There is this machine that runs Fedora GNU/Linux, for which its owners asked us to block all USB storage devices without affecting other peripheral devices like keyboards and mice. The reason was to prevent unlawful data leakage by the users of that machine.
On Linux there is a kernel module named usb_storage, found at /lib/modules/$KERNEL_VERSION/kernel/drivers/usb/storage/usb-storage.ko.xz (to get the kernel version, execute uname -r;), which operates as the USB Mass Storage driver for Linux.
Apparently, we just needed to block the usb_storage module. Initially, we tried to block the module by using the /etc/modprobe.d/blacklist.conf file but with no success. We failed to blacklist the module using the following commands (we were not sure which of the two names is correct, so we tried both, one at a time; it appears that both can be correct):
echo -e "usb_storage\n" | sudo tee -a /etc/modprobe.d/blacklist.conf;
echo -e "usb-storage\n" | sudo tee -a /etc/modprobe.d/blacklist.conf;
After creating/updating the blacklist.conf file we restarted the machine, as the module does not get loaded on boot automatically; it only gets loaded when needed. Unfortunately, as we mentioned before, these attempts led to no solution as we were still able to use USB storage devices even after creating the
Since this method failed, we had to turn to a different solution which, due to its nature, can be considered a hack.
What we did was create a new configuration file in /etc/modprobe.d/ that would prevent usb_storage from being loaded by redirecting any requests to load the specific module to the
# Run as root: the >> redirection is performed by the calling shell.
echo "install usb_storage /bin/true" >> /etc/modprobe.d/disable-usb-storage.conf;
# Or the following (both names usb_storage and usb-storage seem to work)
# echo "install usb-storage /bin/true" >> /etc/modprobe.d/disable-usb-storage.conf;
Then, we had to make sure that the module was not already loaded. To see if the usb_storage module was already loaded we executed:
lsmod | grep -i usb_storage;
If lsmod | grep -i usb_storage; did not return any results, then it meant we were done! Since it was not in the list, it meant that the module was not loaded and so the next time someone tried to use a USB mass storage device they would not be able to load the module.
In cases where we got a line back (and thus the module was already loaded), we needed to unload it manually or restart the machine. To avoid rebooting the machine we used modprobe to unload the
modprobe -r usb_storage;
Sometimes, we would get the following error:
modprobe: FATAL: Module usb_storage is in use.
This error meant that some other kernel module was using usb_storage and would not allow us to unload it. Using lsmod | grep -i usb_storage; we would get back a line like the following:
usb_storage 73728 1 uas
The last column is a comma-separated list of kernel modules that use usb_storage and we would need to unload them as well (replacing commas with space characters). Since we had only one dependency, our command became like the one below:
modprobe -r uas usb_storage;
And we were done!
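The two checks from the steps above (is the install override in place, and which modules must be unloaded together with usb_storage) written as reusable functions. This is an added example, not part of the original post: the function names are hypothetical and the lsmod sample is constructed from the line quoted above. Only the modules listed directly in the last lsmod column are handled.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Helper names are hypothetical.

# modprobe treats '-' and '_' in module names as equivalent; normalise to '_'.
norm() { printf '%s\n' "$1" | sed 's/-/_/g'; }

# has_install_override DIR MODULE
# Succeeds if an active (non-comment) line in DIR/*.conf reads
# "install MODULE /bin/true" (or /bin/false, a common variant).
has_install_override() {
    hio_mod=$(norm "$2")
    for hio_f in "$1"/*.conf; do
        [ -f "$hio_f" ] || continue
        awk -v m="$hio_mod" '
            $1 ~ /^#/ { next }
            $1 == "install" {
                n = $2; gsub(/-/, "_", n)
                if (n == m && $3 ~ /^\/(usr\/)?bin\/(true|false)$/) found = 1
            }
            END { exit !found }' "$hio_f" && return 0
    done
    return 1
}

# unload_cmd MODULE  (lsmod output on stdin)
# Prints the modprobe -r command that unloads MODULE, listing the modules
# from the "Used by" column first. Prints nothing if MODULE is not loaded.
unload_cmd() {
    awk -v m="$(norm "$1")" '
        $1 == m {
            users = $4; gsub(/,/, " ", users)
            print "modprobe -r " (users == "" ? "" : users " ") m
        }'
}

# Demo on constructed input; on a real machine use:
#   has_install_override /etc/modprobe.d usb_storage && echo blocked
#   lsmod | unload_cmd usb_storage
printf 'Module Size Used by\nusb_storage 73728 1 uas\n' | unload_cmd usb_storage
```

A line that contains only the module name, or a commented-out install line, does not count as an override in has_install_override.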
To Re-enable USB mass storage devices (revert)
That is the easy part: to re-enable access to the USB mass storage devices, all we had to do was delete the configuration file:
Of course, to block them again, we would have to follow the steps in the above solution.