
Introducing the New Linux USB Policy V2

Updated this week

Overview

The new Linux USB Policy (LINUX_USB_POLICY_V2) provides advanced control over USB device access on Ubuntu LTS 24 systems. This update replaces the older, category-based policy with a more flexible, rule-based approach, allowing organizations to precisely manage which USB devices can be used on managed Linux endpoints.

Key Features

1. Rule-Based USB Control

  • Policies are now defined as a set of rules, each specifying actions, device levels, device codes, and optional vendor/product IDs.

  • Example rule structure:

    {
      "policyName": "LINUX_USB_POLICY_V2",
      "policyType": "LINUX_USB_POLICY_V2",
      "policy": {
        "rules": [
          {
            "actions": ["add", "bind", "change"],
            "level": "usb_device",
            "devCode": "00",
            "authorize": true,
            "vendorId": "XXXX"
          }
        ]
      }
    }

    In this rule, devCode "00" selects devices whose class is defined per interface (the class information lives in the Interface Descriptors), and vendorId is optional: include it to restrict the rule to a specific vendor.

2. Granular Device Authorization

  • Control USB access at the device or interface level.

  • Authorize or block devices based on class codes, vendor IDs, and product IDs.

  • Easily allow or deny specific USB devices (e.g., only allow company-issued USB drives).

3. Dynamic Policy Updates

  • Policies can be updated or removed at any time.

  • When a policy is deleted, the corresponding udev rule file (/etc/udev/rules.d/99-swifteam-block-usb.rules) is also removed, restoring normal USB functionality.

4. Compatibility and Migration

  • Existing customers do not need to migrate immediately; the old policy format is still supported.

  • The option to disable all external USB drives remains available.

5. Improved Troubleshooting and Testing

  • Clear test steps for verifying USB policy enforcement, including checking device authorization status and udev rule file presence.

  • Supports both scenarios where the VM can or cannot detect USB devices.

How to Use

Assigning a Policy

  1. Identify the USB device’s Vendor ID and Product ID using lsusb, or by reading /sys/bus/usb/devices/<device>/idVendor and /sys/bus/usb/devices/<device>/idProduct.

  2. Create a policy rule specifying the desired actions, device level, and authorization status.

  3. Apply the policy to the target device(s).

Example: Block All USB Devices

{
  "policyName": "LINUX_USB_POLICY_V2",
  "policyType": "LINUX_USB_POLICY_V2",
  "policy": {
    "rules": [
      {
        "actions": ["add", "bind", "change"],
        "level": "usb_device",
        "devCode": "00",
        "authorize": false
      }
    ]
  }
}

Example: Allow Only Specific Vendor

{
  "policyName": "LINUX_USB_POLICY_V2",
  "policyType": "LINUX_USB_POLICY_V2",
  "policy": {
    "rules": [
      {
        "actions": ["add", "bind", "change"],
        "level": "usb_device",
        "devCode": "00",
        "authorize": true,
        "vendorId": "XXXX"
      }
    ]
  }
}
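The following is an added example, not Swif.ai's code: it evaluates a LINUX_USB_POLICY_V2 rule set against a device's sysfs attributes to predict what /sys/bus/usb/devices/<device>/authorized should read, and renders the same rules as udev lines of the kind a 99-swifteam-block-usb.rules file could hold. It assumes rules are applied in order with the last match winning (as sequential udev ATTR{authorized} assignments would), that "level" maps to udev's DEVTYPE, and that devCode maps to bDeviceClass; the vendor ID "abcd" is a constructed placeholder.

```python
import json

# Constructed policy in the LINUX_USB_POLICY_V2 shape: block every USB device,
# then re-authorize one vendor. "abcd" is a placeholder vendor ID, not a real one.
POLICY_JSON = """
{
  "policyName": "LINUX_USB_POLICY_V2",
  "policyType": "LINUX_USB_POLICY_V2",
  "policy": {
    "rules": [
      {"actions": ["add", "bind", "change"], "level": "usb_device",
       "devCode": "00", "authorize": false},
      {"actions": ["add", "bind", "change"], "level": "usb_device",
       "devCode": "00", "authorize": true, "vendorId": "abcd"}
    ]
  }
}
"""

def rule_matches(rule, dev):
    """dev holds the sysfs values: level (DEVTYPE), devCode (bDeviceClass),
    vendorId (idVendor) and productId (idProduct)."""
    if rule["level"] != dev["level"] or rule["devCode"] != dev["devCode"]:
        return False
    for key in ("vendorId", "productId"):
        if key in rule and rule[key].lower() != dev.get(key, "").lower():
            return False
    return True

def expected_authorized(policy, dev):
    """Value the 'authorized' attribute should show: 1 allowed, 0 blocked.
    Assumption: last matching rule wins; no match keeps the kernel default (1)."""
    result = 1
    for rule in policy["policy"]["rules"]:
        if rule_matches(rule, dev):
            result = 1 if rule["authorize"] else 0
    return result

def to_udev_rules(policy):
    """Render each rule as one udev line (illustrative mapping, an assumption)."""
    lines = []
    for r in policy["policy"]["rules"]:
        match = ['ACTION=="%s"' % "|".join(r["actions"]), 'SUBSYSTEM=="usb"',
                 'ENV{DEVTYPE}=="%s"' % r["level"],
                 'ATTR{bDeviceClass}=="%s"' % r["devCode"]]
        if "vendorId" in r:
            match.append('ATTR{idVendor}=="%s"' % r["vendorId"])
        if "productId" in r:
            match.append('ATTR{idProduct}=="%s"' % r["productId"])
        lines.append(", ".join(match) + ', ATTR{authorized}="%d"' % (1 if r["authorize"] else 0))
    return "\n".join(lines) + "\n"

POLICY = json.loads(POLICY_JSON)
```

Compare expected_authorized() against the real attribute for each plugged-in device to spot devices that were connected before the policy was applied and still need a reconnect.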

Removing a Policy

  • When the policy is removed, the system automatically deletes the udev rule file, restoring USB access.

Notes and Limitations

  • If a USB device is plugged in before the policy is applied, the policy may not take effect until the device is reconnected.

  • Removing the policy now correctly removes the udev rule file.

  • The new policy format supports all previous device categories via devCode mapping.

Troubleshooting

  • To check if a device is authorized:

    cat /sys/bus/usb/devices/<device>/authorized

    • 1 means authorized, 0 means blocked.

  • To verify policy removal, check that /etc/udev/rules.d/99-swifteam-block-usb.rules no longer exists.

Additional Resources

  • For more details on USB class codes and advanced configuration, refer to the official Linux USB documentation.

  • For support, contact your IT administrator or Swif.ai support.
