1
0

Accepting request 1181712 from GNOME:Factory

- Add 0001-usb-protection-Treat-hubs-and-HID-devices-like-any-o.patch:
  usb-protection: Treat hubs and HID devices like any other USB
  gadget(glgo#GNOME/gnome-settings-daemon#780, bsc#1226423). (forwarded request 1181634 from JonathanKang)

OBS-URL: https://build.opensuse.org/request/show/1181712
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnome-settings-daemon?expand=0&rev=194
This commit is contained in:
Ana Guerrero 2024-06-20 14:46:38 +00:00 committed by Git OBS Bridge
commit 4617b3cf01
3 changed files with 111 additions and 0 deletions

View File

@ -0,0 +1,101 @@
From a3c62f442981e39186ce78c140921c4bedfd7b16 Mon Sep 17 00:00:00 2001
From: Carlos Garnacho <carlosg@gnome.org>
Date: Fri, 17 May 2024 11:35:41 +0200
Subject: [PATCH] usb-protection: Treat hubs and HID devices like any other USB
gadget
The checks on the classes offered by a USB device are pretty lax and
uninformative from the kernel and UsbGuard levels, so our attempt at
user friendliness with USB hubs and HID devices may result in everyone
(lastly us) allowing maliciously crafted devices that present themselves
as one of these devices, but implement other classes (e.g. mass storage).
We believe this is ultimately an issue in the lower layers if this
may go through as good up to us and we cannot truly believe UsbGuard
information, but it is definitely us being the front face of this issue.
Avoid treating USB hubs and HID devices different to any other USB
gadget, this will require users to "enroll" them the same ways.
---
.../gsd-usb-protection-manager.c | 58 +++++--------------
1 file changed, 15 insertions(+), 43 deletions(-)
diff --git a/plugins/usb-protection/gsd-usb-protection-manager.c b/plugins/usb-protection/gsd-usb-protection-manager.c
index 43644408..538b6b1f 100644
--- a/plugins/usb-protection/gsd-usb-protection-manager.c
+++ b/plugins/usb-protection/gsd-usb-protection-manager.c
@@ -678,56 +678,28 @@ on_usbguard_signal (GDBusProxy *proxy,
* If this device advertises also interfaces outside the HID class, or the
* HUB class, it is suspect. It could be a false positive because this could
* be a "smart" keyboard for example, but at this stage is better be safe. */
- if (hid_or_hub && !has_other_classes) {
- guint device_id;
+ if (protection_level == G_DESKTOP_USB_PROTECTION_LOCKSCREEN) {
show_notification (manager,
- _("New device detected"),
- _("Either one of your existing devices has been reconnected or a new one has been plugged in. "
- "If you did not do it, check your system for any suspicious device."));
- g_variant_get_child (parameters, POLICY_APPLIED_DEVICE_ID, "u", &device_id);
- authorize_device (manager, device_id);
+ _("Reconnect USB device"),
+ _("New device has been detected while you were away. "
+ "Please disconnect and reconnect the device to start using it."));
} else {
- if (protection_level == G_DESKTOP_USB_PROTECTION_LOCKSCREEN) {
- show_notification (manager,
- _("Reconnect USB device"),
- _("New device has been detected while you were away. "
- "Please disconnect and reconnect the device to start using it."));
- } else {
- const char* name_for_notification = device_name ? device_name : "unknown name";
- g_debug ("Showing notification for %s", name_for_notification);
- show_notification (manager,
- _("USB device blocked"),
- _("New device has been detected while you were away. "
- "It has been blocked because the USB protection is active."));
- }
+ const char* name_for_notification = device_name ? device_name : "unknown name";
+ g_debug ("Showing notification for %s", name_for_notification);
+ show_notification (manager,
+ _("USB device blocked"),
+ _("New device has been detected while you were away. "
+ "It has been blocked because the USB protection is active."));
}
} else {
/* If the protection level is "lockscreen" the device will be automatically
* authorized by usbguard. */
if (protection_level == G_DESKTOP_USB_PROTECTION_ALWAYS) {
- /* We authorize the device if this is a HID,
- * e.g. a keyboard or a mouse, or an HUB.
- * We also lock the screen to prevent an attacker to plug malicious
- * devices if the legitimate user forgot to lock his session.
- *
- * If this device advertises also interfaces outside the HID class, or the
- * HUB class, it is suspect. It could be a false positive because this could
- * be a "smart" keyboard for example, but at this stage is better be safe. */
- if (hid_or_hub && !has_other_classes) {
- ManagerDeviceId* manager_devid = g_malloc ( sizeof (ManagerDeviceId) );
- manager_devid->manager = manager;
- g_variant_get_child (parameters, POLICY_APPLIED_DEVICE_ID, "u", &(manager_devid->device_id));
- gsd_screen_saver_call_lock (manager->screensaver_proxy,
- manager->cancellable,
- (GAsyncReadyCallback) on_screen_locked,
- manager_devid);
- } else {
- show_notification (manager,
- _("USB device blocked"),
- _("The new inserted device has been blocked because the USB protection is active. "
- "If you want to activate the device, disable the USB protection and re-plug "
- "the device."));
- }
+ show_notification (manager,
+ _("USB device blocked"),
+ _("The new inserted device has been blocked because the USB protection is active. "
+ "If you want to activate the device, disable the USB protection and re-plug "
+ "the device."));
} else {
/* This is protection level == Lockscreen, so we allow everything when the session is unlocked.
There should be a USBGuard rule that automatically allows all devices,
--
2.44.0

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Jun 19 02:38:55 UTC 2024 - Jonathan Kang <songchuan.kang@suse.com>
- Add 0001-usb-protection-Treat-hubs-and-HID-devices-like-any-o.patch:
usb-protection: Treat hubs and HID devices like any other USB
gadget(glgo#GNOME/gnome-settings-daemon#780, bsc#1226423).
-------------------------------------------------------------------
Fri Apr 19 21:19:11 UTC 2024 - Michael Gorse <mgorse@suse.com>

View File

@ -46,6 +46,8 @@ Patch1: gnome-settings-daemon-switch-Japanese-default-input-to-mozc.patc
Patch2: gnome-settings-daemon-bgo793253.patch
# PATCH-FIX-UPSTREAM gnome-settings-daemon-stop-service-when-no-network.patch [merged] joan.torres@suse.com -- Stop assigned services only when no network connection
Patch3: gnome-settings-daemon-stop-service-when-no-network.patch
# PATCH-FIX-UPSTREAM 0001-usb-protection-Treat-hubs-and-HID-devices-like-any-o.patch glgo#GNOME/gnome-settings-daemon#780, bsc#1226423 sckang@suse.com -- usb-protection: Treat hubs and HID devices like any other USB gadget
Patch4: 0001-usb-protection-Treat-hubs-and-HID-devices-like-any-o.patch
## SLE/LEAP-only patches start at 1000
# PATCH-FEATURE-OPENSUSE gnome-settings-daemon-notify-idle-resumed.patch bnc#439018 bnc#708182 bgo#575467 hpj@suse.com -- notify user about auto suspend when returning from sleep
@ -151,6 +153,7 @@ contact the settings daemon via its DBus interface.
%patch -P 0 -p1
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 4 -p1
%endif
# Enable the patches for both Leap 15 and SLE 15, please find the clarification at bsc#1158476.