Skip to content

Instantly share code, notes, and snippets.

@conorsch
Created January 24, 2017 19:22
Show Gist options
  • Save conorsch/795100caf411fccf1957b3e4ff0f2843 to your computer and use it in GitHub Desktop.
Save conorsch/795100caf411fccf1957b3e4ff0f2843 to your computer and use it in GitHub Desktop.
Script to temporarily whitelist new USB devices under grsecurity
#!/bin/bash
# Temporarily permit new USB devices by disabling the grsecurity sysctl option
# `kernel.grsecurity.deny_new_usb` for several seconds. Will automatically
# restore the ban on exit (even on error).
set -e
set -u
set -o pipefail
function deny-usb {
sysctl --write --quiet kernel.grsecurity.deny_new_usb=1
}
# Set trap to lock out new USB devices after script runs, even if the
# script errors out or is canceled.
trap deny-usb EXIT
function temporarily-allow-usb {
local allow_usb_seconds=$1
sysctl --write --quiet kernel.grsecurity.deny_new_usb=0
printf "New USB devices temporarily allowed; connect new device now.\n"
for n in $(seq ${allow_usb_seconds} | tac); do
sleep 1;
printf "\rDisabling new USB devices in ${n}..."
done
printf " done.\n"
}
temporarily-allow-usb ${1-5}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment