9 changes: 6 additions & 3 deletions documentation/configuration.md
Expand Up @@ -92,11 +92,11 @@ Access to the USBGuard IPC interface can be limited per user or group. Furthermo

### Recommended: _IPCAccessControlFiles_

When you set _IPCAccessControlFiles_ option, the daemon will look for IPC access control files in the directory specified by the setting value. Each file in the directory is processed as follows:
When you set the _IPCAccessControlFiles_ option, the directory specified by the setting value must be existent to start the daemon and it will look for IPC access control files in it. Each file in the directory is processed as follows:

1. The basename of the file is interpreted as an username, UID, groupname or GID. If the names starts with `:` (colon), it is assumed that the rest of the name represents a group identifier (groupname or GID in case of a numeric-only string). Otherwise, it is interpreted as an user identifier (username or UID in case of numeric-only string).

2. The contents of the file are parsed as `Section=privilege [privilege ...]` formatted lines which specify the section privileges. If a section is omitted, it is assumed that no privileges are given for that section.
2. The contents of the file are parsed as `Section=privilege[,privilege,...]` formatted lines which specify the section privileges. If a section is omitted, it is assumed that no privileges are given for that section.

Available sections and privileges:
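
Review bot: The documented privilege separator changes from a space to a comma (`Section=privilege[,privilege,...]`) in step 2, but nothing here says whether the space-separated form is still accepted. An access control file that parses differently than its author expects changes who may do what over IPC, so please state explicitly which separator the daemon accepts and what happens to a line written in the old form. In the first changed sentence, "must be existent to start the daemon and it will look for" leaves "it" ambiguous; consider two sentences: "The directory specified by the setting value must exist, otherwise the daemon will not start. The daemon looks for IPC access control files in that directory."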

Expand All @@ -115,10 +115,11 @@ Available sections and privileges:
* `Parameters`
* modify: Set values of run-time parameters.
* list: Get values of run-time parameters.
* listen:
Author

I saw that listen is missing as I used the --parameters=ALL, but I have no idea what it does... Can somebody help me out so that this can be finished?


The following is a generally usable and reasonably safe example of an access control file. It allows to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`):

Devices=modify list listen
Devices=modify,list,listen
Policy=list
Exceptions=listen
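
Review bot: The new `* listen:` entry under `Parameters` has an empty description, and the inline comment confirms its meaning is not yet known. Documentation for an access control privilege should not ship with a blank description, because administrators will grant it without knowing what it exposes. Either fill it in from the IPC code that checks this privilege, in the same style as the `modify` and `list` entries above it, or leave the entry out of this change. The example change to `Devices=modify,list,listen` is consistent with the comma syntax documented in step 2.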

Expand All @@ -130,3 +131,5 @@ Example configuration allowing full IPC access to users _root_, _joe_ and member

IPCAllowedUsers=root joe
IPCAllowedGroups=wheel

Note: Even if this legacy system is setup properly, by default the `IPCAccessControlFiles=` option is set to `%sysconfdir%/IPCAccessControl.d/` which must be existent (even if empty) to start the deamon.
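
Review bot: The added note has wording problems that should be fixed before merge: "deamon" should be "daemon", "setup" should be "set up", and "must be existent" reads better as "must exist". "This legacy system" is also vague; name the options it refers to (`IPCAllowedUsers` and `IPCAllowedGroups`). The note repeats the directory requirement already added to the _IPCAccessControlFiles_ section, so consider keeping the full statement there and pointing to it from here, so the two cannot drift apart.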