USB device blocking in Linux can be implemented with udev — a subsystem for managing device events.
The blocking rules file should be placed in /etc/udev/rules.d. The name can be arbitrary. To load new rules, run:
udevadm control --reload-rules
The rule below applies to a specific idVendor and idProduct. Both can be obtained from the lsusb command.

It’s possible to write shell commands directly in the blocking rules file, but then every change requires reloading the rules. A better solution is to have the rule run a script (e.g. /home/user/run.sh); editing the script doesn’t require reloading the rules. USB attributes can be passed to the script as ‘%E{ATTR_NAME}’. For example, ‘%E{DEVPATH}’ is necessary for device blocking.
ACTION=="add", ATTRS{idVendor}=="2001", ATTRS{idProduct}=="1a02", RUN+="/home/user/run_block.sh '%E{DEVPATH}'"
#!/bin/sh
# Block: $1 is the DEVPATH passed by the udev rule; writing 0 deauthorizes the device.
echo 0 > "/sys$1/authorized"
#!/bin/sh
# Unblock: $1 is the DEVPATH of the device; writing 1 authorizes it again.
echo 1 > "/sys$1/authorized"
An example devpath is /sys/bus/usb/devices/usb1. The device's attribute files are found under this directory. To block a USB device, write the value ‘0’ to the /devpath/authorized file; to unblock it, write ‘1’.
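
A hardened variant of the blocking script, added here as an example and not part of the original page: because udev runs the script as root, it validates the DEVPATH argument before writing to sysfs. The function name set_authorized, the SYSFS_ROOT override and the usb-block log tag are assumptions introduced for illustration.

```shell
#!/bin/sh
# Hardened variant of run_block.sh (added example, not the original script).
# udev runs RUN+= programs as root: keep this file root-owned and not
# writable by other users, and validate the argument before touching sysfs.

# SYSFS_ROOT is an assumption added so the logic can be tested on a fake tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# set_authorized DEVPATH VALUE  (hypothetical helper name)
# Writes VALUE (0 = block, 1 = unblock) to $SYSFS_ROOT$DEVPATH/authorized.
# Returns 0 on success, 2 for a rejected argument, 3 if the write is impossible.
set_authorized() {
    devpath=$1
    value=$2

    case "$value" in
        0|1) ;;
        *) return 2 ;;
    esac

    # For USB devices the udev DEVPATH starts with /devices/; reject anything
    # else, and any ".." that could step outside the sysfs tree.
    case "$devpath" in
        *..*) return 2 ;;
        /devices/*) ;;
        *) return 2 ;;
    esac

    target="$SYSFS_ROOT$devpath/authorized"
    # The attribute must already exist as a regular file, not a symlink.
    [ -f "$target" ] && [ ! -L "$target" ] || return 3

    printf '%s\n' "$value" > "$target" || return 3

    # Record the decision in syslog when logger is available.
    if command -v logger >/dev/null 2>&1; then
        logger -t usb-block "authorized=$value devpath=$devpath" 2>/dev/null || true
    fi
    return 0
}

# Invoked by the udev rule as: run_block.sh '%E{DEVPATH}'
if [ "$#" -ge 1 ]; then
    set_authorized "$1" 0
fi
```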