
ERROR: IPC connect: service=usbguard: Permission denied since kernel 5.0.9

Open morfikov opened this issue 5 years ago • 9 comments

I just upgraded my kernel to the latest stable (5.0.7->5.0.9) and I noticed that usbguard-applet-qt has a gray icon. In its log I can see the following messages:

[Sat Apr 20 14:55:21 2019] Connection failed: IPC connect: service=usbguard: Permission denied
[Sat Apr 20 14:55:22 2019] Connection failed: IPC connect: service=usbguard: Permission denied
[Sat Apr 20 14:55:23 2019] Connection failed: IPC connect: service=usbguard: Permission denied

Also I'm using AppArmor profiles for all the usbguard execs, and I had to add to usr.sbin.usbguard-daemon and usr.sbin.usbguard-dbus profiles the following rules:

/dev/shm/ r,
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/ rw,
/dev/shm/qb-[0-9]*-[0-9]*-[0-9]*-*/qb-{request,response,event}-usbguard-{header,data} rw,

There was a similar rule to the last one:

/dev/shm/qb-usbguard-{request,response,event}-[0-9]*-[0-9]*-[0-9]*-{header,data} rw,

and probably the change causes the problem.

morfikov avatar Apr 20 '19 13:04 morfikov

It looks like the systemd service causes the problem.

When I commented out the following line:

CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER

it works well now. It's weird...

morfikov avatar Apr 24 '19 17:04 morfikov

I had to add two extra CAPs:

CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE

Now it works well.

morfikov avatar Apr 24 '19 17:04 morfikov

Re-opening this issue as the necessary changes may not have been committed. This was pulled in the Debian package (https://salsa.debian.org/bisco-guest/usbguard/commit/492e3a38ae0bce192fca926e1eedc0e71dbdb5a2), but I'm not sure these are necessary (and potentially dangerous).

Any chance you could share the version of systemd that you were using? Thanks.

tweksteen avatar Sep 16 '19 07:09 tweksteen

See #289 .

#  systemd --version
systemd 242 (242)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP 
+GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN 
+PCRE2 default-hierarchy=hybrid

I'm using Debian Sid.

morfikov avatar Sep 16 '19 12:09 morfikov

Seeing the same thing in Linux Kernel 5.3.8 (Arch Linux) with Systemd 242

drGrove avatar Nov 03 '19 21:11 drGrove

I think there are some more capabilities missing to be able to write to /etc/usbguard/rules.conf

cyrinux avatar Nov 04 '19 12:11 cyrinux

@cyrinux yes, you must allow writing to your rules.conf file.

A quick fix is to place this file at /etc/systemd/system/usbguard.service.d/override.conf:

[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE
ReadWritePaths=-/etc/usbguard/rules.conf

But ideally, this should be fixed upstream.

aagor avatar Jan 05 '20 21:01 aagor

@alcros wrote:

[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE
ReadWritePaths=-/etc/usbguard/rules.conf

The latter is already in the usbguard.service file: https://github.com/USBGuard/usbguard/blob/master/usbguard.service.in#L24 (fffd3d3fc16ff3426e95350b061a44f0ce02d3c7)

genodeftest avatar Feb 05 '20 19:02 genodeftest

Regarding the necessary CAP_DAC_OVERRIDE capability, see #289 for more information and an alternative to adding this potentially dangerous capability.

diabonas avatar Feb 09 '20 15:02 diabonas
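The override.conf suggested above and the later warnings about CAP_DAC_OVERRIDE both come down to one question: which capabilities does a given unit file or drop-in actually grant to usbguard.service, and are any of them broad DAC bypasses rather than the narrow CAP_CHOWN/CAP_FOWNER set the shipped unit uses? The following shell script is an added example, not code from the usbguard project or from anyone in this thread. It parses the `CapabilityBoundingSet=` lines of one file the way systemd merges repeated assignments (OR, with an empty value resetting the set; the `~` inverted form is not handled), then flags CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH. The two sample files it writes under `$TMPDIR` are constructed for the example and mirror the override posted above and the shipped unit's line.

```shell
#!/bin/sh
# Added example (not from the usbguard project or this issue thread): audit the
# CapabilityBoundingSet a systemd unit file or drop-in grants, and flag the
# broad DAC-bypass capabilities discussed in this thread. Sample paths and
# file contents below are constructed so the script runs offline.

# Print the space-separated capability list resulting from every
# CapabilityBoundingSet= line in one file. systemd ORs repeated assignments
# together and treats an empty assignment as a reset; lines prefixed with "~"
# (inverted sets) are deliberately not handled here.
capability_bounding_set() {
    # $1: path to the unit file or drop-in
    awk -F= '
        /^[[:space:]]*CapabilityBoundingSet[[:space:]]*=/ {
            val = $2
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (val == "") { set = "" }
            else { set = (set == "" ? val : set " " val) }
        }
        END { print set }
    ' "$1"
}

# From a space-separated capability list, print the ones that bypass
# discretionary access control on files. CAP_DAC_OVERRIDE bypasses
# read/write/execute permission checks entirely; CAP_DAC_READ_SEARCH bypasses
# read and directory-search checks. Both are far broader than "may write
# /etc/usbguard/rules.conf".
broad_dac_caps() {
    # $1: space-separated capability list
    out=""
    for cap in $1; do
        case "$cap" in
            CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH) out="${out:+$out }$cap" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Audit one file: returns 1 (and names the capabilities) when a DAC-bypass
# capability is granted, 0 otherwise.
audit_file() {
    caps=$(capability_bounding_set "$1")
    broad=$(broad_dac_caps "$caps")
    if [ -n "$broad" ]; then
        printf '%s: grants DAC-bypass capability: %s\n' "$1" "$broad"
        return 1
    fi
    printf '%s: bounding set "%s" has no DAC-bypass capability\n' "$1" "$caps"
    return 0
}

# Constructed sample drop-in, mirroring the override posted in this thread.
SAMPLE_DROPIN="${TMPDIR:-/tmp}/usbguard-override-example.conf"
cat > "$SAMPLE_DROPIN" <<'EOF'
[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE
ReadWritePaths=-/etc/usbguard/rules.conf
EOF

# Constructed sample with the narrower set the shipped unit line uses.
SAMPLE_UNIT="${TMPDIR:-/tmp}/usbguard-unit-example.conf"
cat > "$SAMPLE_UNIT" <<'EOF'
[Service]
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
EOF

# Stand-alone demonstration over both constructed files.
for f in "$SAMPLE_DROPIN" "$SAMPLE_UNIT"; do
    audit_file "$f" || :
done

# On a live host, the merged value systemd actually applies (main unit plus all
# drop-ins) is the authoritative one and can be read with:
#   systemctl show -p CapabilityBoundingSet usbguard.service
```

Because a drop-in is merged with the main unit, run the audit over every file `systemctl cat usbguard.service` lists, or compare against the `systemctl show` output in the trailing comment, before deciding whether the grant is really limited to what writing rules.conf needs.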