From fa32ba6c4fccf35111f85ec3819e718963359d7c Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Fri, 7 Nov 2025 17:09:22 -0600
Subject: [PATCH] Suppress usbguard startup unless a USB controller is visible to lspci
---
 debian/security-misc-shared.install | 1 +
 .../30_security-misc.conf#security-misc-shared | 1 +
 .../check-for-usb-controller#security-misc-shared | 11 +++++++++++
 3 files changed, 13 insertions(+)
 create mode 100755 usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
diff --git a/debian/security-misc-shared.install b/debian/security-misc-shared.install
index a228845..0b4dba2 100755
--- a/debian/security-misc-shared.install
+++ b/debian/security-misc-shared.install
@@ -55,6 +55,7 @@ usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared =>
 usr/libexec/security-misc/hide-hardware-info#security-misc-shared => /usr/libexec/security-misc/hide-hardware-info
 usr/libexec/security-misc/virusforget#security-misc-shared => /usr/libexec/security-misc/virusforget
 usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared => /usr/libexec/security-misc/pam_faillock_not_if_x
+usr/libexec/security-misc/check-for-usb-controller#security-misc-shared => /usr/libexec/security-misc/check-for-usb-controller
 usr/src/security-misc/emerg-shutdown.c#security-misc-shared => /usr/src/security-misc/emerg-shutdown.c
 usr/bin/disabled-gps-by-security-misc#security-misc-shared => /usr/bin/disabled-gps-by-security-misc
 usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared => /usr/bin/disabled-netfilesys-by-security-misc
diff --git a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared
index 70accaf..fa87f09 100644
--- a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared
+++ b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared
@@ -3,3 +3,4 @@ [Unit]
 ConditionPathExists=/sys/bus/usb
+ExecCondition=/usr/libexec/security-misc/check-for-usb-controller
diff --git a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
new file mode 100755
index 0000000..7688ee2
--- /dev/null
+++ b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+export LC_ALL='C'
+
+if lspci | grep -q '^[^ ]* USB controller: '; then
+ exit 0
+fi
+exit 1
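Review bot: `ExecCondition=` is added directly after `ConditionPathExists=`, which puts it in the `[Unit]` section, but it is a service-level setting documented in systemd.service(5) and is only honoured under `[Service]`. In `[Unit]` systemd logs an unknown-key warning and ignores the line, so the controller check would never gate usbguard. Give it its own section: `[Service]` followed by `ExecCondition=/usr/libexec/security-misc/check-for-usb-controller`. The hunk shows no lines after the addition, so this assumes the drop-in has no `[Service]` header further down.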
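Review bot: Every outcome other than a match ends in `exit 1`, so a missing `lspci` binary, an `lspci` error, or an absent pci.ids name database looks the same as "no USB controller". systemd treats ExecCondition exit codes 1 through 254 as "skip the unit without marking it failed", so in those cases usbguard would stay off and nothing would be reported. The check should fail towards starting usbguard, and matching the numeric class 0c03 from `lspci -n` removes the dependency on the name text; the diff as shown also adds no package dependency that guarantees `lspci` is installed. Hosts whose USB host controller is not a PCI function would presumably be skipped as well while `/sys/bus/usb` exists, which is worth confirming as intended.

```shell
## Only skip usbguard when lspci ran successfully and listed no USB controller.
if ! pci_list="$(lspci -n)"; then
  exit 0
fi

## PCI class 0c03 is "USB controller"; the numeric form does not depend on pci.ids.
if grep -q '^[^ ]* 0c03: ' <<< "${pci_list}"; then
  exit 0
fi
exit 1
```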