HBSD: Provide support for prohibiting new USB device connections

This commit introduces the hardening.pax.prohibit_new_usb sysctl
tunable node. This node can be set to one of three values:

0: Disabled
1: Enabled
2: Enabled without possibility to disable

When set to 2, a reboot is required to end the prohibition on new USB
connections.

This is based on a patch by Loic F <loic.f@hardenedbsd.org>.

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>
issue:		#88
MFC-to:		14-STABLE
MFC-to:		13-STABLE

sys/dev/usb/usb_request.c

@@ -27,6 +27,8 @@
  * SUCH DAMAGE.
  */ 
 
+#include "opt_pax.h"
+
 #ifdef USB_GLOBAL_INCLUDE_FILE
 #include USB_GLOBAL_INCLUDE_FILE
 #else
@@ -71,6 +73,50 @@
 #include <sys/ctype.h>
 #endif			/* USB_GLOBAL_INCLUDE_FILE */
 
+#ifdef PAX_HARDENING
+/*
+ * Acceptable values:
+ * 	0: disabled
+ * 	1: enabled
+ * 	2: enabled without possibility to disable
+ */
+static int prohibit_new_usb = 0;
+
+static int sysctl_prohibit_new_usb(SYSCTL_HANDLER_ARGS);
+
+SYSCTL_DECL(_hardening);
+SYSCTL_DECL(_hardening_pax);
+
+SYSCTL_PROC(_hardening_pax, OID_AUTO, prohibit_new_usb,
+    CTLTYPE_INT | CTLFLAG_RWTUN, NULL, 0,
+    sysctl_prohibit_new_usb, "I",
+    "Prohibit new USB device attachments");
+
+static int
+sysctl_prohibit_new_usb(SYSCTL_HANDLER_ARGS)
+{
+	int err, val;
+
+	val = prohibit_new_usb;
+	err = sysctl_handle_int(oidp, &val, sizeof(val), req);
+	if (err || req->newptr == NULL) {
+		return (err);
+	}
+
+	if (prohibit_new_usb == 2) {
+		return (EPERM);
+	}
+
+	if (val < 0 || val > 2) {
+		return (EINVAL);
+	}
+
+	prohibit_new_usb = val;
+
+	return (0);
+}
+#endif
+
 static int usb_no_cs_fail;
 
 SYSCTL_INT(_hw_usb, OID_AUTO, no_cs_fail, CTLFLAG_RWTUN,
@@ -1572,6 +1618,12 @@ usbd_req_set_address(struct usb_device *udev, struct mtx *mtx, uint16_t addr)
 	struct usb_device_request req;
 	usb_error_t err;
 
+#ifdef PAX_HARDENING
+	if (prohibit_new_usb) {
+		return (USB_ERR_INVAL);
+	}
+#endif
+
 	DPRINTFN(6, "setting device address=%d\n", addr);
 
 	req.bmRequestType = UT_WRITE_DEVICE;