diff --git a/lib/maintainers.nix b/lib/maintainers.nix index 7728749f0546..707770cdc820 100644 --- a/lib/maintainers.nix +++ b/lib/maintainers.nix @@ -578,6 +578,7 @@ thoughtpolice = "Austin Seipp "; timbertson = "Tim Cuthbertson "; titanous = "Jonathan Rudenberg "; + tnias = "Philipp Bartsch "; tohl = "Tomas Hlavaty "; tokudan = "Daniel Frank "; tomberek = "Thomas Bereknyei "; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 625b1d3a852c..285c59572d55 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -563,6 +563,7 @@ ./services/security/tor.nix ./services/security/torify.nix ./services/security/torsocks.nix + ./services/security/usbguard.nix ./services/security/vault.nix ./services/system/cgmanager.nix ./services/system/cloud-init.nix diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix new file mode 100644 index 000000000000..1f2c56a9efa1 --- /dev/null +++ b/nixos/modules/services/security/usbguard.nix @@ -0,0 +1,200 @@ +{config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.usbguard; + + # valid policy options + policy = (types.enum [ "allow" "block" "reject" "keep" "apply-policy" ]); + + # decide what file to use for rules + ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else cfg.ruleFile; + + daemonConf = '' + # generated by nixos/modules/services/security/usbguard.nix + RuleFile=${ruleFile} + ImplicitPolicyTarget=${cfg.implictPolicyTarget} + PresentDevicePolicy=${cfg.presentDevicePolicy} + PresentControllerPolicy=${cfg.presentControllerPolicy} + InsertedDevicePolicy=${cfg.insertedDevicePolicy} + RestoreControllerDeviceState=${if cfg.restoreControllerDeviceState then "true" else "false"} + # this does not seem useful for endusers to change + DeviceManagerBackend=uevent + IPCAllowedUsers=${concatStringsSep " " cfg.IPCAllowedUsers} + IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups} + IPCAccessControlFiles=${cfg.IPCAccessControlFiles} + DeviceRulesWithPort=${if cfg.deviceRulesWithPort then "true" else "false"} + AuditFilePath=${cfg.auditFilePath} + ''; + + daemonConfFile = pkgs.writeText "usbguard-daemon-conf" daemonConf; + +in { + + ###### interface + + options = { + services.usbguard = { + enable = mkEnableOption "USBGuard daemon"; + + ruleFile = mkOption { + type = types.path; + default = "/var/lib/usbguard/rules.conf"; + description = '' + The USBGuard daemon will use this file to load the policy rule set + from it and to write new rules received via the IPC interface. + + Running the command usbguard generate-policy as + root will generate a config for your currently plugged in devices. + For a in depth guide consult the official documentation. + + Setting the rules option will ignore the + ruleFile option. + ''; + }; + + rules = mkOption { + type = types.nullOr types.str; + default = null; + example = '' + allow with-interface equals { 08:*:* } + ''; + description = '' + The USBGuard daemon will load this policy rule set. Modifying it via + the IPC interface won't work if you use this option, since the + contents of this option will be written into the nix-store it will be + read-only. + + You can still use usbguard generate-policy to + generate rules, but you would have to insert them here. + + Setting the rules option will ignore the + ruleFile option. + ''; + }; + + implictPolicyTarget = mkOption { + type = policy; + default = "block"; + description = '' + How to treat USB devices that don't match any rule in the policy. + Target should be one of allow, block or reject (logically remove the + device node from the system). + ''; + }; + + presentDevicePolicy = mkOption { + type = policy; + default = "apply-policy"; + description = '' + How to treat USB devices that are already connected when the daemon + starts. Policy should be one of allow, block, reject, keep (keep + whatever state the device is currently in) or apply-policy (evaluate + the rule set for every present device). + ''; + }; + + presentControllerPolicy = mkOption { + type = policy; + default = "keep"; + description = '' + How to treat USB controller devices that are already connected when + the daemon starts. One of allow, block, reject, keep or apply-policy. + ''; + }; + + insertedDevicePolicy = mkOption { + type = policy; + default = "apply-policy"; + description = '' + How to treat USB devices that are already connected after the daemon + starts. One of block, reject, apply-policy. + ''; + }; + + restoreControllerDeviceState = mkOption { + type = types.bool; + default = false; + description = '' + The USBGuard daemon modifies some attributes of controller + devices like the default authorization state of new child device + instances. Using this setting, you can controll whether the daemon + will try to restore the attribute values to the state before + modificaton on shutdown. + ''; + }; + + IPCAllowedUsers = mkOption { + type = types.listOf types.str; + default = [ "root" ]; + example = [ "root" "yourusername" ]; + description = '' + A list of usernames that the daemon will accept IPC connections from. + ''; + }; + + IPCAllowedGroups = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "wheel" ]; + description = '' + A list of groupnames that the daemon will accept IPC connections + from. + ''; + }; + + IPCAccessControlFiles = mkOption { + type = types.path; + default = "/var/lib/usbguard/IPCAccessControl.d/"; + description = '' + The files at this location will be interpreted by the daemon as IPC + access control definition files. See the IPC ACCESS CONTROL section + in usbguard-daemon.conf + 5 for more details. + ''; + }; + + deviceRulesWithPort = mkOption { + type = types.bool; + default = false; + description = '' + Generate device specific rules including the "via-port" attribute. + ''; + }; + + auditFilePath = mkOption { + type = types.path; + default = "/var/log/usbguard/usbguard-audit.log"; + description = '' + USBGuard audit events log file path. + ''; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.usbguard ]; + + systemd.services.usbguard = { + description = "USBGuard daemon"; + + wantedBy = [ "basic.target" ]; + wants = [ "systemd-udevd.service" "local-fs.target" ]; + + # make sure an empty rule file and required directories exist + preStart = ''mkdir -p $(dirname "${cfg.ruleFile}") "${cfg.IPCAccessControlFiles}" && ([ -f "${cfg.ruleFile}" ] || touch ${cfg.ruleFile})''; + + serviceConfig = { + Type = "simple"; + ExecStart = ''${pkgs.usbguard}/bin/usbguard-daemon -d -k -c ${daemonConfFile}''; + Restart = "on-failure"; + }; + }; + }; +} diff --git a/pkgs/os-specific/linux/usbguard/daemon_read_only_config.patch b/pkgs/os-specific/linux/usbguard/daemon_read_only_config.patch new file mode 100644 index 000000000000..eb4d5df698ac --- /dev/null +++ b/pkgs/os-specific/linux/usbguard/daemon_read_only_config.patch @@ -0,0 +1,13 @@ +diff --git a/src/Library/ConfigFilePrivate.cpp b/src/Library/ConfigFilePrivate.cpp +index 8aefa65..40914f7 100644 +--- a/src/Library/ConfigFilePrivate.cpp ++++ b/src/Library/ConfigFilePrivate.cpp +@@ -51,7 +51,7 @@ namespace usbguard + + void ConfigFilePrivate::open(const std::string& path) + { +- _stream.open(path, std::ios::in|std::ios::out); ++ _stream.open(path, std::ios::in); + if (!_stream.is_open()) { + throw std::runtime_error("Can't open " + path); + } diff --git a/pkgs/os-specific/linux/usbguard/default.nix b/pkgs/os-specific/linux/usbguard/default.nix new file mode 100644 index 000000000000..b88d96e02a44 --- /dev/null +++ b/pkgs/os-specific/linux/usbguard/default.nix @@ -0,0 +1,68 @@ +{ + stdenv, fetchurl, lib, + libxslt, pandoc, pkgconfig, + dbus_glib, libcap_ng, libqb, libseccomp, polkit, protobuf, qtbase, qttools, qtsvg, + libgcrypt ? null, + libsodium ? null +}: + +with stdenv.lib; + +assert libgcrypt != null -> libsodium == null; + +stdenv.mkDerivation rec { + version = "0.7.0"; + name = "usbguard-${version}"; + + repo = "https://github.com/dkopecek/usbguard"; + + src = fetchurl { + url = "${repo}/releases/download/${name}/${name}.tar.gz"; + sha256 = "1e1485a2b47ba3bde9de2851b371d2552a807047a21e0b81553cf80d7f722709"; + }; + + patches = [ + ./daemon_read_only_config.patch + ./documentation.patch + ]; + + nativeBuildInputs = [ + libxslt + pandoc # for rendering documentation + pkgconfig + ]; + + buildInputs = [ + dbus_glib + libcap_ng + libqb + libseccomp + polkit + protobuf + + qtbase + qtsvg + qttools + ] + ++ (lib.optional (libgcrypt != null) libgcrypt) + ++ (lib.optional (libsodium != null) libsodium); + + configureFlags = [ + "--with-bundled-catch" + "--with-bundled-pegtl" + "--with-dbus" + "--with-gui-qt=qt5" + "--with-polkit" + ] + ++ (lib.optional (libgcrypt != null) "--with-crypto-library=gcrypt") + ++ (lib.optional (libsodium != null) "--with-crypto-library=sodium"); + + enableParallelBuilding = true; + + meta = { + description = "The USBGuard software framework helps to protect your computer against BadUSB."; + homepage = "https://dkopecek.github.io/usbguard/"; + license = licenses.gpl2; + maintainers = [ maintainers.tnias ]; + }; +} diff --git a/pkgs/os-specific/linux/usbguard/documentation.patch b/pkgs/os-specific/linux/usbguard/documentation.patch new file mode 100644 index 000000000000..89de627131f5 --- /dev/null +++ b/pkgs/os-specific/linux/usbguard/documentation.patch @@ -0,0 +1,32 @@ +diff --git a/doc/usbguard-daemon.conf.5.md b/doc/usbguard-daemon.conf.5.md +index ea86ad1..63aec70 100644 +--- a/doc/usbguard-daemon.conf.5.md ++++ b/doc/usbguard-daemon.conf.5.md +@@ -30,21 +30,21 @@ The **usbguard-daemon.conf** file is loaded by the USBGuard daemon after it pars + **RestoreControllerDeviceState**=<*boolean*> + : The USBGuard daemon modifies some attributes of controller devices like the default authorization state of new child device instances. Using this setting, you can control whether the daemon will try to restore the attribute values to the state before modification on shutdown. + ++**DeviceManagerBackend**=<*backend*> ++: Which device manager backend implementation to use. Backend should be one of `uevent` (default) or `dummy`. ++ + **IPCAllowedUsers**=<*username*> [<*username*> ...] + : A space delimited list of usernames that the daemon will accept IPC connections from. + + **IPCAllowedGroups**=<*groupname*> [<*groupname*> ...] + : A space delimited list of groupnames that the daemon will accept IPC connections from. + +-**IPCAccessControlFiles**=<*path*> +-: Path to a directory holding the IPC access control files. +- +-**DeviceManagerBackend**=<*backend*> +-: Which device manager backend implementation to use. Backend should be one of `uevent` (default) or `dummy`. +- + **IPCAccessControlFiles**=<*path*> + : The files at this location will be interpreted by the daemon as IPC access control definition files. See the **IPC ACCESS CONTROL** section for more details. + ++**DeviceRulesWithPort**=<*boolean*> ++: Generate device specific rules including the "via-port" attribute. ++ + **AuditFilePath**=<*filepath*> + : USBGuard audit events log file path. + diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index f8f8477569e1..2a8db9e450f3 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -12726,6 +12726,10 @@ with pkgs; upstart-check-config = callPackage ../os-specific/linux/upstart/check-config.nix {}; + usbguard = libsForQt5.callPackage ../os-specific/linux/usbguard { + libgcrypt = null; + }; + usbutils = callPackage ../os-specific/linux/usbutils { }; usermount = callPackage ../os-specific/linux/usermount { };