freedomofpress · emkll · Jan 30, 2020 · Nov 9, 2019 · Jan 29, 2020 · Jan 30, 2020
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -18,3 +18,4 @@ include scripts/*
 include sys-firewall/*
 include launcher/*.py
 include launcher/sdw_updater_gui/*.py
+include usb-autoattach/*
diff --git a/Makefile b/Makefile
@@ -19,6 +19,12 @@ clone: assert-dom0 ## Pulls the latest repo from work VM to dom0
 qubes-rpc: prep-salt ## Places default deny qubes-rpc policies for sd-app and sd-gpg
 	sudo qubesctl --show-output --targets sd-dom0-qvm-rpc state.highstate
 
+add-usb-autoattach: prep-salt ## Adds udev rules and scripts to sys-usb
+	sudo qubesctl --show-output --skip-dom0 --targets sys-usb state.highstate
+
+remove-usb-autoattach: prep-salt ## Removes udev rules and scripts from sys-usb
+	sudo qubesctl --show-output state.sls sd-usb-autoattach-remove
+
 sd-workstation-template: prep-salt ## Provisions base template for SDW AppVMs
 	sudo qubesctl --show-output state.sls sd-workstation-buster-template
 	sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template state.highstate

diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
@@ -7,6 +7,9 @@ set-fedora-as-default-dispvm:
 
 {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
 
+include:
+  - sd-usb-autoattach-remove
+
 remove-dom0-sdw-config-files:
   file.absent:
     - names:

diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls
@@ -83,8 +83,27 @@ dom0-rpc-qubes.USB:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
+        sd-devices sys-usb allow
         @anyvm @tag:sd-workstation deny
         @tag:sd-workstation @anyvm deny
+dom0-rpc-qubes.ensure.USBAttach:
+  file.managed:
+    - name: /etc/qubes-rpc/policy/qubes.USBAttach
+    - contents: |
+        @anyvm @anyvm ask
+    - replace: false
+dom0-rpc-qubes.USBAttach:
+  file.blockreplace:
+    - name: /etc/qubes-rpc/policy/qubes.USBAttach
+    - prepend_if_not_found: True
+    - marker_start: "### BEGIN securedrop-workstation ###"
+    - marker_end: "### END securedrop-workstation ###"
+    - content: |
+        sys-usb sd-devices allow,user=root
+        @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
+    - require:
+      - file: dom0-rpc-qubes.ensure.USBAttach
 dom0-rpc-qubes.VMRootShell:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.VMRootShell

diff --git a/dom0/sd-usb-autoattach-add.sls b/dom0/sd-usb-autoattach-add.sls
@@ -0,0 +1,41 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# Installs udev configuration in a USB Qube for automatically attaching
+# USB devices to sd-devices.
+##
+
+sd-udev-rules:
+  file.managed:
+    - name: /rw/config/sd/etc/udev/rules.d/99-sd-devices.rules
+    - source: salt://sd/usb-autoattach/99-sd-devices.rules
+    - user: root
+    - group: root
+    - mode: 0444
+    - makedirs: True
+
+sd-rc-local-udev-rules:
+  file.blockreplace:
+    - name: /rw/config/rc.local
+    - append_if_not_found: True
+    - marker_start: "### BEGIN securedrop-workstation ###"
+    - marker_end: "### END securedrop-workstation ###"
+    - content: |
+        # Add udev rules for export devices
+        ln -sf /rw/config/sd/etc/udev/rules.d/99-sd-devices.rules /etc/udev/rules.d/
+        udevadm control --reload
+    - require:
+      - file: sd-udev-rules
+  cmd.run:
+    - name: ln -sf /rw/config/sd/etc/udev/rules.d/99-sd-devices.rules /etc/udev/rules.d/ && udevadm control --reload
+    - require:
+      - file: sd-rc-local-udev-rules
+
+sd-attach-export-device:
+  file.managed:
+    - name: /usr/local/bin/sd-attach-export-device
+    - source: salt://sd/usb-autoattach/sd-attach-export-device
+    - user: root
+    - group: root
+    - mode: 0555
diff --git a/dom0/sd-usb-autoattach-remove.sls b/dom0/sd-usb-autoattach-remove.sls
@@ -0,0 +1,9 @@
+remove-usb-autoattach:
+  cmd.run:
+    - names:
+      - qvm-run sys-usb 'sudo rm -f /etc/udev/rules.d/99-sd-devices.rules'
+      - qvm-run sys-usb 'sudo rm -f /rw/config/sd/etc/udev/rules.d/99-sd-devices.rules'
+      - qvm-run sys-usb 'sudo rm -f /usr/local/bin/sd-attach-export-device'
+      - qvm-run sys-usb 'sudo udevadm control --reload'
+      - >-
+        qvm-run sys-usb 'sudo perl -i -0pe "s/### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###//gms" /rw/config/rc.local'
diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top
@@ -37,6 +37,8 @@ base:
     - sd-log-template-files
   securedrop-workstation-buster:
     - sd-workstation-template-files
+  sys-usb:
+    - sd-usb-autoattach-add
 
   # "Placeholder" config to trigger TemplateVM boots,
   # so upgrades can be applied automatically via cron.

diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
@@ -42,6 +42,7 @@ install -m 755 -d %{buildroot}/srv/salt/sd/sd-whonix
 install -m 755 -d %{buildroot}/srv/salt/sd/sd-workstation
 install -m 755 -d %{buildroot}/srv/salt/sd/sys-firewall
 install -m 755 -d %{buildroot}/usr/share/%{name}/scripts
+install -m 755 -d %{buildroot}/srv/salt/sd/usb-autoattach
 install -m 644 dom0/*.sls %{buildroot}/srv/salt/
 install -m 644 dom0/*.top %{buildroot}/srv/salt/
 install -m 644 dom0/*.j2 %{buildroot}/srv/salt/
@@ -56,6 +57,8 @@ install -m 644 sd-proxy/* %{buildroot}/srv/salt/sd/sd-proxy/
 install -m 644 sd-whonix/* %{buildroot}/srv/salt/sd/sd-whonix/
 install -m 644 sd-workstation/* %{buildroot}/srv/salt/sd/sd-workstation/
 install -m 644 sys-firewall/* %{buildroot}/srv/salt/sd/sys-firewall/
+install -m 644 usb-autoattach/99-sd-devices.rules %{buildroot}/srv/salt/sd/usb-autoattach/
+install -m 755 usb-autoattach/sd-attach-export-device %{buildroot}/srv/salt/sd/usb-autoattach/
 install -m 644 Makefile %{buildroot}/usr/share/%{name}/Makefile
 install -m 755 scripts/* %{buildroot}/usr/share/%{name}/scripts/
 install -m 644 launcher/*.py %{buildroot}/opt/securedrop/launcher/
@@ -70,6 +73,7 @@ install -m 644 launcher/sdw_updater_gui/*.py %{buildroot}/opt/securedrop/launche
 /srv/salt/securedrop-*
 /srv/salt/fpf*
 /opt/securedrop/*
+
 %post
 find /srv/salt -maxdepth 1 -type f -iname '*.top' \
     | xargs -n1 basename \

diff --git a/scripts/prep-salt b/scripts/prep-salt
@@ -22,6 +22,7 @@ if [[ ! -d "$SDW_SALT_DIR" ]]; then
     sudo cp -r sd-whonix /srv/salt/sd
     sudo cp -r sd-workstation /srv/salt/sd
     sudo cp -r sys-firewall /srv/salt/sd
+    sudo cp -r usb-autoattach /srv/salt/sd
     sudo cp dom0/* /srv/salt/
     sudo cp -r launcher /srv/salt/
 fi

diff --git a/scripts/provision-all b/scripts/provision-all
@@ -24,3 +24,6 @@ all_sdw_vms_target="$(qvm-ls --tags sd-workstation --raw-list | perl -npE 's/\n/
 # We skip dom0 in the task below, since dom0 highstate was enforced in the previous command.
 echo "Provision all SecureDrop Workstation VMs with service-specific configs"
 sudo qubesctl --show-output --max-concurrency "$max_concurrency" --skip-dom0 --targets "$all_sdw_vms_target" state.highstate
+
+echo "Add SecureDrop export device handling to sys-usb"
+sudo qubesctl --show-output --skip-dom0 --targets sys-usb state.highstate
diff --git a/tests/test_sys_usb.py b/tests/test_sys_usb.py
@@ -0,0 +1,19 @@
+import unittest
+
+from base import SD_VM_Local_Test
+
+
+class SD_SysUSB_Tests(SD_VM_Local_Test):
+
+    def setUp(self):
+        self.vm_name = "sys-usb"
+        super(SD_SysUSB_Tests, self).setUp()
+
+    def test_files_are_properly_copied(self):
+        self.assertTrue(self._fileExists("/etc/udev/rules.d/99-sd-devices.rules"))
+        self.assertTrue(self._fileExists("/usr/local/bin/sd-attach-export-device"))
+
+
+def load_tests(loader, tests, pattern):
+    suite = unittest.TestLoader().loadTestsFromTestCase(SD_SysUSB_Tests)
+    return suite
diff --git a/tests/vars/qubes-rpc.yml b/tests/vars/qubes-rpc.yml
@@ -164,6 +164,15 @@
 - policy: USB
   starts_with: |-
     ### BEGIN securedrop-workstation ###
+    sd-devices sys-usb allow
+    @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
+    ### END securedrop-workstation ###
+
+- policy: USBAttach
+  starts_with: |-
+    ### BEGIN securedrop-workstation ###
+    sys-usb sd-devices allow,user=root
     @anyvm @tag:sd-workstation deny
     @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###

diff --git a/usb-autoattach/99-sd-devices.rules b/usb-autoattach/99-sd-devices.rules
@@ -0,0 +1,6 @@
+# Class 08 == storage, subclass 06 == SCSI
+# Class 07 == printer, subclass 01 == printer
+# https://www.usb.org/defined-class-codes
+# https://www.usb.org/document-library/mass-storage-class-specification-overview-14
+# https://www.usb.org/document-library/printer-device-class-document-11
+ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_USB_INTERFACES}=="*:0806??:*|*:0701??:*", RUN+="/usr/local/bin/sd-attach-export-device"
diff --git a/usb-autoattach/sd-attach-export-device b/usb-autoattach/sd-attach-export-device
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# udev action for attaching USB export devices to sd-devices
+
+QDEVNAME="$(basename $DEVPATH)"
+echo sys-usb "$QDEVNAME" | qrexec-client-vm sd-devices qubes.USBAttach