
Re: How to secure access to SD cards a la USBGuard?



On 2021-11-12 17:13, Stefan Monnier wrote:
>> I'd like to limit access to (micro) SD cards on our systems to only those
>> cards that have been vetted up front.
>
> IIUC the way SD cards are interfaced with the system, you can't use an
> approach like USBGuard for that indeed.

I was getting afraid of that.

> I suspect you'll need to be more specific about what you mean by
> "access".  E.g. you may need to control this access when `mount`ing,
> which will then depend on how you want to allow such mounts.

What I'd like is to be able to let users mount only those memory cards that have been registered up front. I've always thought it strange that people consider thumbdrives to be a risk (and rightly so), but no one is seemingly bothered by almost the equivalent risk posed by memory cards. Those can contain "bad" software as well, and they can be automounted just as easily as USB-drives. So why not make it possible to prevent users from mounting a card they found somewhere or that was given to them by some unknown agent?

> Then another question will be how you want to "vet" (by partition
> UUID, maybe?).

That was indeed my first thought. TBH I don't know of any other trustworthy and unique ID for storage devices (not USB).

P.S. Just to be sure: this is not about letting only specific users mount a filesystem. I know how to achieve that goal. This is about preventing social engineering attacks through malicious memory cards, without blocking the card reader altogether.

Thanks!

Grx HdV
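
One way to implement the UUID-based vetting discussed in this message, as an added example that is not part of the thread or of any project: a udev helper that checks a filesystem UUID against an allowlist and hides unlisted card filesystems from udisks2. The script path, allowlist path and rule file are assumptions. A filesystem UUID can be set freely when a card is formatted, so it identifies a vetted filesystem rather than the physical card.

```shell
#!/bin/sh
# Added example: udev helper that exits 0 only for a vetted filesystem UUID.
# Assumed install path: /usr/local/sbin/sd-vetted
# Assumed rule (/etc/udev/rules.d/99-sd-allowlist.rules); it hides unvetted
# card filesystems from udisks2 so desktop sessions cannot (auto)mount them:
#   SUBSYSTEM=="block", KERNEL=="mmcblk*", ENV{ID_FS_USAGE}=="filesystem", \
#     PROGRAM!="/usr/local/sbin/sd-vetted $env{ID_FS_UUID}", \
#     ENV{UDISKS_IGNORE}="1"
# Note: mmcblk* also matches internal eMMC storage; list its UUIDs too.

ALLOWLIST="${SD_ALLOWLIST:-/etc/sd-allowlist}"   # assumed path, root-owned

# sd_vetted UUID [FILE] -> 0 if UUID is listed, 1 otherwise (fails closed).
sd_vetted() {
    uuid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    file="${2:-$ALLOWLIST}"
    # Reject empty or malformed input: only hex digits and dashes allowed.
    case "$uuid" in
        ''|*[!0-9a-f-]*) return 1 ;;
    esac
    [ -r "$file" ] || return 1          # no allowlist -> nothing is vetted
    # Strip comments and whitespace, lowercase, then require an exact match.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" \
        | tr 'A-F' 'a-f' | grep -Fxq -- "$uuid"
}

# When installed under its assumed name and run by udev, decide for $1.
case "${0##*/}" in
    sd-vetted) sd_vetted "$1"; exit $? ;;
esac
```

`UDISKS_IGNORE` only affects mounts mediated by udisks2; root and any `user` entries in `/etc/fstab` can still mount the device directly.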

