Overview
The new Linux USB Policy (LINUX_USB_POLICY_V2) provides advanced control over USB device access on Ubuntu LTS 24 systems. This update replaces the older, category-based policy with a more flexible, rule-based approach, allowing organizations to precisely manage which USB devices can be used on managed Linux endpoints.
Key Features
1. Rule-Based USB Control
Policies are now defined as a set of rules, each specifying actions, device levels, device codes, and optional vendor/product IDs.
Example rule structure:
{
  "policyName": "LINUX_USB_POLICY_V2",
  "policyType": "LINUX_USB_POLICY_V2",
  "policy": {
    "rules": [
      {
        "actions": ["add", "bind", "change"],
        "level": "usb_device",
        "devCode": "00",
        "authorize": true,
        "vendorId": "XXXX"
      }
    ]
  }
}
devCode "00" is USB base class code 00h, which means the class information is carried in the device's Interface Descriptors rather than in the Device Descriptor. vendorId is optional and restricts the rule to a single vendor; XXXX stands for the four-hex-digit Vendor ID.
2. Granular Device Authorization
Control USB access at the device or interface level.
Authorize or block devices based on class codes, vendor IDs, and product IDs.
Easily allow or deny specific USB devices (e.g., only allow company-issued USB drives).
3. Dynamic Policy Updates
Policies can be updated or removed at any time.
When a policy is deleted, the corresponding udev rule file (/etc/udev/rules.d/99-swifteam-block-usb.rules) is also removed, restoring normal USB functionality.
4. Compatibility and Migration
Existing customers do not need to migrate immediately; the old policy format is still supported.
The option to disable all external USB drives remains available.
5. Improved Troubleshooting and Testing
Clear test steps for verifying USB policy enforcement, including checking device authorization status and udev rule file presence.
Supports both scenarios where the VM can or cannot detect USB devices.
How to Use
Assigning a Policy
1. Identify the USB device's Vendor ID and Product ID, either with lsusb or by reading /sys/bus/usb/devices/<device>/idVendor and /sys/bus/usb/devices/<device>/idProduct.
2. Create a policy rule specifying the desired actions, device level, and authorization status.
3. Apply the policy to the target endpoint(s).
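The identification step above as an added shell example; it is not part of the Swif.ai agent or its documentation. It reads the same sysfs attributes a rule matches on (idVendor, idProduct, bDeviceClass) and, because a bDeviceClass of 00 defers class information to the interface descriptors, also lists each interface's bInterfaceClass, which is what distinguishes a storage stick from a keyboard. The sysfs root is a parameter so the function can run against the constructed tree built below; the vendor and product values in that tree are made up.

```shell
#!/bin/sh
# Added example (not part of the Swif.ai policy or its tooling): enumerate USB
# devices with the identifiers a LINUX_USB_POLICY_V2 rule can match on.

# Print one line per USB device under the given sysfs root:
#   <name> vendor=<idVendor> product=<idProduct> class=<bDeviceClass>
#          ifclass=<bInterfaceClass of each interface> authorized=<0|1>
# bDeviceClass 00 means "class information is in the interface descriptors",
# so the interface classes are what actually describe the device.
usb_inventory() {
    root=${1:-/sys/bus/usb/devices}
    for dev in "$root"/*; do
        # Interface entries (e.g. 1-1:1.0) carry no idVendor; skip them.
        [ -f "$dev/idVendor" ] || continue
        name=$(basename "$dev")
        ifcls=
        for intf in "$dev/$name":*; do
            [ -f "$intf/bInterfaceClass" ] || continue
            ifcls="$ifcls${ifcls:+,}$(cat "$intf/bInterfaceClass")"
        done
        printf '%s vendor=%s product=%s class=%s ifclass=%s authorized=%s\n' \
            "$name" "$(cat "$dev/idVendor")" "$(cat "$dev/idProduct")" \
            "$(cat "$dev/bDeviceClass")" "${ifcls:--}" \
            "$(cat "$dev/authorized" 2>/dev/null || echo '?')"
    done
}

# Constructed sysfs tree (made-up IDs) so the example runs without hardware:
#   1-1: a mass-storage device (interface class 08), currently authorized
#   1-2: a composite keyboard/audio device (03,01), currently blocked
# A top-level 1-1:1.0 entry mimics the interface links real sysfs exposes.
make_sample_sysfs() {
    root=$(mktemp -d)
    mkdir -p "$root/1-1/1-1:1.0" "$root/1-2/1-2:1.0" "$root/1-2/1-2:1.1" "$root/1-1:1.0"
    printf 'abcd\n' >"$root/1-1/idVendor"; printf '1234\n' >"$root/1-1/idProduct"
    printf '00\n' >"$root/1-1/bDeviceClass"; printf '1\n' >"$root/1-1/authorized"
    printf '08\n' >"$root/1-1/1-1:1.0/bInterfaceClass"
    printf '0e0f\n' >"$root/1-2/idVendor"; printf '0003\n' >"$root/1-2/idProduct"
    printf '00\n' >"$root/1-2/bDeviceClass"; printf '0\n' >"$root/1-2/authorized"
    printf '03\n' >"$root/1-2/1-2:1.0/bInterfaceClass"
    printf '01\n' >"$root/1-2/1-2:1.1/bInterfaceClass"
    echo "$root"
}

SAMPLE=$(make_sample_sysfs)
usb_inventory "$SAMPLE"    # on a live system: usb_inventory /sys/bus/usb/devices
```

The vendor value in the output is what goes into the rule's vendorId field; the ifclass column shows why a devCode of "00" alone says nothing about what kind of device is being allowed.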
Example: Block All USB Devices
{
  "policyName": "LINUX_USB_POLICY_V2",
  "policyType": "LINUX_USB_POLICY_V2",
  "policy": {
    "rules": [
      {
        "actions": ["add", "bind", "change"],
        "level": "usb_device",
        "devCode": "00",
        "authorize": false
      }
    ]
  }
}
Example: Allow Only Specific Vendor
{
  "policyName": "LINUX_USB_POLICY_V2",
  "policyType": "LINUX_USB_POLICY_V2",
  "policy": {
    "rules": [
      {
        "actions": ["add", "bind", "change"],
        "level": "usb_device",
        "devCode": "00",
        "authorize": true,
        "vendorId": "XXXX"
      }
    ]
  }
}
Removing a Policy
When the policy is removed, the system automatically deletes the udev rule file, restoring USB access.
Notes and Limitations
If a USB device is already plugged in when the policy is applied, the policy may not take effect until the device is reconnected, because udev rules are evaluated on device events. Replaying the add event with udevadm trigger --subsystem-match=usb --action=add (standard udev tooling, not part of the policy) re-evaluates the rules without replugging. The same holds in reverse: deleting the rule file does not by itself change a device's authorized attribute, so a device deauthorized while the policy was active keeps authorized=0 until it is reconnected or the attribute is written back to 1.
Removing the policy now correctly removes the udev rule file.
The new policy format supports all previous device categories via devCode mapping.
Troubleshooting
To check whether a device is authorized, read /sys/bus/usb/devices/<device>/authorized: 1 means authorized, 0 means blocked.
To verify policy removal, check that /etc/udev/rules.d/99-swifteam-block-usb.rules no longer exists.
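The two troubleshooting checks above combined into one verification routine, as an added example that is not the product's own tooling: it asserts that the rule file is present or absent and that every external device's authorized flag matches the policy intent, whether everything is blocked (the Block All example), one vendor is allowed (the Allow Only Specific Vendor example), or everything is restored after removal. The sysfs tree, rule-file path and vendor IDs below are constructed for the example, and skipping root hubs (usbN) is this example's choice rather than anything the policy specifies.

```shell
#!/bin/sh
# Added example, not the Swif.ai agent's own check.
# verify_usb_policy <sysfs_root> <rules_file> <mode> [allowed_vendor]
#   enforced : rules file must exist; a device whose idVendor equals
#              allowed_vendor (if given) must read authorized=1, every other
#              external device must read authorized=0
#   removed  : rules file must be gone and every device must read authorized=1
# Prints each mismatch and returns 0 only when everything matches.
verify_usb_policy() {
    root=$1 rules=$2 mode=$3 allow=${4:-}
    status=0
    case $mode in
        enforced) want_rules=present ;;
        removed)  want_rules=absent ;;
        *) echo "mode must be enforced or removed" >&2; return 2 ;;
    esac
    if [ -f "$rules" ]; then have_rules=present; else have_rules=absent; fi
    if [ "$have_rules" != "$want_rules" ]; then
        echo "MISMATCH: $rules is $have_rules, expected $want_rules"
        status=1
    fi
    for dev in "$root"/*; do
        # Only real devices carry idVendor; interface entries (1-1:1.0) do not.
        [ -f "$dev/idVendor" ] || continue
        name=$(basename "$dev")
        # Root hubs (usbN) belong to the host controller; this check skips them.
        case $name in usb*) continue ;; esac
        vid=$(cat "$dev/idVendor")
        auth=$(cat "$dev/authorized")
        want=0
        if [ "$mode" = removed ]; then want=1; fi
        if [ -n "$allow" ] && [ "$vid" = "$allow" ]; then want=1; fi
        if [ "$auth" != "$want" ]; then
            echo "MISMATCH: $name (idVendor=$vid) authorized=$auth, expected $want"
            status=1
        fi
    done
    return $status
}

# Constructed sysfs fixture: mk_dev <root> <name> <idVendor> <authorized>
mk_dev() {
    mkdir -p "$1/$2"
    printf '%s\n' "$3" >"$1/$2/idVendor"
    printf '%s\n' "$4" >"$1/$2/authorized"
}

# Constructed state for an "allow only vendor abcd" policy that is in force
# (made-up IDs; the rule file path stands in for /etc/udev/rules.d/...):
ROOT=$(mktemp -d)
RULES=$ROOT/99-swifteam-block-usb.rules
mk_dev "$ROOT" usb1 1d6b 1    # root hub, stays authorized
mk_dev "$ROOT" 1-1  abcd 1    # company-issued device, allowed
mk_dev "$ROOT" 1-2  0e0f 0    # any other vendor, deauthorized
: >"$RULES"
verify_usb_policy "$ROOT" "$RULES" enforced abcd && echo "policy enforced as intended"
# Live system: verify_usb_policy /sys/bus/usb/devices /etc/udev/rules.d/99-swifteam-block-usb.rules enforced abcd
```

Run it in "removed" mode after deleting a policy: a device that still reads authorized=0 at that point is the already-plugged-in case from the notes above and needs a reconnect, not a policy fix.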
Additional Resources
For more details on USB class codes and advanced configuration, refer to the official Linux USB documentation.
For support, contact your IT administrator or Swif.ai support.