
@cg505
Last active March 10, 2022 16:32
  • First, get an ssh session to the machine, just in case we accidentally block our keyboard.
  • Plug in a USB drive to the port you want to restrict.
  • Run lsblk to find the device name (e.g. /dev/sdd); you can identify the drive by its size.
  • Verify this by running ls -l /dev/disk/by-id: the device ID/name should point to the /dev/sd* you identified in the previous step.
  • Now run ls -l /dev/disk/by-path and check which path points to the device. (Note: you need this for step 1 of the StepMania USB profiles setup as well.) This should look something like pci-0000:06:00.3-usb-0:3:1.0-scsi-0:0:0:0. Remove the -scsi-0:0:0:0 and we're left with a "path" like pci-0000:06:00.3-usb-0:3:1.0.
  • To create the actual rule, create a file called /etc/udev/rules.d/99-restrict-usb-storage.rules, and add this line:
ENV{ID_PATH}=="pci-0000:06:00.3-usb-0:3:1.0", ENV{DRIVER}!="usb-storage", RUN+="/bin/sh -c 'echo 0 > /sys%p/authorized'"

replacing the ID_PATH with the one you found earlier. This will match any device on this USB port, and if it is not using the usb-storage driver, immediately mark it as unauthorized, which prevents the device from communicating with the machine.

  • You can do the same process from the top for the other port, adding a second line to the same file.
  • To reload these rules, run sudo udevadm control --reload-rules.

You should now be able to observe that any device other than a USB storage device plugged into these ports will not work.

To debug, you can use udevadm monitor while plugging/unplugging to make sure you have the right device path. Also, check journalctl for any issues running the rule.
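As an added example (not part of the gist), a small POSIX shell helper that automates the path lookup and rule construction from the steps above: it reads ID_PATH from udevadm property output instead of /dev/disk/by-path, strips the -scsi-... suffix, and emits one rule line per port. The sample udevadm output, the write_rules_file function and its device-name arguments are assumptions for illustration; the rule file name and rule syntax are the ones the gist uses.

```shell
#!/bin/sh
# Added example: build /etc/udev/rules.d/99-restrict-usb-storage.rules from
# the ID_PATH udev reports for a drive plugged into each port to restrict.

# Drop the "-scsi-0:0:0:0" tail of a block-device ID_PATH, leaving the port path.
port_path_from_id_path() {
    printf '%s\n' "${1%-scsi-*}"
}

# Extract ID_PATH from `udevadm info -q property` output read on stdin.
id_path_from_udev_props() {
    sed -n 's/^ID_PATH=//p' | head -n 1
}

# Emit the gist's rule for one port path: anything on that port that is not
# bound to usb-storage is deauthorized via its sysfs "authorized" attribute.
rule_for_port() {
    printf "ENV{ID_PATH}==\"%s\", ENV{DRIVER}!=\"usb-storage\", RUN+=\"/bin/sh -c 'echo 0 > /sys%%p/authorized'\"\n" "$1"
}

# Emit one rule line per port path given as an argument.
rules_for_ports() {
    for port in "$@"; do
        rule_for_port "$port"
    done
}

# Constructed sample of `udevadm info -q property -n /dev/sdd` output.
SAMPLE_PROPS='DEVNAME=/dev/sdd
ID_BUS=usb
ID_PATH=pci-0000:06:00.3-usb-0:3:1.0-scsi-0:0:0:0
ID_PATH_TAG=pci-0000_06_00_3-usb-0_3_1_0-scsi-0_0_0_0'

# Assumed wrapper (run as root): write_rules_file sdd sde
# Queries udev for each named drive, writes the rule file, reloads the rules.
write_rules_file() {
    rules_file=/etc/udev/rules.d/99-restrict-usb-storage.rules
    : > "$rules_file"
    for dev in "$@"; do
        id_path=$(udevadm info -q property -n "/dev/$dev" | id_path_from_udev_props)
        [ -n "$id_path" ] || { echo "no ID_PATH for /dev/$dev" >&2; return 1; }
        rule_for_port "$(port_path_from_id_path "$id_path")" >> "$rules_file"
    done
    udevadm control --reload-rules
}
```

The rule only fires on new udev events, so re-plug the device after reloading to see the effect, and confirm with udevadm monitor that the port path matched.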

Sources:
