1

For security purposes, is it possible to have the operating system enforce a whitelist of hardware devices?

This means that plugged-in devices that are not in the whitelist will be ignored at as low a level as possible (so that higher-level abstractions in the OS will not even find out about these non-whitelisted devices).

I'm using Ubuntu 11.04, but I'm guessing whatever solution you may have will work on almost any recent Linux distribution.

  • Linux doesn't work that way. Commented May 21, 2011 at 4:44
  • What do you mean? It certainly "works" for Linux to have USB vulnerabilities for example: charlescurley.com/blog/archives/2011/03/13/… Also, I'm pretty sure this can be done by making custom changes to my kernel. I just wanted to know whether someone has already done this. Given that there's no shortage of such vulnerabilities (see above), I'd be surprised if something like this doesn't already exist.
    – user67834
    Commented May 21, 2011 at 5:41
  • Why not compile a custom kernel with only the hardware you want to support? Commented May 21, 2011 at 5:48
  • 1
    I remember that you can use UDEV rules to ignore plugged in USB devices. Might be worth a try.
    – Turbo J
    Commented May 21, 2011 at 16:57
  • Thanks, I'll take a look at UDEV. About the custom kernel with only some hardware supported, I'm not sure this would be enough. Bear in mind that my knowledge about kernel internals is limited, but what I want is a whitelist for each specific hardware item (based on something like a hardware ID) and not for a global category of items. I think that with that solution, some drivers would support an entire category of items.
    – user67834
    Commented May 21, 2011 at 19:18

1 Answer

0

When a device gets added to the system, the kernel asks user mode for the appropriate driver by calling /sbin/hotplug as root (UID 0). Hotplug usually just calls insmod(8) with the appropriate .ko file, but you may hack it to perform some filtering based on hardware ID (passed in the environment).

Of course, you'll need to protect insmod(8) from being called directly by unprivileged users and make sure the .ko driver is unloaded after device detachment (/sbin/hotplug gets called for that event too).
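
The hardware-ID filtering the answer describes, written as a shell helper; this is an added example, not code from the answer. It covers USB only, and the whitelist path, the `HOTPLUG_ENFORCE` switch and the sample IDs are assumptions made for the illustration.

```shell
#!/bin/sh
# Whitelist filter for a /sbin/hotplug-style helper (added example).
# The kernel passes the event in the environment; for USB, PRODUCT is
# idVendor/idProduct/bcdDevice in hex without leading zeros, e.g. 46d/c31c/6400.

# Constructed sample list: one vendor/product per line, '#' starts a comment.
SAMPLE_LIST='46d/c31c    # keyboard
781/5567    # flash drive
#dead/beef  disabled entry'

# is_whitelisted ID LIST: succeeds if ID is an entry in LIST.
is_whitelisted() {
    printf '%s\n' "$2" | sed 's/#.*//' | awk 'NF { print tolower($1) }' |
        grep -Fxq -- "$1"
}

# hotplug_decide ACTION SUBSYSTEM PRODUCT LIST: prints load, unload, deny or skip.
hotplug_decide() {
    [ "$2" = usb ] || { echo skip; return 0; }    # only USB is filtered here
    # PRODUCT is device-supplied: accept nothing but hex/hex/hex.
    case $3 in
        *[!0-9a-fA-F/]* | */*/*/* | /* | *//* | */) echo deny; return 0 ;;
        */*/*) ;;
        *) echo deny; return 0 ;;
    esac
    id=$(printf '%s' "${3%/*}" | tr 'A-F' 'a-f')  # drop bcdDevice, lowercase
    case $1 in
        add)    if is_whitelisted "$id" "$4"; then echo load; else echo deny; fi ;;
        remove) if is_whitelisted "$id" "$4"; then echo unload; else echo skip; fi ;;
        *)      echo skip ;;
    esac
}

# Assumption: installed as the helper named in /proc/sys/kernel/hotplug, list in
# WHITELIST_FILE (hypothetical path). An unreadable list loads nothing.
hotplug_main() {
    list=$(cat "${WHITELIST_FILE:-/etc/hotplug-whitelist}") || return 1
    case $(hotplug_decide "$ACTION" "$SUBSYSTEM" "$PRODUCT" "$list") in
        load)   [ -z "$MODALIAS" ] || modprobe -q "$MODALIAS" ;;
        unload) [ -z "$MODALIAS" ] || modprobe -q -r "$MODALIAS" ;;
        deny)   logger -t hotplug-whitelist "denied USB $PRODUCT at $DEVPATH" ;;
    esac
}
# Enforce only when explicitly enabled; otherwise the file just defines functions.
if [ "${HOTPLUG_ENFORCE:-0}" = 1 ]; then hotplug_main; fi
```

A helper like this only gates module loading that goes through it: drivers built into the kernel or already loaded still bind to a device, and on udev-based systems module loading is triggered from udev rules rather than from this helper.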
