Created
January 24, 2017 19:22
-
-
Save conorsch/795100caf411fccf1957b3e4ff0f2843 to your computer and use it in GitHub Desktop.
Script to temporarily whitelist new USB devices under grsecurity
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Temporarily permit new USB devices by disabling the grsecurity sysctl option | |
# `kernel.grsecurity.deny_new_usb` for several seconds. Will automatically | |
# restore the ban on exit (even on error). | |
set -e | |
set -u | |
set -o pipefail | |
function deny-usb { | |
sysctl --write --quiet kernel.grsecurity.deny_new_usb=1 | |
} | |
# Set trap to lock out new USB devices after script runs, even if the | |
# script errors out or is canceled. | |
trap deny-usb EXIT | |
function temporarily-allow-usb { | |
local allow_usb_seconds=$1 | |
sysctl --write --quiet kernel.grsecurity.deny_new_usb=0 | |
printf "New USB devices temporarily allowed; connect new device now.\n" | |
for n in $(seq ${allow_usb_seconds} | tac); do | |
sleep 1; | |
printf "\rDisabling new USB devices in ${n}..." | |
done | |
printf " done.\n" | |
} | |
temporarily-allow-usb ${1-5} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment