Whitelist USB devices, or render a specific USB device inoperative, to protect your computer.
Disable a particular USB device
I will disable the cheap Samsung tablet, so it won’t mount when connected.
Display USB devices before the mentioned device is connected.
$ lsusb
Bus 001 Device 002: ID 8087:8001 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp.
Bus 002 Device 003: ID 8087:0a2a Intel Corp.
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Display USB devices after the device is connected.
$ lsusb
Bus 001 Device 002: ID 8087:8001 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp.
Bus 002 Device 003: ID 8087:0a2a Intel Corp.
Bus 002 Device 029: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy (MTP)
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
The mentioned device can be identified by vendor id 0x04e8 (Samsung Electronics Co., Ltd) and product id 0x6860 (Galaxy (MTP)).
Identify the device path to display more useful udev information.
$ idVendor="04e8"; idProduct="6860"; \
  find -L /sys/bus/usb/devices/ -maxdepth 2 -name idVendor -exec grep -l "$idVendor" {} \; | \
  while read line; do \
    location=$(dirname "$line"); \
    if grep -q "$idProduct" "$location/idProduct"; then \
      echo "$location"; \
    fi
  done
/sys/bus/usb/devices/2-2
Use the device path to display udev information.
$ udevadm info -a -p /sys/bus/usb/devices/2-2
Udevadm info starts with the device specified by the devpath and then
walks up the chain of parent devices. It prints for every device
found, all possible attributes in the udev rules key format.
A rule to match, can be composed by the attributes of the device
and the attributes from one single parent device.

  looking at device '/devices/pci0000:00/0000:00:14.0/usb2/2-2':
    KERNEL=="2-2"
    SUBSYSTEM=="usb"
    DRIVER=="usb"
    ATTR{authorized}=="0"
    ATTR{avoid_reset_quirk}=="0"
    ATTR{bConfigurationValue}==""
    ATTR{bDeviceClass}=="00"
    ATTR{bDeviceProtocol}=="01"
    ATTR{bDeviceSubClass}=="00"
    ATTR{bMaxPacketSize0}=="64"
    ATTR{bMaxPower}==""
    ATTR{bNumConfigurations}=="1"
    ATTR{bNumInterfaces}==""
    ATTR{bcdDevice}=="0400"
    ATTR{bmAttributes}==""
    ATTR{busnum}=="2"
    ATTR{configuration}==""
    ATTR{devnum}=="29"
    ATTR{devpath}=="2"
    ATTR{idProduct}=="6860"
    ATTR{idVendor}=="04e8"
    ATTR{ltm_capable}=="no"
    ATTR{manufacturer}=="SAMSUNG"
    ATTR{maxchild}=="0"
    ATTR{product}=="SAMSUNG_Android"
    ATTR{quirks}=="0x0"
    ATTR{removable}=="removable"
    ATTR{serial}=="3801a4eaab8a3400"
    ATTR{speed}=="480"
    ATTR{urbnum}=="32"
    ATTR{version}==" 2.00"

  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb2':
    KERNELS=="usb2"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb"
    ATTRS{authorized}=="1"
    ATTRS{authorized_default}=="1"
    ATTRS{avoid_reset_quirk}=="0"
    ATTRS{bConfigurationValue}=="1"
    ATTRS{bDeviceClass}=="09"
    ATTRS{bDeviceProtocol}=="01"
    ATTRS{bDeviceSubClass}=="00"
    ATTRS{bMaxPacketSize0}=="64"
    ATTRS{bMaxPower}=="0mA"
    ATTRS{bNumConfigurations}=="1"
    ATTRS{bNumInterfaces}==" 1"
    ATTRS{bcdDevice}=="0411"
    ATTRS{bmAttributes}=="e0"
    ATTRS{busnum}=="2"
    ATTRS{configuration}==""
    ATTRS{devnum}=="1"
    ATTRS{devpath}=="0"
    ATTRS{idProduct}=="0002"
    ATTRS{idVendor}=="1d6b"
    ATTRS{interface_authorized_default}=="1"
    ATTRS{ltm_capable}=="no"
    ATTRS{manufacturer}=="Linux 4.11.0-13-generic xhci-hcd"
    ATTRS{maxchild}=="11"
    ATTRS{product}=="xHCI Host Controller"
    ATTRS{quirks}=="0x0"
    ATTRS{removable}=="unknown"
    ATTRS{serial}=="0000:00:14.0"
    ATTRS{speed}=="480"
    ATTRS{urbnum}=="8014"
    ATTRS{version}==" 2.00"

  looking at parent device '/devices/pci0000:00/0000:00:14.0':
    KERNELS=="0000:00:14.0"
    SUBSYSTEMS=="pci"
    DRIVERS=="xhci_hcd"
    ATTRS{broken_parity_status}=="0"
    ATTRS{class}=="0x0c0330"
    ATTRS{consistent_dma_mask_bits}=="64"
    ATTRS{d3cold_allowed}=="1"
    ATTRS{device}=="0x9cb1"
    ATTRS{dma_mask_bits}=="64"
    ATTRS{driver_override}=="(null)"
    ATTRS{enable}=="1"
    ATTRS{irq}=="44"
    ATTRS{local_cpulist}=="0-3"
    ATTRS{local_cpus}=="f"
    ATTRS{msi_bus}=="1"
    ATTRS{numa_node}=="-1"
    ATTRS{revision}=="0x03"
    ATTRS{subsystem_device}=="0x0665"
    ATTRS{subsystem_vendor}=="0x1028"
    ATTRS{vendor}=="0x8086"

  looking at parent device '/devices/pci0000:00':
    KERNELS=="pci0000:00"
    SUBSYSTEMS==""
    DRIVERS==""
Create a udev rule that matches exactly this device and de-authorizes it as soon as it is added.
$ cat << EOF | sudo tee /etc/udev/rules.d/01-disable-samsung.rules
SUBSYSTEM=="usb", ACTION=="add", ATTR{removable}=="removable", ATTR{idVendor}=="04e8", ATTR{idProduct}=="6860", ATTR{authorized}="0"
EOF
This device will be unusable next time it is connected to the computer.
Whitelist USB devices
Display USB devices.
$ lsusb
Bus 001 Device 002: ID 8087:8001 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp.
Bus 002 Device 003: ID 8087:0a2a Intel Corp.
Bus 002 Device 012: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0 for Bluetooth
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Authorize these USB devices and their child devices, but pass the children through only when the matching parent is not a hub (bDeviceClass 09); every other USB device is de-authorized.
$ cat << EOF | sudo tee /etc/udev/rules.d/01-usb-whitelist.rules
ACTION!="add", GOTO="usblist_rules_end"
SUBSYSTEM=="usb", GOTO="usblist_usb_rules"
GOTO="usblist_rules_end"

LABEL="usblist_usb_rules"

# Bus 001 Device 002: ID 8087:8001 Intel Corp.
ATTR{idVendor}=="8087", ATTR{idProduct}=="8001", GOTO="usblist_rules_end"
ATTRS{idVendor}=="8087", ATTRS{idProduct}=="8001", ATTRS{bDeviceClass}!="09", GOTO="usblist_rules_end"

# Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
ATTR{idVendor}=="1d6b", ATTR{idProduct}=="0002", GOTO="usblist_rules_end"
ATTRS{idVendor}=="1d6b", ATTRS{idProduct}=="0002", ATTRS{bDeviceClass}!="09", GOTO="usblist_rules_end"

# Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
ATTR{idVendor}=="1d6b", ATTR{idProduct}=="0003", GOTO="usblist_rules_end"
ATTRS{idVendor}=="1d6b", ATTRS{idProduct}=="0003", ATTRS{bDeviceClass}!="09", GOTO="usblist_rules_end"

# Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp.
ATTR{idVendor}=="0bda", ATTR{idProduct}=="5682", GOTO="usblist_rules_end"
ATTRS{idVendor}=="0bda", ATTRS{idProduct}=="5682", ATTRS{bDeviceClass}!="09", GOTO="usblist_rules_end"

# Bus 002 Device 003: ID 8087:0a2a Intel Corp.
ATTR{idVendor}=="8087", ATTR{idProduct}=="0a2a", GOTO="usblist_rules_end"
ATTRS{idVendor}=="8087", ATTRS{idProduct}=="0a2a", ATTRS{bDeviceClass}!="09", GOTO="usblist_rules_end"

# Bus 002 Device 012: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0 for Bluetooth
ATTR{idVendor}=="045e", ATTR{idProduct}=="0745", GOTO="usblist_rules_end"
ATTRS{idVendor}=="045e", ATTRS{idProduct}=="0745", ATTRS{bDeviceClass}!="09", GOTO="usblist_rules_end"

# Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
ATTR{idVendor}=="1d6b", ATTR{idProduct}=="0002", GOTO="usblist_rules_end"
ATTRS{idVendor}=="1d6b", ATTRS{idProduct}=="0002", ATTRS{bDeviceClass}!="09", GOTO="usblist_rules_end"

# Other USB devices - de-authorize
ATTR{authorized}="0"

LABEL="usblist_rules_end"
EOF
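The whitelist file above is clearly derived line by line from lsusb output; the script below generates it the same way, as an added example that is not part of the original post. It assumes the same labels and rule layout as the file above, emits each vendor:product id once even when lsusb lists it on several buses (the 2.0 root hub appears twice), and runs against a constructed lsusb sample rather than the live system.

```shell
#!/bin/sh
# Added example, not from the original post: build the whitelist rules file
# shown above from lsusb output. Same labels and rule layout as that file;
# ids that lsusb lists more than once (the 2.0 root hub on two buses) are
# emitted once, so no device gets duplicate rules.

# Constructed sample lsusb output; the last line repeats an id on purpose.
SAMPLE_LSUSB='Bus 001 Device 002: ID 8087:8001 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 012: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0 for Bluetooth
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# Read lsusb lines on stdin, print the udev rules on stdout.
gen_usb_whitelist() {
    printf '%s\n' 'ACTION!="add", GOTO="usblist_rules_end"' \
        'SUBSYSTEM=="usb", GOTO="usblist_usb_rules"' \
        'GOTO="usblist_rules_end"' \
        'LABEL="usblist_usb_rules"'
    seen=" "
    while IFS= read -r line; do
        set -- $line      # fields: Bus 001 Device 002: ID vvvv:pppp description...
        [ "$1" = "Bus" ] && [ "$5" = "ID" ] || continue
        id=$6
        case "$id" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
            *) continue ;;                            # not a vendor:product id
        esac
        case "$seen" in *" $id "*) continue ;; esac   # already emitted
        seen="$seen$id "
        vendor=${id%%:*}
        product=${id##*:}
        printf '# %s\n' "$line"
        # the device itself stays authorized
        printf 'ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", GOTO="usblist_rules_end"\n' "$vendor" "$product"
        # its children too, unless the matching parent is a hub (bDeviceClass 09)
        printf 'ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", ATTRS{bDeviceClass}!="09", GOTO="usblist_rules_end"\n' "$vendor" "$product"
    done
    printf '%s\n' '# Other USB devices - de-authorize' 'ATTR{authorized}="0"' 'LABEL="usblist_rules_end"'
}

# Number of distinct devices the generated file whitelists (one ATTR rule each).
count_whitelisted() {
    printf '%s\n' "$SAMPLE_LSUSB" | gen_usb_whitelist | grep -c '^ATTR{idVendor}'
}

# On a real system: lsusb | gen_usb_whitelist | sudo tee /etc/udev/rules.d/01-usb-whitelist.rules
```

Review the generated file before installing it: a device that is missing from the whitelist is de-authorized the next time it is added, keyboards included.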
References
Authorizing (or not) your USB devices to connect to the system