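{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.services.usbguard;

  # Targets accepted by every *Policy option below. Not every target is
  # meaningful for every option; see the individual option descriptions.
  policy = types.enum [ "allow" "block" "reject" "keep" "apply-policy" ];

  # Inline `rules` take precedence over `ruleFile`: when set, they are written
  # into the (read-only) nix store and that store path is handed to the daemon.
  ruleFile =
    if cfg.rules != null
    then pkgs.writeText "usbguard-rules" cfg.rules
    else cfg.ruleFile;

  # usbguard-daemon.conf expects the literal words "true"/"false" for booleans.
  boolStr = b: if b then "true" else "false";

  # Contents of the generated usbguard-daemon.conf.
  daemonConf = ''
    # generated by nixos/modules/services/security/usbguard.nix
    RuleFile=${ruleFile}
    ImplicitPolicyTarget=${cfg.implictPolicyTarget}
    PresentDevicePolicy=${cfg.presentDevicePolicy}
    PresentControllerPolicy=${cfg.presentControllerPolicy}
    InsertedDevicePolicy=${cfg.insertedDevicePolicy}
    RestoreControllerDeviceState=${boolStr cfg.restoreControllerDeviceState}
    # this does not seem useful for endusers to change
    DeviceManagerBackend=uevent
    IPCAllowedUsers=${concatStringsSep " " cfg.IPCAllowedUsers}
    IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups}
    IPCAccessControlFiles=${cfg.IPCAccessControlFiles}
    DeviceRulesWithPort=${boolStr cfg.deviceRulesWithPort}
    AuditFilePath=${cfg.auditFilePath}
  '';

  daemonConfFile = pkgs.writeText "usbguard-daemon-conf" daemonConf;

in {

  ###### interface

  options = {
    services.usbguard = {
      enable = mkEnableOption "USBGuard daemon";

      ruleFile = mkOption {
        type = types.path;
        default = "/var/lib/usbguard/rules.conf";
        description = ''
          The USBGuard daemon will use this file to load the policy rule set
          from it and to write new rules received via the IPC interface.

          Running the command <literal>usbguard generate-policy</literal> as
          root will generate a config for your currently plugged in devices.
          For an in-depth guide consult the official documentation.

          Setting the <literal>rules</literal> option will ignore the
          <literal>ruleFile</literal> option.
        '';
      };

      rules = mkOption {
        type = types.nullOr types.lines;
        default = null;
        example = ''
          allow with-interface equals { 08:*:* }
        '';
        description = ''
          The USBGuard daemon will load this policy rule set. Modifying it via
          the IPC interface won't work if you use this option, since the
          contents of this option will be written into the nix store, so it
          will be read-only.

          You can still use <literal>usbguard generate-policy</literal> to
          generate rules, but you would have to insert them here.

          Setting the <literal>rules</literal> option will ignore the
          <literal>ruleFile</literal> option.
        '';
      };

      # The misspelling ("implict") is part of the public option name that
      # existing configurations reference; keep it as-is for compatibility.
      implictPolicyTarget = mkOption {
        type = policy;
        default = "block";
        description = ''
          How to treat USB devices that don't match any rule in the policy.
          Target should be one of allow, block or reject (logically remove the
          device node from the system).
        '';
      };

      presentDevicePolicy = mkOption {
        type = policy;
        default = "apply-policy";
        description = ''
          How to treat USB devices that are already connected when the daemon
          starts. Policy should be one of allow, block, reject, keep (keep
          whatever state the device is currently in) or apply-policy (evaluate
          the rule set for every present device).
        '';
      };

      presentControllerPolicy = mkOption {
        type = policy;
        default = "keep";
        description = ''
          How to treat USB controller devices that are already connected when
          the daemon starts. One of allow, block, reject, keep or apply-policy.
        '';
      };

      insertedDevicePolicy = mkOption {
        type = policy;
        default = "apply-policy";
        description = ''
          How to treat USB devices that are connected after the daemon
          starts. One of block, reject, apply-policy.
        '';
      };

      restoreControllerDeviceState = mkOption {
        type = types.bool;
        default = false;
        description = ''
          The USBGuard daemon modifies some attributes of controller
          devices like the default authorization state of new child device
          instances. Using this setting, you can control whether the daemon
          will try to restore the attribute values to the state before
          modification on shutdown.
        '';
      };

      IPCAllowedUsers = mkOption {
        type = types.listOf types.str;
        default = [ "root" ];
        example = [ "root" "yourusername" ];
        description = ''
          A list of usernames that the daemon will accept IPC connections from.
        '';
      };

      IPCAllowedGroups = mkOption {
        type = types.listOf types.str;
        default = [ ];
        example = [ "wheel" ];
        description = ''
          A list of groupnames that the daemon will accept IPC connections
          from.
        '';
      };

      IPCAccessControlFiles = mkOption {
        type = types.path;
        default = "/var/lib/usbguard/IPCAccessControl.d/";
        description = ''
          The files at this location will be interpreted by the daemon as IPC
          access control definition files. See the IPC ACCESS CONTROL section
          in <citerefentry><refentrytitle>usbguard-daemon.conf</refentrytitle>
          <manvolnum>5</manvolnum></citerefentry> for more details.
        '';
      };

      deviceRulesWithPort = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Generate device specific rules including the "via-port" attribute.
        '';
      };

      auditFilePath = mkOption {
        type = types.path;
        default = "/var/log/usbguard/usbguard-audit.log";
        description = ''
          USBGuard audit events log file path.
        '';
      };
    };
  };


  ###### implementation

  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.usbguard ];

    systemd.services.usbguard = {
      description = "USBGuard daemon";

      wantedBy = [ "basic.target" ];
      wants = [ "systemd-udevd.service" "local-fs.target" ];

      # Make sure the rule file, the audit log directory and the IPC access
      # control directory exist before the daemon starts. Every path is quoted
      # so that a configured path containing whitespace is not split into
      # several arguments (the original left the `touch` operand unquoted).
      # The directories are created with the service's default umask --
      # NOTE(review): confirm that mode is intended for the directory the
      # daemon reads its IPC access control definitions from.
      preStart = ''
        mkdir -p "$(dirname "${cfg.ruleFile}")" "$(dirname "${cfg.auditFilePath}")" "${cfg.IPCAccessControlFiles}" \
          && ([ -f "${cfg.ruleFile}" ] || touch "${cfg.ruleFile}")
      '';

      serviceConfig = {
        Type = "simple";
        # -k sends the daemon's log output to the console (the journal under
        # systemd). -P is understood to disable the daemon's own permission
        # check on the rule file and the IPC access control directory --
        # NOTE(review): with it set, preStart above is what determines those
        # permissions; confirm against usbguard-daemon(8) that this is intended.
        ExecStart = ''${pkgs.usbguard}/bin/usbguard-daemon -P -k -c ${daemonConfFile}'';
        Restart = "on-failure";
      };
    };
  };
}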