app-linux-input-proxy v1.0.44 (r4.3)
app-linux-input-proxy v1.0.44 (r4.2)
A very interesting and exciting patch from a security perspective. It is now possible to allow only certain USB input devices (keyboards, mice, tablets) based on the vendor ID, product ID or even the USB port the device is connected to. This way, you could avoid most hardware keyboard loggers, which usually could not fake the VID/PID (at the time of this post). This is very useful considering how common such loggers have become everywhere these days, and even open source implementations which could easily be implanted inside original devices are readily available. The only issue with this patch is that the documentation for it is not yet available. Tech-savvy users should not have a problem understanding and using it by reading the patch code and the related GitHub issue.
There’s a GitHub page for it
I’m experimenting with it, but the only thing that I’ve achieved is that the mouse pointer is not moving or the keyboard doesn’t register special keys (CTRL, ALT), but the mouse buttons still work and the alphanumeric keys of the keyboard also work - strange thing.
–
PS: OK, I have it, but it’s trial and error and I don’t know how to pull all relevant data
First, in a sys-usb terminal you need to list PCI devices to find the USB controller to which the mouse and keyboard are connected.
For me it’s
00:09.0 USB controller: Intel Corporation Alder Lake PCH USB 3.2 xHCI Host Controller (rev 01)
Note the device address - 00:09.0
Then you need the devices’ vendor and product numbers - lsusb
mouse:
Bus 004 Device 018: ID 258a:0036 SINOWEALTH Wired Gaming Mouse
Vendor=258a Product=0036
keyboard:
Bus 004 Device 023: ID 0c45:8033 Microdia AK820MAX
Vendor=0c45 Product=8033
Then in dom0 in Qubes Policy Editor open 50-config-input.policy
default:
# THIS IS AN AUTOMATICALLY GENERATED POLICY FILE.
# Any changes made manually may be overwritten by Qubes Configuration Tools.
qubes.InputMouse * sys-usb @adminvm ask
qubes.InputKeyboard * sys-usb @adminvm ask
qubes.InputTablet * sys-usb @adminvm ask default_target=@adminvm
after changes (I’ve watched the notifications about mouse/keyboard being denied in dom0):
# THIS IS AN AUTOMATICALLY GENERATED POLICY FILE.
# Any changes made manually may be overwritten by Qubes Configuration Tools.
qubes.InputMouse +usb-0000_00_09.0-1.4+3-258a-36-111 sys-usb @adminvm allow
qubes.InputKeyboard +usb-0000_00_09.0-1.3+3-c45-8033-110 sys-usb @adminvm allow
qubes.InputMouse +usb-0000_00_09.0-1.3+3-c45-8033-110 sys-usb @adminvm allow
qubes.InputTablet * sys-usb @adminvm ask default_target=@adminvm
+ is for one argument
usb-0000_00_09.0 is from the PCI list
-1.4+3- and -1.3+3- dunno where these are taken from
258a-36 and c45-8033 are from lsusb (leading zeros are omitted)
-111 and -110 dunno where these are coming from
But it works.
If I connect any other mouse/keyboard it shows a notification about denied:inputMouse or denied:inputKeyboard
One thing - there was a bug in the qubes-app-linux-input-proxy package and it didn’t work.
For this to work, the template must be upgraded to the testing repository:
4.2
sudo dnf update --enablerepo=qubes-vm-r4.2-current-testing
4.3
sudo dnf update --enablerepo=qubes-vm-r4.3-current-testing
–
PS2: 1.4 you can find by
dmesg |grep idVendor=258a
PS3:
#!/bin/bash
#
# usb2sys - find lsusb device in /sys file system
#
die()
{
    echo "$@" >&2
    exit 1
}
[[ $# -lt 1 ]] && die "need vendor and product ids (from lsusb) as dddd:dddd"
vendor=${1%:*}
product=${1##*:}
sys=/sys/bus/usb/devices/
cd "$sys" || die "cannot cd to $sys"
for d in *; do
    path=$sys$d
    # only device nodes (not interface nodes) carry idVendor/idProduct
    if [ -f "$path/idProduct" ]; then
        prod=$( cat "$path/idProduct" )
        vend=$( cat "$path/idVendor" )
        if [ "$prod" = "$product" ] && [ "$vend" = "$vendor" ]; then
            echo "prod = $prod"
            echo "vend = $vend"
            echo "/sys device is $path"
        fi
    fi
done
usage:
usb2sys.sh 258a:0036
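
Added example, not part of the original post and not code from the input-proxy project: a sys-usb helper that assembles candidate policy arguments for a VID:PID from the kernel's input-device records instead of trial and error. The function names and the mapping itself (the `phys` string plus the `bustype`, `vendor`, `product` and `version` fields under `/sys/class/input/inputN/id/`, with leading zeros dropped) are assumptions inferred from the strings in the policy above, so compare the output with the argument shown in the dom0 denial notification before putting it in an `allow` rule.

```shell
#!/bin/sh
# Added example (not from the post or from qubes-app-linux-input-proxy).
# ASSUMPTION, inferred from the policy strings shown in the post:
#   <phys without "/inputN", ':' -> '_'>+<bustype>-<vendor>-<product>-<version>
# with every id field printed in hex without leading zeros.

# strip0 HEX: drop leading zeros, keep a single 0 for an all-zero field
strip0() {
    v=${1#"${1%%[!0]*}"}
    printf '%s' "${v:-0}"
}

# input_policy_args VID:PID [INPUT_CLASS_DIR]
# INPUT_CLASS_DIR defaults to /sys/class/input (overridable for testing).
# Body runs in a subshell so its variables do not leak to the caller.
input_policy_args() (
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    root=${2:-/sys/class/input}
    want_vend=${want%:*}
    want_prod=${want##*:}
    for dev in "$root"/input*; do
        [ -r "$dev/id/vendor" ] || continue
        vend=$(cat "$dev/id/vendor")
        prod=$(cat "$dev/id/product")
        [ "$vend" = "$want_vend" ] && [ "$prod" = "$want_prod" ] || continue
        bus=$(cat "$dev/id/bustype")
        ver=$(cat "$dev/id/version")
        phys=$(cat "$dev/phys")
        phys=${phys%%/*}                              # drop "/input0" suffix
        phys=$(printf '%s' "$phys" | tr ':' '_')      # 0000:00:09.0 -> 0000_00_09.0
        printf '%s+%s-%s-%s-%s\n' "$phys" "$(strip0 "$bus")" \
            "$(strip0 "$vend")" "$(strip0 "$prod")" "$(strip0 "$ver")"
    done | sort -u    # one line per port, even if the device exposes several inputs
)

# When run as a script with an argument, print the candidates:
#   sh input-policy-args.sh 258a:0036
if [ $# -ge 1 ]; then
    input_policy_args "$@"
fi
```

Because the port path is part of the string, the same device plugged into a different port produces a different argument and will not match the rule.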