Hi all -- I'm trying to implement a security policy in which portable devices, especially USB drives, are not auto-run.
My idea is to go one better, and have all of these devices automatically mounted with "noexec,nodev,nosuid" by default. I also want users to still be able to choose their desktops, so setting the extra mount options in the desktop automounter isn't my preferred solution.

This chain of requirements has led me to HAL, and so far, I have worked out how to edit the /etc/hal/fdi/policy/preferences.fdi file to isolate the device, and add properties to it. My stanza for doing this looks like this:

> <device>
>   <match key="@block.storage_device:storage.hotpluggable" bool="true">
>     <match key="@block.storage_device:storage.removable" bool="true">
>       <match key="volume.is_partition" bool="true">
>         <merge key="volume.policy.mount_option.noexec" type="bool">true</merge>
>         <merge key="volume.policy.mount_option.nodev" type="bool">true</merge>
>       </match>
>     </match>
>   </match>
> </device>

The "match" operations select hot-pluggable removable devices which HAL thinks are partitions, which is right; it should work for both flash sticks and actual disk drives on both USB and FireWire.

I've also confirmed that my policy options are getting set -- if you run "hal-device" after inserting a USB stick, it reports that the volume.policy stuff is set up as I meant it to be, and only on the devices I meant.

The problem I have run into is that, on KDE at least, the desktop mounting gizmo is not respecting the policy options, and is mounting stuff without my additional options.

What I'd mostly like is some kind of documentation about how KDE interprets these things. The "hal-doc" package was awesome for the first part, but I can't seem to find an equivalent for the second part.

Does anyone know where to find docs on KDE/HAL interactions, or what the answer is?

This is all on Debian "lenny".

-- A.
--
Andrew Reid / rei...@bellatlantic.net
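An added check, not part of the original post: it reads mount-table text in /proc/mounts format and lists volumes that lack noexec, nodev or nosuid, which shows whether the desktop automounter actually applied the HAL policy. The /media/ prefix for removable volumes and the sample mount lines are assumptions constructed for illustration.

```python
"""Report removable-media mounts that lack the hardening options."""
import re
import sys

REQUIRED = ("noexec", "nodev", "nosuid")
# Assumption: the desktop automounter places removable volumes under /media.
MEDIA_PREFIXES = ("/media/",)

# Constructed sample in /proc/mounts format, used when no file is given.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdb1 /media/disk vfat rw,nosuid,nodev,uid=1000,utf8 0 0
/dev/sdc1 /media/USB\\040STICK vfat rw,noexec,nosuid,nodev,uid=1000 0 0
/dev/sdd1 /media/camera vfat rw,uid=1000 0 0
"""


def unescape(field):
    """Decode the octal escapes (\\040 = space) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def audit_mounts(mounts_text, required=REQUIRED, prefixes=MEDIA_PREFIXES):
    """Return [(device, mount_point, missing_options)] for weak mounts."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        device, mount_point = fields[0], unescape(fields[1])
        if not mount_point.startswith(prefixes):
            continue
        # Options may carry values (uid=1000); compare on the name only.
        active = {opt.split("=", 1)[0] for opt in fields[3].split(",")}
        missing = [opt for opt in required if opt not in active]
        if missing:
            findings.append((device, mount_point, missing))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE_MOUNTS
    for device, mount_point, missing in audit_mounts(text):
        print("%s on %s is missing: %s" % (device, mount_point, ",".join(missing)))
```

Pass /proc/mounts as the argument after inserting a stick to audit the live system; with no argument the script runs against the constructed sample.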