Using a udev rule or a Linux kernel blacklist
Yes, it is possible, but I am not confident it will block every attack of this type. I have only one device to test with, so I can't say it is a general solution.
I tested this with a USB network adapter (a "USB net key") on Ubuntu 21.10.
Collecting information
udevadm monitor -u
monitor will print the received events for:
UDEV - the event which udev sends out after rule processing
UDEV [108.870714] add /devices/pci0000:00/0000:00:06.0/usb2/2-2 (usb)
UDEV [108.951632] add /module/mii (module)
UDEV [108.970818] add /module/usbnet (module)
UDEV [114.296923] add /bus/usb/drivers/dm9601 (drivers)
UDEV [114.310640] add /module/dm9601 (module)
UDEV [114.316277] add /bus/usb/drivers/sr9700 (drivers)
UDEV [114.324254] add /module/sr9700 (module)
UDEV [114.325188] add /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0 (usb)
UDEV [114.361207] bind /devices/pci0000:00/0000:00:06.0/usb2/2-2 (usb)
UDEV [114.446039] add /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458 (net)
UDEV [114.471800] add /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/eth0/queues/tx-0 (queues)
UDEV [114.591649] add /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/eth0/queues/rx-0 (queues)
UDEV [114.602864] bind /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0 (usb)
UDEV [115.079106] move /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458 (net)
udevadm info -a -p /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458
Udevadm info starts with the device specified by the devpath and then
walks up the chain of parent devices. It prints for every device
found, all possible attributes in the udev rules key format.
A rule to match, can be composed by the attributes of the device
and the attributes from one single parent device.
looking at device '/devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458':
KERNEL=="enx00e04c534458"
SUBSYSTEM=="net"
DRIVER==""
ATTR{addr_assign_type}=="0"
ATTR{addr_len}=="6"
ATTR{address}=="00:e0:4c:53:44:58"
ATTR{broadcast}=="ff:ff:ff:ff:ff:ff"
ATTR{carrier}=="0"
ATTR{carrier_changes}=="3"
ATTR{carrier_down_count}=="2"
ATTR{carrier_up_count}=="1"
ATTR{dev_id}=="0x0"
ATTR{dev_port}=="0"
ATTR{dormant}=="0"
ATTR{duplex}=="full"
ATTR{flags}=="0x1003"
ATTR{gro_flush_timeout}=="0"
ATTR{ifalias}==""
ATTR{ifindex}=="3"
ATTR{iflink}=="3"
ATTR{link_mode}=="0"
ATTR{mtu}=="1500"
ATTR{name_assign_type}=="4"
ATTR{napi_defer_hard_irqs}=="0"
ATTR{netdev_group}=="0"
ATTR{operstate}=="down"
ATTR{power/async}=="disabled"
ATTR{power/control}=="auto"
ATTR{power/runtime_active_kids}=="0"
ATTR{power/runtime_active_time}=="0"
ATTR{power/runtime_enabled}=="disabled"
ATTR{power/runtime_status}=="unsupported"
ATTR{power/runtime_suspended_time}=="0"
ATTR{power/runtime_usage}=="0"
ATTR{proto_down}=="0"
ATTR{queues/rx-0/rps_cpus}=="0"
ATTR{queues/rx-0/rps_flow_cnt}=="0"
ATTR{queues/tx-0/byte_queue_limits/hold_time}=="1000"
ATTR{queues/tx-0/byte_queue_limits/inflight}=="0"
ATTR{queues/tx-0/byte_queue_limits/limit}=="0"
ATTR{queues/tx-0/byte_queue_limits/limit_max}=="1879048192"
ATTR{queues/tx-0/byte_queue_limits/limit_min}=="0"
ATTR{queues/tx-0/tx_maxrate}=="0"
ATTR{queues/tx-0/tx_timeout}=="0"
ATTR{queues/tx-0/xps_rxqs}=="0"
ATTR{speed}=="100"
ATTR{statistics/collisions}=="0"
ATTR{statistics/multicast}=="0"
ATTR{statistics/rx_bytes}=="0"
ATTR{statistics/rx_compressed}=="0"
ATTR{statistics/rx_crc_errors}=="0"
ATTR{statistics/rx_dropped}=="0"
ATTR{statistics/rx_errors}=="0"
ATTR{statistics/rx_fifo_errors}=="0"
ATTR{statistics/rx_frame_errors}=="0"
ATTR{statistics/rx_length_errors}=="0"
ATTR{statistics/rx_missed_errors}=="0"
ATTR{statistics/rx_nohandler}=="0"
ATTR{statistics/rx_over_errors}=="0"
ATTR{statistics/rx_packets}=="0"
ATTR{statistics/tx_aborted_errors}=="0"
ATTR{statistics/tx_bytes}=="0"
ATTR{statistics/tx_carrier_errors}=="0"
ATTR{statistics/tx_compressed}=="0"
ATTR{statistics/tx_dropped}=="0"
ATTR{statistics/tx_errors}=="0"
ATTR{statistics/tx_fifo_errors}=="0"
ATTR{statistics/tx_heartbeat_errors}=="0"
ATTR{statistics/tx_packets}=="0"
ATTR{statistics/tx_window_errors}=="0"
ATTR{testing}=="0"
ATTR{threaded}=="0"
ATTR{tx_queue_len}=="1000"
ATTR{type}=="1"
looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0':
KERNELS=="2-2:1.0"
SUBSYSTEMS=="usb"
DRIVERS=="dm9601"
ATTRS{authorized}=="1"
ATTRS{bAlternateSetting}==" 0"
ATTRS{bInterfaceClass}=="00"
ATTRS{bInterfaceNumber}=="00"
ATTRS{bInterfaceProtocol}=="00"
ATTRS{bInterfaceSubClass}=="00"
ATTRS{bNumEndpoints}=="03"
ATTRS{power/async}=="enabled"
ATTRS{power/runtime_active_kids}=="0"
ATTRS{power/runtime_enabled}=="enabled"
ATTRS{power/runtime_status}=="active"
ATTRS{power/runtime_usage}=="1"
ATTRS{supports_autosuspend}=="1"
looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-2':
KERNELS=="2-2"
SUBSYSTEMS=="usb"
DRIVERS=="usb"
ATTRS{authorized}=="1"
ATTRS{avoid_reset_quirk}=="0"
ATTRS{bConfigurationValue}=="1"
ATTRS{bDeviceClass}=="00"
ATTRS{bDeviceProtocol}=="00"
ATTRS{bDeviceSubClass}=="00"
ATTRS{bMaxPacketSize0}=="64"
ATTRS{bMaxPower}=="120mA"
ATTRS{bNumConfigurations}=="1"
ATTRS{bNumInterfaces}==" 1"
ATTRS{bcdDevice}=="0101"
ATTRS{bmAttributes}=="80"
ATTRS{busnum}=="2"
ATTRS{configuration}==""
ATTRS{devnum}=="3"
ATTRS{devpath}=="2"
ATTRS{idProduct}=="9700"
ATTRS{idVendor}=="0fe6"
ATTRS{ltm_capable}=="no"
ATTRS{maxchild}=="0"
ATTRS{power/active_duration}=="124280"
ATTRS{power/async}=="enabled"
ATTRS{power/autosuspend}=="2"
ATTRS{power/autosuspend_delay_ms}=="2000"
ATTRS{power/connected_duration}=="124280"
ATTRS{power/control}=="on"
ATTRS{power/level}=="on"
ATTRS{power/persist}=="1"
ATTRS{power/runtime_active_kids}=="1"
ATTRS{power/runtime_active_time}=="123743"
ATTRS{power/runtime_enabled}=="forbidden"
ATTRS{power/runtime_status}=="active"
ATTRS{power/runtime_suspended_time}=="0"
ATTRS{power/runtime_usage}=="1"
ATTRS{product}=="USB 2.0 10/100M Ethernet Adaptor"
ATTRS{quirks}=="0x0"
ATTRS{removable}=="unknown"
ATTRS{rx_lanes}=="1"
ATTRS{speed}=="12"
ATTRS{tx_lanes}=="1"
ATTRS{urbnum}=="42458"
ATTRS{version}==" 1.10"
looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2':
KERNELS=="usb2"
SUBSYSTEMS=="usb"
DRIVERS=="usb"
ATTRS{authorized}=="1"
ATTRS{authorized_default}=="1"
ATTRS{avoid_reset_quirk}=="0"
ATTRS{bConfigurationValue}=="1"
ATTRS{bDeviceClass}=="09"
ATTRS{bDeviceProtocol}=="00"
ATTRS{bDeviceSubClass}=="00"
ATTRS{bMaxPacketSize0}=="64"
ATTRS{bMaxPower}=="0mA"
ATTRS{bNumConfigurations}=="1"
ATTRS{bNumInterfaces}==" 1"
ATTRS{bcdDevice}=="0513"
ATTRS{bmAttributes}=="e0"
ATTRS{busnum}=="2"
ATTRS{configuration}==""
ATTRS{devnum}=="1"
ATTRS{devpath}=="0"
ATTRS{idProduct}=="0001"
ATTRS{idVendor}=="1d6b"
ATTRS{interface_authorized_default}=="1"
ATTRS{ltm_capable}=="no"
ATTRS{manufacturer}=="Linux 5.13.0-22-generic ohci_hcd"
ATTRS{maxchild}=="12"
ATTRS{power/active_duration}=="232196"
ATTRS{power/async}=="enabled"
ATTRS{power/autosuspend}=="0"
ATTRS{power/autosuspend_delay_ms}=="0"
ATTRS{power/connected_duration}=="232196"
ATTRS{power/control}=="auto"
ATTRS{power/level}=="auto"
ATTRS{power/runtime_active_kids}=="2"
ATTRS{power/runtime_active_time}=="232137"
ATTRS{power/runtime_enabled}=="enabled"
ATTRS{power/runtime_status}=="active"
ATTRS{power/runtime_suspended_time}=="0"
ATTRS{power/runtime_usage}=="0"
ATTRS{power/wakeup}=="disabled"
ATTRS{power/wakeup_abort_count}==""
ATTRS{power/wakeup_active}==""
ATTRS{power/wakeup_active_count}==""
ATTRS{power/wakeup_count}==""
ATTRS{power/wakeup_expire_count}==""
ATTRS{power/wakeup_last_time_ms}==""
ATTRS{power/wakeup_max_time_ms}==""
ATTRS{power/wakeup_total_time_ms}==""
ATTRS{product}=="OHCI PCI host controller"
ATTRS{quirks}=="0x0"
ATTRS{removable}=="unknown"
ATTRS{rx_lanes}=="1"
ATTRS{serial}=="0000:00:06.0"
ATTRS{speed}=="12"
ATTRS{tx_lanes}=="1"
ATTRS{urbnum}=="65"
ATTRS{version}==" 1.10"
looking at parent device '/devices/pci0000:00/0000:00:06.0':
KERNELS=="0000:00:06.0"
SUBSYSTEMS=="pci"
DRIVERS=="ohci-pci"
ATTRS{ari_enabled}=="0"
ATTRS{broken_parity_status}=="0"
ATTRS{class}=="0x0c0310"
ATTRS{consistent_dma_mask_bits}=="32"
ATTRS{d3cold_allowed}=="0"
ATTRS{device}=="0x003f"
ATTRS{dma_mask_bits}=="32"
ATTRS{driver_override}=="(null)"
ATTRS{enable}=="1"
ATTRS{irq}=="22"
ATTRS{local_cpulist}=="0"
ATTRS{local_cpus}=="1"
ATTRS{msi_bus}=="1"
ATTRS{numa_node}=="-1"
ATTRS{power/async}=="enabled"
ATTRS{power/control}=="on"
ATTRS{power/runtime_active_kids}=="1"
ATTRS{power/runtime_active_time}=="232396"
ATTRS{power/runtime_enabled}=="forbidden"
ATTRS{power/runtime_status}=="active"
ATTRS{power/runtime_suspended_time}=="0"
ATTRS{power/runtime_usage}=="2"
ATTRS{power/wakeup}=="enabled"
ATTRS{power/wakeup_abort_count}=="0"
ATTRS{power/wakeup_active}=="0"
ATTRS{power/wakeup_active_count}=="0"
ATTRS{power/wakeup_count}=="0"
ATTRS{power/wakeup_expire_count}=="0"
ATTRS{power/wakeup_last_time_ms}=="0"
ATTRS{power/wakeup_max_time_ms}=="0"
ATTRS{power/wakeup_total_time_ms}=="0"
ATTRS{power_state}=="D0"
ATTRS{revision}=="0x00"
ATTRS{subsystem_device}=="0x0000"
ATTRS{subsystem_vendor}=="0x0000"
ATTRS{vendor}=="0x106b"
looking at parent device '/devices/pci0000:00':
KERNELS=="pci0000:00"
SUBSYSTEMS==""
DRIVERS==""
ATTRS{power/async}=="enabled"
ATTRS{power/control}=="auto"
ATTRS{power/runtime_active_kids}=="11"
ATTRS{power/runtime_active_time}=="0"
ATTRS{power/runtime_enabled}=="disabled"
ATTRS{power/runtime_status}=="unsupported"
ATTRS{power/runtime_suspended_time}=="0"
ATTRS{power/runtime_usage}=="0"
ATTRS{waiting_for_supplier}=="0"
lsusb; echo;lsusb -t
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 003: ID 0fe6:9700 ICS Advent DM9601 Fast Ethernet Adapter
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ohci-pci/12p, 12M
|__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
|__ Port 2: Dev 3, If 0, Class=, Driver=dm9601, 12M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/12p, 480M
Linux kernel blacklist
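As you may notice from the udev monitor output, the usbnet module gets loaded when the adapter is plugged in, so blacklisting it (together with the device-specific drivers, here dm9601 and sr9700) is one option. Note that a modprobe.d `blacklist` entry only stops alias-based autoloading: a module pulled in as a dependency of another driver is still loaded unless it is also given an `install <module> /bin/false` line. Not every USB network driver is built on usbnet, so this alone is not complete coverage.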
Udev rule
One match that seems clear is this condition:
ACTION=="add",SUBSYSTEM=="net", SUBSYSTEMS=="usb",...
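This matches a newly added net node that has a usb node as a parent.
Then target that leaf node or its parent node: remove it, de-authorize it, or unbind its driver, as in this answer about blocking USB storage devices. Because this rule only fires after the driver has bound and the net interface has been created, the interface exists briefly before the rule acts. To keep new devices unauthorized until they are explicitly allowed, the host controller's `authorized_default` attribute (shown as "1" in the output above) can be set to 0 instead.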