Description
TLDR: Rules are loaded from RuleFolder but not applied or listed when doing usbguard list-rules
I have usbguard 1.0.0+ds-2 running on a modified version of Debian 11.11 and install my config using a deb package that diverts the /etc/usbguard/usbguard-daemon.conf file to the following config (removed all the comments to keep it short):
# RuleFile=/etc/usbguard/rules.conf
RuleFolder=/etc/usbguard/rules.d/
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
PresentControllerPolicy=apply-policy
InsertedDevicePolicy=apply-policy
AuthorizedDefault=none
RestoreControllerDeviceState=false
DeviceManagerBackend=uevent
IPCAllowedUsers=root
IPCAllowedGroups=root
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
DeviceRulesWithPort=false
AuditBackend=LinuxAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log
HidePII=false
My /etc/usbguard/rules.d/ folder contains six rule files (names are different irl, numbers and extensions are correct):
- 01-rulea.conf
- 02-ruleb.conf
- 10-rulec.conf
- 20-ruled.conf
- 30-rulee.conf
- 99-reject-remaining.conf (only contains reject; commented that out already, didn't change anything)
When I run the daemon the debug output contains the following outputs:
[1744290595.693] (i) NSHandler Loading...
[1744290595.693] (i) separator -> :
[1744290595.693] (i) keys:
[1744290595.693] (i) --->usbguard
[1744290595.693] (i) NSHandler Loaded
[1744290595.693] (i) Loading configuration from /etc/usbguard/usbguard-daemon.conf
[1744290595.693] (i) File has correct permissions.
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: RuleFolder=/etc/usbguard/rules.d/
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: ImplicitPolicyTarget=block
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: PresentDevicePolicy=apply-policy
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: PresentControllerPolicy=apply-policy
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: InsertedDevicePolicy=apply-policy
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: AuthorizedDefault=none
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: RestoreControllerDeviceState=false
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: DeviceManagerBackend=uevent
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: IPCAllowedUsers=root
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: IPCAllowedGroups=root
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: DeviceRulesWithPort=false
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: AuditBackend=LinuxAudit
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: AuditFilePath=/var/log/usbguard/usbguard-audit.log
[1744290595.693] (D) ConfigFilePrivate.cpp@155/parse: Parsed: HidePII=false
[1744290595.693] (i) Loading NSSwitch...
[1744290595.693] (i) Loading nsswitch from /etc/nsswitch.conf
[1744290595.693] (D) NSHandler.cpp@163/parseNSSwitch: Map contains:
[1744290595.693] (D) NSHandler.cpp@166/parseNSSwitch: --> ETHERS -> db files <--
[1744290595.693] (D) NSHandler.cpp@166/parseNSSwitch: --> GROUP -> files <--
[1744290595.693] (D) NSHandler.cpp@166/parseNSSwitch: --> GSHADOW -> files <--
[1744290595.693] (D) NSHandler.cpp@166/parseNSSwitch: --> HOSTS -> files dns <--
[1744290595.693] (D) NSHandler.cpp@166/parseNSSwitch: --> NETGROUP -> nis <--
[1744290595.693] (D) NSHandler.cpp@166/parseNSSwitch: --> NETWORKS -> files <--
[1744290595.693] (D) NSHandler.cpp@166/parseNSSwitch: --> PASSWD -> files <--
[1744290595.693] (D) NSHandler.cpp@166/parseNSSwitch: --> PROTOCOLS -> db files <--
[1744290595.693] (D) NSHandler.cpp@166/parseNSSwitch: --> RPC -> db files <--
[1744290595.693] (D) NSHandler.cpp@166/parseNSSwitch: --> SERVICES -> db files <--
[1744290595.693] (D) NSHandler.cpp@166/parseNSSwitch: --> SHADOW -> files <--
[1744290595.693] (i) Fetched value is -> <-
[1744290595.693] (i) Value is not valid or not set, using default FILES
[1744290595.693] (i) File has correct permissions.
[1744290595.693] (i) File has correct permissions.
[1744290595.693] (i) File has correct permissions.
[1744290595.693] (i) File has correct permissions.
[1744290595.693] (i) File has correct permissions.
[1744290595.693] (i) File has correct permissions.
[1744290595.693] (i) Loading RuleSet
[1744290595.693] (i) Creating FileRuleSet
[1744290595.693] (i) Creating FileRuleSet
[1744290595.693] (i) Creating FileRuleSet
[1744290595.693] (i) Creating FileRuleSet
[1744290595.694] (i) Creating FileRuleSet
[1744290595.694] (i) Creating FileRuleSet
[1744290595.694] (D) Daemon.cpp@493/setImplicitPolicyTarget: Setting ImplicitPolicyTarget to block
[1744290595.694] (D) Daemon.cpp@500/setPresentDevicePolicyMethod: Setting PresentDevicePolicy to apply-policy
[1744290595.694] (D) Daemon.cpp@506/setPresentControllerPolicyMethod: Setting PresentControllerPolicy to apply-policy
[1744290595.694] (D) Daemon.cpp@512/setInsertedDevicePolicyMethod: Setting InsertedDevicePolicy to apply-policy
[1744290595.694] (D) Daemon.cpp@262/loadConfiguration: Setting IPCAllowedUsers to { root }
[1744290595.694] (T) Daemon.cpp@1079/addIPCAllowedUser: user=root
[1744290595.694] (D) Daemon.cpp@274/loadConfiguration: Setting IPCAllowedGroups to { root }
[1744290595.694] (T) Daemon.cpp@1091/addIPCAllowedGroup: group=root
[1744290595.694] (D) Daemon.cpp@284/loadConfiguration: Setting DeviceRulesWithPort to false
[1744290595.694] (i) File has correct permissions.
[1744290595.694] (i) Loading IPC access control files at /etc/usbguard/IPCAccessControl.d/
[1744290595.694] (T) Utility.cpp@361/loadFiles: L: :plugdev : /etc/usbguard/IPCAccessControl.d//:plugdev
[1744290595.694] (i) Loading IPC access control file /etc/usbguard/IPCAccessControl.d//:plugdev
[1744290595.694] (T) Daemon.cpp@1091/addIPCAllowedGroup: group=plugdev
[1744290595.694] (D) Daemon.cpp@342/loadConfiguration: Setting AuditBackend to LinuxAudit
[1744290595.694] (D) LinuxAuditBackend.cpp@206/LinuxAuditBackend: Opening Linux Audit socket
[1744290595.694] (i) Configuration loaded successfully.
[1744290595.694] (T) Daemon.cpp@530/run: Entering main loop
[1744290595.694] (T) UEventDeviceManager.cpp@100/scan:
[1744290595.694] (T) UEventDeviceManager.cpp@403/ueventEnumerateDevices:
......
As can be seen there, all six config files/rulesets are loaded and evaluated (adding wrong commands also leads to an error).
But those rules are not applied and also not listed with usbguard list-rules. Adding the same rules to the rules.conf file (and enabling it in the daemon config again) leads to correct application of the rules.
Have I done anything wrong in my config or in my rule files? For me everything seems correct, or have I overlooked something?
As an example my 01-rulea.conf looks like:
allow id 1d6b:0003
allow id 1d6b:0002
I only see the two root hubs as blocked when executing list-devices.
EDIT:
I also tested putting all my rules into the rules.conf file and enabling it in the daemon config, then all rules are loaded properly.
I also tested version 1.1.2+ds-3+b1 that has the same behavior.
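Added example (not usbguard's own tooling): a small POSIX shell script for checking a RuleFolder like the /etc/usbguard/rules.d/ above offline, before comparing against usbguard list-rules. It assumes that *.conf files are merged in sorted filename order (the intent behind the 01-, 02-, ..., 99- prefixes), that the first matching rule wins so a bare `reject` catch-all shadows any rule after it, and that rule files must be root-owned and not group/world writable (the daemon's "File has correct permissions." check).

```shell
#!/bin/sh
# Offline sanity checks for a usbguard RuleFolder (e.g. /etc/usbguard/rules.d/).
# Assumptions (see lead-in): sorted-filename merge order, first-match-wins
# evaluation, root-owned and not group/world-writable rule files.

# Print the effective rule list: every *.conf file in the folder concatenated
# in the order the shell expands the glob (sorted), comments and blank lines dropped.
merged_rules() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f"
    done
}

# Count rules that can never match because an unconditional catch-all
# (a bare "allow", "block" or "reject" with no conditions) precedes them.
# A stray rule after the 99-reject-remaining.conf style catch-all shows up here.
unreachable_rule_count() {
    merged_rules "$1" | awk '
        shadowed { n++; next }
        $0 ~ /^[ \t]*(allow|block|reject)[ \t]*$/ { shadowed = 1 }
        END { print n + 0 }'
}

# Return 1 if any rule file is not owned by root or is group/world writable,
# which the daemon would refuse to load (GNU stat/find, as on Debian).
check_rule_perms() {
    rc=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        owner=$(stat -c %U "$f")
        if [ "$owner" != root ] || [ -n "$(find "$f" -maxdepth 0 -perm /022)" ]; then
            echo "bad ownership/permissions: $f (owner $owner, mode $(stat -c %a "$f"))" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run `merged_rules /etc/usbguard/rules.d/` and diff it against `usbguard list-rules` to see exactly which loaded rules the daemon did not take over.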