESS' device.rule='block id 046d:c505 serial "" name "USB Receiver" hash "DLUGx/Ox7PN6QQfwhi/tkVqPMsfUJa70/S1d30y/JFo=" parent-hash "zC/l1hLcFOg>
Dec 14 23:37:16 mani usbguard-daemon[809]: uid=0 pid=763 result='SUCCESS' device.system_name='/devices/pci0000:00/0000:00:14.0/usb2/2-3/2-3.4/2-3.4.3' target.new='block' device.rule='block id 046d:c505 serial "" >
Dec 14 23:37:16 mani usbguard-daemon[809]: uid=0 pid=763 result='SUCCESS' device.rule='block id 10f5:0231 serial "0000000001" name "Turtle Beach P11 Headset" hash "LV6IMISEpfcN52MtFVJNcp+Dv88RpzAbHz0NOpQ52Hw=" pa>
Dec 14 23:37:16 mani usbguard-daemon[809]: uid=0 pid=763 result='SUCCESS' device.system_name='/devices/pci0000:00/0000:00:14.0/usb2/2-3/2-3.4/2-3.4.2' target.new='allow' device.rule='block id 10f5:0231 serial "00>
Dec 14 23:37:28 mani usbguard-daemon[809]: Ignoring unknown UEvent action: sysfs_devpath=/devices/pci0000:00/0000:00:14.0/usb2/2-7 action=change
Dec 14 23:37:28 mani usbguard-daemon[809]: uid=0 pid=763 result='SUCCESS' device.system_name='/devices/pci0000:00/0000:00:14.0/usb2/2-7' target.new='allow' device.rule='block id 8087:0a2a serial "" name "" hash ">
Dec 14 23:37:56 mani usbguard-daemon[809]: Ignoring unknown UEvent action: sysfs_devpath=/devices/pci0000:00/0000:00:14.0/usb2/2-3/2-3.4/2-3.4.3 action=change
Dec 14 23:37:56 mani usbguard-daemon[809]: uid=0 pid=763 result='SUCCESS' device.system_name='/devices/pci0000:00/0000:00:14.0/usb2/2-3/2-3.4/2-3.4.3' target.new='allow' device.rule='block id 046d:c505 serial "" >

If I downgrade my kernel from 6.12 to 6.11.9 then I will not have issues with USBguard blocking devices already in the rule file. So I will wait for a response from our team.
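As an added check (example code, not part of this issue or of the USBGuard project): the script below parses the allow rules from rules.conf and the blocked entries from `usbguard list-devices`, pairs them by device hash, and reports whether the rule's via-port clause still matches the port the device enumerated on after the cold boot. It relies on USBGuard's via-port semantics (a rule carrying via-port applies only to a device on exactly that port); the sample lines are copied from the rules and block list posted above.

```python
import re

# Sample input copied from this issue: two allow rules from rules.conf and two
# entries that `usbguard list-devices` reported as blocked after the cold boot.
RULES_CONF = """\
allow id 046d:c505 serial "" name "USB Receiver" hash "DLUGx/Ox7PN6QQfwhi/tkVqPMsfUJa70/S1d30y/JFo=" parent-hash "zC/l1hLcFOg5CzEKcyZMP/h1xmdZLnH5ssvafoV6pj0=" via-port "1-4.4.3" with-interface { 03:01:01 03:01:02 } with-connect-type "unknown"
allow id 10f5:0231 serial "0000000001" name "Turtle Beach P11 Headset" hash "LV6IMISEpfcN52MtFVJNcp+Dv88RpzAbHz0NOpQ52Hw=" parent-hash "zC/l1hLcFOg5CzEKcyZMP/h1xmdZLnH5ssvafoV6pj0=" with-interface { 01:01:00 01:02:00 01:02:00 01:02:00 01:02:00 03:00:00 } with-connect-type "unknown"
"""
LIST_DEVICES = """\
26: block id 8087:8001 serial "" name "" hash "2LhKvCIy98dsYS9WHwmshbf4OsPav1TYjV3uYAqS71M=" parent-hash "WHBTxNaEoMGNSNc31KpFNSAeFF4HbLMQgSBqORlC6S8=" via-port "1-1" with-interface 09:00:00 with-connect-type "not used"
32: block id 046d:c505 serial "" name "USB Receiver" hash "DLUGx/Ox7PN6QQfwhi/tkVqPMsfUJa70/S1d30y/JFo=" parent-hash "zC/l1hLcFOg5CzEKcyZMP/h1xmdZLnH5ssvafoV6pj0=" via-port "2-3.4.3" with-interface { 03:01:01 03:01:02 } with-connect-type "unknown"
"""

# Quoted attributes of interest; the lookbehind stops "parent-hash" matching as "hash".
QUOTED = re.compile(r'(?<![\w-])(name|hash|via-port) "([^"]*)"')
DEVID = re.compile(r"\bid ([0-9a-f]{4}:[0-9a-f]{4})")

def parse_line(line):
    """Return the id, name, hash and via-port (if present) of one rule or device line."""
    fields = dict(QUOTED.findall(line))
    m = DEVID.search(line)
    if m:
        fields["id"] = m.group(1)
    return fields

def explain_blocked(rules_text, devices_text):
    """For each blocked device, look up the allow rule with the same device
    hash and return (id, verdict, rule via-port, device via-port) tuples."""
    allow_by_hash = {}
    for line in rules_text.splitlines():
        if line.startswith("allow "):
            rule = parse_line(line)
            allow_by_hash[rule["hash"]] = rule
    findings = []
    for line in devices_text.splitlines():
        if not re.match(r"\d+: block ", line):
            continue  # only blocked devices need explaining
        dev = parse_line(line)
        rule = allow_by_hash.get(dev["hash"])
        if rule is None:
            findings.append((dev["id"], "no allow rule", None, dev.get("via-port")))
        elif "via-port" in rule and rule["via-port"] != dev.get("via-port"):
            # generate-policy gave the rules for devices with an empty serial a
            # via-port clause, which only matches that exact port; a dock that
            # enumerates on a different bus/port leaves such rules unmatched.
            findings.append((dev["id"], "via-port changed", rule["via-port"], dev.get("via-port")))
        else:
            findings.append((dev["id"], "rule matches; check RuleFile path/0600", rule.get("via-port"), dev.get("via-port")))
    return findings
```

Run it against the real files with `explain_blocked(open("/etc/usbguard/rules.d/rules.conf").read(), subprocess.check_output(["usbguard", "list-devices"], text=True))`; a "via-port changed" verdict points at regenerating the policy (or dropping the via-port clause) rather than at the daemon's file handling.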

@rsramkis
Author

@radosroka @muelli Good Morning. I was reviewing a number of open issues for the USBGuard project and noticed quite a few where there is minimal information (possibly no triage done).

Is this project still active (or in maintenance mode)? Thanks.
