| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "The setup and teardown logic for hardening the lock screen." |
| author "allenwebb@chromium.org" |
| |
| # Prior to starting usbguard-daemon, the rule files in |
| # "/etc/usbguard/rules.d/" are concatenated in alphabetical order to |
| # create the runtime rules configuration at "/run/usbguard/rules.conf". |
| # Filename prefixes are used to control the order of the included files. |
| # Here are the prefixes |
| # 00- is reserved for a default header for all boards. |
| # {10..29}- are for high priority rules. |
| # {30..59}- are for default priority rules. |
| # {60..79}- are for low priority rules. |
| # 99- is reserved for the default footer for all boards. |
| # Most board specific configurations should use the "50-" prefix. |
| |
| # These signals are emitted by session_manager. |
| # |
| # screen-unlocked may not be called for every screen-locked event, but |
| # start-user-session covers those cases. |
| start on screen-locked |
| stop on (screen-unlocked or start-user-session) and stopped usbguard |
| |
| pre-start script |
| logger -t "${UPSTART_JOB}" 'Locking USB.' |
| # White-list connected devices. |
| umask 077 |
| mkdir -p /run/usbguard/ |
| cd /run/usbguard/ |
| rm -f rules.conf |
| |
| /usr/sbin/usb_bouncer genrules > rules.conf |
| chown usbguard:usbguard . rules.conf |
| end script |
| |
| post-stop script |
| rm -f /run/usbguard/rules.conf |
| logger -t "${UPSTART_JOB}" "Unlocking USB." |
| |
| # Accept new usb devices by default, and authorize connected devices. |
| usb_bouncer authorize-all |
| end script |