| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Maintain USB device allow-lists for USBGuard" |
| author "chromium-os-dev@chromium.org" |
| |
| start on screen-unlocked or start-user-session |
| |
| task |
| |
| pre-start script |
| # If the ui job isn't running, then don't continue since screen-unlocked will |
| # get called on shutdown or sign-out. |
| |
| # Give session_manager (the ui job) time to finish closing after emitting |
| # screen-unlocked. |
| sleep 0.25 |
| |
| # This was tried as "start on started ui ...", but in that case the job only |
| # triggers once. |
| if ! initctl status ui | grep -q running; then |
| stop |
| exit 0 |
| fi |
| end script |
| |
| # Update the user's USBGuard allow-list to include currently connected devices. |
| script |
| if ! /usr/sbin/usb_bouncer userlogin; then |
| # Only report failure if the ui job is running. |
| if initctl status ui | grep -q running; then |
| exit 1 |
| fi |
| fi |
| exit 0 |
| end script |