usbguard icon indicating copy to clipboard operation
usbguard copied to clipboard
verified publisher icon USBGuard

Failed to permanently add device to rules.conf: Rule set upsert: rule: Cannot upsert; multiple matching rules

Open genodeftest opened this issue 2 years ago • 2 comments

On a specific device of mine, when I try to permanently add a specific device to the allowlist, I get an error:

IPC ERROR: request id=1: Rule set upsert: rule: Cannot upsert; multiple matching rules

Steps I followed:

  1. get list of devices (censored output of usbguard list-devices)
  2. Allow device 16: usbguard allow-device --permanent 16

What happens:

$ usbguard allow-device --permanent 16
IPC ERROR: request id=1: Rule set upsert: rule: Cannot upsert; multiple matching rules

What should happen:

Work fine without errors.

Additional info:

  • Allowing the device without the --permanent flag works fine (just for the session)
  • It does not matter whether I try to allow 15 or 16, both behave the same (in the output above, 15 was temporarily allowed, but 16 was not)
  • My USB device list (see attachment above) looks weird. Devices 15 and 16 have the same ID, an empty serial number, empty name and two different(!) parents.
  • After enabling device 16 (non-permanent) and double-checking that it is listed as allow in usbguard list-devices, lsusb shows the device only once (output of lsusb). Also, lsusb shows the same output before and after allowing device 16, i.e., the kernel seems to see it as only one device. As a non-expert, this looks to me as if 15 and 16 are physically the same USB device, just with two different parents.
  • I have been using the same physical hardware (no separate USB hubs attached) for a few years with the same linux distribution (Fedora, not reinstalled for years) and same USBGuard configuration without problems. According to my package manager's history (dnf history list usbguard), USBGuard has not been updated since 2022-09, but I've only started seeing this issue since a few weeks now. The hardware is very old and thus probably hasn't seen a firmware update (also, I couldn't find any in my syslog), so the issue is probably related to a recent software update, most probably the kernel.

Software versions:

  • usbguard-1.1.0-4.fc37.x86_64
  • kernel-6.2.9-200.fc37.x86_64

genodeftest avatar Apr 15 '23 09:04 genodeftest

Additional notes regarding kernel versions:

  1. With Fedora's kernel 6.2.7, everything is fine and the device shows up only once.
  2. With Fedora's kernel 6.2.8, the device started showing up twice in usbguard list-devices with two different parent hashes
    • Side note: The enumeration order changed (but not the hashes), which in turn made all USB devices blocked with my configuration, but that's something I should probably report separately… Edit: Done, see #589
  3. With Fedora's kernel 6.2.9, the device still shows up twice in usbguard list-devices.
    • Side note: The enumeration order changed again.

Link to Fedora 37's linux kernel changelog

genodeftest avatar Apr 15 '23 09:04 genodeftest

I had the same bug before and until today on debian 12, kernel 6.1.0-11-amd64, and usbguard 1.1.2+ds-3+b1. I think it happened because I plugged the device to a different port. So it was blocked, and I got your message when trying to unblock it,. But I just found reloading usbguard service did the trick ; sudo systemctl restart usbguard I hope this helps.

pouek avatar Sep 08 '23 20:09 pouek