Bug#971424: gsd-usb-protection fails to add rule to allow USB devices

Sam Morris sam at robots.org.uk
Wed Sep 30 11:18:41 BST 2020


Source: gnome-settings-daemon
Version: 3.38.0-2
Severity: normal

As I understand it, gsd-usb-protection adds a rule to allow any USB
device but only while the system is not locked.

On my system, gsd-usb-protection is unable to add the rule.

    $ /usr/libexec/gsd-usb-protection  -v
    (gsd-usb-protection:437340): GLib-DEBUG: 11:03:34.418: unsetenv() is not thread-safe and should not be used after threads are created
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.420: Starting USB protection manager
    (gsd-usb-protection:437340): GLib-GIO-DEBUG: 11:03:34.422: _g_io_module_get_default: Found default implementation dconf (DConfSettingsBackend) for ‘gsettings-backend’
    (gsd-usb-protection:437340): dconf-DEBUG: 11:03:34.429: watch_fast: "/org/gnome/desktop/privacy/" (establishing: 0, active: 0)
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.431: bus_acquired_cb: acquired bus 0x5627ceb83070 for name org.gnome.SettingsDaemon.UsbProtection
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.432: Registered client at path /org/gnome/SessionManager/Client43
    (gsd-usb-protection:437340): dconf-DEBUG: 11:03:34.440: watch_established: "/org/gnome/desktop/privacy/" (establishing: 1)
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.443: name_acquired_cb: acquired name org.gnome.SettingsDaemon.UsbProtection on bus 0x5627ceb83070
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.444: name_lost_cb: lost name org.gnome.SettingsDaemon.UsbProtection on bus 0x5627ceb83070
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.456: Received screensaver ActiveChanged signal: 0 (old: 0)
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.464: usb_protection_policy_proxy_ready
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.464: Set protection policy proxy to 0x5627ceb961e0
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.465: Attempting to sync USB parameters: 1 0x5627ceb961e0 0x5627ceb76fa0
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.466: Listening to signals
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.470: InsertedDevicePolicy is: apply-policy
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.470: Ensuring allow all
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.481: Detecting rule...
    (gsd-usb-protection:437340): usb-protection-plugin-DEBUG: 11:03:34.481: Adding rule 0

    (gsd-usb-protection:437340): usb-protection-plugin-WARNING **: 11:03:34.484: Error appending USBGuard rule: GDBus.Error:org.freedesktop.DBus.Error.Failed: Policy append: rule: Invalid parent ID

I've got usbguard 0.7.8+ds-2 installed. It looks like it doesn't
recognize rule ID 0 as meaning prepend to existing rules.

Here are the D-Bus calls made by gsd-usb-protection:

    ‣ Type=method_call  Endian=l  Flags=0  Version=1 Cookie=20
      Sender=:1.79980  Destination=:1.923  Path=/org/usbguard1/Policy  Interface=org.usbguard.Policy1  Member=appendRule
      UniqueName=:1.79980
      MESSAGE "sub" {
	      STRING "allow id *:* label "GNOME_SETTINGS_DAEMON_RULE"";
	      UINT32 0;
	      BOOLEAN true;
      };

    ‣ Type=signal  Endian=l  Flags=1  Version=1 Cookie=110
      Sender=:1.923  Path=/org/usbguard1  Interface=org.usbguard1  Member=ExceptionMessage
      UniqueName=:1.923
      MESSAGE "sss" {
	      STRING "Policy append";
	      STRING "rule";
	      STRING "Invalid parent ID";
      };

    ‣ Type=error  Endian=l  Flags=1  Version=1 Cookie=111  ReplyCookie=20
      Sender=:1.923  Destination=:1.79980
      ErrorName=org.freedesktop.DBus.Error.Failed  ErrorMessage="Policy append: rule: Invalid parent ID"
      UniqueName=:1.923
      MESSAGE "s" {
	      STRING "Policy append: rule: Invalid parent ID";
      };

-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (535, 'stable-updates'), (535, 'stable'), (520, 'testing'), (510, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-9-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
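
A way to triage a dump like the one in the report above, as an added example that is not part of the original message: pair each D-Bus error reply with the method call it answers (the reply's ReplyCookie and Sender match the call's Cookie and Destination) and list the arguments that were rejected. The trace is trimmed from the report; the function names `parse` and `failed_calls` are this example's own.

```python
import re

# Trace trimmed from the monitor dump quoted in the report.
TRACE = '''\
‣ Type=method_call  Endian=l  Flags=0  Version=1 Cookie=20
  Sender=:1.79980  Destination=:1.923  Path=/org/usbguard1/Policy  Interface=org.usbguard.Policy1  Member=appendRule
  MESSAGE "sub" {
          STRING "allow id *:* label "GNOME_SETTINGS_DAEMON_RULE"";
          UINT32 0;
          BOOLEAN true;
  };

‣ Type=error  Endian=l  Flags=1  Version=1 Cookie=111  ReplyCookie=20
  Sender=:1.923  Destination=:1.79980
  ErrorName=org.freedesktop.DBus.Error.Failed  ErrorMessage="Policy append: rule: Invalid parent ID"
  MESSAGE "s" {
          STRING "Policy append: rule: Invalid parent ID";
  };
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')            # header Key=value pairs
ARG = re.compile(r'^\s*(STRING|UINT32|BOOLEAN) (.*);$', re.M)  # typed body arguments

def parse(trace):
    """Split the dump into messages: header fields plus typed body arguments."""
    msgs = []
    for chunk in trace.split('‣')[1:]:
        head, _, body = chunk.partition('MESSAGE "')
        fields = {k: v.strip('"') for k, v in FIELD.findall(head)}
        fields['args'] = ARG.findall(body)
        msgs.append(fields)
    return msgs

def failed_calls(trace):
    """Return (member, args, error message) for every call answered by an error."""
    msgs = parse(trace)
    calls = {(m['Destination'], m['Cookie']): m
             for m in msgs if m['Type'] == 'method_call'}
    out = []
    for m in msgs:
        if m['Type'] != 'error':
            continue
        call = calls.get((m['Sender'], m['ReplyCookie']))
        if call:
            out.append((call['Member'], call['args'], m['ErrorMessage']))
    return out

if __name__ == "__main__":
    print(failed_calls(TRACE))
```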

