Protect against poisontap (unrecognized USB network devices)
Open, Normal, Public

Description

Ctrl+F "poisontap" in https://mail.gnome.org/archives/networkmanager-list/2016-November/thread.html

Instead of prompting the user every time something is plugged in, I presume the smart approach would be to block DHCP at the udev level while the gnome-shell screen is locked.

Once a solution is found in PureOS, it should be advertised as a feature, and upstreamed (if possible/accepted) to GNOME.

jeff created this task. Apr 16 2017, 12:51 AM
jonas.smedegaard triaged this task as "Normal" priority. Oct 26 2017, 12:36 PM
jonas.smedegaard added a subscriber: jonas.smedegaard.

I believe a solution exists: apt install usbguard-applet-qt

Please test and report back if that indeed solves this issue.

If it does, we can consider options of a) installing that package by default, and b) feasibility of hiring developers to code a GTK+ applet (or locating if one has been written already and simply needs packaging).

I have set severity to normal. Please shout if considered more important than that.

@jeff did you test this?
Also, it has a CLI. I think in any case we should add this to defaults as it seems quite usable (@mak ?)

mak added a comment. Jan 14 2018, 4:04 AM

It will pull in Qt though, and GNOME doesn't support applets/system tray icons natively anymore.
So, can we add it? Yes, of course, but it will look very alien, and we will have to modify our GNOME Shell session to display status icons.

What about only the CLI option of it, or should we get someone to build a GTK version of it?

Using the Qt-version on PureOS and the status icons aren't really needed. The popup for allowing a device looks a little bit out of place, but it works flawlessly.
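
The policy proposed in the task description (refuse newly attached USB network adapters only while the session is locked), sketched as an added example that is not part of any comment above and is not PureOS or usbguard code. It reads interface class codes from a sysfs-style tree such as /sys/bus/usb/devices; the function names, the way the lock state is passed in, and the sample tree are assumptions.

```python
import tempfile
from pathlib import Path

# Interface class/subclass/protocol triplets (USB-IF class codes) that make a
# device appear to the host as a network adapter. None matches any protocol.
NETWORK_TRIPLETS = [
    (0x02, 0x06, None),  # CDC Ethernet Control Model (ECM)
    (0x02, 0x0C, None),  # CDC Ethernet Emulation Model (EEM)
    (0x02, 0x0D, None),  # CDC Network Control Model (NCM)
    (0xE0, 0x01, 0x03),  # RNDIS, wireless-controller class
    (0xEF, 0x04, 0x01),  # RNDIS over Ethernet, miscellaneous class
]
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def is_network_interface(cls, sub, proto):
    return any(cls == c and sub == s and p in (None, proto)
               for c, s, p in NETWORK_TRIPLETS)

def network_devices(sysfs_root):
    """Names of USB devices (e.g. '1-2') with at least one network interface."""
    found = set()
    for intf in Path(sysfs_root).glob("*:*"):  # interface dirs: <device>:<config>.<n>
        try:
            triplet = [int((intf / f).read_text(), 16) for f in FIELDS]
        except (OSError, ValueError):
            continue  # interface vanished or attribute unreadable
        if is_network_interface(*triplet):
            found.add(intf.name.split(":", 1)[0])
    return sorted(found)

def devices_to_block(sysfs_root, screen_locked):
    """Refuse network adapters only while the session is locked. A caller
    (hypothetical) would then write '0' to <device>/authorized as root."""
    return network_devices(sysfs_root) if screen_locked else []

def build_sample_tree(root, interfaces):
    """Write a constructed sysfs-like tree, e.g. {'1-2:1.0': ('02', '06', '00')}."""
    for name, values in interfaces.items():
        (Path(root) / name).mkdir()
        for field, value in zip(FIELDS, values):
            (Path(root) / name / field).write_text(value + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, {"1-2:1.0": ("02", "06", "00"),   # ECM gadget
                                "1-3:1.0": ("08", "06", "50")})  # mass storage
        print(devices_to_block(tmp, screen_locked=True))
```

The check only classifies what is attached; a device that was authorized before the screen locked keeps its interface unless the caller also handles that case.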
