Hi Birger, Antoine, Thanks for getting 0.7.5 ready. For the difference between "allow" and "keep" on PresentDevicePolicy, the standard use case is handled similarly (i.e., user installing USBGuard for the 1st time, no customisation). The difference is slightly more subtle for hosts that have changed the sysfs attributes directly, for some reason. In this case, "keep" would respect whatever state was declared. Because of this and as Antoine suggested, I think this is a better option.
On generate-policy vs PresentDevicePolicy, I would argue that the simplest option is the best. By running generate-policy, you are parsing all current devices, generating rules and then applying these rules. There might be (unlikely) a bug in the rule generation which ends up blocking a device (e.g., missing attribute or so). The PresentDevicePolicy=keep is just a simpler alternative. It might be useful to write down some Debian-specific documentation on how to setup the daemon to be more restrictive? The wiki might be a good place for that? Thanks, Thiébaud On Fri, Jul 12, 2019 at 6:56 PM Birger Schacht <bir...@rantanplan.org> wrote: > > Hi, > > I'm currently working on packaging the 0.7.5 release of usbguard, which > was released a little more than a week ago. I have looked at the various > options we have to tackle the default configuration. > > I agree that the prompts at installation time should be minimized, so > I'm not convinced of my initial idea of asking the user for the value of > ImplicitPolicyTarget et al anymore. Setting ImplicitPolicyTarget to > allow by default seems wrong to me- it would mean users would have to > manually configure the service to actually do what it is intended to do. > > I was torn between the solution to generate a policy and setting > PresentDevicePolicy to `keep`. For now, I have configured the package to > generate a rules file using `usbguard generate-policy` if no rules file > exists - and I will also reenable the service. Thats also what upstream > suggests in the bug report mentioned by Thiébaud. But I am open to > change that to the PresentDevicePolicy solution if there happen to come > up problems with that default configuration. > > Thanks Antoine also for the information about the `plugdev` group, I'll > add a patch adding that group to the IPCAllowedGroups setting. > > cheers, > Birger
