usbguard

USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method-of-use policies (how a USB device may interact with the system).

GPL-2.0 License

Stars
1.1K
usbguard - usbguard-1.1.2 Latest Release

Published by radosroka about 2 years ago

What's Changed

Full Changelog: https://github.com/USBGuard/usbguard/compare/usbguard-1.1.1...usbguard-1.1.2

usbguard - usbguard-1.1.1

Published by radosroka over 2 years ago

What's Changed

Full Changelog: https://github.com/USBGuard/usbguard/compare/usbguard-1.1.0...usbguard-1.1.1

usbguard - usbguard-1.1.0

Published by radosroka over 2 years ago

Change Log

Added

  • Started building with C++17
  • Tree-like list-devices output
  • Added CAP_AUDIT_WRITE capability to service file
  • Added support for lower OpenSSL versions prior to 1.1.0
  • Added a new signal: DevicePolicyApplied

Fixed/Changed

  • Moved PIDFile from /var/run to /run
  • Fixed linker issues with disable-static
  • Enhanced bash-completion script
  • Make username/group checking consistent with useradd manual page definition
    (with addition of capital letters)
  • Fixed multiple IPC related bugs
  • Fixed race condition when accessing port/connect_type for USB devices
  • Using bundled catch v2.13.8
  • Using bundled PEGTL v3.2.5
  • Fixed usbguard-rule-parser file opening
  • Fix unauthorized access via D-Bus [CVE-2019-25058]

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

SHA256(usbguard-1.1.0.tar.gz) a39104042b0c57f969c4e6580f6d80ad7066551eda966600695e644081128a2d

usbguard - usbguard-1.0.0

Published by radosroka almost 4 years ago

Change Log

Added

  • Added openssl support
  • Starting with libtool versioning
  • Added interface for IPC permission query
  • Introduced partial rule concept for CLI
  • Added WithConnectType for ldap rule

Fixed/Changed

  • Daemon no longer applies the policy when
    a "change" action event appears
  • IPCClientPrivate@disconnect is thread safe
  • Enforced loading of files from .d/ directory
    in alphabetical order
  • Improved CLI behaviour to be consistent
  • Clarified rule's label documentation
  • Fixed thread copy assignment bug
  • Fixed oss-fuzz build
  • Improved overall documentation
  • Set DevicePolicy to closed in service file

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

SHA256(usbguard-1.0.0.tar.gz) 5617986cd5dd1a2d311041648a1977d836cf4e33a4121d7f82599f21496abc42

usbguard - usbguard-0.7.8

Published by radosroka over 4 years ago

Change Log

Fixed

  • Fixed segfaults with rules.d feature

SHA256(usbguard-0.7.8.tar.gz) 45b0bea8a2239f7ff3c5fe0027dfa7ce4641e8996e05cb91640276876b8d85c6

usbguard - usbguard-0.7.7

Published by radosroka over 4 years ago

Change Log

Added

  • Added readwritepath to service file
  • Added match-all keyword to rules language
  • Added rules.d feature
    • daemon can load multiple rule files from rules.d/
  • Included with-connect-type in dbus signal

Fixed/Changed

  • Fixed sigwaitinfo handling
  • Fixed possible data corruption on stack with appendRule via dbus
  • Fixed ENOBUFS errno handling on netlink socket
    • daemon can survive and wait until socket is readable again

Removed

  • Dropped unused PIDFile from service file
  • Dropped deprecated dbus-glib dependency

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Allen-Webb <allenwebb(at)google.com>
  • Atilla Lakatos <alakatos(at)redhat.com>
  • Birger Schacht <...>
  • Marek Tamaskovic <tamaskovic.marek(at)gmail.com>
  • Levente Polyak <levente(at)leventepolyak.net>
  • Sebastian Pipping <sebastian(at)pipping.org>
  • Tobias Mueller <muelli(at)cryptobitch.de>
  • Zoltan Fridrich <zfridric(at)redhat.com>

SHA256(usbguard-0.7.7.tar.gz) b331d7ef607a3e7a62a89120be34098f13a2e4937683f31eb8a3076cd1ca5974

usbguard - usbguard-0.7.6

Published by radosroka almost 5 years ago

Change Log

Added

  • Added missing options in manpage usbguard-daemon(8)
  • Extended the functionality of allow/block/reject commands
    • the command can handle a rule as a parameter and not only its ID
    • e.g. in the case of allow, the command will allow each device that matches the provided rule
  • Added debug info for malformed descriptors

Fixed/Changed

  • Changed default backend to uevent
  • Fixed handling of add uevents during scanning
    • now we are sure that the enumeration is completed before processing any uevent
    • we are trying to avoid a race where the kernel is still enumerating the devices
      and sends the uevent while the parent is being authorised
  • Silenced 'bind' and 'unbind' uevents

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Allen-Webb <allenwebb(at)google.com>
  • Atilla Lakatos <alakatos(at)redhat.com>
  • Thiebaud Weksteen <tweek(at)google.com>
  • userWayneCampbell <wcampbell1995(at)gmail.com>
  • Zoltan Fridrich <zfridric(at)redhat.com>

SHA256(usbguard-0.7.6.tar.gz) 7234d5a30b964eb4cd3564d645e24c23454dca376345c96635484d4534d2f03f

usbguard - usbguard-0.7.5

Published by dkopecek over 5 years ago

Change Log

Added

  • Added daemon configuration option HidePII
  • Added check to avoid conflict between ASAN and TSAN
  • Added daemon configuration option for authorized_default
  • Added devpath option to generate-policy
  • Added # line comments to the rule grammar
  • Added ImplicitPolicyTarget to get/set parameter methods
  • Added option to filter rules by label when listing
  • Added the label attribute to rule
  • Added PropertyParameterChanged signal
  • Added support for portX/connect_type attribute
  • Added temporary option to append-rule
  • Added versioning to DBus service
  • Added optional LDAP support

Fixed/Changed

  • Fixed invalid return value in Rule::Attribute::setSolveEqualsOrdered
  • Fixed KeyValueParser to validate keys only when known names are set
  • Fixed uninitialized variables found by coverity
  • Fixes and cleanups based on LGTM.com report
  • Hardened systemd service
  • Rename ListRules parameter 'query' to 'label'
  • Skip empty lines in usbguard-rule-parser

Removed

  • The proof-of-concept Qt applet was removed. It is going to be maintained in a simplified form as a separate project.

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Allen-Webb <allenwebb(at)google.com>
  • Dridi Boukelmoune <dridi.boukelmoune(at)gmail.com>
  • Georges Winkenbach <gwink(at)chromium.org>
  • Mantas Mikulėnas <grawity(at)gmail.com>
  • Radovan Sroka <rsroka(at)redhat.com>
  • RyuzakiKK <aasonykk(at)gmail.com>
  • Steve Grubb <sgrubb(at)redhat.com>
  • Thiébaud Weksteen <tweek(at)google.com>
  • Topi Miettinen <toiwoton(at)gmail.com>
  • userWayneCampbell <wcampbell1995(at)gmail.com>

SHA256(usbguard-0.7.5.tar.gz)= ab98091969bf4ea68d7a950997cd7af98ddac84558aa6dfe733e8fa0a936454a

usbguard - usbguard-0.7.4

Published by dkopecek over 6 years ago

Change Log

Fixed/Changed

  • Fixed conditional manual page generation & installation
  • Replaced Boost library based ext/stdio_filebuf.h implementation
    with a custom FDStreamBuf implementation

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Allen Webb <allenwebb(at)google.com>

SHA256(usbguard-0.7.4.tar.gz)= 732cc99f9b03632eb558941781c01f869bf96aad7f6976998094b3824d9b7ae2

usbguard - usbguard-0.7.3

Published by dkopecek over 6 years ago

Change Log

Changed

  • usbguard-daemon will now exit with an error if it fails to open
    a logging file or audit event file.
  • Updated PEGTL submodule and dropped support for older PEGTL API
  • Modified the present device enumeration algorithm to be more
    reliable. Enumeration timeouts won't cause usbguard-daemon process
    to exit anymore.
  • Manual pages are now generated using asciidoc (a2x) instead of
    asciidoctor.
  • Generation and installation of manual pages is now optional.
  • Fixed several bugs in the D-Bus interface XML specification

Added

  • umockdev based device manager capable of simulating devices based
    on umockdev-record files.
  • Boost libraries can be used as ext/stdio_filebuf.h header file source.

Removed

  • Removed DummyDevices.tar.xz tarball that was supposed to be used for
    testing.

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Allen Webb <allenwebb(at)google.com>
  • Bas van Schaik <gihub(at)s.traiectum.net>
  • michaeladler <therisen06(at)googlemail.com>
  • rsclarke <rsclrk(at)pm.me>

SHA256(usbguard-0.7.3.tar.gz)= ec1dbf72fd9622c1556055080d6fdb522d8c22c7b7ab8ef591b45004d5de87a9

usbguard - usbguard-0.7.2

Published by dkopecek almost 7 years ago

Change Log

Fixed/Changed

  • Fixed memory leaks in usbguard::Hash class.
  • Fixed file descriptor leaks in usbguard::SysFSDevice class.
  • Skip audit backend logging when no backend was set.

Added

  • Added zsh completion & other scripts to the distribution tarball.

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Marek Tamaskovic <mtamasko(at)redhat.com>
  • Muri Nicanor
  • Radovan Sroka <rsroka(at)redhat.com>

SHA256(usbguard-0.7.2.tar.gz)= 5bd3e5219c590c3ae27b21315bd10b60e823cef64e5deff3305ff5b4087fc2d6

usbguard - usbguard-0.7.1

Published by dkopecek almost 7 years ago

Change Log

Added

  • CLI: usbguard watch command now includes an -e option to run an executable for every received event. Event data are passed to the executable via environment variables.
  • usbguard-daemon: added "-K" option which can disable logging to console.
  • Added zsh autocompletion support.
  • usbguard-daemon: added "-f" option which enables double-fork daemonization procedure.
  • Added AuditBackend usbguard-daemon configuration option for selecting audit log backend.
  • Linux Audit support via new LinuxAudit backend.
  • Added missing RuleCondition.hpp header file to the public API headers.
  • Code Style specification via AStyle configuration file.

Removed

  • Removed Utility.hpp header file from public API headers
  • Reduced usage of raw C pointers throughout the code

Changed

  • Qt Applet: disabled session management
  • usbguard-daemon console logging output is enabled by default now. Previously, the -k option had to be passed to enable the output.
  • Replaced --enable-maintainer-mode configure option with --enable-full-test-suite option. When the new option is not used during the configure phase, only a basic set of tests is run during the make check phase.
  • usbguard-daemon now opens configuration in read-only mode
  • Fixed UEventDeviceManager to work with Linux Kernel >= 4.13
  • Refactored audit logging to support different audit log backends
  • Reformatted source code to conform to the code style.
  • Made the configuration parser strict. Unknown directives and wrong syntax will cause an error.
  • Reformatted documentation from markdown to asciidoc format.

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Benjamin Schubert
  • Fabio Noris <fnoris(at)users.noreply.github.com>
  • Ike Devolder
  • InsanePrawn <Insane.Prawny(at)gmail.com>
  • jvymazal <jvymazal(at)redhat.com>
  • Marek Tamaskovic <mtamasko(at)redhat.com>
  • Muri Nicanor
  • Pamplemousse <xav.maso(at)gmail.com>
  • Phil <phil(at)grmr.de>
  • Pino Toscano <toscano.pino(at)tiscali.it>
  • Radovan Sroka <rsroka(at)redhat.com>

SHA256(usbguard-0.7.1.tar.gz)= f919a4a212d354710a4b7c9ad65a79f6d73e96ad9f2036635aa85eb6742ee12d

usbguard - usbguard-0.7.0

Published by dkopecek over 7 years ago

Change Log

Added

  • Added InsertedDevicePolicy configuration option to control the policy method for inserted devices.
  • Added RestoreControllerDeviceState configuration option.
  • Added DeviceManagerBackend configuration option. This option can be used to select from several device manager backend implementations.
  • Implemented an uevent based device manager backend.
  • Added setParameter, getParameter IPC (incl. D-Bus) methods.
  • Added set-parameter, get-parameter CLI subcommands.
  • Qt Applet: Added Spanish (es_AR) translation.
  • Create empty rules.conf file at install time (make install).
  • Support for numeric UID/GID values in IPCAllowedUsers and IPCAllowedGroups settings.
  • If bash completion support is detected at configure time, install the bash completion script during make install.
  • Added new configuration setting: IPCAccessControlFiles.
  • IPC access is now configurable down to a section and privilege level per user and/or group.
  • Added add-user, remove-user usbguard CLI subcommands for creating and removing IPC access control files.
  • Added AuditFilePath configuration option for setting the location of the USBGuard audit events log file path. If set, the usbguard-daemon will log policy and device related actions and whether they succeeded or not.

Removed

  • Removed UDev based device manager backend and UDev related dependencies.
  • Removed UDev development files/API dependency

Changed

  • Reset Linux root hub bcdDevice value before updating device hash. This is a backwards incompatible change because it changes how the device hash is computed for Linux root hub devices.
  • Refactored low-level USB device handling into SysFSDevice class which represents a device in the /sys filesystem (sysfs).
  • Removed usage of readdir_r because it's obsolete. Replaced with readdir with the assumption that its usage is thread-safe if the directory handle passed to it is not shared between threads.
  • Extended test suite with use case tests.
  • Install the usbguard-daemon configuration and policy file with strict file permissions to prevent policy leaks.
  • Fixed several memory leaks.
  • Don't pre-resolve user and group names in IPCAllowedUsers and IPCAllowedGroups settings. Instead, resolve the name during the IPC authentication phase.

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • cgzones (@cgzones)
  • Christian Stadelmann (@genodeftest)
  • elKaZe (@elKaZe)
  • endomandi (@endomandi)
  • Ian Beringer (@ianberinger)
  • intrigeri (@intrigeri)
  • Jiri (@comps)
  • Noam cohen (@noam1023)
  • Paweł Jackowski (@pjackowski)
  • Philipp Deppenwiese (@zaolin)
  • phocean (@phocean)
  • simakhan785 (@simakhan785)
  • Zach Lym (@indolering)
  • zezadas (@zezadas)

SHA256(usbguard-0.7.0.tar.gz)= 1e1485a2b47ba3bde9de2851b371d2552a807047a21e0b81553cf80d7f722709

usbguard - usbguard-0.6.2

Published by dkopecek about 8 years ago

Change Log

Changed

  • Wait for disconnect in IPCClient dtor if needed
  • Qt Applet: Fixed loading of decision method and default decision settings

SHA256(usbguard-0.6.2.tar.gz)= dad33da0312b95a3a41434a7b5bbd03f5ec7096f6ea9ee238ad2f15908bc51fd

usbguard - usbguard-0.6.1

Published by dkopecek about 8 years ago

Change Log

Changed

  • Refactored logging subsystem
  • Fixed handling of IPC disconnect in the IPCClient class
  • Qt Applet: Fixed handling of main window minimization and maximization
  • Fixed building on architectures that don't provide required atomic operations.
    The libatomic emulation library will be used in such cases.
  • Fixed several typos in the documentation

Added

  • Implemented a simple internal logger
  • Access to the logger via public API
  • Improved logging coverage. Logging output can be enabled either via
    CLI options or by setting the USBGUARD_DEBUG environment variable to 1.
  • Qt Applet: UI translation support.
  • Qt Applet: Czech (cs_CZ) translation

Removed

  • Removed spdlog dependency

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • elKaZe (@elKaZe)
  • phocean (@phocean)
  • Muri Nicanor (@murinicanor)
  • Christian Stadelmann (@genodeftest)
  • Jakub Wilk (@jwilk)

SHA256(usbguard-0.6.1.tar.gz)= 582d6d069bc2369ff959e97c28295781dd3c5f562c6c0d9ab9eca2ec0ec39f6a

usbguard - usbguard-0.6.0

Published by dkopecek about 8 years ago

Change Log

Changed

  • Fixed the daemon to use the match target when matching device rules.
    This fixes matching devices against the rules in the policy.
  • Switched to protobuf based IPC
  • Simplified the IPC and D-Bus interfaces
  • Refactored custom exceptions

Added

  • Added DevicePresenceChanged signal for notifying about device
    insertions, updates and removals
  • Added DevicePolicyChanged signal for notifying about device
    policy changes.
  • Added ExceptionMessage signal for sending asynchronous exceptions
    to the IPC/D-Bus clients.
  • Extended the usbguard CLI watch subcommand with the ability to
    wait for the IPC connection to become available. See the new -w
    and -o options for details.

Removed

  • Removed nlohmann/json submodule
  • Removed allowDevice, blockDevice and rejectDevice methods from
    the IPC and D-Bus interface.
  • Removed DeviceAllowed, DeviceBlocked and DeviceRejected signals
    from the IPC and D-Bus interface (replaced by single signal)
  • Removed DeviceInserted, DevicePresent and DeviceRemoved signals
    from the IPC and D-Bus interface (replaced by single signal)

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Christian Stadelmann (@genodeftest)

SHA256(usbguard-0.6.0.tar.gz)= b19152e2cc5d0d2ec56fce95b84ee2bed8d1f600a1aed04639757eb7282e8c33

usbguard - usbguard-0.5.14

Published by dkopecek about 8 years ago

Change Log

One more bugfix release which addresses issue #119.

Changed

  • Fixed unknown descriptor type handling

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Muri Nicanor (@murinicanor)

SHA256(usbguard-0.5.14.tar.gz)= e8f150539c4b2a7b487193a63d61074063919f8396bf844a049b77c18356e3de

usbguard - usbguard-0.5.13

Published by dkopecek about 8 years ago

Change Log

Another quick bugfix release which addresses issues #115 and #117.

Changed

  • refactored USB parser to support multiple handlers per USB descriptor type
  • Qt Applet: device list should be always expanded

Added

  • added support for an audio device related endpoint descriptor

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Christian Stadelmann (@genodeftest)

SHA256(usbguard-0.5.13.tar.gz)= 9c3332b851db569b6e29996d1c5482b2be16aad216d9de2600ae95fcee1a9cf7

usbguard - usbguard-0.5.12

Published by dkopecek about 8 years ago

Change Log

This is a quick bugfix release which addresses issues #112 and #113.

Changed

  • Fixed a bug in matching USB interface types with wildcards
  • usbguard-daemon will now abort at startup if the rule file contains
    syntax error instead of continuing with an empty rule set

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Ian Beringer (@ianberinger)
  • Sec (@Sec42)

SHA256(usbguard-0.5.12.tar.gz)= fa0281ca8b97d508d6ccfc1e907744be6263735952d1433f3a5e4a0b1bdad794

usbguard - usbguard-0.5.11

Published by dkopecek about 8 years ago

ChangeLog

WARNING: This release contains backwards incompatible changes. Read the Changed section below for details.

Added

  • Maintainer script for spellchecking source archive files
  • Rule::Attribute class for representing the rule attributes
  • USBDeviceID class for representing the USB device ID
  • configure script option to control the bundling of PEGTL source files
  • id attribute to the rule language for specifying the USB device ID
  • Added a parent device ID field (and methods) to the Device class which
    tracks the ID of the parent device
  • Implemented "parent-hash" attribute for associating a device with its
    parent device.
  • The QtSvg module/library is now needed to compile the Qt applet
  • Qt Applet: Device Dialog settings work now
  • Qt Applet: The settings state is now remembered (via Qt's QSettings class)
  • Qt Applet: Implemented serial number masking
  • Qt Applet: Initial implementation of DeviceDialog window position randomization
  • Qt Applet: IPC exceptions are shown in the message log
  • Qt Applet: added an initial implementation of the device list with the ability
    to change authorization target for each device
  • Qt Applet: show a grey version of the USBGuard icon in IPC disconnected state
  • usbguard-daemon.conf: added DeviceRulesWithPort setting (set to false by default)
  • Added support for selecting crypto backend library at compile time using the
    --with-crypto-library configure script switch

Changed

  • IMPORTANT: The device hash value computation was changed to include the
    USB descriptor data. Additionally, the algorithm was changed to SHA-256 and
    the hash value representation to base64. These changes are backwards incompatible
    and existing policies that use the hash attribute need to be updated.
  • Reimplemented the rule parser using PEGTL
  • Changed public API of the Rule and Device classes because of the new
    Rule::Attribute class rule attribute representation
  • Extended the public IPCClient::IPCDisconnected method to include exception
    related information
  • All rule attributes now support both the single and multivalued form
  • A rule attribute can now be specified only once
  • The default usbguard-daemon.conf and usbguard.service files now respect
    the paths set by the configure script
  • New Qt applet icons with
  • Fixed Qt applet so that it doesn't show an empty window when starting
  • Qt Applet: Reject button is hidden by default.
  • Updated usbguard-daemon manual page
  • Permanent device specific rules managed by allowDevice, blockDevice and
    rejectDevice actions are now handled properly. Existing device rules are
    updated instead of just appending new rules to the policy.
  • usbguard-daemon.conf: changed the default configuration value of
    PresentControllerPolicy to keep
  • Changed the device hashing algorithm to SHA-256
  • Switched hash value representation from hex to base64

Removed

  • Removed Quex related files
  • The "from Rule" Device class constructor was removed because its use case
    is unclear and it wasn't used anywhere

Thanks

Many thanks to the following people for contributions to this release and to the USBGuard project:

  • Muri Nicanor (@murinicanor)
  • Rebecca N. Palmer (@rebecca-palmer)
  • JT (@jmtaylor90)
  • All the people who sent me their USB descriptors for testing purposes (fedora-devel, debian-user, reddit)

SHA256(usbguard-0.5.11.tar.gz)= 9b156552d169593d91400e9f021ed84c0e83e9eabfa71a985fd1b00a461feee7