authorJannik Schönartz2017-11-15 09:29:10 +0100
committerJonathan Bauer2021-06-25 14:38:18 +0200
commit055e2dfe09f270bb2ceca89b5100ad840d9c0837 (patch)
tree1ab5e94e959f41c70fa9d97a50978d5ffb7ec1f8
parent[kiosk-chromium] disable auto-update (diff)
[usbguard] USBGuard module added by Jannik Schönartz
[usb-lock-off] Updated usb info collection script to use the openslx config variables. [usb-lock-off] Updated usbguard to version 0.7.2 and libsodium to 1.0.16. Fixed the build script, so that -c cleans everything.
-rw-r--r--core/modules/usbguard/data/etc/systemd/system/multi-user.target.wants/usbguard-daemon.service11
-rw-r--r--core/modules/usbguard/data/etc/systemd/system/multi-user.target.wants/usbguard-watch.service11
-rw-r--r--core/modules/usbguard/data/etc/systemd/system/usbguard-daemon.service11
-rw-r--r--core/modules/usbguard/data/etc/systemd/system/usbguard-watch.service11
-rwxr-xr-xcore/modules/usbguard/data/usr/local/etc/usbguard/sendUSBInfo.sh23
-rw-r--r--core/modules/usbguard/module.build35
-rw-r--r--core/modules/usbguard/module.conf8
-rw-r--r--core/modules/usbguard/module.conf.ubuntu23
8 files changed, 133 insertions, 0 deletions
diff --git a/core/modules/usbguard/data/etc/systemd/system/multi-user.target.wants/usbguard-daemon.service b/core/modules/usbguard/data/etc/systemd/system/multi-user.target.wants/usbguard-daemon.service
new file mode 100644
index 00000000..4d7bc799
--- /dev/null
+++ b/core/modules/usbguard/data/etc/systemd/system/multi-user.target.wants/usbguard-daemon.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=USBGuard Services Daemon
+After=systemd-user-sessions.service
+
+[Service]
+ExecStart=/usr/local/sbin/usbguard-daemon -c /usr/local/etc/usbguard/usbguard-daemon.conf
+Type=simple
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
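Review bot: `After=systemd-user-sessions.service` starts the daemon only once logins have been opened, so USB devices attached earlier in boot are presumably handled by the kernel default until the policy is loaded. If enforcement should cover boot, drop that ordering, or order the unit early with `Wants=systemd-udevd.service local-fs.target`. The `[Service]` section also runs the daemon with no sandboxing; `NoNewPrivileges=yes` and `ProtectHome=yes` are cheap additions, though they should be tested against the daemon's needs. The same applies to the identical copy of this unit added directly under `etc/systemd/system/`.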
diff --git a/core/modules/usbguard/data/etc/systemd/system/multi-user.target.wants/usbguard-watch.service b/core/modules/usbguard/data/etc/systemd/system/multi-user.target.wants/usbguard-watch.service
new file mode 100644
index 00000000..d3654f55
--- /dev/null
+++ b/core/modules/usbguard/data/etc/systemd/system/multi-user.target.wants/usbguard-watch.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=USBGuard collect usb Daemon
+After=usbguard-daemon.service
+
+[Service]
+ExecStart=/usr/local/bin/usbguard watch -e /usr/local/etc/usbguard/sendUSBInfo.sh
+Type=simple
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
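Review bot: `RemainAfterExit=yes` with `Type=simple` and no `Restart=` means the unit stays "active" after `usbguard watch` exits, so device reporting can stop without anything in `systemctl status` showing it. The watcher will plausibly exit whenever the daemon restarts, which `Restart=on-failure` on the daemon unit makes likely. `After=usbguard-daemon.service` only orders the two units and does not tie their lifetimes together. I would replace `RemainAfterExit=yes` with `Restart=always` plus a `RestartSec=`, and add `BindsTo=usbguard-daemon.service` to `[Unit]`. The identical copy of this unit under `etc/systemd/system/` needs the same change.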
diff --git a/core/modules/usbguard/data/etc/systemd/system/usbguard-daemon.service b/core/modules/usbguard/data/etc/systemd/system/usbguard-daemon.service
new file mode 100644
index 00000000..4d7bc799
--- /dev/null
+++ b/core/modules/usbguard/data/etc/systemd/system/usbguard-daemon.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=USBGuard Services Daemon
+After=systemd-user-sessions.service
+
+[Service]
+ExecStart=/usr/local/sbin/usbguard-daemon -c /usr/local/etc/usbguard/usbguard-daemon.conf
+Type=simple
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
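Review bot: The unit is committed twice as a regular file: mode 100644 with blob 4d7bc799 both here and under `multi-user.target.wants/`. A later edit to one copy will leave the other stale. A `.wants/` entry is normally a symlink to the unit, so commit it as a symlink to `../usbguard-daemon.service` to keep a single source of truth. `usbguard-watch.service` (blob d3654f55 in both places) has the same duplication.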
diff --git a/core/modules/usbguard/data/etc/systemd/system/usbguard-watch.service b/core/modules/usbguard/data/etc/systemd/system/usbguard-watch.service
new file mode 100644
index 00000000..d3654f55
--- /dev/null
+++ b/core/modules/usbguard/data/etc/systemd/system/usbguard-watch.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=USBGuard collect usb Daemon
+After=usbguard-daemon.service
+
+[Service]
+ExecStart=/usr/local/bin/usbguard watch -e /usr/local/etc/usbguard/sendUSBInfo.sh
+Type=simple
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/core/modules/usbguard/data/usr/local/etc/usbguard/sendUSBInfo.sh b/core/modules/usbguard/data/usr/local/etc/usbguard/sendUSBInfo.sh
new file mode 100755
index 00000000..3fe91fef
--- /dev/null
+++ b/core/modules/usbguard/data/usr/local/etc/usbguard/sendUSBInfo.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# use SLX_KCL_SERVERS
+. /opt/openslx/config
+
+SERVER_IP=${SLX_PXE_SERVER_IP}
+CLIENT_IP=${SLX_PXE_CLIENT_IP}
+NADAPTER="br0"
+
+if [ "$USBGUARD_DEVICE_EVENT" == "Insert" ]
+then
+ id=$(echo $USBGUARD_DEVICE_RULE | grep -Pzo '(?s)(?<=id\s).*(?=\sserial)')
+ serial=$(echo $USBGUARD_DEVICE_RULE | grep -Pzo '(?s)(?<=serial\s").*(?="\sname)')
+ name=$(echo $USBGUARD_DEVICE_RULE | grep -Pzo '(?s)(?<=name\s").*(?="\shash)')
+ vhash=$(echo $USBGUARD_DEVICE_RULE | grep -Pzo '(?s)(?<=\shash\s").*(?="\sparent-hash)')
+ phash=$(echo $USBGUARD_DEVICE_RULE | grep -Pzo '(?s)(?<=\sparent-hash\s").*(?="\svia-port)')
+ vport=$(echo $USBGUARD_DEVICE_RULE | grep -Pzo '(?s)(?<=\svia-port\s").*(?="\swith-interface)')
+ interface=$(echo $USBGUARD_DEVICE_RULE | grep -Pzo '(?s)(?<=\swith-interface\s).*')
+ # nat1 ONLY WORKS FOR some VM's THIS NEEDS TO BE EDITED. IP Info only needed for getting the machineuuid -> location of the machine.
+ # interface-policy is not needed here is it? --> Once it's implemented in usbguard it is.. but currently the device rule doesn't have those information.
+ url=$(echo "http://$SERVER_IP/slx-admin/api.php?do=usbguard&action=newdevice&id=$id&serial=$serial&name=$name&ip=$CLIENT_IP&hash=$vhash&parent-hash=$phash&via-port=$vport&with-interface=$interface" | sed 's/ /%20/g')
+ curl $url
+fi
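Review bot: The `url=` line pastes `$serial`, `$name` and the other extracted fields into the query string with only spaces encoded. Those values come from the USB device's own descriptors, so a `&`, `#`, `%` or `+` in a device name can add or override parameters in the request to `api.php`. `curl $url` is also unquoted and leaves curl's `[]`/`{}` URL globbing active. Let curl encode each value with `--get --data-urlencode`, quote every expansion, and add `--max-time` so a slow server cannot stall the watcher. Separately, the greedy `.*` captures in the `grep -Pzo` lines let a crafted serial or name shift the field boundaries, and the report travels over plain `http://` with no authentication, so the receiving API should treat every field as untrusted.

```shell
# … unchanged: Insert check, field extraction and the two comments …
  curl --silent --show-error --fail --max-time 10 --get \
    --data-urlencode "do=usbguard" \
    --data-urlencode "action=newdevice" \
    --data-urlencode "id=${id}" \
    --data-urlencode "serial=${serial}" \
    --data-urlencode "name=${name}" \
    --data-urlencode "ip=${CLIENT_IP}" \
    --data-urlencode "hash=${vhash}" \
    --data-urlencode "parent-hash=${phash}" \
    --data-urlencode "via-port=${vport}" \
    --data-urlencode "with-interface=${interface}" \
    "http://${SERVER_IP}/slx-admin/api.php"
```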
diff --git a/core/modules/usbguard/module.build b/core/modules/usbguard/module.build
new file mode 100644
index 00000000..bbf5b330
--- /dev/null
+++ b/core/modules/usbguard/module.build
@@ -0,0 +1,35 @@
+fetch_source() {
+ [ -d "${MODULE_WORK_DIR}/src/.git" ] && return 0
+ rm -rf -- "${MODULE_WORK_DIR}/src"
+ download_untar "${REQUIRED_LIBSODIUM_URL}" "src/libsodium/"
+ git clone --depth 1 "${REQUIRED_GIT}" "${MODULE_WORK_DIR}/src/usbguard" || perror "Could not clone git to ${MODULE_WORK_DIR}/src/usbguard"
+ cd "${MODULE_WORK_DIR}/src/usbguard"
+ git checkout "${REQUIRED_COMMIT}" || perror "Could not switch to required commit"
+ cd - &>/dev/null
+}
+
+build() {
+ # copy REQUIRED_CONTENT_PACKAGES to mltk/tmp/work/<module>/build/
+ #COPYLIST="list_dpkg_output"
+ #[ -e "$COPYLIST" ] && rm "$COPYLIST"
+ #list_packet_files >> "$COPYLIST"
+ #tarcopy "$(cat "$COPYLIST" | sort -u)" "${MODULE_BUILD_DIR}"
+ # Compile libsodium
+ cd "${MODULE_WORK_DIR}/src/libsodium/${REQUIRED_LIBSODIUM_UNTAR_NAME}" || perror "Could not cd to '${MODULE_WORK_DIR}/src/libsodium'. Did download_untar in fetch_source work?"
+ ./configure || perror "configure failed"
+ make || perror "Could not compile libsodium using 'make'"
+ DESTDIR="${MODULE_BUILD_DIR}" make install || perror "libsodium: make install failed"
+ # Compile usbguard
+ cd "${MODULE_WORK_DIR}/src/usbguard" || perror "Could not cd to '${MODULE_WORK_DIR}/src/usbguard'. Did fetch_source work?"
+ ./autogen.sh || perror "./autogen.sh failed"
+ ./configure --with-bundled-catch --with-bundled-pegtl sodium_CFLAGS="-I${MODULE_BUILD_DIR}/usr/local/include/" sodium_LIBS="-L${MODULE_BUILD_DIR}/usr/local/lib/ -lsodium" || perror "./configure failed"
+ #./configure --with-bundled-catch --with-bundled-pegtl PKG_CONFIG_PATH=/root/mltk/tmp/work/usbguard/build/libsodium/usr/local/lib/pkgconfig || perror "configure failed"
+ make || perror "Could not compile usbguard using 'make'."
+ # make install:
+ DESTDIR="${MODULE_BUILD_DIR}" make install || perror "usbguard: make install failed"
+}
+
+post_copy() {
+ :
+}
+
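Review bot: In `fetch_source`, `git clone --depth 1` fetches only the current tip of the default branch, so `git checkout "${REQUIRED_COMMIT}"` will fail once upstream has moved past the pinned commit. Either drop `--depth 1`, or follow the clone with `git fetch --depth 1 origin "${REQUIRED_COMMIT}"` if the server permits fetching by hash. The early-return guard tests `${MODULE_WORK_DIR}/src/.git`, but the clone goes to `src/usbguard`, so the guard never matches and every run deletes and re-downloads the sources; `[ -d "${MODULE_WORK_DIR}/src/usbguard/.git" ] && return 0` looks like the intended test. The `cd` before `git checkout` is also unchecked, unlike the `cd` calls in `build`, and should get `|| perror "..."` so the checkout cannot run in the wrong repository.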
diff --git a/core/modules/usbguard/module.conf b/core/modules/usbguard/module.conf
new file mode 100644
index 00000000..cf9bfc10
--- /dev/null
+++ b/core/modules/usbguard/module.conf
@@ -0,0 +1,8 @@
+#!/bin/bash
+REQUIRED_GIT="https://github.com/dkopecek/usbguard.git"
+REQUIRED_LIBSODIUM_URL="https://download.libsodium.org/libsodium/releases/libsodium-1.0.16.tar.gz"
+REQUIRED_LIBSODIUM_UNTAR_NAME="libsodium-1.0.16"
+REQUIRED_COMMIT="4ba9fbb337da439a1bcff6886847fb24b3df95b3"
+REQUIRED_BINARIES="usbguard usbguard-daemon"
+REQUIRED_LIBRARIES=""
+REQUIRED_DIRECTORIES="/"
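Review bot: usbguard is pinned by commit hash, but the libsodium tarball at `REQUIRED_LIBSODIUM_URL` is identified only by its URL, and nothing visible in this commit verifies what is downloaded before `build` compiles and installs it. Whether `download_untar` performs any check cannot be seen from here. I would add a digest next to the URL, e.g. `REQUIRED_LIBSODIUM_SHA256="<sha256 of libsodium-1.0.16.tar.gz>"`, and compare it with `sha256sum -c` in `fetch_source` before unpacking. Verifying the upstream signature of the release would be stronger still.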
diff --git a/core/modules/usbguard/module.conf.ubuntu b/core/modules/usbguard/module.conf.ubuntu
new file mode 100644
index 00000000..c0f3817f
--- /dev/null
+++ b/core/modules/usbguard/module.conf.ubuntu
@@ -0,0 +1,23 @@
+REQUIRED_INSTALLED_PACKAGES="
+ asciidoctor
+ autoconf
+ automake
+ libtool
+ g++
+ git
+ libudev-dev
+ libqb-dev
+ libcap-ng-dev
+ libseccomp-dev
+ libprotobuf-dev
+ protobuf-compiler
+ libdbus-1-dev
+ libdbus-glib-1-dev
+ xsltproc
+ libxml2-utils
+ libpolkit-gobject-1-dev
+"
+
+REQUIRED_CONTENT_PACKAGES="
+
+"