tree: a5902ef3ac65d955fde9b2f8292c795230644f8d
  1. BUILD.gn
  2. OWNERS
  3. README.md
  4. authorizer.cc
  5. authorizer.h
  6. daemon.cc
  7. daemon.h
  8. event_handler.cc
  9. event_handler.h
  10. init/
  11. main.cc
  12. pciguard_utils.cc
  13. pciguard_utils.h
  14. seccomp/
  15. session_monitor.cc
  16. session_monitor.h
  17. tbt_udev_monitor.cc
  18. tbt_udev_monitor.h
pciguard/README.md

pciguard: ChromeOS security tool for external PCI devices

ABOUT

pciguard is a daemon that listens to the following events:

  • session events: such as user login / logoff and screen lock / unlock,
  • udev events: plugging in of new Thunderbolt devices,
  • Chrome flag changes: for user permission flag changes.

These events change the security policies around external PCI devices. This mostly concerns Thunderbolt / USB4 peripherals that allow PCIe tunnels to be established, but it can also be used for any other technology that allows external PCI devices, e.g. SD Express cards.

In short, this daemon implements the security policy of allowing external PCIe devices only when a user is signed in, and when the user has opted in using the appropriate chrome://flags setting. See flag details here
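
The policy described above, modelled as a small event-driven state machine. This is an added example, not pciguard's source: the class, enum and method names are hypothetical. Two behaviours are assumptions the README does not spell out: a locked screen blocks newly plugged devices but keeps ones already authorized, and devices plugged in earlier are admitted once the policy holds.

```cpp
#include <set>
#include <string>

// Added illustration, not pciguard source. All names here are hypothetical.
enum class Event { kLogin, kLogout, kScreenLock, kScreenUnlock, kFlagOn, kFlagOff };

class PolicyModel {
 public:
  // README policy: a user is signed in AND has opted in via the flag.
  bool PolicyHolds() const { return signed_in_ && opted_in_; }

  void OnEvent(Event e) {
    switch (e) {
      case Event::kLogin:        signed_in_ = true;  locked_ = false; break;
      case Event::kLogout:       signed_in_ = false; locked_ = false; break;
      case Event::kScreenLock:   locked_ = true;  break;
      case Event::kScreenUnlock: locked_ = false; break;
      case Event::kFlagOn:       opted_in_ = true;  break;
      case Event::kFlagOff:      opted_in_ = false; break;
    }
    if (!PolicyHolds()) {
      // Fail closed: revoke everything, including devices admitted earlier.
      blocked_.insert(authorized_.begin(), authorized_.end());
      authorized_.clear();
    } else if (!locked_) {
      // Policy holds and the screen is unlocked: admit waiting devices.
      authorized_.insert(blocked_.begin(), blocked_.end());
      blocked_.clear();
    }
  }

  // udev event for a newly plugged device; returns true if it is authorized.
  // Assumption: a locked screen blocks new devices but keeps existing ones.
  bool OnDevicePlugged(const std::string& id) {
    bool ok = PolicyHolds() && !locked_;
    (ok ? authorized_ : blocked_).insert(id);
    return ok;
  }

  void OnDeviceRemoved(const std::string& id) { authorized_.erase(id); blocked_.erase(id); }

  bool IsAuthorized(const std::string& id) const { return authorized_.count(id) > 0; }

 private:
  bool signed_in_ = false, locked_ = false, opted_in_ = false;
  std::set<std::string> authorized_, blocked_;
};
```

The model fails closed: every state starts false, so a device seen before any login or opt-in lands in the blocked set.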