Bug#1050493: gnome-settings-daemon breaks existing usbguard rules, allowing all usb device by default

John Livingston reportbug at john-livingston.fr
Fri Aug 25 10:18:06 BST 2023 

Package: gnome-settings-daemon
Version: 43.0-4
Severity: normal
X-Debbugs-Cc: reportbug at john-livingston.fr

Dear Maintainer,

I'm using USBguard to prevent attacks using bad usb devices. So i had some
rules defined in /etc/usbguard/rules.conf, allowing only known usb devices.

This worked perfectly well in Debian Bullseye. When i connected a new usb
device, i had first to allow it.

But since I upgraded to Bookworm, all usb devices are accepted by default.
Making usbguard useless...

It seems this rule is added at runtime by gnome-settings-daemon:
https://gitlab.gnome.org/denittis/gnome-settings-
daemon/blob/29ae1fb6b76a38f27a0875be0e3fffe0a904ea1e/plugins/usb-
protection/gsd-usb-protection-manager.c#L145

This is really bad, as it disable a protection without any warning.

I found some documentation about this new behaviour:
https://wiki.archlinux.org/title/USBGuard (section "Gnome integration")

Seems i have to do:
gsettings set org.gnome.desktop.privacy usb-protection-level always

When upgrading from a previous version, it should detect if there are any rules
already defined, and set the default level to always. Or at least warn the user
somehow.


Best regards,
John


-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-24-amd64 (SMP w/8 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-settings-daemon depends on:
ii  gnome-settings-daemon-common  43.0-4
ii  gsettings-desktop-schemas     43.0-1
ii  libasound2                    1.2.8-1+b1
ii  libc6                         2.36-9+deb12u1
ii  libcairo2                     1.16.0-7
ii  libcanberra-gtk3-0            0.30-10
ii  libcanberra0                  0.30-10
ii  libcolord2                    1.4.6-2.2
ii  libcups2                      2.4.2-3+deb12u1
ii  libfontconfig1                2.14.1-4
ii  libgcr-base-3-1               3.41.1-1+b1
ii  libgdk-pixbuf-2.0-0           2.42.10+dfsg-1+b1
ii  libgeoclue-2-0                2.6.0-2
ii  libgeocode-glib-2-0           3.26.3-6
ii  libglib2.0-0                  2.74.6-2
ii  libgnome-desktop-3-20         43.2-2
ii  libgtk-3-0                    3.24.37-2
ii  libgudev-1.0-0                237-2
ii  libgweather-4-0               4.2.0-2
ii  libmm-glib0                   1.20.4-1
ii  libnm0                        1.42.4-1
ii  libnotify4                    0.8.1-1
ii  libnspr4                      2:4.35-1
ii  libnss3                       2:3.87.1-1
ii  libpam-systemd [logind]       252.12-1~deb12u1
ii  libpango-1.0-0                1.50.12+ds-1
ii  libpangocairo-1.0-0           1.50.12+ds-1
ii  libpolkit-gobject-1-0         122-3
ii  libpulse-mainloop-glib0       16.1+dfsg1-2+b1
ii  libpulse0                     16.1+dfsg1-2+b1
ii  libspa-0.2-bluetooth          0.3.65-3
ii  libupower-glib3               0.99.20-2
ii  libwacom9                     2.6.0-1
ii  libwayland-client0            1.21.0-1
ii  libx11-6                      2:1.8.4-2+deb12u1
ii  libxext6                      2:1.3.4-1+b1
ii  libxfixes3                    1:6.0.0-2
ii  libxi6                        2:1.8-1+b1
ii  pipewire-audio                0.3.65-3

Versions of packages gnome-settings-daemon recommends:
ii  iio-sensor-proxy   3.0-2
ii  pipewire-audio     0.3.65-3
ii  pkexec             122-3
ii  x11-xserver-utils  7.7+9+b1

Versions of packages gnome-settings-daemon suggests:
ii  usbguard  1.1.2+ds-3+b1

-- no debconf information

More information about the pkg-gnome-maintainers mailing list